From bea0e7b32c6d1392dd5bd52e96574c66db0cead7 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Reliant UNIX 5.x
Rhapsody 5.x
-SunOS 4.1.4 (December 2005)
+SunOS 4.1.4 (July 2006)
SunOS 5.4 - 5.9 (Solaris 2.4..9)
Ultrix 4.x (well, that was long ago)
The non-interactive version ("make upgrade") needs the -/etc/postfix/main.cf file from a previous installation. If the file +/etc/postfix/main.cf file from a previous installation. If the file does not exist, use interactive installation ("make install") instead.
The interactive version offers suggestions for pathnames that you can override interactively, and stores your preferences -in /etc/postfix/main.cf for convenient future upgrades.
+in /etc/postfix/main.cf for convenient future upgrades.You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf, +
You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf, in order to avoid conflicts with the real sendmail. Put a "#" character in front of the line that defines the smtpd service:
@@ -585,11 +585,11 @@ receive mail while leaving your Sendmail setup intact, by running Postfix on a virtual interface address. Simply configure your mail user agent to directly invoke the Postfix sendmail program. --/etc/postfix/master.cf: +/etc/postfix/master.cf: #smtp inet n - n - - smtpd
In the /etc/postfix/main.cf file, I would specify
+In the /etc/postfix/main.cf file, I would specify
-/etc/postfix/main.cf: +/etc/postfix/main.cf: myhostname = virtual.host.tld inet_interfaces = $myhostname mydestination = $myhostname @@ -722,12 +722,12 @@ presented below is targeted at experienced system administrators.10.1 - Postfix configuration files
By default, Postfix configuration files are in /etc/postfix. -The two most important files are main.cf and master.cf; these files +The two most important files are main.cf and master.cf; these files must be owned by root. Giving someone else write permission to -main.cf or master.cf (or to their parent directories) means giving +main.cf or master.cf (or to their parent directories) means giving root privileges to that person.
-In /etc/postfix/main.cf, you will have to set up a minimal number +
In /etc/postfix/main.cf, you will have to set up a minimal number of configuration parameters. Postfix configuration parameters resemble shell variables, with two important differences: the first one is that Postfix does not know about quotes like the UNIX shell @@ -737,7 +737,7 @@ does.
@@ -746,7 +746,7 @@ does.-/etc/postfix/main.cf: +/etc/postfix/main.cf: parameter = value@@ -756,7 +756,7 @@ second main difference with UNIX shell variables). The Postfix configuration language uses lazy evaluation, and does not look at a parameter value until it is needed at runtime. --/etc/postfix/main.cf: +/etc/postfix/main.cf: other_parameter = $parameterWhenever you make a change to the main.cf or master.cf file, +
Whenever you make a change to the main.cf or master.cf file, execute the following command in order to refresh a running mail system:
@@ -777,7 +777,7 @@ probably OK only for very small sites.-/etc/postfix/main.cf: +/etc/postfix/main.cf: myorigin = $myhostname (send mail as "user@$myhostname") myorigin = $mydomain (send mail as "user@$mydomain")@@ -792,7 +792,7 @@ locally.-/etc/postfix/main.cf: +/etc/postfix/main.cf: mydestination = $myhostname, localhost.$mydomain, localhost mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain mydestination = $myhostname @@ -819,7 +819,7 @@ mail delivery loops will happen when the primary MX host is down.@@ -834,7 +834,7 @@ permission to too many clients. My own settings are:-/etc/postfix/main.cf: +/etc/postfix/main.cf: proxy_interfaces = 1.2.3.4 (the proxy/NAT external network address)@@ -849,7 +849,7 @@ too many destinations. Recommended settings (use only one):-/etc/postfix/main.cf: +/etc/postfix/main.cf: mynetworks = 168.100.189.0/28, 127.0.0.0/8-/etc/postfix/main.cf: +/etc/postfix/main.cf: relay_domains = (do not forward mail from strangers) relay_domains = $mydomain (my domain and subdomains) relay_domains = $mydomain, other.domain.tld, ... @@ -868,7 +868,7 @@ a hard-coded hostname.-/etc/postfix/main.cf: +/etc/postfix/main.cf: relayhost = $mydomain relayhost = [mail.$mydomain]@@ -882,7 +882,7 @@ turn off SMTP client DNS lookups like this:@@ -928,7 +928,7 @@ following commands:-/etc/postfix/main.cf: +/etc/postfix/main.cf: disable_dns_lookups = yes11 - To chroot or not to chroot
-Postfix daemon processes can be configured (via master.cf) to +
Postfix daemon processes can be configured (via master.cf) to run in a chroot jail. The processes run at a fixed low privilege and with access only to the Postfix queue directories (/var/spool/postfix). This provides a significant barrier against intrusion. The barrier @@ -944,9 +944,9 @@ processes, and perhaps also the lmtp(8) client. The au porcupine.org mail server runs all daemons chrooted that can be chrooted.
-The default /etc/postfix/master.cf file specifies that no +
The default /etc/postfix/master.cf file specifies that no Postfix daemon runs chrooted. In order to enable chroot operation, -edit the file /etc/postfix/master.cf. Instructions are in the file. +edit the file /etc/postfix/master.cf. Instructions are in the file.
Note that a chrooted daemon resolves all filenames relative to diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html index 2d5f85181..f37fee8a0 100644 --- a/postfix/html/TLS_README.html +++ b/postfix/html/TLS_README.html @@ -248,8 +248,7 @@ be unable to receive email from most TLS enabled clients. To avoid accidental configurations with no certificates, Postfix 2.3 enables certificate-less operation only when the administrator explicitly sets "smtpd_tls_cert_file = none". This ensures that new Postfix -configurations with just "smtpd_use_tls = yes" added, will -not accidentally run with no certificates.
+configurations will not accidentally run with no certificates.Both RSA and DSA certificates are supported. Typically you will only have RSA certificates issued by a commercial CA. In addition, @@ -437,13 +436,18 @@ since the headers may be changed by intermediate servers.
By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix is visible. Explicitly switch it on -using "smtpd_use_tls = yes".
+with "smtpd_tls_security_level = may" (Postfix 2.3 and +later) or "smtpd_use_tls = yes" (obsolete but still +supported).Example:
@@ -456,18 +460,23 @@ SMTP clients, but does not require that clients use TLS encryption. is never offered due to insufficient privileges to access the server private key. This is intended behavior. -/etc/postfix/main.cf: + # Postfix 2.3 and later + smtpd_tls_security_level = may + # Obsolete, but still supported smtpd_use_tls = yesYou can ENFORCE the use of TLS, so that -the Postfix SMTP server announces STARTTLS and accepts no mail without -TLS encryption, by setting "smtpd_enforce_tls = yes". According -to RFC 2487 this MUST NOT be applied in case of a publicly-referenced -Postfix SMTP server. This option is off by default and should only -seldom be used.
+You can ENFORCE the use of TLS, +so that the Postfix SMTP server announces STARTTLS and accepts no +mail without TLS encryption, by setting +"smtpd_tls_security_level = encrypt" (Postfix 2.3 and +later) or "smtpd_enforce_tls = yes" (obsolete but still +supported). According to RFC 2487 this MUST NOT be applied in case +of a publicly-referenced Postfix SMTP server. This option is off +by default and should only seldom be used.
Example:
@@ -517,8 +526,11 @@ when the server is configured to ask for client certificates./etc/postfix/main.cf: + # Postfix 2.3 and later + smtpd_tls_security_level = encrypt + # Obsolete, but still supported smtpd_enforce_tls = yes@@ -534,8 +546,11 @@ logged./etc/postfix/main.cf: - smtpd_use_tls = yes smtpd_tls_ask_ccert = yes + # Postfix 2.3 and later + smtpd_tls_security_level = may + # Obsolete, but still supported + smtpd_use_tls = yes@@ -556,15 +571,18 @@ CA issues special CA which then issues the actual certificate...)/etc/postfix/main.cf: - smtpd_enforce_tls = yes smtpd_tls_req_ccert = yes + # Postfix 2.3 and later + smtpd_tls_security_level = encrypt + # Obsolete, but still supported + smtpd_enforce_tls = yesSupporting AUTH over TLS only
-Sending AUTH data over an unencrypted channel poses a security risk. -When TLS layer encryption is required (smtpd_enforce_tls = yes), -the Postfix SMTP server will announce and accept AUTH only -after the TLS layer has been activated with STARTTLS. When TLS -layer encryption is optional (smtpd_enforce_tls = no), it may -however still be useful to only offer AUTH when TLS is active. To -maintain compatibility with non-TLS clients, the default is to -accept AUTH without encryption. In order to change this behavior, -set "smtpd_tls_auth_only = yes".
+Sending AUTH data over an unencrypted channel poses a security +risk. When TLS layer encryption is required +("smtpd_tls_security_level = encrypt" or the obsolete +"smtpd_enforce_tls = yes"), the Postfix SMTP server will +announce and accept AUTH only after the TLS layer has been activated +with STARTTLS. When TLS layer encryption is optional +("smtpd_tls_security_level = may" or the obsolete +"smtpd_enforce_tls = no"), it may however still be useful +to only offer AUTH when TLS is active. To maintain compatibility +with non-TLS clients, the default is to accept AUTH without encryption. +In order to change this behavior, set +"smtpd_tls_auth_only = yes".
Example:
@@ -715,12 +733,14 @@ and not specifying an smtpd_tls_d@@ -1257,12 +1277,12 @@ on TLS limitations above./etc/postfix/main.cf: - smtpd_use_tls = yes - smtpd_enforce_tls = yes smtpd_tls_cert_file = /etc/postfix/cert.pem smtpd_tls_key_file = /etc/postfix/key.pem smtpd_tls_ciphers = medium smtpd_tls_exclude_ciphers = aNULL, MD5 + # Postfix 2.3 and later + smtpd_tls_security_level = encrypt + # Obsolete, but still supported + smtpd_enforce_tls = yesAt the "encrypt" TLS security level, messages are sent only over TLS encrypted sessions. The SMTP transaction is aborted unless -the STARTTLS ESMTP feature is supported by the server. If no -suitable servers are found, the message will be deferred. With Postfix -2.3 and later, mandatory TLS encryption can be configured by setting -"smtp_tls_security_level = encrypt". Even though TLS encryption -is always used, mail delivery continues if the server certificate is -untrusted or bears the wrong name.
+the STARTTLS ESMTP feature is supported by the server. If no suitable +servers are found, the message will be deferred. With Postfix 2.3 +and later, mandatory TLS encryption can be configured by setting +"smtp_tls_security_level = encrypt". Even though TLS +encryption is always used, mail delivery continues if the server +certificate is untrusted or bears the wrong name.At this security level and higher, the smtp_tls_mandatory_protocols and smtp_tls_mandatory_ciphers configuration parameters determine @@ -1382,15 +1402,15 @@ use the new policy table instead.
Mandatory server certificate verification
-At the "verify" TLS security level, messages are sent only -over TLS encrypted sessions for which server certificate verification -succeeds. If no suitable servers are found, the message will be -deferred. With Postfix 2.3 and later, mandatory server certificate -verification can be configured by setting -"smtp_tls_security_level = verify", the +
At the "verify" TLS security level, messages are sent only over +TLS encrypted sessions if the server certificate is valid (not +expired or revoked, and signed by a trusted certificate authority) +and if the server certificate name matches a known pattern. Mandatory +server certificate verification can be configured by setting +"smtp_tls_security_level = verify". The smtp_tls_verify_cert_match parameter can override the default -"hostname" certificate match strategy. Fine-tuning the matching -strategy is generally only appropriate for secure-channel destinations.
With Postfix 2.2 and earlier, or when smtp_tls_security_level @@ -1676,33 +1696,51 @@ describe the corresponding table syntax:
Opportunistic TLS. No additional attributes are supported at this level. -encrypt Mandatory TLS encryption. At this level and -higher the optional "ciphers" attribute overrides the main.cf -smtp_tls_mandatory_ciphers parameter and the optional "protocols" -keyword overrides the main.cf smtp_tls_mandatory_protocols parameter. -In the policy table, multiple protocols must be separated by colons, -as attribute values may not contain whitespace or commas. +encrypt Mandatory TLS encryption. Mail is +delivered only if remote SMTP server offers STARTTLS and the TLS +handshake succeeds. At this level and higher the optional "ciphers" +attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter +and the optional "protocols" keyword overrides the main.cf +smtp_tls_mandatory_protocols parameter. -verify -Mandatory server certificate verification. The optional "match" -attribute overrides the main.cf smtp_tls_verify_cert_match parameter. -In the policy table, multiple match patterns and strategies must -be separated by colons. +verify Mandatory server certificate verification. +Mail is delivered only if the TLS handshake succeeds, if the server +certificate can be validated (not expired or revoked, and signed +by a trusted certificate authority), and if the server certificate +name matches the optional "match" attribute (or the main.cf +smtp_tls_verify_cert_match parameter value when no optional "match" +attribute is specified). -secure Secure-channel TLS. The optional "match" -attribute overrides the main.cf smtp_tls_secure_cert_match parameter. In -the policy table, multiple match patterns and strategies must be separated -by colons. The match attribute is useful when additional domains are -supported by common server, the policy entries for the additional domains -specify matching rules for the primary domain certificate. 
While transport -table overrides routing secondary domains to the primary nexthop also -allow secure verification, they risk delivery to the wrong destination -when domains change hands or are re-assigned to new gateways. With the -"match" attribute approach, routing is not perturbed, and mail is deferred -if verification of a new MX host fails. +secure Secure-channel TLS. Mail is delivered +only if the TLS handshake succeeds, if the server certificate can +be validated (not expired or revoked, and signed by a trusted +certificate authority), and if the server certificate name matches +the optional "match" attribute (or the main.cf smtp_tls_secure_cert_match +parameter value when no optional "match" attribute is specified). + +Notes:
+ ++ +
+The "match" attribute is especially useful to verify TLS +certificates for domains that are hosted on a shared server. In +that case, specify "match" rules for the shared server's name. +While secure verification can also be achieved with manual routing +overrides in Postfix transport(5) tables, that approach can deliver +mail to the wrong host when domains are assigned to new gateway +hosts. The "match" attribute approach avoids the problems of manual +routing overrides; mail is deferred if verification of a new MX +host fails.
+ +When a policy table entry specifies multiple match patterns, +multiple match strategies, or multiple protocols, these must be +separated by colons.
+ +Example:
@@ -2238,18 +2276,22 @@ but don't require them from all clients.diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 5e47f0555..a6c7fc76a 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -8457,9 +8457,10 @@ example.net secure match=example.com:.example.com-smtp_tls_CAfile = /etc/postfix/cacert.pem -smtp_tls_session_cache_database = - btree:/var/spool/postfix/smtp_tls_session_cache -smtp_use_tls = yes -smtpd_tls_CAfile = /etc/postfix/cacert.pem -smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem -smtpd_tls_key_file = /etc/postfix/FOO-key.pem -smtpd_tls_received_header = yes -smtpd_tls_session_cache_database = - btree:/var/spool/postfix/smtpd_tls_session_cache -smtpd_use_tls = yes -tls_random_source = dev:/dev/urandom +/etc/postfix/main.cf: + smtp_tls_CAfile = /etc/postfix/cacert.pem + smtp_tls_session_cache_database = + btree:/var/spool/postfix/smtp_tls_session_cache + smtp_use_tls = yes + smtpd_tls_CAfile = /etc/postfix/cacert.pem + smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem + smtpd_tls_key_file = /etc/postfix/FOO-key.pem + smtpd_tls_received_header = yes + smtpd_tls_session_cache_database = + btree:/var/spool/postfix/smtpd_tls_session_cache + tls_random_source = dev:/dev/urandom + # Postfix 2.3 and later + smtpd_tls_security_level = may + # Obsolete, but still supported + smtpd_use_tls = yessmtp_tls_security_level (default: empty) - The default SMTP TLS security level for all destinations; when -a non-empty value is specified, this overrides the obsolete parameters -smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+The default SMTP TLS security level for the Postfix SMTP client; +when a non-empty value is specified, this overrides the obsolete +parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. +
Specify one of the following security levels:
@@ -9457,19 +9458,20 @@ applies in the context of the SMTP END-OF-DATA command.smtpd_enforce_tls (default: no) - @@ -10805,15 +10807,15 @@ able to authenticate the server, but unless it is running Postfix 2.3 or similar software, it will still insist on a server certificate.Enforcement mode: announce STARTTLS support to SMTP clients, +
Mandatory TLS: announce STARTTLS support to SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. This option is off by default and should be used only on dedicated servers.
-Note 1: this mode implies "smtpd_tls_auth_only = yes".
+Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
Note 2: when invoked via "sendmail -bs", Postfix will never offer STARTTLS due to insufficient privileges to access the server private key. This is intended behavior.
-This feature is available in Postfix 2.2 and later.
+This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtpd_tls_security_level instead.
For servers that are not public Internet MX hosts, Postfix -2.3 supports configurations with no certificates. This entails the use -of just the anonymous TLS ciphers, which are not supported by typical -SMTP clients. Since such clients will not, as a rule, fall back to plain -text after a TLS handshake failure, the server will be unable to receive -email from TLS enabled clients. To avoid accidental configurations with -no certificates, Postfix 2.3 enables certificate-less operation only -when the administrator explicitly sets "smtpd_tls_cert_file = none". This -ensures that new Postfix configurations with just "smtpd_use_tls = yes" -added, will not accidentally run with no certificates.
+2.3 supports configurations with no certificates. This entails the +use of just the anonymous TLS ciphers, which are not supported by +typical SMTP clients. Since such clients will not, as a rule, fall +back to plain text after a TLS handshake failure, the server will +be unable to receive email from TLS enabled clients. To avoid +accidental configurations with no certificates, Postfix 2.3 enables +certificate-less operation only when the administrator explicitly +sets "smtpd_tls_cert_file = none". This ensures that new Postfix +configurations will not accidentally run with no certificates.Both RSA and DSA certificates are supported. When both types are present, the cipher used determines which certificate will be @@ -11108,17 +11110,15 @@ loglevel 4 is strongly discouraged.
smtpd_tls_protocols (default: empty) - + +The list of TLS protocols supported by the server. If empty the -default list of protocols is used (i.e. all TLS protocol versions are -supported). Any non-empty value is interpreted as a list of protocol -names separated by whitespace, commas or colons. The supported protocol -names are "SSLv2", "SSLv3" and "TLSv1", and are not -case-sensitive.
+The list of TLS protocols supported by the Postfix SMTP server. +If the list is empty, the server supports all available TLS protocol +versions. A non-empty value is a list of protocol names separated +by whitespace, commas or colons. The supported protocol names are +"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
-DO NOT set this to a non-default value on an MX-host, -as some clients may not support any of the narrower set of protocols, -and may be unable to fallback to plaintext sessions. If you restrict -the protocol list on an MX host, you may lose mail.
+DO NOT set this to a non-default value on an Internet MX host, +as this may cause inter-operability problems. If you restrict the +protocol list on an Internet MX host, you may lose mail.
Example:
@@ -11159,6 +11159,48 @@ a warning written to the mail log.This feature is available in Postfix 2.2 and later.
+smtpd_tls_security_level +(default: empty) + + The SMTP TLS security level for the Postfix SMTP server; when +a non-empty value is specified, this overrides the obsolete parameters +smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with +"smtpd_tls_wrappermode = yes".
+ +Specify one of the following security levels:
+ ++ +
+ +- none
- TLS will not be used.
+ +- may
- Opportunistic TLS: announce STARTTLS support +to SMTP clients, but do not require that clients use TLS encryption. +
+ +- encrypt
- Mandatory TLS encryption: announce +STARTTLS support to SMTP clients, and require that clients use TLS +encryption. According to RFC 2487 this MUST NOT be applied in case +of a publicly-referenced SMTP server. Instead, this option should +be used only on dedicated servers.
+ +Note 1: the "verify" and "secure" levels are not supported. +The Postfix SMTP server logs a warning and uses "encrypt" instead. +To verify SMTP client certificates, see TLS_README for a discussion +of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts +features.
+ +Note 2: The parameter setting "smtpd_tls_security_level = +encrypt" implies "smtpd_tls_auth_only = yes".
+ +Note 3: when invoked via "sendmail -bs", Postfix will never +offer STARTTLS due to insufficient privileges to access the server +private key. This is intended behavior.
+ +smtpd_tls_session_cache_database @@ -11225,14 +11267,15 @@ purpose. smtpd_use_tls (default: no) - diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index dd82883d2..c1aa2caca 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html 
@@ -320,39 +320,40 @@ SMTP(8) SMTP(8) found in the TLS_README document. smtp_tls_security_level (empty) - The default SMTP TLS security level for all desti- - nations; when a non-empty value is specified, this - overrides the obsolete parameters smtp_use_tls, - smtp_enforce_tls, and smtp_tls_enforce_peername. + The default SMTP TLS security level for the Postfix + SMTP client; when a non-empty value is specified, + this overrides the obsolete parameters + smtp_use_tls, smtp_enforce_tls, and + smtp_tls_enforce_peername. smtp_sasl_tls_security_options ($smtp_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions. smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read - operations during TLS startup and shutdown hand- + Time limit for Postfix SMTP client write and read + operations during TLS startup and shutdown hand- shake procedures. smtp_tls_CAfile (empty) - The file with the certificate of the certification - authority (CA) that issued the Postfix SMTP client + The file with the certificate of the certification + authority (CA) that issued the Postfix SMTP client certificate. smtp_tls_CApath (empty) - Directory with PEM format certificate authority - certificates that the Postfix SMTP client uses to + Directory with PEM format certificate authority + certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. smtp_tls_cert_file (empty) - File with the Postfix SMTP client RSA certificate + File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_mandatory_ciphers (medium) - The minimum SMTP client TLS cipher grade that is - strong enough to be used with the "encrypt" secu- + The minimum SMTP client TLS cipher grade that is + strong enough to be used with the "encrypt" secu- rity level and higher. 
smtp_tls_exclude_ciphers (empty) @@ -361,43 +362,43 @@ SMTP(8) SMTP(8) smtp_tls_mandatory_exclude_ciphers (empty) List of ciphers or cipher types to exclude from the - SMTP client cipher list at the mandatory TLS secu- + SMTP client cipher list at the mandatory TLS secu- rity levels: "encrypt", "verify" and "secure". smtp_tls_dcert_file (empty) - File with the Postfix SMTP client DSA certificate + File with the Postfix SMTP client DSA certificate in PEM format. smtp_tls_dkey_file ($smtp_tls_dcert_file) - File with the Postfix SMTP client DSA private key + File with the Postfix SMTP client DSA private key in PEM format. smtp_tls_key_file ($smtp_tls_cert_file) - File with the Postfix SMTP client RSA private key + File with the Postfix SMTP client RSA private key in PEM format. smtp_tls_loglevel (0) - Enable additional Postfix SMTP client logging of + Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that - offers STARTTLS, when TLS is not already enabled + Log the hostname of a remote SMTP server that + offers STARTTLS, when TLS is not already enabled for that server. smtp_tls_policy_maps (empty) Optional lookup tables with the Postfix SMTP client TLS security policy by next-hop destination; when a - non-empty value is specified, this overrides the + non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. smtp_tls_mandatory_protocols (SSLv3, TLSv1) - List of TLS protocol versions that are secure + List of TLS protocol versions that are secure enough to be used with the "encrypt" security level and higher. smtp_tls_scert_verifydepth (5) - The verification depth for remote SMTP server cer- + The verification depth for remote SMTP server cer- tificates. smtp_tls_secure_cert_match (nexthop, dot-nexthop) 
@@ -405,7 +406,7 @@ SMTP(8) SMTP(8) for the "secure" TLS security level. smtp_tls_session_cache_database (empty) - Name of the file containing the optional Postfix + Name of the file containing the optional Postfix SMTP client TLS session cache. smtp_tls_session_cache_timeout (3600s) @@ -417,9 +418,9 @@ SMTP(8) SMTP(8) for the "verify" TLS security level. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) - or smtpd(8) process requests from the tlsmgr(8) - server in order to seed its internal pseudo random + The number of pseudo-random bytes that an smtp(8) + or smtpd(8) process requests from the tlsmgr(8) + server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist @@ -431,7 +432,7 @@ SMTP(8) SMTP(8) ciphers. tls_low_cipherlist (!EXPORT:ALL:+RC4:@STRENGTH) - The OpenSSL cipherlist for "LOW" or higher grade + The OpenSSL cipherlist for "LOW" or higher grade ciphers. tls_export_cipherlist (ALL:+RC4:@STRENGTH) 
@@ -439,66 +440,66 @@ SMTP(8) SMTP(8) ciphers. tls_null_cipherlist (!aNULL:eNULL+kRSA) - The OpenSSL cipherlist for "NULL" grade ciphers + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in Postfix version 2.4 and later: smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions with a verified server certificate. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compati- + The following configuration parameters exist for compati- bility with Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP - server announces STARTTLS support, otherwise send + Opportunistic mode: use TLS when a remote SMTP + server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers - use TLS encryption, and never send mail in the + Enforcement mode: require that remote SMTP servers + use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - When TLS encryption is enforced, require that the + When TLS encryption is enforced, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) Optional lookup tables with the Postfix SMTP client - TLS usage policy by next-hop destination and by + TLS usage policy by next-hop destination and by remote SMTP server hostname. 
RESOURCE AND RATE CONTROLS smtp_destination_concurrency_limit ($default_destina- tion_concurrency_limit) - The maximal number of parallel deliveries to the - same destination via the smtp message delivery + The maximal number of parallel deliveries to the + same destination via the smtp message delivery transport. smtp_destination_recipient_limit ($default_destina- tion_recipient_limit) - The maximal number of recipients per delivery via + The maximal number of recipients per delivery via the smtp message delivery transport. smtp_connect_timeout (30s) - The SMTP client time limit for completing a TCP + The SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The SMTP client time limit for sending the HELO or - EHLO command, and for receiving the initial server + The SMTP client time limit for sending the HELO or + EHLO command, and for receiving the initial server response. lmtp_lhlo_timeout (300s) - The LMTP client time limit for sending the LHLO + The LMTP client time limit for sending the LHLO command, and for receiving the initial server response. 
@@ -507,30 +508,30 @@ SMTP(8) SMTP(8) command, and for receiving the server response. smtp_mail_timeout (300s) - The SMTP client time limit for sending the MAIL - FROM command, and for receiving the server + The SMTP client time limit for sending the MAIL + FROM command, and for receiving the server response. smtp_rcpt_timeout (300s) - The SMTP client time limit for sending the SMTP - RCPT TO command, and for receiving the server + The SMTP client time limit for sending the SMTP + RCPT TO command, and for receiving the server response. smtp_data_init_timeout (120s) - The SMTP client time limit for sending the SMTP - DATA command, and for receiving the server + The SMTP client time limit for sending the SMTP + DATA command, and for receiving the server response. smtp_data_xfer_timeout (180s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP ".", and for receiving the server response. smtp_quit_timeout (300s) - The SMTP client time limit for sending the QUIT + The SMTP client time limit for sending the QUIT command, and for receiving the server response. Available in Postfix version 2.1 and later: @@ -541,12 +542,12 @@ SMTP(8) SMTP(8) lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery - request before giving up or delivering to a fall- + The maximal number of SMTP sessions per delivery + request before giving up or delivering to a fall- back relay host, or zero (no limit). smtp_rset_timeout (20s) - The SMTP client time limit for sending the RSET + The SMTP client time limit for sending the RSET command, and for receiving the server response. Available in Postfix version 2.2 and earlier: 
@@ -558,11 +559,11 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. 
@@ -572,57 +573,57 @@ SMTP(8) SMTP(8) smtp_connection_cache_time_limit (2s) When SMTP connection caching is enabled, the amount - of time that an unused SMTP client socket is kept + of time that an unused SMTP client socket is kept open before it is closed. Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or + Time limit for connection cache connect, send or receive operations. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. 
daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal + The maximal number of digits after the decimal point when logging sub-second delay values. disable_dns_lookups (no) - Disable DNS lookups in the Postfix SMTP and LMTP + Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) @@ -630,7 +631,7 @@ SMTP(8) SMTP(8) tem receives mail on. inet_protocols (ipv4) - The Internet protocols Postfix will attempt to use + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) 
@@ -638,74 +639,74 @@ SMTP(8) SMTP(8) over an internal communication channel. lmtp_tcp_port (24) - The default TCP port that the Postfix LMTP client + The default TCP port that the Postfix LMTP client connects to. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for the next service request + The maximum amount of time that an idle Postfix + daemon process waits for the next service request before exiting. max_use (100) - The maximal number of connection requests before a + The maximal number of connection requests before a Postfix daemon process terminates. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. smtp_bind_address (empty) An optional numerical network address that the SMTP - client should bind to when making an IPv4 connec- + client should bind to when making an IPv4 connec- tion. smtp_bind_address6 (empty) An optional numerical network address that the SMTP - client should bind to when making an IPv6 connec- + client should bind to when making an IPv6 connec- tion. smtp_helo_name ($myhostname) - The hostname to send in the SMTP EHLO or HELO com- + The hostname to send in the SMTP EHLO or HELO com- mand. lmtp_lhlo_name ($myhostname) The hostname to send in the LMTP LHLO command. smtp_host_lookup (dns) - What mechanisms when the SMTP client uses to look + What mechanisms when the SMTP client uses to look up a host's IP address. smtp_randomize_addresses (yes) - Randomize the order of equal-preference MX host + Randomize the order of equal-preference MX host addresses. 
syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". Available with Postfix 2.2 and earlier: fallback_relay (empty) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. Available with Postfix 2.3 and later: smtp_fallback_relay ($fallback_relay) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. SEE ALSO @@ -723,7 +724,7 @@ SMTP(8) SMTP(8) TLS_README, Postfix STARTTLS howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 70e407e6e..476b23482 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -329,12 +329,12 @@ SMTPD(8) SMTPD(8) found in the TLS_README document. smtpd_use_tls (no) - Opportunistic mode: announce STARTTLS support to + Opportunistic TLS: announce STARTTLS support to SMTP clients, but do not require that clients use TLS encryption. smtpd_enforce_tls (no) - Enforcement mode: announce STARTTLS support to SMTP + Mandatory TLS: announce STARTTLS support to SMTP clients, and require that clients use TLS encryp- tion. @@ -408,7 +408,8 @@ SMTPD(8) SMTPD(8) TLS activity. smtpd_tls_protocols (empty) - The list of TLS protocols supported by the server. + The list of TLS protocols supported by the Postfix + SMTP server. smtpd_tls_received_header (no) Request that the Postfix SMTP server produces 
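Review bot: with the relabelling to "Opportunistic TLS" / "Mandatory TLS" in the @@ -329 hunk, the smtpd_use_tls and smtpd_enforce_tls entries still read as the current way to configure server-side TLS, while the smtpd_tls_security_level entry added elsewhere in this same patch calls them "obsolete parameters" that a non-empty security level overrides. Say so here too, for example by appending "(obsolete; ignored when smtpd_tls_security_level is set)" to both summaries, so an operator who keeps smtpd_enforce_tls = yes and later adds a smtpd_tls_security_level setting is not surprised when the new parameter silently wins.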
@@ -441,6 +442,14 @@ SMTPD(8) SMTPD(8) server in order to seed its internal pseudo random number generator (PRNG). + Available in Postfix version 2.3 and later: + + smtpd_tls_security_level (empty) + The SMTP TLS security level for the Postfix SMTP + server; when a non-empty value is specified, this + overrides the obsolete parameters smtpd_use_tls and + smtpd_enforce_tls. + tls_high_cipherlist (!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "HIGH" grade ciphers. @@ -450,7 +459,7 @@ SMTPD(8) SMTPD(8) ciphers. tls_low_cipherlist (!EXPORT:ALL:+RC4:@STRENGTH) - The OpenSSL cipherlist for "LOW" or higher grade + The OpenSSL cipherlist for "LOW" or higher grade ciphers. tls_export_cipherlist (ALL:+RC4:@STRENGTH) 
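Review bot: the new smtpd_tls_security_level summary in the @@ -441 hunk says a non-empty value overrides smtpd_use_tls and smtpd_enforce_tls, but it neither lists the accepted levels nor says what the empty default means (the obsolete parameters stay in effect, which follows from "when a non-empty value is specified"); add a pointer to the postconf(5) entry or TLS_README where the levels are enumerated, as the client-side smtp_tls_security_level text in this same patch does with "Specify one of the following security levels". Also, the inserted "Available in Postfix version 2.3 and later:" heading now sits directly above the unchanged tls_high_cipherlist entry, so under the man page's own convention the version qualifier appears to cover the cipherlist parameters as well; place the new entry so that the heading applies only to it.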
@@ -458,63 +467,63 @@ SMTPD(8) SMTPD(8) ciphers. tls_null_cipherlist (!aNULL:eNULL+kRSA) - The OpenSSL cipherlist for "NULL" grade ciphers + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. VERP SUPPORT CONTROLS - With VERP style delivery, each recipient of a message + With VERP style delivery, each recipient of a message receives a customized copy of the message with his/her own - recipient address encoded in the envelope sender address. + recipient address encoded in the envelope sender address. The VERP_README file describes configuration and operation - details of Postfix support for variable envelope return + details of Postfix support for variable envelope return path addresses. VERP style delivery is requested with the - SMTP XVERP command or with the "sendmail -V" command-line - option and is available in Postfix version 1.1 and later. + SMTP XVERP command or with the "sendmail -V" command-line + option and is available in Postfix version 1.1 and later. default_verp_delimiters (+=) The two default VERP delimiter characters. verp_delimiter_filter (-=+) - The characters Postfix accepts as VERP delimiter - characters on the Postfix sendmail(1) command line + The characters Postfix accepts as VERP delimiter + characters on the Postfix sendmail(1) command line and in SMTP commands. Available in Postfix version 1.1 and 2.0: authorized_verp_clients ($mynetworks) - What SMTP clients are allowed to specify the XVERP + What SMTP clients are allowed to specify the XVERP command. Available in Postfix version 2.1 and later: smtpd_authorized_verp_clients ($authorized_verp_clients) - What SMTP clients are allowed to specify the XVERP + What SMTP clients are allowed to specify the XVERP command. TROUBLE SHOOTING CONTROLS - The DEBUG_README document describes how to debug parts of - the Postfix mail system. 
The methods vary from making the - software log a lot of detail, to running some daemon pro- + The DEBUG_README document describes how to debug parts of + the Postfix mail system. The methods vary from making the + software log a lot of detail, to running some daemon pro- cesses under control of a call tracer or debugger. debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. soft_bounce (no) 
@@ -524,22 +533,22 @@ SMTPD(8) SMTPD(8) Available in Postfix version 2.1 and later: smtpd_authorized_xclient_hosts (empty) - What SMTP clients are allowed to use the XCLIENT + What SMTP clients are allowed to use the XCLIENT feature. KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS - As of Postfix version 2.0, the SMTP server rejects mail - for unknown recipients. This prevents the mail queue from - clogging up with undeliverable MAILER-DAEMON messages. - Additional information on this topic is in the + As of Postfix version 2.0, the SMTP server rejects mail + for unknown recipients. This prevents the mail queue from + clogging up with undeliverable MAILER-DAEMON messages. + Additional information on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README documents. show_user_unknown_table_name (yes) - Display the name of the recipient table in the + Display the name of the recipient table in the "User unknown" responses. canonical_maps (empty) - Optional address mapping lookup tables for message + Optional address mapping lookup tables for message headers and envelopes. recipient_canonical_maps (empty) @@ -550,7 +559,7 @@ SMTPD(8) SMTPD(8) mydestination ($myhostname, localhost.$mydomain, local- host) - The list of domains that are delivered via the + The list of domains that are delivered via the $local_transport mail delivery transport. inet_interfaces (all) 
@@ -559,145 +568,145 @@ SMTPD(8) SMTPD(8) proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. inet_protocols (ipv4) - The Internet protocols Postfix will attempt to use + The Internet protocols Postfix will attempt to use when making or accepting connections. local_recipient_maps (proxy:unix:passwd.byname $alias_maps) - Lookup tables with all names or addresses of local - recipients: a recipient address is local when its - domain matches $mydestination, $inet_interfaces or + Lookup tables with all names or addresses of local + recipients: a recipient address is local when its + domain matches $mydestination, $inet_interfaces or $proxy_interfaces. unknown_local_recipient_reject_code (550) - The numerical Postfix SMTP server response code - when a recipient address is local, and - $local_recipient_maps specifies a list of lookup + The numerical Postfix SMTP server response code + when a recipient address is local, and + $local_recipient_maps specifies a list of lookup tables that does not match the recipient. - Parameters concerning known/unknown recipients of relay + Parameters concerning known/unknown recipients of relay destinations: relay_domains ($mydestination) - What destination domains (and subdomains thereof) + What destination domains (and subdomains thereof) this system will relay mail to. relay_recipient_maps (empty) - Optional lookup tables with all valid addresses in + Optional lookup tables with all valid addresses in the domains that match $relay_domains. unknown_relay_recipient_reject_code (550) The numerical Postfix SMTP server reply code when a - recipient address matches $relay_domains, and - relay_recipient_maps specifies a list of lookup + recipient address matches $relay_domains, and + relay_recipient_maps specifies a list of lookup tables that does not match the recipient address. 
- Parameters concerning known/unknown recipients in virtual + Parameters concerning known/unknown recipients in virtual alias domains: virtual_alias_domains ($virtual_alias_maps) Postfix is final destination for the specified list - of virtual alias domains, that is, domains for - which all addresses are aliased to addresses in + of virtual alias domains, that is, domains for + which all addresses are aliased to addresses in other local or remote domains. virtual_alias_maps ($virtual_maps) - Optional lookup tables that alias specific mail - addresses or domains to other local or remote + Optional lookup tables that alias specific mail + addresses or domains to other local or remote address. unknown_virtual_alias_reject_code (550) The SMTP server reply code when a recipient address - matches $virtual_alias_domains, and $vir- - tual_alias_maps specifies a list of lookup tables + matches $virtual_alias_domains, and $vir- + tual_alias_maps specifies a list of lookup tables that does not match the recipient address. - Parameters concerning known/unknown recipients in virtual + Parameters concerning known/unknown recipients in virtual mailbox domains: virtual_mailbox_domains ($virtual_mailbox_maps) Postfix is final destination for the specified list - of domains; mail is delivered via the $vir- + of domains; mail is delivered via the $vir- tual_transport mail delivery transport. virtual_mailbox_maps (empty) - Optional lookup tables with all valid addresses in + Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains. unknown_virtual_mailbox_reject_code (550) The SMTP server reply code when a recipient address - matches $virtual_mailbox_domains, and $vir- + matches $virtual_mailbox_domains, and $vir- tual_mailbox_maps specifies a list of lookup tables that does not match the recipient address. 
RESOURCE AND RATE CONTROLS - The following parameters limit resource usage by the SMTP + The following parameters limit resource usage by the SMTP server and/or control client request rates. line_length_limit (2048) - Upon input, long lines are chopped up into pieces - of at most this length; upon delivery, long lines + Upon input, long lines are chopped up into pieces + of at most this length; upon delivery, long lines are reconstructed. queue_minfree (0) - The minimal amount of free space in bytes in the + The minimal amount of free space in bytes in the queue file system that is needed to receive mail. message_size_limit (10240000) - The maximal size in bytes of a message, including + The maximal size in bytes of a message, including envelope information. smtpd_recipient_limit (1000) - The maximal number of recipients that the Postfix + The maximal number of recipients that the Postfix SMTP server accepts per message delivery request. smtpd_timeout (300s) - The time limit for sending a Postfix SMTP server - response and for receiving a remote SMTP client + The time limit for sending a Postfix SMTP server + response and for receiving a remote SMTP client request. smtpd_history_flush_threshold (100) - The maximal number of lines in the Postfix SMTP - server command history before it is flushed upon + The maximal number of lines in the Postfix SMTP + server command history before it is flushed upon receipt of EHLO, RSET, or end of DATA. Available in Postfix version 2.3 and later: smtpd_peername_lookup (yes) - Attempt to look up the SMTP client hostname, and + Attempt to look up the SMTP client hostname, and verify that the name matches the client IP address. The per SMTP client connection count and request rate lim- its are implemented in co-operation with the anvil(8) ser- - vice, and are available in Postfix version 2.2 and later. + vice, and are available in Postfix version 2.2 and later. 
smtpd_client_connection_count_limit (50) - How many simultaneous connections any client is + How many simultaneous connections any client is allowed to make to this service. smtpd_client_connection_rate_limit (0) The maximal number of connection attempts any - client is allowed to make to this service per time + client is allowed to make to this service per time unit. smtpd_client_message_rate_limit (0) - The maximal number of message delivery requests - that any client is allowed to make to this service + The maximal number of message delivery requests + that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages. smtpd_client_recipient_rate_limit (0) - The maximal number of recipient addresses that any - client is allowed to send to this service per time + The maximal number of recipient addresses that any + client is allowed to send to this service per time unit, regardless of whether or not Postfix actually accepts those recipients. smtpd_client_event_limit_exceptions ($mynetworks) - Clients that are excluded from connection count, + Clients that are excluded from connection count, connection rate, or SMTP request rate restrictions. Available in Postfix version 2.3 and later: 
@@ -708,52 +717,52 @@ SMTPD(8) SMTPD(8) tiate with this service per time unit. TARPIT CONTROLS - When a remote SMTP client makes errors, the Postfix SMTP - server can insert delays before responding. This can help - to slow down run-away software. The behavior is con- - trolled by an error counter that counts the number of - errors within an SMTP session that a client makes without + When a remote SMTP client makes errors, the Postfix SMTP + server can insert delays before responding. This can help + to slow down run-away software. The behavior is con- + trolled by an error counter that counts the number of + errors within an SMTP session that a client makes without delivering mail. smtpd_error_sleep_time (1s) With Postfix version 2.1 and later: the SMTP server - response delay after a client has made more than - $smtpd_soft_error_limit errors, and fewer than - $smtpd_hard_error_limit errors, without delivering + response delay after a client has made more than + $smtpd_soft_error_limit errors, and fewer than + $smtpd_hard_error_limit errors, without delivering mail. smtpd_soft_error_limit (10) - The number of errors a remote SMTP client is - allowed to make without delivering mail before the + The number of errors a remote SMTP client is + allowed to make without delivering mail before the Postfix SMTP server slows down all its responses. smtpd_hard_error_limit (20) - The maximal number of errors a remote SMTP client + The maximal number of errors a remote SMTP client is allowed to make without delivering mail. smtpd_junk_command_limit (100) - The number of junk commands (NOOP, VRFY, ETRN or + The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote SMTP client can send before the - Postfix SMTP server starts to increment the error + Postfix SMTP server starts to increment the error counter with each junk command. 
Available in Postfix version 2.1 and later: smtpd_recipient_overshoot_limit (1000) - The number of recipients that a remote SMTP client - can send in excess of the limit specified with + The number of recipients that a remote SMTP client + can send in excess of the limit specified with $smtpd_recipient_limit, before the Postfix SMTP - server increments the per-session error count for + server increments the per-session error count for each excess recipient. ACCESS POLICY DELEGATION CONTROLS - As of version 2.1, Postfix can be configured to delegate - access policy decisions to an external server that runs - outside Postfix. See the file SMTPD_POLICY_README for + As of version 2.1, Postfix can be configured to delegate + access policy decisions to an external server that runs + outside Postfix. See the file SMTPD_POLICY_README for more information. smtpd_policy_service_max_idle (300s) - The time after which an idle SMTPD policy service + The time after which an idle SMTPD policy service connection is closed. smtpd_policy_service_max_ttl (1000s) 
@@ -761,161 +770,161 @@ SMTPD(8) SMTPD(8) connection is closed. smtpd_policy_service_timeout (100s) - The time limit for connecting to, writing to or + The time limit for connecting to, writing to or receiving from a delegated SMTPD policy server. ACCESS CONTROLS - The SMTPD_ACCESS_README document gives an introduction to + The SMTPD_ACCESS_README document gives an introduction to all the SMTP server access control features. smtpd_delay_reject (yes) - Wait until the RCPT TO command before evaluating + Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restric- tions and $smtpd_sender_restrictions, or wait until - the ETRN command before evaluating + the ETRN command before evaluating $smtpd_client_restrictions and $smtpd_helo_restric- tions. - parent_domain_matches_subdomains (see 'postconf -d' out- + parent_domain_matches_subdomains (see 'postconf -d' out- put) What Postfix features match subdomains of "domain.tld" automatically, instead of requiring an explicit ".domain.tld" pattern. smtpd_client_restrictions (empty) - Optional SMTP server access restrictions in the + Optional SMTP server access restrictions in the context of a client SMTP connection request. smtpd_helo_required (no) Require that a remote SMTP client introduces itself - at the beginning of an SMTP session with the HELO + at the beginning of an SMTP session with the HELO or EHLO command. smtpd_helo_restrictions (empty) - Optional restrictions that the Postfix SMTP server + Optional restrictions that the Postfix SMTP server applies in the context of the SMTP HELO command. smtpd_sender_restrictions (empty) - Optional restrictions that the Postfix SMTP server + Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command. 
smtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination) The access restrictions that the Postfix SMTP - server applies in the context of the RCPT TO com- + server applies in the context of the RCPT TO com- mand. smtpd_etrn_restrictions (empty) - Optional SMTP server access restrictions in the + Optional SMTP server access restrictions in the context of a client ETRN request. allow_untrusted_routing (no) - Forward mail with sender-specified routing - (user[@%!]remote[@%!]site) from untrusted clients + Forward mail with sender-specified routing + (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains. smtpd_restriction_classes (empty) - User-defined aliases for groups of access restric- + User-defined aliases for groups of access restric- tions. smtpd_null_access_lookup_key (<>) - The lookup key to be used in SMTP access(5) tables + The lookup key to be used in SMTP access(5) tables instead of the null sender address. permit_mx_backup_networks (empty) Restrict the use of the permit_mx_backup SMTP - access feature to only domains whose primary MX + access feature to only domains whose primary MX hosts match the listed networks. Available in Postfix version 2.0 and later: smtpd_data_restrictions (empty) - Optional access restrictions that the Postfix SMTP + Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP DATA com- mand. smtpd_expansion_filter (see 'postconf -d' output) - What characters are allowed in $name expansions of + What characters are allowed in $name expansions of RBL reply templates. 
Available in Postfix version 2.1 and later: smtpd_reject_unlisted_sender (no) - Request that the Postfix SMTP server rejects mail - from unknown sender addresses, even when no - explicit reject_unlisted_sender access restriction + Request that the Postfix SMTP server rejects mail + from unknown sender addresses, even when no + explicit reject_unlisted_sender access restriction is specified. smtpd_reject_unlisted_recipient (yes) - Request that the Postfix SMTP server rejects mail + Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no - explicit reject_unlisted_recipient access restric- + explicit reject_unlisted_recipient access restric- tion is specified. Available in Postfix version 2.2 and later: smtpd_end_of_data_restrictions (empty) - Optional access restrictions that the Postfix SMTP - server applies in the context of the SMTP END-OF- + Optional access restrictions that the Postfix SMTP + server applies in the context of the SMTP END-OF- DATA command. SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS - Postfix version 2.1 introduces sender and recipient - address verification. This feature is implemented by - sending probe email messages that are not actually deliv- - ered. This feature is requested via the reject_unveri- - fied_sender and reject_unverified_recipient access - restrictions. The status of verification probes is main- + Postfix version 2.1 introduces sender and recipient + address verification. This feature is implemented by + sending probe email messages that are not actually deliv- + ered. This feature is requested via the reject_unveri- + fied_sender and reject_unverified_recipient access + restrictions. The status of verification probes is main- tained by the verify(8) server. See the file ADDRESS_VER- - IFICATION_README for information about how to configure + IFICATION_README for information about how to configure and operate the Postfix sender/recipient address verifica- tion service. 
address_verify_poll_count (3) - How many times to query the verify(8) service for - the completion of an address verification request + How many times to query the verify(8) service for + the completion of an address verification request in progress. address_verify_poll_delay (3s) - The delay between queries for the completion of an + The delay between queries for the completion of an address verification request in progress. address_verify_sender (postmaster) - The sender address to use in address verification + The sender address to use in address verification probes. unverified_sender_reject_code (450) - The numerical Postfix SMTP server response code - when a recipient address is rejected by the + The numerical Postfix SMTP server response code + when a recipient address is rejected by the reject_unverified_sender restriction. unverified_recipient_reject_code (450) - The numerical Postfix SMTP server response when a + The numerical Postfix SMTP server response when a recipient address is rejected by the reject_unveri- fied_recipient restriction. ACCESS CONTROL RESPONSES - The following parameters control numerical SMTP reply + The following parameters control numerical SMTP reply codes and/or text responses. access_map_reject_code (554) - The numerical Postfix SMTP server response code - when a client is rejected by an access(5) map + The numerical Postfix SMTP server response code + when a client is rejected by an access(5) map restriction. defer_code (450) - The numerical Postfix SMTP server response code - when a remote SMTP client request is rejected by + The numerical Postfix SMTP server response code + when a remote SMTP client request is rejected by the "defer" restriction. 
invalid_hostname_reject_code (501) - The numerical Postfix SMTP server response code - when the client HELO or EHLO command parameter is - rejected by the reject_invalid_helo_hostname + The numerical Postfix SMTP server response code + when the client HELO or EHLO command parameter is + rejected by the reject_invalid_helo_hostname restriction. maps_rbl_reject_code (554) - The numerical Postfix SMTP server response code + The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_rbl_client, reject_rhsbl_client, reject_rhsbl_sender or reject_rhsbl_recipient 
@@ -923,53 +932,53 @@ SMTPD(8) SMTPD(8) non_fqdn_reject_code (504) The numerical Postfix SMTP server reply code when a - client request is rejected by the + client request is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction. plaintext_reject_code (450) - The numerical Postfix SMTP server response code - when a request is rejected by the reject_plain- + The numerical Postfix SMTP server response code + when a request is rejected by the reject_plain- text_session restriction. reject_code (554) - The numerical Postfix SMTP server response code - when a remote SMTP client request is rejected by + The numerical Postfix SMTP server response code + when a remote SMTP client request is rejected by the "reject" restriction. relay_domains_reject_code (554) - The numerical Postfix SMTP server response code - when a client request is rejected by the + The numerical Postfix SMTP server response code + when a client request is rejected by the reject_unauth_destination recipient restriction. unknown_address_reject_code (450) - The numerical Postfix SMTP server response code - when a sender or recipient address is rejected by + The numerical Postfix SMTP server response code + when a sender or recipient address is rejected by the reject_unknown_sender_domain or reject_unknown_recipient_domain restriction. unknown_client_reject_code (450) - The numerical Postfix SMTP server response code - when a client without valid address <=> name map- + The numerical Postfix SMTP server response code + when a client without valid address <=> name map- ping is rejected by the reject_unknown_client_host- name restriction. 
unknown_hostname_reject_code (450) - The numerical Postfix SMTP server response code - when the hostname specified with the HELO or EHLO - command is rejected by the + The numerical Postfix SMTP server response code + when the hostname specified with the HELO or EHLO + command is rejected by the reject_unknown_helo_hostname restriction. Available in Postfix version 2.0 and later: default_rbl_reply (see 'postconf -d' output) - The default SMTP server response template for a - request that is rejected by an RBL-based restric- + The default SMTP server response template for a + request that is rejected by an RBL-based restric- tion. multi_recipient_bounce_reject_code (550) - The numerical Postfix SMTP server response code + The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_multi_recipient_bounce restriction. @@ -978,16 +987,16 @@ SMTPD(8) SMTPD(8) MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. command_directory (see 'postconf -d' output) - The location of all postfix administrative com- + The location of all postfix administrative com- mands. double_bounce_sender (double-bounce) 
@@ -1008,36 +1017,36 @@ SMTPD(8) SMTPD(8) and most Postfix daemon processes. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for the next service request + The maximum amount of time that an idle Postfix + daemon process waits for the next service request before exiting. max_use (100) - The maximal number of connection requests before a + The maximal number of connection requests before a Postfix daemon process terminates. myhostname (see 'postconf -d' output) The internet hostname of this mail system. mynetworks (see 'postconf -d' output) - The list of "trusted" SMTP clients that have more + The list of "trusted" SMTP clients that have more privileges than "strangers". myorigin ($myhostname) The domain name that locally-posted mail appears to - come from, and that locally posted mail is deliv- + come from, and that locally posted mail is deliv- ered to. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. recipient_delimiter (empty) 
@@ -1045,22 +1054,22 @@ SMTPD(8) SMTPD(8) sions (user+foo). smtpd_banner ($myhostname ESMTP $mail_name) - The text that follows the 220 status code in the + The text that follows the 220 status code in the SMTP greeting banner. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". Available in Postfix version 2.2 and later: smtpd_forbidden_commands (CONNECT, GET, POST) - List of commands that causes the Postfix SMTP - server to immediately terminate the session with a + List of commands that causes the Postfix SMTP + server to immediately terminate the session with a 221 code. SEE ALSO @@ -1090,7 +1099,7 @@ SMTPD(8) SMTPD(8) XFORWARD_README, Postfix XFORWARD extension LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 3a75dc5ed..f024a3df5 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -4884,9 +4884,9 @@ example.net secure match=example.com:.example.com .PP This feature is available in Postfix 2.3 and later. .SH smtp_tls_security_level (default: empty) -The default SMTP TLS security level for all destinations; when -a non-empty value is specified, this overrides the obsolete parameters -smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. +The default SMTP TLS security level for the Postfix SMTP client; +when a non-empty value is specified, this overrides the obsolete +parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. .PP Specify one of the following security levels: .IP "\fBnone\fR" 
@@ -5621,19 +5621,20 @@ This feature is available in Postfix 2.2 and later. .PP See smtpd_data_restrictions for syntax details. .SH smtpd_enforce_tls (default: no) -Enforcement mode: announce STARTTLS support to SMTP clients, +Mandatory TLS: announce STARTTLS support to SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. This option is off by default and should be used only on dedicated servers. .PP -Note 1: this mode implies "smtpd_tls_auth_only = yes". +Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes". .PP Note 2: when invoked via "\fBsendmail -bs\fR", Postfix will never offer STARTTLS due to insufficient privileges to access the server private key. This is intended behavior. .PP -This feature is available in Postfix 2.2 and later. +This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtpd_tls_security_level instead. .SH smtpd_error_sleep_time (default: 1s) With Postfix version 2.1 and later: the SMTP server response delay after a client has made more than $smtpd_soft_error_limit errors, and 
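Review bot: the deprecation sentence added to smtpd_enforce_tls ("With Postfix 2.3 and later use smtpd_tls_security_level instead") should name the equivalent level, because the new parameter takes three values and only "encrypt" reproduces mandatory-TLS behaviour; suggest "With Postfix 2.3 and later use "smtpd_tls_security_level = encrypt" instead", and likewise "= may" in the smtpd_use_tls entry. Since postconf.5 is generated from postconf.proto (the same sentence appears in the %PARAM smtpd_enforce_tls and %PARAM smtpd_use_tls blocks of that file in this patch), the change belongs in the proto text as well.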
@@ -6470,15 +6471,15 @@ able to authenticate the server, but unless it is running Postfix 2.3 or similar software, it will still insist on a server certificate. .PP For servers that are \fBnot\fR public Internet MX hosts, Postfix -2.3 supports configurations with no certificates. This entails the use -of just the anonymous TLS ciphers, which are not supported by typical -SMTP clients. Since such clients will not, as a rule, fall back to plain -text after a TLS handshake failure, the server will be unable to receive -email from TLS enabled clients. To avoid accidental configurations with -no certificates, Postfix 2.3 enables certificate-less operation only -when the administrator explicitly sets "smtpd_tls_cert_file = none". This -ensures that new Postfix configurations with just "smtpd_use_tls = yes" -added, will not accidentally run with no certificates. +2.3 supports configurations with no certificates. This entails the +use of just the anonymous TLS ciphers, which are not supported by +typical SMTP clients. Since such clients will not, as a rule, fall +back to plain text after a TLS handshake failure, the server will +be unable to receive email from TLS enabled clients. To avoid +accidental configurations with no certificates, Postfix 2.3 enables +certificate-less operation only when the administrator explicitly +sets "smtpd_tls_cert_file = none". This ensures that new Postfix +configurations will not accidentally run with no certificates. .PP Both RSA and DSA certificates are supported. When both types are present, the cipher used determines which certificate will be 
@@ -6723,17 +6724,15 @@ loglevel 4 is strongly discouraged. .PP This feature is available in Postfix 2.2 and later. .SH smtpd_tls_protocols (default: empty) -The list of TLS protocols supported by the server. If empty the -default list of protocols is used (i.e. all TLS protocol versions are -supported). Any non-empty value is interpreted as a list of protocol -names separated by whitespace, commas or colons. The supported protocol -names are "SSLv2", "SSLv3" and "TLSv1", and are not -case-sensitive. +The list of TLS protocols supported by the Postfix SMTP server. +If the list is empty, the server supports all available TLS protocol +versions. A non-empty value is a list of protocol names separated +by whitespace, commas or colons. The supported protocol names are +"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. .PP -DO NOT set this to a non-default value on an MX-host, -as some clients may not support any of the narrower set of protocols, -and may be unable to fallback to plaintext sessions. If you restrict -the protocol list on an MX host, you may lose mail. +DO NOT set this to a non-default value on an Internet MX host, +as this may cause inter-operability problems. If you restrict the +protocol list on an Internet MX host, you may lose mail. .PP Example: .PP 
@@ -6764,6 +6763,37 @@ When TLS encryption is optional, this setting is ignored with a warning written to the mail log. .PP This feature is available in Postfix 2.2 and later. +.SH smtpd_tls_security_level (default: empty) +The SMTP TLS security level for the Postfix SMTP server; when +a non-empty value is specified, this overrides the obsolete parameters +smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with +"smtpd_tls_wrappermode = yes". +.PP +Specify one of the following security levels: +.IP "\fBnone\fR" +TLS will not be used. +.IP "\fBmay\fR" +Opportunistic TLS: announce STARTTLS support +to SMTP clients, but do not require that clients use TLS encryption. +.IP "\fBencrypt\fR" +Mandatory TLS encryption: announce +STARTTLS support to SMTP clients, and require that clients use TLS +encryption. According to RFC 2487 this MUST NOT be applied in case +of a publicly-referenced SMTP server. Instead, this option should +be used only on dedicated servers. +.PP +Note 1: the "verify" and "secure" levels are not supported. +The Postfix SMTP server logs a warning and uses "encrypt" instead. +To verify SMTP client certificates, see TLS_README for a discussion +of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts +features. +.PP +Note 2: The parameter setting "smtpd_tls_security_level = +encrypt" implies "smtpd_tls_auth_only = yes". +.PP +Note 3: when invoked via "sendmail -bs", Postfix will never +offer STARTTLS due to insufficient privileges to access the server +private key. This is intended behavior. .SH smtpd_tls_session_cache_database (default: empty) Name of the file containing the optional Postfix SMTP server TLS session cache. Specify a database type that supports enumeration, 
@@ -6812,14 +6842,15 @@ purpose. .PP This feature is available in Postfix 2.2 and later. .SH smtpd_use_tls (default: no) -Opportunistic mode: announce STARTTLS support to SMTP clients, +Opportunistic TLS: announce STARTTLS support to SMTP clients, but do not require that clients use TLS encryption. .PP Note: when invoked via "\fBsendmail -bs\fR", Postfix will never offer STARTTLS due to insufficient privileges to access the server private key. This is intended behavior. .PP -This feature is available in Postfix 2.2 and later. +This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtpd_tls_security_level instead. .SH soft_bounce (default: no) Safety net to keep mail queued that would otherwise be returned to the sender. This parameter disables locally-generated bounces, diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index 2facc965f..cdb5fb019 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -286,9 +286,9 @@ for authentication. Detailed information about STARTTLS configuration may be found in the TLS_README document. .IP "\fBsmtp_tls_security_level (empty)\fR" -The default SMTP TLS security level for all destinations; when -a non-empty value is specified, this overrides the obsolete parameters -smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. +The default SMTP TLS security level for the Postfix SMTP client; +when a non-empty value is specified, this overrides the obsolete +parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. .IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR" The SASL authentication security options that the Postfix SMTP client uses for TLS encrypted SMTP sessions. diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 4a2d1fe37..75f17799c 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 
@@ -295,10 +295,10 @@ for authentication. Detailed information about STARTTLS configuration may be found in the TLS_README document. .IP "\fBsmtpd_use_tls (no)\fR" -Opportunistic mode: announce STARTTLS support to SMTP clients, +Opportunistic TLS: announce STARTTLS support to SMTP clients, but do not require that clients use TLS encryption. .IP "\fBsmtpd_enforce_tls (no)\fR" -Enforcement mode: announce STARTTLS support to SMTP clients, +Mandatory TLS: announce STARTTLS support to SMTP clients, and require that clients use TLS encryption. .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR" The SASL authentication security options that the Postfix SMTP @@ -342,7 +342,7 @@ File with the Postfix SMTP server RSA private key in PEM format. .IP "\fBsmtpd_tls_loglevel (0)\fR" Enable additional Postfix SMTP server logging of TLS activity. .IP "\fBsmtpd_tls_protocols (empty)\fR" -The list of TLS protocols supported by the server. +The list of TLS protocols supported by the Postfix SMTP server. .IP "\fBsmtpd_tls_received_header (no)\fR" Request that the Postfix SMTP server produces Received: message headers that include information about the protocol and cipher used, @@ -364,6 +364,12 @@ instead of using the STARTTLS command. The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) process requests from the \fBtlsmgr\fR(8) server in order to seed its internal pseudo random number generator (PRNG). +.PP +Available in Postfix version 2.3 and later: +.IP "\fBsmtpd_tls_security_level (empty)\fR" +The SMTP TLS security level for the Postfix SMTP server; when +a non-empty value is specified, this overrides the obsolete parameters +smtpd_use_tls and smtpd_enforce_tls. .IP "\fBtls_high_cipherlist (!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)\fR" The OpenSSL cipherlist for "HIGH" grade ciphers. .IP "\fBtls_medium_cipherlist (!EXPORT:!LOW:ALL:+RC4:@STRENGTH)\fR" 
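Review bot: the new "Available in Postfix version 2.3 and later:" section in the @@ -364 hunk is added directly to the generated man page smtpd.8, while the parallel smtp.8 change in this patch is also carried in the prologue comment of src/smtp/smtp.c (see the @@ -256 hunk there); if src/smtpd/smtpd.c's prologue is not updated the same way, the smtpd.8 addition will be lost at the next regeneration. Suggest confirming the smtpd.c prologue carries the same .IP entry.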
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 5d4c6edd0..cebb2798b 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -566,6 +566,7 @@ while (<>) { s;\bsmtpd_tls_dh512_param_file\b;$&;g; s;\bsmtpd_tls_dkey_file\b;$&;g; s;\bsmtpd_tls_key_file\b;$&;g; + s;\bsmtpd_tls_security_level\b;$&;g; s;\bsmtpd_tls_loglevel\b;$&;g; s;\bsmtpd_tls_protocols\b;$&;g; s;\bsmtpd_tls_received_header\b;$&;g; diff --git a/postfix/proto/INSTALL.html b/postfix/proto/INSTALL.html index 22a5e1446..02335fdb6 100644 --- a/postfix/proto/INSTALL.html +++ b/postfix/proto/INSTALL.html @@ -156,7 +156,7 @@ OPENSTEP 4.xOpportunistic mode: announce STARTTLS support to SMTP clients, +
Opportunistic TLS: announce STARTTLS support to SMTP clients, but do not require that clients use TLS encryption.
Note: when invoked via "sendmail -bs", Postfix will never offer STARTTLS due to insufficient privileges to access the server private key. This is intended behavior.
-This feature is available in Postfix 2.2 and later.
+This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtpd_tls_security_level instead.
OSF1.V3 - OSF1.V5 (Digital UNIX)
Reliant UNIX 5.x
Rhapsody 5.x
-SunOS 4.1.4 (December 2005)
+SunOS 4.1.4 (July 2006)
SunOS 5.4 - 5.9 (Solaris 2.4..9)
Ultrix 4.x (well, that was long ago)
diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html index 8a17a9623..d4b5f73da 100644 --- a/postfix/proto/TLS_README.html +++ b/postfix/proto/TLS_README.html @@ -248,8 +248,7 @@ be unable to receive email from most TLS enabled clients. To avoid accidental configurations with no certificates, Postfix 2.3 enables certificate-less operation only when the administrator explicitly sets "smtpd_tls_cert_file = none". This ensures that new Postfix -configurations with just "smtpd_use_tls = yes" added, will -not accidentally run with no certificates. +configurations will not accidentally run with no certificates.Both RSA and DSA certificates are supported. Typically you will only have RSA certificates issued by a commercial CA. In addition, @@ -437,13 +436,18 @@ since the headers may be changed by intermediate servers.
By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix is visible. Explicitly switch it on -using "smtpd_use_tls = yes".
+with "smtpd_tls_security_level = may" (Postfix 2.3 and +later) or "smtpd_use_tls = yes" (obsolete but still +supported).Example:
@@ -456,18 +460,23 @@ SMTP clients, but does not require that clients use TLS encryption. is never offered due to insufficient privileges to access the server private key. This is intended behavior. -/etc/postfix/main.cf: + # Postfix 2.3 and later + smtpd_tls_security_level = may + # Obsolete, but still supported smtpd_use_tls = yesYou can ENFORCE the use of TLS, so that -the Postfix SMTP server announces STARTTLS and accepts no mail without -TLS encryption, by setting "smtpd_enforce_tls = yes". According -to RFC 2487 this MUST NOT be applied in case of a publicly-referenced -Postfix SMTP server. This option is off by default and should only -seldom be used.
+You can ENFORCE the use of TLS, +so that the Postfix SMTP server announces STARTTLS and accepts no +mail without TLS encryption, by setting +"smtpd_tls_security_level = encrypt" (Postfix 2.3 and +later) or "smtpd_enforce_tls = yes" (obsolete but still +supported). According to RFC 2487 this MUST NOT be applied in case +of a publicly-referenced Postfix SMTP server. This option is off +by default and should only seldom be used.
Example:
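Review bot: the rewritten main.cf example in the @@ -456 hunk lists "smtpd_tls_security_level = may" and "smtpd_use_tls = yes" together in one block, while the prose just above presents them as alternatives ("... or ..."); a reader copying the block sets both, and because a non-empty security level overrides the obsolete parameter, the second line becomes dead configuration that can mask a later edit to it. Suggest presenting the two as clearly separate alternatives, or stating that only one of them is needed. The same layout is used in the later examples at @@ -517, @@ -534, @@ -556 and @@ -1257.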
@@ -517,8 +526,11 @@ when the server is configured to ask for client certificates./etc/postfix/main.cf: + # Postfix 2.3 and later + smtpd_tls_security_level = encrypt + # Obsolete, but still supported smtpd_enforce_tls = yes@@ -534,8 +546,11 @@ logged./etc/postfix/main.cf: - smtpd_use_tls = yes smtpd_tls_ask_ccert = yes + # Postfix 2.3 and later + smtpd_tls_security_level = may + # Obsolete, but still supported + smtpd_use_tls = yes@@ -556,15 +571,18 @@ CA issues special CA which then issues the actual certificate...)/etc/postfix/main.cf: - smtpd_enforce_tls = yes smtpd_tls_req_ccert = yes + # Postfix 2.3 and later + smtpd_tls_security_level = encrypt + # Obsolete, but still supported + smtpd_enforce_tls = yesSupporting AUTH over TLS only
-Sending AUTH data over an unencrypted channel poses a security risk. -When TLS layer encryption is required (smtpd_enforce_tls = yes), -the Postfix SMTP server will announce and accept AUTH only -after the TLS layer has been activated with STARTTLS. When TLS -layer encryption is optional (smtpd_enforce_tls = no), it may -however still be useful to only offer AUTH when TLS is active. To -maintain compatibility with non-TLS clients, the default is to -accept AUTH without encryption. In order to change this behavior, -set "smtpd_tls_auth_only = yes".
+Sending AUTH data over an unencrypted channel poses a security +risk. When TLS layer encryption is required +("smtpd_tls_security_level = encrypt" or the obsolete +"smtpd_enforce_tls = yes"), the Postfix SMTP server will +announce and accept AUTH only after the TLS layer has been activated +with STARTTLS. When TLS layer encryption is optional +("smtpd_tls_security_level = may" or the obsolete +"smtpd_enforce_tls = no"), it may however still be useful +to only offer AUTH when TLS is active. To maintain compatibility +with non-TLS clients, the default is to accept AUTH without encryption. +In order to change this behavior, set +"smtpd_tls_auth_only = yes".
Example:
@@ -715,12 +733,14 @@ and not specifying an smtpd_tls_dcert_file.@@ -1257,12 +1277,12 @@ on TLS limitations above./etc/postfix/main.cf: - smtpd_use_tls = yes - smtpd_enforce_tls = yes smtpd_tls_cert_file = /etc/postfix/cert.pem smtpd_tls_key_file = /etc/postfix/key.pem smtpd_tls_ciphers = medium smtpd_tls_exclude_ciphers = aNULL, MD5 + # Postfix 2.3 and later + smtpd_tls_security_level = encrypt + # Obsolete, but still supported + smtpd_enforce_tls = yesAt the "encrypt" TLS security level, messages are sent only over TLS encrypted sessions. The SMTP transaction is aborted unless -the STARTTLS ESMTP feature is supported by the server. If no -suitable servers are found, the message will be deferred. With Postfix -2.3 and later, mandatory TLS encryption can be configured by setting -"smtp_tls_security_level = encrypt". Even though TLS encryption -is always used, mail delivery continues if the server certificate is -untrusted or bears the wrong name.
+the STARTTLS ESMTP feature is supported by the server. If no suitable +servers are found, the message will be deferred. With Postfix 2.3 +and later, mandatory TLS encryption can be configured by setting +"smtp_tls_security_level = encrypt". Even though TLS +encryption is always used, mail delivery continues if the server +certificate is untrusted or bears the wrong name.At this security level and higher, the smtp_tls_mandatory_protocols and smtp_tls_mandatory_ciphers configuration parameters determine @@ -1382,15 +1402,15 @@ use the new policy table instead.
Mandatory server certificate verification
-At the "verify" TLS security level, messages are sent only -over TLS encrypted sessions for which server certificate verification -succeeds. If no suitable servers are found, the message will be -deferred. With Postfix 2.3 and later, mandatory server certificate -verification can be configured by setting -"smtp_tls_security_level = verify", the +
At the "verify" TLS security level, messages are sent only over +TLS encrypted sessions if the server certificate is valid (not +expired or revoked, and signed by a trusted certificate authority) +and if the server certificate name matches a known pattern. Mandatory +server certificate verification can be configured by setting +"smtp_tls_security_level = verify". The smtp_tls_verify_cert_match parameter can override the default -"hostname" certificate match strategy. Fine-tuning the matching -strategy is generally only appropriate for secure-channel destinations.
With Postfix 2.2 and earlier, or when smtp_tls_security_level @@ -1676,33 +1696,51 @@ describe the corresponding table syntax:
Opportunistic TLS. No additional attributes are supported at this level. -encrypt Mandatory TLS encryption. At this level and -higher the optional "ciphers" attribute overrides the main.cf -smtp_tls_mandatory_ciphers parameter and the optional "protocols" -keyword overrides the main.cf smtp_tls_mandatory_protocols parameter. -In the policy table, multiple protocols must be separated by colons, -as attribute values may not contain whitespace or commas. +encrypt Mandatory TLS encryption. Mail is +delivered only if remote SMTP server offers STARTTLS and the TLS +handshake succeeds. At this level and higher the optional "ciphers" +attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter +and the optional "protocols" keyword overrides the main.cf +smtp_tls_mandatory_protocols parameter. -verify -Mandatory server certificate verification. The optional "match" -attribute overrides the main.cf smtp_tls_verify_cert_match parameter. -In the policy table, multiple match patterns and strategies must -be separated by colons. +verify Mandatory server certificate verification. +Mail is delivered only if the TLS handshake succeeds, if the server +certificate can be validated (not expired or revoked, and signed +by a trusted certificate authority), and if the server certificate +name matches the optional "match" attribute (or the main.cf +smtp_tls_verify_cert_match parameter value when no optional "match" +attribute is specified). -secure Secure-channel TLS. The optional "match" -attribute overrides the main.cf smtp_tls_secure_cert_match parameter. In -the policy table, multiple match patterns and strategies must be separated -by colons. The match attribute is useful when additional domains are -supported by common server, the policy entries for the additional domains -specify matching rules for the primary domain certificate. 
While transport -table overrides routing secondary domains to the primary nexthop also -allow secure verification, they risk delivery to the wrong destination -when domains change hands or are re-assigned to new gateways. With the -"match" attribute approach, routing is not perturbed, and mail is deferred -if verification of a new MX host fails. +secure Secure-channel TLS. Mail is delivered +only if the TLS handshake succeeds, if the server certificate can +be validated (not expired or revoked, and signed by a trusted +certificate authority), and if the server certificate name matches +the optional "match" attribute (or the main.cf smtp_tls_secure_cert_match +parameter value when no optional "match" attribute is specified). + +Notes:
+ ++ +
+The "match" attribute is especially useful to verify TLS +certificates for domains that are hosted on a shared server. In +that case, specify "match" rules for the shared server's name. +While secure verification can also be achieved with manual routing +overrides in Postfix transport(5) tables, that approach can deliver +mail to the wrong host when domains are assigned to new gateway +hosts. The "match" attribute approach avoids the problems of manual +routing overrides; mail is deferred if verification of a new MX +host fails.
+ +When a policy table entry specifies multiple match patterns, +multiple match strategies, or multiple protocols, these must be +separated by colons.
+ +Example:
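Review bot: the new "verify" and "secure" descriptions in this hunk say the server certificate is checked to be "not expired or revoked"; nothing in this patch adds a CRL or OCSP lookup, so unless the SMTP client already performs revocation checking that wording promises more than the "verify" level delivers. Suggest dropping "or revoked" or stating which revocation data is consulted, since an administrator choosing "secure" for a sensitive destination will read that sentence as the guarantee.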
@@ -2238,18 +2276,22 @@ but don't require them from all clients.diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 1b0de24cb..19233b2e3 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto 
@@ -8068,15 +8068,15 @@ able to authenticate the server, but unless it is running Postfix 2.3 or similar software, it will still insist on a server certificate.-smtp_tls_CAfile = /etc/postfix/cacert.pem -smtp_tls_session_cache_database = - btree:/var/spool/postfix/smtp_tls_session_cache -smtp_use_tls = yes -smtpd_tls_CAfile = /etc/postfix/cacert.pem -smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem -smtpd_tls_key_file = /etc/postfix/FOO-key.pem -smtpd_tls_received_header = yes -smtpd_tls_session_cache_database = - btree:/var/spool/postfix/smtpd_tls_session_cache -smtpd_use_tls = yes -tls_random_source = dev:/dev/urandom +/etc/postfix/main.cf: + smtp_tls_CAfile = /etc/postfix/cacert.pem + smtp_tls_session_cache_database = + btree:/var/spool/postfix/smtp_tls_session_cache + smtp_use_tls = yes + smtpd_tls_CAfile = /etc/postfix/cacert.pem + smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem + smtpd_tls_key_file = /etc/postfix/FOO-key.pem + smtpd_tls_received_header = yes + smtpd_tls_session_cache_database = + btree:/var/spool/postfix/smtpd_tls_session_cache + tls_random_source = dev:/dev/urandom + # Postfix 2.3 and later + smtpd_tls_security_level = may + # Obsolete, but still supported + smtpd_use_tls = yesFor servers that are not public Internet MX hosts, Postfix -2.3 supports configurations with no certificates. This entails the use -of just the anonymous TLS ciphers, which are not supported by typical -SMTP clients. Since such clients will not, as a rule, fall back to plain -text after a TLS handshake failure, the server will be unable to receive -email from TLS enabled clients. To avoid accidental configurations with -no certificates, Postfix 2.3 enables certificate-less operation only -when the administrator explicitly sets "smtpd_tls_cert_file = none". This -ensures that new Postfix configurations with just "smtpd_use_tls = yes" -added, will not accidentally run with no certificates.
+2.3 supports configurations with no certificates. This entails the +use of just the anonymous TLS ciphers, which are not supported by +typical SMTP clients. Since such clients will not, as a rule, fall +back to plain text after a TLS handshake failure, the server will +be unable to receive email from TLS enabled clients. To avoid +accidental configurations with no certificates, Postfix 2.3 enables +certificate-less operation only when the administrator explicitly +sets "smtpd_tls_cert_file = none". This ensures that new Postfix +configurations will not accidentally run with no certificates.Both RSA and DSA certificates are supported. When both types are present, the cipher used determines which certificate will be @@ -8225,30 +8225,32 @@ that was recorded by the final destination can be trusted.
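Review bot: the main.cf example rewritten in the @@ -8068 hunk moves the server side to "smtpd_tls_security_level = may" but leaves the client side on the obsolete "smtp_use_tls = yes", even though this file now documents smtp_tls_security_level as the replacement (@@ -9794). Suggest "smtp_tls_security_level = may" with the same "# Postfix 2.3 and later" / "# Obsolete, but still supported" pairing, so the example does not teach one convention for smtpd and another for smtp.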
%PARAM smtpd_use_tls no -Opportunistic mode: announce STARTTLS support to SMTP clients, +
Opportunistic TLS: announce STARTTLS support to SMTP clients, but do not require that clients use TLS encryption.
Note: when invoked via "sendmail -bs", Postfix will never offer STARTTLS due to insufficient privileges to access the server private key. This is intended behavior.
-This feature is available in Postfix 2.2 and later.
+This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtpd_tls_security_level instead.
%PARAM smtpd_enforce_tls no -Enforcement mode: announce STARTTLS support to SMTP clients, +
Mandatory TLS: announce STARTTLS support to SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. This option is off by default and should be used only on dedicated servers.
-Note 1: this mode implies "smtpd_tls_auth_only = yes".
+Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
Note 2: when invoked via "sendmail -bs", Postfix will never offer STARTTLS due to insufficient privileges to access the server private key. This is intended behavior.
-This feature is available in Postfix 2.2 and later.
+This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtpd_tls_security_level instead.
%PARAM smtpd_tls_wrappermode no @@ -9772,17 +9774,15 @@ configuration parameter. See there for details. %PARAM smtpd_tls_protocols -The list of TLS protocols supported by the server. If empty the -default list of protocols is used (i.e. all TLS protocol versions are -supported). Any non-empty value is interpreted as a list of protocol -names separated by whitespace, commas or colons. The supported protocol -names are "SSLv2", "SSLv3" and "TLSv1", and are not -case-sensitive.
+The list of TLS protocols supported by the Postfix SMTP server. +If the list is empty, the server supports all available TLS protocol +versions. A non-empty value is a list of protocol names separated +by whitespace, commas or colons. The supported protocol names are +"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
-DO NOT set this to a non-default value on an MX-host, -as some clients may not support any of the narrower set of protocols, -and may be unable to fallback to plaintext sessions. If you restrict -the protocol list on an MX host, you may lose mail.
+DO NOT set this to a non-default value on an Internet MX host, +as this may cause inter-operability problems. If you restrict the +protocol list on an Internet MX host, you may lose mail.
Example:
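Review bot: the reworded warning in the smtpd_tls_protocols hunk replaces the concrete failure mode ("some clients may not support any of the narrower set of protocols, and may be unable to fallback to plaintext sessions") with the generic "this may cause inter-operability problems"; the removed clause is what tells an administrator why restricting protocols on an MX host loses mail rather than merely degrading it, and the certificate-less paragraph elsewhere in this patch relies on the same no-plaintext-fallback behaviour. Suggest keeping one sentence about the missing plaintext fallback in the new text.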
@@ -9794,9 +9794,10 @@ smtpd_tls_protocols = SSLv3, TLSv1 %PARAM smtp_tls_security_level -The default SMTP TLS security level for all destinations; when -a non-empty value is specified, this overrides the obsolete parameters -smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+The default SMTP TLS security level for the Postfix SMTP client; +when a non-empty value is specified, this overrides the obsolete +parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. +
Specify one of the following security levels:
@@ -10360,3 +10361,41 @@ login/password information for that server. configuration parameter. See there for details.This feature is available in Postfix 2.3 and later.
+ +%PARAM smtpd_tls_security_level + +The SMTP TLS security level for the Postfix SMTP server; when +a non-empty value is specified, this overrides the obsolete parameters +smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with +"smtpd_tls_wrappermode = yes".
+ +Specify one of the following security levels:
+ ++ +
+ +- none
- TLS will not be used.
+ +- may
- Opportunistic TLS: announce STARTTLS support +to SMTP clients, but do not require that clients use TLS encryption. +
+ +- encrypt
- Mandatory TLS encryption: announce +STARTTLS support to SMTP clients, and require that clients use TLS +encryption. According to RFC 2487 this MUST NOT be applied in case +of a publicly-referenced SMTP server. Instead, this option should +be used only on dedicated servers.
+ +Note 1: the "verify" and "secure" levels are not supported. +The Postfix SMTP server logs a warning and uses "encrypt" instead. +To verify SMTP client certificates, see TLS_README for a discussion +of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts +features.
+ +Note 2: The parameter setting "smtpd_tls_security_level = +encrypt" implies "smtpd_tls_auth_only = yes".
+ +Note 3: when invoked via "sendmail -bs", Postfix will never +offer STARTTLS due to insufficient privileges to access the server +private key. This is intended behavior.
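Review bot: Note 1 of the new smtpd_tls_security_level text says "verify" and "secure" make the server log a warning and use "encrypt" instead; that is a fail-open for an administrator who knows the client-side level names and expects client certificates to be checked, since the only evidence is a log line and mail is still accepted without any client certificate. Suggest treating these two values as a fatal configuration error for the SMTP server, or at least stating in the parameter description itself (not only in Note 1) that client certificate verification is controlled by smtpd_tls_ask_ccert and smtpd_tls_req_ccert. Also, "Instead, this option should be used only on dedicated servers" reads oddly after "MUST NOT be applied"; the smtpd_enforce_tls wording "This option is off by default and should be used only on dedicated servers" is clearer.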
diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c index f675c34a7..f5d49c102 100644 --- a/postfix/src/cleanup/cleanup_milter.c +++ b/postfix/src/cleanup/cleanup_milter.c @@ -1178,6 +1178,10 @@ static const char *cleanup_repl_body(void *context, VSTRING *body) { const char *myname = "cleanup_repl_body"; + /* + * XXX Sendmail compatibility: milters don't see the first body line, so + * don't expect they will send one. + */ msg_panic("%s: message body replace operation is not implemented", myname); } diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 44d6738e9..73a12a195 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1091,6 +1091,10 @@ extern char *var_smtpd_forbid_cmds; #define DEF_SMTPD_TLS_WRAPPER 0 extern bool var_smtpd_tls_wrappermode; +#define VAR_SMTPD_TLS_LEVEL "smtpd_tls_security_level" +#define DEF_SMTPD_TLS_LEVEL "" +extern char *var_smtpd_tls_level; + #define VAR_SMTPD_USE_TLS "smtpd_use_tls" #define DEF_SMTPD_USE_TLS 0 extern bool var_smtpd_use_tls; diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 996bdf5c1..ba8d07ea0 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20060707" -#define MAIL_VERSION_NUMBER "2.3-RC8" +#define MAIL_RELEASE_DATE "20060709" +#define MAIL_VERSION_NUMBER "2.3-RC9" #define VAR_MAIL_VERSION "mail_version" #define DEF_MAIL_VERSION MAIL_VERSION_NUMBER diff --git a/postfix/src/milter/milter8.c b/postfix/src/milter/milter8.c index bf0753f7e..c2df1b732 100644 --- a/postfix/src/milter/milter8.c +++ b/postfix/src/milter/milter8.c 
@@ -1886,7 +1886,8 @@ static void milter8_disc_event(MILTER *m) typedef struct { MILTER8 *milter; /* milter client */ ARGV *macros; /* end-of-body macros */ - int hdr_count; /* header counter */ + int first_header; /* first header */ + int first_body; /* first body line */ const char *resp; /* milter application response */ } MILTER_MSG_CONTEXT; @@ -1916,8 +1917,10 @@ static void milter8_header(void *ptr, int unused_header_class, * dk-filter signature will be inserted at the wrong position. It should * precede the headers that it signs. */ - if (msg_ctx->hdr_count++ == 0) + if (msg_ctx->first_header) { + msg_ctx->first_header = 0; return; + } /* * Sendmail 8 sends multi-line headers as text separated by newline. @@ -1982,6 +1985,14 @@ static void milter8_body(void *ptr, int rec_type, ssize_t space; ssize_t count; + /* + * XXX Sendmail compatibility: don't expose our first body line. + */ + if (msg_ctx->first_body) { + msg_ctx->first_body = 0; + return; + } + /* * XXX I thought I was going to delegate all the on-the-wire formatting * to a common lower layer, but unfortunately it's not practical. If we @@ -2082,7 +2093,8 @@ static const char *milter8_message(MILTER *m, VSTREAM *qfile, } msg_ctx.milter = milter; msg_ctx.macros = macros; - msg_ctx.hdr_count = 0; + msg_ctx.first_header = 1; + msg_ctx.first_body = 1; msg_ctx.resp = 0; mime_state = mime_state_alloc(MIME_OPT_DISABLE_MIME, diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index a7f5bdd5c..103cbb95f 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c 
@@ -256,9 +256,9 @@ /* Detailed information about STARTTLS configuration may be found /* in the TLS_README document. /* .IP "\fBsmtp_tls_security_level (empty)\fR" -/* The default SMTP TLS security level for all destinations; when -/* a non-empty value is specified, this overrides the obsolete parameters -/* smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. +/* The default SMTP TLS security level for the Postfix SMTP client; +/* when a non-empty value is specified, this overrides the obsolete +/* parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. /* .IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR" /* The SASL authentication security options that the Postfix SMTP /* client uses for TLS encrypted SMTP sessions. @@ -716,8 +716,6 @@ SSL_CTX *smtp_tls_ctx; #endif -extern NAME_CODE smtp_tls_levels[]; /* smtp_session.c name_code table */ - /* deliver_message - deliver message with extreme prejudice */ static int deliver_message(const char *service, DELIVER_REQUEST *request) @@ -853,8 +851,7 @@ static void pre_init(char *unused_name, char **unused_argv) /* * Initialize the TLS data before entering the chroot jail */ - if (name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE, - var_smtp_tls_level) > TLS_LEV_NONE || + if (tls_level_lookup(var_smtp_tls_level) > TLS_LEV_NONE || var_smtp_use_tls || var_smtp_enforce_tls || var_smtp_tls_per_site[0] || var_smtp_tls_policy[0]) { #ifdef USE_TLS diff --git a/postfix/src/smtp/smtp_session.c b/postfix/src/smtp/smtp_session.c index 4ea8dceb7..b0b487c8a 100644 --- a/postfix/src/smtp/smtp_session.c +++ b/postfix/src/smtp/smtp_session.c @@ -126,15 +126,6 @@ #include "smtp.h" #include "smtp_sasl.h" -NAME_CODE smtp_tls_levels[] = { - "none", TLS_LEV_NONE, - "may", TLS_LEV_MAY, - "encrypt", TLS_LEV_ENCRYPT, - "verify", TLS_LEV_VERIFY, - "secure", TLS_LEV_SECURE, - 0, TLS_LEV_NOTFOUND, -}; - #ifdef USE_TLS static MAPS *tls_policy; /* lookup table(s) */ 
@@ -162,7 +153,7 @@ void smtp_tls_list_init(void) static const char *policy_name(int tls_level) { - const char *name = str_name_code(smtp_tls_levels, tls_level); + const char *name = str_tls_level(tls_level); if (name == 0) name = "unknown"; @@ -241,7 +232,7 @@ static int tls_policy_lookup_one(SMTP_SESSION *session, msg_warn("ignoring empty tls policy for %s", site_name); FREE_RETURN(1); /* No further lookups */ } - *site_level = name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE, tok); + *site_level = tls_level_lookup(tok); if (*site_level == TLS_LEV_NOTFOUND) { msg_warn("%s: unknown security level '%s' ignored", str_context(cbuf, site_class, site_name), tok); @@ -418,8 +409,7 @@ static void session_tls_init(SMTP_SESSION *session, const char *dest, * per-site policy. */ if (*var_smtp_tls_level) { - global_level = name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE, - var_smtp_tls_level); + global_level = tls_level_lookup(var_smtp_tls_level); if (global_level == TLS_LEV_NOTFOUND) { msg_fatal("%s: unknown TLS security level '%s'", lmtp ? VAR_LMTP_TLS_LEVEL : VAR_SMTP_TLS_LEVEL, diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 1e47ae720..d5a005687 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -263,10 +263,10 @@ /* Detailed information about STARTTLS configuration may be /* found in the TLS_README document. /* .IP "\fBsmtpd_use_tls (no)\fR" -/* Opportunistic mode: announce STARTTLS support to SMTP clients, +/* Opportunistic TLS: announce STARTTLS support to SMTP clients, /* but do not require that clients use TLS encryption. /* .IP "\fBsmtpd_enforce_tls (no)\fR" -/* Enforcement mode: announce STARTTLS support to SMTP clients, +/* Mandatory TLS: announce STARTTLS support to SMTP clients, /* and require that clients use TLS encryption. /* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR" /* The SASL authentication security options that the Postfix SMTP 
@@ -310,7 +310,7 @@ /* .IP "\fBsmtpd_tls_loglevel (0)\fR" /* Enable additional Postfix SMTP server logging of TLS activity. /* .IP "\fBsmtpd_tls_protocols (empty)\fR" -/* The list of TLS protocols supported by the server. +/* The list of TLS protocols supported by the Postfix SMTP server. /* .IP "\fBsmtpd_tls_received_header (no)\fR" /* Request that the Postfix SMTP server produces Received: message /* headers that include information about the protocol and cipher used, @@ -332,6 +332,12 @@ /* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) /* process requests from the \fBtlsmgr\fR(8) server in order to seed its /* internal pseudo random number generator (PRNG). +/* .PP +/* Available in Postfix version 2.3 and later: +/* .IP "\fBsmtpd_tls_security_level (empty)\fR" +/* The SMTP TLS security level for the Postfix SMTP server; when +/* a non-empty value is specified, this overrides the obsolete parameters +/* smtpd_use_tls and smtpd_enforce_tls. /* .IP "\fBtls_high_cipherlist (!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)\fR" /* The OpenSSL cipherlist for "HIGH" grade ciphers. /* .IP "\fBtls_medium_cipherlist (!EXPORT:!LOW:ALL:+RC4:@STRENGTH)\fR" @@ -1019,6 +1025,7 @@ char *var_local_rwr_clients; char *var_smtpd_ehlo_dis_words; char *var_smtpd_ehlo_dis_maps; +char *var_smtpd_tls_level; bool var_smtpd_use_tls; bool var_smtpd_enforce_tls; bool var_smtpd_tls_wrappermode; @@ -4109,8 +4116,8 @@ static void pre_accept(char *unused_name, char **unused_argv) static void pre_jail_init(char *unused_name, char **unused_argv) { - int enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls; - int use_tls = var_smtpd_use_tls || enforce_tls; + int enforce_tls; + int use_tls; /* * Initialize blacklist/etc. patterns before entering the chroot jail, in 
@@ -4139,10 +4146,42 @@ static void pre_jail_init(char *unused_name, char **unused_argv) VAR_SMTPD_SASL_ENABLE); #endif + /* + * XXX Temporary fix to pretend that we consistently implement TLS + * security levels. We implement only a subset for now. If we implement + * more levels, wrappermode should override only weaker TLS security + * levels. + */ + if (!var_smtpd_tls_wrappermode && *var_smtpd_tls_level) { + switch (tls_level_lookup(var_smtpd_tls_level)) { + default: + msg_warn("%s: ignoring unknown TLS level \"%s\"", + VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level); + break; + case TLS_LEV_SECURE: + case TLS_LEV_VERIFY: + msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"", + VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level); + /* FALLTHROUGH */ + case TLS_LEV_ENCRYPT: + var_smtpd_enforce_tls = var_smtpd_use_tls = 1; + break; + case TLS_LEV_MAY: + var_smtpd_enforce_tls = 0; + var_smtpd_use_tls = 1; + break; + case TLS_LEV_NONE: + var_smtpd_enforce_tls = var_smtpd_use_tls = 0; + break; + } + } + enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls; + use_tls = var_smtpd_use_tls || enforce_tls; + /* * Keys can only be loaded when running with suitable permissions. When - * called from "sendmail -bs" this is not the case, but STARTTLS is not - * used in this scenario anyhow. + * called from "sendmail -bs" this is not the case, so we must not + * announce STARTTLS support. */ if (getuid() == 0 || getuid() == var_owner_uid) { if (use_tls) { @@ -4442,6 +4481,7 @@ int main(int argc, char **argv) VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0, VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0, #endif + VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0, VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0, VAR_SMTPD_MILTERS, DEF_SMTPD_MILTERS, &var_smtpd_milters, 0, 0, VAR_MILT_CONN_MACROS, DEF_MILT_CONN_MACROS, &var_milt_conn_macros, 0, 0, 
diff --git a/postfix/src/smtpd/smtpd.h b/postfix/src/smtpd/smtpd.h index 262f73819..6f3f324d2 100644 --- a/postfix/src/smtpd/smtpd.h +++ b/postfix/src/smtpd/smtpd.h @@ -30,9 +30,7 @@ /* * Postfix TLS library. */ -#ifdef USE_TLS #include-#endif /* * Milter library. diff --git a/postfix/src/tls/Makefile.in b/postfix/src/tls/Makefile.in index 0210029dd..8b8d254bf 100644 --- a/postfix/src/tls/Makefile.in +++ b/postfix/src/tls/Makefile.in @@ -2,11 +2,13 @@ SHELL = /bin/sh SRCS = tls_prng_dev.c tls_prng_egd.c tls_prng_file.c \ tls_prng_exch.c tls_stream.c tls_bio_ops.c tls_misc.c tls_dh.c \ tls_rsa.c tls_verify.c tls_certkey.c tls_session.c \ - tls_client.c tls_server.c tls_scache.c tls_mgr.c tls_seed.c + tls_client.c tls_server.c tls_scache.c tls_mgr.c tls_seed.c \ + tls_level.c OBJS = tls_prng_dev.o tls_prng_egd.o tls_prng_file.o \ tls_prng_exch.o tls_stream.o tls_bio_ops.o tls_misc.o tls_dh.o \ tls_rsa.o tls_verify.o tls_certkey.o tls_session.o \ - tls_client.o tls_server.o tls_scache.o tls_mgr.o tls_seed.o + tls_client.o tls_server.o tls_scache.o tls_mgr.o tls_seed.o \ + tls_level.o HDRS = tls.h tls_prng.h tls_scache.h tls_mgr.h TESTSRC = DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) @@ -129,6 +131,14 @@ tls_dh.o: ../../include/vstream.h tls_dh.o: ../../include/vstring.h tls_dh.o: tls.h tls_dh.o: tls_dh.c +tls_level.o: ../../include/name_code.h +tls_level.o: ../../include/name_mask.h +tls_level.o: ../../include/sys_defs.h +tls_level.o: ../../include/vbuf.h +tls_level.o: ../../include/vstream.h +tls_level.o: ../../include/vstring.h +tls_level.o: tls.h +tls_level.o: tls_level.c tls_mgr.o: ../../include/attr.h tls_mgr.o: ../../include/attr_clnt.h tls_mgr.o: ../../include/iostuff.h diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index f33e067a2..8bee86f5d 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h 
@@ -11,6 +11,11 @@ /* DESCRIPTION /* .nf + /* + * Utility library. + */ +#include + /* * TLS enforcement levels. Non-sentinel values also be used to indicate * the actual security level of a session. @@ -22,6 +27,11 @@ #define TLS_LEV_VERIFY 3 /* certificate verified */ #define TLS_LEV_SECURE 4 /* "secure" verification */ +extern NAME_CODE tls_level_table[]; + +#define tls_level_lookup(s) name_code(tls_level_table, NAME_CODE_FLAG_NONE, (s)) +#define str_tls_level(l) str_name_code(tls_level_table, (l)) + #ifdef USE_TLS /* diff --git a/postfix/src/tls/tls_level.c b/postfix/src/tls/tls_level.c new file mode 100644 index 000000000..03affcfdc --- /dev/null +++ b/postfix/src/tls/tls_level.c 
@@ -0,0 +1,60 @@ +/*++ +/* NAME +/* tls_level 3 +/* SUMMARY +/* TLS security level conversion +/* SYNOPSIS +/* #include +/* +/* int tls_level_lookup(name) +/* const char *name; +/* +/* const char *str_tls_level(level) +/* int level; +/* DESCRIPTION +/* The macros in this module convert TLS levels from symbolic +/* name to internal form and vice versa. The macros are safe +/* because they evaluate their arguments only once. +/* +/* tls_level_lookup() converts a TLS level from symbolic name +/* to internal form. The result is TLS_NOTFOUND for an unknown +/* level. +/* +/* str_tls_level() converts a TLS level from internal form to +/* symbolic name. The result is a null pointer for an unknown +/* level. +/* SEE ALSO +/* name_code(3) name to number mapping +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +/* System library. */ + +#include + +/* Utility library. */ + +#include + +/* TLS library. */ + +#include + +/* Application-specific. */ + +NAME_CODE tls_level_table[] = { + "none", TLS_LEV_NONE, + "may", TLS_LEV_MAY, + "encrypt", TLS_LEV_ENCRYPT, + "verify", TLS_LEV_VERIFY, + "secure", TLS_LEV_SECURE, + 0, TLS_LEV_NOTFOUND, +};
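Review bot: in the cleanup_repl_body() hunk of cleanup_milter.c, the new XXX comment explains why a milter is not expected to request a body replacement, but the msg_panic("%s: message body replace operation is not implemented", myname) below it is unchanged, so a single misbehaving or non-conforming milter that does send one still terminates the cleanup process. Consider msg_warn() plus a non-fatal error return so one milter cannot take the daemon down, or have the comment state explicitly that the panic is intended.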
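Review bot: in the milter8_body() hunk of milter8.c, the new `if (msg_ctx->first_body) { msg_ctx->first_body = 0; return; }` drops the very first body call regardless of rec_type, and the only explanation is "don't expose our first body line". The comment should say what that line is and why Sendmail-compatible milters must not see it, since the cleanup_milter.c hunk in this same patch relies on this skip; without that, the code reads like an off-by-one and is likely to be "fixed" later. The replacement of `msg_ctx.hdr_count = 0` with `first_header = 1; first_body = 1` in milter8_message() is the only initializer visible here; any other place that zero-fills a MILTER_MSG_CONTEXT would now expose both first lines, so grep for other initializers before merging.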
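Review bot: in the smtpd.c pre_jail_init() hunk, an unrecognized smtpd_tls_security_level only logs msg_warn("%s: ignoring unknown TLS level \"%s\"", ...) and then falls through to whatever the legacy smtpd_use_tls/smtpd_enforce_tls values happen to be, whereas the client side in the smtp_session.c hunk treats the same condition as msg_fatal("%s: unknown TLS security level '%s'", ...). A typo in the server setting would silently leave TLS optional or disabled while the administrator believes it is mandatory; msg_fatal() for consistency with the client is the safer choice. Likewise the "secure"/"verify" case downgrades to "encrypt" with a single warning at daemon start, which is easy to miss in logs; the XXX comment calls this temporary, so at least have the warning name the resulting setting.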
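Review bot: the new manual text for smtpd_tls_security_level in smtpd.c (the "Available in Postfix version 2.3 and later" hunk) says the parameter overrides smtpd_use_tls and smtpd_enforce_tls but does not say that the server currently implements only none, may and encrypt, and that verify and secure are mapped to encrypt, nor that smtpd_tls_wrappermode takes precedence over the level. The pre_jail_init() hunk makes all three behaviours explicit in code; the documentation should state them too so an administrator does not assume "secure" gives client certificate verification on the server.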
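Review bot: removing the #ifdef USE_TLS guard around the TLS header include in smtpd.h is needed because pre_jail_init() now calls tls_level_lookup() and uses the TLS_LEV_* constants outside any USE_TLS conditional. This compiles without TLS only because the tls.h hunk places tls_level_table and the two macros before its own `#ifdef USE_TLS` section; a one-line comment next to the now-unconditional include noting that dependency would stop someone from re-adding the guard in a later cleanup.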
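Review bot: the DESCRIPTION section of the new tls_level.c says "The result is TLS_NOTFOUND for an unknown level", but the sentinel used in tls_level_table and by every caller in this patch is TLS_LEV_NOTFOUND; fix the name in the manual page text. The statement that the macros are safe because they evaluate their arguments only once is correct for tls_level_lookup(s) and str_tls_level(l) as defined in the tls.h hunk, since (s) and (l) each appear exactly once.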