postfix-3.10-20250202

postfix/HISTORY

@@ -28866,7 +28866,7 @@ Apologies for any names omitted.
 
 	Feature: support for the RFC 8689 "TLS-Required: no" message
 	header. This limits the Postfix SMTP client TLS security
-	level to "smtp_tls_security = may", which does not authenticate
+	level to "smtp_tls_security = may", which does not verify
 	remote SMTP server TLS certificates, and which allows falling
 	back to plaintext. This is needed for the delivery of
 	messages such as TLSRPT summaries, which should be sent
@@ -28898,3 +28898,24 @@ Apologies for any names omitted.
 
 	Debug: verbose logging for the tlsrpt_wrapper functions.
 	File: tls/tlsrpt_wrapper.c.
+
+20250201
+
+	Cleanup: simplified the code in cleanup_envelope_test.c.
+
+	Feature: configuration parameter "tls_required_enable
+	(default: yes) to control support for the "TLS-Required:
+	no" message header. Files: global/mail_params.[hc],
+	bounce/bounce.c, bounce/bounce_notify_util.c, cleanup/cleanup.c,
+	cleanup/cleanup_message.c, smtp/smtp.c, smtp/smtp_connect.c,
+	mantools/postlink.
+
+20250202
+
+	Documentation: edited for clarity. Files: pipe/pipe.c,
+	proto/postconf.proto.
+
+	Debug logging: cleanup/cleanup_api.c. tls/tlsrpt_wrapper.c.
+	proto/TLSRPT_README.html.
+
+	Postfix 3.10 code freeze.

postfix/README_FILES/TLSRPT_README

@@ -30,8 +30,8 @@ successful and failed SMTP over TLS connections to domain example.com, and to
 report those summaries via email to the specified address. Instead of mailto:,
 a policy may specify an https: destination.
 
-The high-level diagram below shows how TLS handshake success and failure events
+The diagram below shows how Postfix TLS handshake success and failure events
-from Postfix are collected and processed into daily summary reports.
+are collected and processed into daily summary reports.
 
      Postfix SMTP and      TLSRPT client     TLSRPT collector,    Email or HTTP
     TLS client engines -> library (linked ->   fetcher, and    ->   delivery

postfix/html/TLSRPT_README.html

@@ -55,9 +55,9 @@ summaries of successful and failed SMTP over TLS connections to domain
 specified address. Instead of <tt>mailto:</tt>, a policy may specify an
 <tt>https:</tt> destination. </p>
 
-<p> The high-level diagram below shows how TLS handshake success
+<p> The diagram below shows how Postfix TLS handshake success and
-and failure events from Postfix are collected and processed into
+failure events are collected and processed into daily summary
-daily summary reports.  </p>
+reports. </p>
 
 <blockquote>
 

postfix/html/bounce.8.html

@@ -166,6 +166,12 @@ BOUNCE(8)                                                            BOUNCE(8)
        <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
               The format of the Postfix-generated <b>From:</b> header.
 
+       Available in Postfix 3.10 and later:
+
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="files">FILES</a></b>
        /var/spool/postfix/bounce/* non-delivery records
        /var/spool/postfix/defer/* non-delivery records

postfix/html/cleanup.8.html

@@ -70,6 +70,7 @@ CLEANUP(8)                                                          CLEANUP(8)
        <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
        <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
        <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
+       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required: message header)
 
 <b><a name="diagnostics">DIAGNOSTICS</a></b>
        Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@@ -461,29 +462,36 @@ CLEANUP(8)                                                          CLEANUP(8)
               IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
               form that is used for DNS lookups.
 
+<b><a name="tls_support">TLS SUPPORT</a></b>
+       Available in Postfix version 3.10 and later:
+
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
               figuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How much time a Postfix daemon process  may  take  to  handle  a
+              How  much  time  a  Postfix  daemon process may take to handle a
               request before it is terminated by a built-in watchdog timer.
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number of digits after the decimal point when log-
+              The maximal number of digits after the decimal point  when  log-
               ging delay values.
 
        <b><a href="postconf.5.html#delay_warning_time">delay_warning_time</a> (0h)</b>
-              The time after which the sender receives a copy of  the  message
+              The  time  after which the sender receives a copy of the message
               headers of mail that is still queued.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
-              The  time  limit  for  sending  or receiving information over an
+              The time limit for sending  or  receiving  information  over  an
               internal communication channel.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The maximum amount of time that an idle Postfix  daemon  process
+              The  maximum  amount of time that an idle Postfix daemon process
               waits for an incoming connection before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@@ -494,7 +502,7 @@ CLEANUP(8)                                                          CLEANUP(8)
               The internet hostname of this mail system.
 
        <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
-              The  domain  name that locally-posted mail appears to come from,
+              The domain name that locally-posted mail appears to  come  from,
               and that locally posted mail is delivered to.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
@@ -507,21 +515,21 @@ CLEANUP(8)                                                          CLEANUP(8)
               The location of the Postfix top-level queue directory.
 
        <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
-              Safety net to keep mail queued that would otherwise be  returned
+              Safety  net to keep mail queued that would otherwise be returned
               to the sender.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              A  prefix  that  is  prepended  to  the  process  name in syslog
+              A prefix that  is  prepended  to  the  process  name  in  syslog
               records, so that, for example, "smtpd" becomes "prefix/smtpd".
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> (yes)</b>
-              Enable support for  the  original  recipient  address  after  an
+              Enable  support  for  the  original  recipient  address after an
-              address  is  rewritten  to a different address (for example with
+              address is rewritten to a different address  (for  example  with
               aliasing or with canonical mapping).
 
        Available in Postfix 3.3 and later:
@@ -532,14 +540,14 @@ CLEANUP(8)                                                          CLEANUP(8)
        Available in Postfix 3.5 and later:
 
        <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
-              The email address form that will be used  in  non-debug  logging
+              The  email  address  form that will be used in non-debug logging
               (info, warning, etc.).
 
        Available in Postfix 3.9 and later:
 
        <b><a href="postconf.5.html#force_mime_input_conversion">force_mime_input_conversion</a> (no)</b>
-              Convert  body content that claims to be 8-bit into quoted-print-
+              Convert body content that claims to be 8-bit into  quoted-print-
-              able, before <a href="postconf.5.html#header_checks">header_checks</a>,  <a href="postconf.5.html#body_checks">body_checks</a>,  Milters,  and  before
+              able,  before  <a href="postconf.5.html#header_checks">header_checks</a>,  <a href="postconf.5.html#body_checks">body_checks</a>,  Milters, and before
               after-queue content filters.
 
 <b><a name="files">FILES</a></b>

postfix/html/defer.8.html

@@ -166,6 +166,12 @@ BOUNCE(8)                                                            BOUNCE(8)
        <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
               The format of the Postfix-generated <b>From:</b> header.
 
+       Available in Postfix 3.10 and later:
+
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="files">FILES</a></b>
        /var/spool/postfix/bounce/* non-delivery records
        /var/spool/postfix/defer/* non-delivery records

postfix/html/lmtp.8.html

@@ -174,6 +174,7 @@ SMTP(8)                                                                SMTP(8)
        <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
        <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
        <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
+       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required message header)
 
 <b><a name="diagnostics">DIAGNOSTICS</a></b>
        Problems  and  transactions  are  logged  to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@@ -746,6 +747,8 @@ SMTP(8)                                                                SMTP(8)
               Request  that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
               instead of an X.509 certificate.
 
+       Available in Postfix version 3.10 and later:
+
        <b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b>
               Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications.
 
@@ -758,41 +761,45 @@ SMTP(8)                                                                SMTP(8)
               reuse a previously-negotiated  TLS  session  (there  is  no  new
               information to report).
 
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
-       The  following  configuration  parameters  exist for compatibility with
+       The following configuration parameters  exist  for  compatibility  with
-       Postfix versions before 2.3. Support for these will  be  removed  in  a
+       Postfix  versions  before  2.3.  Support for these will be removed in a
        future release.
 
        <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
-              Opportunistic  mode: use TLS when a remote SMTP server announces
+              Opportunistic mode: use TLS when a remote SMTP server  announces
               STARTTLS support, otherwise send the mail in the clear.
 
        <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
-              Enforcement mode: require  that  remote  SMTP  servers  use  TLS
+              Enforcement  mode:  require  that  remote  SMTP  servers use TLS
               encryption, and never send mail in the clear.
 
        <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
-              With  mandatory  TLS  encryption,  require  that the remote SMTP
+              With mandatory TLS encryption,  require  that  the  remote  SMTP
-              server hostname matches  the  information  in  the  remote  SMTP
+              server  hostname  matches  the  information  in  the remote SMTP
               server certificate.
 
        <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
-              Optional  lookup  tables  with the Postfix SMTP client TLS usage
+              Optional lookup tables with the Postfix SMTP  client  TLS  usage
-              policy by next-hop destination and by remote SMTP  server  host-
+              policy  by  next-hop destination and by remote SMTP server host-
               name.
 
        <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
-              Obsolete  Postfix  &lt; 2.3 control for the Postfix SMTP client TLS
+              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP  client  TLS
               cipher list.
 
 <b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
        <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
-              The Postfix SMTP client time limit for completing a TCP  connec-
+              The  Postfix SMTP client time limit for completing a TCP connec-
               tion, or zero (use the operating system built-in time limit).
 
        <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
-              The  Postfix SMTP client time limit for sending the HELO or EHLO
+              The Postfix SMTP client time limit for sending the HELO or  EHLO
-              command, and  for  receiving  the  initial  remote  SMTP  server
+              command,  and  for  receiving  the  initial  remote  SMTP server
               response.
 
        <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@@ -804,19 +811,19 @@ SMTP(8)                                                                SMTP(8)
               mand, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
-              The  Postfix  SMTP  client  time limit for sending the MAIL FROM
+              The Postfix SMTP client time limit for  sending  the  MAIL  FROM
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
-              The Postfix SMTP client time limit for sending the SMTP RCPT  TO
+              The  Postfix SMTP client time limit for sending the SMTP RCPT TO
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
-              The  Postfix  SMTP  client  time limit for sending the SMTP DATA
+              The Postfix SMTP client time limit for  sending  the  SMTP  DATA
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
-              The Postfix SMTP client time limit for sending the SMTP  message
+              The  Postfix SMTP client time limit for sending the SMTP message
               content.
 
        <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@@ -830,13 +837,13 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
-              The  maximal number of MX (mail exchanger) IP addresses that can
+              The maximal number of MX (mail exchanger) IP addresses that  can
-              result from Postfix SMTP client mail exchanger lookups, or  zero
+              result  from Postfix SMTP client mail exchanger lookups, or zero
               (no limit).
 
        <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
-              The  maximal number of SMTP sessions per delivery request before
+              The maximal number of SMTP sessions per delivery request  before
-              the Postfix SMTP client gives up  or  delivers  to  a  fall-back
+              the  Postfix  SMTP  client  gives  up or delivers to a fall-back
               <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
 
        <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@@ -846,17 +853,17 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.2 and earlier:
 
        <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
-              Keep Postfix LMTP client connections open for  up  to  $<a href="postconf.5.html#max_idle">max_idle</a>
+              Keep  Postfix  LMTP  client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
               seconds.
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
-              Permanently  enable  SMTP  connection  caching for the specified
+              Permanently enable SMTP connection  caching  for  the  specified
               destinations.
 
        <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
-              Temporarily enable SMTP connection caching while  a  destination
+              Temporarily  enable  SMTP connection caching while a destination
               has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
 
        <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@@ -870,23 +877,23 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
-              Time  limit for connection cache connect, send or receive opera-
+              Time limit for connection cache connect, send or receive  opera-
               tions.
 
        Available in Postfix version 2.9 - 3.6:
 
        <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
-              Change the behavior of the smtp_*_timeout time  limits,  from  a
+              Change  the  behavior  of the smtp_*_timeout time limits, from a
-              time  limit  per  read  or write system call, to a time limit to
+              time limit per read or write system call, to  a  time  limit  to
-              send or receive a complete record (an SMTP  command  line,  SMTP
+              send  or  receive  a complete record (an SMTP command line, SMTP
-              response  line,  SMTP message content line, or TLS protocol mes-
+              response line, SMTP message content line, or TLS  protocol  mes-
               sage).
 
        Available in Postfix version 2.11 and later:
 
        <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
-              When SMTP connection caching is enabled,  the  number  of  times
+              When  SMTP  connection  caching  is enabled, the number of times
-              that  an SMTP session may be reused before it is closed, or zero
+              that an SMTP session may be reused before it is closed, or  zero
               (no limit).
 
        Available in Postfix version 3.4 and later:
@@ -897,13 +904,13 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 3.7 and later:
 
        <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
-              Change the behavior of the smtp_*_timeout time  limits,  from  a
+              Change  the  behavior  of the smtp_*_timeout time limits, from a
-              time  limit  per  plaintext or TLS read or write call, to a com-
+              time limit per plaintext or TLS read or write call,  to  a  com-
-              bined time limit for sending a complete  SMTP  request  and  for
+              bined  time  limit  for  sending a complete SMTP request and for
               receiving a complete SMTP response.
 
        <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
-              The  minimum  plaintext  data  transfer rate in bytes/second for
+              The minimum plaintext data transfer  rate  in  bytes/second  for
               DATA    requests,    when    deadlines    are    enabled    with
               <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
 
@@ -911,54 +918,54 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a>   ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
        <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
-              A  transport-specific  override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+              A transport-specific override for  the  <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
               <a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
               name of the message delivery transport.
 
        <b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a>     ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
        <b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
               A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
-              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where  <i>transport</i>  is  the  <a href="master.5.html">master.cf</a>
+              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>  parameter  value,  where  <i>transport</i> is the <a href="master.5.html">master.cf</a>
               name of the message delivery transport.
 
 <b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
        Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
-              Enable  preliminary SMTPUTF8 support for the protocols described
+              Enable preliminary SMTPUTF8 support for the protocols  described
               in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
 
        <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
-              Detect that a message requires SMTPUTF8 support for  the  speci-
+              Detect  that  a message requires SMTPUTF8 support for the speci-
               fied mail origin classes.
 
        Available in Postfix version 3.2 and later:
 
        <b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
-              Enable   'transitional'   compatibility   between  IDNA2003  and
+              Enable  'transitional'  compatibility   between   IDNA2003   and
-              IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
+              IDNA2008,  when  converting UTF-8 domain names to/from the ASCII
               form that is used for DNS lookups.
 
 <b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
        <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The  increment  in verbose logging level when a nexthop destina-
+              The increment in verbose logging level when a  nexthop  destina-
-              tion, remote client or server name or network address matches  a
+              tion,  remote client or server name or network address matches a
               pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
 
        <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional  list  of  nexthop destination, remote client or server
+              Optional list of nexthop destination, remote  client  or  server
-              name or network address patterns that,  if  matched,  cause  the
+              name  or  network  address  patterns that, if matched, cause the
-              verbose  logging  level  to  increase by the amount specified in
+              verbose logging level to increase by  the  amount  specified  in
               $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
 
        <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The recipient of postmaster notifications  about  mail  delivery
+              The  recipient  of  postmaster notifications about mail delivery
               problems that are caused by policy, resource, software or proto-
               col errors.
 
        <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
-              What  categories  of  Postfix-generated  mail  are  subject   to
+              What   categories  of  Postfix-generated  mail  are  subject  to
-              before-queue    content    inspection    by   <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
+              before-queue   content    inspection    by    <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
               <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
 
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@@ -966,46 +973,46 @@ SMTP(8)                                                                SMTP(8)
 
 <b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
        <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
-              Where the Postfix  SMTP  client  should  deliver  mail  when  it
+              Where  the  Postfix  SMTP  client  should  deliver  mail when it
               detects a "mail loops back to myself" error condition.
 
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
               figuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How much time a Postfix daemon process  may  take  to  handle  a
+              How  much  time  a  Postfix  daemon process may take to handle a
               request before it is terminated by a built-in watchdog timer.
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number of digits after the decimal point when log-
+              The maximal number of digits after the decimal point  when  log-
               ging delay values.
 
        <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
               Disable DNS lookups in the Postfix SMTP and LMTP clients.
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
-              The local network interface  addresses  that  this  mail  system
+              The  local  network  interface  addresses  that this mail system
               receives mail on.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
-              The  Internet  protocols Postfix will attempt to use when making
+              The Internet protocols Postfix will attempt to use  when  making
               or accepting connections.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
-              The time limit for sending  or  receiving  information  over  an
+              The  time  limit  for  sending  or receiving information over an
               internal communication channel.
 
        <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
-              When  a remote LMTP server announces no DSN support, assume that
+              When a remote LMTP server announces no DSN support, assume  that
-              the server performs final delivery, and send "delivered"  deliv-
+              the  server performs final delivery, and send "delivered" deliv-
               ery status notifications instead of "relayed".
 
        <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
               The default TCP port that the Postfix LMTP client connects to.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount of time that an idle Postfix daemon process
+              The maximum amount of time that an idle Postfix  daemon  process
               waits for an incoming connection before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@@ -1019,21 +1026,21 @@ SMTP(8)                                                                SMTP(8)
               The process name of a Postfix command or daemon process.
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
-              The remote network interface addresses  that  this  mail  system
+              The  remote  network  interface  addresses that this mail system
-              receives  mail  on by way of a proxy or network address transla-
+              receives mail on by way of a proxy or network  address  transla-
               tion unit.
 
        <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
               The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
-              client  will  try  first,  when  a destination has IPv6 and IPv4
+              client will try first, when a  destination  has  IPv6  and  IPv4
               addresses with equal MX preference.
 
        <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
-              An optional numerical network  address  that  the  Postfix  SMTP
+              An  optional  numerical  network  address  that the Postfix SMTP
               client should bind to when making an IPv4 connection.
 
        <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
-              An  optional  numerical  network  address  that the Postfix SMTP
+              An optional numerical network  address  that  the  Postfix  SMTP
               client should bind to when making an IPv6 connection.
 
        <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@@ -1053,7 +1060,7 @@ SMTP(8)                                                                SMTP(8)
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              A  prefix  that  is  prepended  to  the  process  name in syslog
+              A prefix that  is  prepended  to  the  process  name  in  syslog
               records, so that, for example, "smtpd" becomes "prefix/smtpd".
 
        Available with Postfix 2.2 and earlier:
@@ -1065,14 +1072,14 @@ SMTP(8)                                                                SMTP(8)
        Available with Postfix 2.3 and later:
 
        <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
-              Optional  list  of  relay destinations that will be used when an
+              Optional list of relay destinations that will be  used  when  an
-              SMTP destination is not found, or when delivery fails due  to  a
+              SMTP  destination  is not found, or when delivery fails due to a
               non-permanent error.
 
        Available with Postfix 3.0 and later:
 
        <b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
-              In  the context of email address verification, the SMTP protocol
+              In the context of email address verification, the SMTP  protocol
               stage that determines whether an email address is deliverable.
 
        Available with Postfix 3.1 and later:
@@ -1094,7 +1101,7 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix 3.7 and later:
 
        <b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
-              Defer  delivery  when  the  Postfix SMTP client cannot apply the
+              Defer delivery when the Postfix SMTP  client  cannot  apply  the
               <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
 
 <b><a name="see_also">SEE ALSO</a></b>

postfix/html/pipe.8.html

@@ -170,6 +170,7 @@ PIPE(8)                                                                PIPE(8)
               as an argument by itself:
 
                   <i>Right</i>: command -f $sender -- $recipient
+
               NOTE: DO NOT put quotes around the command, $sender, or $recipi-
               ent.
 
@@ -422,7 +423,7 @@ PIPE(8)                                                                PIPE(8)
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
               The maximal number of digits after the decimal point  when  log-
-              ging sub-second delay values.
+              ging delay values.
 
        <b><a href="postconf.5.html#export_environment">export_environment</a> (see 'postconf -d' output)</b>
               The  list  of  environment variables that a Postfix process will

postfix/html/postconf.5.html

@@ -20603,6 +20603,23 @@ gives timeout errors.  </p>
 <p> This feature is available in Postfix 2.2 and later.  </p>
 
 
+</DD>
+
+<DT><b><a name="tls_required_enable">tls_required_enable</a>
+(default: yes)</b></DT><DD>
+
+<p> Enable support for the "TLS-Required: no" message header, defined
+in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. By adding this header to a message, a sender requests
+no enforcement of TLS policy. This limits the Postfix SMTP client
+TLS security level to "may", that is, do not verify remote SMTP
+server certificates, and fall back to plaintext if TLS is unavailable.
+If a message contains a "TLS-Required: no" header, then Postfix
+will add that header to a delivery status notification for that
+message. </p>
+
+<p> This feature is available in Postfix &ge; 3.10. </p>
+
+
 </DD>
 
 <DT><b><a name="tls_server_sni_maps">tls_server_sni_maps</a>

postfix/html/smtp.8.html

@@ -174,6 +174,7 @@ SMTP(8)                                                                SMTP(8)
        <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
        <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
        <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
+       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required message header)
 
 <b><a name="diagnostics">DIAGNOSTICS</a></b>
        Problems  and  transactions  are  logged  to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@@ -746,6 +747,8 @@ SMTP(8)                                                                SMTP(8)
               Request  that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
               instead of an X.509 certificate.
 
+       Available in Postfix version 3.10 and later:
+
        <b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b>
               Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications.
 
@@ -758,41 +761,45 @@ SMTP(8)                                                                SMTP(8)
               reuse a previously-negotiated  TLS  session  (there  is  no  new
               information to report).
 
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
-       The  following  configuration  parameters  exist for compatibility with
+       The following configuration parameters  exist  for  compatibility  with
-       Postfix versions before 2.3. Support for these will  be  removed  in  a
+       Postfix  versions  before  2.3.  Support for these will be removed in a
        future release.
 
        <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
-              Opportunistic  mode: use TLS when a remote SMTP server announces
+              Opportunistic mode: use TLS when a remote SMTP server  announces
               STARTTLS support, otherwise send the mail in the clear.
 
        <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
-              Enforcement mode: require  that  remote  SMTP  servers  use  TLS
+              Enforcement  mode:  require  that  remote  SMTP  servers use TLS
               encryption, and never send mail in the clear.
 
        <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
-              With  mandatory  TLS  encryption,  require  that the remote SMTP
+              With mandatory TLS encryption,  require  that  the  remote  SMTP
-              server hostname matches  the  information  in  the  remote  SMTP
+              server  hostname  matches  the  information  in  the remote SMTP
               server certificate.
 
        <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
-              Optional  lookup  tables  with the Postfix SMTP client TLS usage
+              Optional lookup tables with the Postfix SMTP  client  TLS  usage
-              policy by next-hop destination and by remote SMTP  server  host-
+              policy  by  next-hop destination and by remote SMTP server host-
               name.
 
        <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
-              Obsolete  Postfix  &lt; 2.3 control for the Postfix SMTP client TLS
+              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP  client  TLS
               cipher list.
 
 <b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
        <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
-              The Postfix SMTP client time limit for completing a TCP  connec-
+              The  Postfix SMTP client time limit for completing a TCP connec-
               tion, or zero (use the operating system built-in time limit).
 
        <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
-              The  Postfix SMTP client time limit for sending the HELO or EHLO
+              The Postfix SMTP client time limit for sending the HELO or  EHLO
-              command, and  for  receiving  the  initial  remote  SMTP  server
+              command,  and  for  receiving  the  initial  remote  SMTP server
               response.
 
        <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@@ -804,19 +811,19 @@ SMTP(8)                                                                SMTP(8)
               mand, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
-              The  Postfix  SMTP  client  time limit for sending the MAIL FROM
+              The Postfix SMTP client time limit for  sending  the  MAIL  FROM
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
-              The Postfix SMTP client time limit for sending the SMTP RCPT  TO
+              The  Postfix SMTP client time limit for sending the SMTP RCPT TO
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
-              The  Postfix  SMTP  client  time limit for sending the SMTP DATA
+              The Postfix SMTP client time limit for  sending  the  SMTP  DATA
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
-              The Postfix SMTP client time limit for sending the SMTP  message
+              The  Postfix SMTP client time limit for sending the SMTP message
               content.
 
        <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@@ -830,13 +837,13 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
-              The  maximal number of MX (mail exchanger) IP addresses that can
+              The maximal number of MX (mail exchanger) IP addresses that  can
-              result from Postfix SMTP client mail exchanger lookups, or  zero
+              result  from Postfix SMTP client mail exchanger lookups, or zero
               (no limit).
 
        <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
-              The  maximal number of SMTP sessions per delivery request before
+              The maximal number of SMTP sessions per delivery request  before
-              the Postfix SMTP client gives up  or  delivers  to  a  fall-back
+              the  Postfix  SMTP  client  gives  up or delivers to a fall-back
               <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
 
        <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@@ -846,17 +853,17 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.2 and earlier:
 
        <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
-              Keep Postfix LMTP client connections open for  up  to  $<a href="postconf.5.html#max_idle">max_idle</a>
+              Keep  Postfix  LMTP  client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
               seconds.
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
-              Permanently  enable  SMTP  connection  caching for the specified
+              Permanently enable SMTP connection  caching  for  the  specified
               destinations.
 
        <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
-              Temporarily enable SMTP connection caching while  a  destination
+              Temporarily  enable  SMTP connection caching while a destination
               has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
 
        <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@@ -870,23 +877,23 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
-              Time  limit for connection cache connect, send or receive opera-
+              Time limit for connection cache connect, send or receive  opera-
               tions.
 
        Available in Postfix version 2.9 - 3.6:
 
        <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
-              Change the behavior of the smtp_*_timeout time  limits,  from  a
+              Change  the  behavior  of the smtp_*_timeout time limits, from a
-              time  limit  per  read  or write system call, to a time limit to
+              time limit per read or write system call, to  a  time  limit  to
-              send or receive a complete record (an SMTP  command  line,  SMTP
+              send  or  receive  a complete record (an SMTP command line, SMTP
-              response  line,  SMTP message content line, or TLS protocol mes-
+              response line, SMTP message content line, or TLS  protocol  mes-
               sage).
 
        Available in Postfix version 2.11 and later:
 
        <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
-              When SMTP connection caching is enabled,  the  number  of  times
+              When  SMTP  connection  caching  is enabled, the number of times
-              that  an SMTP session may be reused before it is closed, or zero
+              that an SMTP session may be reused before it is closed, or  zero
               (no limit).
 
        Available in Postfix version 3.4 and later:
@@ -897,13 +904,13 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 3.7 and later:
 
        <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
-              Change the behavior of the smtp_*_timeout time  limits,  from  a
+              Change  the  behavior  of the smtp_*_timeout time limits, from a
-              time  limit  per  plaintext or TLS read or write call, to a com-
+              time limit per plaintext or TLS read or write call,  to  a  com-
-              bined time limit for sending a complete  SMTP  request  and  for
+              bined  time  limit  for  sending a complete SMTP request and for
               receiving a complete SMTP response.
 
        <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
-              The  minimum  plaintext  data  transfer rate in bytes/second for
+              The minimum plaintext data transfer  rate  in  bytes/second  for
               DATA    requests,    when    deadlines    are    enabled    with
               <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
 
@@ -911,54 +918,54 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a>   ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
        <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
-              A  transport-specific  override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+              A transport-specific override for  the  <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
               <a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
               name of the message delivery transport.
 
        <b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a>     ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
        <b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
               A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
-              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where  <i>transport</i>  is  the  <a href="master.5.html">master.cf</a>
+              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>  parameter  value,  where  <i>transport</i> is the <a href="master.5.html">master.cf</a>
               name of the message delivery transport.
 
 <b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
        Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
-              Enable  preliminary SMTPUTF8 support for the protocols described
+              Enable preliminary SMTPUTF8 support for the protocols  described
               in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
 
        <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
-              Detect that a message requires SMTPUTF8 support for  the  speci-
+              Detect  that  a message requires SMTPUTF8 support for the speci-
               fied mail origin classes.
 
        Available in Postfix version 3.2 and later:
 
        <b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
-              Enable   'transitional'   compatibility   between  IDNA2003  and
+              Enable  'transitional'  compatibility   between   IDNA2003   and
-              IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
+              IDNA2008,  when  converting UTF-8 domain names to/from the ASCII
               form that is used for DNS lookups.
 
 <b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
        <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The  increment  in verbose logging level when a nexthop destina-
+              The increment in verbose logging level when a  nexthop  destina-
-              tion, remote client or server name or network address matches  a
+              tion,  remote client or server name or network address matches a
               pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
 
        <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional  list  of  nexthop destination, remote client or server
+              Optional list of nexthop destination, remote  client  or  server
-              name or network address patterns that,  if  matched,  cause  the
+              name  or  network  address  patterns that, if matched, cause the
-              verbose  logging  level  to  increase by the amount specified in
+              verbose logging level to increase by  the  amount  specified  in
               $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
 
        <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The recipient of postmaster notifications  about  mail  delivery
+              The  recipient  of  postmaster notifications about mail delivery
               problems that are caused by policy, resource, software or proto-
               col errors.
 
        <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
-              What  categories  of  Postfix-generated  mail  are  subject   to
+              What   categories  of  Postfix-generated  mail  are  subject  to
-              before-queue    content    inspection    by   <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
+              before-queue   content    inspection    by    <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
               <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
 
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@@ -966,46 +973,46 @@ SMTP(8)                                                                SMTP(8)
 
 <b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
        <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
-              Where the Postfix  SMTP  client  should  deliver  mail  when  it
+              Where  the  Postfix  SMTP  client  should  deliver  mail when it
               detects a "mail loops back to myself" error condition.
 
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
               figuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How much time a Postfix daemon process  may  take  to  handle  a
+              How  much  time  a  Postfix  daemon process may take to handle a
               request before it is terminated by a built-in watchdog timer.
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number of digits after the decimal point when log-
+              The maximal number of digits after the decimal point  when  log-
               ging delay values.
 
        <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
               Disable DNS lookups in the Postfix SMTP and LMTP clients.
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
-              The local network interface  addresses  that  this  mail  system
+              The  local  network  interface  addresses  that this mail system
               receives mail on.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
-              The  Internet  protocols Postfix will attempt to use when making
+              The Internet protocols Postfix will attempt to use  when  making
               or accepting connections.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
-              The time limit for sending  or  receiving  information  over  an
+              The  time  limit  for  sending  or receiving information over an
               internal communication channel.
 
        <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
-              When  a remote LMTP server announces no DSN support, assume that
+              When a remote LMTP server announces no DSN support, assume  that
-              the server performs final delivery, and send "delivered"  deliv-
+              the  server performs final delivery, and send "delivered" deliv-
               ery status notifications instead of "relayed".
 
        <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
               The default TCP port that the Postfix LMTP client connects to.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount of time that an idle Postfix daemon process
+              The maximum amount of time that an idle Postfix  daemon  process
               waits for an incoming connection before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@@ -1019,21 +1026,21 @@ SMTP(8)                                                                SMTP(8)
               The process name of a Postfix command or daemon process.
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
-              The remote network interface addresses  that  this  mail  system
+              The  remote  network  interface  addresses that this mail system
-              receives  mail  on by way of a proxy or network address transla-
+              receives mail on by way of a proxy or network  address  transla-
               tion unit.
 
        <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
               The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
-              client  will  try  first,  when  a destination has IPv6 and IPv4
+              client will try first, when a  destination  has  IPv6  and  IPv4
               addresses with equal MX preference.
 
        <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
-              An optional numerical network  address  that  the  Postfix  SMTP
+              An  optional  numerical  network  address  that the Postfix SMTP
               client should bind to when making an IPv4 connection.
 
        <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
-              An  optional  numerical  network  address  that the Postfix SMTP
+              An optional numerical network  address  that  the  Postfix  SMTP
               client should bind to when making an IPv6 connection.
 
        <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@@ -1053,7 +1060,7 @@ SMTP(8)                                                                SMTP(8)
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              A  prefix  that  is  prepended  to  the  process  name in syslog
+              A prefix that  is  prepended  to  the  process  name  in  syslog
               records, so that, for example, "smtpd" becomes "prefix/smtpd".
 
        Available with Postfix 2.2 and earlier:
@@ -1065,14 +1072,14 @@ SMTP(8)                                                                SMTP(8)
        Available with Postfix 2.3 and later:
 
        <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
-              Optional  list  of  relay destinations that will be used when an
+              Optional list of relay destinations that will be  used  when  an
-              SMTP destination is not found, or when delivery fails due  to  a
+              SMTP  destination  is not found, or when delivery fails due to a
               non-permanent error.
 
        Available with Postfix 3.0 and later:
 
        <b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
-              In  the context of email address verification, the SMTP protocol
+              In the context of email address verification, the SMTP  protocol
               stage that determines whether an email address is deliverable.
 
        Available with Postfix 3.1 and later:
@@ -1094,7 +1101,7 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix 3.7 and later:
 
        <b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
-              Defer  delivery  when  the  Postfix SMTP client cannot apply the
+              Defer delivery when the Postfix SMTP  client  cannot  apply  the
               <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
 
 <b><a name="see_also">SEE ALSO</a></b>

postfix/html/trace.8.html

@@ -166,6 +166,12 @@ BOUNCE(8)                                                            BOUNCE(8)
        <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
               The format of the Postfix-generated <b>From:</b> header.
 
+       Available in Postfix 3.10 and later:
+
+       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
+              Enable  support  for  the  "TLS-Required:  no"  message  header,
+              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+
 <b><a name="files">FILES</a></b>
        /var/spool/postfix/bounce/* non-delivery records
        /var/spool/postfix/defer/* non-delivery records

postfix/man/man5/postconf.5

@@ -14331,6 +14331,17 @@ Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom
 gives timeout errors.
 .PP
 This feature is available in Postfix 2.2 and later.
+.SH tls_required_enable (default: yes)
+Enable support for the "TLS\-Required: no" message header, defined
+in RFC 8689. By adding this header to a message, a sender requests
+no enforcement of TLS policy. This limits the Postfix SMTP client
+TLS security level to "may", that is, do not verify remote SMTP
+server certificates, and fall back to plaintext if TLS is unavailable.
+If a message contains a "TLS\-Required: no" header, then Postfix
+will add that header to a delivery status notification for that
+message.
+.PP
+This feature is available in Postfix >= 3.10.
 .SH tls_server_sni_maps (default: empty)
 Optional lookup tables that map names received from remote SMTP
 clients via the TLS Server Name Indication (SNI) extension to the

postfix/man/man8/bounce.8

@@ -146,6 +146,11 @@ header with the original Message\-ID value.
 Available in Postfix 3.7 and later:
 .IP "\fBheader_from_format (standard)\fR"
 The format of the Postfix\-generated \fBFrom:\fR header.
+.PP
+Available in Postfix 3.10 and later:
+.IP "\fBtls_required_enable (yes)\fR"
+Enable support for the "TLS\-Required: no" message header, defined
+in RFC 8689.
 .SH "FILES"
 .na
 .nf

postfix/man/man8/cleanup.8

@@ -78,6 +78,7 @@ RFC 2822 (Internet Message Format)
 RFC 3463 (Enhanced Status Codes)
 RFC 3464 (Delivery status notifications)
 RFC 5322 (Internet Message Format)
+RFC 8689 (TLS\-Required: message header)
 .SH DIAGNOSTICS
 .ad
 .fi
@@ -422,6 +423,15 @@ Available in Postfix version 3.2 and later:
 Enable 'transitional' compatibility between IDNA2003 and IDNA2008,
 when converting UTF\-8 domain names to/from the ASCII form that is
 used for DNS lookups.
+.SH "TLS SUPPORT"
+.na
+.nf
+.ad
+.fi
+Available in Postfix version 3.10 and later:
+.IP "\fBtls_required_enable (yes)\fR"
+Enable support for the "TLS\-Required: no" message header, defined
+in RFC 8689.
 .SH "MISCELLANEOUS CONTROLS"
 .na
 .nf

postfix/man/man8/pipe.8

@@ -180,6 +180,7 @@ specify \fB$sender\fR as an argument by itself:
 .nf
     \fIRight\fR: command \-f $sender \-\- $recipient
 .fi
+.IP
 NOTE: DO NOT put quotes around the command, $sender, or $recipient.
 .IP
 This feature is available as of Postfix 2.3.
@@ -412,7 +413,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBexport_environment (see 'postconf -d' output)\fR"
 The list of environment variables that a Postfix process will export
 to non\-Postfix processes.

postfix/man/man8/smtp.8

@@ -190,6 +190,7 @@ RFC 5321 (SMTP protocol)
 RFC 6531 (Internationalized SMTP)
 RFC 6533 (Internationalized Delivery Status Notifications)
 RFC 7672 (SMTP security via opportunistic DANE TLS)
+RFC 8689 (TLS\-Required message header)
 .SH DIAGNOSTICS
 .ad
 .fi
@@ -672,7 +673,8 @@ Available in Postfix version 3.9 and later:
 .IP "\fBsmtp_tls_enable_rpk (no)\fR"
 Request that remote SMTP servers send an RFC7250 raw public key
 instead of an X.509 certificate.
-.PP Available in Postfix version 3.10 and later:
+.PP
+Available in Postfix version 3.10 and later:
 .IP "\fBsmtp_tlsrpt_enable (no)\fR"
 Enable support for RFC 8460 TLSRPT notifications.
 .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
@@ -682,6 +684,9 @@ by a local TLSRPT reporting service.
 Do not report the TLSRPT status for TLS protocol handshakes
 that reuse a previously\-negotiated TLS session (there is no new
 information to report).
+.IP "\fBtls_required_enable (yes)\fR"
+Enable support for the "TLS\-Required: no" message header, defined
+in RFC 8689.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf

postfix/mantools/postlink

@@ -1186,6 +1186,7 @@ while (<>) {
     s;\ballow_srv_lookup_fallback\b;<a href="postconf.5.html#allow_srv_lookup_fallback">$&</a>;g;
     s;\bignore_srv_lookup_error\b;<a href="postconf.5.html#ignore_srv_lookup_error">$&</a>;g;
 
+    s;\btls_required_enable\b;<a href="postconf.5.html#tls_required_enable">$&</a>;g;
     s;\bfull_name_encoding_charset\b;<a href="postconf.5.html#full_name_encoding_charset">$&</a>;g;
 
     # Service-defined parameters...

postfix/proto/TLSRPT_README.html

@@ -55,9 +55,9 @@ summaries of successful and failed SMTP over TLS connections to domain
 specified address. Instead of <tt>mailto:</tt>, a policy may specify an
 <tt>https:</tt> destination. </p>
 
-<p> The high-level diagram below shows how TLS handshake success
+<p> The diagram below shows how Postfix TLS handshake success and
-and failure events from Postfix are collected and processed into
+failure events are collected and processed into daily summary
-daily summary reports.  </p>
+reports. </p>
 
 <blockquote>
 

postfix/proto/postconf.proto

@@ -19473,3 +19473,16 @@ skip the full name. </p>
 including the netstring encapsulation. </p>
 
 <p> This feature is available in Postfix &ge; 3.10. </p>
+
+%PARAM tls_required_enable yes
+
+<p> Enable support for the "TLS-Required: no" message header, defined
+in RFC 8689. By adding this header to a message, a sender requests
+no enforcement of TLS policy. This limits the Postfix SMTP client
+TLS security level to "may", that is, do not verify remote SMTP
+server certificates, and fall back to plaintext if TLS is unavailable.
+If a message contains a "TLS-Required: no" header, then Postfix
+will add that header to a delivery status notification for that
+message. </p>
+
+<p> This feature is available in Postfix &ge; 3.10. </p>

postfix/proto/stop.double-history

@@ -159,3 +159,4 @@ proto  proto socketmap_table
  qmgr qmgr_deliver c qmgr qmgr_message c qmqpd qmqpd c 
  smtp smtp_proto c smtpd smtpd c verify verify c 
  operations Files cleanup cleanup h cleanup cleanup_message c 
+ proto postconf proto pipe pipe c 

postfix/proto/stop.spell-cc

@@ -1857,3 +1857,4 @@ cntrl
 TINYCDB
 getdata
 XXXSENDOPTS
+xtra

postfix/src/bounce/bounce.c

@@ -134,6 +134,11 @@
 /*	Available in Postfix 3.7 and later:
 /* .IP "\fBheader_from_format (standard)\fR"
 /*	The format of the Postfix-generated \fBFrom:\fR header.
+/* .PP
+/*	Available in Postfix 3.10 and later:
+/* .IP "\fBtls_required_enable (yes)\fR"
+/*	Enable support for the "TLS-Required: no" message header, defined
+/*	in RFC 8689.
 /* FILES
 /*	/var/spool/postfix/bounce/* non-delivery records
 /*	/var/spool/postfix/defer/* non-delivery records

postfix/src/bounce/bounce_notify_util.c

@@ -533,6 +533,13 @@ int     bounce_header(VSTREAM *bounce, BOUNCE_INFO *bounce_info,
 	post_mail_fprintf(bounce, "In-Reply-To: %s", STR(bounce_info->orig_msgid));
     }
 
+    /*
+     * Trade confidentiality against availability.
+     */
+    if (var_tls_required_enable
+	&& (bounce_info->sendopts & SOPT_REQUIRETLS_HEADER) != 0)
+	post_mail_fprintf(bounce, "TLS-Required: no");
+
     /*
      * Auto-Submitted header, as per RFC 3834.
      */

postfix/src/cleanup/cleanup.c

@@ -70,6 +70,7 @@
 /*	RFC 3463 (Enhanced Status Codes)
 /*	RFC 3464 (Delivery status notifications)
 /*	RFC 5322 (Internet Message Format)
+/*	RFC 8689 (TLS-Required: message header)
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8)
 /*	or \fBpostlogd\fR(8).
@@ -390,6 +391,13 @@
 /*	Enable 'transitional' compatibility between IDNA2003 and IDNA2008,
 /*	when converting UTF-8 domain names to/from the ASCII form that is
 /*	used for DNS lookups.
+/* TLS SUPPORT
+/* .ad
+/* .fi
+/*	Available in Postfix version 3.10 and later:
+/* .IP "\fBtls_required_enable (yes)\fR"
+/*	Enable support for the "TLS-Required: no" message header, defined
+/*	in RFC 8689.
 /* MISCELLANEOUS CONTROLS
 /* .ad
 /* .fi

postfix/src/cleanup/cleanup_api.c

@@ -202,7 +202,7 @@ void    cleanup_control(CLEANUP_STATE *state, int flags)
      * definition.
      */
     if (msg_verbose)
-	msg_info("cleanup flags = %s", cleanup_strflags(flags));
+	msg_info("client flags = %s", cleanup_strflags(flags));
     if ((state->flags = flags) & CLEANUP_FLAG_BOUNCE) {
 	state->err_mask = CLEANUP_STAT_MASK_INCOMPLETE;
     } else {
@@ -211,6 +211,8 @@ void    cleanup_control(CLEANUP_STATE *state, int flags)
     if (state->flags & CLEANUP_FLAG_SMTPUTF8)
 	state->sendopts |= SMTPUTF8_FLAG_REQUESTED;
     /* TODO(wietse) REQUIRETLS. */
+    if (msg_verbose)
+	msg_info("server flags = %s", cleanup_strflags(state->flags));
 }
 
 /* cleanup_flush - finish queue file */

postfix/src/cleanup/cleanup_envelope_test.c

@@ -5,7 +5,6 @@
 #include <sys_defs.h>
 #include <string.h>
 #include <stdlib.h>
-#include <stdio.h>			/* ssscanf() */
 #include <ctype.h>
 
  /*
@@ -20,7 +19,6 @@
  /*
   * Global library.
   */
-#include <been_here.h>
 #include <record.h>
 #include <rec_type.h>
 #include <cleanup_user.h>
@@ -135,10 +133,8 @@ static int overrides_size_fields(const TEST_CASE *tp)
      * Process the test SIZE record payload, clear some bits from the
      * sendopts field, and write an all-zeroes preliminary SIZE record.
      */
-    VSTRING *output_stream_buf = vstring_alloc(100);
+    if ((state->dst = vstream_fopen("/dev/null", O_WRONLY, 0)) == 0) {
-
+	msg_warn("vstream_fopen(\"/dev/null\", O_WRONLY, 0): %m");
-    if ((state->dst = vstream_memopen(output_stream_buf, O_WRONLY)) == 0) {
-	msg_warn("vstream_memopen(output_stream_buf, O_WRONLY): %m");
 	return (FAIL);
     }
     cleanup_envelope(state, REC_TYPE_SIZE, vstring_str(input_buf),
@@ -151,94 +147,50 @@ static int overrides_size_fields(const TEST_CASE *tp)
     }
     vstring_free(input_buf);
     input_buf = 0;
-
-    /*
-     * Overwrite the SIZE record with an updated version that includes the
-     * modified sendopts field.
-     */
-    cleanup_final(state);
-    if (state->errs != CLEANUP_STAT_OK) {
-	msg_warn("cleanup_final: got: '%s', want: '%s'",
-		 cleanup_strerror(state->errs),
-		 cleanup_strerror(CLEANUP_STAT_OK));
-	return (FAIL);
-    }
     (void) vstream_fclose(state->dst);
     state->dst = 0;
 
     /*
-     * Read the final SIZE record content. This normally happens in the queue
+     * Compare the updated state against the expected content. We expect that
-     * manager, and in the pickup daemon after a message is re-queued.
+     * the fields for xtra_offset, data_offset, rcpt_count, qmgr_opts, and
+     * cont_length, are consistent with the saved CLEANUP_STATE, and we
+     * expect to see a specific value for the sendopts field that was
+     * assigned in cleanup_envelope().
      */
-    VSTREAM *fp;
+    if (state->xtra_offset != saved_state.xtra_offset) {
-
+	msg_warn("state->xtra_offset: got %ld, want: %ld",
-    if ((fp = vstream_memopen(output_stream_buf, O_RDONLY)) == 0) {
+		 (long) state->xtra_offset, (long) saved_state.xtra_offset);
-	msg_warn("vstream_memopen(output_stream_buf, O_RDONLY): %m");
 	return (FAIL);
     }
-    VSTRING *got_size_payload = vstring_alloc(VSTRING_LEN(output_stream_buf));
+    if (state->data_offset != saved_state.data_offset) {
-    int     got_rec_type;
+	msg_warn("state->data_offset: got %ld, want: %ld",
-
+		 (long) state->data_offset, (long) saved_state.data_offset);
-    if ((got_rec_type = rec_get(fp, got_size_payload, 0)) != REC_TYPE_SIZE) {
-	msg_warn("rec_get: got: %s, want: %s",
-		 rec_type_name(got_rec_type), rec_type_name(REC_TYPE_SIZE));
 	return (FAIL);
     }
-    (void) vstream_fclose(fp);
+    if (state->rcpt_count != saved_state.rcpt_count) {
-    vstring_free(output_stream_buf);
+	msg_warn("state->rcpt_count: got: %ld, want: %ld",
-
+		 (long) state->rcpt_count, (long) saved_state.rcpt_count);
-    /*
-     * Compare the stored SIZE record content against the expected content.
-     * We expect that the fields for data_size, data_offset, rcpt_count,
-     * qmgr_opts, and cont_length, are consistent with the saved
-     * CLEANUP_STATE, and we expect to see a specific value for the sendopts
-     * field that was made by cleanup_envelope().
-     */
-    int     got_conv;
-    long    data_size, data_offset, cont_length;
-    int     rcpt_count, qmgr_opts, sendopts;
-
-    if ((got_conv = sscanf(vstring_str(got_size_payload), "%ld %ld %d %d %ld %d",
-			   &data_size, &data_offset, &rcpt_count, &qmgr_opts,
-			   &cont_length, &sendopts)) != 6) {
-	msg_warn("sscanf SIZE record fields: got: %d, want 6", got_conv);
 	return (FAIL);
     }
-    if (data_size != saved_state.xtra_offset - saved_state.data_offset) {
+    if (state->qmgr_opts != saved_state.qmgr_opts) {
-	msg_warn("SIZE.data_size: got %ld, want: %ld", (long) data_size,
+	msg_warn("state=>qmgr_opts: got: %d, want: %d",
-		 (long) (saved_state.xtra_offset - saved_state.data_offset));
+		 state->qmgr_opts, saved_state.qmgr_opts);
 	return (FAIL);
     }
-    if (data_offset != saved_state.data_offset) {
+    if (state->cont_length != saved_state.cont_length) {
-	msg_warn("SIZE.data_offset: got %ld, want: %ld", (long) data_offset,
+	msg_warn("state->cont_length: got %ld, want: %ld",
-		 (long) saved_state.data_offset);
+		 (long) state->cont_length, (long) saved_state.cont_length);
 	return (FAIL);
     }
-    if (rcpt_count != saved_state.rcpt_count) {
+    if (state->sendopts != (SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED)) {
-	msg_warn("SIZE.rcpt_count: got: %d, want: %d", rcpt_count,
+	msg_warn("state->sendopts: got: 0x%x, want: 0x%x",
-		 (int) saved_state.rcpt_count);
+		 state->sendopts, SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED);
-	return (FAIL);
-    }
-    if (qmgr_opts != saved_state.qmgr_opts) {
-	msg_warn("SIZE.qmgr_opts: got: %d, want: %d", qmgr_opts,
-		 saved_state.qmgr_opts);
-	return (FAIL);
-    }
-    if (cont_length != saved_state.cont_length) {
-	msg_warn("SIZE.cont_length: got %ld, want: %ld", (long) cont_length,
-		 (long) saved_state.cont_length);
-	return (FAIL);
-    }
-    if (sendopts != (SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED)) {
-	msg_warn("SIZE.sendopts: got: 0x%x, want: 0x%x",
-		 sendopts, SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED);
 	return (FAIL);
     }
 
     /*
      * Cleanup.
      */
-    vstring_free(got_size_payload);
     cleanup_state_free(state);
     return (PASS);
 }

postfix/src/cleanup/cleanup_message.c

@@ -653,7 +653,7 @@ static void cleanup_header_callback(void *context, int header_class,
 	    if (state->hop_count == 1)
 		argv_add(state->auto_hdrs, vstring_str(header_buf), ARGV_END);
 	}
-	if (hdr_opts->type == HDR_TLS_REQUIRED) {
+	if (hdr_opts->type == HDR_TLS_REQUIRED && var_tls_required_enable) {
 	    char   *cp = vstring_str(header_buf) + strlen(hdr_opts->name) + 1;
 
 	    while (ISSPACE(*cp))

postfix/src/global/mail_params.c

@@ -125,9 +125,10 @@
 /*	bool	var_long_queue_ids;
 /*	bool	var_daemon_open_fatal;
 /*	char	*var_dsn_filter;
-/*	int	var_smtputf8_enable
+/*	int	var_smtputf8_enable;
 /*	int	var_strict_smtputf8;
 /*	char	*var_smtputf8_autoclass;
+/*	int	var_tls_required_enable;
 /*	int     var_idna2003_compat;
 /*	char	*var_compatibility_level;
 /*	char	*var_drop_hdrs;
@@ -369,6 +370,7 @@ char   *var_dsn_filter;
 int     var_smtputf8_enable;
 int     var_strict_smtputf8;
 char   *var_smtputf8_autoclass;
+int     var_tls_required_enable;
 int     var_idna2003_compat;
 char   *var_compatibility_level;
 char   *var_drop_hdrs;
@@ -755,6 +757,7 @@ void    mail_params_init()
 	VAR_SMTPUTF8_ENABLE, DEF_SMTPUTF8_ENABLE, &var_smtputf8_enable,
 	VAR_IDNA2003_COMPAT, DEF_IDNA2003_COMPAT, &var_idna2003_compat,
 	VAR_RESPECTFUL_LOGGING, DEF_RESPECTFUL_LOGGING, &var_respectful_logging,
+	VAR_TLSREQUIRED_ENABLE, DEF_TLSREQUIRED_ENABLE, &var_tls_required_enable,
 	0,
     };
     static const CONFIG_STR_FN_TABLE function_str_defaults[] = {

postfix/src/global/mail_params.h

@@ -4376,6 +4376,13 @@ extern char *var_smtputf8_autoclass;
 #define DEF_IDNA2003_COMPAT		"no"
 extern int var_idna2003_compat;
 
+ /*
+  * REQUIRETLS support (RFC 8689).
+  */
+#define VAR_TLSREQUIRED_ENABLE		"tls_required_enable"
+#define DEF_TLSREQUIRED_ENABLE		"yes"
+extern int var_tls_required_enable;
+
  /*
   * Workaround for future incompatibility. Our implementation of RFC 2308
   * negative reply caching relies on the promise that res_query() and

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20250131"
+#define MAIL_RELEASE_DATE	"20250202"
 #define MAIL_VERSION_NUMBER	"3.10"
 
 #ifdef SNAPSHOT

postfix/src/pipe/pipe.c

@@ -170,7 +170,8 @@
 /* .nf
 /*	    \fIRight\fR: command -f $sender -- $recipient
 /* .fi
-/* NOTE: DO NOT put quotes around the command, $sender, or $recipient.
+/* .IP
+/*	NOTE: DO NOT put quotes around the command, $sender, or $recipient.
 /* .IP
 /*	This feature is available as of Postfix 2.3.
 /* .IP "\fBsize\fR=\fIsize_limit\fR (optional)"
@@ -390,7 +391,7 @@
 /*	request before it is terminated by a built-in watchdog timer.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	sub-second delay values.
+/*	delay values.
 /* .IP "\fBexport_environment (see 'postconf -d' output)\fR"
 /*	The list of environment variables that a Postfix process will export
 /*	to non-Postfix processes.

postfix/src/smtp/smtp.c

@@ -172,6 +172,7 @@
 /*	RFC 6531 (Internationalized SMTP)
 /*	RFC 6533 (Internationalized Delivery Status Notifications)
 /*	RFC 7672 (SMTP security via opportunistic DANE TLS)
+/*	RFC 8689 (TLS-Required message header)
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8)
 /*	or \fBpostlogd\fR(8).
@@ -638,7 +639,8 @@
 /* .IP "\fBsmtp_tls_enable_rpk (no)\fR"
 /*	Request that remote SMTP servers send an RFC7250 raw public key
 /*	instead of an X.509 certificate.
-/* .PP Available in Postfix version 3.10 and later:
+/* .PP
+/*	Available in Postfix version 3.10 and later:
 /* .IP "\fBsmtp_tlsrpt_enable (no)\fR"
 /*	Enable support for RFC 8460 TLSRPT notifications.
 /* .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
@@ -648,6 +650,9 @@
 /*	Do not report the TLSRPT status for TLS protocol handshakes
 /*	that reuse a previously-negotiated TLS session (there is no new
 /*	information to report).
+/* .IP "\fBtls_required_enable (yes)\fR"
+/*	Enable support for the "TLS-Required: no" message header, defined
+/*	in RFC 8689.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi

postfix/src/smtp/smtp_connect.c

@@ -534,7 +534,7 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, SMTP_STATE *state)
      * the message contains a "TLS-Required: no" header, limit the level to
      * TLS_LEV_MAY.
      */
-    else if (tls->level > TLS_LEV_NONE
+    else if (var_tls_required_enable && tls->level > TLS_LEV_NONE
 	     && (state->request->sendopts & SOPT_REQUIRETLS_HEADER)) {
 	tls->level = TLS_LEV_MAY;
     }

postfix/src/util/Makefile.in

@@ -1391,6 +1391,14 @@ cidr_match.o: stringops.h
 cidr_match.o: sys_defs.h
 cidr_match.o: vbuf.h
 cidr_match.o: vstring.h
+clean_ascii_cntrl_space.o: check_arg.h
+clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c
+clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h
+clean_ascii_cntrl_space.o: stringops.h
+clean_ascii_cntrl_space.o: sys_defs.h
+clean_ascii_cntrl_space.o: vbuf.h
+clean_ascii_cntrl_space.o: vstream.h
+clean_ascii_cntrl_space.o: vstring.h
 clean_env.o: argv.h
 clean_env.o: check_arg.h
 clean_env.o: clean_env.c
@@ -2837,14 +2845,6 @@ trimblanks.o: sys_defs.h
 trimblanks.o: trimblanks.c
 trimblanks.o: vbuf.h
 trimblanks.o: vstring.h
-clean_ascii_cntrl_space.o: check_arg.h
-clean_ascii_cntrl_space.o: stringops.h
-clean_ascii_cntrl_space.o: sys_defs.h
-clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c
-clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h
-clean_ascii_cntrl_space.o: vbuf.h
-clean_ascii_cntrl_space.o: vstream.h
-clean_ascii_cntrl_space.o: vstring.h
 unescape.o: check_arg.h
 unescape.o: stringops.h
 unescape.o: sys_defs.h