mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 01:49:47 +00:00
Code Issues Releases Wiki Activity

postfix-3.10-20250215

Browse Source
This commit is contained in:
Wietse Z Venema 2025-02-15 00:00:00 -05:00 committed by Viktor Dukhovni
parent d2018d3930
commit a5f2cae618
20 changed files with 622 additions and 555 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
postfix/HISTORY
View File

@ -28941,4 +28941,45 @@ Apologies for any names omitted.
requests for 60s. Files: global/dict_pgsql.c, global/dict_mysql.c,
proto/pgsql_table, proto/mysql_table.
Postfix 3.10 code freeze.
20250210
Bugfix (defect introduced: Postfix 3.6): Reverted the default
smtp_tls_dane_insecure_mx_policy setting to "dane" as of Postfix
3.6.17, 3.7.13, 3.8.8, 3.9.2, and 3.10.0. By mistake the default
was dependent on the smtp_tls_security_level setting. Files:
global/mail_params.h, proto/postconf.proto, smtp/smtp.c.
20250210
Documentation: prefer 'submissions' over 'smtps'. Files:
proto/postconf.proto, proto/TLS_README.html.
20250212
Support for OpenSSL 3.5 post-quantum cryptography. To manage
algorithm selection, OpenSSL introduces new TLS group syntax
that Postfix will not attempt to imitate. Instead, Postfix
now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
parameter values to have an empty value. When both are set
empty, the algorithm selection can be managed through OpenSSL
configuration. Viktor Dukhovni. Files: tls/tls_dh.c,
tls/tls_misc.c.
Bugfix (defect introduced: Postfix 3.4, date 20181113): a
server with multiple TLS certificates could report for a
resumed TLS session, in logging and Received: message
headers, the wrong server-signature and server-digest names.
Viktor Dukhovni. File: tls/tls_misc.c.
20250213
Documentation: updated postconf(5) that the parameters
smtpd_tls_eecdh_grade, tls_eecdh_strong_curve,
tls_eecdh_ultra_curve, and tlsproxy_tls_eecdh_grade, are
not used since Postfix 3.6; updated the tls_eecdh_auto_curves
and tls_ffdhe_auto_groups description with post-quantum
configuration; added a post-quantum example to the
tls_config_file description. File: proto/postconf.proto.
The unused parameters will be deleted in Postfix 3.11.
Postfix 3.10 code freeze.

3
postfix/README_FILES/TLSRPT_README
View File

@ -235,7 +235,8 @@ Examples of smtp_tls_policy_maps plugins with MTA-STS support are:
* postfix-tlspol, supports domains with DANE (using Postfix built-in DANE),
and domains with MTA-STS.
* postfix-mta-sts-resolver, supports domains with MTA-STS.
* postfix-mta-sts-resolver, supports domains with MTA-STS as of release 1.5.0
(February 2025).
Both plugins can generate the additional name=value attributes that Postfix
needs for TLSRPT support (as of February 2025). This is enabled by setting a

99
postfix/README_FILES/TLS_README
View File

@ -374,12 +374,13 @@ This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE
It is strictly discouraged to use this mode from main.cf. If you want to
support this service, enable a special port in master.cf and specify "-
o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8)
command line option. Port 465 (smtps) was once chosen for this feature.
command line option. Port 465 (submissions, formerly called smtps) is the most
common example.
Example:
/etc/postfix/master.cf:
smtps inet n - n - - smtpd
submissions inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
CClliieenntt cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
@ -760,7 +761,7 @@ Topics covered in this section:
* Discovering servers that support TLS
* Server certificate verification depth
* Client-side cipher controls
* Client-side SMTPS support
* Client-side submissions (formerly called smtps) support
* Miscellaneous client controls
CCoonnffiigguurriinngg TTLLSS iinn tthhee SSMMTTPP//LLMMTTPP cclliieenntt
@ -1970,48 +1971,51 @@ Example:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3
CClliieenntt--ssiiddee SSMMTTPPSS ssuuppppoorrtt
CClliieenntt--ssiiddee ssuubbmmiissssiioonnss ((ffoorrmmeerrllyy ccaalllleedd ssmmttppss)) ssuuppppoorrtt
These sections show how to send mail to a server that does not support
STARTTLS, but that provides the SMTPS service on TCP port 465. Depending on the
Postfix version, some additional tooling may be required.
STARTTLS, but that provides the submissions (smtps) service on TCP port 465.
Depending on the Postfix version, some additional tooling may be required.
PPoossttffiixx >>== 33..00
The Postfix SMTP client has SMTPS support built-in as of version 3.0. Use one
of the following examples, to send all remote mail, or to send only some remote
mail, to an SMTPS server.
The Postfix SMTP client has submissions service support built-in as of version
3.0. Use one of the following examples, to send all remote mail, or to send
only some remote mail, to a submissions (smtps) server.
PPoossttffiixx >>== 33..00:: SSeennddiinngg aallll rreemmoottee mmaaiill ttoo aann SSMMTTPPSS sseerrvveerr
PPoossttffiixx >>== 33..00:: SSeennddiinngg aallll rreemmoottee mmaaiill ttoo aa ssuubbmmiissssiioonnss ((ffoorrmmeerrllyy ccaalllleedd
ssmmttppss)) sseerrvveerr
The first example will send all remote mail over SMTPS through a provider's
The first example will send all remote mail to through a provider's submissions
server called "mail.example.com":
/etc/postfix/main.cf:
# Client-side SMTPS requires "encrypt" or stronger.
# Client-side submissions requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465
relayhost = [mail.example.com]:submissions
Use "postfix reload" to make the change effective.
See SOHO_README for additional information about SASL authentication.
PPoossttffiixx >>== 33..00:: SSeennddiinngg oonnllyy mmaaiill ffoorr aa ssppeecciiffiicc ddeessttiinnaattiioonn vviiaa SSMMTTPPSS
PPoossttffiixx >>== 33..00:: SSeennddiinngg oonnllyy mmaaiill ffoorr aa ssppeecciiffiicc ddeessttiinnaattiioonn ttoo aa ssuubbmmiissssiioonnss
((ffoorrmmeerrllyy ccaalllleedd ssmmttppss)) sseerrvviiccee
The second example will send only mail for "example.com" via SMTPS. This time,
Postfix uses a transport map to deliver only mail for "example.com" via SMTPS:
The second example will send only mail for "example.com" using the submissions
(smtps) service. This time, Postfix uses a transport map to deliver only mail
for "example.com" using the submissions (smtps) service:
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
example.com relay-smtps:example.com:465
example.com relay-submissions:example.com:submissions
/etc/postfix/master.cf:
relay-smtps unix - - n - - smtp
# Client-side SMTPS requires "encrypt" or stronger.
relay-submissions unix - - n - - smtp
# Client-side submissions service requires "encrypt" or stronger.
-o smtp_tls_security_level=encrypt
-o smtp_tls_wrappermode=yes
@ -2022,62 +2026,7 @@ See SOHO_README for additional information about SASL authentication.
PPoossttffiixx << 33..00
Although older Postfix SMTP client versions do not support TLS wrapper mode, it
is relatively easy to forward a connection through the stunnel program if
Postfix needs to deliver mail to some legacy system that doesn't support
STARTTLS.
PPoossttffiixx << 33..00:: SSeennddiinngg aallll rreemmoottee mmaaiill ttoo aann SSMMTTPPSS sseerrvveerr
The first example uses SMTPS to send all remote mail to a provider's mail
server called "mail.example.com".
A minimal stunnel.conf file is sufficient to set up a tunnel from local port
11125 to the remote destination "mail.example.com" and port "smtps". Postfix
will later use this tunnel to connect to the remote server.
/path/to/stunnel.conf:
[smtp-tls-wrapper]
accept = 11125
client = yes
connect = mail.example.com:smtps
To test this tunnel, use:
$ telnet localhost 11125
This should produce the greeting from the remote SMTP server at
mail.example.com.
On the Postfix side, the relayhost feature sends all remote mail through the
local stunnel listener on port 11125:
/etc/postfix/main.cf:
relayhost = [127.0.0.1]:11125
Use "postfix reload" to make the change effective.
See SOHO_README for additional information about SASL authentication.
PPoossttffiixx << 33..00:: SSeennddiinngg oonnllyy mmaaiill ffoorr aa ssppeecciiffiicc ddeessttiinnaattiioonn vviiaa SSMMTTPPSS
The second example will use SMTPS to send only mail for "example.com" via
SMTPS. It uses the same stunnel configuration file as the first example, so it
won't be repeated here.
This time, the Postfix side uses a transport map to direct only mail for
"example.com" through the tunnel:
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
example.com relay:[127.0.0.1]:11125
Use "postmap hash:/etc/postfix/transport" and "postfix reload" to make the
change effective.
See SOHO_README for additional information about SASL authentication.
Please see TLS_LEGACY_README.
MMiisscceellllaanneeoouuss cclliieenntt ccoonnttrroollss

3
postfix/html/TLSRPT_README.html
View File

@ -345,7 +345,8 @@ postfix-tlspol</a>, supports domains with DANE (using Postfix
built-in DANE), and domains with MTA-STS. </p>
<li> <p> <a href="https://github.com/Snawoot/postfix-mta-sts-resolver">
postfix-mta-sts-resolver</a>, supports domains with MTA-STS. </p>
postfix-mta-sts-resolver</a>, supports domains with MTA-STS as of
release 1.5.0 (February 2025). </p>
</ul>

118
postfix/html/TLS_README.html
View File

@ -552,8 +552,8 @@ and OE (5.01 Mac on all ports). </p>
<p> It is strictly discouraged to use this mode from <a href="postconf.5.html">main.cf</a>. If
you want to support this service, enable a special port in <a href="master.5.html">master.cf</a>
and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" (note: no space around
the "=") as an <a href="smtpd.8.html">smtpd(8)</a> command line option. Port 465 (smtps) was
once chosen for this feature.
the "=") as an <a href="smtpd.8.html">smtpd(8)</a> command line option. Port 465 (submissions,
formerly called smtps) is the most common example.
</p>
<p> Example: </p>
@ -561,7 +561,7 @@ once chosen for this feature.
<blockquote>
<pre>
/etc/postfix/<a href="master.5.html">master.cf</a>:
smtps inet n - n - - smtpd
submissions inet n - n - - smtpd
-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes -o <a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a>=yes
</pre>
</blockquote>
@ -1065,7 +1065,7 @@ key configuration </a>
<li> <a href="#client_cipher">Client-side cipher controls </a>
<li> <a href="#client_smtps">Client-side SMTPS support </a>
<li> <a href="#client_smtps">Client-side submissions (formerly called smtps) support </a>
<li> <a href="#client_misc"> Miscellaneous client controls </a>
@ -2560,32 +2560,33 @@ the TLS protocols used with opportunistic TLS. </p>
</pre>
</blockquote>
<h3> <a name="client_smtps">Client-side SMTPS support </a> </h3>
<h3> <a name="client_smtps">Client-side submissions (formerly called smtps) support </a> </h3>
<p> These sections show how to send mail to a server that does not
support STARTTLS, but that provides the SMTPS service
support STARTTLS, but that provides the submissions (smtps) service
on TCP port 465. Depending on the Postfix version, some additional
tooling may be required. </p>
<h4> Postfix &ge; 3.0 </h4>
<p> The Postfix SMTP client has SMTPS support built-in as of version
<p> The Postfix SMTP client has submissions service support built-in
as of version
3.0. Use one of the following examples, to send all remote mail,
or to send only some remote mail, to an SMTPS server. </p>
or to send only some remote mail, to a submissions (smtps) server. </p>
<h5> Postfix &ge; 3.0: Sending all remote mail to an SMTPS server </h5>
<h5> Postfix &ge; 3.0: Sending all remote mail to a submissions (formerly called smtps) server </h5>
<p> The first example will send all remote mail over SMTPS through
a provider's server called "mail.example.com": </p>
<p> The first example will send all remote mail to through a
provider's submissions server called "mail.example.com": </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# Client-side SMTPS requires "encrypt" or stronger.
# Client-side submissions requires "encrypt" or stronger.
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes
# The [] suppress MX lookups.
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:465
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:submissions
</pre>
</blockquote>
@ -2595,11 +2596,12 @@ a provider's server called "mail.example.com": </p>
</p>
<h5> Postfix &ge; 3.0: Sending only mail for a specific destination
via SMTPS </h5>
to a submissions (formerly called smtps) service </h5>
<p> The second example will send only mail for "example.com" via
SMTPS. This time, Postfix uses a transport map to deliver only
mail for "example.com" via SMTPS: </p>
<p> The second example will send only mail for "example.com" using
the submissions (smtps) service.
This time, Postfix uses a transport map to deliver only
mail for "example.com" using the submissions (smtps) service: </p>
<blockquote>
<pre>
@ -2607,11 +2609,11 @@ mail for "example.com" via SMTPS: </p>
<a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport
/etc/postfix/transport:
example.com relay-smtps:example.com:465
example.com relay-submissions:example.com:submissions
/etc/postfix/<a href="master.5.html">master.cf</a>:
relay-smtps unix - - n - - smtp
# Client-side SMTPS requires "encrypt" or stronger.
relay-submissions unix - - n - - smtp
# Client-side submissions service requires "encrypt" or stronger.
-o <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>=encrypt
-o <a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a>=yes
</pre>
@ -2625,81 +2627,7 @@ authentication. </p>
<h4> Postfix &lt; 3.0 </h4>
<p> Although older Postfix SMTP client versions do not support TLS
wrapper mode, it is relatively easy to forward a connection through
the stunnel program if Postfix needs to deliver mail to some legacy
system that doesn't support STARTTLS. </p>
<h5> Postfix &lt; 3.0: Sending all remote mail to an SMTPS server </h5>
<p> The first example uses SMTPS to send all remote mail to a
provider's mail server called "mail.example.com". </p>
<p> A minimal stunnel.conf file is sufficient to set up a tunnel
from local port 11125 to the remote destination "mail.example.com"
and port "smtps". Postfix will later use this tunnel to connect to
the remote server. </p>
<blockquote>
<pre>
/path/to/stunnel.conf:
[smtp-tls-wrapper]
accept = 11125
client = yes
connect = mail.example.com:smtps
</pre>
</blockquote>
<p> To test this tunnel, use: </p>
<blockquote>
<pre>
$ telnet localhost 11125
</pre>
</blockquote>
<p> This should produce the greeting from the remote SMTP server
at mail.example.com. </p>
<p> On the Postfix side, the <a href="postconf.5.html#relayhost">relayhost</a> feature sends all remote
mail through the local stunnel listener on port 11125: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relayhost">relayhost</a> = [127.0.0.1]:11125
</pre>
</blockquote>
<p> Use "postfix reload" to make the change effective. </p>
<p> See <a href="SOHO_README.html">SOHO_README</a> for additional information about SASL
authentication. </p>
<h4> Postfix &lt; 3.0: Sending only mail for a specific destination via SMTPS </h4>
<p> The second example will use SMTPS to send only mail for
"example.com" via SMTPS. It uses the same stunnel configuration
file as the first example, so it won't be repeated here. </p>
<p> This time, the Postfix side uses a transport map to direct only
mail for "example.com" through the tunnel: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport
/etc/postfix/transport:
example.com relay:[127.0.0.1]:11125
</pre>
</blockquote>
<p> Use "postmap <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport" and "postfix reload"
to make the change effective. </p>
<p> See <a href="SOHO_README.html">SOHO_README</a> for additional information about SASL authentication.
</p>
<p> Please see <a href="TLS_LEGACY_README.html">TLS_LEGACY_README</a>. </p>
<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>

161
postfix/html/lmtp.8.html
View File

@ -691,19 +691,20 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
Request that the Postfix SMTP client connects using the SUBMIS-
SIONS/SMTPS protocol instead of using the STARTTLS command.
SIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command.
Available in Postfix version 3.1 and later:
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b>
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX record
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
The prioritized list of elliptic curves, that should be enabled
The prioritized list of elliptic curves, that should be enabled
in the Postfix SMTP client and server.
Available in Postfix version 3.4 and later:
@ -712,23 +713,23 @@ SMTP(8) SMTP(8)
Try to make multiple deliveries per TLS-encrypted connection.
<b><a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> (empty)</b>
List of one or more PEM files, each holding one or more private
List of one or more PEM files, each holding one or more private
keys directly followed by a corresponding certificate chain.
<b><a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> (empty)</b>
Optional name to send to the remote SMTP server in the TLS
Optional name to send to the remote SMTP server in the TLS
Server Name Indication (SNI) extension.
Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
<b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
A workaround for implementations that hang Postfix while shut-
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
Available in Postfix version 3.8 and later:
<b><a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> (see 'postconf -d' output)</b>
The prioritized list of finite-field Diffie-Hellman ephemeral
The prioritized list of finite-field Diffie-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client
and server.
@ -738,13 +739,13 @@ SMTP(8) SMTP(8)
Optional configuration file with baseline OpenSSL settings.
<b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
The application name passed by Postfix to OpenSSL library ini-
The application name passed by Postfix to OpenSSL library ini-
tialization functions.
Available in Postfix version 3.9 and later:
<b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> (no)</b>
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate.
Available in Postfix version 3.10 and later:
@ -758,7 +759,7 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
Do not report the TLSRPT status for TLS protocol handshakes that
reuse a previously-negotiated TLS session (there is no new
reuse a previously-negotiated TLS session (there is no new
information to report).
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
@ -766,40 +767,40 @@ SMTP(8) SMTP(8)
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP server announces
Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers use TLS
Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list.
<b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The Postfix SMTP client time limit for completing a TCP connec-
The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -811,19 +812,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the MAIL FROM
The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the SMTP RCPT TO
The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The Postfix SMTP client time limit for sending the SMTP DATA
The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The Postfix SMTP client time limit for sending the SMTP message
The Postfix SMTP client time limit for sending the SMTP message
content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -837,13 +838,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -853,17 +854,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the specified
Permanently enable SMTP connection caching for the specified
destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a destination
Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -877,23 +878,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or receive opera-
Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
(no limit).
Available in Postfix version 3.4 and later:
@ -904,13 +905,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.7 and later:
<b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a com-
bined time limit for sending a complete SMTP request and for
Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a com-
bined time limit for sending a complete SMTP request and for
receiving a complete SMTP response.
<b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
The minimum plaintext data transfer rate in bytes/second for
The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
@ -918,54 +919,54 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
Enable preliminary SMTPUTF8 support for the protocols described
in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci-
Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
Enable 'transitional' compatibility between IDNA2003 and
IDNA2008, when converting UTF-8 domain names to/from the ASCII
Enable 'transitional' compatibility between IDNA2003 and
IDNA2008, when converting UTF-8 domain names to/from the ASCII
form that is used for DNS lookups.
<b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a nexthop destina-
tion, remote client or server name or network address matches a
The increment in verbose logging level when a nexthop destina-
tion, remote client or server name or network address matches a
pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the
verbose logging level to increase by the amount specified in
Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the
verbose logging level to increase by the amount specified in
$<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about mail delivery
The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
What categories of Postfix-generated mail are subject to
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
What categories of Postfix-generated mail are subject to
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@ -973,46 +974,46 @@ SMTP(8) SMTP(8)
<b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail when it
Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
The maximal number of digits after the decimal point when log-
ging delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
The local network interface addresses that this mail system
The local network interface addresses that this mail system
receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
The Internet protocols Postfix will attempt to use when making
The Internet protocols Postfix will attempt to use when making
or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an
The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -1026,21 +1027,21 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The remote network interface addresses that this mail system
receives mail on by way of a proxy or network address transla-
The remote network interface addresses that this mail system
receives mail on by way of a proxy or network address transla-
tion unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4
client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -1060,7 +1061,7 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
A prefix that is prepended to the process name in syslog
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available with Postfix 2.2 and earlier:
@ -1072,14 +1073,14 @@ SMTP(8) SMTP(8)
Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a
Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a
non-permanent error.
Available with Postfix 3.0 and later:
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
In the context of email address verification, the SMTP protocol
In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable.
Available with Postfix 3.1 and later:
@ -1101,7 +1102,7 @@ SMTP(8) SMTP(8)
Available in Postfix 3.7 and later:
<b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
Defer delivery when the Postfix SMTP client cannot apply the
Defer delivery when the Postfix SMTP client cannot apply the
<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
<b><a name="see_also">SEE ALSO</a></b>

120
postfix/html/postconf.5.html
View File

@ -11010,11 +11010,11 @@ use the same program name. </p>
<p> Example <a href="master.5.html">master.cf</a> entries: </p>
<pre>
# Distinguish inbound MTA logging from submission and smtps logging.
# Distinguish inbound MTA logging from submission and submissions logging.
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a>
smtps inet n - n - - smtpd
submissions inet n - n - - smtpd
-o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a>
</pre>
@ -13274,7 +13274,7 @@ TLS connection reuse</a>" for background details. </p>
</DD>
<DT><b><a name="smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a>
(default: see "postconf -d" output)</b></DT><DD>
(default: dane)</b></DT><DD>
<p> The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX
@ -13298,10 +13298,9 @@ authentication succeeds, it will be logged only as "Trusted", not
"Verified", because the MX host name could have been forged. </dd>
</dl>
<p> The default setting for Postfix &ge; 3.6 is "dane" with
"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = dane", otherwise "may". This behavior
was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.
With earlier Postfix versions the default setting was always "dane".
<p> The default setting is "dane" as of Postfix versions 3.6.17,
3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
was mistakenly dependent on the <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> setting.
</p>
<p> Though with "insecure" MX records an active attacker can
@ -14823,21 +14822,22 @@ example.com verify match=hostname:nexthop
(default: no)</b></DT><DD>
<p> Request that the Postfix SMTP client connects using the
SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. </p>
SUBMISSIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command. </p>
<p> This mode requires "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt" or
stronger. </p>
<p> Example: deliver all remote mail via a provider's server
"mail.example.com". </p>
<p> Example: deliver all remote mail via a provider's submissions
service at "mail.example.com". </p>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# Client-side SMTPS requires "encrypt" or stronger.
# Client-side SUBMISSIONS requires "encrypt" or stronger.
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes
# The [] suppress MX lookups.
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:465
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:submissions
</pre>
<p> More examples are in <a href="TLS_README.html">TLS_README</a>, including examples for older
@ -17925,7 +17925,8 @@ envelope sender
<blockquote> <p> Note: to enforce that the From: header address
matches the envelope sender (MAIL FROM) address, use an external
filter such as a Milter, for the submission, submissions, or smtps
filter such as a Milter, for the submission or submissions (formerly
called smtps )
services. For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>. </p>
</blockquote>
@ -18033,8 +18034,8 @@ that they do not explicitly own.
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example:
<a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
for the submission or submissions (formerly called smtps) services.
For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
<br>
This feature is available in Postfix version 2.1 and later. </dd>
@ -18054,8 +18055,8 @@ unlisted MAIL FROM address.
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example:
<a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
for the submission or submissions (formerly called smtps) services.
For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
<br>
This feature is available in Postfix version 2.11 and later.</dd>
@ -18100,8 +18101,8 @@ using any MAIL FROM address that is listed in $<a href="postconf.5.html#smtpd_se
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example:
<a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
for the submission or submissions (formerly called smtps) services.
For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
<br>
This feature is available in Postfix version 2.1 and later.</dd>
@ -18872,6 +18873,8 @@ this parameter is always ignored, and Postfix behaves as though the
<b>auto</b> value (described below) was chosen.
</p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> The available choices are: </p>
<dl>
@ -19526,8 +19529,8 @@ instead of using the STARTTLS command. </p>
<p> If you want to support this service, enable a special port in
<a href="master.5.html">master.cf</a>, and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" on the SMTP
server's command line. Port 465 (submissions/smtps) is reserved for
this purpose. </p>
server's command line. Port 465 (submissions, formerly called smtps)
is reserved for this purpose. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
@ -20083,6 +20086,47 @@ MinProtocol = TLSv1
</pre>
</blockquote>
<p> Example: Custom OpenSSL group settings. </p>
<pre>
<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#tls_config_file">tls_config_file</a> = ${<a href="postconf.5.html#config_directory">config_directory</a>}/openssl.cnf
<a href="postconf.5.html#tls_config_name">tls_config_name</a> = postfix
</pre>
<pre>
openssl.cnf:
postfix = postfix_settings
</pre>
<pre>
[postfix_settings]
ssl_conf = postfix_ssl_settings
</pre>
<pre>
[postfix_ssl_settings]
system_default = baseline_postfix_settings
</pre>
<pre>
[baseline_postfix_settings]
# New OpenSSL 3.5 syntax, for older releases consider
# the Postfix default:
#
# Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
#
Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
</pre>
<p> Caution: It is typically best to just use the default group
settings, for which no $<a href="postconf.5.html#tls_config_file">tls_config_file</a> is required (you can set
"<a href="postconf.5.html#tls_config_file">tls_config_file</a> = none", to avoid unwanted leakage of system-wide
settings that strive to harden HTTPS against mostly browser-specific
security and privacy issues into Postfix use of opportunistic TLS,
where they're they can be counterproductive, leading to downgrades
to cleartext, rather than more "secure" TLS). </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
@ -20274,8 +20318,7 @@ be using 0.9.6! </dd>
(default: see "postconf -d" output)</b></DT><DD>
<p> The prioritized list of elliptic curves, that should be enabled in the
Postfix SMTP client and server. These are used by the Postfix SMTP server when
"<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = auto". The selected curves should be implemented
Postfix SMTP client and server. The selected curves should be implemented
by OpenSSL and be standardized for use in the TLS "supported groups" extension
(<a href="https://tools.ietf.org/html/rfc8422">RFC8422</a>, <a href="https://tools.ietf.org/html/rfc8446">RFC8446</a> and <a href="https://tools.ietf.org/html/rfc8447">RFC8447</a>). Be sure to include at least "x25519" and
"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256"). The default
@ -20300,6 +20343,14 @@ customizing the list of FFDHE groups enabled with TLS 1.3. That setting
is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.
</p>
<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both <a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> and if available <a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a>
to the empty value, to enable algorithm selection through OpenSSL
configuration. See <a href="postconf.5.html#tls_config_file">tls_config_file</a> for a configuration example.
</p>
<p> This feature is available in Postfix 3.2 and later, when it is
compiled and linked with OpenSSL 1.0.2 or later on platforms where
EC algorithms have not been disabled by the vendor. </p>
@ -20323,6 +20374,8 @@ must support this curve for EECDH key exchange to take place. It
is unwise to choose only "bleeding-edge" curves supported by only a
small subset of clients. </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> The default "strong" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to SECRET. </p>
@ -20367,6 +20420,8 @@ client implementations must support this curve for EECDH key exchange
to take place. It is unwise to choose only "bleeding-edge" curves
supported by only a small subset of clients. </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> This default "ultra" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to TOP SECRET. </p>
@ -20443,10 +20498,15 @@ on whether any of the "kDHE" ciphers are included in the cipherlist.
</p>
<p> Conversely, setting "<a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a>" empty disables TLS 1.3
EC key agreement in OpenSSL 3.0 and later. Note that at least one of
"<a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a>" and "<a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a>" must be non-empty,
this is required by OpenSSL 3.0. If both are inadvertently set empty,
Postfix will fall back to the compiled-in defaults. </p>
EC key agreement in OpenSSL 3.0 and later. If both are set empty,
Postfix will fall back to OpenSSL preferences as described next. </p>
<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both <a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> and <a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> to the empty
value, to enable algorithm selection through OpenSSL configuration.
See <a href="postconf.5.html#tls_config_file">tls_config_file</a> for a configuration example. </p>
<p> All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
@ -21401,7 +21461,7 @@ the "<a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details. </p>
<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
@ -22352,8 +22412,8 @@ process. </p>
<p> Specify zero or more service names separated by comma and/or
whitespace. Any name in the services(5) database may be specified,
though in practice only submission, submissions, and smtp make
sense. </p>
though in practice only submission or submissions (formerly called
smtp) make sense. </p>
<p> When SRV record lookup is enabled with <a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a>, you can
enclose a domain name in "[]" to force IP address lookup instead

161
postfix/html/smtp.8.html
View File

@ -691,19 +691,20 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
Request that the Postfix SMTP client connects using the SUBMIS-
SIONS/SMTPS protocol instead of using the STARTTLS command.
SIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command.
Available in Postfix version 3.1 and later:
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b>
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX record
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
The prioritized list of elliptic curves, that should be enabled
The prioritized list of elliptic curves, that should be enabled
in the Postfix SMTP client and server.
Available in Postfix version 3.4 and later:
@ -712,23 +713,23 @@ SMTP(8) SMTP(8)
Try to make multiple deliveries per TLS-encrypted connection.
<b><a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> (empty)</b>
List of one or more PEM files, each holding one or more private
List of one or more PEM files, each holding one or more private
keys directly followed by a corresponding certificate chain.
<b><a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> (empty)</b>
Optional name to send to the remote SMTP server in the TLS
Optional name to send to the remote SMTP server in the TLS
Server Name Indication (SNI) extension.
Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
<b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
A workaround for implementations that hang Postfix while shut-
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
Available in Postfix version 3.8 and later:
<b><a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> (see 'postconf -d' output)</b>
The prioritized list of finite-field Diffie-Hellman ephemeral
The prioritized list of finite-field Diffie-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client
and server.
@ -738,13 +739,13 @@ SMTP(8) SMTP(8)
Optional configuration file with baseline OpenSSL settings.
<b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
The application name passed by Postfix to OpenSSL library ini-
The application name passed by Postfix to OpenSSL library ini-
tialization functions.
Available in Postfix version 3.9 and later:
<b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> (no)</b>
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate.
Available in Postfix version 3.10 and later:
@ -758,7 +759,7 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
Do not report the TLSRPT status for TLS protocol handshakes that
reuse a previously-negotiated TLS session (there is no new
reuse a previously-negotiated TLS session (there is no new
information to report).
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
@ -766,40 +767,40 @@ SMTP(8) SMTP(8)
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP server announces
Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers use TLS
Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list.
<b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The Postfix SMTP client time limit for completing a TCP connec-
The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -811,19 +812,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the MAIL FROM
The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the SMTP RCPT TO
The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The Postfix SMTP client time limit for sending the SMTP DATA
The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The Postfix SMTP client time limit for sending the SMTP message
The Postfix SMTP client time limit for sending the SMTP message
content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -837,13 +838,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -853,17 +854,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the specified
Permanently enable SMTP connection caching for the specified
destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a destination
Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -877,23 +878,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or receive opera-
Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
(no limit).
Available in Postfix version 3.4 and later:
@ -904,13 +905,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.7 and later:
<b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a com-
bined time limit for sending a complete SMTP request and for
Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a com-
bined time limit for sending a complete SMTP request and for
receiving a complete SMTP response.
<b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
The minimum plaintext data transfer rate in bytes/second for
The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
@ -918,54 +919,54 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
Enable preliminary SMTPUTF8 support for the protocols described
in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci-
Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
Enable 'transitional' compatibility between IDNA2003 and
IDNA2008, when converting UTF-8 domain names to/from the ASCII
Enable 'transitional' compatibility between IDNA2003 and
IDNA2008, when converting UTF-8 domain names to/from the ASCII
form that is used for DNS lookups.
<b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a nexthop destina-
tion, remote client or server name or network address matches a
The increment in verbose logging level when a nexthop destina-
tion, remote client or server name or network address matches a
pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the
verbose logging level to increase by the amount specified in
Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the
verbose logging level to increase by the amount specified in
$<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about mail delivery
The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
What categories of Postfix-generated mail are subject to
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
What categories of Postfix-generated mail are subject to
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@ -973,46 +974,46 @@ SMTP(8) SMTP(8)
<b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail when it
Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
The maximal number of digits after the decimal point when log-
ging delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
The local network interface addresses that this mail system
The local network interface addresses that this mail system
receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
The Internet protocols Postfix will attempt to use when making
The Internet protocols Postfix will attempt to use when making
or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an
The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -1026,21 +1027,21 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The remote network interface addresses that this mail system
receives mail on by way of a proxy or network address transla-
The remote network interface addresses that this mail system
receives mail on by way of a proxy or network address transla-
tion unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4
client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -1060,7 +1061,7 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
A prefix that is prepended to the process name in syslog
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available with Postfix 2.2 and earlier:
@ -1072,14 +1073,14 @@ SMTP(8) SMTP(8)
Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a
Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a
non-permanent error.
Available with Postfix 3.0 and later:
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
In the context of email address verification, the SMTP protocol
In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable.
Available with Postfix 3.1 and later:
@ -1101,7 +1102,7 @@ SMTP(8) SMTP(8)
Available in Postfix 3.7 and later:
<b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
Defer delivery when the Postfix SMTP client cannot apply the
Defer delivery when the Postfix SMTP client cannot apply the
<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
<b><a name="see_also">SEE ALSO</a></b>

129
postfix/man/man5/postconf.5
View File

@ -6872,11 +6872,11 @@ Example master.cf entries:
.PP
.nf
.na
# Distinguish inbound MTA logging from submission and smtps logging.
# Distinguish inbound MTA logging from submission and submissions logging.
smtp inet n \- n \- \- smtpd
submission inet n \- n \- \- smtpd
\-o syslog_name=postfix/$service_name
smtps inet n \- n \- \- smtpd
submissions inet n \- n \- \- smtpd
\-o syslog_name=postfix/$service_name
.fi
.ad
@ -8477,7 +8477,7 @@ See "Client\-side
TLS connection reuse" for background details.
.PP
This feature is available in Postfix 3.4 and later.
.SH smtp_tls_dane_insecure_mx_policy (default: see "postconf \-d" output)
.SH smtp_tls_dane_insecure_mx_policy (default: dane)
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is \fBdane\fR, but the MX
record was found via an "insecure" MX lookup. The choices are:
@ -8498,10 +8498,9 @@ authentication succeeds, it will be logged only as "Trusted", not
"Verified", because the MX host name could have been forged.
.br
.br
The default setting for Postfix >= 3.6 is "dane" with
"smtp_tls_security_level = dane", otherwise "may". This behavior
was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.
With earlier Postfix versions the default setting was always "dane".
The default setting is "dane" as of Postfix versions 3.6.17,
3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
was mistakenly dependent on the smtp_tls_security_level setting.
.PP
Though with "insecure" MX records an active attacker can
compromise SMTP transport security by returning forged MX records,
@ -9883,22 +9882,23 @@ example.com verify match=hostname:nexthop
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_wrappermode (default: no)
Request that the Postfix SMTP client connects using the
SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.
SUBMISSIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command.
.PP
This mode requires "smtp_tls_security_level = encrypt" or
stronger.
.PP
Example: deliver all remote mail via a provider's server
"mail.example.com".
Example: deliver all remote mail via a provider's submissions
service at "mail.example.com".
.PP
.nf
.na
/etc/postfix/main.cf:
# Client\-side SMTPS requires "encrypt" or stronger.
# Client\-side SUBMISSIONS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465
relayhost = [mail.example.com]:submissions
.fi
.ad
.PP
@ -12171,7 +12171,8 @@ envelope sender
.in +4
Note: to enforce that the From: header address
matches the envelope sender (MAIL FROM) address, use an external
filter such as a Milter, for the submission, submissions, or smtps
filter such as a Milter, for the submission or submissions (formerly
called smtps )
services. For example: https://github.com/magcks/milterfrom.
.in -4
.PP
@ -12248,8 +12249,8 @@ that they do not explicitly own.
.br
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example:
https://github.com/magcks/milterfrom.
for the submission or submissions (formerly called smtps) services.
For example: https://github.com/magcks/milterfrom.
.br
This feature is available in Postfix version 2.1 and later.
.br
@ -12268,8 +12269,8 @@ unlisted MAIL FROM address.
.br
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example:
https://github.com/magcks/milterfrom.
for the submission or submissions (formerly called smtps) services.
For example: https://github.com/magcks/milterfrom.
.br
This feature is available in Postfix version 2.11 and later.
.br
@ -12314,8 +12315,8 @@ using any MAIL FROM address that is listed in $smtpd_sender_login_maps.
.br
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example:
https://github.com/magcks/milterfrom.
for the submission or submissions (formerly called smtps) services.
For example: https://github.com/magcks/milterfrom.
.br
This feature is available in Postfix version 2.1 and later.
.br
@ -12973,6 +12974,8 @@ Diffie\-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of
this parameter is always ignored, and Postfix behaves as though the
\fBauto\fR value (described below) was chosen.
.PP
This feature is not used as of Postfix 3.6. Do not specify.
.PP
The available choices are:
.IP "\fBauto\fR"
Use the most preferred curve that is
@ -13566,8 +13569,8 @@ instead of using the STARTTLS command.
.PP
If you want to support this service, enable a special port in
master.cf, and specify "\-o smtpd_tls_wrappermode=yes" on the SMTP
server's command line. Port 465 (submissions/smtps) is reserved for
this purpose.
server's command line. Port 465 (submissions, formerly called smtps)
is reserved for this purpose.
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_upstream_proxy_protocol (default: empty)
@ -13942,6 +13945,57 @@ MinProtocol = TLSv1
.ad
.in -4
.PP
Example: Custom OpenSSL group settings.
.PP
.nf
.na
main.cf:
tls_config_file = ${config_directory}/openssl.cnf
tls_config_name = postfix
.fi
.ad
.PP
.nf
.na
openssl.cnf:
postfix = postfix_settings
.fi
.ad
.PP
.nf
.na
[postfix_settings]
ssl_conf = postfix_ssl_settings
.fi
.ad
.PP
.nf
.na
[postfix_ssl_settings]
system_default = baseline_postfix_settings
.fi
.ad
.PP
.nf
.na
[baseline_postfix_settings]
# New OpenSSL 3.5 syntax, for older releases consider
# the Postfix default:
#
# Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
#
Groups = *X25519MLKEM768 / *X25519:X448 / P\-256:P\-384
.fi
.ad
.PP
Caution: It is typically best to just use the default group
settings, for which no $tls_config_file is required (you can set
"tls_config_file = none", to avoid unwanted leakage of system\-wide
settings that strive to harden HTTPS against mostly browser\-specific
security and privacy issues into Postfix use of opportunistic TLS,
where they're they can be counterproductive, leading to downgrades
to cleartext, rather than more "secure" TLS).
.PP
This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20.
.SH tls_config_name (default: empty)
@ -14102,8 +14156,7 @@ Postfix >= 3.4. See \fBSSL_CTX_set_options\fR(3).
This feature is available in Postfix 2.8 and later.
.SH tls_eecdh_auto_curves (default: see "postconf \-d" output)
The prioritized list of elliptic curves, that should be enabled in the
Postfix SMTP client and server. These are used by the Postfix SMTP server when
"smtpd_tls_eecdh_grade = auto". The selected curves should be implemented
Postfix SMTP client and server. The selected curves should be implemented
by OpenSSL and be standardized for use in the TLS "supported groups" extension
(RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and
"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P\-256"). The default
@ -14127,6 +14180,13 @@ See also the "tls_ffdhe_auto_groups" parameter, which supports
customizing the list of FFDHE groups enabled with TLS 1.3. That setting
is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.
.PP
Post\-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups
to the empty value, to enable algorithm selection through OpenSSL
configuration. See tls_config_file for a configuration example.
.PP
This feature is available in Postfix 3.2 and later, when it is
compiled and linked with OpenSSL 1.0.2 or later on platforms where
EC algorithms have not been disabled by the vendor.
@ -14144,6 +14204,8 @@ must support this curve for EECDH key exchange to take place. It
is unwise to choose only "bleeding\-edge" curves supported by only a
small subset of clients.
.PP
This feature is not used as of Postfix 3.6. Do not specify.
.PP
The default "strong" curve is rated in NSA Suite
B for information classified up to SECRET.
.PP
@ -14179,6 +14241,8 @@ client implementations must support this curve for EECDH key exchange
to take place. It is unwise to choose only "bleeding\-edge" curves
supported by only a small subset of clients.
.PP
This feature is not used as of Postfix 3.6. Do not specify.
.PP
This default "ultra" curve is rated in NSA Suite
B for information classified up to TOP SECRET.
.PP
@ -14233,10 +14297,15 @@ Whether FFDHE key agreement is enabled in TLS 1.2 and earlier depends
on whether any of the "kDHE" ciphers are included in the cipherlist.
.PP
Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3
EC key agreement in OpenSSL 3.0 and later. Note that at least one of
"tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" must be non\-empty,
this is required by OpenSSL 3.0. If both are inadvertently set empty,
Postfix will fall back to the compiled\-in defaults.
EC key agreement in OpenSSL 3.0 and later. If both are set empty,
Postfix will fall back to OpenSSL preferences as described next.
.PP
Post\-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty
value, to enable algorithm selection through OpenSSL configuration.
See tls_config_file for a configuration example.
.PP
All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
@ -14874,7 +14943,7 @@ The Postfix \fBtlsproxy\fR(8) server security grade for ephemeral
elliptic\-curve Diffie\-Hellman (EECDH) key exchange. See
smtpd_tls_eecdh_grade for further details.
.PP
This feature is deprecated as of Postfix 3.9. Do not specify.
This feature is not used as of Postfix 3.6. Do not specify.
.PP
This feature is available in Postfix 2.8 and later.
.SH tlsproxy_tls_enable_rpk (default: $smtpd_tls_enable_rpk)
@ -15428,8 +15497,8 @@ process.
.PP
Specify zero or more service names separated by comma and/or
whitespace. Any name in the \fBservices\fR(5) database may be specified,
though in practice only submission, submissions, and smtp make
sense.
though in practice only submission or submissions (formerly called
smtp) make sense.
.PP
When SRV record lookup is enabled with use_srv_lookup, you can
enclose a domain name in "[]" to force IP address lookup instead

5
postfix/man/man8/smtp.8
View File

@ -628,10 +628,11 @@ The name of the \fBtlsmgr\fR(8) service entry in master.cf.
Available in Postfix version 3.0 and later:
.IP "\fBsmtp_tls_wrappermode (no)\fR"
Request that the Postfix SMTP client connects using the
SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.
SUBMISSIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command.
.PP
Available in Postfix version 3.1 and later:
.IP "\fBsmtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)\fR"
.IP "\fBsmtp_tls_dane_insecure_mx_policy (dane)\fR"
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is \fBdane\fR, but the MX
record was found via an "insecure" MX lookup.

3
postfix/proto/TLSRPT_README.html
View File

@ -345,7 +345,8 @@ postfix-tlspol</a>, supports domains with DANE (using Postfix
built-in DANE), and domains with MTA-STS. </p>
<li> <p> <a href="https://github.com/Snawoot/postfix-mta-sts-resolver">
postfix-mta-sts-resolver</a>, supports domains with MTA-STS. </p>
postfix-mta-sts-resolver</a>, supports domains with MTA-STS as of
release 1.5.0 (February 2025). </p>
</ul>

118
postfix/proto/TLS_README.html
View File

@ -552,8 +552,8 @@ and OE (5.01 Mac on all ports). </p>
<p> It is strictly discouraged to use this mode from main.cf. If
you want to support this service, enable a special port in master.cf
and specify "-o smtpd_tls_wrappermode=yes" (note: no space around
the "=") as an smtpd(8) command line option. Port 465 (smtps) was
once chosen for this feature.
the "=") as an smtpd(8) command line option. Port 465 (submissions,
formerly called smtps) is the most common example.
</p>
<p> Example: </p>
@ -561,7 +561,7 @@ once chosen for this feature.
<blockquote>
<pre>
/etc/postfix/master.cf:
smtps inet n - n - - smtpd
submissions inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
</pre>
</blockquote>
@ -1065,7 +1065,7 @@ key configuration </a>
<li> <a href="#client_cipher">Client-side cipher controls </a>
<li> <a href="#client_smtps">Client-side SMTPS support </a>
<li> <a href="#client_smtps">Client-side submissions (formerly called smtps) support </a>
<li> <a href="#client_misc"> Miscellaneous client controls </a>
@ -2560,32 +2560,33 @@ the TLS protocols used with opportunistic TLS. </p>
</pre>
</blockquote>
<h3> <a name="client_smtps">Client-side SMTPS support </a> </h3>
<h3> <a name="client_smtps">Client-side submissions (formerly called smtps) support </a> </h3>
<p> These sections show how to send mail to a server that does not
support STARTTLS, but that provides the SMTPS service
support STARTTLS, but that provides the submissions (smtps) service
on TCP port 465. Depending on the Postfix version, some additional
tooling may be required. </p>
<h4> Postfix &ge; 3.0 </h4>
<p> The Postfix SMTP client has SMTPS support built-in as of version
<p> The Postfix SMTP client has submissions service support built-in
as of version
3.0. Use one of the following examples, to send all remote mail,
or to send only some remote mail, to an SMTPS server. </p>
or to send only some remote mail, to a submissions (smtps) server. </p>
<h5> Postfix &ge; 3.0: Sending all remote mail to an SMTPS server </h5>
<h5> Postfix &ge; 3.0: Sending all remote mail to a submissions (formerly called smtps) server </h5>
<p> The first example will send all remote mail over SMTPS through
a provider's server called "mail.example.com": </p>
<p> The first example will send all remote mail to through a
provider's submissions server called "mail.example.com": </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
# Client-side SMTPS requires "encrypt" or stronger.
# Client-side submissions requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465
relayhost = [mail.example.com]:submissions
</pre>
</blockquote>
@ -2595,11 +2596,12 @@ a provider's server called "mail.example.com": </p>
</p>
<h5> Postfix &ge; 3.0: Sending only mail for a specific destination
via SMTPS </h5>
to a submissions (formerly called smtps) service </h5>
<p> The second example will send only mail for "example.com" via
SMTPS. This time, Postfix uses a transport map to deliver only
mail for "example.com" via SMTPS: </p>
<p> The second example will send only mail for "example.com" using
the submissions (smtps) service.
This time, Postfix uses a transport map to deliver only
mail for "example.com" using the submissions (smtps) service: </p>
<blockquote>
<pre>
@ -2607,11 +2609,11 @@ mail for "example.com" via SMTPS: </p>
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
example.com relay-smtps:example.com:465
example.com relay-submissions:example.com:submissions
/etc/postfix/master.cf:
relay-smtps unix - - n - - smtp
# Client-side SMTPS requires "encrypt" or stronger.
relay-submissions unix - - n - - smtp
# Client-side submissions service requires "encrypt" or stronger.
-o smtp_tls_security_level=encrypt
-o smtp_tls_wrappermode=yes
</pre>
@ -2625,81 +2627,7 @@ authentication. </p>
<h4> Postfix &lt; 3.0 </h4>
<p> Although older Postfix SMTP client versions do not support TLS
wrapper mode, it is relatively easy to forward a connection through
the stunnel program if Postfix needs to deliver mail to some legacy
system that doesn't support STARTTLS. </p>
<h5> Postfix &lt; 3.0: Sending all remote mail to an SMTPS server </h5>
<p> The first example uses SMTPS to send all remote mail to a
provider's mail server called "mail.example.com". </p>
<p> A minimal stunnel.conf file is sufficient to set up a tunnel
from local port 11125 to the remote destination "mail.example.com"
and port "smtps". Postfix will later use this tunnel to connect to
the remote server. </p>
<blockquote>
<pre>
/path/to/stunnel.conf:
[smtp-tls-wrapper]
accept = 11125
client = yes
connect = mail.example.com:smtps
</pre>
</blockquote>
<p> To test this tunnel, use: </p>
<blockquote>
<pre>
$ telnet localhost 11125
</pre>
</blockquote>
<p> This should produce the greeting from the remote SMTP server
at mail.example.com. </p>
<p> On the Postfix side, the relayhost feature sends all remote
mail through the local stunnel listener on port 11125: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
relayhost = [127.0.0.1]:11125
</pre>
</blockquote>
<p> Use "postfix reload" to make the change effective. </p>
<p> See SOHO_README for additional information about SASL
authentication. </p>
<h4> Postfix &lt; 3.0: Sending only mail for a specific destination via SMTPS </h4>
<p> The second example will use SMTPS to send only mail for
"example.com" via SMTPS. It uses the same stunnel configuration
file as the first example, so it won't be repeated here. </p>
<p> This time, the Postfix side uses a transport map to direct only
mail for "example.com" through the tunnel: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
example.com relay:[127.0.0.1]:11125
</pre>
</blockquote>
<p> Use "postmap hash:/etc/postfix/transport" and "postfix reload"
to make the change effective. </p>
<p> See SOHO_README for additional information about SASL authentication.
</p>
<p> Please see TLS_LEGACY_README. </p>
<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>

120
postfix/proto/postconf.proto
View File

@ -6708,7 +6708,8 @@ envelope sender
<blockquote> <p> Note: to enforce that the From: header address
matches the envelope sender (MAIL FROM) address, use an external
filter such as a Milter, for the submission, submissions, or smtps
filter such as a Milter, for the submission or submissions (formerly
called smtps )
services. For example: https://github.com/magcks/milterfrom. </p>
</blockquote>
@ -6812,8 +6813,8 @@ that they do not explicitly own.
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example:
https://github.com/magcks/milterfrom.
for the submission or submissions (formerly called smtps) services.
For example: https://github.com/magcks/milterfrom.
<br>
This feature is available in Postfix version 2.1 and later. </dd>
@ -6833,8 +6834,8 @@ unlisted MAIL FROM address.
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example:
https://github.com/magcks/milterfrom.
for the submission or submissions (formerly called smtps) services.
For example: https://github.com/magcks/milterfrom.
<br>
This feature is available in Postfix version 2.11 and later.</dd>
@ -6879,8 +6880,8 @@ using any MAIL FROM address that is listed in $smtpd_sender_login_maps.
<br>
Note: to enforce that the From: header address matches the envelope
sender (MAIL FROM) address, use an external filter such as a Milter,
for the submission, submissions, or smtps services. For example:
https://github.com/magcks/milterfrom.
for the submission or submissions (formerly called smtps) services.
For example: https://github.com/magcks/milterfrom.
<br>
This feature is available in Postfix version 2.1 and later.</dd>
@ -8466,11 +8467,11 @@ use the same program name. </p>
<p> Example master.cf entries: </p>
<pre>
# Distinguish inbound MTA logging from submission and smtps logging.
# Distinguish inbound MTA logging from submission and submissions logging.
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o syslog_name=postfix/$service_name
smtps inet n - n - - smtpd
submissions inet n - n - - smtpd
-o syslog_name=postfix/$service_name
</pre>
@ -9930,8 +9931,8 @@ instead of using the STARTTLS command. </p>
<p> If you want to support this service, enable a special port in
master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
server's command line. Port 465 (submissions/smtps) is reserved for
this purpose. </p>
server's command line. Port 465 (submissions, formerly called smtps)
is reserved for this purpose. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
@ -13349,8 +13350,7 @@ parameter. See there for details. </p>
%PARAM tls_eecdh_auto_curves see "postconf -d" output
<p> The prioritized list of elliptic curves, that should be enabled in the
Postfix SMTP client and server. These are used by the Postfix SMTP server when
"smtpd_tls_eecdh_grade = auto". The selected curves should be implemented
Postfix SMTP client and server. The selected curves should be implemented
by OpenSSL and be standardized for use in the TLS "supported groups" extension
(RFC8422, RFC8446 and RFC8447). Be sure to include at least "x25519" and
"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256"). The default
@ -13375,6 +13375,14 @@ customizing the list of FFDHE groups enabled with TLS 1.3. That setting
is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.
</p>
<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups
to the empty value, to enable algorithm selection through OpenSSL
configuration. See tls_config_file for a configuration example.
</p>
<p> This feature is available in Postfix 3.2 and later, when it is
compiled and linked with OpenSSL 1.0.2 or later on platforms where
EC algorithms have not been disabled by the vendor. </p>
@ -13405,10 +13413,15 @@ on whether any of the "kDHE" ciphers are included in the cipherlist.
</p>
<p> Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3
EC key agreement in OpenSSL 3.0 and later. Note that at least one of
"tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" must be non-empty,
this is required by OpenSSL 3.0. If both are inadvertently set empty,
Postfix will fall back to the compiled-in defaults. </p>
EC key agreement in OpenSSL 3.0 and later. If both are set empty,
Postfix will fall back to OpenSSL preferences as described next. </p>
<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
configuration syntax that Postfix will not attempt to imitate.
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty
value, to enable algorithm selection through OpenSSL configuration.
See tls_config_file for a configuration example. </p>
<p> All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
@ -13433,6 +13446,8 @@ must support this curve for EECDH key exchange to take place. It
is unwise to choose only "bleeding-edge" curves supported by only a
small subset of clients. </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> The default "strong" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to SECRET. </p>
@ -13473,6 +13488,8 @@ client implementations must support this curve for EECDH key exchange
to take place. It is unwise to choose only "bleeding-edge" curves
supported by only a small subset of clients. </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> This default "ultra" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to TOP SECRET. </p>
@ -13499,6 +13516,8 @@ this parameter is always ignored, and Postfix behaves as though the
<b>auto</b> value (described below) was chosen.
</p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> The available choices are: </p>
<dl>
@ -15979,7 +15998,7 @@ the "tlsproxy_tls_chain_files" parameter. </p>
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
smtpd_tls_eecdh_grade for further details. </p>
<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p>
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
@ -17507,21 +17526,22 @@ with valid PTR etc. records. </p>
%PARAM smtp_tls_wrappermode no
<p> Request that the Postfix SMTP client connects using the
SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. </p>
SUBMISSIONS (formerly called SMTPS) protocol instead of using the
STARTTLS command. </p>
<p> This mode requires "smtp_tls_security_level = encrypt" or
stronger. </p>
<p> Example: deliver all remote mail via a provider's server
"mail.example.com". </p>
<p> Example: deliver all remote mail via a provider's submissions
service at "mail.example.com". </p>
<pre>
/etc/postfix/main.cf:
# Client-side SMTPS requires "encrypt" or stronger.
# Client-side SUBMISSIONS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465
relayhost = [mail.example.com]:submissions
</pre>
<p> More examples are in TLS_README, including examples for older
@ -17591,7 +17611,7 @@ clients). </p>
This feature is available in Postfix 3.1 and later.
</p>
%PARAM smtp_tls_dane_insecure_mx_policy see "postconf -d" output
%PARAM smtp_tls_dane_insecure_mx_policy dane
<p> The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX
@ -17615,10 +17635,9 @@ authentication succeeds, it will be logged only as "Trusted", not
"Verified", because the MX host name could have been forged. </dd>
</dl>
<p> The default setting for Postfix &ge; 3.6 is "dane" with
"smtp_tls_security_level = dane", otherwise "may". This behavior
was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.
With earlier Postfix versions the default setting was always "dane".
<p> The default setting is "dane" as of Postfix versions 3.6.17,
3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
was mistakenly dependent on the smtp_tls_security_level setting.
</p>
<p> Though with "insecure" MX records an active attacker can
@ -18985,8 +19004,8 @@ process. </p>
<p> Specify zero or more service names separated by comma and/or
whitespace. Any name in the services(5) database may be specified,
though in practice only submission, submissions, and smtp make
sense. </p>
though in practice only submission or submissions (formerly called
smtp) make sense. </p>
<p> When SRV record lookup is enabled with use_srv_lookup, you can
enclose a domain name in "[]" to force IP address lookup instead
@ -19193,6 +19212,47 @@ MinProtocol = TLSv1
</pre>
</blockquote>
<p> Example: Custom OpenSSL group settings. </p>
<pre>
main.cf:
tls_config_file = ${config_directory}/openssl.cnf
tls_config_name = postfix
</pre>
<pre>
openssl.cnf:
postfix = postfix_settings
</pre>
<pre>
[postfix_settings]
ssl_conf = postfix_ssl_settings
</pre>
<pre>
[postfix_ssl_settings]
system_default = baseline_postfix_settings
</pre>
<pre>
[baseline_postfix_settings]
# New OpenSSL 3.5 syntax, for older releases consider
# the Postfix default:
#
# Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
#
Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
</pre>
<p> Caution: It is typically best to just use the default group
settings, for which no $tls_config_file is required (you can set
"tls_config_file = none", to avoid unwanted leakage of system-wide
settings that strive to harden HTTPS against mostly browser-specific
security and privacy issues into Postfix use of opportunistic TLS,
where they're they can be counterproductive, leading to downgrades
to cleartext, rather than more "secure" TLS). </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>

2
postfix/proto/stop
View File

@ -1670,3 +1670,5 @@ SIGKILL
URI
URIs
bugfix
MLKEM
cleartext

2
postfix/proto/stop.double-history
View File

@ -164,3 +164,5 @@ proto proto socketmap_table
cleanup cleanup_message c smtp smtp c smtp smtp_connect c
Documentation edited for clarity Files pipe pipe c
global mail_params h smtpd smtpd c
global mail_params h proto postconf proto smtp smtp c
proto postconf proto proto TLS_README html

2
postfix/src/global/mail_params.h
View File

@ -1660,7 +1660,7 @@ extern bool var_smtp_tls_force_tlsa;
/* SMTP only */
#define VAR_SMTP_TLS_INSECURE_MX_POLICY "smtp_tls_dane_insecure_mx_policy"
#define DEF_SMTP_TLS_INSECURE_MX_POLICY "${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}"
#define DEF_SMTP_TLS_INSECURE_MX_POLICY "dane"
extern char *var_smtp_tls_insecure_mx_policy;
/*

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20250207"
#define MAIL_RELEASE_DATE "20250215"
#define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT

5
postfix/src/smtp/smtp.c
View File

@ -594,10 +594,11 @@
/* Available in Postfix version 3.0 and later:
/* .IP "\fBsmtp_tls_wrappermode (no)\fR"
/* Request that the Postfix SMTP client connects using the
/* SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.
/* SUBMISSIONS (formerly called SMTPS) protocol instead of using the
/* STARTTLS command.
/* .PP
/* Available in Postfix version 3.1 and later:
/* .IP "\fBsmtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)\fR"
/* .IP "\fBsmtp_tls_dane_insecure_mx_policy (dane)\fR"
/* The TLS policy for MX hosts with "secure" TLSA records when the
/* nexthop destination security level is \fBdane\fR, but the MX
/* record was found via an "insecure" MX lookup.

6
postfix/src/tls/tls_dh.c
View File

@ -393,7 +393,6 @@ static int setup_auto_groups(SSL_CTX *ctx, const char *origin,
void tls_auto_groups(SSL_CTX *ctx, const char *eecdh, const char *ffdhe)
{
#ifndef OPENSSL_NO_ECDH
char *def_eecdh = DEF_TLS_EECDH_AUTO;
#if OPENSSL_VERSION_PREREQ(3, 0)
@ -407,6 +406,10 @@ void tls_auto_groups(SSL_CTX *ctx, const char *eecdh, const char *ffdhe)
#endif
const char *origin;
/* Use OpenSSL defaults */
if (!*eecdh && !*ffdhe)
return;
/*
* Try the user-specified list first. If that fails (empty list or no
* known group name), try again with the Postfix defaults. We assume that
@ -432,7 +435,6 @@ void tls_auto_groups(SSL_CTX *ctx, const char *eecdh, const char *ffdhe)
return;
}
}
#endif
}
#ifdef TEST

67
postfix/src/tls/tls_misc.c
View File

@ -674,8 +674,8 @@ void tls_param_init(void)
VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_ignored, 0, 0,
VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 0, 0,
VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 1, 0,
VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0,
VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 0, 0,
VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 0, 0,
VAR_TLS_FFDHE_AUTO, DEF_TLS_FFDHE_AUTO, &var_tls_ffdhe_auto, 0, 0,
VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0,
VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
@ -1084,8 +1084,17 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
break;
#endif
}
EVP_PKEY_free(dh_pkey);
}
if (kex_name) {
TLScontext->kex_name = mystrdup(kex_name);
TLScontext->kex_curve = kex_curve;
}
/* Not a problem if NULL */
EVP_PKEY_free(dh_pkey);
/* Resumption makes no use of signature keys or digests */
if (TLScontext->session_reused)
return;
/*
* On the client end, the certificate may be present, but not used, so we
@ -1111,12 +1120,19 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
* the more familiar name. For "RSA" keys report "RSA-PSS", which
* must be used with TLS 1.3.
*/
if ((nid = EVP_PKEY_type(EVP_PKEY_id(local_pkey))) != NID_undef) {
if ((nid = EVP_PKEY_id(local_pkey)) != NID_undef) {
switch (nid) {
default:
locl_sig_name = OBJ_nid2sn(nid);
if ((nid = EVP_PKEY_type(nid)) != NID_undef)
locl_sig_name = OBJ_nid2sn(nid);
break;
#if defined(EVP_PKEY_KEYMGMT)
case EVP_PKEY_KEYMGMT:
locl_sig_name = EVP_PKEY_get0_type_name(local_pkey);
break;
#endif
case EVP_PKEY_RSA:
/* For RSA, TLS 1.3 mandates PSS signatures */
locl_sig_name = "RSA-PSS";
@ -1138,6 +1154,13 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
*/
if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
locl_sig_dgst = OBJ_nid2sn(nid);
if (locl_sig_name) {
SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve;
if (locl_sig_dgst)
SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
}
}
peer_cert = TLS_PEEK_PEER_CERT(ssl);
if (peer_cert != 0) {
@ -1165,12 +1188,19 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
* the more familiar name. For "RSA" keys report "RSA-PSS", which
* must be used with TLS 1.3.
*/
if ((nid = EVP_PKEY_type(EVP_PKEY_id(peer_pkey))) != NID_undef) {
if ((nid = EVP_PKEY_id(peer_pkey)) != NID_undef) {
switch (nid) {
default:
peer_sig_name = OBJ_nid2sn(nid);
if ((nid = EVP_PKEY_type(nid)) != NID_undef)
peer_sig_name = OBJ_nid2sn(nid);
break;
#if defined(EVP_PKEY_KEYMGMT)
case EVP_PKEY_KEYMGMT:
peer_sig_name = EVP_PKEY_get0_type_name(peer_pkey);
break;
#endif
case EVP_PKEY_RSA:
/* For RSA, TLS 1.3 mandates PSS signatures */
peer_sig_name = "RSA-PSS";
@ -1193,25 +1223,14 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
peer_sig_dgst = OBJ_nid2sn(nid);
if (peer_sig_name) {
SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve;
if (peer_sig_dgst)
SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
}
}
TLS_FREE_PEER_CERT(peer_cert);
if (kex_name) {
TLScontext->kex_name = mystrdup(kex_name);
TLScontext->kex_curve = kex_curve;
}
if (locl_sig_name) {
SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve;
if (locl_sig_dgst)
SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
}
if (peer_sig_name) {
SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve;
if (peer_sig_dgst)
SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
}
}
/* tls_log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */