postfix-3.10-20250202

postfix/HISTORY

@@ -28866,7 +28866,7 @@ Apologies for any names omitted.
 
 	Feature: support for the RFC 8689 "TLS-Required: no" message
 	header. This limits the Postfix SMTP client TLS security
-	level to "smtp_tls_security = may", which does not authenticate
+	level to "smtp_tls_security = may", which does not verify
 	remote SMTP server TLS certificates, and which allows falling
 	back to plaintext. This is needed for the delivery of
 	messages such as TLSRPT summaries, which should be sent
@@ -28898,3 +28898,24 @@ Apologies for any names omitted.
 
 	Debug: verbose logging for the tlsrpt_wrapper functions.
 	File: tls/tlsrpt_wrapper.c.
+
+20250201
+
+	Cleanup: simplified the code in cleanup_envelope_test.c.
+
+	Feature: configuration parameter "tls_required_enable
+	(default: yes) to control support for the "TLS-Required:
+	no" message header. Files: global/mail_params.[hc],
+	bounce/bounce.c, bounce/bounce_notify_util.c, cleanup/cleanup.c,
+	cleanup/cleanup_message.c, smtp/smtp.c, smtp/smtp_connect.c,
+	mantools/postlink.
+
+20250202
+
+	Documentation: edited for clarity. Files: pipe/pipe.c,
+	proto/postconf.proto.
+
+	Debug logging: cleanup/cleanup_api.c. tls/tlsrpt_wrapper.c.
+	proto/TLSRPT_README.html.
+
+	Postfix 3.10 code freeze.

postfix/README_FILES/TLSRPT_README

@@ -30,8 +30,8 @@ successful and failed SMTP over TLS connections to domain example.com, and to
 report those summaries via email to the specified address. Instead of mailto:,
 a policy may specify an https: destination.
 
-The high-level diagram below shows how TLS handshake success and failure events
+The diagram below shows how Postfix TLS handshake success and failure events
-from Postfix are collected and processed into daily summary reports.
+are collected and processed into daily summary reports.
 
      Postfix SMTP and      TLSRPT client     TLSRPT collector,    Email or HTTP
     TLS client engines -> library (linked ->   fetcher, and    ->   delivery

postfix/html/TLSRPT_README.html

@@ -55,9 +55,9 @@ summaries of successful and failed SMTP over TLS connections to domain
 specified address. Instead of <tt>mailto:</tt>, a policy may specify an
 <tt>https:</tt> destination. </p>
 
-<p> The high-level diagram below shows how TLS handshake success
+<p> The diagram below shows how Postfix TLS handshake success and
-and failure events from Postfix are collected and processed into
+failure events are collected and processed into daily summary
-daily summary reports.  </p>
+reports. </p>
 
 <blockquote>
 

postfix/html/bounce.8.html

@@ -166,6 +166,12 @@ BOUNCE(8)                                                            BOUNCE(8)
        <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
               The format of the Postfix-generated <b>From:</b> header.
 
+       Available in Postfix 3.10 and later:
+
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="files">FILES</a></b>
        /var/spool/postfix/bounce/* non-delivery records
        /var/spool/postfix/defer/* non-delivery records

postfix/html/cleanup.8.html

@@ -70,6 +70,7 @@ CLEANUP(8)                                                          CLEANUP(8)
        <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
        <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
        <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
+       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required: message header)
 
 <b><a name="diagnostics">DIAGNOSTICS</a></b>
        Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@@ -461,6 +462,13 @@ CLEANUP(8)                                                          CLEANUP(8)
               IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
               form that is used for DNS lookups.
 
+<b><a name="tls_support">TLS SUPPORT</a></b>
+       Available in Postfix version 3.10 and later:
+
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
               The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-

postfix/html/defer.8.html

@@ -166,6 +166,12 @@ BOUNCE(8)                                                            BOUNCE(8)
        <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
               The format of the Postfix-generated <b>From:</b> header.
 
+       Available in Postfix 3.10 and later:
+
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="files">FILES</a></b>
        /var/spool/postfix/bounce/* non-delivery records
        /var/spool/postfix/defer/* non-delivery records

postfix/html/lmtp.8.html

@@ -174,6 +174,7 @@ SMTP(8)                                                                SMTP(8)
        <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
        <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
        <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
+       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required message header)
 
 <b><a name="diagnostics">DIAGNOSTICS</a></b>
        Problems  and  transactions  are  logged  to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@@ -746,6 +747,8 @@ SMTP(8)                                                                SMTP(8)
               Request  that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
               instead of an X.509 certificate.
 
+       Available in Postfix version 3.10 and later:
+
        <b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b>
               Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications.
 
@@ -758,6 +761,10 @@ SMTP(8)                                                                SMTP(8)
               reuse a previously-negotiated  TLS  session  (there  is  no  new
               information to report).
 
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
        The following configuration parameters  exist  for  compatibility  with
        Postfix  versions  before  2.3.  Support for these will be removed in a

postfix/html/pipe.8.html

@@ -170,6 +170,7 @@ PIPE(8)                                                                PIPE(8)
               as an argument by itself:
 
                   <i>Right</i>: command -f $sender -- $recipient
+
               NOTE: DO NOT put quotes around the command, $sender, or $recipi-
               ent.
 
@@ -422,7 +423,7 @@ PIPE(8)                                                                PIPE(8)
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
               The maximal number of digits after the decimal point  when  log-
-              ging sub-second delay values.
+              ging delay values.
 
        <b><a href="postconf.5.html#export_environment">export_environment</a> (see 'postconf -d' output)</b>
               The  list  of  environment variables that a Postfix process will

postfix/html/postconf.5.html

@@ -20603,6 +20603,23 @@ gives timeout errors.  </p>
 <p> This feature is available in Postfix 2.2 and later.  </p>
 
 
+</DD>
+
+<DT><b><a name="tls_required_enable">tls_required_enable</a>
+(default: yes)</b></DT><DD>
+
+<p> Enable support for the "TLS-Required: no" message header, defined
+in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. By adding this header to a message, a sender requests
+no enforcement of TLS policy. This limits the Postfix SMTP client
+TLS security level to "may", that is, do not verify remote SMTP
+server certificates, and fall back to plaintext if TLS is unavailable.
+If a message contains a "TLS-Required: no" header, then Postfix
+will add that header to a delivery status notification for that
+message. </p>
+
+<p> This feature is available in Postfix &ge; 3.10. </p>
+
+
 </DD>
 
 <DT><b><a name="tls_server_sni_maps">tls_server_sni_maps</a>

postfix/html/smtp.8.html

@@ -174,6 +174,7 @@ SMTP(8)                                                                SMTP(8)
        <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
        <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
        <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
+       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required message header)
 
 <b><a name="diagnostics">DIAGNOSTICS</a></b>
        Problems  and  transactions  are  logged  to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@@ -746,6 +747,8 @@ SMTP(8)                                                                SMTP(8)
               Request  that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
               instead of an X.509 certificate.
 
+       Available in Postfix version 3.10 and later:
+
        <b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b>
               Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications.
 
@@ -758,6 +761,10 @@ SMTP(8)                                                                SMTP(8)
               reuse a previously-negotiated  TLS  session  (there  is  no  new
               information to report).
 
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
        The following configuration parameters  exist  for  compatibility  with
        Postfix  versions  before  2.3.  Support for these will be removed in a

postfix/html/trace.8.html

@@ -166,6 +166,12 @@ BOUNCE(8)                                                            BOUNCE(8)
        <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
               The format of the Postfix-generated <b>From:</b> header.
 
+       Available in Postfix 3.10 and later:
+
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="files">FILES</a></b>
        /var/spool/postfix/bounce/* non-delivery records
        /var/spool/postfix/defer/* non-delivery records

postfix/man/man5/postconf.5

@@ -14331,6 +14331,17 @@ Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom
 gives timeout errors.
 .PP
 This feature is available in Postfix 2.2 and later.
+.SH tls_required_enable (default: yes)
+Enable support for the "TLS\-Required: no" message header, defined
+in RFC 8689. By adding this header to a message, a sender requests
+no enforcement of TLS policy. This limits the Postfix SMTP client
+TLS security level to "may", that is, do not verify remote SMTP
+server certificates, and fall back to plaintext if TLS is unavailable.
+If a message contains a "TLS\-Required: no" header, then Postfix
+will add that header to a delivery status notification for that
+message.
+.PP
+This feature is available in Postfix >= 3.10.
 .SH tls_server_sni_maps (default: empty)
 Optional lookup tables that map names received from remote SMTP
 clients via the TLS Server Name Indication (SNI) extension to the

postfix/man/man8/bounce.8

@@ -146,6 +146,11 @@ header with the original Message\-ID value.
 Available in Postfix 3.7 and later:
 .IP "\fBheader_from_format (standard)\fR"
 The format of the Postfix\-generated \fBFrom:\fR header.
+.PP
+Available in Postfix 3.10 and later:
+.IP "\fBtls_required_enable (yes)\fR"
+Enable support for the "TLS\-Required: no" message header, defined
+in RFC 8689.
 .SH "FILES"
 .na
 .nf

postfix/man/man8/cleanup.8

@@ -78,6 +78,7 @@ RFC 2822 (Internet Message Format)
 RFC 3463 (Enhanced Status Codes)
 RFC 3464 (Delivery status notifications)
 RFC 5322 (Internet Message Format)
+RFC 8689 (TLS\-Required: message header)
 .SH DIAGNOSTICS
 .ad
 .fi
@@ -422,6 +423,15 @@ Available in Postfix version 3.2 and later:
 Enable 'transitional' compatibility between IDNA2003 and IDNA2008,
 when converting UTF\-8 domain names to/from the ASCII form that is
 used for DNS lookups.
+.SH "TLS SUPPORT"
+.na
+.nf
+.ad
+.fi
+Available in Postfix version 3.10 and later:
+.IP "\fBtls_required_enable (yes)\fR"
+Enable support for the "TLS\-Required: no" message header, defined
+in RFC 8689.
 .SH "MISCELLANEOUS CONTROLS"
 .na
 .nf

postfix/man/man8/pipe.8

@@ -180,6 +180,7 @@ specify \fB$sender\fR as an argument by itself:
 .nf
     \fIRight\fR: command \-f $sender \-\- $recipient
 .fi
+.IP
 NOTE: DO NOT put quotes around the command, $sender, or $recipient.
 .IP
 This feature is available as of Postfix 2.3.
@@ -412,7 +413,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBexport_environment (see 'postconf -d' output)\fR"
 The list of environment variables that a Postfix process will export
 to non\-Postfix processes.

postfix/man/man8/smtp.8

@@ -190,6 +190,7 @@ RFC 5321 (SMTP protocol)
 RFC 6531 (Internationalized SMTP)
 RFC 6533 (Internationalized Delivery Status Notifications)
 RFC 7672 (SMTP security via opportunistic DANE TLS)
+RFC 8689 (TLS\-Required message header)
 .SH DIAGNOSTICS
 .ad
 .fi
@@ -672,7 +673,8 @@ Available in Postfix version 3.9 and later:
 .IP "\fBsmtp_tls_enable_rpk (no)\fR"
 Request that remote SMTP servers send an RFC7250 raw public key
 instead of an X.509 certificate.
-.PP Available in Postfix version 3.10 and later:
+.PP
+Available in Postfix version 3.10 and later:
 .IP "\fBsmtp_tlsrpt_enable (no)\fR"
 Enable support for RFC 8460 TLSRPT notifications.
 .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
@@ -682,6 +684,9 @@ by a local TLSRPT reporting service.
 Do not report the TLSRPT status for TLS protocol handshakes
 that reuse a previously\-negotiated TLS session (there is no new
 information to report).
+.IP "\fBtls_required_enable (yes)\fR"
+Enable support for the "TLS\-Required: no" message header, defined
+in RFC 8689.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf

postfix/mantools/postlink

@@ -1186,6 +1186,7 @@ while (<>) {
     s;\ballow_srv_lookup_fallback\b;<a href="postconf.5.html#allow_srv_lookup_fallback">$&</a>;g;
     s;\bignore_srv_lookup_error\b;<a href="postconf.5.html#ignore_srv_lookup_error">$&</a>;g;
 
+    s;\btls_required_enable\b;<a href="postconf.5.html#tls_required_enable">$&</a>;g;
     s;\bfull_name_encoding_charset\b;<a href="postconf.5.html#full_name_encoding_charset">$&</a>;g;
 
     # Service-defined parameters...

postfix/proto/TLSRPT_README.html

@@ -55,9 +55,9 @@ summaries of successful and failed SMTP over TLS connections to domain
 specified address. Instead of <tt>mailto:</tt>, a policy may specify an
 <tt>https:</tt> destination. </p>
 
-<p> The high-level diagram below shows how TLS handshake success
+<p> The diagram below shows how Postfix TLS handshake success and
-and failure events from Postfix are collected and processed into
+failure events are collected and processed into daily summary
-daily summary reports.  </p>
+reports. </p>
 
 <blockquote>
 

postfix/proto/postconf.proto

@@ -19473,3 +19473,16 @@ skip the full name. </p>
 including the netstring encapsulation. </p>
 
 <p> This feature is available in Postfix &ge; 3.10. </p>
+
+%PARAM tls_required_enable yes
+
+<p> Enable support for the "TLS-Required: no" message header, defined
+in RFC 8689. By adding this header to a message, a sender requests
+no enforcement of TLS policy. This limits the Postfix SMTP client
+TLS security level to "may", that is, do not verify remote SMTP
+server certificates, and fall back to plaintext if TLS is unavailable.
+If a message contains a "TLS-Required: no" header, then Postfix
+will add that header to a delivery status notification for that
+message. </p>
+
+<p> This feature is available in Postfix &ge; 3.10. </p>

postfix/proto/stop.double-history

@@ -159,3 +159,4 @@ proto  proto socketmap_table
  qmgr qmgr_deliver c qmgr qmgr_message c qmqpd qmqpd c 
  smtp smtp_proto c smtpd smtpd c verify verify c 
  operations Files cleanup cleanup h cleanup cleanup_message c 
+ proto postconf proto pipe pipe c 

postfix/proto/stop.spell-cc

@@ -1857,3 +1857,4 @@ cntrl
 TINYCDB
 getdata
 XXXSENDOPTS
+xtra

postfix/src/bounce/bounce.c

@@ -134,6 +134,11 @@
 /*	Available in Postfix 3.7 and later:
 /* .IP "\fBheader_from_format (standard)\fR"
 /*	The format of the Postfix-generated \fBFrom:\fR header.
+/* .PP
+/*	Available in Postfix 3.10 and later:
+/* .IP "\fBtls_required_enable (yes)\fR"
+/*	Enable support for the "TLS-Required: no" message header, defined
+/*	in RFC 8689.
 /* FILES
 /*	/var/spool/postfix/bounce/* non-delivery records
 /*	/var/spool/postfix/defer/* non-delivery records

postfix/src/bounce/bounce_notify_util.c

@@ -533,6 +533,13 @@ int     bounce_header(VSTREAM *bounce, BOUNCE_INFO *bounce_info,
 	post_mail_fprintf(bounce, "In-Reply-To: %s", STR(bounce_info->orig_msgid));
     }
 
+    /*
+     * Trade confidentiality against availability.
+     */
+    if (var_tls_required_enable
+	&& (bounce_info->sendopts & SOPT_REQUIRETLS_HEADER) != 0)
+	post_mail_fprintf(bounce, "TLS-Required: no");
+
     /*
      * Auto-Submitted header, as per RFC 3834.
      */

postfix/src/cleanup/cleanup.c

@@ -70,6 +70,7 @@
 /*	RFC 3463 (Enhanced Status Codes)
 /*	RFC 3464 (Delivery status notifications)
 /*	RFC 5322 (Internet Message Format)
+/*	RFC 8689 (TLS-Required: message header)
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8)
 /*	or \fBpostlogd\fR(8).
@@ -390,6 +391,13 @@
 /*	Enable 'transitional' compatibility between IDNA2003 and IDNA2008,
 /*	when converting UTF-8 domain names to/from the ASCII form that is
 /*	used for DNS lookups.
+/* TLS SUPPORT
+/* .ad
+/* .fi
+/*	Available in Postfix version 3.10 and later:
+/* .IP "\fBtls_required_enable (yes)\fR"
+/*	Enable support for the "TLS-Required: no" message header, defined
+/*	in RFC 8689.
 /* MISCELLANEOUS CONTROLS
 /* .ad
 /* .fi

postfix/src/cleanup/cleanup_api.c

@@ -202,7 +202,7 @@ void    cleanup_control(CLEANUP_STATE *state, int flags)
      * definition.
      */
     if (msg_verbose)
-	msg_info("cleanup flags = %s", cleanup_strflags(flags));
+	msg_info("client flags = %s", cleanup_strflags(flags));
     if ((state->flags = flags) & CLEANUP_FLAG_BOUNCE) {
 	state->err_mask = CLEANUP_STAT_MASK_INCOMPLETE;
     } else {
@@ -211,6 +211,8 @@ void    cleanup_control(CLEANUP_STATE *state, int flags)
     if (state->flags & CLEANUP_FLAG_SMTPUTF8)
 	state->sendopts |= SMTPUTF8_FLAG_REQUESTED;
     /* TODO(wietse) REQUIRETLS. */
+    if (msg_verbose)
+	msg_info("server flags = %s", cleanup_strflags(state->flags));
 }
 
 /* cleanup_flush - finish queue file */

postfix/src/cleanup/cleanup_envelope_test.c

@@ -5,7 +5,6 @@
 #include <sys_defs.h>
 #include <string.h>
 #include <stdlib.h>
-#include <stdio.h>			/* ssscanf() */
 #include <ctype.h>
 
  /*
@@ -20,7 +19,6 @@
  /*
   * Global library.
   */
-#include <been_here.h>
 #include <record.h>
 #include <rec_type.h>
 #include <cleanup_user.h>
@@ -135,10 +133,8 @@ static int overrides_size_fields(const TEST_CASE *tp)
      * Process the test SIZE record payload, clear some bits from the
      * sendopts field, and write an all-zeroes preliminary SIZE record.
      */
-    VSTRING *output_stream_buf = vstring_alloc(100);
+    if ((state->dst = vstream_fopen("/dev/null", O_WRONLY, 0)) == 0) {
-
+	msg_warn("vstream_fopen(\"/dev/null\", O_WRONLY, 0): %m");
-    if ((state->dst = vstream_memopen(output_stream_buf, O_WRONLY)) == 0) {
-	msg_warn("vstream_memopen(output_stream_buf, O_WRONLY): %m");
 	return (FAIL);
     }
     cleanup_envelope(state, REC_TYPE_SIZE, vstring_str(input_buf),
@@ -151,94 +147,50 @@ static int overrides_size_fields(const TEST_CASE *tp)
     }
     vstring_free(input_buf);
     input_buf = 0;
-
-    /*
-     * Overwrite the SIZE record with an updated version that includes the
-     * modified sendopts field.
-     */
-    cleanup_final(state);
-    if (state->errs != CLEANUP_STAT_OK) {
-	msg_warn("cleanup_final: got: '%s', want: '%s'",
-		 cleanup_strerror(state->errs),
-		 cleanup_strerror(CLEANUP_STAT_OK));
-	return (FAIL);
-    }
     (void) vstream_fclose(state->dst);
     state->dst = 0;
 
     /*
-     * Read the final SIZE record content. This normally happens in the queue
+     * Compare the updated state against the expected content. We expect that
-     * manager, and in the pickup daemon after a message is re-queued.
+     * the fields for xtra_offset, data_offset, rcpt_count, qmgr_opts, and
+     * cont_length, are consistent with the saved CLEANUP_STATE, and we
+     * expect to see a specific value for the sendopts field that was
+     * assigned in cleanup_envelope().
      */
-    VSTREAM *fp;
+    if (state->xtra_offset != saved_state.xtra_offset) {
-
+	msg_warn("state->xtra_offset: got %ld, want: %ld",
-    if ((fp = vstream_memopen(output_stream_buf, O_RDONLY)) == 0) {
+		 (long) state->xtra_offset, (long) saved_state.xtra_offset);
-	msg_warn("vstream_memopen(output_stream_buf, O_RDONLY): %m");
 	return (FAIL);
     }
-    VSTRING *got_size_payload = vstring_alloc(VSTRING_LEN(output_stream_buf));
+    if (state->data_offset != saved_state.data_offset) {
-    int     got_rec_type;
+	msg_warn("state->data_offset: got %ld, want: %ld",
-
+		 (long) state->data_offset, (long) saved_state.data_offset);
-    if ((got_rec_type = rec_get(fp, got_size_payload, 0)) != REC_TYPE_SIZE) {
-	msg_warn("rec_get: got: %s, want: %s",
-		 rec_type_name(got_rec_type), rec_type_name(REC_TYPE_SIZE));
 	return (FAIL);
     }
-    (void) vstream_fclose(fp);
+    if (state->rcpt_count != saved_state.rcpt_count) {
-    vstring_free(output_stream_buf);
+	msg_warn("state->rcpt_count: got: %ld, want: %ld",
-
+		 (long) state->rcpt_count, (long) saved_state.rcpt_count);
-    /*
-     * Compare the stored SIZE record content against the expected content.
-     * We expect that the fields for data_size, data_offset, rcpt_count,
-     * qmgr_opts, and cont_length, are consistent with the saved
-     * CLEANUP_STATE, and we expect to see a specific value for the sendopts
-     * field that was made by cleanup_envelope().
-     */
-    int     got_conv;
-    long    data_size, data_offset, cont_length;
-    int     rcpt_count, qmgr_opts, sendopts;
-
-    if ((got_conv = sscanf(vstring_str(got_size_payload), "%ld %ld %d %d %ld %d",
-			   &data_size, &data_offset, &rcpt_count, &qmgr_opts,
-			   &cont_length, &sendopts)) != 6) {
-	msg_warn("sscanf SIZE record fields: got: %d, want 6", got_conv);
 	return (FAIL);
     }
-    if (data_size != saved_state.xtra_offset - saved_state.data_offset) {
+    if (state->qmgr_opts != saved_state.qmgr_opts) {
-	msg_warn("SIZE.data_size: got %ld, want: %ld", (long) data_size,
+	msg_warn("state=>qmgr_opts: got: %d, want: %d",
-		 (long) (saved_state.xtra_offset - saved_state.data_offset));
+		 state->qmgr_opts, saved_state.qmgr_opts);
 	return (FAIL);
     }
-    if (data_offset != saved_state.data_offset) {
+    if (state->cont_length != saved_state.cont_length) {
-	msg_warn("SIZE.data_offset: got %ld, want: %ld", (long) data_offset,
+	msg_warn("state->cont_length: got %ld, want: %ld",
-		 (long) saved_state.data_offset);
+		 (long) state->cont_length, (long) saved_state.cont_length);
 	return (FAIL);
     }
-    if (rcpt_count != saved_state.rcpt_count) {
+    if (state->sendopts != (SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED)) {
-	msg_warn("SIZE.rcpt_count: got: %d, want: %d", rcpt_count,
+	msg_warn("state->sendopts: got: 0x%x, want: 0x%x",
-		 (int) saved_state.rcpt_count);
+		 state->sendopts, SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED);
-	return (FAIL);
-    }
-    if (qmgr_opts != saved_state.qmgr_opts) {
-	msg_warn("SIZE.qmgr_opts: got: %d, want: %d", qmgr_opts,
-		 saved_state.qmgr_opts);
-	return (FAIL);
-    }
-    if (cont_length != saved_state.cont_length) {
-	msg_warn("SIZE.cont_length: got %ld, want: %ld", (long) cont_length,
-		 (long) saved_state.cont_length);
-	return (FAIL);
-    }
-    if (sendopts != (SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED)) {
-	msg_warn("SIZE.sendopts: got: 0x%x, want: 0x%x",
-		 sendopts, SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED);
 	return (FAIL);
     }
 
     /*
      * Cleanup.
      */
-    vstring_free(got_size_payload);
     cleanup_state_free(state);
     return (PASS);
 }

postfix/src/cleanup/cleanup_message.c

@@ -653,7 +653,7 @@ static void cleanup_header_callback(void *context, int header_class,
 	    if (state->hop_count == 1)
 		argv_add(state->auto_hdrs, vstring_str(header_buf), ARGV_END);
 	}
-	if (hdr_opts->type == HDR_TLS_REQUIRED) {
+	if (hdr_opts->type == HDR_TLS_REQUIRED && var_tls_required_enable) {
 	    char   *cp = vstring_str(header_buf) + strlen(hdr_opts->name) + 1;
 
 	    while (ISSPACE(*cp))

postfix/src/global/mail_params.c

@@ -125,9 +125,10 @@
 /*	bool	var_long_queue_ids;
 /*	bool	var_daemon_open_fatal;
 /*	char	*var_dsn_filter;
-/*	int	var_smtputf8_enable
+/*	int	var_smtputf8_enable;
 /*	int	var_strict_smtputf8;
 /*	char	*var_smtputf8_autoclass;
+/*	int	var_tls_required_enable;
 /*	int     var_idna2003_compat;
 /*	char	*var_compatibility_level;
 /*	char	*var_drop_hdrs;
@@ -369,6 +370,7 @@ char   *var_dsn_filter;
 int     var_smtputf8_enable;
 int     var_strict_smtputf8;
 char   *var_smtputf8_autoclass;
+int     var_tls_required_enable;
 int     var_idna2003_compat;
 char   *var_compatibility_level;
 char   *var_drop_hdrs;
@@ -755,6 +757,7 @@ void    mail_params_init()
 	VAR_SMTPUTF8_ENABLE, DEF_SMTPUTF8_ENABLE, &var_smtputf8_enable,
 	VAR_IDNA2003_COMPAT, DEF_IDNA2003_COMPAT, &var_idna2003_compat,
 	VAR_RESPECTFUL_LOGGING, DEF_RESPECTFUL_LOGGING, &var_respectful_logging,
+	VAR_TLSREQUIRED_ENABLE, DEF_TLSREQUIRED_ENABLE, &var_tls_required_enable,
 	0,
     };
     static const CONFIG_STR_FN_TABLE function_str_defaults[] = {

postfix/src/global/mail_params.h

@@ -4376,6 +4376,13 @@ extern char *var_smtputf8_autoclass;
 #define DEF_IDNA2003_COMPAT		"no"
 extern int var_idna2003_compat;
 
+ /*
+  * REQUIRETLS support (RFC 8689).
+  */
+#define VAR_TLSREQUIRED_ENABLE		"tls_required_enable"
+#define DEF_TLSREQUIRED_ENABLE		"yes"
+extern int var_tls_required_enable;
+
  /*
   * Workaround for future incompatibility. Our implementation of RFC 2308
   * negative reply caching relies on the promise that res_query() and

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20250131"
+#define MAIL_RELEASE_DATE	"20250202"
 #define MAIL_VERSION_NUMBER	"3.10"
 
 #ifdef SNAPSHOT

postfix/src/pipe/pipe.c

@@ -170,6 +170,7 @@
 /* .nf
 /*	    \fIRight\fR: command -f $sender -- $recipient
 /* .fi
+/* .IP
 /*	NOTE: DO NOT put quotes around the command, $sender, or $recipient.
 /* .IP
 /*	This feature is available as of Postfix 2.3.
@@ -390,7 +391,7 @@
 /*	request before it is terminated by a built-in watchdog timer.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	sub-second delay values.
+/*	delay values.
 /* .IP "\fBexport_environment (see 'postconf -d' output)\fR"
 /*	The list of environment variables that a Postfix process will export
 /*	to non-Postfix processes.

postfix/src/smtp/smtp.c

@@ -172,6 +172,7 @@
 /*	RFC 6531 (Internationalized SMTP)
 /*	RFC 6533 (Internationalized Delivery Status Notifications)
 /*	RFC 7672 (SMTP security via opportunistic DANE TLS)
+/*	RFC 8689 (TLS-Required message header)
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8)
 /*	or \fBpostlogd\fR(8).
@@ -638,7 +639,8 @@
 /* .IP "\fBsmtp_tls_enable_rpk (no)\fR"
 /*	Request that remote SMTP servers send an RFC7250 raw public key
 /*	instead of an X.509 certificate.
-/* .PP Available in Postfix version 3.10 and later:
+/* .PP
+/*	Available in Postfix version 3.10 and later:
 /* .IP "\fBsmtp_tlsrpt_enable (no)\fR"
 /*	Enable support for RFC 8460 TLSRPT notifications.
 /* .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
@@ -648,6 +650,9 @@
 /*	Do not report the TLSRPT status for TLS protocol handshakes
 /*	that reuse a previously-negotiated TLS session (there is no new
 /*	information to report).
+/* .IP "\fBtls_required_enable (yes)\fR"
+/*	Enable support for the "TLS-Required: no" message header, defined
+/*	in RFC 8689.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi

postfix/src/smtp/smtp_connect.c

@@ -534,7 +534,7 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, SMTP_STATE *state)
      * the message contains a "TLS-Required: no" header, limit the level to
      * TLS_LEV_MAY.
      */
-    else if (tls->level > TLS_LEV_NONE
+    else if (var_tls_required_enable && tls->level > TLS_LEV_NONE
 	     && (state->request->sendopts & SOPT_REQUIRETLS_HEADER)) {
 	tls->level = TLS_LEV_MAY;
     }

postfix/src/util/Makefile.in

@@ -1391,6 +1391,14 @@ cidr_match.o: stringops.h
 cidr_match.o: sys_defs.h
 cidr_match.o: vbuf.h
 cidr_match.o: vstring.h
+clean_ascii_cntrl_space.o: check_arg.h
+clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c
+clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h
+clean_ascii_cntrl_space.o: stringops.h
+clean_ascii_cntrl_space.o: sys_defs.h
+clean_ascii_cntrl_space.o: vbuf.h
+clean_ascii_cntrl_space.o: vstream.h
+clean_ascii_cntrl_space.o: vstring.h
 clean_env.o: argv.h
 clean_env.o: check_arg.h
 clean_env.o: clean_env.c
@@ -2837,14 +2845,6 @@ trimblanks.o: sys_defs.h
 trimblanks.o: trimblanks.c
 trimblanks.o: vbuf.h
 trimblanks.o: vstring.h
-clean_ascii_cntrl_space.o: check_arg.h
-clean_ascii_cntrl_space.o: stringops.h
-clean_ascii_cntrl_space.o: sys_defs.h
-clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c
-clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h
-clean_ascii_cntrl_space.o: vbuf.h
-clean_ascii_cntrl_space.o: vstream.h
-clean_ascii_cntrl_space.o: vstring.h
 unescape.o: check_arg.h
 unescape.o: stringops.h
 unescape.o: sys_defs.h