mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 01:49:47 +00:00

postfix-3.10-20250215

Wietse Z Venema 2025-02-15 00:00:00 -05:00 committed by Viktor Dukhovni
parent d2018d3930
commit a5f2cae618
20 changed files with 622 additions and 555 deletions


@ -28941,4 +28941,45 @@ Apologies for any names omitted.
requests for 60s. Files: global/dict_pgsql.c, global/dict_mysql.c, requests for 60s. Files: global/dict_pgsql.c, global/dict_mysql.c,
proto/pgsql_table, proto/mysql_table. proto/pgsql_table, proto/mysql_table.
Postfix 3.10 code freeze. 20250210
Bugfix (defect introduced: Postfix 3.6): Reverted the default
smtp_tls_dane_insecure_mx_policy setting to "dane" as of Postfix
3.6.17, 3.7.13, 3.8.8, 3.9.2, and 3.10.0. By mistake the default
was dependent on the smtp_tls_security_level setting. Files:
global/mail_params.h, proto/postconf.proto, smtp/smtp.c.
20250210
Documentation: prefer 'submissions' over 'smtps'. Files:
proto/postconf.proto, proto/TLS_README.html.
20250212
Support for OpenSSL 3.5 post-quantum cryptography. To manage
algorithm selection, OpenSSL introduces new TLS group syntax
that Postfix will not attempt to imitate. Instead, Postfix
now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
parameter values to have an empty value. When both are set
empty, the algorithm selection can be managed through OpenSSL
configuration. Viktor Dukhovni. Files: tls/tls_dh.c,
tls/tls_misc.c.
Bugfix (defect introduced: Postfix 3.4, date 20181113): a
server with multiple TLS certificates could report for a
resumed TLS session, in logging and Received: message
headers, the wrong server-signature and server-digest names.
Viktor Dukhovni. File: tls/tls_misc.c.
20250213
Documentation: updated postconf(5) that the parameters
smtpd_tls_eecdh_grade, tls_eecdh_strong_curve,
tls_eecdh_ultra_curve, and tlsproxy_tls_eecdh_grade, are
not used since Postfix 3.6; updated the tls_eecdh_auto_curves
and tls_ffdhe_auto_groups description with post-quantum
configuration; added a post-quantum example to the
tls_config_file description. File: proto/postconf.proto.
The unused parameters will be deleted in Postfix 3.11.
Postfix 3.10 code freeze.
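Review bot: the 20250212 entry for tls_eecdh_auto_curves and tls_ffdhe_auto_groups only documents the case where both parameters are empty ("When both are set empty, the algorithm selection can be managed through OpenSSL configuration"); it should also state what Postfix does when only one of the two is empty, since that is the intermediate state an administrator reaches when changing them one at a time. The entry could also point to the tls_config_file description (updated in the 20250213 entry) as the place where the OpenSSL-side post-quantum configuration example lives, so readers of HISTORY can find it.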


@ -235,7 +235,8 @@ Examples of smtp_tls_policy_maps plugins with MTA-STS support are:
* postfix-tlspol, supports domains with DANE (using Postfix built-in DANE), * postfix-tlspol, supports domains with DANE (using Postfix built-in DANE),
and domains with MTA-STS. and domains with MTA-STS.
* postfix-mta-sts-resolver, supports domains with MTA-STS. * postfix-mta-sts-resolver, supports domains with MTA-STS as of release 1.5.0
(February 2025).
Both plugins can generate the additional name=value attributes that Postfix Both plugins can generate the additional name=value attributes that Postfix
needs for TLSRPT support (as of February 2025). This is enabled by setting a needs for TLSRPT support (as of February 2025). This is enabled by setting a


@ -374,12 +374,13 @@ This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE
It is strictly discouraged to use this mode from main.cf. If you want to It is strictly discouraged to use this mode from main.cf. If you want to
support this service, enable a special port in master.cf and specify "- support this service, enable a special port in master.cf and specify "-
o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8) o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8)
command line option. Port 465 (smtps) was once chosen for this feature. command line option. Port 465 (submissions, formerly called smtps) is the most
common example.
Example: Example:
/etc/postfix/master.cf: /etc/postfix/master.cf:
smtps inet n - n - - smtpd submissions inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
CClliieenntt cceerrttiiffiiccaattee vveerriiffiiccaattiioonn CClliieenntt cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
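Review bot: the new master.cf example uses the symbolic service name `submissions` in the first column ("submissions inet n - n - - smtpd") where the old text used `smtps`; master(5) resolves that name through the system services database, so on a host whose /etc/services has no `submissions` entry (the IANA name for 465/tcp from RFC 8314, which older services files lack) the listener will not start. Suggest either showing the numeric form in the example, e.g. "465 inet n - n - - smtpd", or adding one sentence saying that the name must be present in /etc/services, so the renaming from smtps to submissions does not silently break a copy-pasted configuration.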
@ -760,7 +761,7 @@ Topics covered in this section:
* Discovering servers that support TLS * Discovering servers that support TLS
* Server certificate verification depth * Server certificate verification depth
* Client-side cipher controls * Client-side cipher controls
* Client-side SMTPS support * Client-side submissions (formerly called smtps) support
* Miscellaneous client controls * Miscellaneous client controls
CCoonnffiigguurriinngg TTLLSS iinn tthhee SSMMTTPP//LLMMTTPP cclliieenntt CCoonnffiigguurriinngg TTLLSS iinn tthhee SSMMTTPP//LLMMTTPP cclliieenntt
@ -1970,48 +1971,51 @@ Example:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3 smtp_tls_protocols = !SSLv2,!SSLv3
CClliieenntt--ssiiddee SSMMTTPPSS ssuuppppoorrtt CClliieenntt--ssiiddee ssuubbmmiissssiioonnss ((ffoorrmmeerrllyy ccaalllleedd ssmmttppss)) ssuuppppoorrtt
These sections show how to send mail to a server that does not support These sections show how to send mail to a server that does not support
STARTTLS, but that provides the SMTPS service on TCP port 465. Depending on the STARTTLS, but that provides the submissions (smtps) service on TCP port 465.
Postfix version, some additional tooling may be required. Depending on the Postfix version, some additional tooling may be required.
PPoossttffiixx >>== 33..00 PPoossttffiixx >>== 33..00
The Postfix SMTP client has SMTPS support built-in as of version 3.0. Use one The Postfix SMTP client has submissions service support built-in as of version
of the following examples, to send all remote mail, or to send only some remote 3.0. Use one of the following examples, to send all remote mail, or to send
mail, to an SMTPS server. only some remote mail, to a submissions (smtps) server.
PPoossttffiixx >>== 33..00:: SSeennddiinngg aallll rreemmoottee mmaaiill ttoo aann SSMMTTPPSS sseerrvveerr PPoossttffiixx >>== 33..00:: SSeennddiinngg aallll rreemmoottee mmaaiill ttoo aa ssuubbmmiissssiioonnss ((ffoorrmmeerrllyy ccaalllleedd
ssmmttppss)) sseerrvveerr
The first example will send all remote mail over SMTPS through a provider's The first example will send all remote mail to through a provider's submissions
server called "mail.example.com": server called "mail.example.com":
/etc/postfix/main.cf: /etc/postfix/main.cf:
# Client-side SMTPS requires "encrypt" or stronger. # Client-side submissions requires "encrypt" or stronger.
smtp_tls_security_level = encrypt smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes smtp_tls_wrappermode = yes
# The [] suppress MX lookups. # The [] suppress MX lookups.
relayhost = [mail.example.com]:465 relayhost = [mail.example.com]:submissions
Use "postfix reload" to make the change effective. Use "postfix reload" to make the change effective.
See SOHO_README for additional information about SASL authentication. See SOHO_README for additional information about SASL authentication.
PPoossttffiixx >>== 33..00:: SSeennddiinngg oonnllyy mmaaiill ffoorr aa ssppeecciiffiicc ddeessttiinnaattiioonn vviiaa SSMMTTPPSS PPoossttffiixx >>== 33..00:: SSeennddiinngg oonnllyy mmaaiill ffoorr aa ssppeecciiffiicc ddeessttiinnaattiioonn ttoo aa ssuubbmmiissssiioonnss
((ffoorrmmeerrllyy ccaalllleedd ssmmttppss)) sseerrvviiccee
The second example will send only mail for "example.com" via SMTPS. This time, The second example will send only mail for "example.com" using the submissions
Postfix uses a transport map to deliver only mail for "example.com" via SMTPS: (smtps) service. This time, Postfix uses a transport map to deliver only mail
for "example.com" using the submissions (smtps) service:
/etc/postfix/main.cf: /etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport: /etc/postfix/transport:
example.com relay-smtps:example.com:465 example.com relay-submissions:example.com:submissions
/etc/postfix/master.cf: /etc/postfix/master.cf:
relay-smtps unix - - n - - smtp relay-submissions unix - - n - - smtp
# Client-side SMTPS requires "encrypt" or stronger. # Client-side submissions service requires "encrypt" or stronger.
-o smtp_tls_security_level=encrypt -o smtp_tls_security_level=encrypt
-o smtp_tls_wrappermode=yes -o smtp_tls_wrappermode=yes
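Review bot: typo in the new text of the first example, "The first example will send all remote mail to through a provider's submissions server" should read "send all remote mail through a provider's submissions server" (or "to a provider's submissions server"). In the same hunk, "relayhost = [mail.example.com]:submissions" and "relay-submissions:example.com:submissions" replace the numeric port 465 with a service name that the SMTP client must resolve via the services database; a short note that `submissions` must exist in /etc/services, or keeping ":465" in one of the two examples, would help readers on older systems.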
@ -2022,62 +2026,7 @@ See SOHO_README for additional information about SASL authentication.
PPoossttffiixx << 33..00 PPoossttffiixx << 33..00
Although older Postfix SMTP client versions do not support TLS wrapper mode, it Please see TLS_LEGACY_README.
is relatively easy to forward a connection through the stunnel program if
Postfix needs to deliver mail to some legacy system that doesn't support
STARTTLS.
PPoossttffiixx << 33..00:: SSeennddiinngg aallll rreemmoottee mmaaiill ttoo aann SSMMTTPPSS sseerrvveerr
The first example uses SMTPS to send all remote mail to a provider's mail
server called "mail.example.com".
A minimal stunnel.conf file is sufficient to set up a tunnel from local port
11125 to the remote destination "mail.example.com" and port "smtps". Postfix
will later use this tunnel to connect to the remote server.
/path/to/stunnel.conf:
[smtp-tls-wrapper]
accept = 11125
client = yes
connect = mail.example.com:smtps
To test this tunnel, use:
$ telnet localhost 11125
This should produce the greeting from the remote SMTP server at
mail.example.com.
On the Postfix side, the relayhost feature sends all remote mail through the
local stunnel listener on port 11125:
/etc/postfix/main.cf:
relayhost = [127.0.0.1]:11125
Use "postfix reload" to make the change effective.
See SOHO_README for additional information about SASL authentication.
PPoossttffiixx << 33..00:: SSeennddiinngg oonnllyy mmaaiill ffoorr aa ssppeecciiffiicc ddeessttiinnaattiioonn vviiaa SSMMTTPPSS
The second example will use SMTPS to send only mail for "example.com" via
SMTPS. It uses the same stunnel configuration file as the first example, so it
won't be repeated here.
This time, the Postfix side uses a transport map to direct only mail for
"example.com" through the tunnel:
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
example.com relay:[127.0.0.1]:11125
Use "postmap hash:/etc/postfix/transport" and "postfix reload" to make the
change effective.
See SOHO_README for additional information about SASL authentication.
MMiisscceellllaanneeoouuss cclliieenntt ccoonnttrroollss MMiisscceellllaanneeoouuss cclliieenntt ccoonnttrroollss
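Review bot: the whole Postfix < 3.0 stunnel walkthrough (the stunnel.conf with "accept = 11125", the "telnet localhost 11125" test, "relayhost = [127.0.0.1]:11125" and the "relay:[127.0.0.1]:11125" transport entry) is replaced by the single line "Please see TLS_LEGACY_README.", but no TLS_LEGACY_README file appears among the changed files shown on this page. Please confirm that document already exists in the tree and carries the removed content, otherwise the guidance for pre-3.0 clients is lost with this commit.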


@ -345,7 +345,8 @@ postfix-tlspol</a>, supports domains with DANE (using Postfix
built-in DANE), and domains with MTA-STS. </p> built-in DANE), and domains with MTA-STS. </p>
<li> <p> <a href="https://github.com/Snawoot/postfix-mta-sts-resolver"> <li> <p> <a href="https://github.com/Snawoot/postfix-mta-sts-resolver">
postfix-mta-sts-resolver</a>, supports domains with MTA-STS. </p> postfix-mta-sts-resolver</a>, supports domains with MTA-STS as of
release 1.5.0 (February 2025). </p>
</ul> </ul>


@ -552,8 +552,8 @@ and OE (5.01 Mac on all ports). </p>
<p> It is strictly discouraged to use this mode from <a href="postconf.5.html">main.cf</a>. If <p> It is strictly discouraged to use this mode from <a href="postconf.5.html">main.cf</a>. If
you want to support this service, enable a special port in <a href="master.5.html">master.cf</a> you want to support this service, enable a special port in <a href="master.5.html">master.cf</a>
and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" (note: no space around and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" (note: no space around
the "=") as an <a href="smtpd.8.html">smtpd(8)</a> command line option. Port 465 (smtps) was the "=") as an <a href="smtpd.8.html">smtpd(8)</a> command line option. Port 465 (submissions,
once chosen for this feature. formerly called smtps) is the most common example.
</p> </p>
<p> Example: </p> <p> Example: </p>
@ -561,7 +561,7 @@ once chosen for this feature.
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/<a href="master.5.html">master.cf</a>: /etc/postfix/<a href="master.5.html">master.cf</a>:
smtps inet n - n - - smtpd submissions inet n - n - - smtpd
-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes -o <a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a>=yes -o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes -o <a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a>=yes
</pre> </pre>
</blockquote> </blockquote>
@ -1065,7 +1065,7 @@ key configuration </a>
<li> <a href="#client_cipher">Client-side cipher controls </a> <li> <a href="#client_cipher">Client-side cipher controls </a>
<li> <a href="#client_smtps">Client-side SMTPS support </a> <li> <a href="#client_smtps">Client-side submissions (formerly called smtps) support </a>
<li> <a href="#client_misc"> Miscellaneous client controls </a> <li> <a href="#client_misc"> Miscellaneous client controls </a>
@ -2560,32 +2560,33 @@ the TLS protocols used with opportunistic TLS. </p>
</pre> </pre>
</blockquote> </blockquote>
<h3> <a name="client_smtps">Client-side SMTPS support </a> </h3> <h3> <a name="client_smtps">Client-side submissions (formerly called smtps) support </a> </h3>
<p> These sections show how to send mail to a server that does not <p> These sections show how to send mail to a server that does not
support STARTTLS, but that provides the SMTPS service support STARTTLS, but that provides the submissions (smtps) service
on TCP port 465. Depending on the Postfix version, some additional on TCP port 465. Depending on the Postfix version, some additional
tooling may be required. </p> tooling may be required. </p>
<h4> Postfix &ge; 3.0 </h4> <h4> Postfix &ge; 3.0 </h4>
<p> The Postfix SMTP client has SMTPS support built-in as of version <p> The Postfix SMTP client has submissions service support built-in
as of version
3.0. Use one of the following examples, to send all remote mail, 3.0. Use one of the following examples, to send all remote mail,
or to send only some remote mail, to an SMTPS server. </p> or to send only some remote mail, to a submissions (smtps) server. </p>
<h5> Postfix &ge; 3.0: Sending all remote mail to an SMTPS server </h5> <h5> Postfix &ge; 3.0: Sending all remote mail to a submissions (formerly called smtps) server </h5>
<p> The first example will send all remote mail over SMTPS through <p> The first example will send all remote mail to through a
a provider's server called "mail.example.com": </p> provider's submissions server called "mail.example.com": </p>
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>: /etc/postfix/<a href="postconf.5.html">main.cf</a>:
# Client-side SMTPS requires "encrypt" or stronger. # Client-side submissions requires "encrypt" or stronger.
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes <a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes
# The [] suppress MX lookups. # The [] suppress MX lookups.
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:465 <a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:submissions
</pre> </pre>
</blockquote> </blockquote>
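Review bot: same typo as in the text version of TLS_README, the new paragraph reads "The first example will send all remote mail to through a provider's submissions server called "mail.example.com"" and should drop either "to" or "through". The `<h5>` heading "Postfix &ge; 3.0: Sending all remote mail to a submissions (formerly called smtps) server" is now much longer than the surrounding headings; consider "Sending all remote mail to a submissions server" and leaving the "formerly called smtps" note to the section intro, which already says it.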
@ -2595,11 +2596,12 @@ a provider's server called "mail.example.com": </p>
</p> </p>
<h5> Postfix &ge; 3.0: Sending only mail for a specific destination <h5> Postfix &ge; 3.0: Sending only mail for a specific destination
via SMTPS </h5> to a submissions (formerly called smtps) service </h5>
<p> The second example will send only mail for "example.com" via <p> The second example will send only mail for "example.com" using
SMTPS. This time, Postfix uses a transport map to deliver only the submissions (smtps) service.
mail for "example.com" via SMTPS: </p> This time, Postfix uses a transport map to deliver only
mail for "example.com" using the submissions (smtps) service: </p>
<blockquote> <blockquote>
<pre> <pre>
@ -2607,11 +2609,11 @@ mail for "example.com" via SMTPS: </p>
<a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport <a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport
/etc/postfix/transport: /etc/postfix/transport:
example.com relay-smtps:example.com:465 example.com relay-submissions:example.com:submissions
/etc/postfix/<a href="master.5.html">master.cf</a>: /etc/postfix/<a href="master.5.html">master.cf</a>:
relay-smtps unix - - n - - smtp relay-submissions unix - - n - - smtp
# Client-side SMTPS requires "encrypt" or stronger. # Client-side submissions service requires "encrypt" or stronger.
-o <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>=encrypt -o <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>=encrypt
-o <a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a>=yes -o <a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a>=yes
</pre> </pre>
@ -2625,81 +2627,7 @@ authentication. </p>
<h4> Postfix &lt; 3.0 </h4> <h4> Postfix &lt; 3.0 </h4>
<p> Although older Postfix SMTP client versions do not support TLS <p> Please see <a href="TLS_LEGACY_README.html">TLS_LEGACY_README</a>. </p>
wrapper mode, it is relatively easy to forward a connection through
the stunnel program if Postfix needs to deliver mail to some legacy
system that doesn't support STARTTLS. </p>
<h5> Postfix &lt; 3.0: Sending all remote mail to an SMTPS server </h5>
<p> The first example uses SMTPS to send all remote mail to a
provider's mail server called "mail.example.com". </p>
<p> A minimal stunnel.conf file is sufficient to set up a tunnel
from local port 11125 to the remote destination "mail.example.com"
and port "smtps". Postfix will later use this tunnel to connect to
the remote server. </p>
<blockquote>
<pre>
/path/to/stunnel.conf:
[smtp-tls-wrapper]
accept = 11125
client = yes
connect = mail.example.com:smtps
</pre>
</blockquote>
<p> To test this tunnel, use: </p>
<blockquote>
<pre>
$ telnet localhost 11125
</pre>
</blockquote>
<p> This should produce the greeting from the remote SMTP server
at mail.example.com. </p>
<p> On the Postfix side, the <a href="postconf.5.html#relayhost">relayhost</a> feature sends all remote
mail through the local stunnel listener on port 11125: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relayhost">relayhost</a> = [127.0.0.1]:11125
</pre>
</blockquote>
<p> Use "postfix reload" to make the change effective. </p>
<p> See <a href="SOHO_README.html">SOHO_README</a> for additional information about SASL
authentication. </p>
<h4> Postfix &lt; 3.0: Sending only mail for a specific destination via SMTPS </h4>
<p> The second example will use SMTPS to send only mail for
"example.com" via SMTPS. It uses the same stunnel configuration
file as the first example, so it won't be repeated here. </p>
<p> This time, the Postfix side uses a transport map to direct only
mail for "example.com" through the tunnel: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport
/etc/postfix/transport:
example.com relay:[127.0.0.1]:11125
</pre>
</blockquote>
<p> Use "postmap <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport" and "postfix reload"
to make the change effective. </p>
<p> See <a href="SOHO_README.html">SOHO_README</a> for additional information about SASL authentication.
</p>
<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3> <h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
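Review bot: the replacement paragraph links to TLS_LEGACY_README.html, but that file is not among the changed files visible here; please verify the target exists in the html/ tree so the link does not dangle, and that it reproduces the removed stunnel material (the stunnel.conf example, the telnet test and the two relayhost/transport configurations) that this hunk deletes. Also note the removed text had an inconsistent heading level (an `<h4>` for the second "Sending only mail for a specific destination via SMTPS" subsection where the first used `<h5>`); if the content is carried over to the new file, that is worth fixing there.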
@ -2710,7 +2638,7 @@ tries the next network address on the mail exchanger list, and
defers delivery if no alternative server is available. </p> defers delivery if no alternative server is available. </p>
<p> Example: </p> <p> Example: </p>
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>: /etc/postfix/<a href="postconf.5.html">main.cf</a>:
@ -2727,7 +2655,7 @@ are disabled in the default value of the parameter when linked with
an OpenSSL library that could be vulnerable. </p> an OpenSSL library that could be vulnerable. </p>
<p> Example: </p> <p> Example: </p>
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>: /etc/postfix/<a href="postconf.5.html">main.cf</a>:


@ -691,19 +691,20 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
Request that the Postfix SMTP client connects using the SUBMIS- Request that the Postfix SMTP client connects using the SUBMIS-
SIONS/SMTPS protocol instead of using the STARTTLS command. SIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command.
Available in Postfix version 3.1 and later: Available in Postfix version 3.1 and later:
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
The TLS policy for MX hosts with "secure" TLSA records when the The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX record nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup. was found via an "insecure" MX lookup.
Available in Postfix version 3.2 and later: Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
The prioritized list of elliptic curves, that should be enabled The prioritized list of elliptic curves, that should be enabled
in the Postfix SMTP client and server. in the Postfix SMTP client and server.
Available in Postfix version 3.4 and later: Available in Postfix version 3.4 and later:
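Review bot: the smtp(8) summary for smtp_tls_dane_insecure_mx_policy now shows a fixed default "(dane)" instead of "(see 'postconf -d' output)", which is consistent with the HISTORY bugfix entry restoring the default to "dane" independent of smtp_tls_security_level; please make sure postconf(5) and the generated postconf -d output agree with this, since the man page is generated from proto/postconf.proto and a stale default there would reintroduce the mismatch the bugfix removes. The wrapped description "Request that the Postfix SMTP client connects using the SUBMISSIONS (formerly called SMTPS) protocol" reads fine.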
@ -712,23 +713,23 @@ SMTP(8) SMTP(8)
Try to make multiple deliveries per TLS-encrypted connection. Try to make multiple deliveries per TLS-encrypted connection.
<b><a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> (empty)</b>
List of one or more PEM files, each holding one or more private List of one or more PEM files, each holding one or more private
keys directly followed by a corresponding certificate chain. keys directly followed by a corresponding certificate chain.
<b><a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> (empty)</b>
Optional name to send to the remote SMTP server in the TLS Optional name to send to the remote SMTP server in the TLS
Server Name Indication (SNI) extension. Server Name Indication (SNI) extension.
Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
<b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b> <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
A workaround for implementations that hang Postfix while shut- A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out. ting down a TLS session, until Postfix times out.
Available in Postfix version 3.8 and later: Available in Postfix version 3.8 and later:
<b><a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> (see 'postconf -d' output)</b>
The prioritized list of finite-field Diffie-Hellman ephemeral The prioritized list of finite-field Diffie-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client (FFDHE) key exchange groups supported by the Postfix SMTP client
and server. and server.
@ -738,13 +739,13 @@ SMTP(8) SMTP(8)
Optional configuration file with baseline OpenSSL settings. Optional configuration file with baseline OpenSSL settings.
<b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b> <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
The application name passed by Postfix to OpenSSL library ini- The application name passed by Postfix to OpenSSL library ini-
tialization functions. tialization functions.
Available in Postfix version 3.9 and later: Available in Postfix version 3.9 and later:
<b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> (no)</b>
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate. instead of an X.509 certificate.
Available in Postfix version 3.10 and later: Available in Postfix version 3.10 and later:
@ -758,7 +759,7 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b> <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
Do not report the TLSRPT status for TLS protocol handshakes that Do not report the TLSRPT status for TLS protocol handshakes that
reuse a previously-negotiated TLS session (there is no new reuse a previously-negotiated TLS session (there is no new
information to report). information to report).
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b> <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
@ -766,40 +767,40 @@ SMTP(8) SMTP(8)
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b> <b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
The following configuration parameters exist for compatibility with The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a Postfix versions before 2.3. Support for these will be removed in a
future release. future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP server announces Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear. STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers use TLS Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear. encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b> <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the remote SMTP With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server hostname matches the information in the remote SMTP
server certificate. server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client TLS usage Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host- policy by next-hop destination and by remote SMTP server host-
name. name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list. cipher list.
<b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b> <b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b> <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The Postfix SMTP client time limit for completing a TCP connec- The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit). tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the HELO or EHLO The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server command, and for receiving the initial remote SMTP server
response. response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b> <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -811,19 +812,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response. mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the MAIL FROM The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the SMTP RCPT TO The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b> <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The Postfix SMTP client time limit for sending the SMTP DATA The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b> <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The Postfix SMTP client time limit for sending the SMTP message The Postfix SMTP client time limit for sending the SMTP message
content. content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b> <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -837,13 +838,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b> <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
The maximal number of MX (mail exchanger) IP addresses that can The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero result from Postfix SMTP client mail exchanger lookups, or zero
(no limit). (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b> <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery request before The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit). <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b> <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -853,17 +854,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier: Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b> <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a> Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds. seconds.
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b> <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the specified Permanently enable SMTP connection caching for the specified
destinations. destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b> <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a destination Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b> <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -877,23 +878,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b> <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or receive opera- Time limit for connection cache connect, send or receive opera-
tions. tions.
Available in Postfix version 2.9 - 3.6: Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b> <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes- response line, SMTP message content line, or TLS protocol mes-
sage). sage).
Available in Postfix version 2.11 and later: Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b> <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
When SMTP connection caching is enabled, the number of times When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero that an SMTP session may be reused before it is closed, or zero
(no limit). (no limit).
Available in Postfix version 3.4 and later: Available in Postfix version 3.4 and later:
@ -904,13 +905,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.7 and later: Available in Postfix version 3.7 and later:
<b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b> <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a com- time limit per plaintext or TLS read or write call, to a com-
bined time limit for sending a complete SMTP request and for bined time limit for sending a complete SMTP request and for
receiving a complete SMTP response. receiving a complete SMTP response.
<b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b> <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
The minimum plaintext data transfer rate in bytes/second for The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with DATA requests, when deadlines are enabled with
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>. <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
@ -918,54 +919,54 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b> <b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b> <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>- A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> <a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport. name of the message delivery transport.
<b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b> <b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b> <b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>- A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport. name of the message delivery transport.
<b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b> <b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
Preliminary SMTPUTF8 support is introduced with Postfix 3.0. Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b> <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described Enable preliminary SMTPUTF8 support for the protocols described
in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>. in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b> <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci- Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes. fied mail origin classes.
Available in Postfix version 3.2 and later: Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b> <b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
Enable 'transitional' compatibility between IDNA2003 and Enable 'transitional' compatibility between IDNA2003 and
IDNA2008, when converting UTF-8 domain names to/from the ASCII IDNA2008, when converting UTF-8 domain names to/from the ASCII
form that is used for DNS lookups. form that is used for DNS lookups.
<b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b> <b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b> <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a nexthop destina- The increment in verbose logging level when a nexthop destina-
tion, remote client or server name or network address matches a tion, remote client or server name or network address matches a
pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter. pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b> <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of nexthop destination, remote client or server Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the name or network address patterns that, if matched, cause the
verbose logging level to increase by the amount specified in verbose logging level to increase by the amount specified in
$<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>. $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b> <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about mail delivery The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto- problems that are caused by policy, resource, software or proto-
col errors. col errors.
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b> <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
What categories of Postfix-generated mail are subject to What categories of Postfix-generated mail are subject to
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>. <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b> <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@ -973,46 +974,46 @@ SMTP(8) SMTP(8)
<b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b> <b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b> <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail when it Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition. detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files. figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer. request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log- The maximal number of digits after the decimal point when log-
ging delay values. ging delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b> <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients. Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
The local network interface addresses that this mail system The local network interface addresses that this mail system
receives mail on. receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
The Internet protocols Postfix will attempt to use when making The Internet protocols Postfix will attempt to use when making
or accepting connections. or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an The time limit for sending or receiving information over an
internal communication channel. internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b> <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
When a remote LMTP server announces no DSN support, assume that When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv- the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed". ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b> <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to. The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily. waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b> <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -1026,21 +1027,21 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process. The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The remote network interface addresses that this mail system The remote network interface addresses that this mail system
receives mail on by way of a proxy or network address transla- receives mail on by way of a proxy or network address transla-
tion unit. tion unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b> <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4 client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference. addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b> <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the Postfix SMTP An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection. client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b> <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the Postfix SMTP An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection. client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -1060,7 +1061,7 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging. The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
A prefix that is prepended to the process name in syslog A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd". records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available with Postfix 2.2 and earlier: Available with Postfix 2.2 and earlier:
@ -1072,14 +1073,14 @@ SMTP(8) SMTP(8)
Available with Postfix 2.3 and later: Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b> <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
Optional list of relay destinations that will be used when an Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a SMTP destination is not found, or when delivery fails due to a
non-permanent error. non-permanent error.
Available with Postfix 3.0 and later: Available with Postfix 3.0 and later:
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b> <b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
In the context of email address verification, the SMTP protocol In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable. stage that determines whether an email address is deliverable.
Available with Postfix 3.1 and later: Available with Postfix 3.1 and later:
@ -1101,7 +1102,7 @@ SMTP(8) SMTP(8)
Available in Postfix 3.7 and later: Available in Postfix 3.7 and later:
<b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b> <b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
Defer delivery when the Postfix SMTP client cannot apply the Defer delivery when the Postfix SMTP client cannot apply the
<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting. <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
<b><a name="see_also">SEE ALSO</a></b> <b><a name="see_also">SEE ALSO</a></b>
View File
@ -11010,11 +11010,11 @@ use the same program name. </p>
<p> Example <a href="master.5.html">master.cf</a> entries: </p> <p> Example <a href="master.5.html">master.cf</a> entries: </p>
<pre> <pre>
# Distinguish inbound MTA logging from submission and smtps logging. # Distinguish inbound MTA logging from submission and submissions logging.
smtp inet n - n - - smtpd smtp inet n - n - - smtpd
submission inet n - n - - smtpd submission inet n - n - - smtpd
-o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a> -o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a>
smtps inet n - n - - smtpd submissions inet n - n - - smtpd
-o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a> -o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a>
</pre> </pre>
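Review bot: the renamed `submissions inet n - n - - smtpd` entry is resolved by service name when master(8) starts, and systems with an older /etc/services have no "submissions 465/tcp" entry, so the example now depends on the services file where "smtps" previously did the same with a name more distributions ship. Suggest a comment on that line noting that the name stands for port 465 and that a numeric service name (`465 inet n - n - - smtpd`) is the fallback where the name is not defined.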
@ -13274,7 +13274,7 @@ TLS connection reuse</a>" for background details. </p>
</DD> </DD>
<DT><b><a name="smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> <DT><b><a name="smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a>
(default: see "postconf -d" output)</b></DT><DD> (default: dane)</b></DT><DD>
<p> The TLS policy for MX hosts with "secure" TLSA records when the <p> The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX nexthop destination security level is <b>dane</b>, but the MX
@ -13298,10 +13298,9 @@ authentication succeeds, it will be logged only as "Trusted", not
"Verified", because the MX host name could have been forged. </dd> "Verified", because the MX host name could have been forged. </dd>
</dl> </dl>
<p> The default setting for Postfix &ge; 3.6 is "dane" with <p> The default setting is "dane" as of Postfix versions 3.6.17,
"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = dane", otherwise "may". This behavior 3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. was mistakenly dependent on the <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> setting.
With earlier Postfix versions the default setting was always "dane".
</p> </p>
<p> Though with "insecure" MX records an active attacker can <p> Though with "insecure" MX records an active attacker can
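Review bot: the rewritten paragraph loses the backport list (3.5.9, 3.4.19, 3.3.16, 3.2.21) that the removed line carried, so a reader of one of those releases can no longer tell from this page that their default was also the level-dependent one, and "With earlier versions the default was mistakenly dependent" now reads as if every release before 3.6.17 was affected, whereas the deleted text states that releases before the backports always defaulted to "dane". Suggest keeping both facts, e.g. "In Postfix 3.6.0 through 3.6.16, and in the 3.2.21, 3.3.16, 3.4.19 and 3.5.9 backports, the default was mistakenly dependent on the smtp_tls_security_level setting; older releases always defaulted to "dane"."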
@ -14823,21 +14822,22 @@ example.com verify match=hostname:nexthop
(default: no)</b></DT><DD> (default: no)</b></DT><DD>
<p> Request that the Postfix SMTP client connects using the <p> Request that the Postfix SMTP client connects using the
SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. </p> SUBMISSIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command. </p>
<p> This mode requires "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt" or <p> This mode requires "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt" or
stronger. </p> stronger. </p>
<p> Example: deliver all remote mail via a provider's server <p> Example: deliver all remote mail via a provider's submissions
"mail.example.com". </p> service at "mail.example.com". </p>
<pre> <pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>: /etc/postfix/<a href="postconf.5.html">main.cf</a>:
# Client-side SMTPS requires "encrypt" or stronger. # Client-side SUBMISSIONS requires "encrypt" or stronger.
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes <a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes
# The [] suppress MX lookups. # The [] suppress MX lookups.
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:465 <a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:submissions
</pre> </pre>
<p> More examples are in <a href="TLS_README.html">TLS_README</a>, including examples for older <p> More examples are in <a href="TLS_README.html">TLS_README</a>, including examples for older
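Review bot: the example pairs a fixed, bracketed provider host with `smtp_tls_security_level = encrypt`, which enforces encryption but never checks the server's identity, while the prose only says that "encrypt" is the minimum this mode requires. Since "[mail.example.com]" already makes the nexthop name the name to match, the same example works with `smtp_tls_security_level = secure` and additionally authenticates the provider's certificate; suggest using that in the example, or adding a sentence that "encrypt" is the floor for wrapper mode and not the recommended level for a relayhost. The `:submissions` port name on the relayhost line has the same /etc/services dependency as the master.cf example earlier in this change.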
@ -17925,7 +17925,8 @@ envelope sender
<blockquote> <p> Note: to enforce that the From: header address <blockquote> <p> Note: to enforce that the From: header address
matches the envelope sender (MAIL FROM) address, use an external matches the envelope sender (MAIL FROM) address, use an external
filter such as a Milter, for the submission, submissions, or smtps filter such as a Milter, for the submission or submissions (formerly
called smtps )
services. For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>. </p> services. For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>. </p>
</blockquote> </blockquote>
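Review bot: stray space before the closing parenthesis in "(formerly called smtps )" on the new right-hand side; the three sibling notes later in this change write "(formerly called smtps)" without it.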
@ -18033,8 +18034,8 @@ that they do not explicitly own.
<br> <br>
Note: to enforce that the From: header address matches the envelope Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter, sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example: for the submission or submissions (formerly called smtps) services.
<a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>. For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
<br> <br>
This feature is available in Postfix version 2.1 and later. </dd> This feature is available in Postfix version 2.1 and later. </dd>
@ -18054,8 +18055,8 @@ unlisted MAIL FROM address.
<br> <br>
Note: to enforce that the From: header address matches the envelope Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter, sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example: for the submission or submissions (formerly called smtps) services.
<a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>. For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
<br> <br>
This feature is available in Postfix version 2.11 and later.</dd> This feature is available in Postfix version 2.11 and later.</dd>
@ -18100,8 +18101,8 @@ using any MAIL FROM address that is listed in $<a href="postconf.5.html#smtpd_se
<br> <br>
Note: to enforce that the From: header address matches the envelope Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter, sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example: for the submission or submissions (formerly called smtps) services.
<a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>. For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
<br> <br>
This feature is available in Postfix version 2.1 and later.</dd> This feature is available in Postfix version 2.1 and later.</dd>
@ -18872,6 +18873,8 @@ this parameter is always ignored, and Postfix behaves as though the
<b>auto</b> value (described below) was chosen. <b>auto</b> value (described below) was chosen.
</p> </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> The available choices are: </p> <p> The available choices are: </p>
<dl> <dl>
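Review bot: the added sentence says the parameter is unused as of Postfix 3.6 and not to set it, but gives no pointer to what replaced it; the surrounding text only says Postfix behaves as though "auto" were chosen. Suggest "This feature is not used as of Postfix 3.6; configure curves with tls_eecdh_auto_curves instead. Do not specify.", matching the tls_eecdh_auto_curves description that this change edits further down.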
@ -19526,8 +19529,8 @@ instead of using the STARTTLS command. </p>
<p> If you want to support this service, enable a special port in <p> If you want to support this service, enable a special port in
<a href="master.5.html">master.cf</a>, and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" on the SMTP <a href="master.5.html">master.cf</a>, and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" on the SMTP
server's command line. Port 465 (submissions/smtps) is reserved for server's command line. Port 465 (submissions, formerly called smtps)
this purpose. </p> is reserved for this purpose. </p>
<p> This feature is available in Postfix 2.2 and later. </p> <p> This feature is available in Postfix 2.2 and later. </p>
@ -20083,6 +20086,47 @@ MinProtocol = TLSv1
</pre> </pre>
</blockquote> </blockquote>
<p> Example: Custom OpenSSL group settings. </p>
<pre>
<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#tls_config_file">tls_config_file</a> = ${<a href="postconf.5.html#config_directory">config_directory</a>}/openssl.cnf
<a href="postconf.5.html#tls_config_name">tls_config_name</a> = postfix
</pre>
<pre>
openssl.cnf:
postfix = postfix_settings
</pre>
<pre>
[postfix_settings]
ssl_conf = postfix_ssl_settings
</pre>
<pre>
[postfix_ssl_settings]
system_default = baseline_postfix_settings
</pre>
<pre>
[baseline_postfix_settings]
# New OpenSSL 3.5 syntax, for older releases consider
# the Postfix default:
#
# Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
#
Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
</pre>
<p> Caution: It is typically best to just use the default group
settings, for which no $<a href="postconf.5.html#tls_config_file">tls_config_file</a> is required (you can set
"<a href="postconf.5.html#tls_config_file">tls_config_file</a> = none", to avoid unwanted leakage of system-wide
settings that strive to harden HTTPS against mostly browser-specific
security and privacy issues into Postfix use of opportunistic TLS,
where they're they can be counterproductive, leading to downgrades
to cleartext, rather than more "secure" TLS). </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6, <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p> 3.6.10, and 3.5.20. </p>
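Review bot: the main.cf block at the top of the added example is incomplete: the tls_eecdh_auto_curves paragraph added elsewhere in this patch says that OpenSSL-side group selection is enabled only when both tls_eecdh_auto_curves and tls_ffdhe_auto_groups are set to the empty value, and it points here for "a configuration example", yet neither parameter appears in the example. Suggest adding "tls_eecdh_auto_curves =" and "tls_ffdhe_auto_groups =" to that main.cf block so the example works as documented. Also, in the Caution paragraph, "where they're they can be counterproductive" has a duplicated word and should read "where they can be counterproductive"; that paragraph is a single long sentence and would read better split after "is required".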
@ -20274,8 +20318,7 @@ be using 0.9.6! </dd>
(default: see "postconf -d" output)</b></DT><DD> (default: see "postconf -d" output)</b></DT><DD>
<p> The prioritized list of elliptic curves, that should be enabled in the <p> The prioritized list of elliptic curves, that should be enabled in the
Postfix SMTP client and server. These are used by the Postfix SMTP server when Postfix SMTP client and server. The selected curves should be implemented
"<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = auto". The selected curves should be implemented
by OpenSSL and be standardized for use in the TLS "supported groups" extension by OpenSSL and be standardized for use in the TLS "supported groups" extension
(<a href="https://tools.ietf.org/html/rfc8422">RFC8422</a>, <a href="https://tools.ietf.org/html/rfc8446">RFC8446</a> and <a href="https://tools.ietf.org/html/rfc8447">RFC8447</a>). Be sure to include at least "x25519" and (<a href="https://tools.ietf.org/html/rfc8422">RFC8422</a>, <a href="https://tools.ietf.org/html/rfc8446">RFC8446</a> and <a href="https://tools.ietf.org/html/rfc8447">RFC8447</a>). Be sure to include at least "x25519" and
"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256"). The default "prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256"). The default
@ -20300,6 +20343,14 @@ customizing the list of FFDHE groups enabled with TLS 1.3. That setting
is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later. is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.
</p> </p>
<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both <a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> and if available <a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a>
to the empty value, to enable algorithm selection through OpenSSL
configuration. See <a href="postconf.5.html#tls_config_file">tls_config_file</a> for a configuration example.
</p>
<p> This feature is available in Postfix 3.2 and later, when it is <p> This feature is available in Postfix 3.2 and later, when it is
compiled and linked with OpenSSL 1.0.2 or later on platforms where compiled and linked with OpenSSL 1.0.2 or later on platforms where
EC algorithms have not been disabled by the vendor. </p> EC algorithms have not been disabled by the vendor. </p>
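Review bot: "set both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups to the empty value" is ambiguous about when the second parameter is available; since the preceding paragraph states that tls_ffdhe_auto_groups is introduced with Postfix 3.8, write "and, on Postfix 3.8 and later, tls_ffdhe_auto_groups". The same post-quantum paragraph is repeated almost verbatim under tls_ffdhe_auto_groups in this patch, where the "if available" qualifier is absent; keep the two consistent, or keep the full text in one place and cross-reference it from the other.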
@ -20323,6 +20374,8 @@ must support this curve for EECDH key exchange to take place. It
is unwise to choose only "bleeding-edge" curves supported by only a is unwise to choose only "bleeding-edge" curves supported by only a
small subset of clients. </p> small subset of clients. </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> The default "strong" curve is rated in NSA <a <p> The default "strong" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to SECRET. </p> B</a> for information classified up to SECRET. </p>
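Review bot: the new "This feature is not used as of Postfix 3.6. Do not specify." sentence is inserted after the advice that client implementations "must support this curve for EECDH key exchange to take place" and that choosing "bleeding-edge" curves is unwise, guidance that no longer applies to a parameter that is not used. Move the sentence to the start of the tls_eecdh_strong_curve description so the reader sees it before the obsolete guidance. The same applies to the tls_eecdh_ultra_curve hunk below.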
@ -20367,6 +20420,8 @@ client implementations must support this curve for EECDH key exchange
to take place. It is unwise to choose only "bleeding-edge" curves to take place. It is unwise to choose only "bleeding-edge" curves
supported by only a small subset of clients. </p> supported by only a small subset of clients. </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> This default "ultra" curve is rated in NSA <a <p> This default "ultra" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to TOP SECRET. </p> B</a> for information classified up to TOP SECRET. </p>
@ -20443,10 +20498,15 @@ on whether any of the "kDHE" ciphers are included in the cipherlist.
</p> </p>
<p> Conversely, setting "<a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a>" empty disables TLS 1.3 <p> Conversely, setting "<a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a>" empty disables TLS 1.3
EC key agreement in OpenSSL 3.0 and later. Note that at least one of EC key agreement in OpenSSL 3.0 and later. If both are set empty,
"<a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a>" and "<a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a>" must be non-empty, Postfix will fall back to OpenSSL preferences as described next. </p>
this is required by OpenSSL 3.0. If both are inadvertently set empty,
Postfix will fall back to the compiled-in defaults. </p> <p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both <a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> and <a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> to the empty
value, to enable algorithm selection through OpenSSL configuration.
See <a href="postconf.5.html#tls_config_file">tls_config_file</a> for a configuration example. </p>
<p> All the default groups and EC curves should be sufficiently strong to make <p> All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the "pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
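Review bot: the first paragraph of this hunk still says that setting tls_eecdh_auto_curves empty "disables TLS 1.3 EC key agreement in OpenSSL 3.0 and later", but the rewritten sentence that follows says that when both parameters are empty Postfix falls back to OpenSSL preferences, which can enable EC groups again (the example elsewhere in this patch lists X25519 and P-256 among them). Qualify the first sentence so it is stated to hold only while tls_ffdhe_auto_groups is non-empty, otherwise the two sentences contradict each other for the both-empty case.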
@ -21401,7 +21461,7 @@ the "<a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files
elliptic-curve Diffie-Hellman (EECDH) key exchange. See elliptic-curve Diffie-Hellman (EECDH) key exchange. See
<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details. </p> <a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details. </p>
<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p> <p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> This feature is available in Postfix 2.8 and later. </p> <p> This feature is available in Postfix 2.8 and later. </p>
@ -22352,8 +22412,8 @@ process. </p>
<p> Specify zero or more service names separated by comma and/or <p> Specify zero or more service names separated by comma and/or
whitespace. Any name in the services(5) database may be specified, whitespace. Any name in the services(5) database may be specified,
though in practice only submission, submissions, and smtp make though in practice only submission or submissions (formerly called
sense. </p> smtp) make sense. </p>
<p> When SRV record lookup is enabled with <a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a>, you can <p> When SRV record lookup is enabled with <a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a>, you can
enclose a domain name in "[]" to force IP address lookup instead enclose a domain name in "[]" to force IP address lookup instead
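Review bot: "(formerly called smtp)" is wrong here. The other hunks in this patch consistently give smtps, not smtp, as the former name of submissions, and the original sentence listed smtp (the port 25 service) as a third service name in its own right. Unless dropping smtp from the list of sensible service names is intended, the sentence should read "only submission, submissions (formerly called smtps), and smtp make sense".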


@ -691,19 +691,20 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
Request that the Postfix SMTP client connects using the SUBMIS- Request that the Postfix SMTP client connects using the SUBMIS-
SIONS/SMTPS protocol instead of using the STARTTLS command. SIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command.
Available in Postfix version 3.1 and later: Available in Postfix version 3.1 and later:
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
The TLS policy for MX hosts with "secure" TLSA records when the The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX record nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup. was found via an "insecure" MX lookup.
Available in Postfix version 3.2 and later: Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
The prioritized list of elliptic curves, that should be enabled The prioritized list of elliptic curves, that should be enabled
in the Postfix SMTP client and server. in the Postfix SMTP client and server.
Available in Postfix version 3.4 and later: Available in Postfix version 3.4 and later:
@ -712,23 +713,23 @@ SMTP(8) SMTP(8)
Try to make multiple deliveries per TLS-encrypted connection. Try to make multiple deliveries per TLS-encrypted connection.
<b><a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> (empty)</b>
List of one or more PEM files, each holding one or more private List of one or more PEM files, each holding one or more private
keys directly followed by a corresponding certificate chain. keys directly followed by a corresponding certificate chain.
<b><a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> (empty)</b>
Optional name to send to the remote SMTP server in the TLS Optional name to send to the remote SMTP server in the TLS
Server Name Indication (SNI) extension. Server Name Indication (SNI) extension.
Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
<b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b> <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
A workaround for implementations that hang Postfix while shut- A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out. ting down a TLS session, until Postfix times out.
Available in Postfix version 3.8 and later: Available in Postfix version 3.8 and later:
<b><a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> (see 'postconf -d' output)</b>
The prioritized list of finite-field Diffie-Hellman ephemeral The prioritized list of finite-field Diffie-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client (FFDHE) key exchange groups supported by the Postfix SMTP client
and server. and server.
@ -738,13 +739,13 @@ SMTP(8) SMTP(8)
Optional configuration file with baseline OpenSSL settings. Optional configuration file with baseline OpenSSL settings.
<b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b> <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
The application name passed by Postfix to OpenSSL library ini- The application name passed by Postfix to OpenSSL library ini-
tialization functions. tialization functions.
Available in Postfix version 3.9 and later: Available in Postfix version 3.9 and later:
<b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> (no)</b>
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate. instead of an X.509 certificate.
Available in Postfix version 3.10 and later: Available in Postfix version 3.10 and later:
@ -758,7 +759,7 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b> <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
Do not report the TLSRPT status for TLS protocol handshakes that Do not report the TLSRPT status for TLS protocol handshakes that
reuse a previously-negotiated TLS session (there is no new reuse a previously-negotiated TLS session (there is no new
information to report). information to report).
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b> <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
@ -766,40 +767,40 @@ SMTP(8) SMTP(8)
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b> <b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
The following configuration parameters exist for compatibility with The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a Postfix versions before 2.3. Support for these will be removed in a
future release. future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP server announces Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear. STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers use TLS Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear. encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b> <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the remote SMTP With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server hostname matches the information in the remote SMTP
server certificate. server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client TLS usage Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host- policy by next-hop destination and by remote SMTP server host-
name. name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list. cipher list.
<b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b> <b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b> <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The Postfix SMTP client time limit for completing a TCP connec- The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit). tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the HELO or EHLO The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server command, and for receiving the initial remote SMTP server
response. response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b> <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -811,19 +812,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response. mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the MAIL FROM The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the SMTP RCPT TO The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b> <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The Postfix SMTP client time limit for sending the SMTP DATA The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b> <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The Postfix SMTP client time limit for sending the SMTP message The Postfix SMTP client time limit for sending the SMTP message
content. content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b> <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -837,13 +838,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b> <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
The maximal number of MX (mail exchanger) IP addresses that can The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero result from Postfix SMTP client mail exchanger lookups, or zero
(no limit). (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b> <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery request before The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit). <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b> <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -853,17 +854,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier: Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b> <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a> Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds. seconds.
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b> <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the specified Permanently enable SMTP connection caching for the specified
destinations. destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b> <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a destination Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b> <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -877,23 +878,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b> <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or receive opera- Time limit for connection cache connect, send or receive opera-
tions. tions.
Available in Postfix version 2.9 - 3.6: Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b> <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes- response line, SMTP message content line, or TLS protocol mes-
sage). sage).
Available in Postfix version 2.11 and later: Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b> <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
When SMTP connection caching is enabled, the number of times When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero that an SMTP session may be reused before it is closed, or zero
(no limit). (no limit).
Available in Postfix version 3.4 and later: Available in Postfix version 3.4 and later:
@ -904,13 +905,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.7 and later: Available in Postfix version 3.7 and later:
<b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b> <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a com- time limit per plaintext or TLS read or write call, to a com-
bined time limit for sending a complete SMTP request and for bined time limit for sending a complete SMTP request and for
receiving a complete SMTP response. receiving a complete SMTP response.
<b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b> <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
The minimum plaintext data transfer rate in bytes/second for The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with DATA requests, when deadlines are enabled with
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>. <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
@ -918,54 +919,54 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b> <b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b> <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>- A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> <a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport. name of the message delivery transport.
<b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b> <b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b> <b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>- A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport. name of the message delivery transport.
<b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b> <b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
Preliminary SMTPUTF8 support is introduced with Postfix 3.0. Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b> <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described Enable preliminary SMTPUTF8 support for the protocols described
in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>. in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b> <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci- Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes. fied mail origin classes.
Available in Postfix version 3.2 and later: Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b> <b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
Enable 'transitional' compatibility between IDNA2003 and Enable 'transitional' compatibility between IDNA2003 and
IDNA2008, when converting UTF-8 domain names to/from the ASCII IDNA2008, when converting UTF-8 domain names to/from the ASCII
form that is used for DNS lookups. form that is used for DNS lookups.
<b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b> <b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b> <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a nexthop destina- The increment in verbose logging level when a nexthop destina-
tion, remote client or server name or network address matches a tion, remote client or server name or network address matches a
pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter. pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b> <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of nexthop destination, remote client or server Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the name or network address patterns that, if matched, cause the
verbose logging level to increase by the amount specified in verbose logging level to increase by the amount specified in
$<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>. $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b> <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about mail delivery The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto- problems that are caused by policy, resource, software or proto-
col errors. col errors.
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b> <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
What categories of Postfix-generated mail are subject to What categories of Postfix-generated mail are subject to
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>. <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b> <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@ -973,46 +974,46 @@ SMTP(8) SMTP(8)
<b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b> <b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b> <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail when it Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition. detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files. figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer. request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log- The maximal number of digits after the decimal point when log-
ging delay values. ging delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b> <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients. Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
The local network interface addresses that this mail system The local network interface addresses that this mail system
receives mail on. receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
The Internet protocols Postfix will attempt to use when making The Internet protocols Postfix will attempt to use when making
or accepting connections. or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an The time limit for sending or receiving information over an
internal communication channel. internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b> <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
When a remote LMTP server announces no DSN support, assume that When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv- the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed". ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b> <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to. The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily. waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b> <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -1026,21 +1027,21 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process. The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The remote network interface addresses that this mail system The remote network interface addresses that this mail system
receives mail on by way of a proxy or network address transla- receives mail on by way of a proxy or network address transla-
tion unit. tion unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b> <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4 client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference. addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b> <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the Postfix SMTP An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection. client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b> <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the Postfix SMTP An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection. client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -1060,7 +1061,7 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging. The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
A prefix that is prepended to the process name in syslog A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd". records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available with Postfix 2.2 and earlier: Available with Postfix 2.2 and earlier:
@ -1072,14 +1073,14 @@ SMTP(8) SMTP(8)
Available with Postfix 2.3 and later: Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b> <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
Optional list of relay destinations that will be used when an Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a SMTP destination is not found, or when delivery fails due to a
non-permanent error. non-permanent error.
Available with Postfix 3.0 and later: Available with Postfix 3.0 and later:
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b> <b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
In the context of email address verification, the SMTP protocol In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable. stage that determines whether an email address is deliverable.
Available with Postfix 3.1 and later: Available with Postfix 3.1 and later:
@ -1101,7 +1102,7 @@ SMTP(8) SMTP(8)
Available in Postfix 3.7 and later: Available in Postfix 3.7 and later:
<b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b> <b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
Defer delivery when the Postfix SMTP client cannot apply the Defer delivery when the Postfix SMTP client cannot apply the
<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting. <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
<b><a name="see_also">SEE ALSO</a></b> <b><a name="see_also">SEE ALSO</a></b>

View File

@ -6872,11 +6872,11 @@ Example master.cf entries:
.PP .PP
.nf .nf
.na .na
# Distinguish inbound MTA logging from submission and smtps logging. # Distinguish inbound MTA logging from submission and submissions logging.
smtp inet n \- n \- \- smtpd smtp inet n \- n \- \- smtpd
submission inet n \- n \- \- smtpd submission inet n \- n \- \- smtpd
\-o syslog_name=postfix/$service_name \-o syslog_name=postfix/$service_name
smtps inet n \- n \- \- smtpd submissions inet n \- n \- \- smtpd
\-o syslog_name=postfix/$service_name \-o syslog_name=postfix/$service_name
.fi .fi
.ad .ad
@ -8477,7 +8477,7 @@ See "Client\-side
TLS connection reuse" for background details. TLS connection reuse" for background details.
.PP .PP
This feature is available in Postfix 3.4 and later. This feature is available in Postfix 3.4 and later.
.SH smtp_tls_dane_insecure_mx_policy (default: see "postconf \-d" output) .SH smtp_tls_dane_insecure_mx_policy (default: dane)
The TLS policy for MX hosts with "secure" TLSA records when the The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is \fBdane\fR, but the MX nexthop destination security level is \fBdane\fR, but the MX
record was found via an "insecure" MX lookup. The choices are: record was found via an "insecure" MX lookup. The choices are:
@ -8498,10 +8498,9 @@ authentication succeeds, it will be logged only as "Trusted", not
"Verified", because the MX host name could have been forged. "Verified", because the MX host name could have been forged.
.br .br
.br .br
The default setting for Postfix >= 3.6 is "dane" with The default setting is "dane" as of Postfix versions 3.6.17,
"smtp_tls_security_level = dane", otherwise "may". This behavior 3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. was mistakenly dependent on the smtp_tls_security_level setting.
With earlier Postfix versions the default setting was always "dane".
.PP .PP
Though with "insecure" MX records an active attacker can Though with "insecure" MX records an active attacker can
compromise SMTP transport security by returning forged MX records, compromise SMTP transport security by returning forged MX records,
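Review bot: the replacement sentence "With earlier versions the default was mistakenly dependent on the smtp_tls_security_level setting" overstates the history that the removed lines documented: the security-level-dependent default arrived with Postfix 3.6 and was backported to 3.5.9, 3.4.19, 3.3.16 and 3.2.21, and releases before those always defaulted to "dane". Keep that detail so readers of old releases are not misled, e.g. "With Postfix 3.6 through 3.6.16, and the backports in 3.5.9, 3.4.19, 3.3.16 and 3.2.21, the default was mistakenly dependent on the smtp_tls_security_level setting; older releases always defaulted to \"dane\"."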
@ -9883,22 +9882,23 @@ example.com verify match=hostname:nexthop
This feature is available in Postfix 2.3 and later. This feature is available in Postfix 2.3 and later.
.SH smtp_tls_wrappermode (default: no) .SH smtp_tls_wrappermode (default: no)
Request that the Postfix SMTP client connects using the Request that the Postfix SMTP client connects using the
SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. SUBMISSIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command.
.PP .PP
This mode requires "smtp_tls_security_level = encrypt" or This mode requires "smtp_tls_security_level = encrypt" or
stronger. stronger.
.PP .PP
Example: deliver all remote mail via a provider's server Example: deliver all remote mail via a provider's submissions
"mail.example.com". service at "mail.example.com".
.PP .PP
.nf .nf
.na .na
/etc/postfix/main.cf: /etc/postfix/main.cf:
# Client\-side SMTPS requires "encrypt" or stronger. # Client\-side SUBMISSIONS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes smtp_tls_wrappermode = yes
# The [] suppress MX lookups. # The [] suppress MX lookups.
relayhost = [mail.example.com]:465 relayhost = [mail.example.com]:submissions
.fi .fi
.ad .ad
.PP .PP
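Review bot: the example at the end of the hunk replaces the numeric port in "relayhost = [mail.example.com]:465" with the service name "submissions", while the section still says the feature is available in Postfix 3.0 and later and elsewhere in this patch service names are described as anything in the services(5) database. Since a name that does not resolve locally gives a less obvious failure than a port number, consider keeping the number in the comment, e.g. "# The [] suppress MX lookups; submissions is TCP port 465."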
@ -12171,7 +12171,8 @@ envelope sender
.in +4 .in +4
Note: to enforce that the From: header address Note: to enforce that the From: header address
matches the envelope sender (MAIL FROM) address, use an external matches the envelope sender (MAIL FROM) address, use an external
filter such as a Milter, for the submission, submissions, or smtps filter such as a Milter, for the submission or submissions (formerly
called smtps )
services. For example: https://github.com/magcks/milterfrom. services. For example: https://github.com/magcks/milterfrom.
.in -4 .in -4
.PP .PP
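Review bot: stray space before the closing parenthesis in the added text "submissions (formerly called smtps )"; every other occurrence in this patch reads "(formerly called smtps)". The line break also strands "services." on its own line; reflow to "... for the submission or submissions (formerly called smtps) services. For example: ...".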
@ -12248,8 +12249,8 @@ that they do not explicitly own.
.br .br
Note: to enforce that the From: header address matches the envelope Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter, sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example: for the submission or submissions (formerly called smtps) services.
https://github.com/magcks/milterfrom. For example: https://github.com/magcks/milterfrom.
.br .br
This feature is available in Postfix version 2.1 and later. This feature is available in Postfix version 2.1 and later.
.br .br
@ -12268,8 +12269,8 @@ unlisted MAIL FROM address.
.br .br
Note: to enforce that the From: header address matches the envelope Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter, sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example: for the submission or submissions (formerly called smtps) services.
https://github.com/magcks/milterfrom. For example: https://github.com/magcks/milterfrom.
.br .br
This feature is available in Postfix version 2.11 and later. This feature is available in Postfix version 2.11 and later.
.br .br
@ -12314,8 +12315,8 @@ using any MAIL FROM address that is listed in $smtpd_sender_login_maps.
.br .br
Note: to enforce that the From: header address matches the envelope Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter, sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example: for the submission or submissions (formerly called smtps) services.
https://github.com/magcks/milterfrom. For example: https://github.com/magcks/milterfrom.
.br .br
This feature is available in Postfix version 2.1 and later. This feature is available in Postfix version 2.1 and later.
.br .br
@ -12973,6 +12974,8 @@ Diffie\-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of
this parameter is always ignored, and Postfix behaves as though the this parameter is always ignored, and Postfix behaves as though the
\fBauto\fR value (described below) was chosen. \fBauto\fR value (described below) was chosen.
.PP .PP
This feature is not used as of Postfix 3.6. Do not specify.
.PP
The available choices are: The available choices are:
.IP "\fBauto\fR" .IP "\fBauto\fR"
Use the most preferred curve that is Use the most preferred curve that is
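Review bot: the added sentence "This feature is not used as of Postfix 3.6. Do not specify." duplicates the context two lines above ("As of Postfix 3.6, the value of this parameter is always ignored, and Postfix behaves as though the auto value ... was chosen"). The added form matches what this patch adds for tls_eecdh_strong_curve, tls_eecdh_ultra_curve and tlsproxy_tls_eecdh_grade, so keep it for consistency, but trim the older sentence to the part the new one lacks (that Postfix behaves as though "auto" was chosen) so the point is not stated twice.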
@ -13566,8 +13569,8 @@ instead of using the STARTTLS command.
.PP .PP
If you want to support this service, enable a special port in If you want to support this service, enable a special port in
master.cf, and specify "\-o smtpd_tls_wrappermode=yes" on the SMTP master.cf, and specify "\-o smtpd_tls_wrappermode=yes" on the SMTP
server's command line. Port 465 (submissions/smtps) is reserved for server's command line. Port 465 (submissions, formerly called smtps)
this purpose. is reserved for this purpose.
.PP .PP
This feature is available in Postfix 2.2 and later. This feature is available in Postfix 2.2 and later.
.SH smtpd_upstream_proxy_protocol (default: empty) .SH smtpd_upstream_proxy_protocol (default: empty)
@ -13942,6 +13945,57 @@ MinProtocol = TLSv1
.ad .ad
.in -4 .in -4
.PP .PP
Example: Custom OpenSSL group settings.
.PP
.nf
.na
main.cf:
tls_config_file = ${config_directory}/openssl.cnf
tls_config_name = postfix
.fi
.ad
.PP
.nf
.na
openssl.cnf:
postfix = postfix_settings
.fi
.ad
.PP
.nf
.na
[postfix_settings]
ssl_conf = postfix_ssl_settings
.fi
.ad
.PP
.nf
.na
[postfix_ssl_settings]
system_default = baseline_postfix_settings
.fi
.ad
.PP
.nf
.na
[baseline_postfix_settings]
# New OpenSSL 3.5 syntax, for older releases consider
# the Postfix default:
#
# Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
#
Groups = *X25519MLKEM768 / *X25519:X448 / P\-256:P\-384
.fi
.ad
.PP
Caution: It is typically best to just use the default group
settings, for which no $tls_config_file is required (you can set
"tls_config_file = none", to avoid unwanted leakage of system\-wide
settings that strive to harden HTTPS against mostly browser\-specific
security and privacy issues into Postfix use of opportunistic TLS,
where they're they can be counterproductive, leading to downgrades
to cleartext, rather than more "secure" TLS).
.PP
This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. 3.6.10, and 3.5.20.
.SH tls_config_name (default: empty) .SH tls_config_name (default: empty)
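Review bot: the main.cf fragment in the added example sets only tls_config_file and tls_config_name, but the tls_eecdh_auto_curves and tls_ffdhe_auto_groups text added elsewhere in this patch points here as "a configuration example" for OpenSSL-managed group selection, which those paragraphs say requires both parameters to be empty. Add the two empty settings to the main.cf fragment so the example works as referenced:
 tls_eecdh_auto_curves =
 tls_ffdhe_auto_groups =
Also fix the doubled word in the "Caution" paragraph: "where they're they can be counterproductive" should read "where they can be counterproductive".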
@ -14102,8 +14156,7 @@ Postfix >= 3.4. See \fBSSL_CTX_set_options\fR(3).
This feature is available in Postfix 2.8 and later. This feature is available in Postfix 2.8 and later.
.SH tls_eecdh_auto_curves (default: see "postconf \-d" output) .SH tls_eecdh_auto_curves (default: see "postconf \-d" output)
The prioritized list of elliptic curves, that should be enabled in the The prioritized list of elliptic curves, that should be enabled in the
Postfix SMTP client and server. These are used by the Postfix SMTP server when Postfix SMTP client and server. The selected curves should be implemented
"smtpd_tls_eecdh_grade = auto". The selected curves should be implemented
by OpenSSL and be standardized for use in the TLS "supported groups" extension by OpenSSL and be standardized for use in the TLS "supported groups" extension
(RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and (RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and
"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P\-256"). The default "prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P\-256"). The default
@ -14127,6 +14180,13 @@ See also the "tls_ffdhe_auto_groups" parameter, which supports
customizing the list of FFDHE groups enabled with TLS 1.3. That setting customizing the list of FFDHE groups enabled with TLS 1.3. That setting
is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later. is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.
.PP .PP
Post\-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups
to the empty value, to enable algorithm selection through OpenSSL
configuration. See tls_config_file for a configuration example.
.PP
This feature is available in Postfix 3.2 and later, when it is This feature is available in Postfix 3.2 and later, when it is
compiled and linked with OpenSSL 1.0.2 or later on platforms where compiled and linked with OpenSSL 1.0.2 or later on platforms where
EC algorithms have not been disabled by the vendor. EC algorithms have not been disabled by the vendor.
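Review bot: "set both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups to the empty value" needs commas around "if available", or a rewording such as "and, where supported, tls_ffdhe_auto_groups"; the preceding context already says tls_ffdhe_auto_groups exists only with Postfix 3.8 built against OpenSSL 3.0 or later, so a pointer to that would be clearer than "if available". The same paragraph is added nearly verbatim under tls_ffdhe_auto_groups later in this patch; consider stating it once and cross-referencing from the other parameter.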
@ -14144,6 +14204,8 @@ must support this curve for EECDH key exchange to take place. It
is unwise to choose only "bleeding\-edge" curves supported by only a is unwise to choose only "bleeding\-edge" curves supported by only a
small subset of clients. small subset of clients.
.PP .PP
This feature is not used as of Postfix 3.6. Do not specify.
.PP
The default "strong" curve is rated in NSA Suite The default "strong" curve is rated in NSA Suite
B for information classified up to SECRET. B for information classified up to SECRET.
.PP .PP
@ -14179,6 +14241,8 @@ client implementations must support this curve for EECDH key exchange
to take place. It is unwise to choose only "bleeding\-edge" curves to take place. It is unwise to choose only "bleeding\-edge" curves
supported by only a small subset of clients. supported by only a small subset of clients.
.PP .PP
This feature is not used as of Postfix 3.6. Do not specify.
.PP
This default "ultra" curve is rated in NSA Suite This default "ultra" curve is rated in NSA Suite
B for information classified up to TOP SECRET. B for information classified up to TOP SECRET.
.PP .PP
@ -14233,10 +14297,15 @@ Whether FFDHE key agreement is enabled in TLS 1.2 and earlier depends
on whether any of the "kDHE" ciphers are included in the cipherlist. on whether any of the "kDHE" ciphers are included in the cipherlist.
.PP .PP
Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3 Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3
EC key agreement in OpenSSL 3.0 and later. Note that at least one of EC key agreement in OpenSSL 3.0 and later. If both are set empty,
"tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" must be non\-empty, Postfix will fall back to OpenSSL preferences as described next.
this is required by OpenSSL 3.0. If both are inadvertently set empty, .PP
Postfix will fall back to the compiled\-in defaults. Post\-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty
value, to enable algorithm selection through OpenSSL configuration.
See tls_config_file for a configuration example.
.PP .PP
All the default groups and EC curves should be sufficiently strong to make All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the "pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
@ -14874,7 +14943,7 @@ The Postfix \fBtlsproxy\fR(8) server security grade for ephemeral
elliptic\-curve Diffie\-Hellman (EECDH) key exchange. See elliptic\-curve Diffie\-Hellman (EECDH) key exchange. See
smtpd_tls_eecdh_grade for further details. smtpd_tls_eecdh_grade for further details.
.PP .PP
This feature is deprecated as of Postfix 3.9. Do not specify. This feature is not used as of Postfix 3.6. Do not specify.
.PP .PP
This feature is available in Postfix 2.8 and later. This feature is available in Postfix 2.8 and later.
.SH tlsproxy_tls_enable_rpk (default: $smtpd_tls_enable_rpk) .SH tlsproxy_tls_enable_rpk (default: $smtpd_tls_enable_rpk)
@ -15428,8 +15497,8 @@ process.
.PP .PP
Specify zero or more service names separated by comma and/or Specify zero or more service names separated by comma and/or
whitespace. Any name in the \fBservices\fR(5) database may be specified, whitespace. Any name in the \fBservices\fR(5) database may be specified,
though in practice only submission, submissions, and smtp make though in practice only submission or submissions (formerly called
sense. smtp) make sense.
.PP .PP
When SRV record lookup is enabled with use_srv_lookup, you can When SRV record lookup is enabled with use_srv_lookup, you can
enclose a domain name in "[]" to force IP address lookup instead enclose a domain name in "[]" to force IP address lookup instead
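Review bot: the rewritten sentence "only submission or submissions (formerly called smtp) make sense" is wrong on two counts: the former name of the submissions service is smtps, not smtp, and the removed text also listed smtp itself as a sensible choice, which the new text silently drops. Suggest "though in practice only smtp, submission, or submissions (formerly called smtps) make sense."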

View File

@ -628,10 +628,11 @@ The name of the \fBtlsmgr\fR(8) service entry in master.cf.
Available in Postfix version 3.0 and later: Available in Postfix version 3.0 and later:
.IP "\fBsmtp_tls_wrappermode (no)\fR" .IP "\fBsmtp_tls_wrappermode (no)\fR"
Request that the Postfix SMTP client connects using the Request that the Postfix SMTP client connects using the
SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. SUBMISSIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command.
.PP .PP
Available in Postfix version 3.1 and later: Available in Postfix version 3.1 and later:
.IP "\fBsmtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)\fR" .IP "\fBsmtp_tls_dane_insecure_mx_policy (dane)\fR"
The TLS policy for MX hosts with "secure" TLSA records when the The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is \fBdane\fR, but the MX nexthop destination security level is \fBdane\fR, but the MX
record was found via an "insecure" MX lookup. record was found via an "insecure" MX lookup.

View File

@ -345,7 +345,8 @@ postfix-tlspol</a>, supports domains with DANE (using Postfix
built-in DANE), and domains with MTA-STS. </p> built-in DANE), and domains with MTA-STS. </p>
<li> <p> <a href="https://github.com/Snawoot/postfix-mta-sts-resolver"> <li> <p> <a href="https://github.com/Snawoot/postfix-mta-sts-resolver">
postfix-mta-sts-resolver</a>, supports domains with MTA-STS. </p> postfix-mta-sts-resolver</a>, supports domains with MTA-STS as of
release 1.5.0 (February 2025). </p>
</ul> </ul>
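Review bot: the added qualifier "supports domains with MTA-STS as of release 1.5.0 (February 2025)" reads as though postfix-mta-sts-resolver had no MTA-STS support before 1.5.0, which contradicts the removed unqualified text. If 1.5.0 added something new (the preceding postfix-tlspol entry distinguishes DANE handling from MTA-STS handling), say what changed; if the version is only a compatibility note, phrase it that way.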

View File

@ -552,8 +552,8 @@ and OE (5.01 Mac on all ports). </p>
<p> It is strictly discouraged to use this mode from main.cf. If <p> It is strictly discouraged to use this mode from main.cf. If
you want to support this service, enable a special port in master.cf you want to support this service, enable a special port in master.cf
and specify "-o smtpd_tls_wrappermode=yes" (note: no space around and specify "-o smtpd_tls_wrappermode=yes" (note: no space around
the "=") as an smtpd(8) command line option. Port 465 (smtps) was the "=") as an smtpd(8) command line option. Port 465 (submissions,
once chosen for this feature. formerly called smtps) is the most common example.
</p> </p>
<p> Example: </p> <p> Example: </p>
@ -561,7 +561,7 @@ once chosen for this feature.
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/master.cf: /etc/postfix/master.cf:
smtps inet n - n - - smtpd submissions inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
</pre> </pre>
</blockquote> </blockquote>
@ -1065,7 +1065,7 @@ key configuration </a>
<li> <a href="#client_cipher">Client-side cipher controls </a> <li> <a href="#client_cipher">Client-side cipher controls </a>
<li> <a href="#client_smtps">Client-side SMTPS support </a> <li> <a href="#client_smtps">Client-side submissions (formerly called smtps) support </a>
<li> <a href="#client_misc"> Miscellaneous client controls </a> <li> <a href="#client_misc"> Miscellaneous client controls </a>
@ -2560,32 +2560,33 @@ the TLS protocols used with opportunistic TLS. </p>
</pre> </pre>
</blockquote> </blockquote>
<h3> <a name="client_smtps">Client-side SMTPS support </a> </h3> <h3> <a name="client_smtps">Client-side submissions (formerly called smtps) support </a> </h3>
<p> These sections show how to send mail to a server that does not <p> These sections show how to send mail to a server that does not
support STARTTLS, but that provides the SMTPS service support STARTTLS, but that provides the submissions (smtps) service
on TCP port 465. Depending on the Postfix version, some additional on TCP port 465. Depending on the Postfix version, some additional
tooling may be required. </p> tooling may be required. </p>
<h4> Postfix &ge; 3.0 </h4> <h4> Postfix &ge; 3.0 </h4>
<p> The Postfix SMTP client has SMTPS support built-in as of version <p> The Postfix SMTP client has submissions service support built-in
as of version
3.0. Use one of the following examples, to send all remote mail, 3.0. Use one of the following examples, to send all remote mail,
or to send only some remote mail, to an SMTPS server. </p> or to send only some remote mail, to a submissions (smtps) server. </p>
<h5> Postfix &ge; 3.0: Sending all remote mail to an SMTPS server </h5> <h5> Postfix &ge; 3.0: Sending all remote mail to a submissions (formerly called smtps) server </h5>
<p> The first example will send all remote mail over SMTPS through <p> The first example will send all remote mail to through a
a provider's server called "mail.example.com": </p> provider's submissions server called "mail.example.com": </p>
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/main.cf: /etc/postfix/main.cf:
# Client-side SMTPS requires "encrypt" or stronger. # Client-side submissions requires "encrypt" or stronger.
smtp_tls_security_level = encrypt smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes smtp_tls_wrappermode = yes
# The [] suppress MX lookups. # The [] suppress MX lookups.
relayhost = [mail.example.com]:465 relayhost = [mail.example.com]:submissions
</pre> </pre>
</blockquote> </blockquote>
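Review bot: typo in the added text "will send all remote mail to through a provider's submissions server"; drop "to". In the example that follows, "relayhost = [mail.example.com]:submissions" replaces the numeric 465 while the section intro still refers to "TCP port 465"; a short comment tying the service name to the port would keep the two consistent for readers whose systems do not know the name.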
@ -2595,11 +2596,12 @@ a provider's server called "mail.example.com": </p>
</p> </p>
<h5> Postfix &ge; 3.0: Sending only mail for a specific destination <h5> Postfix &ge; 3.0: Sending only mail for a specific destination
via SMTPS </h5> to a submissions (formerly called smtps) service </h5>
<p> The second example will send only mail for "example.com" via <p> The second example will send only mail for "example.com" using
SMTPS. This time, Postfix uses a transport map to deliver only the submissions (smtps) service.
mail for "example.com" via SMTPS: </p> This time, Postfix uses a transport map to deliver only
mail for "example.com" using the submissions (smtps) service: </p>
<blockquote> <blockquote>
<pre> <pre>
@ -2607,11 +2609,11 @@ mail for "example.com" via SMTPS: </p>
transport_maps = hash:/etc/postfix/transport transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport: /etc/postfix/transport:
example.com relay-smtps:example.com:465 example.com relay-submissions:example.com:submissions
/etc/postfix/master.cf: /etc/postfix/master.cf:
relay-smtps unix - - n - - smtp relay-submissions unix - - n - - smtp
# Client-side SMTPS requires "encrypt" or stronger. # Client-side submissions service requires "encrypt" or stronger.
-o smtp_tls_security_level=encrypt -o smtp_tls_security_level=encrypt
-o smtp_tls_wrappermode=yes -o smtp_tls_wrappermode=yes
</pre> </pre>
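Review bot: the transport entry and the relayhost example now use the symbolic port "submissions" instead of 465; that name is resolved through services(5), so on a system whose /etc/services predates the "submissions" assignment the lookup fails and mail for example.com is deferred rather than delivered over TLS. Either mention that dependency next to the example or keep the numeric 465 in the example and give the service name as the alternative.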
@ -2625,81 +2627,7 @@ authentication. </p>
<h4> Postfix &lt; 3.0 </h4> <h4> Postfix &lt; 3.0 </h4>
<p> Although older Postfix SMTP client versions do not support TLS <p> Please see TLS_LEGACY_README. </p>
wrapper mode, it is relatively easy to forward a connection through
the stunnel program if Postfix needs to deliver mail to some legacy
system that doesn't support STARTTLS. </p>
<h5> Postfix &lt; 3.0: Sending all remote mail to an SMTPS server </h5>
<p> The first example uses SMTPS to send all remote mail to a
provider's mail server called "mail.example.com". </p>
<p> A minimal stunnel.conf file is sufficient to set up a tunnel
from local port 11125 to the remote destination "mail.example.com"
and port "smtps". Postfix will later use this tunnel to connect to
the remote server. </p>
<blockquote>
<pre>
/path/to/stunnel.conf:
[smtp-tls-wrapper]
accept = 11125
client = yes
connect = mail.example.com:smtps
</pre>
</blockquote>
<p> To test this tunnel, use: </p>
<blockquote>
<pre>
$ telnet localhost 11125
</pre>
</blockquote>
<p> This should produce the greeting from the remote SMTP server
at mail.example.com. </p>
<p> On the Postfix side, the relayhost feature sends all remote
mail through the local stunnel listener on port 11125: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
relayhost = [127.0.0.1]:11125
</pre>
</blockquote>
<p> Use "postfix reload" to make the change effective. </p>
<p> See SOHO_README for additional information about SASL
authentication. </p>
<h4> Postfix &lt; 3.0: Sending only mail for a specific destination via SMTPS </h4>
<p> The second example will use SMTPS to send only mail for
"example.com" via SMTPS. It uses the same stunnel configuration
file as the first example, so it won't be repeated here. </p>
<p> This time, the Postfix side uses a transport map to direct only
mail for "example.com" through the tunnel: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
example.com relay:[127.0.0.1]:11125
</pre>
</blockquote>
<p> Use "postmap hash:/etc/postfix/transport" and "postfix reload"
to make the change effective. </p>
<p> See SOHO_README for additional information about SASL authentication.
</p>
<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3> <h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
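Review bot: the whole stunnel walk-through for Postfix < 3.0 is replaced by a one-line pointer to TLS_LEGACY_README, which only helps readers if that file is shipped and installed by the same packaging rules as this one, and if it still carries the "postmap hash:/etc/postfix/transport" / "postfix reload" steps and the SOHO_README pointer for SASL authentication that are removed here. Worth confirming the file is part of this commit before the reference lands.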
@ -2710,7 +2638,7 @@ tries the next network address on the mail exchanger list, and
defers delivery if no alternative server is available. </p> defers delivery if no alternative server is available. </p>
<p> Example: </p> <p> Example: </p>
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/main.cf: /etc/postfix/main.cf:
@ -2727,7 +2655,7 @@ are disabled in the default value of the parameter when linked with
an OpenSSL library that could be vulnerable. </p> an OpenSSL library that could be vulnerable. </p>
<p> Example: </p> <p> Example: </p>
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/main.cf: /etc/postfix/main.cf:
View File
@ -6708,7 +6708,8 @@ envelope sender
<blockquote> <p> Note: to enforce that the From: header address <blockquote> <p> Note: to enforce that the From: header address
matches the envelope sender (MAIL FROM) address, use an external matches the envelope sender (MAIL FROM) address, use an external
filter such as a Milter, for the submission, submissions, or smtps filter such as a Milter, for the submission or submissions (formerly
called smtps )
services. For example: https://github.com/magcks/milterfrom. </p> services. For example: https://github.com/magcks/milterfrom. </p>
</blockquote> </blockquote>
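Review bot: the replacement text has a stray space before the closing parenthesis, "(formerly called smtps )", and is broken so that "services." starts a line on its own; suggest "for the submission or submissions (formerly called smtps) services.", as the three later hunks in this file already spell it.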
@ -6812,8 +6813,8 @@ that they do not explicitly own.
<br> <br>
Note: to enforce that the From: header address matches the envelope Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter, sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example: for the submission or submissions (formerly called smtps) services.
https://github.com/magcks/milterfrom. For example: https://github.com/magcks/milterfrom.
<br> <br>
This feature is available in Postfix version 2.1 and later. </dd> This feature is available in Postfix version 2.1 and later. </dd>
@ -6833,8 +6834,8 @@ unlisted MAIL FROM address.
<br> <br>
Note: to enforce that the From: header address matches the envelope Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter, sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example: for the submission or submissions (formerly called smtps) services.
https://github.com/magcks/milterfrom. For example: https://github.com/magcks/milterfrom.
<br> <br>
This feature is available in Postfix version 2.11 and later.</dd> This feature is available in Postfix version 2.11 and later.</dd>
@ -6879,8 +6880,8 @@ using any MAIL FROM address that is listed in $smtpd_sender_login_maps.
<br> <br>
Note: to enforce that the From: header address matches the envelope Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter, sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example: for the submission or submissions (formerly called smtps) services.
https://github.com/magcks/milterfrom. For example: https://github.com/magcks/milterfrom.
<br> <br>
This feature is available in Postfix version 2.1 and later.</dd> This feature is available in Postfix version 2.1 and later.</dd>
@ -8466,11 +8467,11 @@ use the same program name. </p>
<p> Example master.cf entries: </p> <p> Example master.cf entries: </p>
<pre> <pre>
# Distinguish inbound MTA logging from submission and smtps logging. # Distinguish inbound MTA logging from submission and submissions logging.
smtp inet n - n - - smtpd smtp inet n - n - - smtpd
submission inet n - n - - smtpd submission inet n - n - - smtpd
-o syslog_name=postfix/$service_name -o syslog_name=postfix/$service_name
smtps inet n - n - - smtpd submissions inet n - n - - smtpd
-o syslog_name=postfix/$service_name -o syslog_name=postfix/$service_name
</pre> </pre>
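Review bot: renaming the master.cf service from "smtps" to "submissions" also changes what this example logs: with syslog_name=postfix/$service_name the prefix becomes "postfix/submissions" instead of "postfix/smtps". Since the paragraph is about telling log streams apart, a sentence noting that existing log filters or alerting rules keyed on "postfix/smtps" need the same rename would spare operators a silent loss of visibility after following the example.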
@ -9930,8 +9931,8 @@ instead of using the STARTTLS command. </p>
<p> If you want to support this service, enable a special port in <p> If you want to support this service, enable a special port in
master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
server's command line. Port 465 (submissions/smtps) is reserved for server's command line. Port 465 (submissions, formerly called smtps)
this purpose. </p> is reserved for this purpose. </p>
<p> This feature is available in Postfix 2.2 and later. </p> <p> This feature is available in Postfix 2.2 and later. </p>
@ -13349,8 +13350,7 @@ parameter. See there for details. </p>
%PARAM tls_eecdh_auto_curves see "postconf -d" output %PARAM tls_eecdh_auto_curves see "postconf -d" output
<p> The prioritized list of elliptic curves, that should be enabled in the <p> The prioritized list of elliptic curves, that should be enabled in the
Postfix SMTP client and server. These are used by the Postfix SMTP server when Postfix SMTP client and server. The selected curves should be implemented
"smtpd_tls_eecdh_grade = auto". The selected curves should be implemented
by OpenSSL and be standardized for use in the TLS "supported groups" extension by OpenSSL and be standardized for use in the TLS "supported groups" extension
(RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and (RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and
"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256"). The default "prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256"). The default
@ -13375,6 +13375,14 @@ customizing the list of FFDHE groups enabled with TLS 1.3. That setting
is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later. is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.
</p> </p>
<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups
to the empty value, to enable algorithm selection through OpenSSL
configuration. See tls_config_file for a configuration example.
</p>
<p> This feature is available in Postfix 3.2 and later, when it is <p> This feature is available in Postfix 3.2 and later, when it is
compiled and linked with OpenSSL 1.0.2 or later on platforms where compiled and linked with OpenSSL 1.0.2 or later on platforms where
EC algorithms have not been disabled by the vendor. </p> EC algorithms have not been disabled by the vendor. </p>
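Review bot: "set both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups to the empty value" is hard to parse; the paragraph just above says tls_ffdhe_auto_groups exists only from Postfix 3.8 with OpenSSL 3.0, so spell that out, e.g. "set tls_eecdh_auto_curves, and with Postfix 3.8 or later also tls_ffdhe_auto_groups, to the empty value". The version list "3.6.17, 3.7.13, 3.8.8, 3.9.2, and later" also leaves 3.10 implicit, while the smtp_tls_dane_insecure_mx_policy text in this same change lists "and 3.10.0" explicitly; the two should use the same form.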
@ -13405,10 +13413,15 @@ on whether any of the "kDHE" ciphers are included in the cipherlist.
</p> </p>
<p> Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3 <p> Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3
EC key agreement in OpenSSL 3.0 and later. Note that at least one of EC key agreement in OpenSSL 3.0 and later. If both are set empty,
"tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" must be non-empty, Postfix will fall back to OpenSSL preferences as described next. </p>
this is required by OpenSSL 3.0. If both are inadvertently set empty,
Postfix will fall back to the compiled-in defaults. </p> <p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty
value, to enable algorithm selection through OpenSSL configuration.
See tls_config_file for a configuration example. </p>
<p> All the default groups and EC curves should be sufficiently strong to make <p> All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the "pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
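Review bot: the post-quantum paragraph added here lists Postfix 3.6.17 and 3.7.13, but tls_ffdhe_auto_groups, the parameter this text documents, is introduced with Postfix 3.8 (see the paragraph above), so those releases cannot set it; suggest starting the list at 3.8.8. The rewritten sentence "If both are set empty, Postfix will fall back to OpenSSL preferences" also replaces the earlier promise of falling back to the compiled-in defaults, which is a behaviour change for anyone who had inadvertently emptied both values; a short "previously ..." sentence here would make that visible to someone upgrading.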
@ -13433,6 +13446,8 @@ must support this curve for EECDH key exchange to take place. It
is unwise to choose only "bleeding-edge" curves supported by only a is unwise to choose only "bleeding-edge" curves supported by only a
small subset of clients. </p> small subset of clients. </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> The default "strong" curve is rated in NSA <a <p> The default "strong" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to SECRET. </p> B</a> for information classified up to SECRET. </p>
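Review bot: the "not used as of Postfix 3.6. Do not specify." notice is inserted between two descriptive paragraphs, after text that still tells the reader how to choose the curve; the same applies to the tls_eecdh_ultra_curve hunk below. Putting the notice first in each parameter description, or folding it into the opening sentence, makes it less likely to be missed by someone skimming for a recommended value.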
@ -13473,6 +13488,8 @@ client implementations must support this curve for EECDH key exchange
to take place. It is unwise to choose only "bleeding-edge" curves to take place. It is unwise to choose only "bleeding-edge" curves
supported by only a small subset of clients. </p> supported by only a small subset of clients. </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> This default "ultra" curve is rated in NSA <a <p> This default "ultra" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to TOP SECRET. </p> B</a> for information classified up to TOP SECRET. </p>
@ -13499,6 +13516,8 @@ this parameter is always ignored, and Postfix behaves as though the
<b>auto</b> value (described below) was chosen. <b>auto</b> value (described below) was chosen.
</p> </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> The available choices are: </p> <p> The available choices are: </p>
<dl> <dl>
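Review bot: the preceding lines already state that this parameter is always ignored and that Postfix behaves as though "auto" was chosen, so the added "not used as of Postfix 3.6. Do not specify." sentence partly duplicates them; consider merging the two into one statement so the reader gets a single, consistent version boundary.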
@ -15979,7 +15998,7 @@ the "tlsproxy_tls_chain_files" parameter. </p>
elliptic-curve Diffie-Hellman (EECDH) key exchange. See elliptic-curve Diffie-Hellman (EECDH) key exchange. See
smtpd_tls_eecdh_grade for further details. </p> smtpd_tls_eecdh_grade for further details. </p>
<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p> <p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> This feature is available in Postfix 2.8 and later. </p> <p> This feature is available in Postfix 2.8 and later. </p>
@ -17507,21 +17526,22 @@ with valid PTR etc. records. </p>
%PARAM smtp_tls_wrappermode no %PARAM smtp_tls_wrappermode no
<p> Request that the Postfix SMTP client connects using the <p> Request that the Postfix SMTP client connects using the
SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. </p> SUBMISSIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command. </p>
<p> This mode requires "smtp_tls_security_level = encrypt" or <p> This mode requires "smtp_tls_security_level = encrypt" or
stronger. </p> stronger. </p>
<p> Example: deliver all remote mail via a provider's server <p> Example: deliver all remote mail via a provider's submissions
"mail.example.com". </p> service at "mail.example.com". </p>
<pre> <pre>
/etc/postfix/main.cf: /etc/postfix/main.cf:
# Client-side SMTPS requires "encrypt" or stronger. # Client-side SUBMISSIONS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes smtp_tls_wrappermode = yes
# The [] suppress MX lookups. # The [] suppress MX lookups.
relayhost = [mail.example.com]:465 relayhost = [mail.example.com]:submissions
</pre> </pre>
<p> More examples are in TLS_README, including examples for older <p> More examples are in TLS_README, including examples for older
@ -17591,7 +17611,7 @@ clients). </p>
This feature is available in Postfix 3.1 and later. This feature is available in Postfix 3.1 and later.
</p> </p>
%PARAM smtp_tls_dane_insecure_mx_policy see "postconf -d" output %PARAM smtp_tls_dane_insecure_mx_policy dane
<p> The TLS policy for MX hosts with "secure" TLSA records when the <p> The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX nexthop destination security level is <b>dane</b>, but the MX
@ -17615,10 +17635,9 @@ authentication succeeds, it will be logged only as "Trusted", not
"Verified", because the MX host name could have been forged. </dd> "Verified", because the MX host name could have been forged. </dd>
</dl> </dl>
<p> The default setting for Postfix &ge; 3.6 is "dane" with <p> The default setting is "dane" as of Postfix versions 3.6.17,
"smtp_tls_security_level = dane", otherwise "may". This behavior 3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. was mistakenly dependent on the smtp_tls_security_level setting.
With earlier Postfix versions the default setting was always "dane".
</p> </p>
<p> Though with "insecure" MX records an active attacker can <p> Though with "insecure" MX records an active attacker can
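Review bot: "With earlier versions the default was mistakenly dependent on the smtp_tls_security_level setting" overstates the affected range. The removed lines record that the level-dependent default was backported to 3.5.9, 3.4.19, 3.3.16 and 3.2.21 and that versions before those always used "dane", while the CHANGES entry for this fix dates the defect to Postfix 3.6. Pick one account of which releases were affected and state it as a range (either "Postfix 3.6 up to the versions above" or one that includes the backports), so a reader can tell whether their version needs an explicit setting.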
@ -18985,8 +19004,8 @@ process. </p>
<p> Specify zero or more service names separated by comma and/or <p> Specify zero or more service names separated by comma and/or
whitespace. Any name in the services(5) database may be specified, whitespace. Any name in the services(5) database may be specified,
though in practice only submission, submissions, and smtp make though in practice only submission or submissions (formerly called
sense. </p> smtp) make sense. </p>
<p> When SRV record lookup is enabled with use_srv_lookup, you can <p> When SRV record lookup is enabled with use_srv_lookup, you can
enclose a domain name in "[]" to force IP address lookup instead enclose a domain name in "[]" to force IP address lookup instead
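Review bot: the new text reads "only submission or submissions (formerly called smtp) make sense", which both mislabels the alias (submissions was formerly called smtps, not smtp) and drops "smtp" from the list that the old text had; suggest "only submission, submissions (formerly called smtps), or smtp make sense".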
@ -19193,6 +19212,47 @@ MinProtocol = TLSv1
</pre> </pre>
</blockquote> </blockquote>
<p> Example: Custom OpenSSL group settings. </p>
<pre>
main.cf:
tls_config_file = ${config_directory}/openssl.cnf
tls_config_name = postfix
</pre>
<pre>
openssl.cnf:
postfix = postfix_settings
</pre>
<pre>
[postfix_settings]
ssl_conf = postfix_ssl_settings
</pre>
<pre>
[postfix_ssl_settings]
system_default = baseline_postfix_settings
</pre>
<pre>
[baseline_postfix_settings]
# New OpenSSL 3.5 syntax, for older releases consider
# the Postfix default:
#
# Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
#
Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
</pre>
<p> Caution: It is typically best to just use the default group
settings, for which no $tls_config_file is required (you can set
"tls_config_file = none", to avoid unwanted leakage of system-wide
settings that strive to harden HTTPS against mostly browser-specific
security and privacy issues into Postfix use of opportunistic TLS,
where they're they can be counterproductive, leading to downgrades
to cleartext, rather than more "secure" TLS). </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6, <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p> 3.6.10, and 3.5.20. </p>
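Review bot: the caution paragraph has a doubled word, "where they're they can be counterproductive"; suggest "where they can be counterproductive". In the example itself, the openssl.cnf fragments are shown as four separate <pre> blocks but form one file, and the Groups line only takes effect through the chain tls_config_name = postfix, then "postfix = postfix_settings", then [postfix_settings] ssl_conf, then [postfix_ssl_settings] system_default, then [baseline_postfix_settings]; a sentence walking that chain, or a single <pre> for the whole file, would help readers who copy only the last block. It would also help to restate here that the Groups setting only applies once tls_eecdh_auto_curves and tls_ffdhe_auto_groups are both empty, as documented under those parameters.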
View File
@ -1670,3 +1670,5 @@ SIGKILL
URI URI
URIs URIs
bugfix bugfix
MLKEM
cleartext
View File
@ -164,3 +164,5 @@ proto proto socketmap_table
cleanup cleanup_message c smtp smtp c smtp smtp_connect c cleanup cleanup_message c smtp smtp c smtp smtp_connect c
Documentation edited for clarity Files pipe pipe c Documentation edited for clarity Files pipe pipe c
global mail_params h smtpd smtpd c global mail_params h smtpd smtpd c
global mail_params h proto postconf proto smtp smtp c
proto postconf proto proto TLS_README html
View File
@ -1660,7 +1660,7 @@ extern bool var_smtp_tls_force_tlsa;
/* SMTP only */ /* SMTP only */
#define VAR_SMTP_TLS_INSECURE_MX_POLICY "smtp_tls_dane_insecure_mx_policy" #define VAR_SMTP_TLS_INSECURE_MX_POLICY "smtp_tls_dane_insecure_mx_policy"
#define DEF_SMTP_TLS_INSECURE_MX_POLICY "${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}" #define DEF_SMTP_TLS_INSECURE_MX_POLICY "dane"
extern char *var_smtp_tls_insecure_mx_policy; extern char *var_smtp_tls_insecure_mx_policy;
/* /*
View File
@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20250207" #define MAIL_RELEASE_DATE "20250215"
#define MAIL_VERSION_NUMBER "3.10" #define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT #ifdef SNAPSHOT
View File
@ -594,10 +594,11 @@
/* Available in Postfix version 3.0 and later: /* Available in Postfix version 3.0 and later:
/* .IP "\fBsmtp_tls_wrappermode (no)\fR" /* .IP "\fBsmtp_tls_wrappermode (no)\fR"
/* Request that the Postfix SMTP client connects using the /* Request that the Postfix SMTP client connects using the
/* SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. /* SUBMISSIONS (formerly called SMTPS) protocol instead of using the
/* STARTTLS command.
/* .PP /* .PP
/* Available in Postfix version 3.1 and later: /* Available in Postfix version 3.1 and later:
/* .IP "\fBsmtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)\fR" /* .IP "\fBsmtp_tls_dane_insecure_mx_policy (dane)\fR"
/* The TLS policy for MX hosts with "secure" TLSA records when the /* The TLS policy for MX hosts with "secure" TLSA records when the
/* nexthop destination security level is \fBdane\fR, but the MX /* nexthop destination security level is \fBdane\fR, but the MX
/* record was found via an "insecure" MX lookup. /* record was found via an "insecure" MX lookup.
View File
@ -393,7 +393,6 @@ static int setup_auto_groups(SSL_CTX *ctx, const char *origin,
void tls_auto_groups(SSL_CTX *ctx, const char *eecdh, const char *ffdhe) void tls_auto_groups(SSL_CTX *ctx, const char *eecdh, const char *ffdhe)
{ {
#ifndef OPENSSL_NO_ECDH
char *def_eecdh = DEF_TLS_EECDH_AUTO; char *def_eecdh = DEF_TLS_EECDH_AUTO;
#if OPENSSL_VERSION_PREREQ(3, 0) #if OPENSSL_VERSION_PREREQ(3, 0)
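Review bot: dropping the #ifndef OPENSSL_NO_ECDH guard around the body of tls_auto_groups means the function now runs setup_auto_groups() and references DEF_TLS_EECDH_AUTO even in an OpenSSL build configured without ECDH; if that is intended, a short comment at the function head saying why the guard is no longer needed would explain this removal and the matching #endif removal in the hunk below.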
@ -407,6 +406,10 @@ void tls_auto_groups(SSL_CTX *ctx, const char *eecdh, const char *ffdhe)
#endif #endif
const char *origin; const char *origin;
/* Use OpenSSL defaults */
if (!*eecdh && !*ffdhe)
return;
/* /*
* Try the user-specified list first. If that fails (empty list or no * Try the user-specified list first. If that fails (empty list or no
* known group name), try again with the Postfix defaults. We assume that * known group name), try again with the Postfix defaults. We assume that
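Review bot: the new early return when both eecdh and ffdhe are empty is silent; the old documentation promised that inadvertently emptying both values would fall back to the compiled-in defaults, and that fallback no longer happens. A msg_info (or at least a verbose-level message) at this point saying that TLS group selection is being left to the OpenSSL configuration would make the new behaviour visible in the logs when both parameters are emptied by accident. The comment block that follows also still says "If that fails (empty list ...), try again with the Postfix defaults", which is no longer true for the both-empty case.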
@ -432,7 +435,6 @@ void tls_auto_groups(SSL_CTX *ctx, const char *eecdh, const char *ffdhe)
return; return;
} }
} }
#endif
} }
#ifdef TEST #ifdef TEST
View File
@ -674,8 +674,8 @@ void tls_param_init(void)
VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_ignored, 0, 0, VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_ignored, 0, 0,
VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0, VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 0, 0, VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 0, 0,
VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 1, 0, VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 0, 0,
VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0, VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 0, 0,
VAR_TLS_FFDHE_AUTO, DEF_TLS_FFDHE_AUTO, &var_tls_ffdhe_auto, 0, 0, VAR_TLS_FFDHE_AUTO, DEF_TLS_FFDHE_AUTO, &var_tls_ffdhe_auto, 0, 0,
VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0, VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0,
VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0, VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
@ -1084,8 +1084,17 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
break; break;
#endif #endif
} }
EVP_PKEY_free(dh_pkey);
} }
if (kex_name) {
TLScontext->kex_name = mystrdup(kex_name);
TLScontext->kex_curve = kex_curve;
}
/* Not a problem if NULL */
EVP_PKEY_free(dh_pkey);
/* Resumption makes no use of signature keys or digests */
if (TLScontext->session_reused)
return;
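Review bot: EVP_PKEY_free(dh_pkey) is moved out of the block that obtains dh_pkey, so it now runs on every path; that is only safe if dh_pkey is initialised to NULL before the block this hunk starts in, which the "Not a problem if NULL" comment assumes but the hunk does not show. The early return on session_reused is the fix for the wrong server-signature and server-digest names on resumed sessions, and it leaves those fields unset for such sessions; worth confirming that the logging and Received: header code tolerates NULL there rather than printing a placeholder.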
/* /*
* On the client end, the certificate may be present, but not used, so we * On the client end, the certificate may be present, but not used, so we
@ -1111,12 +1120,19 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
* the more familiar name. For "RSA" keys report "RSA-PSS", which * the more familiar name. For "RSA" keys report "RSA-PSS", which
* must be used with TLS 1.3. * must be used with TLS 1.3.
*/ */
if ((nid = EVP_PKEY_type(EVP_PKEY_id(local_pkey))) != NID_undef) { if ((nid = EVP_PKEY_id(local_pkey)) != NID_undef) {
switch (nid) { switch (nid) {
default: default:
locl_sig_name = OBJ_nid2sn(nid); if ((nid = EVP_PKEY_type(nid)) != NID_undef)
locl_sig_name = OBJ_nid2sn(nid);
break; break;
#if defined(EVP_PKEY_KEYMGMT)
case EVP_PKEY_KEYMGMT:
locl_sig_name = EVP_PKEY_get0_type_name(local_pkey);
break;
#endif
case EVP_PKEY_RSA: case EVP_PKEY_RSA:
/* For RSA, TLS 1.3 mandates PSS signatures */ /* For RSA, TLS 1.3 mandates PSS signatures */
locl_sig_name = "RSA-PSS"; locl_sig_name = "RSA-PSS";
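Review bot: the new EVP_PKEY_KEYMGMT branch calls EVP_PKEY_get0_type_name(), which can return NULL for a provider-backed key with no registered name; that is tolerated because the later "if (locl_sig_name)" guard skips the mystrdup, but a one-line comment saying so would keep the next reader from adding a strdup here. The default branch also changes meaning: previously EVP_PKEY_type() ran before the switch, now it runs only in the default case, so the explicit cases (RSA shown here) now match on the raw EVP_PKEY_id() value rather than the base type; a comment stating that this is deliberate would help.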
@ -1138,6 +1154,13 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
*/ */
if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef) if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
locl_sig_dgst = OBJ_nid2sn(nid); locl_sig_dgst = OBJ_nid2sn(nid);
if (locl_sig_name) {
SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve;
if (locl_sig_dgst)
SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
}
} }
peer_cert = TLS_PEEK_PEER_CERT(ssl); peer_cert = TLS_PEEK_PEER_CERT(ssl);
if (peer_cert != 0) { if (peer_cert != 0) {
@ -1165,12 +1188,19 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
* the more familiar name. For "RSA" keys report "RSA-PSS", which * the more familiar name. For "RSA" keys report "RSA-PSS", which
* must be used with TLS 1.3. * must be used with TLS 1.3.
*/ */
if ((nid = EVP_PKEY_type(EVP_PKEY_id(peer_pkey))) != NID_undef) { if ((nid = EVP_PKEY_id(peer_pkey)) != NID_undef) {
switch (nid) { switch (nid) {
default: default:
peer_sig_name = OBJ_nid2sn(nid); if ((nid = EVP_PKEY_type(nid)) != NID_undef)
peer_sig_name = OBJ_nid2sn(nid);
break; break;
#if defined(EVP_PKEY_KEYMGMT)
case EVP_PKEY_KEYMGMT:
peer_sig_name = EVP_PKEY_get0_type_name(peer_pkey);
break;
#endif
case EVP_PKEY_RSA: case EVP_PKEY_RSA:
/* For RSA, TLS 1.3 mandates PSS signatures */ /* For RSA, TLS 1.3 mandates PSS signatures */
peer_sig_name = "RSA-PSS"; peer_sig_name = "RSA-PSS";
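Review bot: this switch is now a verbatim copy of the local-key switch in the earlier hunk (default path, EVP_PKEY_KEYMGMT branch, RSA-PSS special case); a small static helper, for example a hypothetical sig_name_for_pkey(pkey, &curve), would keep the two in step the next time an algorithm family is added. The same NULL-return note for EVP_PKEY_get0_type_name() applies here, covered by the "if (peer_sig_name)" guard below.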
@ -1193,25 +1223,14 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef) if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
peer_sig_dgst = OBJ_nid2sn(nid); peer_sig_dgst = OBJ_nid2sn(nid);
if (peer_sig_name) {
SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve;
if (peer_sig_dgst)
SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
}
} }
TLS_FREE_PEER_CERT(peer_cert); TLS_FREE_PEER_CERT(peer_cert);
if (kex_name) {
TLScontext->kex_name = mystrdup(kex_name);
TLScontext->kex_curve = kex_curve;
}
if (locl_sig_name) {
SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve;
if (locl_sig_dgst)
SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
}
if (peer_sig_name) {
SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve;
if (peer_sig_dgst)
SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
}
} }
/* tls_log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */ /* tls_log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */