mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 09:57:34 +00:00
Code Issues Releases Wiki Activity

postfix-3.10-20250202

Browse Source
This commit is contained in:
Wietse Z Venema 2025-02-02 00:00:00 -05:00 committed by Viktor Dukhovni
parent 592931cd01
commit 70fe1107cf
34 changed files with 368 additions and 251 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
postfix/HISTORY
View File

@ -28866,7 +28866,7 @@ Apologies for any names omitted.
Feature: support for the RFC 8689 "TLS-Required: no" message
header. This limits the Postfix SMTP client TLS security
level to "smtp_tls_security = may", which does not authenticate
level to "smtp_tls_security = may", which does not verify
remote SMTP server TLS certificates, and which allows falling
back to plaintext. This is needed for the delivery of
messages such as TLSRPT summaries, which should be sent
@ -28898,3 +28898,24 @@ Apologies for any names omitted.
Debug: verbose logging for the tlsrpt_wrapper functions.
File: tls/tlsrpt_wrapper.c.
20250201
Cleanup: simplified the code in cleanup_envelope_test.c.
Feature: configuration parameter "tls_required_enable
(default: yes) to control support for the "TLS-Required:
no" message header. Files: global/mail_params.[hc],
bounce/bounce.c, bounce/bounce_notify_util.c, cleanup/cleanup.c,
cleanup/cleanup_message.c, smtp/smtp.c, smtp/smtp_connect.c,
mantools/postlink.
20250202
Documentation: edited for clarity. Files: pipe/pipe.c,
proto/postconf.proto.
Debug logging: cleanup/cleanup_api.c. tls/tlsrpt_wrapper.c.
proto/TLSRPT_README.html.
Postfix 3.10 code freeze.

4
postfix/README_FILES/TLSRPT_README
View File

@ -30,8 +30,8 @@ successful and failed SMTP over TLS connections to domain example.com, and to
report those summaries via email to the specified address. Instead of mailto:,
a policy may specify an https: destination.
The high-level diagram below shows how TLS handshake success and failure events
from Postfix are collected and processed into daily summary reports.
The diagram below shows how Postfix TLS handshake success and failure events
are collected and processed into daily summary reports.
Postfix SMTP and TLSRPT client TLSRPT collector, Email or HTTP
TLS client engines -> library (linked -> fetcher, and -> delivery

6
postfix/html/TLSRPT_README.html
View File

@ -55,9 +55,9 @@ summaries of successful and failed SMTP over TLS connections to domain
specified address. Instead of <tt>mailto:</tt>, a policy may specify an
<tt>https:</tt> destination. </p>
<p> The high-level diagram below shows how TLS handshake success
and failure events from Postfix are collected and processed into
daily summary reports. </p>
<p> The diagram below shows how Postfix TLS handshake success and
failure events are collected and processed into daily summary
reports. </p>
<blockquote>

6
postfix/html/bounce.8.html
View File

@ -166,6 +166,12 @@ BOUNCE(8) BOUNCE(8)
<b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
Available in Postfix 3.10 and later:
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
Enable support for the "TLS-Required: no" message header,
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="files">FILES</a></b>
/var/spool/postfix/bounce/* non-delivery records
/var/spool/postfix/defer/* non-delivery records

36
postfix/html/cleanup.8.html
View File

@ -70,6 +70,7 @@ CLEANUP(8) CLEANUP(8)
<a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
<a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
<a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
<a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required: message header)
<b><a name="diagnostics">DIAGNOSTICS</a></b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@ -461,29 +462,36 @@ CLEANUP(8) CLEANUP(8)
IDNA2008, when converting UTF-8 domain names to/from the ASCII
form that is used for DNS lookups.
<b><a name="tls_support">TLS SUPPORT</a></b>
Available in Postfix version 3.10 and later:
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
Enable support for the "TLS-Required: no" message header,
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
The maximal number of digits after the decimal point when log-
ging delay values.
<b><a href="postconf.5.html#delay_warning_time">delay_warning_time</a> (0h)</b>
The time after which the sender receives a copy of the message
The time after which the sender receives a copy of the message
headers of mail that is still queued.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an
The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -494,7 +502,7 @@ CLEANUP(8) CLEANUP(8)
The internet hostname of this mail system.
<b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The domain name that locally-posted mail appears to come from,
The domain name that locally-posted mail appears to come from,
and that locally posted mail is delivered to.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
@ -507,21 +515,21 @@ CLEANUP(8) CLEANUP(8)
The location of the Postfix top-level queue directory.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
Safety net to keep mail queued that would otherwise be returned
Safety net to keep mail queued that would otherwise be returned
to the sender.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
A prefix that is prepended to the process name in syslog
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> (yes)</b>
Enable support for the original recipient address after an
address is rewritten to a different address (for example with
Enable support for the original recipient address after an
address is rewritten to a different address (for example with
aliasing or with canonical mapping).
Available in Postfix 3.3 and later:
@ -532,14 +540,14 @@ CLEANUP(8) CLEANUP(8)
Available in Postfix 3.5 and later:
<b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
The email address form that will be used in non-debug logging
The email address form that will be used in non-debug logging
(info, warning, etc.).
Available in Postfix 3.9 and later:
<b><a href="postconf.5.html#force_mime_input_conversion">force_mime_input_conversion</a> (no)</b>
Convert body content that claims to be 8-bit into quoted-print-
able, before <a href="postconf.5.html#header_checks">header_checks</a>, <a href="postconf.5.html#body_checks">body_checks</a>, Milters, and before
Convert body content that claims to be 8-bit into quoted-print-
able, before <a href="postconf.5.html#header_checks">header_checks</a>, <a href="postconf.5.html#body_checks">body_checks</a>, Milters, and before
after-queue content filters.
<b><a name="files">FILES</a></b>

6
postfix/html/defer.8.html
View File

@ -166,6 +166,12 @@ BOUNCE(8) BOUNCE(8)
<b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
Available in Postfix 3.10 and later:
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
Enable support for the "TLS-Required: no" message header,
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="files">FILES</a></b>
/var/spool/postfix/bounce/* non-delivery records
/var/spool/postfix/defer/* non-delivery records

143
postfix/html/lmtp.8.html
View File

@ -174,6 +174,7 @@ SMTP(8) SMTP(8)
<a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
<a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
<a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
<a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required message header)
<b><a name="diagnostics">DIAGNOSTICS</a></b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@ -746,6 +747,8 @@ SMTP(8) SMTP(8)
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate.
Available in Postfix version 3.10 and later:
<b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b>
Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications.
@ -758,41 +761,45 @@ SMTP(8) SMTP(8)
reuse a previously-negotiated TLS session (there is no new
information to report).
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
Enable support for the "TLS-Required: no" message header,
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP server announces
Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers use TLS
Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list.
<b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The Postfix SMTP client time limit for completing a TCP connec-
The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -804,19 +811,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the MAIL FROM
The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the SMTP RCPT TO
The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The Postfix SMTP client time limit for sending the SMTP DATA
The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The Postfix SMTP client time limit for sending the SMTP message
The Postfix SMTP client time limit for sending the SMTP message
content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -830,13 +837,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -846,17 +853,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the specified
Permanently enable SMTP connection caching for the specified
destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a destination
Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -870,23 +877,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or receive opera-
Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
(no limit).
Available in Postfix version 3.4 and later:
@ -897,13 +904,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.7 and later:
<b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a com-
bined time limit for sending a complete SMTP request and for
Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a com-
bined time limit for sending a complete SMTP request and for
receiving a complete SMTP response.
<b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
The minimum plaintext data transfer rate in bytes/second for
The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
@ -911,54 +918,54 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
Enable preliminary SMTPUTF8 support for the protocols described
in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci-
Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
Enable 'transitional' compatibility between IDNA2003 and
IDNA2008, when converting UTF-8 domain names to/from the ASCII
Enable 'transitional' compatibility between IDNA2003 and
IDNA2008, when converting UTF-8 domain names to/from the ASCII
form that is used for DNS lookups.
<b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a nexthop destina-
tion, remote client or server name or network address matches a
The increment in verbose logging level when a nexthop destina-
tion, remote client or server name or network address matches a
pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the
verbose logging level to increase by the amount specified in
Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the
verbose logging level to increase by the amount specified in
$<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about mail delivery
The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
What categories of Postfix-generated mail are subject to
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
What categories of Postfix-generated mail are subject to
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@ -966,46 +973,46 @@ SMTP(8) SMTP(8)
<b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail when it
Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
The maximal number of digits after the decimal point when log-
ging delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
The local network interface addresses that this mail system
The local network interface addresses that this mail system
receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
The Internet protocols Postfix will attempt to use when making
The Internet protocols Postfix will attempt to use when making
or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an
The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -1019,21 +1026,21 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The remote network interface addresses that this mail system
receives mail on by way of a proxy or network address transla-
The remote network interface addresses that this mail system
receives mail on by way of a proxy or network address transla-
tion unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4
client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -1053,7 +1060,7 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
A prefix that is prepended to the process name in syslog
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available with Postfix 2.2 and earlier:
@ -1065,14 +1072,14 @@ SMTP(8) SMTP(8)
Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a
Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a
non-permanent error.
Available with Postfix 3.0 and later:
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
In the context of email address verification, the SMTP protocol
In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable.
Available with Postfix 3.1 and later:
@ -1094,7 +1101,7 @@ SMTP(8) SMTP(8)
Available in Postfix 3.7 and later:
<b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
Defer delivery when the Postfix SMTP client cannot apply the
Defer delivery when the Postfix SMTP client cannot apply the
<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
<b><a name="see_also">SEE ALSO</a></b>

3
postfix/html/pipe.8.html
View File

@ -170,6 +170,7 @@ PIPE(8) PIPE(8)
as an argument by itself:
<i>Right</i>: command -f $sender -- $recipient
NOTE: DO NOT put quotes around the command, $sender, or $recipi-
ent.
@ -422,7 +423,7 @@ PIPE(8) PIPE(8)
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
ging sub-second delay values.
ging delay values.
<b><a href="postconf.5.html#export_environment">export_environment</a> (see 'postconf -d' output)</b>
The list of environment variables that a Postfix process will

17
postfix/html/postconf.5.html
View File

@ -20603,6 +20603,23 @@ gives timeout errors. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
</DD>
<DT><b><a name="tls_required_enable">tls_required_enable</a>
(default: yes)</b></DT><DD>
<p> Enable support for the "TLS-Required: no" message header, defined
in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. By adding this header to a message, a sender requests
no enforcement of TLS policy. This limits the Postfix SMTP client
TLS security level to "may", that is, do not verify remote SMTP
server certificates, and fall back to plaintext if TLS is unavailable.
If a message contains a "TLS-Required: no" header, then Postfix
will add that header to a delivery status notification for that
message. </p>
<p> This feature is available in Postfix &ge; 3.10. </p>
</DD>
<DT><b><a name="tls_server_sni_maps">tls_server_sni_maps</a>

143
postfix/html/smtp.8.html
View File

@ -174,6 +174,7 @@ SMTP(8) SMTP(8)
<a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
<a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
<a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
<a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required message header)
<b><a name="diagnostics">DIAGNOSTICS</a></b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@ -746,6 +747,8 @@ SMTP(8) SMTP(8)
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate.
Available in Postfix version 3.10 and later:
<b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b>
Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications.
@ -758,41 +761,45 @@ SMTP(8) SMTP(8)
reuse a previously-negotiated TLS session (there is no new
information to report).
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
Enable support for the "TLS-Required: no" message header,
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP server announces
Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers use TLS
Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list.
<b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The Postfix SMTP client time limit for completing a TCP connec-
The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -804,19 +811,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the MAIL FROM
The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the SMTP RCPT TO
The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The Postfix SMTP client time limit for sending the SMTP DATA
The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The Postfix SMTP client time limit for sending the SMTP message
The Postfix SMTP client time limit for sending the SMTP message
content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -830,13 +837,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -846,17 +853,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the specified
Permanently enable SMTP connection caching for the specified
destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a destination
Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -870,23 +877,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or receive opera-
Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
(no limit).
Available in Postfix version 3.4 and later:
@ -897,13 +904,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.7 and later:
<b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a com-
bined time limit for sending a complete SMTP request and for
Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a com-
bined time limit for sending a complete SMTP request and for
receiving a complete SMTP response.
<b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
The minimum plaintext data transfer rate in bytes/second for
The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
@ -911,54 +918,54 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
Enable preliminary SMTPUTF8 support for the protocols described
in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci-
Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
Enable 'transitional' compatibility between IDNA2003 and
IDNA2008, when converting UTF-8 domain names to/from the ASCII
Enable 'transitional' compatibility between IDNA2003 and
IDNA2008, when converting UTF-8 domain names to/from the ASCII
form that is used for DNS lookups.
<b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a nexthop destina-
tion, remote client or server name or network address matches a
The increment in verbose logging level when a nexthop destina-
tion, remote client or server name or network address matches a
pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the
verbose logging level to increase by the amount specified in
Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the
verbose logging level to increase by the amount specified in
$<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about mail delivery
The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
What categories of Postfix-generated mail are subject to
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
What categories of Postfix-generated mail are subject to
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@ -966,46 +973,46 @@ SMTP(8) SMTP(8)
<b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail when it
Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
The maximal number of digits after the decimal point when log-
ging delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
The local network interface addresses that this mail system
The local network interface addresses that this mail system
receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
The Internet protocols Postfix will attempt to use when making
The Internet protocols Postfix will attempt to use when making
or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an
The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -1019,21 +1026,21 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The remote network interface addresses that this mail system
receives mail on by way of a proxy or network address transla-
The remote network interface addresses that this mail system
receives mail on by way of a proxy or network address transla-
tion unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4
client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -1053,7 +1060,7 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
A prefix that is prepended to the process name in syslog
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available with Postfix 2.2 and earlier:
@ -1065,14 +1072,14 @@ SMTP(8) SMTP(8)
Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a
Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a
non-permanent error.
Available with Postfix 3.0 and later:
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
In the context of email address verification, the SMTP protocol
In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable.
Available with Postfix 3.1 and later:
@ -1094,7 +1101,7 @@ SMTP(8) SMTP(8)
Available in Postfix 3.7 and later:
<b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
Defer delivery when the Postfix SMTP client cannot apply the
Defer delivery when the Postfix SMTP client cannot apply the
<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
<b><a name="see_also">SEE ALSO</a></b>

6
postfix/html/trace.8.html
View File

@ -166,6 +166,12 @@ BOUNCE(8) BOUNCE(8)
<b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
Available in Postfix 3.10 and later:
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
Enable support for the "TLS-Required: no" message header,
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="files">FILES</a></b>
/var/spool/postfix/bounce/* non-delivery records
/var/spool/postfix/defer/* non-delivery records

11
postfix/man/man5/postconf.5
View File

@ -14331,6 +14331,17 @@ Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom
gives timeout errors.
.PP
This feature is available in Postfix 2.2 and later.
.SH tls_required_enable (default: yes)
Enable support for the "TLS\-Required: no" message header, defined
in RFC 8689. By adding this header to a message, a sender requests
no enforcement of TLS policy. This limits the Postfix SMTP client
TLS security level to "may", that is, do not verify remote SMTP
server certificates, and fall back to plaintext if TLS is unavailable.
If a message contains a "TLS\-Required: no" header, then Postfix
will add that header to a delivery status notification for that
message.
.PP
This feature is available in Postfix >= 3.10.
.SH tls_server_sni_maps (default: empty)
Optional lookup tables that map names received from remote SMTP
clients via the TLS Server Name Indication (SNI) extension to the

5
postfix/man/man8/bounce.8
View File

@ -146,6 +146,11 @@ header with the original Message\-ID value.
Available in Postfix 3.7 and later:
.IP "\fBheader_from_format (standard)\fR"
The format of the Postfix\-generated \fBFrom:\fR header.
.PP
Available in Postfix 3.10 and later:
.IP "\fBtls_required_enable (yes)\fR"
Enable support for the "TLS\-Required: no" message header, defined
in RFC 8689.
.SH "FILES"
.na
.nf

10
postfix/man/man8/cleanup.8
View File

@ -78,6 +78,7 @@ RFC 2822 (Internet Message Format)
RFC 3463 (Enhanced Status Codes)
RFC 3464 (Delivery status notifications)
RFC 5322 (Internet Message Format)
RFC 8689 (TLS\-Required: message header)
.SH DIAGNOSTICS
.ad
.fi
@ -422,6 +423,15 @@ Available in Postfix version 3.2 and later:
Enable 'transitional' compatibility between IDNA2003 and IDNA2008,
when converting UTF\-8 domain names to/from the ASCII form that is
used for DNS lookups.
.SH "TLS SUPPORT"
.na
.nf
.ad
.fi
Available in Postfix version 3.10 and later:
.IP "\fBtls_required_enable (yes)\fR"
Enable support for the "TLS\-Required: no" message header, defined
in RFC 8689.
.SH "MISCELLANEOUS CONTROLS"
.na
.nf

3
postfix/man/man8/pipe.8
View File

@ -180,6 +180,7 @@ specify \fB$sender\fR as an argument by itself:
.nf
\fIRight\fR: command \-f $sender \-\- $recipient
.fi
.IP
NOTE: DO NOT put quotes around the command, $sender, or $recipient.
.IP
This feature is available as of Postfix 2.3.
@ -412,7 +413,7 @@ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built\-in watchdog timer.
.IP "\fBdelay_logging_resolution_limit (2)\fR"
The maximal number of digits after the decimal point when logging
sub\-second delay values.
delay values.
.IP "\fBexport_environment (see 'postconf -d' output)\fR"
The list of environment variables that a Postfix process will export
to non\-Postfix processes.

7
postfix/man/man8/smtp.8
View File

@ -190,6 +190,7 @@ RFC 5321 (SMTP protocol)
RFC 6531 (Internationalized SMTP)
RFC 6533 (Internationalized Delivery Status Notifications)
RFC 7672 (SMTP security via opportunistic DANE TLS)
RFC 8689 (TLS\-Required message header)
.SH DIAGNOSTICS
.ad
.fi
@ -672,7 +673,8 @@ Available in Postfix version 3.9 and later:
.IP "\fBsmtp_tls_enable_rpk (no)\fR"
Request that remote SMTP servers send an RFC7250 raw public key
instead of an X.509 certificate.
.PP Available in Postfix version 3.10 and later:
.PP
Available in Postfix version 3.10 and later:
.IP "\fBsmtp_tlsrpt_enable (no)\fR"
Enable support for RFC 8460 TLSRPT notifications.
.IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
@ -682,6 +684,9 @@ by a local TLSRPT reporting service.
Do not report the TLSRPT status for TLS protocol handshakes
that reuse a previously\-negotiated TLS session (there is no new
information to report).
.IP "\fBtls_required_enable (yes)\fR"
Enable support for the "TLS\-Required: no" message header, defined
in RFC 8689.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf

1
postfix/mantools/postlink
View File

@ -1186,6 +1186,7 @@ while (<>) {
s;\ballow_srv_lookup_fallback\b;<a href="postconf.5.html#allow_srv_lookup_fallback">$&</a>;g;
s;\bignore_srv_lookup_error\b;<a href="postconf.5.html#ignore_srv_lookup_error">$&</a>;g;
s;\btls_required_enable\b;<a href="postconf.5.html#tls_required_enable">$&</a>;g;
s;\bfull_name_encoding_charset\b;<a href="postconf.5.html#full_name_encoding_charset">$&</a>;g;
# Service-defined parameters...

6
postfix/proto/TLSRPT_README.html
View File

@ -55,9 +55,9 @@ summaries of successful and failed SMTP over TLS connections to domain
specified address. Instead of <tt>mailto:</tt>, a policy may specify an
<tt>https:</tt> destination. </p>
<p> The high-level diagram below shows how TLS handshake success
and failure events from Postfix are collected and processed into
daily summary reports. </p>
<p> The diagram below shows how Postfix TLS handshake success and
failure events are collected and processed into daily summary
reports. </p>
<blockquote>

13
postfix/proto/postconf.proto
View File

@ -19473,3 +19473,16 @@ skip the full name. </p>
including the netstring encapsulation. </p>
<p> This feature is available in Postfix &ge; 3.10. </p>
%PARAM tls_required_enable yes
<p> Enable support for the "TLS-Required: no" message header, defined
in RFC 8689. By adding this header to a message, a sender requests
no enforcement of TLS policy. This limits the Postfix SMTP client
TLS security level to "may", that is, do not verify remote SMTP
server certificates, and fall back to plaintext if TLS is unavailable.
If a message contains a "TLS-Required: no" header, then Postfix
will add that header to a delivery status notification for that
message. </p>
<p> This feature is available in Postfix &ge; 3.10. </p>

1
postfix/proto/stop.double-history
View File

@ -159,3 +159,4 @@ proto proto socketmap_table
qmgr qmgr_deliver c qmgr qmgr_message c qmqpd qmqpd c
smtp smtp_proto c smtpd smtpd c verify verify c
operations Files cleanup cleanup h cleanup cleanup_message c
proto postconf proto pipe pipe c

1
postfix/proto/stop.spell-cc
View File

@ -1857,3 +1857,4 @@ cntrl
TINYCDB
getdata
XXXSENDOPTS
xtra

5
postfix/src/bounce/bounce.c
View File

@ -134,6 +134,11 @@
/* Available in Postfix 3.7 and later:
/* .IP "\fBheader_from_format (standard)\fR"
/* The format of the Postfix-generated \fBFrom:\fR header.
/* .PP
/* Available in Postfix 3.10 and later:
/* .IP "\fBtls_required_enable (yes)\fR"
/* Enable support for the "TLS-Required: no" message header, defined
/* in RFC 8689.
/* FILES
/* /var/spool/postfix/bounce/* non-delivery records
/* /var/spool/postfix/defer/* non-delivery records

7
postfix/src/bounce/bounce_notify_util.c
View File

@ -533,6 +533,13 @@ int bounce_header(VSTREAM *bounce, BOUNCE_INFO *bounce_info,
post_mail_fprintf(bounce, "In-Reply-To: %s", STR(bounce_info->orig_msgid));
}
/*
* Trade confidentiality against availability.
*/
if (var_tls_required_enable
&& (bounce_info->sendopts & SOPT_REQUIRETLS_HEADER) != 0)
post_mail_fprintf(bounce, "TLS-Required: no");
/*
* Auto-Submitted header, as per RFC 3834.
*/

8
postfix/src/cleanup/cleanup.c
View File

@ -70,6 +70,7 @@
/* RFC 3463 (Enhanced Status Codes)
/* RFC 3464 (Delivery status notifications)
/* RFC 5322 (Internet Message Format)
/* RFC 8689 (TLS-Required: message header)
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8)
/* or \fBpostlogd\fR(8).
@ -390,6 +391,13 @@
/* Enable 'transitional' compatibility between IDNA2003 and IDNA2008,
/* when converting UTF-8 domain names to/from the ASCII form that is
/* used for DNS lookups.
/* TLS SUPPORT
/* .ad
/* .fi
/* Available in Postfix version 3.10 and later:
/* .IP "\fBtls_required_enable (yes)\fR"
/* Enable support for the "TLS-Required: no" message header, defined
/* in RFC 8689.
/* MISCELLANEOUS CONTROLS
/* .ad
/* .fi

4
postfix/src/cleanup/cleanup_api.c
View File

@ -202,7 +202,7 @@ void cleanup_control(CLEANUP_STATE *state, int flags)
* definition.
*/
if (msg_verbose)
msg_info("cleanup flags = %s", cleanup_strflags(flags));
msg_info("client flags = %s", cleanup_strflags(flags));
if ((state->flags = flags) & CLEANUP_FLAG_BOUNCE) {
state->err_mask = CLEANUP_STAT_MASK_INCOMPLETE;
} else {
@ -211,6 +211,8 @@ void cleanup_control(CLEANUP_STATE *state, int flags)
if (state->flags & CLEANUP_FLAG_SMTPUTF8)
state->sendopts |= SMTPUTF8_FLAG_REQUESTED;
/* TODO(wietse) REQUIRETLS. */
if (msg_verbose)
msg_info("server flags = %s", cleanup_strflags(state->flags));
}
/* cleanup_flush - finish queue file */

98
postfix/src/cleanup/cleanup_envelope_test.c
View File

@ -5,7 +5,6 @@
#include <sys_defs.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h> /* ssscanf() */
#include <ctype.h>
/*
@ -20,7 +19,6 @@
/*
* Global library.
*/
#include <been_here.h>
#include <record.h>
#include <rec_type.h>
#include <cleanup_user.h>
@ -135,10 +133,8 @@ static int overrides_size_fields(const TEST_CASE *tp)
* Process the test SIZE record payload, clear some bits from the
* sendopts field, and write an all-zeroes preliminary SIZE record.
*/
VSTRING *output_stream_buf = vstring_alloc(100);
if ((state->dst = vstream_memopen(output_stream_buf, O_WRONLY)) == 0) {
msg_warn("vstream_memopen(output_stream_buf, O_WRONLY): %m");
if ((state->dst = vstream_fopen("/dev/null", O_WRONLY, 0)) == 0) {
msg_warn("vstream_fopen(\"/dev/null\", O_WRONLY, 0): %m");
return (FAIL);
}
cleanup_envelope(state, REC_TYPE_SIZE, vstring_str(input_buf),
@ -151,94 +147,50 @@ static int overrides_size_fields(const TEST_CASE *tp)
}
vstring_free(input_buf);
input_buf = 0;
/*
* Overwrite the SIZE record with an updated version that includes the
* modified sendopts field.
*/
cleanup_final(state);
if (state->errs != CLEANUP_STAT_OK) {
msg_warn("cleanup_final: got: '%s', want: '%s'",
cleanup_strerror(state->errs),
cleanup_strerror(CLEANUP_STAT_OK));
return (FAIL);
}
(void) vstream_fclose(state->dst);
state->dst = 0;
/*
* Read the final SIZE record content. This normally happens in the queue
* manager, and in the pickup daemon after a message is re-queued.
* Compare the updated state against the expected content. We expect that
* the fields for xtra_offset, data_offset, rcpt_count, qmgr_opts, and
* cont_length, are consistent with the saved CLEANUP_STATE, and we
* expect to see a specific value for the sendopts field that was
* assigned in cleanup_envelope().
*/
VSTREAM *fp;
if ((fp = vstream_memopen(output_stream_buf, O_RDONLY)) == 0) {
msg_warn("vstream_memopen(output_stream_buf, O_RDONLY): %m");
if (state->xtra_offset != saved_state.xtra_offset) {
msg_warn("state->xtra_offset: got %ld, want: %ld",
(long) state->xtra_offset, (long) saved_state.xtra_offset);
return (FAIL);
}
VSTRING *got_size_payload = vstring_alloc(VSTRING_LEN(output_stream_buf));
int got_rec_type;
if ((got_rec_type = rec_get(fp, got_size_payload, 0)) != REC_TYPE_SIZE) {
msg_warn("rec_get: got: %s, want: %s",
rec_type_name(got_rec_type), rec_type_name(REC_TYPE_SIZE));
if (state->data_offset != saved_state.data_offset) {
msg_warn("state->data_offset: got %ld, want: %ld",
(long) state->data_offset, (long) saved_state.data_offset);
return (FAIL);
}
(void) vstream_fclose(fp);
vstring_free(output_stream_buf);
/*
* Compare the stored SIZE record content against the expected content.
* We expect that the fields for data_size, data_offset, rcpt_count,
* qmgr_opts, and cont_length, are consistent with the saved
* CLEANUP_STATE, and we expect to see a specific value for the sendopts
* field that was made by cleanup_envelope().
*/
int got_conv;
long data_size, data_offset, cont_length;
int rcpt_count, qmgr_opts, sendopts;
if ((got_conv = sscanf(vstring_str(got_size_payload), "%ld %ld %d %d %ld %d",
&data_size, &data_offset, &rcpt_count, &qmgr_opts,
&cont_length, &sendopts)) != 6) {
msg_warn("sscanf SIZE record fields: got: %d, want 6", got_conv);
if (state->rcpt_count != saved_state.rcpt_count) {
msg_warn("state->rcpt_count: got: %ld, want: %ld",
(long) state->rcpt_count, (long) saved_state.rcpt_count);
return (FAIL);
}
if (data_size != saved_state.xtra_offset - saved_state.data_offset) {
msg_warn("SIZE.data_size: got %ld, want: %ld", (long) data_size,
(long) (saved_state.xtra_offset - saved_state.data_offset));
if (state->qmgr_opts != saved_state.qmgr_opts) {
msg_warn("state=>qmgr_opts: got: %d, want: %d",
state->qmgr_opts, saved_state.qmgr_opts);
return (FAIL);
}
if (data_offset != saved_state.data_offset) {
msg_warn("SIZE.data_offset: got %ld, want: %ld", (long) data_offset,
(long) saved_state.data_offset);
if (state->cont_length != saved_state.cont_length) {
msg_warn("state->cont_length: got %ld, want: %ld",
(long) state->cont_length, (long) saved_state.cont_length);
return (FAIL);
}
if (rcpt_count != saved_state.rcpt_count) {
msg_warn("SIZE.rcpt_count: got: %d, want: %d", rcpt_count,
(int) saved_state.rcpt_count);
return (FAIL);
}
if (qmgr_opts != saved_state.qmgr_opts) {
msg_warn("SIZE.qmgr_opts: got: %d, want: %d", qmgr_opts,
saved_state.qmgr_opts);
return (FAIL);
}
if (cont_length != saved_state.cont_length) {
msg_warn("SIZE.cont_length: got %ld, want: %ld", (long) cont_length,
(long) saved_state.cont_length);
return (FAIL);
}
if (sendopts != (SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED)) {
msg_warn("SIZE.sendopts: got: 0x%x, want: 0x%x",
sendopts, SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED);
if (state->sendopts != (SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED)) {
msg_warn("state->sendopts: got: 0x%x, want: 0x%x",
state->sendopts, SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED);
return (FAIL);
}
/*
* Cleanup.
*/
vstring_free(got_size_payload);
cleanup_state_free(state);
return (PASS);
}

2
postfix/src/cleanup/cleanup_message.c
View File

@ -653,7 +653,7 @@ static void cleanup_header_callback(void *context, int header_class,
if (state->hop_count == 1)
argv_add(state->auto_hdrs, vstring_str(header_buf), ARGV_END);
}
if (hdr_opts->type == HDR_TLS_REQUIRED) {
if (hdr_opts->type == HDR_TLS_REQUIRED && var_tls_required_enable) {
char *cp = vstring_str(header_buf) + strlen(hdr_opts->name) + 1;
while (ISSPACE(*cp))

5
postfix/src/global/mail_params.c
View File

@ -125,9 +125,10 @@
/* bool var_long_queue_ids;
/* bool var_daemon_open_fatal;
/* char *var_dsn_filter;
/* int var_smtputf8_enable
/* int var_smtputf8_enable;
/* int var_strict_smtputf8;
/* char *var_smtputf8_autoclass;
/* int var_tls_required_enable;
/* int var_idna2003_compat;
/* char *var_compatibility_level;
/* char *var_drop_hdrs;
@ -369,6 +370,7 @@ char *var_dsn_filter;
int var_smtputf8_enable;
int var_strict_smtputf8;
char *var_smtputf8_autoclass;
int var_tls_required_enable;
int var_idna2003_compat;
char *var_compatibility_level;
char *var_drop_hdrs;
@ -755,6 +757,7 @@ void mail_params_init()
VAR_SMTPUTF8_ENABLE, DEF_SMTPUTF8_ENABLE, &var_smtputf8_enable,
VAR_IDNA2003_COMPAT, DEF_IDNA2003_COMPAT, &var_idna2003_compat,
VAR_RESPECTFUL_LOGGING, DEF_RESPECTFUL_LOGGING, &var_respectful_logging,
VAR_TLSREQUIRED_ENABLE, DEF_TLSREQUIRED_ENABLE, &var_tls_required_enable,
0,
};
static const CONFIG_STR_FN_TABLE function_str_defaults[] = {

7
postfix/src/global/mail_params.h
View File

@ -4376,6 +4376,13 @@ extern char *var_smtputf8_autoclass;
#define DEF_IDNA2003_COMPAT "no"
extern int var_idna2003_compat;
/*
* REQUIRETLS support (RFC 8689).
*/
#define VAR_TLSREQUIRED_ENABLE "tls_required_enable"
#define DEF_TLSREQUIRED_ENABLE "yes"
extern int var_tls_required_enable;
/*
* Workaround for future incompatibility. Our implementation of RFC 2308
* negative reply caching relies on the promise that res_query() and

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20250131"
#define MAIL_RELEASE_DATE "20250202"
#define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT

5
postfix/src/pipe/pipe.c
View File

@ -170,7 +170,8 @@
/* .nf
/* \fIRight\fR: command -f $sender -- $recipient
/* .fi
/* NOTE: DO NOT put quotes around the command, $sender, or $recipient.
/* .IP
/* NOTE: DO NOT put quotes around the command, $sender, or $recipient.
/* .IP
/* This feature is available as of Postfix 2.3.
/* .IP "\fBsize\fR=\fIsize_limit\fR (optional)"
@ -390,7 +391,7 @@
/* request before it is terminated by a built-in watchdog timer.
/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
/* The maximal number of digits after the decimal point when logging
/* sub-second delay values.
/* delay values.
/* .IP "\fBexport_environment (see 'postconf -d' output)\fR"
/* The list of environment variables that a Postfix process will export
/* to non-Postfix processes.

7
postfix/src/smtp/smtp.c
View File

@ -172,6 +172,7 @@
/* RFC 6531 (Internationalized SMTP)
/* RFC 6533 (Internationalized Delivery Status Notifications)
/* RFC 7672 (SMTP security via opportunistic DANE TLS)
/* RFC 8689 (TLS-Required message header)
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8)
/* or \fBpostlogd\fR(8).
@ -638,7 +639,8 @@
/* .IP "\fBsmtp_tls_enable_rpk (no)\fR"
/* Request that remote SMTP servers send an RFC7250 raw public key
/* instead of an X.509 certificate.
/* .PP Available in Postfix version 3.10 and later:
/* .PP
/* Available in Postfix version 3.10 and later:
/* .IP "\fBsmtp_tlsrpt_enable (no)\fR"
/* Enable support for RFC 8460 TLSRPT notifications.
/* .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
@ -648,6 +650,9 @@
/* Do not report the TLSRPT status for TLS protocol handshakes
/* that reuse a previously-negotiated TLS session (there is no new
/* information to report).
/* .IP "\fBtls_required_enable (yes)\fR"
/* Enable support for the "TLS-Required: no" message header, defined
/* in RFC 8689.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi

2
postfix/src/smtp/smtp_connect.c
View File

@ -534,7 +534,7 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, SMTP_STATE *state)
* the message contains a "TLS-Required: no" header, limit the level to
* TLS_LEV_MAY.
*/
else if (tls->level > TLS_LEV_NONE
else if (var_tls_required_enable && tls->level > TLS_LEV_NONE
&& (state->request->sendopts & SOPT_REQUIRETLS_HEADER)) {
tls->level = TLS_LEV_MAY;
}

16
postfix/src/util/Makefile.in
View File

@ -1391,6 +1391,14 @@ cidr_match.o: stringops.h
cidr_match.o: sys_defs.h
cidr_match.o: vbuf.h
cidr_match.o: vstring.h
clean_ascii_cntrl_space.o: check_arg.h
clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c
clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h
clean_ascii_cntrl_space.o: stringops.h
clean_ascii_cntrl_space.o: sys_defs.h
clean_ascii_cntrl_space.o: vbuf.h
clean_ascii_cntrl_space.o: vstream.h
clean_ascii_cntrl_space.o: vstring.h
clean_env.o: argv.h
clean_env.o: check_arg.h
clean_env.o: clean_env.c
@ -2837,14 +2845,6 @@ trimblanks.o: sys_defs.h
trimblanks.o: trimblanks.c
trimblanks.o: vbuf.h
trimblanks.o: vstring.h
clean_ascii_cntrl_space.o: check_arg.h
clean_ascii_cntrl_space.o: stringops.h
clean_ascii_cntrl_space.o: sys_defs.h
clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c
clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h
clean_ascii_cntrl_space.o: vbuf.h
clean_ascii_cntrl_space.o: vstream.h
clean_ascii_cntrl_space.o: vstring.h
unescape.o: check_arg.h
unescape.o: stringops.h
unescape.o: sys_defs.h