The stable Postfix release is called postfix-3.0.x where 3=major release number, 0=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called postfix-3.1-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 2.10 or earlier, read RELEASE_NOTES-2.11 before proceeding.

Notes for distribution maintainers
----------------------------------

* New backwards-compatibility safety net.

With NEW Postfix installs, you MUST install a main.cf file with the setting "compatibility_level = 2". See conf/main.cf for an example.

With UPGRADES of existing Postfix systems, you MUST NOT change the main.cf compatibility_level setting, nor add this setting if it does not exist.

Several Postfix default settings have changed with Postfix 3.0. To avoid massive frustration with existing Postfix installations, Postfix 3.0 comes with a safety net that forces Postfix to keep running with backwards-compatible main.cf and master.cf default settings. This safety net depends on the main.cf compatibility_level setting (default: 0). Details are in COMPATIBILITY_README.

* New Postfix build system.

The Postfix build/install procedure has changed to support Postfix dynamically-linked libraries and database plugins. These must not be "shared" with non-Postfix programs, and therefore must not be installed in a public directory.

To avoid massive frustration due to broken patches, PLEASE BUILD POSTFIX FIRST WITHOUT APPLYING ANY PATCHES. Follow the INSTALL instructions (see "Building with Postfix dynamically-linked libraries and database plugins"), and see how things work and what the dynamically-linked libraries, database plugin, and configuration files look like. Then, go ahead and perform your platform-specific customizations. The INSTALL section "Tips for distribution maintainers" has further suggestions.

Major changes - critical
------------------------

[Incompat 20140714] After upgrading Postfix, "postfix reload" (or start/stop) is required. Several Postfix-internal protocols have been extended to support SMTPUTF8. Failure to reload or restart will result in mail staying queued, while Postfix daemons log warning messages about unexpected attributes.

Major changes - default settings
--------------------------------

[Incompat 20141009] The default settings have changed for relay_domains (new: empty, old: $mydestination) and mynetworks_style (new: host, old: subnet). However the backwards-compatibility safety net will prevent these changes from taking effect, giving the system administrator the option to make an old default setting permanent in main.cf or to adopt the new default setting, before turning off backwards compatibility. See COMPATIBILITY_README for details.

[Incompat 20141001] A new backwards-compatibility safety net forces Postfix to run with backwards-compatible main.cf and master.cf default settings after an upgrade to a newer but incompatible Postfix version. See COMPATIBILITY_README for details.

While the backwards-compatible default settings are in effect, Postfix logs what services or what email would be affected by the incompatible change. Based on this the administrator can make some backwards-compatibility settings permanent in main.cf or master.cf, before turning off backwards compatibility.

See postconf.5.html#compatibility_level for details.

[Incompat 20141001] The default settings have changed for append_dot_mydomain (new: no, old: yes), master.cf chroot (new: n, old: y), and smtputf8 (new: yes, old: no).

Major changes - access control
------------------------------

[Feature 20141119] Support for BCC actions in header/body_checks and milter_header_checks. There is no limit on the number of BCC actions that may be specified, other than the implicit limit due to finite storage. BCC support will not be implemented in Postfix delivery agent header/body_checks.

It works in the same way as always_bcc and sender/recipient_bcc_maps: there can be only one address per action, recipients are added with the NOTIFY=NONE delivery status notification option, and duplicate recipients are ignored (with the same delivery status notification options).

[Incompat 20141009] The default settings have changed for relay_domains (new: empty, old: $mydestination) and mynetworks_style (new: host, old: subnet). However the backwards-compatibility safety net will prevent these changes from taking effect, giving the system administrator the option to make an old default setting permanent in main.cf or to adopt the new default setting, before turning off backwards compatibility. See COMPATIBILITY_README for details.

[Feature 20140618] New INFO action in access(5) tables, for consistency with header/body_checks.

[Feature 20140620] New check_xxx_a_access (for xxx in client, reverse_client, helo, sender, recipient) implements access control on all A and AAAA IP addresses for respectively the client hostname, helo parameter, sender domain or recipient domain. This complements the existing check_xxx_mx_access and check_xxx_ns_access features.

Major changes - address rewriting
---------------------------------

[Incompat 20141001] The default settings have changed for append_dot_mydomain (new: no, old: yes), master.cf chroot (new: n, old: y), and smtputf8 (new: yes, old: no).

Major changes - address verification
------------------------------------

[Feature 20141227] The new smtp_address_verify_target parameter (default: rcpt) specifies what protocol stage decides if a recipient is valid. Specify "data" for servers that reject invalid recipients in response to the DATA command.

Major changes - database support
--------------------------------

[Feature 20140512] Support for Berkeley DB version 6.

[Feature 20140618] The "randmap" lookup table performs random selection. This may be used to implement load balancing, for example:

    /etc/postfix/transport:
        # Deliver my own domain as usual.
        example.com :
        .example.com :

    /etc/postfix/main.cf:
        transport_maps =
            # Deliver my own domain as usual.
            hash:/etc/postfix/transport
            # Deliver other domains via randomly-selected relayhosts
            randmap:{smtp:smtp0.example.com, smtp:smtp1.example.com}

A variant of this can randomly select SMTP clients with different smtp_bind_address settings.

To implement different weights, specify lookup results multiple times. For example, to choose smtp:smtp1.example.com twice as often as smtp:smtp0.example.com, specify smtp:smtp1.example.com twice.

A future version may support randmap:/path/to/file to load a list of results from file.

[Feature 20140618] As the name suggests, the "pipemap" table implements a pipeline of lookup tables. The name of the table specifies the pipeline as a sequence of tables. For example, the following prevents SMTP mail to system accounts that have "nologin" as their login shell:

    /etc/postfix/main.cf:
        local_recipient_maps =
            pipemap:{unix:passwd.byname, pcre:/etc/postfix/no-nologin.pcre}
            alias_maps

    /etc/postfix/no-nologin.pcre:
        !/nologin/ whatever

Each "pipemap:" query is given to the first table. Each table lookup result becomes the query for the next table in the pipeline, and the last table produces the final result. When any table lookup produces no result, the entire pipeline produces no result.

A future version may support pipemap:/path/to/file to load a list of lookup tables from file.

[Feature 20140924] Support for unionmap, with the same syntax as pipemap. This sends a query to all tables, and concatenates non-empty results, separated by comma.

[Feature 20131121] The "static" lookup table now supports whitespace when invoked as "static:{ text with whitespace }", so that it can be used, for example, at the end of smtpd_mumble_restrictions as "check_mumble_access static:{reject text...}".

[Feature 20141126] "inline:{key=value, { key = text with comma/space}}" avoids the need to create a database for just a few entries.

Major changes - delivery status notifications
---------------------------------------------

[Feature 20140321] Delivery status filter support, to replace the delivery status codes and explanatory text of successful or unsuccessful deliveries by Postfix mail delivery agents.

This was originally implemented for sites that want to turn certain soft delivery errors into hard delivery errors, but it can also be used to censor out information from delivery confirmation reports.

This feature is implemented as a filter that replaces the three-number enhanced status code and descriptive text in Postfix delivery agent success, bounce, or defer messages. Note: this will not override "soft_bounce=yes", and this will not change a successful delivery status into an unsuccessful status or vice versa.

The first example turns specific soft TLS errors into hard errors, by overriding the first number in the enhanced status code.

    /etc/postfix/main.cf:
        smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter

    /etc/postfix/smtp_dsn_filter:
        /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
            5$1
        /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
            5$1

The second example removes the destination command name and file name from local(8) successful delivery reports, so that they will not be reported when a sender requests confirmation of delivery.

    /etc/postfix/main.cf:
        local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter

    /etc/postfix/local_dsn_filter:
        /^(2\S+ delivered to file).+/ $1
        /^(2\S+ delivered to command).+/ $1

This feature is supported in the lmtp(8), local(8), pipe(8), smtp(8) and virtual(8) delivery agents. That is, all delivery agents that actually deliver mail. It will not be implemented in the error and retry pseudo-delivery agents.

The new main.cf parameters and default values are:

    default_delivery_status_filter =
    lmtp_delivery_status_filter = $default_delivery_status_filter
    local_delivery_status_filter = $default_delivery_status_filter
    pipe_delivery_status_filter = $default_delivery_status_filter
    smtp_delivery_status_filter = $default_delivery_status_filter
    virtual_delivery_status_filter = $default_delivery_status_filter

See the postconf(5) manpage for more details.

[Incompat 20140618] The pipe(8) delivery agent will now log a limited amount of command output upon successful delivery, and will report that output in "SUCCESS" delivery status reports. This is another good reason to disable inbound DSN requests at the Internet perimeter.

[Feature 20140907] With "confirm_delay_cleared = yes", Postfix informs the sender when delayed mail leaves the queue (this is in addition to the delay_warning_time feature that warns when mail is still queued). This feature is disabled by default, because it can result in a sudden burst of notifications when the queue drains at the end of a prolonged network outage.

Major changes - dns
-------------------

[Feature 20141128] Support for DNS server reply filters in the Postfix SMTP/LMTP client and SMTP server. This helps to work around mail delivery problems with sites that have incorrect DNS information. Note: this has no effect on the implicit DNS lookups that are made by nsswitch.conf or equivalent mechanisms.

This feature renders each lookup result as one line of text in standard zone-file format as shown below. The class field is always "IN", the preference field exists only for MX records, the names of hosts, domains, etc. end in ".", and those names are in ASCII form (xn--mumble form for internationalized domain names).

    name          ttl    class  type  preference  value
    ---------------------------------------------------------
    postfix.org.  86400  IN     MX    10          mail.cloud9.net.

Typically, one would match this text with a regexp: or pcre: table. When a match is found, the table lookup result specifies an action. By default, the table query and the action name are case-insensitive. Currently, only the IGNORE action is implemented.

For safety reasons, Postfix logs a warning or defers mail delivery when a DNS reply filter removes all lookup results from a successful query.

The Postfix SMTP/LMTP client uses the smtp_dns_reply_filter and lmtp_dns_reply_filter features only for Postfix SMTP client lookups of MX, A, and AAAA records to locate a remote SMTP or LMTP server, including lookups that implement the features reject_unverified_sender and reject_unverified_recipient. The filters are not used for lookups made through nsswitch.conf and similar mechanisms.

The Postfix SMTP server uses the smtpd_dns_reply_filter feature only for Postfix SMTP server lookups of MX, A, AAAA, and TXT records to implement the features reject_unknown_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*. The filter is not used for lookups made through nsswitch.conf and similar mechanisms, such as lookups of the remote SMTP client name.

[Feature 20141126] Nullmx support (MX records with a null hostname). This change affects error messages only. The Postfix SMTP client already bounced mail for such domains, and the Postfix SMTP server already rejected such domains with reject_unknown_sender/recipient_domain. This feature introduces a new SMTP server configuration parameter nullmx_reject_code (default: 556).

Major changes - dynamic linking
-------------------------------

[Feature 20140530] Support to build Postfix with Postfix dynamically-linked libraries, and with dynamically-loadable database clients. These MUST NOT be used by non-Postfix programs. Postfix dynamically-linked libraries introduce minor runtime overhead and result in smaller Postfix executable files. Dynamically-loadable database clients are useful when you distribute or install pre-compiled packages. Postfix 3.0 supports dynamic loading for CDB, LDAP, LMDB, MYSQL, PCRE, PGSQL, SDBM, and SQLITE database clients.

This implementation is based on Debian code by LaMont Jones, initially ported by Viktor Dukhovni. Currently, support exists for recent versions of Linux, FreeBSD, MacOS X, and for the ancient Solaris 9.

To support Postfix dynamically-linked libraries and dynamically-loadable database clients, the Postfix build procedure had to be changed (specifically, the files makedefs and Makefile.in, and the files postfix-install and post-install that install or update Postfix).

[Incompat 20140530] The Postfix 3.0 build procedure expects that you specify database library dependencies with variables named AUXLIBS_CDB, AUXLIBS_LDAP, etc. With Postfix 3.0 and later, the old AUXLIBS variable still supports building a statically-loaded CDB etc. database client, but only the new AUXLIBS_CDB etc. variables support building a dynamically-loaded or statically-loaded CDB etc. database client. See CDB_README, LDAP_README, etc. for details.

Failure to follow this advice will defeat the purpose of dynamic database client loading. Every Postfix executable file will have database library dependencies. And that was exactly what dynamic database client loading was meant to avoid.

Major changes - future proofing
-------------------------------

[Cleanup 20141224] The changes described here have no visible effect on Postfix behavior, but they make Postfix code easier to maintain, and therefore make new functionality easier to add.

* Compile-time argument typechecks of non-printf/scanf-like variadic function argument lists.

* Deprecating the use of "char *" for non-text purposes such as memory allocation and pointers to application context for call-back functions. This dates from long-past days before void * became universally available.

* Replace integer types for counters and sizes with size_t or ssize_t equivalents. This eliminates some wasteful 64<->32bit conversions on 64-bit systems.

Major changes - installation pathnames
--------------------------------------

[Incompat 20140625] For compliance with file system policies, some non-executable files have been moved from $daemon_directory to the directory specified with the new meta_directory configuration parameter which has the same default value as the config_directory parameter. This change affects non-executable files that are shared between multiple Postfix instances such as postfix-files, dynamicmaps.cf, and multi-instance template files.

For backwards compatibility with Postfix 2.6 .. 2.11, specify "meta_directory = $daemon_directory" in main.cf before installing or upgrading Postfix, or specify "meta_directory = /path/name" on the "make makefiles", "make install" or "make upgrade" command line.

Major changes - milter
----------------------

[Feature 20140928] Support for per-Milter settings that override main.cf parameters. For details see the section "Advanced policy client configuration" in the SMTPD_POLICY_README document.

Here is an example that uses both old and new syntax:

    smtpd_milters = { inet:127.0.0.1:port1, default_action=accept, ... },
        inet:127.0.0.1:port2, ...

The supported attribute names are: command_timeout, connect_timeout, content_timeout, default_action, and protocol. These have the same names as the corresponding main.cf parameters, without the "milter_" prefix.

The per-milter settings are specified as attribute=value pairs separated by comma or space; specify { name = value } to allow spaces around the "=" or within an attribute value.

[Feature 20141018] DMARC compatibility: when a Milter inserts a header ABOVE Postfix's own Received: header, Postfix no longer exposes its own Received: header to Milters (violating protocol) and Postfix no longer hides the Milter-inserted header from Milters (wtf).

Major changes - parameter syntax
--------------------------------

[Feature 20140921] In preparation for configurable mail headers and logging, new main.cf support for if-then-else expressions:

    ${name?{text1}:{text2}}

and for logical expressions:

    ${{text1}=={text2}?{text3}:{text4}}
    ${{text1}!={text2}?{text3}:{text4}}

Whitespace before and after {text} is ignored. This can help to make complex expressions more readable. See the postconf(5) manpage for further details.

[Feature 20140928] Support for whitespace in daemon command-line arguments. For details, see the "Command name + arguments" section in the master(5) manpage. Example:

    smtpd -o { parameter = value containing whitespace } ...

The { ... } form is also available for non-option command-line arguments in master.cf, for example:

    pipe ... argv=command { argument containing whitespace } ...

In both cases, whitespace immediately after "{" and before "}" is ignored.

[Feature 20141005] Postfix import_environment and export_environment now allow "{ name=value }" to protect whitespace in attribute values.

[Feature 20141006] The new message_drop_header parameter replaces a hard-coded table that specifies what message headers the cleanup daemon will remove. The list of supported header names covers RFC 5321, 5322, MIME RFCs, and some historical names.

Major changes - pipe daemon
---------------------------

[Incompat 20140618] The pipe(8) delivery agent will now log a limited amount of command output upon successful delivery, and will report that output in "SUCCESS" delivery status reports. This is another good reason to disable inbound DSN requests at the Internet perimeter.

Major changes - policy client
-----------------------------

[Feature 20140703] This release introduces three new configuration parameters that control error recovery for failed SMTPD policy requests.

* smtpd_policy_service_default_action (default: 451 4.3.5 Server configuration problem): The default action when an SMTPD policy service request fails.

* smtpd_policy_service_try_limit (default: 2): The maximal number of attempts to send an SMTPD policy service request before giving up. This must be a number greater than zero.

* smtpd_policy_service_retry_delay (default: 1s): The delay between attempts to resend a failed SMTPD policy service request. This must be a number greater than zero.

See postconf(5) for details and limitations.

[Feature 20140928] Support for per-policy service settings that override main.cf parameters. For details see the section "Different settings for different Milter applications" in the MILTER_README document.

Here is an example that uses both old and new syntax:

    smtpd_recipient_restrictions = ...
        check_policy_service { inet:127.0.0.1:port3, default_action=DUNNO }
        check_policy_service inet:127.0.0.1:port4
        ...

The per-policy service settings are specified as attribute=value pairs separated by comma or space; specify { name = value } to allow spaces around the "=" or within an attribute value.

The supported attribute names are: default_action, max_idle, max_ttl, request_limit, retry_delay, timeout, try_limit. These have the same names as the corresponding main.cf parameters, without the "smtpd_policy_service_" prefix.

[Feature 20140505] A client port attribute was added to the policy delegation protocol.

[Feature 20140630] New smtpd_policy_service_request_limit feature to limit the number of requests per Postfix SMTP server policy connection. This is a workaround to avoid error-recovery delays with policy servers that cannot maintain a persistent connection.

Major changes - position-independent executables
------------------------------------------------

[Feature 20150205] Preliminary support for building position-independent executables (PIE), tested on Fedora Core 20, Ubuntu 14.04, FreeBSD 9 and 10, and NetBSD 6. Specify:

    $ make makefiles pie=yes ...other arguments...

On some systems, PIE is used by the ASLR exploit mitigation technique (ASLR = Address-Space Layout Randomization). Whether specifying "pie=yes" has any effect at all depends on the compiler. Reportedly, some compilers always produce PIE executables.

Major changes - postscreen
--------------------------

[Feature 20140501] Configurable time limit (postscreen_dnsbl_timeout) for DNSBL or DNSWL lookups. This is separate from the timeouts in the dnsblog(8) daemon which are controlled by system resolver(3) routines.

Major changes - session fingerprint
-----------------------------------

[Feature 20140801] The Postfix SMTP server now logs at the end of a session how many times an SMTP command was successfully invoked, followed by the total number of invocations if some invocations were unsuccessful.

This logging will be enough to diagnose many problems without using verbose logging or a network sniffer.

Normal session, no TLS:

    disconnect from name[addr] ehlo=1 mail=1 rcpt=1 data=1 quit=1

Normal session, with TLS:

    disconnect from name[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1

All recipients rejected, no ESMTP command pipelining:

    disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 quit=1

All recipients rejected, with ESMTP command pipelining:

    disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1

Password guessing bot, hangs up without QUIT:

    disconnect from name[addr] ehlo=1 auth=0/1

Mis-configured client trying to use TLS wrappermode on port 587:

    disconnect from name[addr] unknown=0/1

Logfile analyzers can trigger on the presence of "/". It indicates that Postfix rejected at least one command.

[Feature 20150118] As a late addition, the SMTP server now also logs the total number of commands (as "commands=x/y") even when the client did not send any commands. This helps logfile analyzers to recognize sessions without commands.

Major changes - smtp client
---------------------------

[Feature 20141227] The new smtp_address_verify_target parameter (default: rcpt) determines what protocol stage decides if a recipient is valid. Specify "data" for servers that reject recipients after the DATA command.

Major changes - smtputf8
------------------------

[Incompat 20141001] The default settings have changed for append_dot_mydomain (new: no, old: yes), master.cf chroot (new: n, old: y), and smtputf8 (new: yes, old: no).

[Incompat 20140714] After upgrading Postfix, "postfix reload" (or start/stop) is required. Several Postfix-internal protocols have been extended to support SMTPUTF8. Failure to reload or restart will result in mail staying queued, while Postfix daemons log warning messages about unexpected attributes.

[Feature 20140715] Support for Email Address Internationalization (EAI) as defined in RFC 6531..6533. This supports UTF-8 in SMTP/LMTP sender addresses, recipient addresses, and message header values. The implementation is based on initial work by Arnt Gulbrandsen that was funded by CNNIC.

See SMTPUTF8_README for a description of Postfix SMTPUTF8 support.

[Feature 20150112] UTF-8 Casefolding support for Postfix lookup tables and matchlists (mydestination, relay_domains, etc.). This is enabled only with "smtputf8 = yes".

[Feature 20150112] With smtputf8_enable=yes, SMTP commands with UTF-8 syntax errors are rejected, table lookup results with invalid UTF-8 syntax are handled as configuration errors, and UTF-8 syntax errors in policy server replies result in execution of the policy server's default action.

Major changes - tls support
---------------------------

(see "Major changes - delivery status notifications" above for turning 4XX soft errors into 5XX bounces when a remote SMTP server does not offer STARTTLS support).

[Feature 20140209] The Postfix SMTP client now also falls back to plaintext when TLS fails AFTER the TLS protocol handshake.

[Feature 20140218] The Postfix SMTP client now requires that a queue file is older than $minimal_backoff_time, before falling back from failed TLS to plaintext (both during or after the TLS handshake).

[Feature 20141021] Per IETF TLS WG consensus, the tls_session_ticket_cipher default setting was changed from aes-128-cbc to aes-256-cbc.

[Feature 20150116] TLS wrappermode support in the Postfix smtp(8) client (new smtp_tls_wrappermode parameter) and in posttls-finger(1) (new -w option). There still is life in that deprecated protocol, and people should not have to jump hoops with stunnel.
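
The "session fingerprint" section of the commit message above says logfile analyzers can trigger on the presence of "/". The following is an added example, not part of the commit or of Postfix: a small Python analyzer for those "disconnect from" lines. The log lines, the syslog prefix and the finding names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the "disconnect from" format quoted above.
SAMPLE_LOG = """\
postfix/smtpd[1201]: disconnect from mail.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
postfix/smtpd[1202]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/1 commands=1/2
postfix/smtpd[1203]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/3 commands=1/4
postfix/smtpd[1204]: disconnect from client.example.org[203.0.113.5] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
postfix/smtpd[1205]: disconnect from unknown[203.0.113.99] unknown=0/1 commands=0/1
postfix/smtpd[1206]: disconnect from unknown[192.0.2.77] commands=0/0
"""

DISCONNECT_RE = re.compile(
    r"disconnect from (?P<name>\S+?)\[(?P<addr>[^\]]+)\]"
    r"(?P<counters>(?: \w+=\d+(?:/\d+)?)*)\s*$"
)
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_fingerprint(line):
    """Parse one disconnect line; return None for any other log line.

    counters maps command -> (successful, total): "rcpt=0/1" becomes (0, 1)
    and "ehlo=1" (no "/", nothing rejected) becomes (1, 1).
    """
    match = DISCONNECT_RE.search(line)
    if match is None:
        return None
    counters = {}
    for cmd, ok, total in COUNTER_RE.findall(match.group("counters")):
        counters[cmd] = (int(ok), int(total) if total else int(ok))
    return {"name": match.group("name"), "addr": match.group("addr"),
            "counters": counters}


def classify(session):
    """Return finding names (hypothetical labels) for one parsed session."""
    counters = session["counters"]
    # "commands=x/y" is the session total, not an SMTP command.
    per_command = {c: v for c, v in counters.items() if c != "commands"}
    findings = []
    if not per_command:
        findings.append("no-commands")
    if any(ok < total for ok, total in per_command.values()):
        findings.append("rejected-command")       # the "/" trigger
    auth_ok, auth_total = counters.get("auth", (0, 0))
    if auth_total > auth_ok and "quit" not in counters:
        findings.append("auth-failure-no-quit")   # password-guessing pattern
    rcpt_ok, rcpt_total = counters.get("rcpt", (0, 0))
    if rcpt_total > 0 and rcpt_ok == 0:
        findings.append("all-recipients-rejected")
    if "unknown" in counters:
        findings.append("unknown-command")        # e.g. TLS wrappermode on 587
    return findings


def report(log_text):
    """Return [(addr, findings)] for every session with at least one finding."""
    rows = []
    for line in log_text.splitlines():
        session = parse_fingerprint(line)
        if session is not None:
            findings = classify(session)
            if findings:
                rows.append((session["addr"], findings))
    return rows


def failed_auth_by_client(log_text):
    """Sum rejected AUTH commands per client address across sessions."""
    failures = Counter()
    for line in log_text.splitlines():
        session = parse_fingerprint(line)
        if session is None:
            continue
        ok, total = session["counters"].get("auth", (0, 0))
        if total > ok:
            failures[session["addr"]] += total - ok
    return dict(failures)


if __name__ == "__main__":
    for addr, findings in report(SAMPLE_LOG):
        print(addr, ",".join(findings))
    print(failed_auth_by_client(SAMPLE_LOG))
```

Aggregating per address rather than per session is what separates a single mistyped password from repeated guessing spread over many short connections.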
This commit is contained in:
parent
7d343bc869
commit
e262b48e47
2677
external/ibm-public/postfix/dist/HISTORY
vendored
File diff suppressed because it is too large
769
external/ibm-public/postfix/dist/INSTALL
vendored
File diff suppressed because it is too large
5
external/ibm-public/postfix/dist/Makefile
vendored
@ -1,7 +1,8 @@
|
||||
# Usage:
|
||||
# make makefiles [CC=compiler] [OPT=compiler-flags] [DEBUG=debug-flags]
|
||||
# make makefiles [name=value]...
|
||||
#
|
||||
# The defaults are: CC=gcc, OPT=-O, and DEBUG=-g. Examples:
|
||||
# See makedefs for a descripton of available options.
|
||||
# Examples:
|
||||
#
|
||||
# make makefiles
|
||||
# make makefiles CC="purify cc"
|
||||
|
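Review bot: typo in the added usage comment "# See makedefs for a descripton of available options.": "descripton" should be "description". The same rewrite drops the line that listed the defaults (CC=gcc, OPT=-O, DEBUG=-g), so this header no longer states any default and readers have to open makedefs to find them. Since the path is marked vendored, the typo is best reported upstream rather than patched only in this copy.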
103
external/ibm-public/postfix/dist/Makefile.in
vendored
@ -1,7 +1,7 @@
|
||||
SHELL = /bin/sh
|
||||
WARN = -Wmissing-prototypes -Wformat -Wno-comment
|
||||
OPTS = 'CC=$(CC)'
|
||||
DIRS = src/util src/global src/dns src/tls src/xsasl src/milter src/master \
|
||||
OPTS = 'WARN=$(WARN)'
|
||||
DIRS = src/util src/global src/dns src/tls src/xsasl src/master src/milter \
|
||||
src/postfix src/fsstone src/smtpstone \
|
||||
src/sendmail src/error src/pickup src/cleanup src/smtpd src/local \
|
||||
src/trivial-rewrite src/qmgr src/oqmgr src/smtp src/bounce \
|
||||
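Review bot: the DIRS change moves src/master ahead of src/milter with no comment saying why. The makefiles and update loops walk $(DIRS) in order and stop at the first failure, so the order is build-significant; a one-line comment above DIRS naming the dependency would keep a later edit from reverting it. Also check that replacing OPTS = 'CC=$(CC)' with OPTS = 'WARN=$(WARN)' still gets the chosen compiler to every sub-make, since the update loop passes only $(OPTS).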
@ -12,50 +12,101 @@ DIRS = src/util src/global src/dns src/tls src/xsasl src/milter src/master \
|
||||
src/postmulti src/postscreen src/dnsblog src/tlsproxy \
|
||||
src/posttls-finger
|
||||
MANDIRS = proto man html
|
||||
LIBEXEC = libexec/post-install libexec/postfix-files libexec/postfix-script \
|
||||
libexec/postfix-wrapper libexec/main.cf libexec/master.cf \
|
||||
libexec/postmulti-script
|
||||
LIBEXEC = libexec/post-install libexec/postfix-script libexec/postfix-wrapper \
|
||||
libexec/postmulti-script libexec/postfix-tls-script
|
||||
PLUGINS = meta/dynamicmaps.cf
|
||||
META = meta/main.cf.proto meta/master.cf.proto meta/postfix-files \
|
||||
meta/makedefs.out $(PLUGINS)
|
||||
EXPAND = sed -e "s;\$${LIB_PREFIX};$(LIB_PREFIX);" \
|
||||
-e "s;\$${LIB_SUFFIX};$(LIB_SUFFIX);"
|
||||
SHLIB_DIR_OVERRIDE = \
|
||||
$${shlib_directory:-`$(SHLIB_ENV) bin/postconf -dhx shlib_directory`}
|
||||
|
||||
default: update
|
||||
|
||||
makefiles Makefiles:
|
||||
# While generating the top-level Makefile, we must get the PLUGIN_LD
|
||||
# setting directly from the latest makedefs.out result.
|
||||
|
||||
makefiles Makefiles conf/makedefs.out:
|
||||
(echo "# Do not edit -- this file documents how Postfix was built for your machine."; $(SHELL) makedefs) >makedefs.tmp
|
||||
set +e; if cmp makedefs.tmp conf/makedefs.out; then rm makedefs.tmp; \
|
||||
else mv makedefs.tmp conf/makedefs.out; fi >/dev/null 2>/dev/null
|
||||
set -e; for i in $(DIRS); do \
|
||||
(set -e; echo "[$$i]"; cd $$i; rm -f Makefile; \
|
||||
$(MAKE) -f Makefile.in Makefile MAKELEVEL=) || exit 1; \
|
||||
done;
|
||||
rm -f Makefile; (cat conf/makedefs.out Makefile.in) >Makefile
|
||||
done
|
||||
@set -- `grep '^PLUGIN_LD' conf/makedefs.out`; \
|
||||
rm -f Makefile; (cat conf/makedefs.out; \
|
||||
case "$$3" in \
|
||||
""|":") grep -v '^PLUGINS' Makefile.in;; \
|
||||
*) cat Makefile.in;; \
|
||||
esac) >Makefile
|
||||
|
||||
update printfck tests root_tests:
|
||||
set -e; for i in $(DIRS); do \
|
||||
(set -e; echo "[$$i]"; cd $$i; $(MAKE) $(OPTS) $@ MAKELEVEL=) || exit 1; \
|
||||
done
|
||||
|
||||
update: $(LIBEXEC)
|
||||
update: $(META) $(LIBEXEC)
|
||||
|
||||
libexec/post-install: conf/post-install
|
||||
rm -f $@ && ln -f $? $@
|
||||
|
||||
libexec/postfix-files: conf/postfix-files
|
||||
rm -f $@ && ln -f $? $@
|
||||
# Censor out build directory information.
|
||||
|
||||
meta/makedefs.out: conf/makedefs.out
|
||||
grep -v SHLIB_ENV $? > $@
|
||||
|
||||
meta/postfix-files: conf/postfix-files conf/makedefs.out Makefile
|
||||
rm -f $@
|
||||
(if [ "${SHLIB_DIR}" = "no" -o "${SHLIB_DIR}" = "" ]; then \
|
||||
sed -e '/^\$$shlib_directory/d' \
|
||||
-e '/dynamicmaps.cf/d' conf/postfix-files; \
|
||||
elif [ "${PLUGIN_LD}" = ":" -o "${PLUGIN_LD}" = "" ]; then \
|
||||
sed -e '/dynamicmaps.cf/d' \
|
||||
-e '/^\$$shlib_directory\/\$${LIB_PREFIX}/d' \
|
||||
conf/postfix-files | $(EXPAND); \
|
||||
else \
|
||||
$(EXPAND) conf/postfix-files | awk -F: ' \
|
||||
BEGIN { \
|
||||
count = split("'"$(DEFINED_MAP_TYPES)"'", names, " "); \
|
||||
for (n = 1; n <= count; n++) \
|
||||
have["$$shlib_directory/$(LIB_PREFIX)" names[n] \
|
||||
"$(LIB_SUFFIX)"] = 1; } \
|
||||
/^[$$]shlib_directory.$(LIB_PREFIX)/ { \
|
||||
if (have[$$1]) print; next } \
|
||||
{ print } \
|
||||
'; \
|
||||
fi) | case "$(MAKE_FIX)" in \
|
||||
*) cat;; \
|
||||
esac > $@
|
||||
|
||||
libexec/postfix-script: conf/postfix-script
|
||||
rm -f $@ && ln -f $? $@
|
||||
|
||||
libexec/postfix-tls-script: conf/postfix-tls-script
|
||||
rm -f $@ && ln -f $? $@
|
||||
|
||||
libexec/postfix-wrapper: conf/postfix-wrapper
|
||||
rm -f $@ && ln -f $? $@
|
||||
|
||||
libexec/main.cf: conf/main.cf
|
||||
meta/main.cf.proto: conf/main.cf
|
||||
rm -f $@ && ln -f $? $@
|
||||
|
||||
libexec/master.cf: conf/master.cf
|
||||
meta/master.cf.proto: conf/master.cf
|
||||
rm -f $@ && ln -f $? $@
|
||||
|
||||
libexec/postmulti-script: conf/postmulti-script
|
||||
rm -f $@ && ln -f $? $@
|
||||
|
||||
meta/dynamicmaps.cf: conf/dynamicmaps.cf Makefile
|
||||
rm -f $@ && $(EXPAND) conf/dynamicmaps.cf | $(AWK) ' \
|
||||
BEGIN { split("'"$(DEFINED_MAP_TYPES)"'", map_types); \
|
||||
for (n in map_types) has_type[map_types[n]] = n } \
|
||||
/^#/ { print } \
|
||||
/^[a-z]/ { if (has_type[$$1]) print } \
|
||||
' >$@
|
||||
|
||||
manpages:
|
||||
set -e; for i in $(MANDIRS); do \
|
||||
(set -e; echo "[$$i]"; cd $$i; $(MAKE) -f Makefile.in $(OPTS) MAKELEVEL=) || exit 1; \
|
||||
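Review bot: The meta/postfix-files recipe ends in `fi) | case "$(MAKE_FIX)" in *) cat;; esac > $@`, so make only sees the exit status of the final `cat`. If sed, awk or $(EXPAND) fails earlier in the pipeline, a truncated meta/postfix-files is left behind and treated as up to date. The meta/dynamicmaps.cf recipe has the same shape with `| $(AWK) ' ... ' >$@`. Suggest writing to a temporary file and moving it into place only on success. Also, the postfix-files rule calls plain `awk` while the dynamicmaps.cf rule uses `$(AWK)`; pick one for both.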
@ -63,17 +114,31 @@ manpages:
|
||||
|
||||
printfck: update
|
||||
|
||||
# The build-time shlib_directory setting must take precedence over
|
||||
# the installed main.cf settings, otherwise we can't update an
|
||||
# installed system from dynamicmaps=yes<->dynamicmaps=no or from
|
||||
# shared=yes<->shared=no.
|
||||
|
||||
install: update
|
||||
$(SHELL) postfix-install
|
||||
SHLIB_ENV_VAR= SHLIB_ENV_VAL= \
|
||||
$(SHLIB_ENV) shlib_directory=$(SHLIB_DIR_OVERRIDE) $(SHELL) \
|
||||
postfix-install
|
||||
|
||||
package: update
|
||||
$(SHELL) postfix-install -package
|
||||
SHLIB_ENV_VAR= SHLIB_ENV_VAL= \
|
||||
$(SHLIB_ENV) shlib_directory=$(SHLIB_DIR_OVERRIDE) $(SHELL) \
|
||||
postfix-install -package
|
||||
|
||||
upgrade: update
|
||||
$(SHELL) postfix-install -non-interactive
|
||||
SHLIB_ENV_VAR= SHLIB_ENV_VAL= \
|
||||
$(SHLIB_ENV) shlib_directory=$(SHLIB_DIR_OVERRIDE) $(SHELL) \
|
||||
postfix-install -non-interactive
|
||||
|
||||
|
||||
non-interactive-package: update
|
||||
$(SHELL) postfix-install -non-interactive -package
|
||||
SHLIB_ENV_VAR= SHLIB_ENV_VAL= \
|
||||
$(SHLIB_ENV) shlib_directory=$(SHLIB_DIR_OVERRIDE) $(SHELL) \
|
||||
postfix-install -non-interactive -package
|
||||
|
||||
depend clean:
|
||||
set -e; for i in $(DIRS); do \
|
||||
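Review bot: The prefix `SHLIB_ENV_VAR= SHLIB_ENV_VAL= $(SHLIB_ENV) shlib_directory=$(SHLIB_DIR_OVERRIDE) $(SHELL)` is repeated verbatim in the install, package, upgrade and non-interactive-package targets, so a later change to the override logic has to be made in four places. Suggest defining it once as a make variable and using that in each recipe. The comment explaining why the build-time shlib_directory must take precedence sits only above install; it would read better next to the shared definition.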
@ -92,6 +157,8 @@ tidy: clean
|
||||
rm -f README_FILES/RELEASE_NOTES
|
||||
ln -s ../RELEASE_NOTES README_FILES
|
||||
rm -f bin/[!CRS]* lib/[!CRS]* include/[!CRS]* libexec/[!CRS]* \
|
||||
src/*/libpostfix-*.so src/*/libpostfix-*.dylib \
|
||||
src/*/postfix-*.so src/*/postfix-*.dylib \
|
||||
junk */junk */*/junk \
|
||||
*core */*core */*/*core \
|
||||
.nfs* */.nfs* */*/.nfs* \
|
||||
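Review bot: The new tidy patterns `src/*/libpostfix-*.so src/*/libpostfix-*.dylib` and `src/*/postfix-*.so src/*/postfix-*.dylib` hard-code the prefix and suffix, while the meta/postfix-files rule earlier in this file builds the same names from $(LIB_PREFIX) and $(LIB_SUFFIX). A build that sets a different prefix or suffix will leave its libraries and plugins behind after "make tidy". Suggest either deriving the patterns from those variables or adding a comment that states which suffixes are supported.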
@ -105,7 +172,7 @@ tidy: clean
|
||||
*.bak */*.bak */*/*.bak \
|
||||
make.err */make.err */*/make.err \
|
||||
*.gmon */*.gmon */*/*.gmon \
|
||||
conf/main.cf.default conf/bounce.cf.default
|
||||
conf/main.cf.default conf/bounce.cf.default meta/*
|
||||
find . -type s -print | xargs rm -f
|
||||
find . -type d -print | xargs chmod 755
|
||||
find . -type f -print | xargs chmod a+r
|
||||
|
@ -1,7 +1,8 @@
|
||||
# Usage:
|
||||
# make makefiles [CC=compiler] [OPT=compiler-flags] [DEBUG=debug-flags]
|
||||
# make makefiles [name=value]...
|
||||
#
|
||||
# The defaults are: CC=gcc, OPT=-O, and DEBUG=-g. Examples:
|
||||
# See makedefs for a descripton of available options.
|
||||
# Examples:
|
||||
#
|
||||
# make makefiles
|
||||
# make makefiles CC="purify cc"
|
||||
|
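Review bot: Typo in the new usage comment, "See makedefs for a descripton of available options." should read "description". The replaced line also documented the defaults (CC=gcc, OPT=-O, DEBUG=-g); if those now live only in makedefs, it is worth confirming that makedefs states them, since this comment no longer does.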
@ -12,7 +12,9 @@ GGeenneerraall ccoonnffiigguurraattiioonn
|
||||
* TLS_README: TLS Encryption and authentication
|
||||
* FORWARD_SECRECY_README: TLS Forward Secrecy
|
||||
* IPV6_README: IP Version 6 Support
|
||||
* MULTI_INSTANCE_README: Multiple-instance management
|
||||
* IPV6_README: IP Version 6 Support
|
||||
* SMTPUTF8_README: SMTPUTF8 Support
|
||||
* COMPATIBILITY_README: Backwards-Compatibility Safety Net
|
||||
* INSTALL: Installation from source code
|
||||
|
||||
PPrroobblleemm ssoollvviinngg
|
||||
|
@ -164,7 +164,8 @@ WWhhaatt cclliieennttss ttoo rreellaayy mmaaiill ffrroo
|
||||
|
||||
By default, Postfix will forward mail from clients in authorized network blocks
|
||||
to any destination. Authorized networks are defined with the mynetworks
|
||||
configuration parameter. The default is to authorize all clients in the IP
|
||||
configuration parameter. The current default is to authorize the local machine
|
||||
only. Prior to Postfix 3.0, the default was to authorize all clients in the IP
|
||||
subnetworks that the local machine is attached to.
|
||||
|
||||
Postfix can also be configured to relay mail from "mobile" clients that send
|
||||
|
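Review bot: The new sentence "The current default is to authorize the local machine only" is true only once the backwards-compatibility safety net is off. Per the COMPATIBILITY_README added in this same change, an upgraded system with mynetworks and mynetworks_style left at their implicit defaults keeps running with mynetworks_style=subnet and still relays for the attached subnets. Suggest adding a pointer to COMPATIBILITY_README here so that an administrator reading this paragraph after an upgrade does not assume relay access is already host-only.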
@ -52,6 +52,8 @@ Topics covered by this document:
|
||||
* Limitations of Postfix header/body checks
|
||||
* Preventing daily mail status reports from being blocked
|
||||
* Configuring header/body checks for mail from outside users only
|
||||
* Configuring different header/body checks for MX service and submission
|
||||
service
|
||||
* Configuring header/body checks for mail to some domains only
|
||||
|
||||
WWhhaatt mmaaiill iiss ssuubbjjeecctteedd ttoo hheeaaddeerr//bbooddyy cchheecckkss
|
||||
@ -105,8 +107,9 @@ make the decision in the cleanup(8) server, as this program receives mail from
|
||||
so many different sources. Instead, header/body checks are requested by the
|
||||
source. Examples of how to turn off header/body checks for mail received with
|
||||
smtpd(8), qmqpd(8) or pickup(8) are given below under "Configuring header/body
|
||||
checks for mail from outside users only" and "Configuring header/body checks
|
||||
for mail to some domains only".
|
||||
checks for mail from outside users only", "Configuring different header/body
|
||||
checks for MX service and submission service", and "Configuring header/body
|
||||
checks for mail to some domains only".
|
||||
|
||||
LLiimmiittaattiioonnss ooff PPoossttffiixx hheeaaddeerr//bbooddyy cchheecckkss
|
||||
|
||||
@ -248,6 +251,50 @@ server IP addresses in master.cf:
|
||||
# =================================================================
|
||||
1.2.3.5:smtp inet n - n - - smtpd
|
||||
|
||||
CCoonnffiigguurriinngg ddiiffffeerreenntt hheeaaddeerr//bbooddyy cchheecckkss ffoorr MMXX sseerrvviiccee aanndd ssuubbmmiissssiioonn sseerrvviiccee
|
||||
|
||||
If authorized user submissions require different header/body checks than mail
|
||||
from remote MTAs, then this is possible as long as you have separate mail
|
||||
streams for authorized users and for MX service.
|
||||
|
||||
The example below assumes that authorized users connect to TCP port 587
|
||||
(submission) or 465 (smtps), and that remote MTAs connect to TCP port 25
|
||||
(smtp).
|
||||
|
||||
First, we define a few "user-defined" parameters that will override settings
|
||||
for the submission and smtps services.
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
msa_cleanup_service_name = msa_cleanup
|
||||
msa_header_checks = pcre:/etc/postfix/msa_header_checks
|
||||
msa_body_checks = pcre:/etc/postfix/msa_body_checks
|
||||
|
||||
Next, we define msa_cleanup as a dedicated cleanup service that will be used
|
||||
only by the submission and smtps services. This service uses the header_checks
|
||||
and body_checks overrides that were defined above.
|
||||
|
||||
/etc/postfix.master.cf:
|
||||
# =================================================================
|
||||
# service type private unpriv chroot wakeup maxproc command
|
||||
# (yes) (yes) (yes) (never) (100)
|
||||
# =================================================================
|
||||
smtp inet n - n - - smtpd
|
||||
msa_cleanup unix n - n - 0 cleanup
|
||||
-o header_checks=$msa_header_checks
|
||||
-o body_checks=$msa_body_checks
|
||||
submission inet n - n - - smtpd
|
||||
-o cleanup_service_name=$msa_cleanup_service_name
|
||||
-o syslog_name=postfix/submission
|
||||
...[see sample master.cf file for more]...
|
||||
smtps inet n - n - - smtpd
|
||||
-o cleanup_service_name=$msa_cleanup_service_name
|
||||
-o syslog_name=postfix/smtps
|
||||
-o smtpd_tls_wrappermode=yes
|
||||
...[see sample master.cf file for more]...
|
||||
|
||||
By keeping the "msa_xxx" parameter settings in main.cf, you keep your master.cf
|
||||
file simple, and you minimize the amount of duplication.
|
||||
|
||||
CCoonnffiigguurriinngg hheeaaddeerr//bbooddyy cchheecckkss ffoorr mmaaiill ttoo ssoommee ddoommaaiinnss oonnllyy
|
||||
|
||||
The following information applies to Postfix 2.1. Earlier Postfix versions do
|
||||
|
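Review bot: In the new "MX service and submission service" section the second file label reads "/etc/postfix.master.cf:"; it should be "/etc/postfix/master.cf:", matching the "/etc/postfix/main.cf:" label a few lines above. The example also shows msa_cleanup with maxproc 0 without comment; a short remark in the text on why the dedicated cleanup service has no process limit would help readers who copy the entry.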
@ -42,7 +42,7 @@ To build Postfix after you have installed tinycdb, use something like:
|
||||
% make tidy
|
||||
% CDB=../../../tinycdb-0.5
|
||||
% make -f Makefile.init makefiles "CCARGS=-DHAS_CDB -I$CDB" \
|
||||
"AUXLIBS=$CDB/libcdb.a"
|
||||
"AUXLIBS_CDB=$CDB/libcdb.a"
|
||||
% make
|
||||
|
||||
Alternatively, for the D.J.B. version of CDB:
|
||||
@ -50,9 +50,20 @@ Alternatively, for the D.J.B. version of CDB:
|
||||
% make tidy
|
||||
% CDB=../../../cdb-0.75
|
||||
% make -f Makefile.init makefiles "CCARGS=-DHAS_CDB -I$CDB" \
|
||||
"AUXLIBS=$CDB/cdb.a $CDB/alloc.a $CDB/buffer.a $CDB/unix.a $CDB/byte.a"
|
||||
"AUXLIBS_CDB=$CDB/cdb.a $CDB/alloc.a $CDB/buffer.a $CDB/unix.a $CDB/
|
||||
byte.a"
|
||||
% make
|
||||
|
||||
Postfix versions before 3.0 use AUXLIBS instead of AUXLIBS_CDB. With Postfix
|
||||
3.0 and later, the old AUXLIBS variable still supports building a statically-
|
||||
loaded CDB database client, but only the new AUXLIBS_CDB variable supports
|
||||
building a dynamically-loaded or statically-loaded CDB database client.
|
||||
|
||||
Failure to use the AUXLIBS_CDB variable will defeat the purpose of dynamic
|
||||
database client loading. Every Postfix executable file will have CDB
|
||||
database library dependencies. And that was exactly what dynamic database
|
||||
client loading was meant to avoid.
|
||||
|
||||
After Postfix has been built with cdb support, you can use "cdb" tables
|
||||
wherever you can use read-only "hash", "btree" or "dbm" tables. However, the
|
||||
"ppoossttmmaapp --ii" (incremental record insertion) and "ppoossttmmaapp --dd" (incremental
|
||||
|
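Review bot: In the D.J.B. CDB example the new AUXLIBS_CDB value is wrapped in the middle of a pathname, as `$CDB/unix.a $CDB/` followed by `byte.a"` on the next line, so the command no longer works when pasted. Suggest breaking the line between arguments with a backslash continuation, the way the CCARGS line above it does.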
205
external/ibm-public/postfix/dist/README_FILES/COMPATIBILITY_README
vendored
Normal file
@ -0,0 +1,205 @@
|
||||
PPoossttffiixx BBaacckkwwaarrddss--CCoommppaattiibbiilliittyy SSaaffeettyy NNeett
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
|
||||
PPuurrppoossee ooff tthhiiss ddooccuummeenntt
|
||||
|
||||
Postfix 3.0 introduces a safety net that runs Postfix programs with backwards-
|
||||
compatible default settings after an upgrade. The safety net will log a warning
|
||||
whenever a "new" default setting could have an negative effect on your mail
|
||||
flow.
|
||||
|
||||
This document provides information on the following topics:
|
||||
|
||||
* Detailed descriptions of Postfix backwards-compatibility warnings.
|
||||
|
||||
* What backwards-compatible settings you may have to make permanent in
|
||||
main.cf or master.cf.
|
||||
|
||||
* How to turn off Postfix backwards-compatibility warnings.
|
||||
|
||||
OOvveerrvviieeww
|
||||
|
||||
With backwards compatibility turned on, Postfix logs a message whenever a
|
||||
backwards-compatible default setting may be required for continuity of service.
|
||||
Based on this logging the system administrator can decide if any backwards-
|
||||
compatible settings need to be made permanent in main.cf or master.cf, before
|
||||
turning off the backwards-compatibility safety net as described at the end of
|
||||
this document.
|
||||
|
||||
The following messages may be logged:
|
||||
|
||||
* Using backwards-compatible default setting append_dot_mydomain=yes
|
||||
|
||||
* Using backwards-compatible default setting chroot=y
|
||||
|
||||
* Using backwards-compatible default setting mynetworks_style=subnet
|
||||
|
||||
* Using backwards-compatible default setting relay_domains=$mydestination
|
||||
|
||||
* Using backwards-compatible default setting smtputf8_enable=no
|
||||
|
||||
If such a message is logged in the context of a legitimate request, the system
|
||||
administrator should make the backwards-compatible setting permanent in main.cf
|
||||
or master.cf, as detailed in the sections that follow.
|
||||
|
||||
When no more backwards-compatible settings need to be made permanent, the
|
||||
system administrator should turn off the backwards-compatibility safety net as
|
||||
described at the end of this document.
|
||||
|
||||
UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg aappppeenndd__ddoott__mmyyddoommaaiinn==yyeess
|
||||
|
||||
The append_dot_mydomain default value has changed from "yes" to "no". As long
|
||||
as the append_dot_mydomain parameter is left at its implicit default value, and
|
||||
the backwards-compatible default setting is turned on, Postfix may log one of
|
||||
the following messages:
|
||||
|
||||
* Messages about missing "localhost" in mydestination or other address class:
|
||||
|
||||
postfix/trivial-rewrite[14777]: using backwards-compatible
|
||||
default setting append_dot_mydomain=yes to rewrite
|
||||
"localhost" to "localhost.example.com"; please add
|
||||
"localhost" to mydestination or other address class
|
||||
|
||||
If Postfix logs the above message, add "localhost" to mydestination (or
|
||||
virtual_alias_domains, virtual_mailbox_domains, or relay_domains) and
|
||||
execute the command "ppoossttffiixx rreellooaadd".
|
||||
|
||||
* Messages about incomplete domains in email addresses:
|
||||
|
||||
postfix/trivial-rewrite[25835]: using backwards-compatible
|
||||
default setting append_dot_mydomain=yes to rewrite "foo" to
|
||||
"foo.example.com"
|
||||
|
||||
If Postfix logs the above message for domains different from "localhost",
|
||||
and the sender cannot be changed to use complete domain names in email
|
||||
addresses, then the system administrator should make the backwards-
|
||||
compatible setting "append_dot_mydomain = yes" permanent in main.cf:
|
||||
|
||||
# ppoossttccoonnff aappppeenndd__ddoott__mmyyddoommaaiinn==yyeess
|
||||
# ppoossttffiixx rreellooaadd
|
||||
|
||||
UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg cchhrroooott==yy
|
||||
|
||||
The master.cf chroot default value has changed from "y" (yes) to "n" (no). As
|
||||
long as a master.cf chroot field is left at its implicit default value, and the
|
||||
backwards-compatible default setting is turned on, Postfix may log the
|
||||
following message while it reads the master.cf file:
|
||||
|
||||
postfix/master[27664]: /etc/postfix/master.cf: line 72: using
|
||||
backwards-compatible default setting chroot=y
|
||||
|
||||
If this service should remain chrooted, then the system administrator should
|
||||
make the backwards-compatible setting "chroot = y" permanent in master.cf. For
|
||||
example, to update the chroot setting for the "smtp inet" service:
|
||||
|
||||
# ppoossttccoonnff --FF ssmmttpp//iinneett//cchhrroooott==yy
|
||||
# ppoossttffiixx rreellooaadd
|
||||
|
||||
UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg mmyynneettwwoorrkkss__ssttyyllee==ssuubbnneett
|
||||
|
||||
The mynetworks_style default value has changed from "subnet" to "host". This
|
||||
parameter is used to implement the "permit_mynetworks" feature. As long as the
|
||||
mynetworks and mynetworks_style parameters are left at their implicit default
|
||||
values, and the backwards-compatible default setting is turned on, the Postfix
|
||||
SMTP server may log one of the following messages:
|
||||
|
||||
postfix/smtpd[17375]: using backwards-compatible default setting
|
||||
mynetworks_style=subnet to permit request from client
|
||||
"foo.example.com[10.1.1.1]"
|
||||
|
||||
postfix/postscreen[24982]: using backwards-compatible default
|
||||
setting mynetworks_style=subnet to permit request from client
|
||||
"10.1.1.1"
|
||||
|
||||
If the client request should not be rejected, then the system administrator
|
||||
should make the backwards-compatible setting "mynetworks_style = subnet"
|
||||
permanent in main.cf:
|
||||
|
||||
# ppoossttccoonnff mmyynneettwwoorrkkss__ssttyyllee==ssuubbnneett
|
||||
# ppoossttffiixx rreellooaadd
|
||||
|
||||
UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg rreellaayy__ddoommaaiinnss==$$mmyyddeessttiinnaattiioonn
|
||||
|
||||
The relay_domains default value has changed from "$mydestination" to the empty
|
||||
value. As long as the relay_domains parameter is left at its implicit default
|
||||
value, and the backwards-compatible default setting is turned on, Postfix may
|
||||
log one of the following messages.
|
||||
|
||||
* Messages about accepting mail for a remote domain:
|
||||
|
||||
postfix/smtpd[19052]: using backwards-compatible default setting
|
||||
relay_domains=$mydestination to accept mail for domain
|
||||
"foo.example.com"
|
||||
|
||||
postfix/smtpd[19052]: using backwards-compatible default setting
|
||||
relay_domains=$mydestination to accept mail for address
|
||||
"user@foo.example.com"
|
||||
|
||||
* Messages about providing ETRN service for a remote domain:
|
||||
|
||||
postfix/smtpd[19138]: using backwards-compatible default setting
|
||||
relay_domains=$mydestination to flush mail for domain
|
||||
"bar.example.com"
|
||||
|
||||
postfix/smtp[13945]: using backwards-compatible default setting
|
||||
relay_domains=$mydestination to update fast-flush logfile for
|
||||
domain "bar.example.com"
|
||||
|
||||
If Postfix should continue to accept mail for that domain or continue to
|
||||
provide ETRN service for that domain, then the system administrator should make
|
||||
the backwards-compatible setting "relay_domains = $mydestination" permanent in
|
||||
main.cf:
|
||||
|
||||
# ppoossttccoonnff ''rreellaayy__ddoommaaiinnss==$$mmyyddeessttiinnaattiioonn''
|
||||
# ppoossttffiixx rreellooaadd
|
||||
|
||||
Note: quotes are required as indicated above.
|
||||
|
||||
Instead of $mydestination, it may be better to specify an explicit list of
|
||||
domain names.
|
||||
|
||||
UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg ssmmttppuuttff88__eennaabbllee==nnoo
|
||||
|
||||
The smtputf8_enable default value has changed from "no" to "yes. With the new
|
||||
"yes" setting, the Postfix SMTP server rejects non-ASCII addresses from clients
|
||||
that don't request SMTPUTF8 support. With the old "no" setting, Postfix will
|
||||
accept such addresses, even if such addresses are not permitted by traditional
|
||||
SMTP standards.
|
||||
|
||||
As long as the smtputf8_enable parameter is left at its implicit default value,
|
||||
and the backwards-compatible default setting is turned on, Postfix logs a
|
||||
warning each time an SMTP command uses a non-ASCII address localpart without
|
||||
requesting SMTPUTF8 support:
|
||||
|
||||
postfix/smtpd[27560]: using backwards-compatible default setting
|
||||
smtputf8_enable=no to accept non-ASCII sender address
|
||||
"??@example.org" from localhost[127.0.0.1]
|
||||
|
||||
postfix/smtpd[27560]: using backwards-compatible default setting
|
||||
smtputf8_enable=no to accept non-ASCII recipient address
|
||||
"??@example.com" from localhost[127.0.0.1]
|
||||
|
||||
If the address should not be rejected, and the client cannot be updated to use
|
||||
SMTPUTF8, then the system administrator should make the backwards-compatible
|
||||
setting "smtputf8_enable = no" permanent in main.cf:
|
||||
|
||||
# ppoossttccoonnff ssmmttppuuttff88__eennaabbllee==nnoo
|
||||
# ppoossttffiixx rreellooaadd
|
||||
|
||||
TTuurrnniinngg ooffff tthhee bbaacckkwwaarrddss--ccoommppaattiibbiilliittyy ssaaffeettyy nneett
|
||||
|
||||
Backwards compatibility is turned off by updating the compatibility_level
|
||||
setting in main.cf.
|
||||
|
||||
# ppoossttccoonnff ccoommppaattiibbiilliittyy__lleevveell==NN
|
||||
# ppoossttffiixx rreellooaadd
|
||||
|
||||
For N specify the number that is logged in your postfix(1) warning message:
|
||||
|
||||
warning: To disable backwards compatibility use "postconf
|
||||
compatibility_level=N" and "postfix reload"
|
||||
|
||||
Sites that don't care about backwards compatibility may set
|
||||
"compatibility_level = 9999" at their own risk.
|
||||
|
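Review bot: The mynetworks_style section tells the administrator to make "mynetworks_style = subnet" permanent whenever a logged client "should not be rejected", which restores relay permission for every attached subnet on the strength of one client. The relay_domains section already adds "it may be better to specify an explicit list of domain names"; suggest the equivalent advice here, that is, an explicit mynetworks list covering only the clients seen in the log. Two typos in the same file: "could have an negative effect" should be "a negative effect", and the smtputf8_enable section is missing a closing quote in `from "no" to "yes.`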
@ -212,6 +212,12 @@ To find out what database types your Postfix system supports, use the "ppooss
|
||||
are created with the postmap(1) or postalias(1) command, and private
|
||||
databases are maintained by Postfix daemons. The database name as used
|
||||
in "hash:table" is the database file name without the ".db" suffix.
|
||||
iinnlliinnee (read-only)
|
||||
A non-shared, in-memory lookup table. Example: "inline:{ key=value,
|
||||
{ key = text with whitespace or comma }}". Key-value pairs are
|
||||
separated by whitespace or comma; whitespace after "{" and before "}"
|
||||
is ignored. Inline tables eliminate the need to create a database file
|
||||
for just a few fixed elements. See also the static: map type.
|
||||
iinntteerrnnaall
|
||||
A non-shared, in-memory hash table. Its content are lost when a process
|
||||
terminates.
|
||||
@ -242,12 +248,26 @@ To find out what database types your Postfix system supports, use the "ppooss
|
||||
A lookup table based on Perl Compatible Regular Expressions. The file
|
||||
format is described in pcre_table(5). The lookup table name as used in
|
||||
"pcre:table" is the name of the regular expression file.
|
||||
ppiippeemmaapp (read-only)
|
||||
A pipeline of lookup tables. Example: "pipemap:{type1:name1, ...,
|
||||
typen:namen}". Each "pipemap:" query is given to the first table. Each
|
||||
lookup result becomes the query for the next table in the pipeline, and
|
||||
the last table produces the final result. When any table lookup
|
||||
produces no result, the pipeline produces no result. The first and last
|
||||
characters of the "pipemap:" table name must be "{" and "}". Within
|
||||
these, individual maps are separated with comma or whitespace.
|
||||
ppggssqqll (read-only)
|
||||
PostgreSQL database client. Configuration details are given in
|
||||
pgsql_table(5).
|
||||
pprrooxxyy
|
||||
Postfix proxymap(8) client for shared access to Postfix databases. The
|
||||
lookup table name syntax is "proxy:type:table".
|
||||
rraannddmmaapp (read-only)
|
||||
An in-memory table that performs random selection. Example: "randmap:
|
||||
{result1. ..., resultn}". Each table query returns a random choice from
|
||||
the specified results. The first and last characters of the "randmap:
|
||||
" table name must be "{" and "}". Within these, individual maps are
|
||||
separated with comma or whitespace.
|
||||
rreeggeexxpp (read-only)
|
||||
A lookup table based on regular expressions. The file format is
|
||||
described in regexp_table(5). The lookup table name as used in "regexp:
|
||||
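Review bot: The randmap example reads `"randmap:{result1. ..., resultn}"` with a period after result1 where the pipemap example uses a comma; this looks like a typo for `result1, ...`. The closing sentence "individual maps are separated with comma or whitespace" was carried over from pipemap, but randmap takes results, not maps, so it should say "individual results". The wrapped text also splits the quoted name as `"randmap:` / `" table name`, which leaves a stray space inside the quotes.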
@ -268,6 +288,9 @@ To find out what database types your Postfix system supports, use the "ppooss
|
||||
ssttaattiicc (read-only)
|
||||
A table that always returns its name as the lookup result. For example,
|
||||
"static:foobar" always returns the string "foobar" as lookup result.
|
||||
Specify "static:{ text with whitespace }" when the result contains
|
||||
whitespace; this form ignores whitespace after "{" and before "}". See
|
||||
also the inline: map type.
|
||||
ttccpp
|
||||
TCP/IP client. The protocol is described in tcp_table(5). The lookup
|
||||
table name is "tcp:host:port" where "host" specifies a symbolic
|
||||
@ -279,6 +302,10 @@ To find out what database types your Postfix system supports, use the "ppooss
|
||||
and that texthash: does not detect changes after the file is read. The
|
||||
lookup table name is "texthash:filename", where the file name is taken
|
||||
literally; no suffix is appended.
|
||||
uunniioonnmmaapp (read-only)
|
||||
A table that sends each query to multiple lookup tables and that
|
||||
concatenates all found results, separated by comma. The table name
|
||||
syntax is the same as for pipemap tables.
|
||||
uunniixx (read-only)
|
||||
A limited view of the UNIX authentication database. The following
|
||||
tables are implemented:
|
||||
|
@ -373,8 +373,12 @@ When reporting a problem, be sure to include the following information.
|
||||
host names consistently. Replace each letter by "A", each digit by "D" so
|
||||
that the helpers can still recognize syntactical errors.
|
||||
|
||||
* Output from "ppoossttccoonnff --nn". Please do not send your main.cf file, or 500+
|
||||
lines of ppoossttccoonnff output.
|
||||
* Command output from:
|
||||
|
||||
o "ppoossttccoonnff --nn". Please do not send your main.cf file, or 1000+ lines of
|
||||
ppoossttccoonnff command output.
|
||||
|
||||
o "ppoossttccoonnff --MMff" (Postfix 2.9 or later).
|
||||
|
||||
* Better, provide output from the ppoossttffiinnggeerr tool. This can be found at http:
|
||||
//ftp.wl0.org/SOURCES/postfinger.
|
||||
|
@ -124,7 +124,8 @@ EEDDHH SSeerrvveerr ssuuppppoorrtt
|
||||
Postfix >= 2.2 support 1024-bit-prime EDH out of the box, with no additional
|
||||
configuration, but you may want to override the default prime to be 2048 bits
|
||||
long, and you may want to regenerate your primes periodically. See the quick-
|
||||
start section for details.
|
||||
start section for details. With Postfix >= 3.1 the out of the box (compiled-in)
|
||||
EDH prime size is 2048 bits.
|
||||
|
||||
With prime-field EDH, OpenSSL wants the server to provide two explicitly-
|
||||
selected (prime, generator) combinations. One for the now long-obsolete
|
||||
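Review bot: The paragraph now opens with "Postfix >= 2.2 support 1024-bit-prime EDH out of the box" and ends with "With Postfix >= 3.1 the out of the box (compiled-in) EDH prime size is 2048 bits", so the first sentence is no longer accurate for 3.1 and later, and the advice "you may want to override the default prime to be 2048 bits long" is left without a version qualifier. Suggest restating the first sentence with an upper bound (1024 bits for releases before 3.1) so the two statements do not contradict each other.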
@ -135,7 +136,9 @@ configured overrides.
|
||||
* The "export" EDH parameters are used only with the obsolete "export"
|
||||
ciphers. To use a non-default prime, generate a 512-bit DH parameter file
|
||||
and set smtpd_tls_dh512_param_file to the filename (see the quick-start
|
||||
section for details).
|
||||
section for details). With Postfix releases after the middle of 2015 the
|
||||
default opportunistic TLS cipher grade (smtpd_tls_ciphers) is "medium" or
|
||||
stronger, and export ciphers are no longer used.
|
||||
|
||||
* The non-export EDH parameters are used for all other EDH cipher suites. To
|
||||
use a non-default prime, generate a 1024-bit or 2048-bit DH parameter file
|
||||
@ -143,9 +146,10 @@ configured overrides.
|
||||
is simply the non-export parameter file and the prime need not actually be
|
||||
1024 bits long (see the quick-start section for details).
|
||||
|
||||
It turns out that (inadvisably-patched in some Debian releases) Exim SMTP
|
||||
clients require a >= 2048-bit length for the non-export prime. See the quick-
|
||||
start section for the recommended configuration to work around this issue.
|
||||
As of mid-2015, SMTP clients are starting to reject TLS handshakes with primes
|
||||
smaller than 2048 bits. Each site needs to determine which prime size works
|
||||
best for the majority of its clients. See the quick-start section for the
|
||||
recommended configuration to work around this issue.
|
||||
|
||||
EEEECCDDHH SSeerrvveerr ssuuppppoorrtt
|
||||
|
||||
@ -181,31 +185,38 @@ main.cf.
|
||||
FFoorrwwaarrdd SSeeccrreeccyy iinn tthhee PPoossttffiixx SSMMTTPP CClliieenntt
|
||||
|
||||
The Postfix >= 2.2 SMTP client supports forward secrecy in its default
|
||||
configuration. No configuration changes are needed besides turning on elliptic-
|
||||
curve support with Postfix 2.6 and 2.7 (see the quick-start section). If the
|
||||
remote SMTP server supports cipher suites with forward secrecy (and does not
|
||||
override the SMTP client's cipher preference), then the traffic between the
|
||||
server and client will resist decryption even if the server's long-term
|
||||
authentication keys are later compromised.
|
||||
configuration. All supported OpenSSL releases support EDH key exchange. OpenSSL
|
||||
releases >= 1.0.0 also support EECDH key exchange (provided elliptic-curve
|
||||
support has not been disabled by the vendor as in some versions of RedHat
|
||||
Linux). If the remote SMTP server supports cipher suites with forward secrecy
|
||||
(and does not override the SMTP client's cipher preference), then the traffic
|
||||
between the server and client will resist decryption even if the server's long-
|
||||
term authentication keys are later compromised.
|
||||
|
||||
The default Postfix SMTP client cipher lists are correctly ordered to prefer
|
||||
EECDH and EDH cipher suites ahead of similar cipher suites that don't implement
|
||||
forward secrecy. Administrators are strongly discouraged from changing the
|
||||
cipher list definitions. It is likely safe to set "smtp_tls_ciphers = medium"
|
||||
if you wish to disable the obsolete "export" and "low" grade ciphers even with
|
||||
opportunistic TLS. Setting a minimum strength does not change the preference
|
||||
order. Note that strengths higher than "medium" exclude Exchange 2003 and
|
||||
likely other widely used MTAs, thus "high" grade ciphers should only be used on
|
||||
a case-by-case basis via the TLS policy table.
|
||||
cipher list definitions.
|
||||
|
||||
The default minimum cipher grade for opportunistic TLS is "medium" for Postfix
|
||||
releases after the middle of 2015, "export" for older releases. Changing the
|
||||
minimum cipher grade does not change the cipher preference order. Note that
|
||||
cipher grades higher than "medium" exclude Exchange 2003 and likely other MTAs,
|
||||
thus a "high" cipher grade should be chosen only on a case-by-case basis via
|
||||
the TLS policy table.
|
||||
|
||||
GGeettttiinngg ssttaarrtteedd,, qquuiicckk aanndd ddiirrttyy
|
||||
|
||||
EEEECCDDHH CClliieenntt aanndd sseerrvveerr ssuuppppoorrtt ((PPoossttffiixx >>== 22..66 wwiitthh OOppeennSSSSLL >>== 11..00..00))
|
||||
EEEECCDDHH CClliieenntt ssuuppppoorrtt ((PPoossttffiixx >>== 22..22 wwiitthh OOppeennSSSSLL >>== 11..00..00))
|
||||
|
||||
This works "out of the box" without additional configuration.
|
||||
|
||||
EEEECCDDHH SSeerrvveerr ssuuppppoorrtt ((PPoossttffiixx >>== 22..66 wwiitthh OOppeennSSSSLL >>== 11..00..00))
|
||||
|
||||
With Postfix 2.6 and 2.7, enable elliptic-curve support in the Postfix SMTP
|
||||
client and server. This is the default with Postfix >= 2.8. Note, however, that
|
||||
elliptic-curve support may be disabled by the vendor, as in some versions of
|
||||
RedHat Linux.
|
||||
server. This is the default with Postfix >= 2.8. Note, however, that elliptic-
|
||||
curve support may be disabled by the vendor, as in some versions of RedHat
|
||||
Linux.
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
# Postfix 2.6 or 2.7 only. This is default with Postfix 2.8 and later.
|
||||
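Review bot: "The default minimum cipher grade for opportunistic TLS is "medium" for Postfix releases after the middle of 2015, "export" for older releases" identifies the behaviour change by calendar date only, and the same wording appears in the export-parameters bullet of the previous hunk. An administrator checking a running system knows its version or mail_release_date, not whether it counts as "after the middle of 2015". Suggest naming the releases or patchlevels where the default changed. Separately, the rewritten paragraph drops the earlier sentence saying it is likely safe to set "smtp_tls_ciphers = medium"; readers on older releases, where the default is still "export", lose that guidance.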
@ -251,7 +262,10 @@ the submission entry in master.cf accordingly:
|
||||
/etc/postfix/master.cf:
|
||||
submission inet n - n - - smtpd
|
||||
# Some submission clients may not yet do 2048-bit EDH, if such
|
||||
# clients use your MSA, configure 1024-bit EDH instead:
|
||||
# clients use your MSA, configure 1024-bit EDH instead. However,
|
||||
# as of mid-2015, many submission clients no longer accept primes
|
||||
# with less than 2048-bits. Each site needs to determine which
|
||||
# type of client is more important to support.
|
||||
-o smtpd_tls_dh1024_param_file=${config_directory}/dh1024.pem
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
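Review bot: The extended comment now says that many submission clients no longer accept primes shorter than 2048 bits, yet the example entry still carries an active `-o smtpd_tls_dh1024_param_file=${config_directory}/dh1024.pem` override directly below it. Anyone copying the submission entry as shown gets 1024-bit EDH by default. Suggest commenting out that override in the example, or stating explicitly that the line should be included only by sites that have decided to favour the older clients. Minor wording: "less than 2048-bits" should be "fewer than 2048 bits".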
@ -402,8 +416,8 @@ peer certificate with expected public-key or certificate fingerprint)
|
||||
|
||||
PPoossttffiixx SSMMTTPP sseerrvveerr:: The status is never "Verified", because the Postfix
|
||||
SMTP server never verifies the remote SMTP client name against the names in
|
||||
the client certificate, and because the Postfix SMTP does not expect a
|
||||
specific fingerprint in the client public key or certificate.
|
||||
the client certificate, and because the Postfix SMTP server does not expect
|
||||
a specific fingerprint in the client public key or certificate.
|
||||
|
||||
CCrreeddiittss
|
||||
|
||||
|
@ -52,14 +52,24 @@ this in the top level of your Postfix source tree should work:
|
||||
|
||||
% make tidy
|
||||
% make makefiles CCARGS="-I/usr/local/include -DHAS_LDAP" \
|
||||
AUXLIBS="-L/usr/local/lib -lldap -L/usr/local/lib -llber"
|
||||
AUXLIBS_LDAP="-L/usr/local/lib -lldap -L/usr/local/lib -llber"
|
||||
|
||||
Postfix versions before 3.0 use AUXLIBS instead of AUXLIBS_LDAP. With Postfix
|
||||
3.0 and later, the old AUXLIBS variable still supports building a statically-
|
||||
loaded LDAP database client, but only the new AUXLIBS_LDAP variable supports
|
||||
building a dynamically-loaded or statically-loaded LDAP database client.
|
||||
|
||||
Failure to use the AUXLIBS_LDAP variable will defeat the purpose of dynamic
|
||||
database client loading. Every Postfix executable file will have LDAP
|
||||
database library dependencies. And that was exactly what dynamic database
|
||||
client loading was meant to avoid.
|
||||
|
||||
On Solaris 2.x you may have to specify run-time link information, otherwise
|
||||
ld.so will not find some of the shared libraries:
|
||||
|
||||
% make tidy
|
||||
% make makefiles CCARGS="-I/usr/local/include -DHAS_LDAP" \
|
||||
AUXLIBS="-L/usr/local/lib -R/usr/local/lib -lldap \
|
||||
AUXLIBS_LDAP="-L/usr/local/lib -R/usr/local/lib -lldap \
|
||||
-L/usr/local/lib -R/usr/local/lib -llber"
|
||||
|
||||
The 'make tidy' command is needed only if you have previously built Postfix
|
||||
|
@ -28,13 +28,23 @@ Postfix normally does not enable LMDB support. To build Postfix with LMDB
|
||||
support, use something like:
|
||||
|
||||
% make makefiles CCARGS="-DHAS_LMDB -I/usr/local/include" \
|
||||
AUXLIBS="-L/usr/local/lib -llmdb"
|
||||
AUXLIBS_LMDB="-L/usr/local/lib -llmdb"
|
||||
% make
|
||||
|
||||
Postfix versions before 3.0 use AUXLIBS instead of AUXLIBS_LMDB. With Postfix
|
||||
3.0 and later, the old AUXLIBS variable still supports building a statically-
|
||||
loaded LMDB database client, but only the new AUXLIBS_LMDB variable supports
|
||||
building a dynamically-loaded or statically-loaded LMDB database client.
|
||||
|
||||
Failure to use the AUXLIBS_LMDB variable will defeat the purpose of dynamic
|
||||
database client loading. Every Postfix executable file will have LMDB
|
||||
database library dependencies. And that was exactly what dynamic database
|
||||
client loading was meant to avoid.
|
||||
|
||||
Solaris may need this:
|
||||
|
||||
% make makefiles CCARGS="-DHAS_LMDB -I/usr/local/include" \
|
||||
AUXLIBS="-R/usr/local/lib -L/usr/local/lib -llmdb"
|
||||
AUXLIBS_LMDB="-R/usr/local/lib -L/usr/local/lib -llmdb"
|
||||
% make
|
||||
|
||||
The exact pathnames depend on how LMDB was installed.
|
||||
@ -47,7 +57,7 @@ When building Postfix fails with:
|
||||
|
||||
Add the "-lpthread" library to the "make makefiles" command.
|
||||
|
||||
% make makefiles .... AUXLIBS="... -lpthread"
|
||||
% make makefiles .... AUXLIBS_LMDB="... -lpthread"
|
||||
|
||||
CCoonnffiigguurriinngg LLMMDDBB sseettttiinnggss
|
||||
|
||||
|
@ -12,11 +12,9 @@ is queued.
|
||||
|
||||
The reason for adding Milter support to Postfix is that there exists a large
|
||||
collection of applications, not only to block unwanted mail, but also to verify
|
||||
authenticity (examples: OpenDKIM, DomainKeys Identified Mail (DKIM),
|
||||
SenderID+SPF and DomainKeys) or to digitally sign mail (examples: OpenDKIM,
|
||||
DomainKeys Identified Mail (DKIM), DomainKeys). Having yet another Postfix-
|
||||
specific version of all that software is a poor use of human and system
|
||||
resources.
|
||||
authenticity (examples: OpenDKIM and DMARC) or to digitally sign mail (example:
|
||||
OpenDKIM). Having yet another Postfix-specific version of all that software is
|
||||
a poor use of human and system resources.
|
||||
|
||||
The Milter protocol has evolved over time, and different Postfix versions
|
||||
implement different feature sets. See the workarounds and limitations sections
|
||||
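Review bot: "examples: OpenDKIM and DMARC" pairs an application name with a protocol name, while the build section later in this file names the application "OpenDMARC". Suggest "examples: OpenDKIM and OpenDMARC" so that both examples are Milter applications a reader can look up.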
@ -89,51 +87,26 @@ deals with C applications only. For these, you need an object library that
|
||||
implements the Sendmail 8 Milter protocol. Postfix currently does not provide
|
||||
such a library, but Sendmail does.
|
||||
|
||||
* The first option is to use a pre-compiled library. Some systems install the
|
||||
Sendmail libmilter library by default. With other systems, libmilter may be
|
||||
provided by a package (called "sendmail-devel" on some Linux systems).
|
||||
Some systems install the Sendmail libmilter library by default. With other
|
||||
systems, libmilter may be provided by a package (called "sendmail-devel" on
|
||||
some Linux systems).
|
||||
|
||||
Once libmilter is installed, applications such as OpenDKIM, dkim-milter and
|
||||
sid-milter build out of the box without requiring any tinkering:
|
||||
Once libmilter is installed, applications such as OpenDKIM and OpenDMARC build
|
||||
out of the box without requiring any tinkering:
|
||||
|
||||
$ ggzzccaatt ooppeennddkkiimm--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
|
||||
$ ccdd ooppeennddkkiimm--xx..yy..zz
|
||||
$ ..//ccoonnffiigguurree ......ooppttiioonnss......
|
||||
$ mmaakkee
|
||||
[...lots of output omitted...]
|
||||
$ mmaakkee iinnssttaallll
|
||||
|
||||
$ ggzzccaatt ddkkiimm--mmiilltteerr--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
|
||||
$ ccdd ddkkiimm--mmiilltteerr--xx..yy..zz
|
||||
$ mmaakkee
|
||||
[...lots of output omitted...]
|
||||
|
||||
* The other option is to build the libmilter library from Sendmail source
|
||||
code:
|
||||
|
||||
$ ggzzccaatt sseennddmmaaiill--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
|
||||
$ ccdd sseennddmmaaiill--xx..yy..zz//lliibbmmiilltteerr
|
||||
$ mmaakkee
|
||||
[...lots of output omitted...]
|
||||
|
||||
After building your own libmilter library, follow the installation
|
||||
instructions in the Milter application source distribution to specify the
|
||||
location of the libmilter include files and object library. Typically,
|
||||
these settings are configured in a file named sid-filter/Makefile.m4 or
|
||||
similar:
|
||||
|
||||
APPENDDEF(`confINCDIRS', `-I/some/where/sendmail-x.y.z/include')
|
||||
APPENDDEF(`confLIBDIRS', `-L/some/where/sendmail-x.y.z/obj.systemtype/
|
||||
libmilter')
|
||||
|
||||
Then build the Milter application.
|
||||
$ ggzzccaatt ooppeennddkkiimm--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
|
||||
$ ccdd ooppeennddkkiimm--xx..yy..zz
|
||||
$ ..//ccoonnffiigguurree ......ooppttiioonnss......
|
||||
$ mmaakkee
|
||||
[...lots of output omitted...]
|
||||
$ mmaakkee iinnssttaallll
|
||||
|
||||
RRuunnnniinngg MMiilltteerr aapppplliiccaattiioonnss
|
||||
|
||||
To run a Milter application, see the documentation of the filter for options. A
|
||||
typical command looks like this:
|
||||
|
||||
# //ssoommee//wwhheerree//ddkkiimm--ffiilltteerr --uu uusseerriidd --pp iinneett::ppoorrttnnuummbbeerr@@llooccaallhhoosstt ......ootthheerr
|
||||
# //ssoommee//wwhheerree//ooppeennddkkiimm --ll --uu uusseerriidd --pp iinneett::ppoorrttnnuummbbeerr@@llooccaallhhoosstt ......ootthheerr
|
||||
ooppttiioonnss......
|
||||
|
||||
Please specify a userid value that isn't used for other applications (not
|
||||
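Review bot: With the "build the libmilter library from Sendmail source code" option taken out, the section still opens by saying that Postfix does not provide a libmilter library, but it no longer tells the reader what to do when neither the base system nor a package such as "sendmail-devel" supplies one. Suggest keeping a one-line pointer to the Sendmail source distribution for that case.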
@ -142,10 +115,9 @@ Please specify a userid value that isn't used for other applications (not
|
||||
CCoonnffiigguurriinngg PPoossttffiixx
|
||||
|
||||
Like Sendmail, Postfix has a lot of configuration options that control how it
|
||||
talks to Milter applications. With the initial Postfix Milter protocol
|
||||
implementation, many options are global, that is, they apply to all Milter
|
||||
applications. Future Postfix versions may support per-Milter timeouts, per-
|
||||
Milter error handling, etc.
|
||||
talks to Milter applications. Besides global options that apply to all Milter
|
||||
applications, Postfix 3.0 and later support per-Milter timeouts, per-Milter
|
||||
error handling, etc.
|
||||
|
||||
Information in this section:
|
||||
|
||||
@ -154,7 +126,9 @@ Information in this section:
|
||||
* Milter error handling
|
||||
* Milter protocol version
|
||||
* Milter protocol timeouts
|
||||
* Different settings for different Milter applications
|
||||
* Sendmail macro emulation
|
||||
* What macros will Postfix send to Milters?
|
||||
|
||||
SSMMTTPP--OOnnllyy MMiilltteerr aapppplliiccaattiioonnss
|
||||
|
||||
@ -164,10 +138,11 @@ mail from authorized SMTP clients. Mail that arrives via the Postfix smtpd(8)
|
||||
server is not filtered by the non-SMTP filters that are described in the next
|
||||
section.
|
||||
|
||||
NOTE: Do not use the header_checks(5) IGNORE action to remove Postfix's own
|
||||
Received: message header. This causes problems with mail signing filters.
|
||||
Instead, keep Postfix's own Received: message header and use the header_checks
|
||||
(5) REPLACE action to sanitize information.
|
||||
NOTE for Postfix versions that have a mail_release_date before 20141018: do
|
||||
not use the header_checks(5) IGNORE action to remove Postfix's own
|
||||
Received: message header. This causes problems with mail signing filters.
|
||||
Instead, keep Postfix's own Received: message header and use the
|
||||
header_checks(5) REPLACE action to sanitize information.
|
||||
|
||||
You specify SMTP-only Milter applications (there can be more than one) with the
|
||||
smtpd_milters parameter. Each Milter application is identified by the name of
|
||||
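Review bot: The NOTE is now scoped to versions with a mail_release_date before 20141018, but it does not say what changed on that date, so a reader on a later version cannot tell whether using header_checks(5) IGNORE on Postfix's own Received: header is now safe with signing filters. Suggest adding one sentence that states the behaviour for 20141018 and later.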
@ -247,7 +222,22 @@ must not REJECT or TEMPFAIL simulated RCPT TO commands. When a
|
||||
non_smtpd_milters application REJECTs or TEMPFAILs a recipient, Postfix will
|
||||
report a configuration error, and mail will stay in the queue.
|
||||
|
||||
None of this is a problem for mail filters that digitally sign mail.
|
||||
SSiiggnniinngg iinntteerrnnaallllyy--ggeenneerraatteedd bboouunnccee mmeessssaaggeess
|
||||
|
||||
Postfix normally does not apply content filters to mail that is generated
|
||||
internally such as bounces or Postmaster notifications. Filtering internally-
|
||||
generated bounces would result in loss of mail when a filter rejects a message,
|
||||
as the resulting double-bounce message would almost certainly also be blocked.
|
||||
|
||||
To sign Postfix's own bounce messages, enable filtering of internally-generated
|
||||
bounces (line 2 below), and don't reject any internally-generated bounces with
|
||||
non_smtpd_milters, header_checks or body_checks (lines 3-5 below).
|
||||
|
||||
1 /etc/postfix/main.cf:
|
||||
2 internal_mail_filter_classes = bounce
|
||||
3 non_smtpd_milters = don't reject internally-generated bounces
|
||||
4 header_checks = don't reject internally-generated bounces
|
||||
5 body_checks = don't reject internally-generated bounces
|
||||
|
||||
MMiilltteerr eerrrroorr hhaannddlliinngg
|
||||
|
||||
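Review bot: In the main.cf example, lines 3-5 put prose in the value position ("non_smtpd_milters = don't reject internally-generated bounces"), which looks like a literal setting and is not valid configuration if copied. Suggest writing these three lines as comments or clearly marked placeholders. Since the preceding paragraph explains that a rejected bounce leads to lost mail, it would also help to say that every filter listed there must be checked for reject and tempfail actions before internal_mail_filter_classes = bounce is enabled.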
@ -263,6 +253,9 @@ the message in the "hold" queue, and is available with Postfix 2.6 or later.
|
||||
# or quarantine (Postfix 2.6 or later).
|
||||
milter_default_action = tempfail
|
||||
|
||||
See "Different settings for different Milter applications" for advanced
|
||||
configuration options.
|
||||
|
||||
MMiilltteerr pprroottooccooll vveerrssiioonn
|
||||
|
||||
As Postfix is not built with the Sendmail libmilter library, you may need to
|
||||
@ -298,6 +291,9 @@ The remedy is to lower the Postfix milter_protocol version number. Postfix 2.8
|
||||
and later will automatically turn off protocol features that the application's
|
||||
libmilter library does not expect.
|
||||
|
||||
See "Different settings for different Milter applications" for advanced
|
||||
configuration options.
|
||||
|
||||
MMiilltteerr pprroottooccooll ttiimmeeoouuttss
|
||||
|
||||
Postfix uses different time limits at different Milter protocol stages. The
|
||||
@ -319,6 +315,40 @@ lookups. However, if you increase the above timeouts too much, remote SMTP
|
||||
clients may hang up and mail may be delivered multiple times. This is an
|
||||
inherent problem with before-queue filtering.
|
||||
|
||||
See "Different settings for different Milter applications" for advanced
|
||||
configuration options.
|
||||
|
||||
DDiiffffeerreenntt sseettttiinnggss ffoorr ddiiffffeerreenntt MMiilltteerr aapppplliiccaattiioonnss
|
||||
|
||||
The previous sections list a number of Postfix main.cf parameters that control
|
||||
time limits and other settings for all Postfix Milter clients. This is
|
||||
sufficient for simple configurations. With more complex configurations it
|
||||
becomes desirable to have different settings for different Milter clients. This
|
||||
is supported with Postfix 3.0 and later.
|
||||
|
||||
The following example shows a "non-critical" Milter client with a short connect
|
||||
timeout, and with "accept" as default action when the service is unvailable.
|
||||
|
||||
1 /etc/postfix/main.cf:
|
||||
2 smtpd_milters = { inet:host:port,
|
||||
3 connect_timeout=10s, default_action=accept }
|
||||
|
||||
Instead of a server endpoint, we now have a list enclosed in {}.
|
||||
|
||||
* Line 2: The first item in the list is the server endpoint. This supports
|
||||
the exact same "inet" and "unix" syntax as described earlier.
|
||||
|
||||
* Line 3: The remainder of the list contains per-Milter settings. These
|
||||
settings override global main.cf parameters, and have the same name as
|
||||
those parameters, without the "milter_" prefix. The per-Milter settings
|
||||
that are supported as of Postfix 3.0 are command_timeout, connect_timeout,
|
||||
content_timeout, default_action, and protocol.
|
||||
|
||||
Inside the list, syntax is similar to what we already know from main.cf: items
|
||||
separated by space or comma. There is one difference: yyoouu mmuusstt eenncclloossee aa
|
||||
sseettttiinngg iinn ppaarreenntthheesseess,, aass iinn ""{{ nnaammee == vvaalluuee }}"",, iiff yyoouu wwaanntt ttoo hhaavvee ssppaaccee oorr
|
||||
ccoommmmaa wwiitthhiinn aa vvaalluuee oorr aarroouunndd ""=="".
|
||||
|
||||
SSeennddmmaaiill mmaaccrroo eemmuullaattiioonn
|
||||
|
||||
Postfix emulates a limited number of Sendmail macros, as shown in the table.
|
||||
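Review bot: The last paragraph tells the reader to enclose a setting "in parentheses", but the example it gives, "{ name = value }", uses curly braces; say "in {}" or "in curly braces" to match the list syntax introduced just above. Typo in the description of the example: "unvailable" should be "unavailable". It would also help to state next to the "default_action=accept" example that mail passes unfiltered while that Milter is unreachable, so the setting suits only filters whose verdict is not relied on for enforcement.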
@ -409,10 +439,12 @@ Sendmail. See the workarounds section below for solutions.
|
||||
|v |Always |value of milter_macro_v |
|
||||
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|
||||
|
||||
WWhhaatt mmaaccrrooss wwiillll PPoossttffiixx sseenndd ttoo MMiilltteerrss??
|
||||
|
||||
Postfix sends specific sets of macros at different Milter protocol stages. The
|
||||
sets are configured with the parameters as described in the table (EOH = end of
|
||||
headers; EOM = end of message). The protocol version is a number that Postfix
|
||||
sends at the beginning of the Milter protocol handshake.
|
||||
sets are configured with the parameters as shown in the table below (EOH = end
|
||||
of headers; EOM = end of message). The protocol version is a number that
|
||||
Postfix sends at the beginning of the Milter protocol handshake.
|
||||
|
||||
As of Sendmail 8.14.0, Milter applications can specify what macros they want to
|
||||
receive at different Milter protocol stages. An application-specified list
|
||||
@ -439,6 +471,16 @@ takes precedence over a Postfix-specified list.
|
||||
|milter_unknown_command_macros|3 or higher |unknown command |
|
||||
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|
||||
|
||||
By default, Postfix will send only macros whose values have been updated with
|
||||
information from main.cf or master.cf, from an SMTP session (for example; SASL
|
||||
login, or TLS certificates) or from a Mail delivery transaction (for example;
|
||||
queue ID, sender, or recipient).
|
||||
|
||||
To force a macro to be sent even when its value has not been updated, you may
|
||||
specify macro default values with the milter_macro_defaults parameter. Specify
|
||||
zero or more name=value pairs separated by comma or whitespace; you may even
|
||||
specify macro names that Postfix does know about!
|
||||
|
||||
WWoorrkkaarroouunnddss
|
||||
|
||||
* To avoid breaking DKIM etc. signatures with an SMTP-based content filter,
|
||||
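Review bot: The closing sentence "you may even specify macro names that Postfix does know about!" reads as if a "not" is missing; as written it states nothing that needs the emphasis. Please confirm the intent and reword. Punctuation in the first paragraph: "for example; SASL login" and "for example; queue ID" should have a comma after "for example", and "Mail delivery transaction" does not need the capital M.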
@ -552,11 +594,6 @@ the CONTENT_INSPECTION_README document for a discussion.
|
||||
commands. When this rule is violated, Postfix will report a configuration
|
||||
error, and mail will stay in the queue.
|
||||
|
||||
* Postfix currently does not apply content filters to mail that is forwarded
|
||||
or aliased internally, or to mail that is generated internally such as
|
||||
bounces or Postmaster notifications. This may be a problem when you want to
|
||||
apply a signing Milter to such mail.
|
||||
|
||||
* When you use the before-queue content filter for incoming SMTP mail (see
|
||||
SMTPD_PROXY_README), Milter applications have access only to the SMTP
|
||||
command information; they have no access to the message header or body, and
|
||||
|
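Review bot: The limitation removed here covered mail that is forwarded or aliased internally as well as bounces and Postmaster notifications, while the new "Signing internally-generated bounce messages" section in this patch only shows "internal_mail_filter_classes = bounce". If forwarded or aliased mail is still not passed through Milters, keep that part of the bullet; if it is, say where that is documented.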
@ -33,17 +33,27 @@ obtained from:
|
||||
|
||||
In order to build Postfix with mysql map support, you will need to add -
|
||||
DHAS_MYSQL and -I for the directory containing the mysql headers, and the
|
||||
mysqlclient library (and libm) to AUXLIBS, for example:
|
||||
mysqlclient library (and libm) to AUXLIBS_MYSQL, for example:
|
||||
|
||||
make -f Makefile.init makefiles \
|
||||
'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
|
||||
'AUXLIBS=-L/usr/local/mysql/lib -lmysqlclient -lz -lm'
|
||||
'AUXLIBS_MYSQL=-L/usr/local/mysql/lib -lmysqlclient -lz -lm'
|
||||
|
||||
Postfix versions before 3.0 use AUXLIBS instead of AUXLIBS_MYSQL. With Postfix
|
||||
3.0 and later, the old AUXLIBS variable still supports building a statically-
|
||||
loaded MySQL database client, but only the new AUXLIBS_MYSQL variable supports
|
||||
building a dynamically-loaded or statically-loaded MySQL database client.
|
||||
|
||||
Failure to use the AUXLIBS_MYSQL variable will defeat the purpose of
|
||||
dynamic database client loading. Every Postfix executable file will have
|
||||
MYSQL database library dependencies. And that was exactly what dynamic
|
||||
database client loading was meant to avoid.
|
||||
|
||||
On Solaris, use this instead:
|
||||
|
||||
make -f Makefile.init makefiles \
|
||||
'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
|
||||
'AUXLIBS=-L/usr/local/mysql/lib -R/usr/local/mysql/lib \
|
||||
'AUXLIBS_MYSQL=-L/usr/local/mysql/lib -R/usr/local/mysql/lib \
|
||||
-lmysqlclient -lz -lm'
|
||||
|
||||
Then, just run 'make'. This requires libz, the compression library. Older mysql
|
||||
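Review bot: The added paragraphs spell the product two ways, "MySQL database client" and "MYSQL database library dependencies", next to lowercase "mysql" in the surrounding text. Suggest "MySQL" throughout the new text so the paragraph matches its neighbours.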
@ -84,8 +94,20 @@ where_field = alias
|
||||
# Don't forget the leading "AND"!
|
||||
additional_conditions = AND status = 'paid'
|
||||
|
||||
# This is necessary to make UTF8 queries work for Postfix 2.11 .. 3.1,
|
||||
# and is the default setting as of Postfix 3.2,
|
||||
option_group = client
|
||||
|
||||
AAddddiittiioonnaall nnootteess
|
||||
|
||||
Postfix 3.2 and later read [[cclliieenntt]] option group settings by default. To
|
||||
disable this, specify no ooppttiioonn__ffiillee and specify "ooppttiioonn__ggrroouupp ==" (i.e. an
|
||||
empty value).
|
||||
|
||||
Postfix 3.1 and earlier don't read [[cclliieenntt]] option group settings unless a non-
|
||||
empty ooppttiioonn__ffiillee or ooppttiioonn__ggrroouupp value are specified. To enable this, specify,
|
||||
for example "ooppttiioonn__ggrroouupp == cclliieenntt".
|
||||
|
||||
The MySQL configuration interface setup allows for multiple mysql databases:
|
||||
you can use one for a virtual table, one for an access table, and one for an
|
||||
aliases table if you want.
|
||||
|
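Review bot: The added notes say that Postfix 3.2 and later read [client] option group settings by default, but not from which file when option_file is unset, so an administrator cannot tell which MySQL client settings start influencing Postfix lookups after an upgrade. Suggest naming the file, or pointing to the MySQL documentation on default option files. Nits: the comment above "option_group = client" ends with a comma instead of a period, and "option_file or option_group value are specified" should read "is specified".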
@ -57,6 +57,12 @@ installation parameters on the command line:
|
||||
With Postfix versions before 2.2 you must invoke the post-install script
|
||||
directly (% sshh ppoosstt--iinnssttaallll --nnoonn--iinntteerraaccttiivvee iinnssttaallll__rroooott......).
|
||||
|
||||
With Postfix 3.0 and later, the command "make package name=value ..." will
|
||||
replace the string MAIL_VERSION in a configuration parameter value with the
|
||||
Postfix release version. Do not try to specify something like $mail_version on
|
||||
this command line. This produces inconsistent results with different versions
|
||||
of the make(1) command.
|
||||
|
||||
BBeeggiinn SSeeccuurriittyy AAlleerrtt
|
||||
|
||||
WWhheenn bbuuiillddiinngg aann aarrcchhiivvee ffoorr ddiissttrriibbuuttiioonn,, bbee ssuurree ttoo aarrcchhiivvee oonnllyy ffiilleess aanndd
|
||||
|
@ -35,18 +35,22 @@ which can be obtained from:
|
||||
NOTE: pcre versions prior to 2.06 cannot be used.
|
||||
|
||||
In order to build Postfix with PCRE support you need to add -DHAS_PCRE and a -
|
||||
I for the PCRE include file to CCARGS, and add the path to the PCRE library to
|
||||
AUXLIBS, for example:
|
||||
I option for the PCRE include file to CCARGS, and add the path to the PCRE
|
||||
library to AUXLIBS_PCRE, for example:
|
||||
|
||||
make -f Makefile.init makefiles \
|
||||
"CCARGS=-DHAS_PCRE -I/usr/local/include" \
|
||||
"AUXLIBS=-L/usr/local/lib -lpcre"
|
||||
"CCARGS=-DHAS_PCRE `pcre-config --cflags`" \
|
||||
"AUXLIBS_PCRE=`pcre-config --libs`"
|
||||
|
||||
Solaris needs run-time path information too:
|
||||
Postfix versions before 3.0 use AUXLIBS instead of AUXLIBS_PCRE. With Postfix
|
||||
3.0 and later, the old AUXLIBS variable still supports building a statically-
|
||||
loaded PCRE database client, but only the new AUXLIBS_PCRE variable supports
|
||||
building a dynamically-loaded or statically-loaded PCRE database client.
|
||||
|
||||
make -f Makefile.init makefiles \
|
||||
"CCARGS=-DHAS_PCRE -I/usr/local/include" \
|
||||
"AUXLIBS=-L/usr/local/lib -R/usr/local/lib -lpcre"
|
||||
Failure to use the AUXLIBS_PCRE variable will defeat the purpose of dynamic
|
||||
database client loading. Every Postfix executable file will have PCRE
|
||||
library dependencies. And that was exactly what dynamic database client
|
||||
loading was meant to avoid.
|
||||
|
||||
TThhiinnggss ttoo kknnooww
|
||||
|
||||
|
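Review bot: The "Solaris needs run-time path information too" example with -R/usr/local/lib is dropped here, while the LDAP, LMDB and MySQL READMEs in this patch keep their Solaris variants. If "pcre-config --libs" is expected to supply the run-time path on Solaris, say so; otherwise keep a Solaris example that uses AUXLIBS_PCRE. A sentence on what to specify when pcre-config is not installed would also help, since the explicit -I and -L form is no longer shown.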
@ -34,7 +34,18 @@ For example:
|
||||
% make tidy
|
||||
% make -f Makefile.init makefiles \
|
||||
'CCARGS=-DHAS_PGSQL -I/usr/local/include/pgsql' \
|
||||
'AUXLIBS=-L/usr/local/lib -lpq'
|
||||
'AUXLIBS_PGSQL=-L/usr/local/lib -lpq'
|
||||
|
||||
Postfix versions before 3.0 use AUXLIBS instead of AUXLIBS_PGSQL. With Postfix
|
||||
3.0 and later, the old AUXLIBS variable still supports building a statically-
|
||||
loaded PostgreSQL database client, but only the new AUXLIBS_PGSQL variable
|
||||
supports building a dynamically-loaded or statically-loaded PostgreSQL database
|
||||
client.
|
||||
|
||||
Failure to use the AUXLIBS_PGSQL variable will defeat the purpose of
|
||||
dynamic database client loading. Every Postfix executable file will have
|
||||
PGSQL database library dependencies. And that was exactly what dynamic
|
||||
database client loading was meant to avoid.
|
||||
|
||||
Then just run 'make'.
|
||||
|
||||
|
@ -622,8 +622,8 @@ mail:
|
||||
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
|
||||
|
||||
/etc/postfix/dnsbl_reply:
|
||||
# Secret DNSBL name Name in postscreen(8) replies
|
||||
secret.zen.spamhaus.org zen.spamhaus.org
|
||||
# Secret DNSBL name Name in postscreen(8) replies
|
||||
secret.zen.dq.spamhaus.net zen.spamhaus.org
|
||||
|
||||
The texthash: format is similar to hash: except that there is no need to
|
||||
run postmap(1) before the file can be used, and that it does not detect
|
||||
@ -704,14 +704,17 @@ more of:
|
||||
disconnect.
|
||||
|
||||
When the good client comes back in a later session, it is allowed to talk
|
||||
directly to a Postfix SMTP server. See "after_220 Tests after the 220 SMTP
|
||||
server greeting above for limitations with AUTH and other features that
|
||||
clients may need.
|
||||
directly to a Postfix SMTP server. See "Tests after the 220 SMTP server
|
||||
greeting" above for limitations with AUTH and other features that clients
|
||||
may need.
|
||||
|
||||
An unexpected benefit from "deep protocol tests" is that some "good"
|
||||
clients don't return after the 4XX reply; these clients were not so good
|
||||
after all. Wietse enables "deep protocol tests" on his own internet-facing
|
||||
mail server.
|
||||
after all.
|
||||
|
||||
Unfortunately, some senders will retry requests from different IP
|
||||
addresses, and may never get whitelisted. For this reason, Wietse stopped
|
||||
using "deep protocol tests" on his own internet-facing mail server.
|
||||
|
||||
* There is also support for permanent blacklisting and whitelisting; see the
|
||||
description of the postscreen_access_list parameter for details.
|
||||
|
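Review bot: The new paragraph says senders that retry from different IP addresses "may never get whitelisted" but does not state what that means for their mail. Because this sentence replaces the statement that Wietse enables "deep protocol tests", readers will take it as guidance; suggest stating the consequence for such mail explicitly and noting that these tests are optional.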
@ -1,26 +1,161 @@
|
||||
The stable Postfix release is called postfix-2.11.x where 2=major
|
||||
release number, 11=minor release number, x=patchlevel. The stable
|
||||
This is the Postfix 3.1 (stable) release.
|
||||
|
||||
The stable Postfix release is called postfix-3.1.x where 3=major
|
||||
release number, 1=minor release number, x=patchlevel. The stable
|
||||
release never changes except for patches that address bugs or
|
||||
emergencies. Patches change the patchlevel and the release date.
|
||||
|
||||
New features are developed in snapshot releases. These are called
|
||||
postfix-2.12-yyyymmdd where yyyymmdd is the release date (yyyy=year,
|
||||
postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
|
||||
mm=month, dd=day). Patches are never issued for snapshot releases;
|
||||
instead, a new snapshot is released.
|
||||
|
||||
The mail_release_date configuration parameter (format: yyyymmdd)
|
||||
specifies the release date of a stable release or snapshot release.
|
||||
|
||||
If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10
|
||||
If you upgrade from Postfix 2.11 or earlier, read RELEASE_NOTES-3.0
|
||||
before proceeding.
|
||||
|
||||
Incompatible change with Postfix 2.11.6
|
||||
---------------------------------------
|
||||
Workaround - UTF8 support in Postfix MySQL queries
|
||||
--------------------------------------------------
|
||||
|
||||
As of the middle of 2015, all supported Postfix releases no longer
|
||||
enable "export" grade ciphers for opportunistic TLS, and no longer
|
||||
use the deprecated SSLv2 and SSLv3 protocols for mandatory or
|
||||
opportunistic TLS.
|
||||
Someone reported false "not found" errors with MySQL map queries
|
||||
that contain UTF8-encoded text. To avoid such errors, specify
|
||||
"option_group = client" in Postfix MySQL configuration files. This
|
||||
will be the default setting with Postfix 3.2 and later.
|
||||
|
||||
Major changes - address verification safety
|
||||
-------------------------------------------
|
||||
|
||||
[Feature 20151227] The new address_verify_pending_request_limit
|
||||
parameter introduces a safety limit for the number of address
|
||||
verification probes in the active queue. The default limit is 1/4
|
||||
of the active queue maximum size. The queue manager enforces the
|
||||
limit by tempfailing probe messages that exceed the limit. This
|
||||
design avoids dependencies on global counters that get out of sync
|
||||
after a process or system crash.
|
||||
|
||||
Tempfailing verify requests is not as bad as one might think. The
|
||||
Postfix verify cache proactively updates active addresses weeks
|
||||
before they expire. The address_verify_pending_request_limit affects
|
||||
only unknown addresses, and inactive addresses that have expired
|
||||
from the address verify cache (by default, after 31 days).
|
||||
|
||||
Major changes - json support
|
||||
----------------------------
|
||||
|
||||
[Feature 20151129] Machine-readable, JSON-formatted queue listing
|
||||
with "postqueue -j" (no "mailq" equivalent). The output is a stream
|
||||
of JSON objects, one per queue file. To simplify parsing, each
|
||||
JSON object is formatted as one text line followed by one newline
|
||||
character. See the postqueue(1) manpage for a detailed description
|
||||
of the output format.
|
||||
|
||||
Major changes - milter support
|
||||
------------------------------
|
||||
|
||||
[Feature 20150523] The milter_macro_defaults feature provides an
|
||||
optional list of macro name=value pairs. These specify default
|
||||
values for Milter macros when no value is available from the SMTP
|
||||
session context.
|
||||
|
||||
For example, with "milter_macro_defaults = auth_type=TLS", the
|
||||
Postfix SMTP server will send an auth_type of "TLS" to a Milter,
|
||||
unless the remote client authenticates with SASL.
|
||||
|
||||
This feature was originally implemented for a submission service
|
||||
that may authenticate clients with a TLS certificate, without having
|
||||
to make changes to the code that implements TLS support.
|
||||
|
||||
Major changes - output rate control
|
||||
-----------------------------------
|
||||
|
||||
[Feature 20150710] Destination-independent delivery rate delay
|
||||
|
||||
Support to enforce a destination-independent delay between email
|
||||
deliveries. The following example inserts 20 seconds of delay
|
||||
between all deliveries with the SMTP transport, limiting the delivery
|
||||
rate to at most three messages per minute.
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
smtp_transport_rate_delay = 20s
|
||||
|
||||
For details, see the description of default_transport_rate_delay
|
||||
and transport_transport_rate_delay in the postconf(5) manpage.
|
||||
|
||||
Major changes - postscreen dnsbl
|
||||
--------------------------------
|
||||
|
||||
[Feature 20150710] postscreen support for the TTL of DNSBL and DNSWL
|
||||
lookup results
|
||||
|
||||
Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
|
||||
that a "not found" result from a DNSBL server will be valid for one
|
||||
hour. This may have been adequate five years ago when postscreen
|
||||
was first implemented, but nowadays, that one hour can result in
|
||||
missed opportunities to block new spambots.
|
||||
|
||||
To address this, postscreen now respects the TTL of DNSBL "not
|
||||
found" replies, as well as the TTL of DNSWL replies (both "found"
|
||||
and "not found"). The TTL for a "not found" reply is determined
|
||||
according to RFC 2308 (the TTL of an SOA record in the reply).
|
||||
|
||||
Support for DNSBL or DNSWL reply TTL values is controlled by two
|
||||
configuration parameters:
|
||||
|
||||
postscreen_dnsbl_min_ttl (default: 60 seconds).
|
||||
|
||||
This parameter specifies a minimum for the amount of time that
|
||||
a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
|
||||
This prevents an excessive number of postscreen cache updates
|
||||
when a DNSBL or DNSWL server specifies a very small reply TTL.
|
||||
|
||||
postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
|
||||
|
||||
This parameter specifies a maximum for the amount of time that
|
||||
a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
|
||||
This prevents cache pollution when a DNSBL or DNSWL server
|
||||
specifies a very large reply TTL.
|
||||
|
||||
The postscreen_dnsbl_ttl parameter is now obsolete, and has become
|
||||
the default value for the new postscreen_dnsbl_max_ttl parameter.
|
||||
|
||||
Major changes - sasl auth safety
|
||||
--------------------------------
|
||||
|
||||
[Feature 20151031] New "smtpd_client_auth_rate_limit" feature, to
|
||||
enforce an optional rate limit on AUTH commands per SMTP client IP
|
||||
address. Similar to other smtpd_client_*_rate_limit features, this
|
||||
enforces a limit on the number of requests per $anvil_rate_time_unit.
|
||||
|
||||
Major changes - smtpd policy
|
||||
----------------------------
|
||||
|
||||
[Feature 20150913] New SMTPD policy service attribute "policy_context",
|
||||
with a corresponding "smtpd_policy_service_policy_context" configuration
|
||||
parameter. Originally, this was implemented to share the same SMTPD
|
||||
policy service endpoint among multiple check_policy_service clients.
|
||||
|
||||
Major changes - tls
|
||||
-------------------
|
||||
|
||||
[Feature 20160207] A new "postfix tls" command to quickly enable
|
||||
opportunistic TLS in the Postfix SMTP client or server, and to
|
||||
manage SMTP server keys and certificates, including certificate
|
||||
signing requests and TLSA DNS records for DANE. See the postfix-tls(1)
|
||||
manpage for a detailed description.
|
||||
|
||||
[Feature 20160103] The Postfix SMTP client by default enables DANE
|
||||
policies when an MX host has a (DNSSEC) secure TLSA DNS record,
|
||||
even if the MX DNS record was obtained with insecure lookups. The
|
||||
existence of a secure TLSA record implies that the host wants to
|
||||
talk TLS and not plaintext. For details see the
|
||||
smtp_tls_dane_insecure_mx_policy configuration parameter.
|
||||
|
||||
[Incompat 20150721] As of the middle of 2015, all supported Postfix
|
||||
releases no longer enable "export" grade ciphers for opportunistic
|
||||
TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for
|
||||
mandatory or opportunistic TLS.
|
||||
|
||||
These changes are very unlikely to cause problems with server-to-server
|
||||
communication over the Internet, but they may result in interoperability
|
||||
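Review bot: the smtpd_client_auth_rate_limit entry ([Feature 20151031]) calls the limit "optional" and ties it to $anvil_rate_time_unit, but it states neither the default value nor whether every AUTH command counts or only failed ones. An administrator sizing the limit for clients that share one IP address needs both. Add the default inline, as the postscreen_dnsbl_max_ttl entry above does, and say what is counted.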
@ -48,267 +183,12 @@ selective, use "-o name=value" parameter overrides on specific
|
||||
services in master.cf. Execute the command "postfix reload" to make
|
||||
the changes effective.
|
||||
|
||||
Major changes - tls
|
||||
-------------------
|
||||
[Incompat 20150719] The default Diffie-Hellman non-export prime was
|
||||
updated from 1024 to 2048 bits, because SMTP clients are starting
|
||||
to reject TLS handshakes with primes smaller than 2048 bits.
|
||||
|
||||
[Documentation 20131218] The new FORWARD_SECRECY_README document
|
||||
conveniently presents all information about Postfix "perfect" forward
|
||||
secrecy support in one place: what forward secrecy is, how to tweak
|
||||
settings, and what you can expect to see when Postfix uses ciphers
|
||||
with forward secrecy.
|
||||
Historically, this prime size is not negotiable, and each site needs
|
||||
to determine which prime size works best for the majority of its
|
||||
clients. See FORWARD_SECRECY_README for some hints in the quick-start
|
||||
section.
|
||||
|
||||
[Feature 20130602] Support for PKI-less TLS server certificate
|
||||
verification, where the CA public key or the server certificate is
|
||||
identified via DNSSEC lookup.
|
||||
|
||||
This feature introduces new TLS security levels called "dane" and
|
||||
"dane-only" (DNS-based Authentication of Named Entities) that use
|
||||
DNSSEC to look up CA or server certificate information. The details
|
||||
of DANE core protocols are still evolving, as are the details of
|
||||
how DANE should be used in the context of SMTP. Postfix implements
|
||||
what appears to be a "rational" subset of the DANE profiles that
|
||||
is suitable for SMTP.
|
||||
|
||||
The problem with conventional PKI is that there are literally
|
||||
hundreds of organizations world-wide that can provide a certificate
|
||||
in anyone's name. There have been widely-published incidents in
|
||||
recent history where a certificate authority gave out an inappropriate
|
||||
certificate (e.g., a certificate in the name of Microsoft to someone
|
||||
who did not represent Microsoft), where a CA was compromised (e.g.,
|
||||
DigiNotar, Comodo), or where a CA made operational mistakes (e.g.,
|
||||
TURKTRUST). Another concern is that a legitimate CA might be coerced
|
||||
to provide a certificate that allows its government to play
|
||||
man-in-the-middle on TLS traffic and observe the plaintext.
|
||||
|
||||
Major changes - LMDB database support
|
||||
-------------------------------------
|
||||
|
||||
LMDB is a memory-mapped database that was originally developed as
|
||||
part of OpenLDAP. The Postfix LMDB driver was originally contributed
|
||||
by Howard Chu, LMDB's creator.
|
||||
|
||||
LMDB can be used for all Postfix lookup tables and caches. It is
|
||||
the first persistent Postfix database that can be shared among
|
||||
multiple writers such as postscreen daemons (Postfix already supported
|
||||
shared non-persistent memcached caches). See lmdb_table(5) and
|
||||
LMDB_README for further information, including how to access Postfix
|
||||
LMDB databases with non-Postfix programs.
|
||||
|
||||
Postfix currently requires LMDB version 0.9.11 or later. The minimum
|
||||
version may change over time in the light of deployment experience.
|
||||
|
||||
Major changes - postscreen whitelisting
|
||||
---------------------------------------
|
||||
|
||||
[Feature 20130512] Allow a remote SMTP client to skip postscreen(8)
|
||||
tests based on its postscreen_dnsbl_sites score.
|
||||
|
||||
Specify a negative "postscreen_dnsbl_whitelist_threshold" value to
|
||||
enable this feature. When a client passes the threshold value
|
||||
without having failed other tests, all pending or disabled tests
|
||||
are flagged as completed.
|
||||
|
||||
This feature can mitigate the email delays due to "after 220 greeting"
|
||||
protocol tests, which otherwise require that a client reconnects
|
||||
before it can deliver mail. Some providers such as Google don't
|
||||
retry from the same IP address. This can result in large email
|
||||
delivery delays.
|
||||
|
||||
Major changes - recipient_delimiter
|
||||
-----------------------------------
|
||||
|
||||
[Feature 20130405] The recipient_delimiter parameter can now specify
|
||||
a set of characters. A user name is now separated from its address
|
||||
extension by the first character that matches the recipient_delimiter
|
||||
set.
|
||||
|
||||
For example, specify "recipient_delimiter = +-" to support both the
|
||||
Postfix-style "+" and the qmail-style "-" extension delimiter.
|
||||
|
||||
As before, this implementation recognizes one delimiter character
|
||||
per email address, and one address extension per email address.
|
||||
|
||||
Major changes - smtpd access control
|
||||
------------------------------------
|
||||
|
||||
[Feature 20131031] The check_sasl_access feature can be used to
|
||||
block hijacked logins. Like other check_mumble_access features it
|
||||
queries a lookup table (in this case with the SASL login name), and
|
||||
it supports the same actions as any Postfix access(5) table.
|
||||
|
||||
[Feature 20130924] The reject_known_sender_login_mismatch feature
|
||||
applies reject_sender_login_mismatch only to MAIL FROM addresses
|
||||
that are known in $smtpd_sender_login_maps.
|
||||
|
||||
Major changes - MacOS X
|
||||
-----------------------
|
||||
|
||||
[Feature 20130325] Full support for kqueue() event handling which
|
||||
scales better with large numbers of file handles, plus a workaround
|
||||
for timeout handling on file handles (such as /dev/urandom) that
|
||||
still do not correctly support poll().
|
||||
|
||||
Major changes - master
|
||||
----------------------
|
||||
|
||||
[Incompat 20131217] The master_service_disable parameter value
|
||||
syntax has changed: use "service/type" instead of "service.type".
|
||||
The new form is consistent with postconf(1) namespaces for master.cf.
|
||||
The old form is still supported to avoid breaking existing
|
||||
configurations.
|
||||
|
||||
Major changes - milter
|
||||
----------------------
|
||||
|
||||
[Feature 20131126] Support for ESMTP parameters "NOTIFY" and "ORCPT"
|
||||
in the SMFIR_ADDRCPT_PAR (add recipient with parameters) request.
|
||||
Credits: Andrew Ayer.
|
||||
|
||||
Major changes - mysql
|
||||
---------------------
|
||||
|
||||
[Feature 20131117] MySQL client support for option_file, option_group,
|
||||
tls_cert_file, tls_key_file, tls_CAfile, tls_CApath, tls_verify_cert.
|
||||
Credits: Gareth Palmer.
|
||||
|
||||
Major changes - postconf
|
||||
------------------------
|
||||
|
||||
[Feature 20131217] Support for advanced master.cf query and update
|
||||
operations. This was implemented primarily to support automated
|
||||
system management tools.
|
||||
|
||||
The goal is to make all Postfix master.cf details accessible as
|
||||
lists of "name=value" pairs, where the names are organized into
|
||||
structured name spaces. This allows other programs to query
|
||||
information or request updates, without having to worry about the
|
||||
exact layout of master.cf files.
|
||||
|
||||
Managing master.cf service attributes
|
||||
-------------------------------------
|
||||
|
||||
First, an example that shows the smtp/inet service in the traditional
|
||||
form:
|
||||
|
||||
$ postconf -M smtp/inet
|
||||
smtp inet n - n - - smtpd
|
||||
|
||||
Different variants of this command show different amounts of output.
|
||||
For example, "postconf -M smtp" enumerates all services that have
|
||||
a name "smtp" and any service type ("inet", "unix", etc.), and
|
||||
"postconf -M" enumerates all master.cf services.
|
||||
|
||||
General rule: each name component that is not present becomes a "*"
|
||||
wildcard.
|
||||
|
||||
Coming back to the above example, the postconf -F option can now
|
||||
enumerate the smtp/inet service fields as follows:
|
||||
|
||||
$ postconf -F smtp/inet
|
||||
smtp/inet/service = smtp
|
||||
smtp/inet/type = inet
|
||||
smtp/inet/private = n
|
||||
smtp/inet/unprivileged = -
|
||||
smtp/inet/chroot = n
|
||||
smtp/inet/wakeup = -
|
||||
smtp/inet/process_limit = -
|
||||
smtp/inet/command = smtpd
|
||||
|
||||
This form makes it very easy to change one field in master.cf.
|
||||
For example to turn on chroot on the smtp/inet service you use:
|
||||
|
||||
$ postconf -F smtp/inet/chroot=y
|
||||
$ postfix reload
|
||||
|
||||
Moreover, with "-F" you can specify "*" for service name or service
|
||||
type to get a wild-card match. For example, to turn off chroot on
|
||||
all Postfix daemons, use this:
|
||||
|
||||
$ postconf -F '*/*/chroot=n'
|
||||
$ postfix reload
|
||||
|
||||
Managing master.cf service "-o parameter=value" settings
|
||||
--------------------------------------------------------
|
||||
|
||||
For a second example, let's look at the submission service. This
|
||||
service typically has multiple "-o parameter=value" overrides. First
|
||||
the traditional view:
|
||||
|
||||
$ postconf -Mf submission
|
||||
submission inet n - n - - smtpd
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
...
|
||||
|
||||
The postconf -P option can now enumerate these parameters as follows:
|
||||
|
||||
$ postconf -P submission
|
||||
submission/inet/smtpd_sasl_auth_enable = yes
|
||||
submission/inet/smtpd_tls_security_level = encrypt
|
||||
...
|
||||
|
||||
Again, this form makes it very easy to modify one parameter
|
||||
setting. For example, to change the smtpd_tls_security_level setting
|
||||
for the submission/inet service:
|
||||
|
||||
$ postconf -P 'submission/inet/smtpd_tls_security_level=may'
|
||||
|
||||
You can create or remove a parametername=parametervalue setting:
|
||||
|
||||
Create:
|
||||
$ postconf -P 'submission/inet/parametername=parametervalue'
|
||||
|
||||
Remove:
|
||||
$ postconf -PX submission/inet/parametername
|
||||
|
||||
Finally, always execute "postfix reload" after updating master.cf.
|
||||
|
||||
Managing master.cf service entries
|
||||
----------------------------------
|
||||
|
||||
Finally, adding master.cf entries is possible, but currently this
|
||||
does not yet have "advanced" support. It can only be done at the
|
||||
level of the traditional master.cf file format.
|
||||
|
||||
Suppose that you need to configure a Postfix SMTP client that will
|
||||
handle slow email deliveries. To implement this you need to clone
|
||||
the smtp/unix service settings and create a new delay/unix service.
|
||||
|
||||
First, you would enumerate the smtp/unix service like this:
|
||||
|
||||
$ postconf -M smtp/unix
|
||||
smtp unix - - n - - smtp
|
||||
|
||||
Then you would copy those fields (except the first field) by hand
|
||||
to create the delay/unix service:
|
||||
|
||||
$ postconf -M delay/unix="delay unix - - n - - smtp"
|
||||
|
||||
To combine the above steps in one command:
|
||||
|
||||
$ postconf -M delay/unix="`postconf -M smtp/unix|awk '{$1 = "delay"}'`"
|
||||
|
||||
This is perhaps not super-convenient for manual cloning, but it
|
||||
should be sufficient for programmatic configuration management.
|
||||
|
||||
Again, always execute "postfix reload" after updating master.cf.
|
||||
|
||||
Deleting or commenting out master.cf entries
|
||||
--------------------------------------------
|
||||
|
||||
The -X (delete entry) and -# (comment out entry) options already
|
||||
exist for main.cf, and they now also work work for entire master.cf
|
||||
entries:
|
||||
|
||||
Remove main.cf or master.cf entry:
|
||||
$ postconf -X parametername
|
||||
$ postconf -MX delay/unix
|
||||
|
||||
Comment out main.cf or master.cf entry:
|
||||
$ postconf -# parametername
|
||||
$ postconf -M# delay/unix
|
||||
|
||||
As with main.cf, there is no support to "undo" master.cf changes
|
||||
that are made with -X or -#.
|
||||
|
||||
Again, always execute "postfix reload" after updating master.cf.
|
||||
|
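Review bot: the [Incompat 20150719] paragraph reports the default Diffie-Hellman prime going from 1024 to 2048 bits and then says each site must determine which prime size works best, but it never names the configuration parameter that controls the prime, nor says whether a site that already supplies its own prime is affected by the new default. Name the parameter next to the FORWARD_SECRECY_README pointer so the entry is actionable on its own.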
@ -975,12 +975,12 @@ authentication information:
|
||||
|
||||
The mmmmeennccooddee command is part of the metamail software.
|
||||
|
||||
* Using Perl MMIIMMEE::::BBaassee6644:
|
||||
* Using Perl MMIIMMEE::::BBaassee6644 (from http://www.cpan.org/):
|
||||
|
||||
% ppeerrll --MMMMIIMMEE::::BBaassee6644 --ee \\
|
||||
''pprriinntt eennccooddee__bbaassee6644((""\\00uusseerrnnaammee\\00ppaasssswwoorrdd""));;''
|
||||
|
||||
MIME::Base64 is available from http://www.cpan.org/.
|
||||
If the username or password contain "@", you must specify "\@".
|
||||
|
||||
* Using the ggeenn--aauutthh script:
|
||||
|
||||
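Review bot: the added caveat under the Perl MIME::Base64 example covers "@" only, but the credentials sit inside a double-quoted Perl string (encode_base64("\0username\0password")), where "$" and "\" are interpreted as well. A password containing either character would be encoded wrongly and authentication would fail with no obvious cause. Extend the sentence to say that "$" and "\" also need a backslash.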
@ -1029,6 +1029,8 @@ username/password information.
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
smtp_sasl_auth_enable = yes
|
||||
smtp_tls_security_level = encrypt
|
||||
smtp_sasl_tls_security_options = noanonymous
|
||||
relayhost = [mail.isp.example]
|
||||
# Alternative form:
|
||||
# relayhost = [mail.isp.example]:submission
|
||||
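Review bot: smtp_tls_security_level = encrypt, added here next to smtp_sasl_tls_security_options = noanonymous, makes TLS mandatory but does not verify the relay's certificate, so the example now permits plaintext SASL mechanisms over a channel whose peer is unauthenticated. State that limitation beside the setting, or show a certificate-verifying security level such as verify or secure for the [mail.isp.example] relayhost as the alternative.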
@ -1038,6 +1040,10 @@ username/password information.
|
||||
will configure the client's username and password information in the second
|
||||
part of the example.
|
||||
|
||||
* The smtp_tls_security_level setting ensures that the connection to the
|
||||
remote smtp server will be encrypted, and smtp_sasl_tls_security_options
|
||||
removes the prohibition on plaintext passwords.
|
||||
|
||||
* The relayhost setting forces the Postfix SMTP to send all remote messages
|
||||
to the specified mail server instead of trying to deliver them directly to
|
||||
their destination.
|
||||
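Review bot: in the added bullet, "smtp_sasl_tls_security_options removes the prohibition on plaintext passwords" does not say that the relaxation applies only to TLS-protected sessions, which is the reason the two settings are introduced together. Reword along the lines of "permits plaintext password mechanisms, but only over an encrypted session", and write "remote SMTP server" in capitals to match "Postfix SMTP" in the following bullet.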
@ -1114,7 +1120,7 @@ final resort.
|
||||
|
||||
/etc/postfix/sasl_passwd:
|
||||
# Per-sender authentication; see also /etc/postfix/sender_relay.
|
||||
user1@example.com username2:password2
|
||||
user1@example.com username1:password1
|
||||
user2@example.net username2:password2
|
||||
# Login information for the default relayhost.
|
||||
[mail.isp.example] username:password
|
||||
|
@ -146,6 +146,7 @@ Examples of simple restriction lists are:
|
||||
# (available with Postfix 2.10 and later).
|
||||
reject_unauth_destination
|
||||
reject_rbl_client zen.spamhaus.org,
|
||||
reject_rhsbl_reverse_client dbl.spamhaus.org,
|
||||
reject_rhsbl_helo dbl.spamhaus.org,
|
||||
reject_rhsbl_sender dbl.spamhaus.org
|
||||
|
||||
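Review bot: in this restriction list reject_unauth_destination has no trailing comma, while every following reject_rbl_client and reject_rhsbl_* line except the last ends in one. Mixed separators parse fine (items may be separated by space or comma), but in a copy-and-paste example the inconsistency reads like a missing separator. Add the comma after reject_unauth_destination.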
@ -156,7 +157,7 @@ Examples of simple restriction lists are:
|
||||
smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
|
||||
|
||||
Each restriction list is evaluated from left to right until some restriction
|
||||
produces a result of PERMIT, REJECT or DEFER (try again later). The end of the
|
||||
produces a result of PERMIT, REJECT or DEFER (try again later). The end of each
|
||||
list is equivalent to a PERMIT result. By placing a PERMIT restriction before a
|
||||
REJECT restriction you can make exceptions for specific clients or users. This
|
||||
is called whitelisting; the fourth example above allows mail from local
|
||||
|
@ -26,7 +26,8 @@ incoming SMTP connections.
|
||||
This document covers the following topics:
|
||||
|
||||
* Policy protocol description
|
||||
* Policy client/server configuration
|
||||
* Simple policy client/server configuration
|
||||
* Advanced policy client configuration
|
||||
* Example: greylist policy server
|
||||
* Greylisting mail from frequently forged domains
|
||||
* Greylisting all your mail
|
||||
@ -73,6 +74,10 @@ a delegated SMTPD access policy request:
|
||||
stress=
|
||||
PPoossttffiixx vveerrssiioonn 22..99 aanndd llaatteerr::
|
||||
ccert_pubkey_fingerprint=68:B3:29:DA:98:93:E3:40:99:C7:D8:AD:5C:B9:C9:40
|
||||
PPoossttffiixx vveerrssiioonn 33..00 aanndd llaatteerr::
|
||||
client_port=1234
|
||||
PPoossttffiixx vveerrssiioonn 33..11 aanndd llaatteerr::
|
||||
policy_context=submission
|
||||
[empty line]
|
||||
|
||||
Notes:
|
||||
@ -142,6 +147,9 @@ Notes:
|
||||
* The "stress" attribute is either empty or "yes". See the STRESS_README
|
||||
document for further information.
|
||||
|
||||
* The "policy_context" attribute provides a way to pass information that is
|
||||
not available via other attributes (Postfix version 3.1 and later).
|
||||
|
||||
The following is specific to SMTPD delegated policy requests:
|
||||
|
||||
* Protocol names are ESMTP or SMTP.
|
||||
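Review bot: the request example earlier in this file gains both client_port (Postfix 3.0 and later) and policy_context (Postfix 3.1 and later), but this Notes hunk documents policy_context only, and no bullet for client_port is visible anywhere in the diff. Add a matching bullet for client_port, and in the policy_context bullet name smtpd_policy_service_policy_context as the source of the value, so a policy server author knows the string is operator-supplied configuration rather than data from the SMTP client.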
@ -164,7 +172,7 @@ In case of trouble the policy server must not send a reply. Instead the server
|
||||
must log a warning and disconnect. Postfix will retry the request at some later
|
||||
time.
|
||||
|
||||
PPoolliiccyy cclliieenntt//sseerrvveerr ccoonnffiigguurraattiioonn
|
||||
SSiimmppllee ppoolliiccyy cclliieenntt//sseerrvveerr ccoonnffiigguurraattiioonn
|
||||
|
||||
The Postfix delegated policy client can connect to a TCP socket or to a UNIX-
|
||||
domain socket. Examples:
|
||||
@ -194,6 +202,7 @@ use something like this:
|
||||
9 check_policy_service unix:private/policy
|
||||
10 ...
|
||||
11 policy_time_limit = 3600
|
||||
12 # smtpd_policy_service_request_limit = 1
|
||||
|
||||
NOTES:
|
||||
|
||||
@ -225,6 +234,9 @@ NOTES:
|
||||
(in the above example, "policy") and a built-in suffix (in the above
|
||||
example: "_time_limit").
|
||||
|
||||
* Line 12: specify smtpd_policy_service_request_limit to avoid error-recovery
|
||||
delays with policy servers that cannot maintain a persistent connection.
|
||||
|
||||
* With Solaris < 9, or Postfix < 2.10 on any Solaris version, use TCP sockets
|
||||
instead of UNIX-domain sockets:
|
||||
|
||||
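Review bot: the new "Line 12" note tells the reader to "specify smtpd_policy_service_request_limit", but line 12 of the example is commented out and the note gives neither the value to use nor the version requirement. The parameter list later in this file marks the setting as available with Postfix 3.0 and later, with zero meaning no limit. Say here that line 12 must be uncommented, that 1 means one request per connection, and that it needs Postfix 3.0 or later.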
@ -239,9 +251,14 @@ NOTES:
|
||||
9 check_policy_service inet:127.0.0.1:9998
|
||||
10 ...
|
||||
11 127.0.0.1:9998_time_limit = 3600
|
||||
12 # smtpd_policy_service_request_limit = 1
|
||||
|
||||
Other configuration parameters that control the client side of the policy
|
||||
delegation protocol:
|
||||
Configuration parameters that control the client side of the policy delegation
|
||||
protocol:
|
||||
|
||||
* smtpd_policy_service_default_action (default: 451 4.3.5 Server
|
||||
configuration problem): The default action when an SMTPD policy service
|
||||
request fails. Available with Postfix 3.0 and later.
|
||||
|
||||
* smtpd_policy_service_max_idle (default: 300s): The amount of time before
|
||||
the Postfix SMTP server closes an unused policy client connection.
|
||||
@ -249,9 +266,82 @@ delegation protocol:
|
||||
* smtpd_policy_service_max_ttl (default: 1000s): The amount of time before
|
||||
the Postfix SMTP server closes an active policy client connection.
|
||||
|
||||
* smtpd_policy_service_request_limit (default: 0): The maximal number of
|
||||
requests per policy connection, or zero (no limit). Available with Postfix
|
||||
3.0 and later.
|
||||
|
||||
* smtpd_policy_service_timeout (default: 100s): The time limit to connect to,
|
||||
send to or receive from a policy server.
|
||||
|
||||
* smtpd_policy_service_try_limit (default: 2): The maximal number of attempts
|
||||
to send an SMTPD policy service request before giving up. Available with
|
||||
Postfix 3.0 and later.
|
||||
|
||||
* smtpd_policy_service_retry_delay (default: 1s): The delay between attempts
|
||||
to resend a failed SMTPD policy service request. Available with Postfix 3.0
|
||||
and later.
|
||||
|
||||
* smtpd_policy_service_policy_context (default: empty): Optional information
|
||||
that is passed in the "policy_context" attribute of an SMTPD policy service
|
||||
request (originally, to share the same SMTPD service endpoint among
|
||||
multiple check_policy_service clients). Available with Postfix 3.1 and
|
||||
later.
|
||||
|
||||
Configuration parameters that control the server side of the policy delegation
|
||||
protocol:
|
||||
|
||||
* transport_time_limit ($command_time_limit): The maximal amount of time the
|
||||
policy daemon is allowed to run before it is terminated. The transport is
|
||||
the service name of the master.cf entry for the policy daemon service. In
|
||||
the above examples, the service name is "policy" or "127.0.0.1:9998".
|
||||
|
||||
AAddvvaanncceedd ppoolliiccyy cclliieenntt ccoonnffiigguurraattiioonn
|
||||
|
||||
The previous section lists a number of Postfix main.cf parameters that control
|
||||
time limits and other settings for all policy clients. This is sufficient for
|
||||
simple configurations. With more complex configurations it becomes desirable to
|
||||
have different settings per policy client. This is supported with Postfix 3.0
|
||||
and later.
|
||||
|
||||
The following example shows a "non-critical" policy service with a short
|
||||
timeout, and with "DUNNO" as default action when the service is unvailable. The
|
||||
"DUNNO" action causes Postfix to ignore the result.
|
||||
|
||||
1 /etc/postfix/main.cf:
|
||||
2 smtpd_recipient_restrictions =
|
||||
3 ...
|
||||
4 reject_unauth_destination
|
||||
5 check_policy_service { inet:host:port,
|
||||
6 timeout=10s, default_action=DUNNO }
|
||||
8 ...
|
||||
|
||||
Instead of a server endpoint, we now have a list enclosed in {}.
|
||||
|
||||
* Line 5: The first item in the list is the server endpoint. This supports
|
||||
the exact same "inet" and "unix" syntax as described earlier.
|
||||
|
||||
* Line 6: The remainder of the list contains per-client settings. These
|
||||
settings override global main.cf parameters, and have the same name as
|
||||
those parameters, without the "smtpd_policy_service_" prefix.
|
||||
|
||||
Inside the list, syntax is similar to what we already know from main.cf: items
|
||||
separated by space or comma. There is one difference: yyoouu mmuusstt eenncclloossee aa
|
||||
sseettttiinngg iinn ppaarreenntthheesseess,, aass iinn ""{{ nnaammee == vvaalluuee }}"",, iiff yyoouu wwaanntt ttoo hhaavvee ssppaaccee oorr
|
||||
ccoommmmaa wwiitthhiinn aa vvaalluuee oorr aarroouunndd ""=="". This comes in handy when different policy
|
||||
servers require different default actions with different SMTP status codes or
|
||||
text:
|
||||
|
||||
1 /etc/postfix/main.cf:
|
||||
2 smtpd_recipient_restrictions =
|
||||
3 ...
|
||||
4 reject_unauth_destination
|
||||
5 check_policy_service {
|
||||
6 inet:host:port1,
|
||||
7 { default_action = 451 4.3.5 See http://www.example.com/
|
||||
support1 }
|
||||
8 }
|
||||
9 ...
|
||||
|
||||
EExxaammppllee:: ggrreeyylliisstt ppoolliiccyy sseerrvveerr
|
||||
|
||||
Greylisting is a defense against junk email that is described at http://
|
||||
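Review bot: the first "Advanced policy client configuration" example sets default_action=DUNNO with timeout=10s, and the text says only that DUNNO "causes Postfix to ignore the result"; it should state outright that the check then fails open, so when the policy server is slow or unreachable, evaluation continues with the next restriction as if the check were absent. That suits the "non-critical" service described, but the paragraph should warn against copying the setting for a policy service that acts as an access control. Smaller points in the same hunk: "unvailable" should be "unavailable", the first listing numbers its lines 1 to 6 and then 8, and "{ name = value }" is described as "parentheses" where the syntax shown uses braces.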
@ -307,6 +397,7 @@ socket that is accessible by Postfix processes only:
|
||||
9 reject_unauth_destination
|
||||
10 check_policy_service unix:private/greylist
|
||||
11 ...
|
||||
12 # smtpd_policy_service_request_limit = 1
|
||||
|
||||
Notes:
|
||||
|
||||
@ -338,6 +429,9 @@ Notes:
|
||||
service name (in the above example, "greylist") and a built-in suffix
|
||||
(in the above example: "_time_limit").
|
||||
|
||||
* Line 12: specify smtpd_policy_service_request_limit to avoid error-recovery
|
||||
delays with policy servers that cannot maintain a persistent connection.
|
||||
|
||||
With Solaris < 9, or Postfix < 2.10 on any Solaris version, use inet: style
|
||||
sockets instead of unix: style, as detailed in the "Policy client/server
|
||||
configuration" section above.
|
||||
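Review bot: the context line 'as detailed in the "Policy client/server configuration" section above' is now a stale cross-reference, because this patch renames that section to "Simple policy client/server configuration" in both the topic list and the heading. Update the quoted section name in this paragraph in the same commit.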
@ -353,6 +447,7 @@ configuration" section above.
|
||||
9 reject_unauth_destination
|
||||
10 check_policy_service inet:127.0.0.1:9998
|
||||
11 ...
|
||||
12 # smtpd_policy_service_request_limit = 1
|
||||
|
||||
GGrreeyylliissttiinngg mmaaiill ffrroomm ffrreeqquueennttllyy ffoorrggeedd ddoommaaiinnss
|
||||
|
||||
|
@ -102,8 +102,8 @@ From then on mail is processed as usual.
|
||||
|
||||
The content filter itself is not described here. You can use any filter that is
|
||||
SMTP enabled. For non-SMTP capable content filtering software, Bennett Todd's
|
||||
SMTP proxy implements a nice PERL/SMTP content filtering framework. See: http:/
|
||||
/bent.latency.net/smtpprox/.
|
||||
SMTP proxy implements a nice Perl-based framework. See: http://
|
||||
bent.latency.net/smtpprox/ or https://github.com/jnorell/smtpprox.
|
||||
|
||||
Postfix
|
||||
Postfix filter on SMTP server Postfix Postfix
|
||||
|
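Review bot: the added https://github.com/jnorell/smtpprox link sits beside the bent.latency.net URL without saying how the two relate (mirror, fork, or successor), and the GitHub account name is not the author named in the sentence. A content filter sees every message in transit, so state the repository's relationship to Bennett Todd's original code, or keep only the link the documentation can vouch for.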
268
external/ibm-public/postfix/dist/README_FILES/SMTPUTF8_README
vendored
Normal file
@ -0,0 +1,268 @@
|
||||
PPoossttffiixx SSMMTTPPUUTTFF88 ssuuppppoorrtt
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
|
||||
OOvveerrvviieeww
|
||||
|
||||
This document describes Postfix support for Email Address Internationalization
|
||||
(EAI) as defined in RFC 6531 (SMTPUTF8 extension), RFC 6532 (Internationalized
|
||||
email headers) and RFC 6533 (Internationalized delivery status notifications).
|
||||
Introduced with Postfix version 3.0, this fully supports UTF-8 email addresses
|
||||
and UTF-8 message header values.
|
||||
|
||||
Topics covered in this document:
|
||||
|
||||
* Building with/without SMTPUTF8 support
|
||||
* Enabling Postfix SMTPUTF8 support
|
||||
* Using Postfix SMTPUTF8 support
|
||||
* SMTPUTF8 autodetection
|
||||
* Limitations of the current implementation
|
||||
* Compatibility with pre-SMTPUTF8 environments
|
||||
* Credits
|
||||
|
||||
BBuuiillddiinngg PPoossttffiixx wwiitthh//wwiitthhoouutt SSMMTTPPUUTTFF88 ssuuppppoorrtt
|
||||
|
||||
Postfix will build with SMTPUTF8 support if the ICU library and header files
|
||||
are installed on the system. The package name varies with the OS distribution
|
||||
(and version). The table shows package names for a number of platforms at the
|
||||
time this text was written.
|
||||
|
||||
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|
||||
|OOSS DDiissttrriibbuuttiioonn |PPaacckkaaggee |
|
||||
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |
|
||||
|FreeBSD, NetBSD, etc.|icu |
|
||||
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |
|
||||
|Centos, Fedora, RHEL |libicu-devel|
|
||||
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |
|
||||
|Debian, Ubuntu |libicu-dev |
|
||||
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |
|
||||
|
||||
To force Postfix to build without SMTPUTF8, specify:
|
||||
|
||||
$ mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==""--DDNNOO__EEAAII ......""
|
||||
|
||||
See the INSTALL document for more "make makefiles" options.
|
||||
|
||||
EEnnaabblliinngg PPoossttffiixx SSMMTTPPUUTTFF88 ssuuppppoorrtt
|
||||
|
||||
There is more to SMTPUTF8 than just Postfix itself. The rest of your email
|
||||
infrastructure also needs to be able to handle UTF-8 email addresses and
|
||||
message header values. This includes SMTPUTF8 protocol support in SMTP-based
|
||||
content filters (Amavisd), LMTP servers (Dovecot), and down-stream SMTP
|
||||
servers.
|
||||
|
||||
Postfix SMTPUTF8 support is enabled by default, but it may be disabled as part
|
||||
of a backwards-compatibility safety net (see the COMPATIBILITY_README file).
|
||||
|
||||
SMTPUTF8 support is enabled by setting the smtputf8_enable parameter in
|
||||
main.cf:
|
||||
|
||||
# ppoossttccoonnff ""ssmmttppuuttff88__eennaabbllee == yyeess""
|
||||
# ppoossttffiixx rreellooaadd
|
||||
|
||||
With SMTPUTF8 support enabled, Postfix changes behavior with respect to earlier
|
||||
Postfix releases:
|
||||
|
||||
* UTF-8 is permitted in the myorigin parameter value. However, the myhostname
|
||||
and mydomain parameters must currently specify ASCII-only domain names.
|
||||
This limitation may be removed later.
|
||||
|
||||
* UTF-8 is the only form of non-ASCII text that Postfix supports in access
|
||||
tables, address rewriting tables, and other tables that are indexed with an
|
||||
email address, hostname, or domain name.
|
||||
|
||||
* The header_checks-like and body_checks-like features are not UTF-8 enabled,
|
||||
and therefore they do not enforce UTF-8 syntax rules on inputs and outputs.
|
||||
The reason is that non-ASCII text may be sent in encodings other than UTF-
|
||||
8, and that real email sometimes contains malformed headers. Instead of
|
||||
skipping non-UTF-8 content, Postfix should be able to filter it. You may
|
||||
try to enable UTF-8 processing by starting a PCRE pattern with the sequence
|
||||
(*UTF8), but this is will result in "message not accepted, try again later"
|
||||
errors when the PCRE pattern matcher encounters non-UTF-8 input. Other
|
||||
features that are not UTF-8 enabled are smtpd_command_filter,
|
||||
smtp_reply_filter, the *_delivery_status_filter features, and the
|
||||
*_dns_reply_filter features (the latter because DNS is by definition an
|
||||
ASCII protocol).
|
||||
|
||||
* The Postfix SMTP server announces SMTPUTF8 support in the EHLO response.
|
||||
|
||||
220 server.example.com ESMTP Postfix
|
||||
EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
|
||||
250-server.example.com
|
||||
250-PIPELINING
|
||||
250-SIZE 10240000
|
||||
250-VRFY
|
||||
250-ETRN
|
||||
250-STARTTLS
|
||||
250-AUTH PLAIN LOGIN
|
||||
250-ENHANCEDSTATUSCODES
|
||||
250-8BITMIME
|
||||
250-DSN
|
||||
250 SMTPUTF8
|
||||
|
||||
* The Postfix SMTP server accepts the SMTPUTF8 request in MAIL FROM and VRFY
|
||||
commands.
|
||||
|
||||
MMAAIILL FFRROOMM::<<aaddddrreessss>> SSMMTTPPUUTTFF88 ......
|
||||
|
||||
VVRRFFYY aaddddrreessss SSMMTTPPUUTTFF88
|
||||
|
||||
* The Postfix SMTP client may issue the SMTPUTF8 request in MAIL FROM
|
||||
commands.
|
||||
|
||||
* The Postfix SMTP server accepts UTF-8 in email address domains, but only
|
||||
after the remote SMTP client issues the SMTPUTF8 request in MAIL FROM or
|
||||
VRFY commands.
|
||||
|
||||
Postfix already permitted UTF-8 in message header values and in address
|
||||
localparts. This does not change.
|
||||
|
||||
UUssiinngg PPoossttffiixx SSMMTTPPUUTTFF88 ssuuppppoorrtt
|
||||
|
||||
After Postfix SMTPUTF8 support is turned on, Postfix behavior will depend on 1)
|
||||
whether a remote SMTP client requests SMTPUTF8 support, 2) the presence of UTF-
|
||||
8 content in the message envelope and headers, and 3) whether a down-stream
|
||||
SMTP (or LMTP) server announces SMTPUTF8 support.
|
||||
|
||||
* When the Postfix SMTP server receives a message WITHOUT the SMTPUTF8
|
||||
request, Postfix handles the message as it has always done (at least that
|
||||
is the default, see autodetection below). Specifically, the Postfix SMTP
|
||||
server does not accept UTF-8 in the envelope sender domain name or envelope
|
||||
recipient domain name, and the Postfix SMTP client does not issue the
|
||||
SMTPUTF8 request when delivering that message to an SMTP or LMTP server
|
||||
that announces SMTPUTF8 support (again, that is the default). Postfix will
|
||||
accept UTF-8 in message header values and in the localpart of envelope
|
||||
sender and recipient addresses, because it has always done that.
|
||||
|
||||
* When the Postfix SMTP server receives a message WITH the SMTPUTF8 request,
|
||||
Postfix will issue the SMTPUTF8 request when delivering that message to an
|
||||
SMTP or LMTP server that announces SMTPUTF8 support. This is not
|
||||
configurable.
|
||||
|
||||
* When a message is received with the SMTPUTF8 request, Postfix will deliver
|
||||
the message to a non-SMTPUTF8 SMTP or LMTP server ONLY if:
|
||||
|
||||
o No message header value contains UTF-8.
|
||||
|
||||
o The envelope sender address contains no UTF-8,
|
||||
|
||||
o No envelope recipient address for that specific SMTP/LMTP delivery
|
||||
transaction contains UTF-8.
|
||||
|
||||
NOTE: Recipients in other email delivery transactions for that same
|
||||
message may still contain UTF-8.
|
||||
|
||||
Otherwise, Postfix will return the recipient(s) for that email delivery
|
||||
transaction as undeliverable. The delivery status notification message will
|
||||
be an SMTPUTF8 message. It will therefore be subject to the same
|
||||
restrictions as email that is received with the SMTPUTF8 request.
|
||||
|
||||
* When the Postfix SMTP server receives a message with the SMTPUTF8 request,
|
||||
that request also applies after the message is forwarded via a virtual or
|
||||
local alias, or $HOME/.forward file.
|
||||
|
||||
SSMMTTPPUUTTFF88 aauuttooddeetteeccttiioonn
|
||||
|
||||
This section applies only to systems that have SMTPUTF8 support turned on
|
||||
(smtputf8_enable = yes).
|
||||
|
||||
For compatibility with pre-SMTPUTF8 environments, Postfix does not
|
||||
automatically set the "SMTPUTF8 requested" flag on messages from non-SMTPUTF8
|
||||
clients that contain an UTF-8 header value or UTF-8 address localpart. This
|
||||
would make such messages undeliverable to non-SMTPUTF8 servers, and could be a
|
||||
barrier to SMTPUTF8 adoption.
|
||||
|
||||
By default, Postfix sets the "SMTPUTF8 requested" flag only on address
|
||||
verification probes and on Postfix sendmail submissions that contain UTF-8 in
|
||||
the sender address, UTF-8 in a recipient address, or UTF-8 in a message header
|
||||
value.
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
smtputf8_autodetect_classes = sendmail, verify
|
||||
|
||||
However, if you have a non-ASCII myorigin or mydomain setting, or if you have a
|
||||
configuration that introduces UTF-8 addresses with virtual aliases, canonical
|
||||
mappings, or BCC mappings, then you may have to apply SMTPUTF8 autodetection to
|
||||
all email:
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
smtputf8_autodetect_classes = all
|
||||
|
||||
This will, of course, also flag email that was received without SMTPUTF8
|
||||
request, but that contains UTF-8 in a sender address localpart, receiver
|
||||
address localpart, or message header value. Such email was not standards-
|
||||
compliant, but Postfix would have delivered it if SMTPUTF8 support was
|
||||
disabled.
|
||||
|
||||
LLiimmiittaattiioonnss ooff tthhee ccuurrrreenntt iimmpplleemmeennttaattiioonn
|
||||
|
||||
The Postfix implementation is a work in progress; limitations are steadily
|
||||
being removed. The text below describes the situation at one point in time.
|
||||
|
||||
NNoo aauuttoommaattiicc ccoonnvveerrssiioonnss bbeettwweeeenn AASSCCIIII aanndd UUTTFF--88 ddoommaaiinn nnaammeess..
|
||||
|
||||
Some background: According to RFC 6530 and related documents, an
|
||||
internationalized domain name can appear in two forms: the UTF-8 form, and the
|
||||
ASCII (xn--mumble) form. An internationalized address localpart must be encoded
|
||||
in UTF-8; the RFCs do not define an ASCII alternative form.
|
||||
|
||||
Postfix currently does not convert internationalized domain names from UTF-
|
||||
8 into ASCII (or from ASCII into UTF-8) before using domain names in SMTP
|
||||
commands and responses, before looking up domain names in lists such as
|
||||
mydestination, relay_domains or in lookup tables such as access tables, etc.,
|
||||
before using domain names in a policy daemon or Milter request, or before
|
||||
logging events.
|
||||
|
||||
Postfix does, however, casefold domain names and email addresses before
|
||||
matching them against a Postfix configuration parameter or lookup table.
|
||||
|
||||
In order to use Postfix SMTPUTF8 support:
|
||||
|
||||
* The Postfix parameters myhostname and mydomain must be in ASCII form. One
|
||||
is a substring of the other, and the myhostname value is used in SMTP
|
||||
commands and responses that require ASCII. The parameter myorigin (added to
|
||||
local addresses without domain) supports UTF-8.
|
||||
|
||||
* You need to configure both the ASCII and UTF-8 forms of an
|
||||
Internationalized domain name in Postfix parameters such as mydestination
|
||||
and relay_domains, as well as lookup table search keys.
|
||||
|
||||
* Milters, content filters, policy servers and logfile analysis tools need to
|
||||
be able to handle both the ASCII and UTF-8 forms of Internationalized
|
||||
domain names.
|
||||
|
||||
CCoommppaattiibbiilliittyy wwiitthh pprree--SSMMTTPPUUTTFF88 eennvviirroonnmmeennttss
|
||||
|
||||
MMaaiilliinngg lliissttss wwiitthh UUTTFF--88 aanndd nnoonn--UUTTFF--88 ssuubbssccrriibbeerrss
|
||||
|
||||
With Postfix, there is no need to split mailing lists into UTF-8 and non-UTF-
|
||||
8 members. Postfix will try to deliver the non-UTF8 subscribers over
|
||||
"traditional" non-SMTPUTF8 sessions, as long as the message has an ASCII
|
||||
envelope sender address and all-ASCII header values. The mailing list manager
|
||||
may have to apply RFC 2047 encoding to satisfy that last condition.
|
||||
|
||||
PPrree--eexxiissttiinngg nnoonn--AASSCCIIII eemmaaiill fflloowwss
|
||||
|
||||
With "smtputf8_enable = no", Postfix handles email with non-ASCII in address
|
||||
localparts (and in headers) as before. The vast majority of email software is
|
||||
perfectly capable of handling such email, even if pre-SMTPUTF8 standards do not
|
||||
support such practice.
|
||||
|
||||
However, when you specify "smtputf8_enable = yes", Postfix requires that non-
|
||||
ASCII address information is encoded in UTF-8 and will reject other encodings
|
||||
such as ISO-8859. It is not practical for Postfix to support multiple encodings
|
||||
at the same time. There is no problem with RFC 2047 encodings such as "=?ISO-
|
||||
8859-1?Q?text?=", because those use only characters from the ASCII
|
||||
characterset.
|
||||
|
||||
CCrreeddiittss
|
||||
|
||||
* May 15, 2014: Arnt Gulbrandsen posted his patch for Unicode email support.
|
||||
This work was sponsored by CNNIC.
|
||||
|
||||
* July 15, 2014: Wietse integrated Arnt Gulbrandsen's code and released
|
||||
Postfix with SMTPUTF8 support.
|
||||
|
||||
* January 2015: Wietse added UTF-8 support for casefolding in Postfix lookup
|
||||
tables and caseless string comparison in Postfix list-based features.
|
||||
|
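Review bot: The "No automatic conversions" limitation lists access tables, policy daemons and Milters among the places where a domain name is used without UTF-8/ASCII conversion, but the requirement under "In order to use Postfix SMTPUTF8 support" only says to configure both forms in "mydestination and relay_domains, as well as lookup table search keys". Suggest stating there that allow and reject entries keyed on an internationalized domain must be listed in both the UTF-8 and the xn-- form, because an entry in one form does not match the other, and that log searches need both forms for the same reason.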
@ -169,6 +169,8 @@ username/password information.
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
smtp_sasl_auth_enable = yes
|
||||
smtp_tls_security_level = encrypt
|
||||
smtp_sasl_tls_security_options = noanonymous
|
||||
relayhost = [mail.isp.example]
|
||||
# Alternative form:
|
||||
# relayhost = [mail.isp.example]:submission
|
||||
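Review bot: The added "smtp_tls_security_level = encrypt" line makes TLS mandatory, but at that level the Postfix SMTP client does not verify the relayhost certificate, and the line added after it permits plaintext SASL mechanisms inside that session. The example talks to one fixed host ([mail.isp.example]), so consider noting that a level with certificate verification (verify or secure) is preferable where the provider's certificate can be validated, or say explicitly that encrypt protects the password against passive eavesdropping only.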
@ -178,6 +180,10 @@ username/password information.
|
||||
will configure the client's username and password information in the second
|
||||
part of the example.
|
||||
|
||||
* The smtp_tls_security_level setting ensures that the connection to the
|
||||
remote smtp server will be encrypted, and smtp_sasl_tls_security_options
|
||||
removes the prohibition on plaintext passwords.
|
||||
|
||||
* The relayhost setting forces the Postfix SMTP to send all remote messages
|
||||
to the specified mail server instead of trying to deliver them directly to
|
||||
their destination.
|
||||
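Review bot: The new bullet says smtp_sasl_tls_security_options "removes the prohibition on plaintext passwords" without saying that this setting applies only to TLS-encrypted sessions, so a reader could carry noanonymous over to the setting that governs sessions without TLS. Suggest wording such as "permits plaintext password mechanisms, but only inside the TLS-encrypted session that smtp_tls_security_level = encrypt requires". Also, "remote smtp server" should read "remote SMTP server", matching "Postfix SMTP" in the following bullet.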
@ -254,7 +260,7 @@ final resort.
|
||||
|
||||
/etc/postfix/sasl_passwd:
|
||||
# Per-sender authentication; see also /etc/postfix/sender_relay.
|
||||
user1@example.com username2:password2
|
||||
user1@example.com username1:password1
|
||||
user2@example.net username2:password2
|
||||
# Login information for the default relayhost.
|
||||
[mail.isp.example] username:password
|
||||
|
@ -24,7 +24,18 @@ For example:
|
||||
|
||||
make -f Makefile.init makefiles \
|
||||
'CCARGS=-DHAS_SQLITE -I/usr/local/include' \
|
||||
'AUXLIBS=-L/usr/local/lib -lsqlite3 -lpthread'
|
||||
'AUXLIBS_SQLITE=-L/usr/local/lib -lsqlite3 -lpthread'
|
||||
|
||||
Postfix versions before 3.0 use AUXLIBS instead of AUXLIBS_SQLITE. With Postfix
|
||||
3.0 and later, the old AUXLIBS variable still supports building a statically-
|
||||
loaded SQLite database client, but only the new AUXLIBS_SQLITE variable
|
||||
supports building a dynamically-loaded or statically-loaded SQLite database
|
||||
client.
|
||||
|
||||
Failure to use the AUXLIBS_SQLITE variable will defeat the purpose of
|
||||
dynamic database client loading. Every Postfix executable file will have
|
||||
SQLITE database library dependencies. And that was exactly what dynamic
|
||||
database client loading was meant to avoid.
|
||||
|
||||
Then, just run 'make'.
|
||||
|
||||
|
@ -97,13 +97,16 @@ The "stress" parameter value is the key to making main.cf parameter settings
|
||||
stress adaptive. The following settings are the default with Postfix 2.6 and
|
||||
later.
|
||||
|
||||
1 smtpd_timeout = ${stress?10}${stress:300}s
|
||||
2 smtpd_hard_error_limit = ${stress?1}${stress:20}
|
||||
3 smtpd_junk_command_limit = ${stress?1}${stress:100}
|
||||
1 smtpd_timeout = ${stress?{10}:{300}}s
|
||||
2 smtpd_hard_error_limit = ${stress?{1}:{20}}
|
||||
3 smtpd_junk_command_limit = ${stress?{1}:{100}}
|
||||
4 # Parameters added after Postfix 2.6:
|
||||
5 smtpd_per_record_deadline = ${stress?yes}${stress:no}
|
||||
6 smtpd_starttls_timeout = ${stress?10}${stress:300}s
|
||||
7 address_verify_poll_count = ${stress?1}${stress:3}
|
||||
5 smtpd_per_record_deadline = ${stress?{yes}:{no}}
|
||||
6 smtpd_starttls_timeout = ${stress?{10}:{300}}s
|
||||
7 address_verify_poll_count = ${stress?{1}:{3}}
|
||||
|
||||
Postfix versions before 3.0 use the older form ${stress?x}${stress:y} instead
|
||||
of the newer form ${stress?{x}:{y}}.
|
||||
|
||||
Translation:
|
||||
|
||||
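Review bot: The unchanged lead-in still reads "The following settings are the default with Postfix 2.6 and later", but lines 1-3 and 5-7 of the block now use the ${stress?{x}:{y}} form, and the note that versions before 3.0 need ${stress?x}${stress:y} only appears after the block. Someone copying the block into a pre-3.0 main.cf will do so before reaching that note; suggest changing the lead-in to say the block shows the Postfix 3.0 syntax, or moving the note above the block.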
@ -146,8 +149,8 @@ Translation:
|
||||
$unverified_sender_tempfail_action. No mail should be lost, as long as this
|
||||
measure is used only temporarily.
|
||||
|
||||
The syntax of ${name?value} and ${name:value} is explained at the beginning of
|
||||
the postconf(5) manual page.
|
||||
The syntax of ${name?{value}:{value}}, ${name?value} and ${name:value} is
|
||||
explained at the beginning of the postconf(5) manual page.
|
||||
|
||||
NOTE: Please keep in mind that the stress-adaptive feature is a fairly
|
||||
desperate measure to keep ssoommee legitimate mail flowing under overload
|
||||
|
@ -178,7 +178,7 @@ Their DSA counterparts:
|
||||
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
|
||||
|
||||
To verify a remote SMTP client certificate, the Postfix SMTP server needs to
|
||||
trust the certificates of the issuing certification authorities. These
|
||||
trust the certificates of the issuing Certification Authorities. These
|
||||
certificates in "pem" format can be stored in a single $smtpd_tls_CAfile or in
|
||||
multiple files, one CA per file in the $smtpd_tls_CApath directory. If you use
|
||||
a directory, don't forget to create the necessary "hash" links with:
|
||||
@ -565,7 +565,7 @@ Their DSA counterparts:
|
||||
smtp_tls_dkey_file = $smtp_tls_dcert_file
|
||||
|
||||
To verify a remote SMTP server certificate, the Postfix SMTP client needs to
|
||||
trust the certificates of the issuing certification authorities. These
|
||||
trust the certificates of the issuing Certification Authorities. These
|
||||
certificates in "pem" format can be stored in a single $smtp_tls_CAfile or in
|
||||
multiple files, one CA per file in the $smtp_tls_CApath directory. If you use a
|
||||
directory, don't forget to create the necessary "hash" links with:
|
||||
@ -700,8 +700,8 @@ Despite the potential for eliminating "man-in-the-middle" and other attacks,
|
||||
mandatory certificate/peername verification is not viable as a default Internet
|
||||
mail delivery policy at this time. A significant fraction of TLS enabled MTAs
|
||||
uses self-signed certificates, or certificates that are signed by a private
|
||||
certificate authority. On a machine that delivers mail to the Internet, if you
|
||||
set smtp_enforce_tls = yes, you should probably also set
|
||||
Certification Authority. On a machine that delivers mail to the Internet, if
|
||||
you set smtp_enforce_tls = yes, you should probably also set
|
||||
smtp_tls_enforce_peername = no. You can use the per-site TLS policies (see
|
||||
below) to enable full peer verification for specific destinations that are
|
||||
known to have verifiable TLS server certificates.
|
||||
@ -956,16 +956,16 @@ The following steps will get you started quickly. Because you sign your own
|
||||
Postfix public key certificate, you get TLS encryption but no TLS
|
||||
authentication. This is sufficient for testing, and for exchanging email with
|
||||
sites that you have no trust relationship with. For real authentication, your
|
||||
Postfix public key certificate needs to be signed by a recognized Certificate
|
||||
Postfix public key certificate needs to be signed by a recognized Certification
|
||||
Authority, and Postfix needs to be configured with a list of public key
|
||||
certificates of Certificate Authorities, so that Postfix can verify the public
|
||||
key certificates of remote hosts.
|
||||
certificates of Certification Authorities, so that Postfix can verify the
|
||||
public key certificates of remote hosts.
|
||||
|
||||
In the examples below, user input is shown in bboolldd font, and a "#" prompt
|
||||
indicates a super-user shell.
|
||||
|
||||
* Become your own Certificate Authority, so that you can sign your own public
|
||||
keys. This example uses the CA.pl script that ships with OpenSSL. By
|
||||
* Become your own Certification Authority, so that you can sign your own
|
||||
public keys. This example uses the CA.pl script that ships with OpenSSL. By
|
||||
default, OpenSSL installs this as /usr/local/ssl/misc/CA.pl, but your
|
||||
mileage may vary. The script creates a private key in ./demoCA/private/
|
||||
cakey.pem and a public key in ./demoCA/cacert.pem.
|
||||
|
@ -173,6 +173,10 @@ the smtpd(8) server against abuse by out-of-control clients.
|
||||
The maximum number of new TLS sessions (without using the TLS session
|
||||
cache) that an SMTP client may negotiate in the time interval specified
|
||||
with anvil_rate_time_unit (default: 60s).
|
||||
smtpd_client_auth_rate_limit (default: no limit)
|
||||
The maximum number of AUTH commands that an SMTP client may send in the
|
||||
time interval specified with anvil_rate_time_unit (default: 60s).
|
||||
Available in Postfix 3.1 and later.
|
||||
smtpd_client_event_limit_exceptions (default: $mynetworks)
|
||||
SMTP clients that are excluded from connection and rate limits
|
||||
specified above.
|
||||
|
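Review bot: The new smtpd_client_auth_rate_limit entry defaults to "no limit", and the unchanged smtpd_client_event_limit_exceptions entry below it (default: $mynetworks) excludes clients from the "connection and rate limits specified above", which now includes the AUTH limit. Suggest saying in the new entry that the limit is off unless configured and that clients matching smtpd_client_event_limit_exceptions are exempt, so readers do not assume AUTH attempts are throttled by default.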
@ -80,7 +80,8 @@ Note 1: syntactically valid NAME and HELO attribute-value elements can be up to
|
||||
255 characters long. The client must not send XCLIENT commands that exceed the
|
||||
512 character limit for SMTP commands. To avoid exceeding the limit the client
|
||||
should send the information in multiple XCLIENT commands; for example, send
|
||||
NAME and ADDR first, then HELO and PROTO.
|
||||
NAME and ADDR last, after HELO and PROTO. Once ADDR is sent, the client is
|
||||
usually no longer authorized to send XCLIENT commands.
|
||||
|
||||
Note 2: [UNAVAILABLE], [TEMPUNAVAIL] and IPV6: may be specified in upper case,
|
||||
lower case or mixed case.
|
||||
|
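Review bot: The replacement sentence "Once ADDR is sent, the client is usually no longer authorized to send XCLIENT commands" gives the consequence but not the cause, and "usually" leaves an implementer guessing when it applies. Suggest stating the condition (presumably that the authorization check then applies to the address supplied in ADDR), so it is clear why ADDR has to go in the last XCLIENT command. The example also still pairs NAME with ADDR although only ADDR is named as the trigger; say whether NAME may be sent in the earlier command.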
424
external/ibm-public/postfix/dist/RELEASE_NOTES
vendored
@ -1,26 +1,161 @@
|
||||
The stable Postfix release is called postfix-2.11.x where 2=major
|
||||
release number, 11=minor release number, x=patchlevel. The stable
|
||||
This is the Postfix 3.1 (stable) release.
|
||||
|
||||
The stable Postfix release is called postfix-3.1.x where 3=major
|
||||
release number, 1=minor release number, x=patchlevel. The stable
|
||||
release never changes except for patches that address bugs or
|
||||
emergencies. Patches change the patchlevel and the release date.
|
||||
|
||||
New features are developed in snapshot releases. These are called
|
||||
postfix-2.12-yyyymmdd where yyyymmdd is the release date (yyyy=year,
|
||||
postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
|
||||
mm=month, dd=day). Patches are never issued for snapshot releases;
|
||||
instead, a new snapshot is released.
|
||||
|
||||
The mail_release_date configuration parameter (format: yyyymmdd)
|
||||
specifies the release date of a stable release or snapshot release.
|
||||
|
||||
If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10
|
||||
If you upgrade from Postfix 2.11 or earlier, read RELEASE_NOTES-3.0
|
||||
before proceeding.
|
||||
|
||||
Incompatible change with Postfix 2.11.6
|
||||
---------------------------------------
|
||||
Workaround - UTF8 support in Postfix MySQL queries
|
||||
--------------------------------------------------
|
||||
|
||||
As of the middle of 2015, all supported Postfix releases no longer
|
||||
enable "export" grade ciphers for opportunistic TLS, and no longer
|
||||
use the deprecated SSLv2 and SSLv3 protocols for mandatory or
|
||||
opportunistic TLS.
|
||||
Someone reported false "not found" errors with MySQL map queries
|
||||
that contain UTF8-encoded text. To avoid such errors, specify
|
||||
"option_group = client" in Postfix MySQL configuration files. This
|
||||
will be the default setting with Postfix 3.2 and later.
|
||||
|
||||
Major changes - address verification safety
|
||||
-------------------------------------------
|
||||
|
||||
[Feature 20151227] The new address_verify_pending_request_limit
|
||||
parameter introduces a safety limit for the number of address
|
||||
verification probes in the active queue. The default limit is 1/4
|
||||
of the active queue maximum size. The queue manager enforces the
|
||||
limit by tempfailing probe messages that exceed the limit. This
|
||||
design avoids dependencies on global counters that get out of sync
|
||||
after a process or system crash.
|
||||
|
||||
Tempfailing verify requests is not as bad as one might think. The
|
||||
Postfix verify cache proactively updates active addresses weeks
|
||||
before they expire. The address_verify_pending_request_limit affects
|
||||
only unknown addresses, and inactive addresses that have expired
|
||||
from the address verify cache (by default, after 31 days).
|
||||
|
||||
Major changes - json support
|
||||
----------------------------
|
||||
|
||||
[Feature 20151129] Machine-readable, JSON-formatted queue listing
|
||||
with "postqueue -j" (no "mailq" equivalent). The output is a stream
|
||||
of JSON objects, one per queue file. To simplify parsing, each
|
||||
JSON object is formatted as one text line followed by one newline
|
||||
character. See the postqueue(1) manpage for a detailed description
|
||||
of the output format.
|
||||
|
||||
Major changes - milter support
|
||||
------------------------------
|
||||
|
||||
[Feature 20150523] The milter_macro_defaults feature provides an
|
||||
optional list of macro name=value pairs. These specify default
|
||||
values for Milter macros when no value is available from the SMTP
|
||||
session context.
|
||||
|
||||
For example, with "milter_macro_defaults = auth_type=TLS", the
|
||||
Postfix SMTP server will send an auth_type of "TLS" to a Milter,
|
||||
unless the remote client authenticates with SASL.
|
||||
|
||||
This feature was originally implemented for a submission service
|
||||
that may authenticate clients with a TLS certificate, without having
|
||||
to make changes to the code that implements TLS support.
|
||||
|
||||
Major changes - output rate control
|
||||
-----------------------------------
|
||||
|
||||
[Feature 20150710] Destination-independent delivery rate delay
|
||||
|
||||
Support to enforce a destination-independent delay between email
|
||||
deliveries. The following example inserts 20 seconds of delay
|
||||
between all deliveries with the SMTP transport, limiting the delivery
|
||||
rate to at most three messages per minute.
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
smtp_transport_rate_delay = 20s
|
||||
|
||||
For details, see the description of default_transport_rate_delay
|
||||
and transport_transport_rate_delay in the postconf(5) manpage.
|
||||
|
||||
Major changes - postscreen dnsbl
|
||||
--------------------------------
|
||||
|
||||
[Feature 20150710] postscreen support for the TTL of DNSBL and DNSWL
|
||||
lookup results
|
||||
|
||||
Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
|
||||
that a "not found" result from a DNSBL server will be valid for one
|
||||
hour. This may have been adequate five years ago when postscreen
|
||||
was first implemented, but nowadays, that one hour can result in
|
||||
missed opportunities to block new spambots.
|
||||
|
||||
To address this, postscreen now respects the TTL of DNSBL "not
|
||||
found" replies, as well as the TTL of DNSWL replies (both "found"
|
||||
and "not found"). The TTL for a "not found" reply is determined
|
||||
according to RFC 2308 (the TTL of an SOA record in the reply).
|
||||
|
||||
Support for DNSBL or DNSWL reply TTL values is controlled by two
|
||||
configuration parameters:
|
||||
|
||||
postscreen_dnsbl_min_ttl (default: 60 seconds).
|
||||
|
||||
This parameter specifies a minimum for the amount of time that
|
||||
a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
|
||||
This prevents an excessive number of postscreen cache updates
|
||||
when a DNSBL or DNSWL server specifies a very small reply TTL.
|
||||
|
||||
postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
|
||||
|
||||
This parameter specifies a maximum for the amount of time that
|
||||
a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
|
||||
This prevents cache pollution when a DNSBL or DNSWL server
|
||||
specifies a very large reply TTL.
|
||||
|
||||
The postscreen_dnsbl_ttl parameter is now obsolete, and has become
|
||||
the default value for the new postscreen_dnsbl_max_ttl parameter.
|
||||
|
||||
Major changes - sasl auth safety
|
||||
--------------------------------
|
||||
|
||||
[Feature 20151031] New "smtpd_client_auth_rate_limit" feature, to
|
||||
enforce an optional rate limit on AUTH commands per SMTP client IP
|
||||
address. Similar to other smtpd_client_*_rate_limit features, this
|
||||
enforces a limit on the number of requests per $anvil_rate_time_unit.
|
||||
|
||||
Major changes - smtpd policy
|
||||
----------------------------
|
||||
|
||||
[Feature 20150913] New SMTPD policy service attribute "policy_context",
|
||||
with a corresponding "smtpd_policy_service_policy_context" configuration
|
||||
parameter. Originally, this was implemented to share the same SMTPD
|
||||
policy service endpoint among multiple check_policy_service clients.
|
||||
|
||||
Major changes - tls
|
||||
-------------------
|
||||
|
||||
[Feature 20160207] A new "postfix tls" command to quickly enable
|
||||
opportunistic TLS in the Postfix SMTP client or server, and to
|
||||
manage SMTP server keys and certificates, including certificate
|
||||
signing requests and TLSA DNS records for DANE. See the postfix-tls(1)
|
||||
manpage for a detailed description.
|
||||
|
||||
[Feature 20160103] The Postfix SMTP client by default enables DANE
|
||||
policies when an MX host has a (DNSSEC) secure TLSA DNS record,
|
||||
even if the MX DNS record was obtained with insecure lookups. The
|
||||
existence of a secure TLSA record implies that the host wants to
|
||||
talk TLS and not plaintext. For details see the
|
||||
smtp_tls_dane_insecure_mx_policy configuration parameter.
|
||||
|
||||
[Incompat 20150721] As of the middle of 2015, all supported Postfix
|
||||
releases no longer enable "export" grade ciphers for opportunistic
|
||||
TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for
|
||||
mandatory or opportunistic TLS.
|
||||
|
||||
These changes are very unlikely to cause problems with server-to-server
|
||||
communication over the Internet, but they may result in interoperability
|
||||
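Review bot: The [Feature 20160103] entry describes a change in default SMTP client behaviour (DANE policy is applied when the MX host has a secure TLSA record even though the MX record came from an insecure lookup), yet it is filed as a Feature and names smtp_tls_dane_insecure_mx_policy without giving its default value or the value that restores the earlier behaviour. Because this alters TLS policy on upgrade without any main.cf change, suggest the import's commit message or local upgrade notes call it out alongside the [Incompat 20150721] entry.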
@ -48,267 +183,12 @@ selective, use "-o name=value" parameter overrides on specific
|
||||
services in master.cf. Execute the command "postfix reload" to make
|
||||
the changes effective.
|
||||
|
||||
Major changes - tls
|
||||
-------------------
|
||||
[Incompat 20150719] The default Diffie-Hellman non-export prime was
|
||||
updated from 1024 to 2048 bits, because SMTP clients are starting
|
||||
to reject TLS handshakes with primes smaller than 2048 bits.
|
||||
|
||||
[Documentation 20131218] The new FORWARD_SECRECY_README document
|
||||
conveniently presents all information about Postfix "perfect" forward
|
||||
secrecy support in one place: what forward secrecy is, how to tweak
|
||||
settings, and what you can expect to see when Postfix uses ciphers
|
||||
with forward secrecy.
|
||||
Historically, this prime size is not negotiable, and each site needs
|
||||
to determine which prime size works best for the majority of its
|
||||
clients. See FORWARD_SECRECY_README for some hints in the quick-start
|
||||
section.
|
||||
|
||||
[Feature 20130602] Support for PKI-less TLS server certificate
|
||||
verification, where the CA public key or the server certificate is
|
||||
identified via DNSSEC lookup.
|
||||
|
||||
This feature introduces new TLS security levels called "dane" and
|
||||
"dane-only" (DNS-based Authentication of Named Entities) that use
|
||||
DNSSEC to look up CA or server certificate information. The details
|
||||
of DANE core protocols are still evolving, as are the details of
|
||||
how DANE should be used in the context of SMTP. Postfix implements
|
||||
what appears to be a "rational" subset of the DANE profiles that
|
||||
is suitable for SMTP.
|
||||
|
||||
The problem with conventional PKI is that there are literally
|
||||
hundreds of organizations world-wide that can provide a certificate
|
||||
in anyone's name. There have been widely-published incidents in
|
||||
recent history where a certificate authority gave out an inappropriate
|
||||
certificate (e.g., a certificate in the name of Microsoft to someone
|
||||
who did not represent Microsoft), where a CA was compromised (e.g.,
|
||||
DigiNotar, Comodo), or where a CA made operational mistakes (e.g.,
|
||||
TURKTRUST). Another concern is that a legitimate CA might be coerced
|
||||
to provide a certificate that allows its government to play
|
||||
man-in-the-middle on TLS traffic and observe the plaintext.
|
||||
|
||||
Major changes - LMDB database support
|
||||
-------------------------------------
|
||||
|
||||
LMDB is a memory-mapped database that was originally developed as
|
||||
part of OpenLDAP. The Postfix LMDB driver was originally contributed
|
||||
by Howard Chu, LMDB's creator.
|
||||
|
||||
LMDB can be used for all Postfix lookup tables and caches. It is
|
||||
the first persistent Postfix database that can be shared among
|
||||
multiple writers such as postscreen daemons (Postfix already supported
|
||||
shared non-persistent memcached caches). See lmdb_table(5) and
|
||||
LMDB_README for further information, including how to access Postfix
|
||||
LMDB databases with non-Postfix programs.
|
||||
|
||||
Postfix currently requires LMDB version 0.9.11 or later. The minimum
|
||||
version may change over time in the light of deployment experience.
|
||||
|
||||
Major changes - postscreen whitelisting
|
||||
---------------------------------------
|
||||
|
||||
[Feature 20130512] Allow a remote SMTP client to skip postscreen(8)
|
||||
tests based on its postscreen_dnsbl_sites score.
|
||||
|
||||
Specify a negative "postscreen_dnsbl_whitelist_threshold" value to
|
||||
enable this feature. When a client passes the threshold value
|
||||
without having failed other tests, all pending or disabled tests
|
||||
are flagged as completed.
|
||||
|
||||
This feature can mitigate the email delays due to "after 220 greeting"
|
||||
protocol tests, which otherwise require that a client reconnects
|
||||
before it can deliver mail. Some providers such as Google don't
|
||||
retry from the same IP address. This can result in large email
|
||||
delivery delays.
|
||||
|
||||
Major changes - recipient_delimiter
|
||||
-----------------------------------
|
||||
|
||||
[Feature 20130405] The recipient_delimiter parameter can now specify
|
||||
a set of characters. A user name is now separated from its address
|
||||
extension by the first character that matches the recipient_delimiter
|
||||
set.
|
||||
|
||||
For example, specify "recipient_delimiter = +-" to support both the
|
||||
Postfix-style "+" and the qmail-style "-" extension delimiter.
|
||||
|
||||
As before, this implementation recognizes one delimiter character
|
||||
per email address, and one address extension per email address.
|
||||
|
||||
Major changes - smtpd access control
|
||||
------------------------------------
|
||||
|
||||
[Feature 20131031] The check_sasl_access feature can be used to
|
||||
block hijacked logins. Like other check_mumble_access features it
|
||||
queries a lookup table (in this case with the SASL login name), and
|
||||
it supports the same actions as any Postfix access(5) table.
|
||||
|
||||
[Feature 20130924] The reject_known_sender_login_mismatch feature
|
||||
applies reject_sender_login_mismatch only to MAIL FROM addresses
|
||||
that are known in $smtpd_sender_login_maps.
|
||||
|
||||
Major changes - MacOS X
|
||||
-----------------------
|
||||
|
||||
[Feature 20130325] Full support for kqueue() event handling which
|
||||
scales better with large numbers of file handles, plus a workaround
|
||||
for timeout handling on file handles (such as /dev/urandom) that
|
||||
still do not correctly support poll().
|
||||
|
||||
Major changes - master
|
||||
----------------------
|
||||
|
||||
[Incompat 20131217] The master_service_disable parameter value
|
||||
syntax has changed: use "service/type" instead of "service.type".
|
||||
The new form is consistent with postconf(1) namespaces for master.cf.
|
||||
The old form is still supported to avoid breaking existing
|
||||
configurations.
|
||||
|
||||
Major changes - milter
|
||||
----------------------
|
||||
|
||||
[Feature 20131126] Support for ESMTP parameters "NOTIFY" and "ORCPT"
|
||||
in the SMFIR_ADDRCPT_PAR (add recipient with parameters) request.
|
||||
Credits: Andrew Ayer.
|
||||
|
||||
Major changes - mysql
|
||||
---------------------
|
||||
|
||||
[Feature 20131117] MySQL client support for option_file, option_group,
|
||||
tls_cert_file, tls_key_file, tls_CAfile, tls_CApath, tls_verify_cert.
|
||||
Credits: Gareth Palmer.
|
||||
|
||||
Major changes - postconf
|
||||
------------------------
|
||||
|
||||
[Feature 20131217] Support for advanced master.cf query and update
|
||||
operations. This was implemented primarily to support automated
|
||||
system management tools.
|
||||
|
||||
The goal is to make all Postfix master.cf details accessible as
|
||||
lists of "name=value" pairs, where the names are organized into
|
||||
structured name spaces. This allows other programs to query
|
||||
information or request updates, without having to worry about the
|
||||
exact layout of master.cf files.
|
||||
|
||||
Managing master.cf service attributes
|
||||
-------------------------------------
|
||||
|
||||
First, an example that shows the smtp/inet service in the traditional
|
||||
form:
|
||||
|
||||
$ postconf -M smtp/inet
|
||||
smtp inet n - n - - smtpd
|
||||
|
||||
Different variants of this command show different amounts of output.
|
||||
For example, "postconf -M smtp" enumerates all services that have
|
||||
a name "smtp" and any service type ("inet", "unix", etc.), and
|
||||
"postconf -M" enumerates all master.cf services.
|
||||
|
||||
General rule: each name component that is not present becomes a "*"
|
||||
wildcard.
|
||||
|
||||
Coming back to the above example, the postconf -F option can now
|
||||
enumerate the smtp/inet service fields as follows:
|
||||
|
||||
$ postconf -F smtp/inet
|
||||
smtp/inet/service = smtp
|
||||
smtp/inet/type = inet
|
||||
smtp/inet/private = n
|
||||
smtp/inet/unprivileged = -
|
||||
smtp/inet/chroot = n
|
||||
smtp/inet/wakeup = -
|
||||
smtp/inet/process_limit = -
|
||||
smtp/inet/command = smtpd
|
||||
|
||||
This form makes it very easy to change one field in master.cf.
|
||||
For example to turn on chroot on the smtp/inet service you use:
|
||||
|
||||
$ postconf -F smtp/inet/chroot=y
|
||||
$ postfix reload
|
||||
|
||||
Moreover, with "-F" you can specify "*" for service name or service
|
||||
type to get a wild-card match. For example, to turn off chroot on
|
||||
all Postfix daemons, use this:
|
||||
|
||||
$ postconf -F '*/*/chroot=n'
|
||||
$ postfix reload
|
||||
|
||||
Managing master.cf service "-o parameter=value" settings
|
||||
--------------------------------------------------------
|
||||
|
||||
For a second example, let's look at the submission service. This
|
||||
service typically has multiple "-o parameter=value" overrides. First
|
||||
the traditional view:
|
||||
|
||||
$ postconf -Mf submission
|
||||
submission inet n - n - - smtpd
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
...
|
||||
|
||||
The postconf -P option can now enumerate these parameters as follows:
|
||||
|
||||
$ postconf -P submission
|
||||
submission/inet/smtpd_sasl_auth_enable = yes
|
||||
submission/inet/smtpd_tls_security_level = encrypt
|
||||
...
|
||||
|
||||
Again, this form makes it very easy to modify one parameter
|
||||
setting. For example, to change the smtpd_tls_security_level setting
|
||||
for the submission/inet service:
|
||||
|
||||
$ postconf -P 'submission/inet/smtpd_tls_security_level=may'
|
||||
|
||||
You can create or remove a parametername=parametervalue setting:
|
||||
|
||||
Create:
|
||||
$ postconf -P 'submission/inet/parametername=parametervalue'
|
||||
|
||||
Remove:
|
||||
$ postconf -PX submission/inet/parametername
|
||||
|
||||
Finally, always execute "postfix reload" after updating master.cf.
|
||||
|
||||
Managing master.cf service entries
|
||||
----------------------------------
|
||||
|
||||
Finally, adding master.cf entries is possible, but currently this
|
||||
does not yet have "advanced" support. It can only be done at the
|
||||
level of the traditional master.cf file format.
|
||||
|
||||
Suppose that you need to configure a Postfix SMTP client that will
|
||||
handle slow email deliveries. To implement this you need to clone
|
||||
the smtp/unix service settings and create a new delay/unix service.
|
||||
|
||||
First, you would enumerate the smtp/unix service like this:
|
||||
|
||||
$ postconf -M smtp/unix
|
||||
smtp unix - - n - - smtp
|
||||
|
||||
Then you would copy those fields (except the first field) by hand
|
||||
to create the delay/unix service:
|
||||
|
||||
$ postconf -M delay/unix="delay unix - - n - - smtp"
|
||||
|
||||
To combine the above steps in one command:
|
||||
|
||||
$ postconf -M delay/unix="`postconf -M smtp/unix|awk '{$1 = "delay"}'`"
|
||||
|
||||
This is perhaps not super-convenient for manual cloning, but it
|
||||
should be sufficient for programmatic configuration management.
|
||||
|
||||
Again, always execute "postfix reload" after updating master.cf.
|
||||
|
||||
Deleting or commenting out master.cf entries
|
||||
--------------------------------------------
|
||||
|
||||
The -X (delete entry) and -# (comment out entry) options already
|
||||
exist for main.cf, and they now also work work for entire master.cf
|
||||
entries:
|
||||
|
||||
Remove main.cf or master.cf entry:
|
||||
$ postconf -X parametername
|
||||
$ postconf -MX delay/unix
|
||||
|
||||
Comment out main.cf or master.cf entry:
|
||||
$ postconf -# parametername
|
||||
$ postconf -M# delay/unix
|
||||
|
||||
As with main.cf, there is no support to "undo" master.cf changes
|
||||
that are made with -X or -#.
|
||||
|
||||
Again, always execute "postfix reload" after updating master.cf.
|
||||
|
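Review bot: the one-command clone under "Managing master.cf service entries" uses `awk '{$1 = "delay"}'`, which assigns the first field but has no print action or pattern, so the inner `postconf -M smtp/unix|awk ...` emits nothing and the outer `postconf -M delay/unix="..."` receives an empty value instead of the cloned entry. Suggest `awk '{$1 = "delay"; print}'`. If this text has to stay identical to the upstream release notes, leave the line alone and report it upstream instead.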
280
external/ibm-public/postfix/dist/RELEASE_NOTES-2.11
vendored
Normal file
@ -0,0 +1,280 @@
|
||||
The stable Postfix release is called postfix-2.11.x where 2=major
|
||||
release number, 11=minor release number, x=patchlevel. The stable
|
||||
release never changes except for patches that address bugs or
|
||||
emergencies. Patches change the patchlevel and the release date.
|
||||
|
||||
New features are developed in snapshot releases. These are called
|
||||
postfix-2.12-yyyymmdd where yyyymmdd is the release date (yyyy=year,
|
||||
mm=month, dd=day). Patches are never issued for snapshot releases;
|
||||
instead, a new snapshot is released.
|
||||
|
||||
The mail_release_date configuration parameter (format: yyyymmdd)
|
||||
specifies the release date of a stable release or snapshot release.
|
||||
|
||||
If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10
|
||||
before proceeding.
|
||||
|
||||
Major changes - tls
|
||||
-------------------
|
||||
|
||||
[Documentation 20131218] The new FORWARD_SECRECY_README document
|
||||
conveniently presents all information about Postfix "perfect" forward
|
||||
secrecy support in one place: what forward secrecy is, how to tweak
|
||||
settings, and what you can expect to see when Postfix uses ciphers
|
||||
with forward secrecy.
|
||||
|
||||
[Feature 20130602] Support for PKI-less TLS server certificate
|
||||
verification, where the CA public key or the server certificate is
|
||||
identified via DNSSEC lookup.
|
||||
|
||||
This feature introduces new TLS security levels called "dane" and
|
||||
"dane-only" (DNS-based Authentication of Named Entities) that use
|
||||
DNSSEC to look up CA or server certificate information. The details
|
||||
of DANE core protocols are still evolving, as are the details of
|
||||
how DANE should be used in the context of SMTP. Postfix implements
|
||||
what appears to be a "rational" subset of the DANE profiles that
|
||||
is suitable for SMTP.
|
||||
|
||||
The problem with conventional PKI is that there are literally
|
||||
hundreds of organizations world-wide that can provide a certificate
|
||||
in anyone's name. There have been widely-published incidents in
|
||||
recent history where a certificate authority gave out an inappropriate
|
||||
certificate (e.g., a certificate in the name of Microsoft to someone
|
||||
who did not represent Microsoft), where a CA was compromised (e.g.,
|
||||
DigiNotar, Comodo), or where a CA made operational mistakes (e.g.,
|
||||
TURKTRUST). Another concern is that a legitimate CA might be coerced
|
||||
to provide a certificate that allows its government to play
|
||||
man-in-the-middle on TLS traffic and observe the plaintext.
|
||||
|
||||
Major changes - LMDB database support
|
||||
-------------------------------------
|
||||
|
||||
LMDB is a memory-mapped database that was originally developed as
|
||||
part of OpenLDAP. The Postfix LMDB driver was originally contributed
|
||||
by Howard Chu, LMDB's creator.
|
||||
|
||||
LMDB can be used for all Postfix lookup tables and caches. It is
|
||||
the first persistent Postfix database that can be shared among
|
||||
multiple writers such as postscreen daemons (Postfix already supported
|
||||
shared non-persistent memcached caches). See lmdb_table(5) and
|
||||
LMDB_README for further information, including how to access Postfix
|
||||
LMDB databases with non-Postfix programs.
|
||||
|
||||
Postfix currently requires LMDB version 0.9.11 or later. The minimum
|
||||
version may change over time in the light of deployment experience.
|
||||
|
||||
Major changes - postscreen whitelisting
|
||||
---------------------------------------
|
||||
|
||||
[Feature 20130512] Allow a remote SMTP client to skip postscreen(8)
|
||||
tests based on its postscreen_dnsbl_sites score.
|
||||
|
||||
Specify a negative "postscreen_dnsbl_whitelist_threshold" value to
|
||||
enable this feature. When a client passes the threshold value
|
||||
without having failed other tests, all pending or disabled tests
|
||||
are flagged as completed.
|
||||
|
||||
This feature can mitigate the email delays due to "after 220 greeting"
|
||||
protocol tests, which otherwise require that a client reconnects
|
||||
before it can deliver mail. Some providers such as Google don't
|
||||
retry from the same IP address. This can result in large email
|
||||
delivery delays.
|
||||
|
||||
Major changes - recipient_delimiter
|
||||
-----------------------------------
|
||||
|
||||
[Feature 20130405] The recipient_delimiter parameter can now specify
|
||||
a set of characters. A user name is now separated from its address
|
||||
extension by the first character that matches the recipient_delimiter
|
||||
set.
|
||||
|
||||
For example, specify "recipient_delimiter = +-" to support both the
|
||||
Postfix-style "+" and the qmail-style "-" extension delimiter.
|
||||
|
||||
As before, this implementation recognizes one delimiter character
|
||||
per email address, and one address extension per email address.
|
||||
|
||||
Major changes - smtpd access control
|
||||
------------------------------------
|
||||
|
||||
[Feature 20131031] The check_sasl_access feature can be used to
|
||||
block hijacked logins. Like other check_mumble_access features it
|
||||
queries a lookup table (in this case with the SASL login name), and
|
||||
it supports the same actions as any Postfix access(5) table.
|
||||
|
||||
[Feature 20130924] The reject_known_sender_login_mismatch feature
|
||||
applies reject_sender_login_mismatch only to MAIL FROM addresses
|
||||
that are known in $smtpd_sender_login_maps.
|
||||
|
||||
Major changes - MacOS X
|
||||
-----------------------
|
||||
|
||||
[Feature 20130325] Full support for kqueue() event handling which
|
||||
scales better with large numbers of file handles, plus a workaround
|
||||
for timeout handling on file handles (such as /dev/urandom) that
|
||||
still do not correctly support poll().
|
||||
|
||||
Major changes - master
|
||||
----------------------
|
||||
|
||||
[Incompat 20131217] The master_service_disable parameter value
|
||||
syntax has changed: use "service/type" instead of "service.type".
|
||||
The new form is consistent with postconf(1) namespaces for master.cf.
|
||||
The old form is still supported to avoid breaking existing
|
||||
configurations.
|
||||
|
||||
Major changes - milter
|
||||
----------------------
|
||||
|
||||
[Feature 20131126] Support for ESMTP parameters "NOTIFY" and "ORCPT"
|
||||
in the SMFIR_ADDRCPT_PAR (add recipient with parameters) request.
|
||||
Credits: Andrew Ayer.
|
||||
|
||||
Major changes - mysql
|
||||
---------------------
|
||||
|
||||
[Feature 20131117] MySQL client support for option_file, option_group,
|
||||
tls_cert_file, tls_key_file, tls_CAfile, tls_CApath, tls_verify_cert.
|
||||
Credits: Gareth Palmer.
|
||||
|
||||
Major changes - postconf
|
||||
------------------------
|
||||
|
||||
[Feature 20131217] Support for advanced master.cf query and update
|
||||
operations. This was implemented primarily to support automated
|
||||
system management tools.
|
||||
|
||||
The goal is to make all Postfix master.cf details accessible as
|
||||
lists of "name=value" pairs, where the names are organized into
|
||||
structured name spaces. This allows other programs to query
|
||||
information or request updates, without having to worry about the
|
||||
exact layout of master.cf files.
|
||||
|
||||
Managing master.cf service attributes
|
||||
-------------------------------------
|
||||
|
||||
First, an example that shows the smtp/inet service in the traditional
|
||||
form:
|
||||
|
||||
$ postconf -M smtp/inet
|
||||
smtp inet n - n - - smtpd
|
||||
|
||||
Different variants of this command show different amounts of output.
|
||||
For example, "postconf -M smtp" enumerates all services that have
|
||||
a name "smtp" and any service type ("inet", "unix", etc.), and
|
||||
"postconf -M" enumerates all master.cf services.
|
||||
|
||||
General rule: each name component that is not present becomes a "*"
|
||||
wildcard.
|
||||
|
||||
Coming back to the above example, the postconf -F option can now
|
||||
enumerate the smtp/inet service fields as follows:
|
||||
|
||||
$ postconf -F smtp/inet
|
||||
smtp/inet/service = smtp
|
||||
smtp/inet/type = inet
|
||||
smtp/inet/private = n
|
||||
smtp/inet/unprivileged = -
|
||||
smtp/inet/chroot = n
|
||||
smtp/inet/wakeup = -
|
||||
smtp/inet/process_limit = -
|
||||
smtp/inet/command = smtpd
|
||||
|
||||
This form makes it very easy to change one field in master.cf.
|
||||
For example to turn on chroot on the smtp/inet service you use:
|
||||
|
||||
$ postconf -F smtp/inet/chroot=y
|
||||
$ postfix reload
|
||||
|
||||
Moreover, with "-F" you can specify "*" for service name or service
|
||||
type to get a wild-card match. For example, to turn off chroot on
|
||||
all Postfix daemons, use this:
|
||||
|
||||
$ postconf -F '*/*/chroot=n'
|
||||
$ postfix reload
|
||||
|
||||
Managing master.cf service "-o parameter=value" settings
|
||||
--------------------------------------------------------
|
||||
|
||||
For a second example, let's look at the submission service. This
|
||||
service typically has multiple "-o parameter=value" overrides. First
|
||||
the traditional view:
|
||||
|
||||
$ postconf -Mf submission
|
||||
submission inet n - n - - smtpd
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
...
|
||||
|
||||
The postconf -P option can now enumerate these parameters as follows:
|
||||
|
||||
$ postconf -P submission
|
||||
submission/inet/smtpd_sasl_auth_enable = yes
|
||||
submission/inet/smtpd_tls_security_level = encrypt
|
||||
...
|
||||
|
||||
Again, this form makes it very easy to modify one parameter
|
||||
setting. For example, to change the smtpd_tls_security_level setting
|
||||
for the submission/inet service:
|
||||
|
||||
$ postconf -P 'submission/inet/smtpd_tls_security_level=may'
|
||||
|
||||
You can create or remove a parametername=parametervalue setting:
|
||||
|
||||
Create:
|
||||
$ postconf -P 'submission/inet/parametername=parametervalue'
|
||||
|
||||
Remove:
|
||||
$ postconf -PX submission/inet/parametername
|
||||
|
||||
Finally, always execute "postfix reload" after updating master.cf.
|
||||
|
||||
Managing master.cf service entries
|
||||
----------------------------------
|
||||
|
||||
Finally, adding master.cf entries is possible, but currently this
|
||||
does not yet have "advanced" support. It can only be done at the
|
||||
level of the traditional master.cf file format.
|
||||
|
||||
Suppose that you need to configure a Postfix SMTP client that will
|
||||
handle slow email deliveries. To implement this you need to clone
|
||||
the smtp/unix service settings and create a new delay/unix service.
|
||||
|
||||
First, you would enumerate the smtp/unix service like this:
|
||||
|
||||
$ postconf -M smtp/unix
|
||||
smtp unix - - n - - smtp
|
||||
|
||||
Then you would copy those fields (except the first field) by hand
|
||||
to create the delay/unix service:
|
||||
|
||||
$ postconf -M delay/unix="delay unix - - n - - smtp"
|
||||
|
||||
To combine the above steps in one command:
|
||||
|
||||
$ postconf -M delay/unix="`postconf -M smtp/unix|awk '{$1 = "delay"}'`"
|
||||
|
||||
This is perhaps not super-convenient for manual cloning, but it
|
||||
should be sufficient for programmatic configuration management.
|
||||
|
||||
Again, always execute "postfix reload" after updating master.cf.
|
||||
|
||||
Deleting or commenting out master.cf entries
|
||||
--------------------------------------------
|
||||
|
||||
The -X (delete entry) and -# (comment out entry) options already
|
||||
exist for main.cf, and they now also work work for entire master.cf
|
||||
entries:
|
||||
|
||||
Remove main.cf or master.cf entry:
|
||||
$ postconf -X parametername
|
||||
$ postconf -MX delay/unix
|
||||
|
||||
Comment out main.cf or master.cf entry:
|
||||
$ postconf -# parametername
|
||||
$ postconf -M# delay/unix
|
||||
|
||||
As with main.cf, there is no support to "undo" master.cf changes
|
||||
that are made with -X or -#.
|
||||
|
||||
Again, always execute "postfix reload" after updating master.cf.
|
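Review bot: in "Deleting or commenting out master.cf entries" the sentence "they now also work work for entire master.cf entries" has a doubled word. The file is listed as vendored under external/ibm-public/postfix/dist, so a local edit would make it diverge from the imported text; it is better raised upstream than fixed here. This file's postconf section also repeats, line for line, the text at the end of the preceding file in this commit, so whatever is decided should apply to both copies.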
628
external/ibm-public/postfix/dist/RELEASE_NOTES-3.0
vendored
Normal file
@ -0,0 +1,628 @@
|
||||
The stable Postfix release is called postfix-3.0.x where 3=major
|
||||
release number, 0=minor release number, x=patchlevel. The stable
|
||||
release never changes except for patches that address bugs or
|
||||
emergencies. Patches change the patchlevel and the release date.
|
||||
|
||||
New features are developed in snapshot releases. These are called
|
||||
postfix-3.1-yyyymmdd where yyyymmdd is the release date (yyyy=year,
|
||||
mm=month, dd=day). Patches are never issued for snapshot releases;
|
||||
instead, a new snapshot is released.
|
||||
|
||||
The mail_release_date configuration parameter (format: yyyymmdd)
|
||||
specifies the release date of a stable release or snapshot release.
|
||||
|
||||
If you upgrade from Postfix 2.10 or earlier, read RELEASE_NOTES-2.11
|
||||
before proceeding.
|
||||
|
||||
Notes for distribution maintainers
|
||||
----------------------------------
|
||||
|
||||
* New backwards-compatibility safety net.
|
||||
|
||||
With NEW Postfix installs, you MUST install a main.cf file with
|
||||
the setting "compatibility_level = 2". See conf/main.cf for an
|
||||
example.
|
||||
|
||||
With UPGRADES of existing Postfix systems, you MUST NOT change the
|
||||
main.cf compatibility_level setting, nor add this setting if it
|
||||
does not exist.
|
||||
|
||||
Several Postfix default settings have changed with Postfix 3.0. To
|
||||
avoid massive frustration with existing Postfix installations,
|
||||
Postfix 3.0 comes with a safety net that forces Postfix to keep
|
||||
running with backwards-compatible main.cf and master.cf default
|
||||
settings. This safety net depends on the main.cf compatibility_level
|
||||
setting (default: 0). Details are in COMPATIBILITY_README.
|
||||
|
||||
* New Postfix build system.
|
||||
|
||||
The Postfix build/install procedure has changed to support Postfix
|
||||
dynamically-linked libraries and database plugins. These must not
|
||||
be "shared" with non-Postfix programs, and therefore must not be
|
||||
installed in a public directory.
|
||||
|
||||
To avoid massive frustration due to broken patches, PLEASE BUILD
|
||||
POSTFIX FIRST WITHOUT APPLYING ANY PATCHES. Follow the INSTALL
|
||||
instructions (see "Building with Postfix dynamically-linked libraries
|
||||
and database plugins"), and see how things work and what the
|
||||
dynamically-linked libraries, database plugin, and configuration
|
||||
files look like. Then, go ahead and perform your platform-specific
|
||||
customizations. The INSTALL section "Tips for distribution maintainers"
|
||||
has further suggestions.
|
||||
|
||||
Major changes - critical
|
||||
------------------------
|
||||
|
||||
[Incompat 20140714] After upgrading Postfix, "postfix reload" (or
|
||||
start/stop) is required. Several Postfix-internal protocols have
|
||||
been extended to support SMTPUTF8. Failure to reload or restart
|
||||
will result in mail staying queued, while Postfix daemons log
|
||||
warning messages about unexpected attributes.
|
||||
|
||||
Major changes - default settings
|
||||
--------------------------------
|
||||
|
||||
[Incompat 20141009] The default settings have changed for relay_domains
|
||||
(new: empty, old: $mydestination) and mynetworks_style (new: host,
|
||||
old: subnet). However the backwards-compatibility safety net will
|
||||
prevent these changes from taking effect, giving the system
|
||||
administrator the option to make an old default setting permanent
|
||||
in main.cf or to adopt the new default setting, before turning off
|
||||
backwards compatibility. See COMPATIBILITY_README for details.
|
||||
|
||||
[Incompat 20141001] A new backwards-compatibility safety net forces
|
||||
Postfix to run with backwards-compatible main.cf and master.cf
|
||||
default settings after an upgrade to a newer but incompatible Postfix
|
||||
version. See COMPATIBILITY_README for details.
|
||||
|
||||
While the backwards-compatible default settings are in effect,
|
||||
Postfix logs what services or what email would be affected by the
|
||||
incompatible change. Based on this the administrator can make some
|
||||
backwards-compatibility settings permanent in main.cf or master.cf,
|
||||
before turning off backwards compatibility.
|
||||
|
||||
See postconf.5.html#compatibility_level for details.
|
||||
|
||||
[Incompat 20141001] The default settings
|
||||
have changed for append_dot_mydomain (new: no. old: yes), master.cf
|
||||
chroot (new: n, old: y), and smtputf8 (new: yes, old: no).
|
||||
|
||||
Major changes - access control
|
||||
------------------------------
|
||||
|
||||
[Feature 20141119] Support for BCC actions in header/body_checks
|
||||
and milter_header_checks. There is no limit on the number of BCC
|
||||
actions that may be specified, other than the implicit limit due
|
||||
to finite storage. BCC support will not be implemented in Postfix
|
||||
delivery agent header/body_checks.
|
||||
|
||||
It works in the same way as always_bcc and sender/recipient_bcc_maps:
|
||||
there can be only one address per action, recipients are added with
|
||||
the NOTIFY=NONE delivery status notification option, and duplicate
|
||||
recipients are ignored (with the same delivery status notification
|
||||
options).
|
||||
|
||||
[Incompat 20141009] The default settings have changed for relay_domains
|
||||
(new: empty, old: $mydestination) and mynetworks_style (new: host,
|
||||
old: subnet). However the backwards-compatibility safety net will
|
||||
prevent these changes from taking effect, giving the system
|
||||
administrator the option to make an old default setting permanent
|
||||
in main.cf or to adopt the new default setting, before turning off
|
||||
backwards compatibility. See COMPATIBILITY_README for details.
|
||||
|
||||
[Feature 20140618] New INFO action in access(5) tables, for consistency
|
||||
with header/body_checks.
|
||||
|
||||
[Feature 20140620] New check_xxx_a_access (for xxx in client,
|
||||
reverse_client, helo, sender, recipient) implements access control
|
||||
on all A and AAAA IP addresses for respectively the client hostname,
|
||||
helo parameter, sender domain or recipient domain. This complements
|
||||
the existing check_xxx_mx_access and check_xxx_ns_access features.
|
||||
|
||||
Major changes - address rewriting
|
||||
---------------------------------
|
||||
|
||||
[Incompat 20141001] The default settings have changed for
|
||||
append_dot_mydomain (new: no. old: yes), master.cf chroot (new:
|
||||
n, old: y), and smtputf8 (new: yes, old: no).
|
||||
|
||||
Major changes - address verification
|
||||
------------------------------------
|
||||
|
||||
[Feature 20141227] The new smtp_address_verify_target parameter
|
||||
(default: rcpt) specifies what protocol stage decides if a recipient
|
||||
is valid. Specify "data" for servers that reject invalid recipients
|
||||
in response to the DATA command.
|
||||
|
||||
Major changes - database support
|
||||
--------------------------------
|
||||
|
||||
[Feature 20140512] Support for Berkeley DB version 6.
|
||||
|
||||
[Feature 20140618] The "randmap" lookup table performs random
|
||||
selection. This may be used to implement load balancing, for example:
|
||||
|
||||
/etc/postfix/transport:
|
||||
# Deliver my own domain as usual.
|
||||
example.com :
|
||||
.example.com :
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
transport_maps =
|
||||
# Deliver my own domain as usual.
|
||||
hash:/etc/postfix/transport
|
||||
# Deliver other domains via randomly-selected relayhosts
|
||||
randmap:{smtp:smtp0.example.com, smtp:smtp1.example.com}
|
||||
|
||||
A variant of this can randomly select SMTP clients with different
|
||||
smtp_bind_address settings.
|
||||
|
||||
To implement different weights, specify lookup results multiple
|
||||
times. For example, to choose smtp:smtp1.example.com twice as often
|
||||
as smtp:smtp0.example.com, specify smtp:smtp1.example.com twice.
|
||||
|
||||
A future version may support randmap:/path/to/file to load a list
|
||||
of results from file.
|
||||
|
||||
[Feature 20140618] As the name suggests, the "pipemap" table
|
||||
implements a pipeline of lookup tables. The name of the table
|
||||
specifies the pipeline as a sequence of tables. For example, the
|
||||
following prevents SMTP mail to system accounts that have "nologin"
|
||||
as their login shell:
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
local_recipient_maps =
|
||||
pipemap:{unix:passwd.byname, pcre:/etc/postfix/no-nologin.pcre}
|
||||
alias_maps
|
||||
|
||||
/etc/postfix/no-nologin.pcre:
|
||||
!/nologin/ whatever
|
||||
|
||||
Each "pipemap:" query is given to the first table. Each table
|
||||
lookup result becomes the query for the next table in the pipeline,
|
||||
and the last table produces the final result. When any table lookup
|
||||
produces no result, the entire pipeline produces no result.
|
||||
|
||||
A future version may support pipemap:/path/to/file to load a list
|
||||
of lookup tables from file.
|
||||
|
||||
[Feature 20140924] Support for unionmap, with the same syntax as
|
||||
pipemap. This sends a query to all tables, and concatenates non-empty
|
||||
results, separated by comma.
|
||||
|
||||
[Feature 20131121] The "static" lookup table now supports whitespace
|
||||
when invoked as "static:{ text with whitespace }", so that it can
|
||||
be used, for example, at the end of smtpd_mumble_restrictions as
|
||||
"check_mumble_access static:{reject text...}".
|
||||
|
||||
[Feature 20141126] "inline:{key=value, { key = text with comma/space}}"
|
||||
avoids the need to create a database for just a few entries.
|
||||
|
||||
Major changes - delivery status notifications
|
||||
---------------------------------------------
|
||||
|
||||
[Feature 20140321] Delivery status filter support, to replace the
|
||||
delivery status codes and explanatory text of successful or
|
||||
unsuccessful deliveries by Postfix mail delivery agents.
|
||||
|
||||
This was originally implemented for sites that want to turn certain
|
||||
soft delivery errors into hard delivery errors, but it can also be
|
||||
used to censor out information from delivery confirmation reports.
|
||||
|
||||
This feature is implemented as a filter that replaces the three-number
|
||||
enhanced status code and descriptive text in Postfix delivery agent
|
||||
success, bounce, or defer messages. Note: this will not override
|
||||
"soft_bounce=yes", and this will not change a successful delivery
|
||||
status into an unsuccessful status or vice versa.
|
||||
|
||||
The first example turns specific soft TLS errors into hard
|
||||
errors, by overriding the first number in the enhanced status code.
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
|
||||
|
||||
/etc/postfix/smtp_dsn_filter:
|
||||
/^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/ 5$1
|
||||
/^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/ 5$1
|
||||
|
||||
The second example removes the destination command name and file
|
||||
name from local(8) successful delivery reports, so that they will
|
||||
not be reported when a sender requests confirmation of delivery.
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
|
||||
|
||||
/etc/postfix/local_dsn_filter:
|
||||
/^(2\S+ delivered to file).+/ $1
|
||||
/^(2\S+ delivered to command).+/ $1
|
||||
|
||||
This feature is supported in the lmtp(8), local(8), pipe(8), smtp(8)
|
||||
and virtual(8) delivery agents. That is, all delivery agents that
|
||||
actually deliver mail. It will not be implemented in the error and
|
||||
retry pseudo-delivery agents.
|
||||
|
||||
The new main.cf parameters and default values are:
|
||||
|
||||
default_delivery_status_filter =
|
||||
lmtp_delivery_status_filter = $default_delivery_status_filter
|
||||
local_delivery_status_filter = $default_delivery_status_filter
|
||||
pipe_delivery_status_filter = $default_delivery_status_filter
|
||||
smtp_delivery_status_filter = $default_delivery_status_filter
|
||||
virtual_delivery_status_filter = $default_delivery_status_filter
|
||||
|
||||
See the postconf(5) manpage for more details.
|
||||
|
||||
[Incompat 20140618] The pipe(8) delivery agent will now log a limited
|
||||
amount of command output upon successful delivery, and will report
|
||||
that output in "SUCCESS" delivery status reports. This is another
|
||||
good reason to disable inbound DSN requests at the Internet perimeter.
|
||||
|
||||
[Feature 20140907] With "confirm_delay_cleared = yes", Postfix
|
||||
informs the sender when delayed mail leaves the queue (this is in
|
||||
addition to the delay_warning_time feature that warns when mail is
|
||||
still queued). This feature is disabled by default, because it can
|
||||
result in a sudden burst of notifications when the queue drains at
|
||||
the end of a prolonged network outage.
|
||||
|
||||
Major changes - dns
|
||||
-------------------
|
||||
|
||||
[Feature 20141128] Support for DNS server reply filters in the
|
||||
Postfix SMTP/LMTP client and SMTP server. This helps to work around
|
||||
mail delivery problems with sites that have incorrect DNS information.
|
||||
Note: this has no effect on the implicit DNS lookups that are made
|
||||
by nsswitch.conf or equivalent mechanisms.
|
||||
|
||||
This feature renders each lookup result as one line of text in
standard zone-file format as shown below. The class field is always
"IN", the preference field exists only for MX records, the names
of hosts, domains, etc. end in ".", and those names are in ASCII
form (xn--mumble form for internationalized domain names).

name ttl class type preference value
---------------------------------------------------------
postfix.org. 86400 IN MX 10 mail.cloud9.net.

Typically, one would match this text with a regexp: or pcre: table.
When a match is found, the table lookup result specifies an action.
By default, the table query and the action name are case-insensitive.
Currently, only the IGNORE action is implemented.

For safety reasons, Postfix logs a warning or defers mail delivery
when a DNS reply filter removes all lookup results from a successful
query.

The Postfix SMTP/LMTP client uses the smtp_dns_reply_filter and
lmtp_dns_reply_filter features only for Postfix SMTP client lookups
of MX, A, and AAAAA records to locate a remote SMTP or LMTP server,
including lookups that implement the features reject_unverified_sender
and reject_unverified_recipient. The filters are not used for lookups
made through nsswitch.conf and similar mechanisms.

The Postfix SMTP server uses the smtpd_dns_reply_filter feature
only for Postfix SMTP server lookups of MX, A, AAAAA, and TXT records
to implement the features reject_unknown_helo_hostname,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_rbl_*, and reject_rhsbl_*. The filter is not used for lookups
made through nsswitch.conf and similar mechanisms, such as lookups
of the remote SMTP client name.

[Feature 20141126] Nullmx support (MX records with a null hostname).
This change affects error messages only. The Postfix SMTP client
already bounced mail for such domains, and the Postfix SMTP server
already rejected such domains with reject_unknown_sender/recipient_domain.
This feature introduces a new SMTP server configuration parameter
nullmx_reject_code (default: 556).

Major changes - dynamic linking
-------------------------------

[Feature 20140530] Support to build Postfix with Postfix
dynamically-linked libraries, and with dynamically-loadable database
clients. These MUST NOT be used by non-Postfix programs. Postfix
dynamically-linked libraries introduce minor runtime overhead and
result in smaller Postfix executable files. Dynamically-loadable
database clients are useful when you distribute or install pre-compiled
packages. Postfix 3.0 supports dynamic loading for CDB, LDAP, LMDB,
MYSQL, PCRE, PGSQL, SDBM, and SQLITE database clients.

This implementation is based on Debian code by LaMont Jones, initially
ported by Viktor Dukhovni. Currently, support exists for recent
versions of Linux, FreeBSD, MacOS X, and for the ancient Solaris 9.

To support Postfix dynamically-linked libraries and dynamically-loadable
database clients, the Postfix build procedure had to be changed
(specifically, the files makedefs and Makefile.in, and the files
postfix-install and post-install that install or update Postfix).

[Incompat 20140530] The Postfix 3.0 build procedure expects that
you specify database library dependencies with variables named
AUXLIBS_CDB, AUXLIBS_LDAP, etc. With Postfix 3.0 and later, the
old AUXLIBS variable still supports building a statically-loaded
CDB etc. database client, but only the new AUXLIBS_CDB etc. variables
support building a dynamically-loaded or statically-loaded CDB etc.
database client. See CDB_README, LDAP_README, etc. for details.

Failure to follow this advice will defeat the purpose of dynamic
database client loading. Every Postfix executable file will have
database library dependencies. And that was exactly what dynamic
database client loading was meant to avoid.

Major changes - future proofing
-------------------------------

[Cleanup 20141224] The changes described here have no visible effect
on Postfix behavior, but they make Postfix code easier to maintain,
and therefore make new functionality easier to add.

* Compile-time argument typechecks of non-printf/scanf-like variadic
function argument lists.

* Deprecating the use of "char *" for non-text purposes such as
memory allocation and pointers to application context for call-back
functions. This dates from long-past days before void * became
universally available.

* Replace integer types for counters and sizes with size_t or ssize_t
equivalents. This eliminates some wasteful 64<->32bit conversions
on 64-bit systems.

Major changes - installation pathnames
--------------------------------------

[Incompat 20140625] For compliance with file system policies, some
non-executable files have been moved from $daemon_directory to the
directory specified with the new meta_directory configuration
parameter which has the same default value as the config_directory
parameter. This change affects non-executable files that are shared
between multiple Postfix instances such as postfix-files, dynamicmaps.cf,
and multi-instance template files.

For backwards compatibility with Postfix 2.6 .. 2.11, specify
"meta_directory = $daemon_directory" in main.cf before installing
or upgrading Postfix, or specify "meta_directory = /path/name" on
the "make makefiles", "make install" or "make upgrade" command line.

Major changes - milter
----------------------

[Feature 20140928] Support for per-Milter settings that override
main.cf parameters. For details see the section "Advanced policy
client configuration" in the SMTPD_POLICY_README document.

Here is an example that uses both old and new syntax:

smtpd_milters = { inet:127.0.0.1:port1, default_action=accept, ... },
inet:127.0.0.1:port2, ...

The supported attribute names are: command_timeout, connect_timeout,
content_timeout, default_action, and protocol. These have the same
names as the corresponding main.cf parameters, without the "milter_"
prefix.

The per-milter settings are specified as attribute=value pairs
separated by comma or space; specify { name = value } to allow
spaces around the "=" or within an attribute value.

[Feature 20141018] DMARC compatibility: when a Milter inserts a
header ABOVE Postfix's own Received: header, Postfix no longer
exposes its own Received: header to Milters (violating protocol)
and Postfix no longer hides the Milter-inserted header from Milters
(wtf).

Major changes - parameter syntax
--------------------------------

[Feature 20140921] In preparation for configurable mail headers and
logging, new main.cf support for if-then-else expressions:

${name?{text1}:{text2}}

and for logical expressions:

${{text1}=={text2}?{text3}:{text4}}
${{text1}!={text2}?{text3}:{text4}}

Whitespace before and after {text} is ignored. This can help to
make complex expressions more readable. See the postconf(5) manpage
for further details.

[Feature 20140928] Support for whitespace in daemon command-line
arguments. For details, see the "Command name + arguments" section
in the master(5) manpage. Example:

smtpd -o { parameter = value containing whitespace } ...

The { ... } form is also available for non-option command-line
arguments in master.cf, for example:

pipe ... argv=command { argument containing whitespace } ...

In both cases, whitespace immediately after "{" and before "}"
is ignored.

[Feature 20141005] Postfix import_environment and export_environment
now allow "{ name=value }" to protect whitespace in attribute values.

[Feature 20141006] The new message_drop_header parameter replaces
a hard-coded table that specifies what message headers the cleanup
daemon will remove. The list of supported header names covers RFC
5321, 5322, MIME RFCs, and some historical names.

Major changes - pipe daemon
---------------------------

[Incompat 20140618] The pipe(8) delivery agent will now log a limited
amount of command output upon successful delivery, and will report
that output in "SUCCESS" delivery status reports. This is another
good reason to disable inbound DSN requests at the Internet perimeter.

Major changes - policy client
-----------------------------

[Feature 20140703] This release introduces three new configuration
parameters that control error recovery for failed SMTPD policy
requests.

* smtpd_policy_service_default_action (default: 451 4.3.5 Server
configuration problem): The default action when an SMTPD policy
service request fails.

* smtpd_policy_service_try_limit (default: 2): The maximal number
of attempts to send an SMTPD policy service request before
giving up. This must be a number greater than zero.

* smtpd_policy_service_retry_delay (default: 1s): The delay between
attempts to resend a failed SMTPD policy service request. This
must be a number greater than zero.

See postconf(5) for details and limitations.

[Feature 20140928] Support for per-policy service settings that
override main.cf parameters. For details see the section "Different
settings for different Milter applications" in the MILTER_README
document.

Here is an example that uses both old and new syntax:

smtpd_recipient_restrictions = ...
check_policy_service { inet:127.0.0.1:port3, default_action=DUNNO }
check_policy_service inet:127.0.0.1:port4
...

The per-policy service settings are specified as attribute=value pairs
separated by comma or space; specify { name = value } to allow
spaces around the "=" or within an attribute value.

The supported attribute names are: default_action, max_idle, max_ttl,
request_limit, retry_delay, timeout, try_limit. These have the same
names as the corresponding main.cf parameters, without the
"smtpd_policy_service_" prefix.

[Feature 20140505] A client port attribute was added to the policy
delegation protocol.

[Feature 20140630] New smtpd_policy_service_request_limit feature to
limit the number of requests per Postfix SMTP server policy connection.
This is a workaround to avoid error-recovery delays with policy
servers that cannot maintain a persistent connection.

Major changes - position-independent executables
------------------------------------------------

[Feature 20150205] Preliminary support for building position-independent
executables (PIE), tested on Fedora Core 20, Ubuntu 14.04, FreeBSD
9 and 10, and NetBSD 6. Specify:

$ make makefiles pie=yes ...other arguments...

On some systems, PIE is used by the ASLR exploit mitigation technique
(ASLR = Address-Space Layout Randomization). Whether specifying
"pie=yes" has any effect at all depends on the compiler. Reportedly,
some compilers always produce PIE executables.

Major changes - postscreen
--------------------------

[Feature 20140501] Configurable time limit (postscreen_dnsbl_timeout)
for DNSBL or DNSWL lookups. This is separate from the timeouts in
the dnsblog(8) daemon which are controlled by system resolver(3)
routines.

Major changes - session fingerprint
-----------------------------------

[Feature 20140801] The Postfix SMTP server now logs at the end of
a session how many times an SMTP command was successfully invoked,
followed by the total number of invocations if some invocations
were unsuccessful.

This logging will enough to diagnose many problems without using
verbose logging or network sniffer.

Normal session, no TLS:
disconnect from name[addr] ehlo=1 mail=1 rcpt=1 data=1 quit=1

Normal session. with TLS:
disconnect from name[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1

All recipients rejected, no ESMTP command pipelining:
disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 quit=1

All recipients rejected, with ESMTP command pipelining:
disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1

Password guessing bot, hangs up without QUIT:
disconnect from name[addr] ehlo=1 auth=0/1

Mis-configured client trying to use TLS wrappermode on port 587:
disconnect from name[addr] unknown=0/1

Logfile analyzers can trigger on the presence of "/". It indicates
that Postfix rejected at least one command.

[Feature 20150118] As a late addition, the SMTP server now also
logs the total number of commands (as "commands=x/y") even when the
client did not send any commands. This helps logfile analyzers to
recognize sessions without commands.

Major changes - smtp client
---------------------------

[Feature 20141227] The new smtp_address_verify_target parameter
(default: rcpt) determines what protocol stage decides if a recipient
is valid. Specify "data" for servers that reject recipients after
the DATA command.

Major changes - smtputf8
------------------------

[Incompat 20141001] The default settings have changed for
append_dot_mydomain (new: no, old: yes), master.cf chroot (new:
n, old: y), and smtputf8 (new: yes, old: no).

[Incompat 20140714] After upgrading Postfix, "postfix reload" (or
start/stop) is required. Several Postfix-internal protocols have
been extended to support SMTPUTF8. Failure to reload or restart
will result in mail staying queued, while Postfix daemons log
warning messages about unexpected attributes.

[Feature 20140715] Support for Email Address Internationalization
(EAI) as defined in RFC 6531..6533. This supports UTF-8 in SMTP/LMTP
sender addresses, recipient addresses, and message header values.
The implementation is based on initial work by Arnt Gulbrandsen
that was funded by CNNIC.

See SMTPUTF8_README for a description of Postfix SMTPUTF8 support.

[Feature 20150112] UTF-8 Casefolding support for Postfix lookup
tables and matchlists (mydestination, relay_domains, etc.). This
is enabled only with "smtpuf8 = yes".

[Feature 20150112] With smtputf8_enable=yes, SMTP commands with
UTF-8 syntax errors are rejected, table lookup results with invalid
UTF-8 syntax are handled as configuration errors, and UTF-8 syntax
errors in policy server replies result in execution of the policy
server's default action.

Major changes - tls support
---------------------------

(see "Major changes - delivery status notifications" above for
turning 4XX soft errors into 5XX bounces when a remote SMTP server
does not offer STARTTLS support).

[Feature 20140209] the Postfix SMTP client now also falls back to
plaintext when TLS fails AFTER the TLS protocol handshake.

[Feature 20140218] The Postfix SMTP client now requires that a queue
file is older than $minimal_backoff_time, before falling back from
failed TLS to plaintext (both during or after the TLS handshake).

[Feature 20141021] Per IETF TLS WG consensus, the tls_session_ticket_cipher
default setting was changed from aes-128-cbc to aes-256-cbc.

[Feature 20150116] TLS wrappermode support in the Postfix smtp(8)
client (new smtp_tls_wrappermode parameter) and in posttls-finger(1)
(new -w option). There still is life in that deprecated protocol,
and people should not have to jump hoops with stunnel.
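Review bot: The two "For details see" cross-references look swapped. The per-Milter settings entry under "Major changes - milter" sends the reader to "Advanced policy client configuration" in SMTPD_POLICY_README, while the per-policy service entry under "Major changes - policy client" points to "Different settings for different Milter applications" in MILTER_README; exchange the two. Smaller items in the same file: "AAAAA" in both DNS reply filter paragraphs should read "AAAA", the casefolding entry says "smtpuf8 = yes" while the next entry names the parameter smtputf8_enable, and "This logging will enough" is missing "be".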
45
external/ibm-public/postfix/dist/conf/access
vendored
@ -29,12 +29,12 @@
# LDAP or SQL, the same lookups are done as for ordinary
# indexed files.
#
# Alternatively, the table can be provided as a regular-
# expression map where patterns are given as regular expres-
# sions, or lookups can be directed to TCP-based server. In
# those cases, the lookups are done in a slightly different
# way as described below under "REGULAR EXPRESSION TABLES"
# or "TCP-BASED TABLES".
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
# expressions, or lookups can be directed to TCP-based
# server. In those cases, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# CASE FOLDING
# The search string is folded to lowercase before database
@ -202,11 +202,11 @@
# 421 text (Postfix 2.3 and later)
#
# 521 text (Postfix 2.6 and later)
# After responding with the numerical three-
# digit code and text, disconnect immediately
# from the SMTP client. This frees up SMTP
# server resources so that they can be made
# available to another SMTP client.
# After responding with the numerical
# three-digit code and text, disconnect imme-
# diately from the SMTP client. This frees up
# SMTP server resources so that they can be
# made available to another SMTP client.
#
# Note: The "521" response should be used only
# with botnets and other malware where inter-
@ -265,8 +265,7 @@
# same SMTP MAIL transaction, only the last action
# will be used.
#
# This feature is not part of the stable Postfix
# release.
# This feature is available in Postfix 3.0 and later.
#
# DISCARD optional text...
# Claim successful delivery and silently discard the
@ -356,13 +355,22 @@
# REDIRECT user@domain
# After the message is queued, send the message to
# the specified address instead of the intended
# recipient(s).
# recipient(s). When multiple REDIRECT actions fire,
# only the last one takes effect.
#
# Note: this action overrides the FILTER action, and
# currently affects all recipients of the message.
# Note: this action overrides the FILTER action, and
# currently overrides all recipients of the message.
#
# This feature is available in Postfix 2.1 and later.
#
# INFO optional text...
# Log an informational record with the optional text,
# together with client information and if available,
# with helo, sender, recipient and protocol informa-
# tion.
#
# This feature is available in Postfix 3.0 and later.
#
# WARN optional text...
# Log a warning with the optional text, together with
# client information and if available, with helo,
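Review bot: In the REDIRECT entry, the added sentence "When multiple REDIRECT actions fire, only the last one takes effect" does not state its scope. Since the note directly below says the action "overrides all recipients of the message", say explicitly that a REDIRECT triggered while checking one recipient replaces every recipient of that message, so that an access rule keyed on a single address is not read as a per-recipient rewrite.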
@ -477,4 +485,9 @@
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#
# Wietse Venema
# Google, Inc.
# 111 8th Avenue
# New York, NY 10011, USA
#
# ACCESS(5)
15
external/ibm-public/postfix/dist/conf/aliases
vendored
@ -60,11 +60,11 @@ decode: root
# LDAP or SQL, the same lookups are done as for ordinary
# indexed files.
#
# Alternatively, the table can be provided as a regular-
# expression map where patterns are given as regular expres-
# sions. In this case, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES".
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
# expressions. In this case, the lookups are done in a
# slightly different way as described below under "REGULAR
# EXPRESSION TABLES".
#
# Users can control delivery of their own mail by setting up
# .forward files in their home directory. Lines in per-user
@ -254,4 +254,9 @@ decode: root
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#
# Wietse Venema
# Google, Inc.
# 111 8th Avenue
# New York, NY 10011, USA
#
# ALIASES(5)
17
external/ibm-public/postfix/dist/conf/canonical
vendored
@ -27,12 +27,12 @@
# LDAP or SQL, the same lookups are done as for ordinary
# indexed files.
#
# Alternatively, the table can be provided as a regular-
# expression map where patterns are given as regular expres-
# sions, or lookups can be directed to TCP-based server. In
# those cases, the lookups are done in a slightly different
# way as described below under "REGULAR EXPRESSION TABLES"
# or "TCP-BASED TABLES".
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
# expressions, or lookups can be directed to TCP-based
# server. In those cases, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# By default the canonical(5) mapping affects both message
# header addresses (i.e. addresses that appear inside mes-
@ -275,4 +275,9 @@
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#
# Wietse Venema
# Google, Inc.
# 111 8th Avenue
# New York, NY 10011, USA
#
# CANONICAL(5)
11
external/ibm-public/postfix/dist/conf/dynamicmaps.cf
vendored
Normal file
@ -0,0 +1,11 @@
# $NetBSD: dynamicmaps.cf,v 1.1.1.1 2017/02/14 01:13:34 christos Exp $
#
# dict-type so-name (pathname) dict-function mkmap-function
cdb ${LIB_PREFIX}cdb${LIB_SUFFIX} dict_cdb_open mkmap_cdb_open
ldap ${LIB_PREFIX}ldap${LIB_SUFFIX} dict_ldap_open
lmdb ${LIB_PREFIX}lmdb${LIB_SUFFIX} dict_lmdb_open mkmap_lmdb_open
mysql ${LIB_PREFIX}mysql${LIB_SUFFIX} dict_mysql_open
pcre ${LIB_PREFIX}pcre${LIB_SUFFIX} dict_pcre_open
pgsql ${LIB_PREFIX}pgsql${LIB_SUFFIX} dict_pgsql_open
sdbm ${LIB_PREFIX}sdbm${LIB_SUFFIX} dict_sdbm_open mkmap_sdbm_open
sqlite ${LIB_PREFIX}sqlite${LIB_SUFFIX} dict_sqlite_open
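Review bot: The header comment lists four columns, but the ldap, mysql, pcre, pgsql and sqlite rows carry only three; add a line to the comment saying that mkmap-function is optional. The same comment should also say that the so-name entries are relative pathnames built from the ${LIB_PREFIX} and ${LIB_SUFFIX} placeholders, and which directory they are resolved against (the post-install manual text in this commit names shlib_directory), because these are the files Postfix loads as database plugins.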
17
external/ibm-public/postfix/dist/conf/generic
vendored
@ -40,12 +40,12 @@
# LDAP or SQL, the same lookups are done as for ordinary
# indexed files.
#
# Alternatively, the table can be provided as a regular-
# expression map where patterns are given as regular expres-
# sions, or lookups can be directed to TCP-based server. In
# those case, the lookups are done in a slightly different
# way as described below under "REGULAR EXPRESSION TABLES"
# or "TCP-BASED TABLES".
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
# expressions, or lookups can be directed to TCP-based
# server. In those case, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# CASE FOLDING
# The search string is folded to lowercase before database
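Review bot: The re-wrapped paragraph still reads "In those case, the lookups are done"; the same paragraph in conf/access and conf/canonical in this commit has "In those cases". Since the paragraph is being touched anyway, correct it here so the three files agree.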
@ -237,4 +237,9 @@
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#
# Wietse Venema
# Google, Inc.
# 111 8th Avenue
# New York, NY 10011, USA
#
# GENERIC(5)
@ -130,18 +130,18 @@
#
# if /pattern/flags
#
# endif Match the input string against the patterns between
# if and endif, if and only if the same input string
# also matches /pattern/. The if..endif can nest.
# endif If the input string matches /pattern/, then match
# that input string against the patterns between if
# and endif. The if..endif can nest.
#
# Note: do not prepend whitespace to patterns inside
# if..endif.
#
# if !/pattern/flags
#
# endif Match the input string against the patterns between
# if and endif, if and only if the same input string
# does not match /pattern/. The if..endif can nest.
# endif If the input string does not match /pattern/, then
# match that input string against the patterns
# between if and endif. The if..endif can nest.
#
# blank lines and comments
# Empty lines and whitespace-only lines are ignored,
@ -175,8 +175,30 @@
# Action names are case insensitive. They are shown in upper
# case for consistency with other Postfix documentation.
#
# BCC user@domain
# Add the specified address as a BCC recipient, and
# inspect the next input line. The address must have
# a local part and domain part. The number of BCC
# addresses that can be added is limited only by the
# amount of available storage space.
#
# Note 1: the BCC address is added as if it was spec-
# ified with NOTIFY=NONE. The sender will not be
# notified when the BCC address is undeliverable, as
# long as all down-stream software implements RFC
# 3461.
#
# Note 2: this ignores duplicate addresses (with the
# same delivery status notification options).
#
# This feature is available in Postfix 3.0 and later.
#
# This feature is not supported with smtp header/body
# checks.
#
# DISCARD optional text...
# Claim successful delivery and silently discard the
# Claim successful delivery and silently discard the
# message. Do not inspect the remainder of the input
# message. Log the optional text if specified, oth-
# erwise log a generic message.
#
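Review bot: The new BCC entry ends with "This feature is not supported with smtp header/body checks" but does not say what happens when a BCC action appears in such a table (ignored, logged as a warning, or treated as an error). Add that, so an operator who relies on BCC for archiving can tell a silent no-op from a working rule.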
@ -203,14 +225,16 @@
# This feature is available in Postfix 2.1 and later.
#
# FILTER transport:destination
# After the message is queued, send the entire mes-
# sage through the specified external content filter.
# The transport name specifies the first field of a
# mail delivery agent definition in master.cf; the
# syntax of the next-hop destination is described in
# the manual page of the corresponding delivery
# agent. More information about external content
# filters is in the Postfix FILTER_README file.
# Override the content_filter parameter setting, and
# inspect the next input line. After the message is
# queued, send the entire message through the speci-
# fied external content filter. The transport name
# specifies the first field of a mail delivery agent
# definition in master.cf; the syntax of the next-hop
# destination is described in the manual page of the
# corresponding delivery agent. More information
# about external content filters is in the Postfix
# FILTER_README file.
#
# Note 1: do not use $number regular expression sub-
# stitutions for transport or destination unless you
@ -293,8 +317,8 @@
# line, the prepended text must begin with a
# valid message header label.
#
# o This action cannot be used to prepend multi-
# line text.
# o This action cannot be used to prepend
# multi-line text.
#
# This feature is available in Postfix 2.1 and later.
#
@ -339,9 +363,10 @@
# headers.
#
# REJECT optional text...
# Reject the entire message. Reply with optional
# text... when the optional text is specified, other-
# wise reply with a generic error message.
# Reject the entire message. Do not inspect the
# remainder of the input message. Reply with
# optional text... when the optional text is speci-
# fied, otherwise reply with a generic error message.
#
# Note: this action disables further header or
# body_checks inspection of the current message and
@ -445,7 +470,7 @@
# header_checks = pcre:/etc/postfix/header_checks.pcre
#
# /etc/postfix/header_checks.pcre:
# /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
# /^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(
# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
# hlp|ht[at]|
# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
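Review bot: On the changed pattern line, "[^;]*" replaces ".*" so the match stays inside one header parameter, but the class also excludes ";" inside a quoted value. Please confirm, against the tail of the expression that is not visible in this hunk, that a quoted name containing ";" ahead of the extension is still matched, or state in the example that it is not. A short comment above the pattern explaining why the match is limited to the text before the next ";" would help readers who copy this example into their own header_checks table.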
@ -493,4 +518,9 @@
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#
# Wietse Venema
# Google, Inc.
# 111 8th Avenue
# New York, NY 10011, USA
#
# HEADER_CHECKS(5)
@ -1,5 +1,5 @@
#!/bin/sh
# $NetBSD: post-install,v 1.1.1.6 2014/07/06 19:27:40 tron Exp $
# $NetBSD: post-install,v 1.1.1.7 2017/02/14 01:13:34 christos Exp $
#

# To view the formatted manual page of this file, type:
@ -42,8 +42,8 @@
# Arguments
# .IP create-missing
# Create missing queue directories with ownerships and permissions
# according to the contents of $daemon_directory/postfix-files
# and optionally in $daemon_directory/postfix-files.d/*, using
# according to the contents of $meta_directory/postfix-files
# and optionally in $meta_directory/postfix-files.d/*, using
# the mail_owner and setgid_group parameter settings from the
# command line, process environment or from the installed
# main.cf file.
@ -51,8 +51,8 @@
# This is required at Postfix start-up time.
# .IP set-permissions
# Set all file/directory ownerships and permissions according to the
# contents of $daemon_directory/postfix-files and optionally
# in $daemon_directory/postfix-files.d/*, using the mail_owner
# contents of $meta_directory/postfix-files and optionally
# in $meta_directory/postfix-files.d/*, using the mail_owner
# and setgid_group parameter settings from the command line,
# process environment or from the installed main.cf file.
# Implies create-missing.
@ -62,8 +62,8 @@
# settings after Postfix is already installed.
# .IP upgrade-permissions
# Update ownership and permission of existing files/directories as
# specified in $daemon_directory/postfix-files and optionally
# in $daemon_directory/postfix-files.d/*, using the mail_owner
# specified in $meta_directory/postfix-files and optionally
# in $meta_directory/postfix-files.d/*, using the mail_owner
# and setgid_group parameter settings from the command line,
# process environment or from the installed main.cf file.
# Implies create-missing.
@ -177,12 +177,21 @@
# This feature is obsolete as of Postfix 2.1.
# .IP readme_directory
# The directory for the Postfix README files.
# .IP shlib_directory
# The directory for the Postfix shared-library files, and for
# the Postfix dabatase plugin files with a relative pathname
# in the file dynamicmaps.cf.
# .IP meta_directory
# The directory for non-executable files that are shared
# among multiple Postfix instances, such as postfix-files,
# dynamicmaps.cf, as well as the multi-instance template files
# main.cf.proto and master.cf.proto.
# SEE ALSO
# postfix-install(1) Postfix primary installation script.
# FILES
# $config_directory/main.cf, Postfix installation parameters.
# $daemon_directory/postfix-files, installation control file.
# $daemon_directory/postfix-files.d/*, optional control files.
# $meta_directory/postfix-files, installation control file.
# $meta_directory/postfix-files.d/*, optional control files.
# $config_directory/install.cf, obsolete configuration file.
# LICENSE
# .ad
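Review bot: Typo in the new shlib_directory entry: "the Postfix dabatase plugin files" should read "database plugin files". This text ends up in the formatted manual page, so it is worth fixing before it propagates.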
@ -207,7 +216,7 @@ debug=:
MOST_PARAMETERS="command_directory daemon_directory data_directory
html_directory mail_owner mailq_path manpage_directory
newaliases_path queue_directory readme_directory sample_directory
sendmail_path setgid_group"
sendmail_path setgid_group shlib_directory meta_directory"
NON_SHARED="config_directory queue_directory data_directory"

USAGE="Usage: $0 [name=value] command
@ -227,6 +236,8 @@ obsolete=; keep_list=;
|
||||
for arg
|
||||
do
|
||||
case $arg in
|
||||
*[" "]*) echo $0: "Error: argument contains whitespace: '$arg'"
|
||||
exit 1;;
|
||||
*=*) IFS= eval $arg; IFS="$BACKUP_IFS";;
|
||||
create-missing) create=1;;
|
||||
set-perm*) create=1; set_perms=1;;
|
||||
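Review bot: The new whitespace guard in the argument loop prints its error to stdout, while the postfix-files check later in this script sends its error to stderr with 1>&2; add 1>&2 to the echo in the `*[" "]*)` branch. The guard also rejects only the characters listed inside the bracket expression, so `eval $arg` in the `*=*)` branch still interprets any other shell metacharacters in a name=value argument. Either check the name part against the known parameter list and assign the value without eval, or state in the header comment that arguments are trusted installer input.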
@ -289,8 +300,8 @@ do
|
||||
esac
|
||||
done
|
||||
|
||||
test -f $daemon_directory/postfix-files || {
|
||||
echo $0: Error: $daemon_directory/postfix-files is not a file. 1>&2
|
||||
test -f $meta_directory/postfix-files || {
|
||||
echo $0: Error: $meta_directory/postfix-files is not a file. 1>&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
@ -363,7 +374,8 @@ case $setgid_group in
|
||||
esac
|
||||
|
||||
for path in "$daemon_directory" "$command_directory" "$queue_directory" \
|
||||
"$sendmail_path" "$newaliases_path" "$mailq_path" "$manpage_directory"
|
||||
"$sendmail_path" "$newaliases_path" "$mailq_path" "$manpage_directory" \
|
||||
"$meta_directory"
|
||||
do
|
||||
case "$path" in
|
||||
/*) ;;
|
||||
@ -371,7 +383,7 @@ do
|
||||
esac
|
||||
done
|
||||
|
||||
for path in "$html_directory" "$readme_directory"
|
||||
for path in "$html_directory" "$readme_directory" "$shlib_directory"
|
||||
do
|
||||
case "$path" in
|
||||
/*) ;;
|
||||
@ -416,10 +428,37 @@ POSTCONF="$command_directory/postconf"
|
||||
|
||||
# Save settings, allowing command line/environment override.
|
||||
|
||||
# Undo MAIL_VERSION expansion at the end of a parameter value. If
|
||||
# someone really wants the expanded mail version in main.cf, then
|
||||
# we're sorry.
|
||||
|
||||
# Confine side effects from mail_version unexpansion within a subshell.
|
||||
|
||||
(case "$mail_version" in
|
||||
"") mail_version="`$POSTCONF -dhx mail_version`" || exit 1
|
||||
esac
|
||||
|
||||
for name in $MOST_PARAMETERS
|
||||
do
|
||||
eval junk=\$$name
|
||||
case "$junk" in
|
||||
*"$mail_version"*)
|
||||
case "$pattern" in
|
||||
"") pattern=`echo "$mail_version" | sed 's/\./\\\\./g'` || exit 1
|
||||
esac
|
||||
val=`echo "$junk" | sed "s/$pattern"'$/${mail_version}/g'` || exit 1
|
||||
eval ${name}='"$val"'
|
||||
esac
|
||||
done
|
||||
|
||||
# XXX Maybe update main.cf only with first install, upgrade, set
|
||||
# permissions, and what else? Should there be a warning otherwise?
|
||||
|
||||
override=
|
||||
for name in $MOST_PARAMETERS
|
||||
do
|
||||
eval test \"\$$name\" = \"`$POSTCONF -c $config_directory -h $name`\" || {
|
||||
eval junk=\"\$$name\"
|
||||
test "$junk" = "`$POSTCONF -c $config_directory -h $name`" || {
|
||||
override=1
|
||||
break
|
||||
}
|
||||
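Review bot: `pattern` is tested with `case "$pattern" in "")` inside the loop but is never initialised in the lines shown, so a `pattern` variable inherited from the process environment would be used in the sed expression instead of the escaped mail_version. Set `pattern=` before `for name in $MOST_PARAMETERS`. The escaping also handles dots only; a mail_version value containing `/` or other sed metacharacters would break or alter the substitution on the `val=` line, so either escape those as well or add a comment stating the assumed version format.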
@ -440,14 +479,16 @@ test -n "$override" && {
|
||||
"manpage_directory = $manpage_directory" \
|
||||
"sample_directory = $sample_directory" \
|
||||
"readme_directory = $readme_directory" \
|
||||
"shlib_directory = $shlib_directory" \
|
||||
"meta_directory = $meta_directory" \
|
||||
|| exit 1
|
||||
}
|
||||
} || exit 0) || exit 1
|
||||
|
||||
# Use file/directory status information in $daemon_directory/postfix-files.
|
||||
# Use file/directory status information in $meta_directory/postfix-files.
|
||||
|
||||
test -n "$create" && {
|
||||
postfix_files_d=$daemon_directory/postfix-files.d
|
||||
for postfix_file in $daemon_directory/postfix-files \
|
||||
postfix_files_d=$meta_directory/postfix-files.d
|
||||
for postfix_file in $meta_directory/postfix-files \
|
||||
`test -d $postfix_files_d && { find $postfix_files_d -type f | sort; }`
|
||||
do
|
||||
exec <$postfix_file || exit 1
|
||||
|
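Review bot: The control-file list is built by word-splitting the backquoted `find $postfix_files_d -type f | sort`, so a file name containing whitespace under postfix-files.d is split into several words and `exec <$postfix_file || exit 1` aborts the run. Because these files decide the ownership and permissions that post-install applies, consider skipping (with a warning) any control file that is not owned by root or is group/other writable before reading it, and document the naming constraint in the header comment next to the postfix-files.d description.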
102
external/ibm-public/postfix/dist/conf/postfix-script
vendored
@ -1,5 +1,5 @@
|
||||
#!/bin/sh
|
||||
# $NetBSD: postfix-script,v 1.1.1.3 2013/09/25 19:06:20 tron Exp $
|
||||
# $NetBSD: postfix-script,v 1.1.1.4 2017/02/14 01:13:34 christos Exp $
|
||||
#
|
||||
|
||||
#++
|
||||
@ -66,6 +66,17 @@ cd $config_directory || {
|
||||
$FATAL no Postfix configuration directory $config_directory!
|
||||
exit 1
|
||||
}
|
||||
case $shlib_directory in
|
||||
no) ;;
|
||||
*) cd $shlib_directory || {
|
||||
$FATAL no Postfix shared-library directory $shlib_directory!
|
||||
exit 1
|
||||
}
|
||||
esac
|
||||
cd $meta_directory || {
|
||||
$FATAL no Postfix meta directory $meta_directory!
|
||||
exit 1
|
||||
}
|
||||
cd $queue_directory || {
|
||||
$FATAL no Postfix queue directory $queue_directory!
|
||||
exit 1
|
||||
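Review bot: The new `cd $shlib_directory` and `cd $meta_directory` checks use unquoted expansions, so an empty value turns the command into a bare `cd`, which changes to $HOME and succeeds; the "no Postfix meta directory" and "no Postfix shared-library directory" errors are then never reached. Test the value first (for example `test -n "$meta_directory"` before the cd) and quote the expansions, as the post-install path loops in this same change already do with "$meta_directory" and "$shlib_directory".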
@ -243,43 +254,55 @@ check-fatal)
|
||||
check-warn)
|
||||
# This command is NOT part of the public interface.
|
||||
|
||||
todo="$config_directory $queue_directory $queue_directory/pid"
|
||||
test -n "$check_shared_files" && todo="$daemon_directory $todo"
|
||||
# Check Postfix root-owned directory owner/permissions.
|
||||
|
||||
for dir in $todo
|
||||
do
|
||||
ls -lLd $dir | (grep " root " >/dev/null ||
|
||||
$WARN not owned by root: $dir)
|
||||
done
|
||||
find $queue_directory/. $queue_directory/pid \
|
||||
-prune ! -user root \
|
||||
-exec $WARN not owned by root: {} \;
|
||||
|
||||
# Some people break Postfix's security model.
|
||||
ls -lLd $queue_directory | egrep '^.....(w|...w)' >/dev/null && \
|
||||
$WARN group or other writable: $queue_directory
|
||||
find $queue_directory/. $queue_directory/pid \
|
||||
-prune \( -perm -020 -o -perm -002 \) \
|
||||
-exec $WARN group or other writable: {} \;
|
||||
|
||||
todo="$config_directory/*"
|
||||
test -n "$check_shared_files" && todo="$daemon_directory/* $todo"
|
||||
|
||||
find $todo ! -user root \
|
||||
-exec $WARN not owned by root: {} \;
|
||||
# Check Postfix root-owned directory tree owner/permissions.
|
||||
|
||||
todo="$config_directory/."
|
||||
test -n "$check_shared_files" && todo="$daemon_directory/. $todo"
|
||||
test -n "$check_shared_files" && {
|
||||
todo="$daemon_directory/. $meta_directory/. $todo"
|
||||
test "$shlib_directory" = "no" ||
|
||||
todo="$shlib_directory/. $todo"
|
||||
}
|
||||
todo=`echo "$todo" | tr ' ' '\12' | sort -u`
|
||||
|
||||
find $todo \
|
||||
\( -perm -020 -o -perm -002 \) -type f \
|
||||
-exec $WARN group or other writable: {} \;
|
||||
find $todo ! -user root \
|
||||
-exec $WARN not owned by root: {} \;
|
||||
|
||||
find $todo \( -perm -020 -o -perm -002 \) \
|
||||
-exec $WARN group or other writable: {} \;
|
||||
|
||||
# Check Postfix mail_owner-owned directory tree owner/permissions.
|
||||
|
||||
find $data_directory/. ! -user $mail_owner \
|
||||
-exec $WARN not owned by $mail_owner: {} \;
|
||||
|
||||
ls -lLd $data_directory | egrep '^.....(w|...w)' >/dev/null && \
|
||||
$WARN group or other writable: $data_directory
|
||||
find $data_directory/. \( -perm -020 -o -perm -002 \) \
|
||||
-exec $WARN group or other writable: {} \;
|
||||
|
||||
# Check Postfix mail_owner-owned directory tree owner.
|
||||
|
||||
find `ls -d $queue_directory/* | \
|
||||
egrep '/(saved|incoming|active|defer|deferred|bounce|hold|trace|corrupt|public|private|flush)$'` \
|
||||
! \( -type p -o -type s \) ! -user $mail_owner \
|
||||
-exec $WARN not owned by $mail_owner: {} \;
|
||||
|
||||
# WARNING: this should not descend into the maildrop directory.
|
||||
# maildrop is the least trusted Postfix directory.
|
||||
|
||||
find $queue_directory/maildrop -prune ! -user $mail_owner \
|
||||
-exec $WARN not owned by $mail_owner: $queue_directory/maildrop \;
|
||||
|
||||
# Check Postfix setgid_group-owned directory and file group/permissions.
|
||||
|
||||
todo="$queue_directory/public $queue_directory/maildrop"
|
||||
test -n "$check_shared_files" &&
|
||||
todo="$command_directory/postqueue $command_directory/postdrop $todo"
|
||||
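Review bot: The tree check written as `find $todo \( -perm -020 -o -perm -002 \)` has no `-type f` restriction, unlike the other variant of the same check in this hunk, so it also tests symbolic links. On many systems a symlink's own mode is reported as 0777, which means every symlink under $config_directory, $daemon_directory, $meta_directory or $shlib_directory would produce a "group or other writable" warning. Add `! -type l` to this find, and decide separately whether symlinks that point outside the tree deserve their own warning. The `tr ' ' '\12' | sort -u` deduplication also assumes that none of these directory names contains a space; a short comment saying so would help.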
@ -293,33 +316,27 @@ check-warn)
|
||||
-prune ! -perm -02111 \
|
||||
-exec $WARN not set-gid or not owner+group+world executable: {} \;
|
||||
|
||||
for name in `ls -d $queue_directory/* | \
|
||||
egrep '/(bin|etc|lib|usr)$'` ; \
|
||||
do \
|
||||
find $name ! -user root \
|
||||
-exec $WARN not owned by root: {} \; ; \
|
||||
done
|
||||
|
||||
# WARNING: this should not descend into the maildrop directory.
|
||||
# maildrop is the least trusted Postfix directory.
|
||||
|
||||
find $queue_directory/maildrop/. -prune ! -user $mail_owner \
|
||||
-exec $WARN not owned by $mail_owner: $queue_directory/maildrop \;
|
||||
# Check non-Postfix root-owned directory tree owner/content.
|
||||
|
||||
for dir in bin etc lib sbin usr
|
||||
do
|
||||
test -d $dir && find $dir -type f -print | while read path
|
||||
test -d $dir && {
|
||||
find $dir ! -user root \
|
||||
-exec $WARN not owned by root: $queue_directory/{} \;
|
||||
|
||||
find $dir -type f -print | while read path
|
||||
do
|
||||
test -f /$path && {
|
||||
cmp -s $path /$path ||
|
||||
$WARN $queue_directory/$path and /$path differ
|
||||
}
|
||||
test -f /$path && {
|
||||
cmp -s $path /$path ||
|
||||
$WARN $queue_directory/$path and /$path differ
|
||||
}
|
||||
done
|
||||
}
|
||||
done
|
||||
|
||||
find corrupt -type f -exec $WARN damaged message: {} \;
|
||||
|
||||
# XXX also: look for weird stuff, weird permissions, etc.
|
||||
# Check for non-Postfix MTA remnants.
|
||||
|
||||
test -n "$check_shared_files" -a -f /usr/sbin/sendmail -a \
|
||||
-f /usr/lib/sendmail && {
|
||||
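Review bot: In the chroot tree check, `-exec $WARN not owned by root: $queue_directory/{} \;` embeds `{}` inside a longer argument, and POSIX leaves it implementation-defined whether find substitutes the path in that position, so on some platforms the warning would print a literal "{}". The other checks in this script pass `{}` as an argument of its own; do the same here, or feed `find $dir ! -user root -print` into a `while read path` loop like the cmp check below it. The relative names in `for dir in bin etc lib sbin usr` also depend on the earlier `cd $queue_directory`, which is worth a one-line comment at this loop.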
@ -341,6 +358,11 @@ post-install)
|
||||
$daemon_directory/post-install "$@"
|
||||
;;
|
||||
|
||||
tls)
|
||||
shift
|
||||
$daemon_directory/postfix-tls-script "$@"
|
||||
;;
|
||||
|
||||
/*)
|
||||
# Currently not part of the public interface.
|
||||
"$@"
|
||||
|
1156
external/ibm-public/postfix/dist/conf/postfix-tls-script
vendored
Normal file
File diff suppressed because it is too large
@ -1,5 +1,5 @@
|
||||
#! /bin/sh
|
||||
# $NetBSD: postmulti-script,v 1.1.1.2 2009/08/31 17:53:37 tron Exp $
|
||||
# $NetBSD: postmulti-script,v 1.1.1.3 2017/02/14 01:13:34 christos Exp $
|
||||
#
|
||||
|
||||
umask 022
|
||||
@ -16,6 +16,8 @@ umask 022
|
||||
# MAIL_CONFIG - config_directory of primary instance
|
||||
# command_directory - From primary instance
|
||||
# daemon_directory - From primary instance
|
||||
# meta_directory - From primary instance
|
||||
# shlib_directory - From primary instance
|
||||
# config_directroy - config_directory of target instance
|
||||
# queue_directory - queue_directory of target instance
|
||||
# data_directory - data_directory of target instance
|
||||
@ -32,6 +34,8 @@ umask 022
|
||||
: ${MAIL_CONFIG:?"do not invoke this command directly"}
|
||||
: ${command_directory:?"do not invoke this command directly"}
|
||||
: ${daemon_directory:?"do not invoke this command directly"}
|
||||
: ${meta_directory:?"do not invoke this command directly"}
|
||||
: ${shlib_directory:?"do not invoke this command directly"}
|
||||
|
||||
USAGE="$0 -e create|destroy|import|deport|enable|disable|assign|init"
|
||||
usage() { echo "$0: Error: Usage: $USAGE" >&2; exit 1; }
|
||||
@ -111,6 +115,17 @@ init)
|
||||
exit $? ;;
|
||||
esac
|
||||
|
||||
# Backport note: "-x" requires 2.10 or later, and is not essential here.
|
||||
#
|
||||
wrapper=`postconf -hx multi_instance_wrapper` || exit 1
|
||||
enable=`postconf -hx multi_instance_enable` || exit 1
|
||||
|
||||
test -n "$wrapper" ||
|
||||
fatal "multi_instance_wrapper is empty, run 'postmulti -e init' first."
|
||||
|
||||
test "$enable" = "yes" ||
|
||||
fatal "multi_instance_enable!=yes, run 'postmulti -e init' first."
|
||||
|
||||
: ${config_directory:?"Invalid empty target instance config_directory"}
|
||||
|
||||
case $action in
|
||||
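Review bot: `postconf -hx multi_instance_wrapper` and `postconf -hx multi_instance_enable` resolve postconf through PATH, although the environment check above already requires command_directory to be set. Unless PATH is pinned elsewhere in the script, call `$command_directory/postconf` so the precondition test cannot pick up a different binary. Both tests also run for every action that reaches this point, so the USAGE text or the header comment should say that 'postmulti -e init' is a prerequisite.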
@ -129,6 +144,11 @@ create|import)
|
||||
fatal "'$config_directory' lacks a master.cf file"
|
||||
}
|
||||
|
||||
test -f $meta_directory/main.cf.proto ||
|
||||
fatal "Missing main.cf prototype: $meta_directory/main.cf.proto"
|
||||
test -f $meta_directory/master.cf.proto ||
|
||||
fatal "Missing master.cf prototype: $meta_directory/master.cf.proto"
|
||||
|
||||
# Create instance-specific directories
|
||||
#
|
||||
test -d $config_directory ||
|
||||
@ -140,7 +160,7 @@ create|import)
|
||||
|
||||
tmpdir=$config_directory/.tmp
|
||||
(umask 077; mkdir -p $tmpdir) || exit 1
|
||||
cp -p $daemon_directory/main.cf $tmpdir/main.cf || exit 1
|
||||
cp -p $meta_directory/main.cf.proto $tmpdir/main.cf || exit 1
|
||||
|
||||
# Shared install parameters are cloned from user-specified values in
|
||||
# the default instance, but only if explicitly set there. Otherwise,
|
||||
@ -149,6 +169,7 @@ create|import)
|
||||
SHARED_PARAMETERS="
|
||||
command_directory
|
||||
daemon_directory
|
||||
meta_directory
|
||||
mail_owner
|
||||
setgid_group
|
||||
sendmail_path
|
||||
@ -158,6 +179,7 @@ create|import)
|
||||
manpage_directory
|
||||
sample_directory
|
||||
readme_directory
|
||||
shlib_directory
|
||||
"
|
||||
|
||||
shift $# # Needed on SunOS where bare "set --" is NOP!
|
||||
@ -185,7 +207,7 @@ create|import)
|
||||
"$@" || exit 1
|
||||
|
||||
|
||||
cp -p $daemon_directory/master.cf $tmpdir/master.cf || exit 1
|
||||
cp -p $meta_directory/master.cf.proto $tmpdir/master.cf || exit 1
|
||||
mv $tmpdir/main.cf $config_directory/main.cf || exit 1
|
||||
mv $tmpdir/master.cf $config_directory/master.cf || exit 1
|
||||
rmdir $tmpdir 2>/dev/null
|
||||
|
17
external/ibm-public/postfix/dist/conf/relocated
vendored
@ -22,12 +22,12 @@
|
||||
# LDAP or SQL, the same lookups are done as for ordinary
|
||||
# indexed files.
|
||||
#
|
||||
# Alternatively, the table can be provided as a regular-
|
||||
# expression map where patterns are given as regular expres-
|
||||
# sions, or lookups can be directed to TCP-based server. In
|
||||
# those case, the lookups are done in a slightly different
|
||||
# way as described below under "REGULAR EXPRESSION TABLES"
|
||||
# or "TCP-BASED TABLES".
|
||||
# Alternatively, the table can be provided as a regu-
|
||||
# lar-expression map where patterns are given as regular
|
||||
# expressions, or lookups can be directed to TCP-based
|
||||
# server. In those case, the lookups are done in a slightly
|
||||
# different way as described below under "REGULAR EXPRESSION
|
||||
# TABLES" or "TCP-BASED TABLES".
|
||||
#
|
||||
# Table lookups are case insensitive.
|
||||
#
|
||||
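Review bot: The re-wrapped paragraph keeps the grammar slips "In those case" and "directed to TCP-based server"; since these lines are being touched anyway, change them to "In those cases" and "directed to a TCP-based server". The same paragraph appears in the transport and virtual hunks below, so if these files are generated from the manual pages, fix the text once in that source.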
@ -168,4 +168,9 @@
|
||||
# P.O. Box 704
|
||||
# Yorktown Heights, NY 10598, USA
|
||||
#
|
||||
# Wietse Venema
|
||||
# Google, Inc.
|
||||
# 111 8th Avenue
|
||||
# New York, NY 10011, USA
|
||||
#
|
||||
# RELOCATED(5)
|
||||
|
27
external/ibm-public/postfix/dist/conf/transport
vendored
@ -12,11 +12,11 @@
|
||||
#
|
||||
# DESCRIPTION
|
||||
# The optional transport(5) table specifies a mapping from
|
||||
# email addresses to message delivery transports and next-
|
||||
# hop destinations. Message delivery transports such as
|
||||
# local or smtp are defined in the master.cf file, and next-
|
||||
# hop destinations are typically hosts or domain names. The
|
||||
# table is searched by the trivial-rewrite(8) daemon.
|
||||
# email addresses to message delivery transports and
|
||||
# next-hop destinations. Message delivery transports such
|
||||
# as local or smtp are defined in the master.cf file, and
|
||||
# next-hop destinations are typically hosts or domain names.
|
||||
# The table is searched by the trivial-rewrite(8) daemon.
|
||||
#
|
||||
# This mapping overrides the default transport:nexthop
|
||||
# selection that is built into Postfix:
|
||||
@ -59,12 +59,12 @@
|
||||
# LDAP or SQL, the same lookups are done as for ordinary
|
||||
# indexed files.
|
||||
#
|
||||
# Alternatively, the table can be provided as a regular-
|
||||
# expression map where patterns are given as regular expres-
|
||||
# sions, or lookups can be directed to TCP-based server. In
|
||||
# those case, the lookups are done in a slightly different
|
||||
# way as described below under "REGULAR EXPRESSION TABLES"
|
||||
# or "TCP-BASED TABLES".
|
||||
# Alternatively, the table can be provided as a regu-
|
||||
# lar-expression map where patterns are given as regular
|
||||
# expressions, or lookups can be directed to TCP-based
|
||||
# server. In those case, the lookups are done in a slightly
|
||||
# different way as described below under "REGULAR EXPRESSION
|
||||
# TABLES" or "TCP-BASED TABLES".
|
||||
#
|
||||
# CASE FOLDING
|
||||
# The search string is folded to lowercase before database
|
||||
@ -291,4 +291,9 @@
|
||||
# P.O. Box 704
|
||||
# Yorktown Heights, NY 10598, USA
|
||||
#
|
||||
# Wietse Venema
|
||||
# Google, Inc.
|
||||
# 111 8th Avenue
|
||||
# New York, NY 10011, USA
|
||||
#
|
||||
# TRANSPORT(5)
|
||||
|
25
external/ibm-public/postfix/dist/conf/virtual
vendored
@ -49,12 +49,12 @@
|
||||
# LDAP or SQL, the same lookups are done as for ordinary
|
||||
# indexed files.
|
||||
#
|
||||
# Alternatively, the table can be provided as a regular-
|
||||
# expression map where patterns are given as regular expres-
|
||||
# sions, or lookups can be directed to TCP-based server. In
|
||||
# those case, the lookups are done in a slightly different
|
||||
# way as described below under "REGULAR EXPRESSION TABLES"
|
||||
# or "TCP-BASED TABLES".
|
||||
# Alternatively, the table can be provided as a regu-
|
||||
# lar-expression map where patterns are given as regular
|
||||
# expressions, or lookups can be directed to TCP-based
|
||||
# server. In those case, the lookups are done in a slightly
|
||||
# different way as described below under "REGULAR EXPRESSION
|
||||
# TABLES" or "TCP-BASED TABLES".
|
||||
#
|
||||
# CASE FOLDING
|
||||
# The search string is folded to lowercase before database
|
||||
@ -163,10 +163,10 @@
|
||||
# types.
|
||||
#
|
||||
# /etc/postfix/virtual:
|
||||
# virtual-alias.domain anything (right-hand content does not matter)
|
||||
# postmaster@virtual-alias.domain postmaster
|
||||
# user1@virtual-alias.domain address1
|
||||
# user2@virtual-alias.domain address2, address3
|
||||
# virtual-alias.domain anything (right-hand content does not matter)
|
||||
# postmaster@virtual-alias.domain postmaster
|
||||
# user1@virtual-alias.domain address1
|
||||
# user2@virtual-alias.domain address2, address3
|
||||
#
|
||||
# The virtual-alias.domain anything entry is required for a
|
||||
# virtual alias domain. Without this entry, mail is rejected
|
||||
@ -291,4 +291,9 @@
|
||||
# P.O. Box 704
|
||||
# Yorktown Heights, NY 10598, USA
|
||||
#
|
||||
# Wietse Venema
|
||||
# Google, Inc.
|
||||
# 111 8th Avenue
|
||||
# New York, NY 10011, USA
|
||||
#
|
||||
# VIRTUAL(5)
|
||||
|
@ -254,9 +254,10 @@ hostnames of the machine, including $<a href="postconf.5.html#myhostname">myhost
|
||||
|
||||
<p> By default, Postfix will forward mail from clients in authorized
|
||||
network blocks to any destination. Authorized networks are defined
|
||||
with the <a href="postconf.5.html#mynetworks">mynetworks</a> configuration parameter. The default is to
|
||||
authorize all clients in the IP subnetworks that the local machine
|
||||
is attached to. </p>
|
||||
with the <a href="postconf.5.html#mynetworks">mynetworks</a> configuration parameter. The current default is to
|
||||
authorize the local machine only. Prior to Postfix 3.0, the default
|
||||
was to authorize all clients in the IP subnetworks that the local
|
||||
machine is attached to. </p>
|
||||
|
||||
<p> Postfix can also be configured to relay mail from "mobile"
|
||||
clients that send mail from outside an authorized network block.
|
||||
|
@ -126,6 +126,8 @@ same message repeatedly. </p>
|
||||
|
||||
<li><a href="#remote_only">Configuring header/body checks for mail from outside users only</a>
|
||||
|
||||
<li><a href="#mx_submission">Configuring different header/body checks for MX service and submission service</a>
|
||||
|
||||
<li><a href="#domain_except">Configuring header/body checks for mail to some domains only</a>
|
||||
|
||||
</ul>
|
||||
@ -209,7 +211,9 @@ header/body checks are requested by the source. Examples of how
|
||||
to turn off header/body checks for mail received with <a href="smtpd.8.html">smtpd(8)</a>,
|
||||
<a href="qmqpd.8.html">qmqpd(8)</a> or <a href="pickup.8.html">pickup(8)</a> are given below under "<a
|
||||
href="#remote_only">Configuring header/body checks for mail from
|
||||
outside users only</a>" and "<a href="#domain_except">Configuring
|
||||
outside users only</a>", "<a href="#mx_submission">Configuring
|
||||
different header/body checks for MX service and submission
|
||||
service</a>", and "<a href="#domain_except">Configuring
|
||||
header/body checks for mail to some domains only</a>". </p>
|
||||
|
||||
<h2><a name="limitations">Limitations of Postfix header/body checks </a></h2>
|
||||
@ -393,6 +397,61 @@ header/body filtering turned on via <a href="postconf.5.html">main.cf</a>. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="mx_submission">Configuring different header/body checks for MX service and submission service</a></h2>
|
||||
|
||||
<p> If authorized user submissions require different header/body
|
||||
checks than mail from remote MTAs, then this is possible as long
|
||||
as you have separate mail streams for authorized users and for MX
|
||||
service. </p>
|
||||
|
||||
<p> The example below assumes that authorized users connect to TCP
|
||||
port 587 (submission) or 465 (smtps), and that remote MTAs connect
|
||||
to TCP port 25 (smtp). </p>
|
||||
|
||||
<p> First, we define a few "user-defined" parameters that will
|
||||
override settings for the submission and smtps services. </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
msa_cleanup_service_name = msa_cleanup
|
||||
msa_header_checks = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/msa_header_checks
|
||||
msa_body_checks = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/msa_body_checks
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Next, we define msa_cleanup as a dedicated cleanup service that
|
||||
will be used only by the submission and smtps services. This service
|
||||
uses the <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a> overrides that were defined
|
||||
above. </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix.<a href="master.5.html">master.cf</a>:
|
||||
# =================================================================
|
||||
# service type private unpriv chroot wakeup maxproc command
|
||||
# (yes) (yes) (yes) (never) (100)
|
||||
# =================================================================
|
||||
smtp inet n - n - - smtpd
|
||||
msa_cleanup unix n - n - 0 cleanup
|
||||
-o <a href="postconf.5.html#header_checks">header_checks</a>=$msa_header_checks
|
||||
-o <a href="postconf.5.html#body_checks">body_checks</a>=$msa_body_checks
|
||||
submission inet n - n - - smtpd
|
||||
-o <a href="postconf.5.html#cleanup_service_name">cleanup_service_name</a>=$msa_cleanup_service_name
|
||||
-o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/submission
|
||||
<i>...[see sample <a href="master.5.html">master.cf</a> file for more]...</i>
|
||||
smtps inet n - n - - smtpd
|
||||
-o <a href="postconf.5.html#cleanup_service_name">cleanup_service_name</a>=$msa_cleanup_service_name
|
||||
-o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/smtps
|
||||
-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes
|
||||
<i>...[see sample <a href="master.5.html">master.cf</a> file for more]...</i>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> By keeping the "msa_xxx" parameter settings in <a href="postconf.5.html">main.cf</a>, you
|
||||
keep your <a href="master.5.html">master.cf</a> file simple, and you minimize the amount
|
||||
of duplication. </p>
|
||||
|
||||
<h2><a name="domain_except">Configuring header/body checks for mail to some domains only</a></h2>
|
||||
|
||||
<p> The following information applies to Postfix 2.1. Earlier
|
||||
|
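Review bot: The second example in the new mx_submission section is labelled `/etc/postfix.<a href="master.5.html">master.cf</a>:`, which renders as "/etc/postfix.master.cf:"; the dot after "postfix" should be a slash, matching the "/etc/postfix/main.cf:" label on the first example. Readers copy these labels as file paths, so fix it in the README source before the HTML is regenerated.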
@ -67,7 +67,7 @@ like: </p>
|
||||
% make tidy
|
||||
% CDB=../../../tinycdb-0.5
|
||||
% make -f Makefile.init makefiles "CCARGS=-DHAS_CDB -I$CDB" \
|
||||
"AUXLIBS=$CDB/libcdb.a"
|
||||
"<a href="CDB_README.html">AUXLIBS_CDB</a>=$CDB/libcdb.a"
|
||||
% make
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -79,11 +79,26 @@ like: </p>
|
||||
% make tidy
|
||||
% CDB=../../../cdb-0.75
|
||||
% make -f Makefile.init makefiles "CCARGS=-DHAS_CDB -I$CDB" \
|
||||
"AUXLIBS=$CDB/cdb.a $CDB/alloc.a $CDB/buffer.a $CDB/unix.a $CDB/byte.a"
|
||||
"<a href="CDB_README.html">AUXLIBS_CDB</a>=$CDB/cdb.a $CDB/alloc.a $CDB/buffer.a $CDB/unix.a $CDB/byte.a"
|
||||
% make
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Postfix versions before 3.0 use AUXLIBS instead of <a href="CDB_README.html">AUXLIBS_CDB</a>.
|
||||
With Postfix 3.0 and later, the old AUXLIBS variable still supports
|
||||
building a statically-loaded CDB database client, but only the new
|
||||
<a href="CDB_README.html">AUXLIBS_CDB</a> variable supports building a dynamically-loaded or
|
||||
statically-loaded CDB database client. </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> Failure to use the <a href="CDB_README.html">AUXLIBS_CDB</a> variable will defeat the purpose
|
||||
of dynamic database client loading. Every Postfix executable file
|
||||
will have CDB database library dependencies. And that was exactly
|
||||
what dynamic database client loading was meant to avoid. </p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> After Postfix has been built with cdb support, you can use
|
||||
"cdb" tables wherever you can use read-only "hash", "btree" or
|
||||
"dbm" tables. However, the "<b>postmap -i</b>" (incremental record
|
||||
|
334
external/ibm-public/postfix/dist/html/COMPATIBILITY_README.html
vendored
Normal file
@ -0,0 +1,334 @@
|
||||
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
|
||||
"http://www.w3.org/TR/html4/loose.dtd">
|
||||
|
||||
<html>
|
||||
|
||||
<head>
|
||||
|
||||
<title>Postfix Backwards-Compatibility Safety Net</title>
|
||||
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
|
||||
Backwards-Compatibility Safety Net</h1>
|
||||
|
||||
<hr>
|
||||
|
||||
<h2>Purpose of this document </h2>
|
||||
|
||||
<p> Postfix 3.0 introduces a safety net that runs Postfix programs
|
||||
with backwards-compatible default settings after an upgrade. The
|
||||
safety net will log a warning whenever a "new" default setting could
|
||||
have an negative effect on your mail flow. </p>
|
||||
|
||||
<p>This document provides information on the following topics: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> <a href="#overview">Detailed descriptions</a> of Postfix
|
||||
backwards-compatibility warnings.
|
||||
|
||||
<li> <p> What backwards-compatible settings you may have to make
|
||||
permanent in <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a>. </p>
|
||||
|
||||
<li> <p> <a href="#turnoff">How to turn off</a> Postfix
|
||||
backwards-compatibility warnings. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2> <a name="overview"> Overview </a> </h2>
|
||||
|
||||
<p> With backwards compatibility turned on, Postfix logs a message
|
||||
whenever a backwards-compatible default setting may be required for
|
||||
continuity of service. Based on this logging the system administrator
|
||||
can decide if any backwards-compatible settings need to be made
|
||||
permanent in main.cf or master.cf, before <a href="#turnoff">turning
|
||||
off the backwards-compatibility safety net</a> as described at the
|
||||
end of this document. </p>
|
||||
|
||||
<p> The following messages may be logged: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> <a href="#append_dot_mydomain"> Using backwards-compatible
|
||||
default setting append_dot_mydomain=yes </a> </p>
|
||||
|
||||
<li> <p> <a href="#chroot"> Using backwards-compatible default setting
|
||||
chroot=y</a> </p>
|
||||
|
||||
<li> <p> <a href="#mynetworks_style"> Using backwards-compatible
|
||||
default setting mynetworks_style=subnet </a> </p>
|
||||
|
||||
<li> <p> <a href="#relay_domains"> Using backwards-compatible default
|
||||
setting relay_domains=$mydestination </a> </p>
|
||||
|
||||
<li> <p> <a href="#smtputf8_enable"> Using backwards-compatible
|
||||
default setting smtputf8_enable=no</a> </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> If such a message is logged in the context of a legitimate
|
||||
request, the system administrator should make the backwards-compatible
|
||||
setting permanent in <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a>, as detailed in the
|
||||
sections that follow. </p>
|
||||
|
||||
<p> When no more backwards-compatible settings need to be made
|
||||
permanent, the system administrator should <a href="#turnoff">turn
|
||||
off the backwards-compatibility safety net</a> as described at the
|
||||
end of this document. </p>
|
||||
|
||||
<h2> <a name="append_dot_mydomain"> Using backwards-compatible default
|
||||
setting append_dot_mydomain=yes</a> </h2>
|
||||
|
||||
<p> The <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a> default value has changed from "yes"
|
||||
to "no". As long as the <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a> parameter is left at
|
||||
its implicit default value, and the backwards-compatible default
|
||||
setting is turned on, Postfix may log one of the following messages:</p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Messages about missing "localhost" in <a href="postconf.5.html#mydestination">mydestination</a> or
|
||||
other address class: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/trivial-rewrite[14777]: using backwards-compatible
|
||||
default setting <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a>=yes to rewrite
|
||||
"localhost" to "localhost.example.com"; please add
|
||||
"localhost" to <a href="postconf.5.html#mydestination">mydestination</a> or other address class
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> If Postfix logs the above message, add "localhost" to
|
||||
<a href="postconf.5.html#mydestination">mydestination</a> (or <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,
|
||||
or <a href="postconf.5.html#relay_domains">relay_domains</a>) and execute the command "<b>postfix reload</b>".
|
||||
|
||||
<li> <p> Messages about incomplete domains in email addresses: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/trivial-rewrite[25835]: using backwards-compatible
|
||||
default setting <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a>=yes to rewrite "foo" to
|
||||
"foo.example.com"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> If Postfix logs the above message for domains different from
|
||||
"localhost", and the sender cannot be changed to use complete domain
|
||||
names in email addresses, then the system administrator should make
|
||||
the backwards-compatible setting "<a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a> = yes" permanent
|
||||
in <a href="postconf.5.html">main.cf</a>: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>postconf <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a>=yes</b>
|
||||
# <b>postfix reload</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2> <a name="chroot"> Using backwards-compatible default
|
||||
setting chroot=y</a> </h2>
|
||||
|
||||
<p> The <a href="master.5.html">master.cf</a> chroot default value has changed from "y" (yes)
|
||||
to "n" (no). As long as a <a href="master.5.html">master.cf</a> chroot field is left at its
|
||||
implicit default value, and the backwards-compatible default setting
|
||||
is turned on, Postfix may log the following message while it
|
||||
reads the <a href="master.5.html">master.cf</a> file: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/master[27664]: /etc/postfix/<a href="master.5.html">master.cf</a>: line 72: using
|
||||
backwards-compatible default setting chroot=y
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> If this service should remain chrooted, then the system
|
||||
administrator should make the backwards-compatible setting "chroot
|
||||
= y" permanent in <a href="master.5.html">master.cf</a>. For example, to update the chroot
|
||||
setting for the "smtp inet" service: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>postconf -F smtp/inet/chroot=y</b>
|
||||
# <b>postfix reload</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h2> <a name="mynetworks_style"> Using backwards-compatible default
|
||||
setting mynetworks_style=subnet</a> </h2>
|
||||
|
||||
<p> The <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> default value has changed from "subnet"
|
||||
to "host". This parameter is used to implement the "<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>"
|
||||
feature. As long as the <a href="postconf.5.html#mynetworks">mynetworks</a> and <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> parameters
|
||||
are left at their implicit default values, and the backwards-compatible
|
||||
default setting is turned on, the Postfix SMTP server may log one
|
||||
of the following messages: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/smtpd[17375]: using backwards-compatible default setting
|
||||
<a href="postconf.5.html#mynetworks_style">mynetworks_style</a>=subnet to permit request from client
|
||||
"foo.example.com[10.1.1.1]"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/postscreen[24982]: using backwards-compatible default
|
||||
setting <a href="postconf.5.html#mynetworks_style">mynetworks_style</a>=subnet to permit request from client
|
||||
"10.1.1.1"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> If the client request should not be rejected, then the system
|
||||
administrator should make the backwards-compatible setting
|
||||
"<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = subnet" permanent in <a href="postconf.5.html">main.cf</a>: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>postconf <a href="postconf.5.html#mynetworks_style">mynetworks_style</a>=subnet</b>
|
||||
# <b>postfix reload</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h2><a name="relay_domains"> Using backwards-compatible default
|
||||
setting relay_domains=$mydestination </a> </h2>
|
||||
|
||||
<p> The <a href="postconf.5.html#relay_domains">relay_domains</a> default value has changed from "$<a href="postconf.5.html#mydestination">mydestination</a>"
|
||||
to the empty value. As long as the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter is left
|
||||
at its implicit default value, and the backwards-compatible default
|
||||
setting is turned on, Postfix may log one of the following messages.
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Messages about accepting mail for a remote domain:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/smtpd[19052]: using backwards-compatible default setting
|
||||
<a href="postconf.5.html#relay_domains">relay_domains</a>=$<a href="postconf.5.html#mydestination">mydestination</a> to accept mail for domain
|
||||
"foo.example.com"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/smtpd[19052]: using backwards-compatible default setting
|
||||
<a href="postconf.5.html#relay_domains">relay_domains</a>=$<a href="postconf.5.html#mydestination">mydestination</a> to accept mail for address
|
||||
"user@foo.example.com"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<li> <p> Messages about providing ETRN service for a remote domain:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/smtpd[19138]: using backwards-compatible default setting
|
||||
<a href="postconf.5.html#relay_domains">relay_domains</a>=$<a href="postconf.5.html#mydestination">mydestination</a> to flush mail for domain
|
||||
"bar.example.com"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/smtp[13945]: using backwards-compatible default setting
|
||||
<a href="postconf.5.html#relay_domains">relay_domains</a>=$<a href="postconf.5.html#mydestination">mydestination</a> to update fast-flush logfile for
|
||||
domain "bar.example.com"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> If Postfix should continue to accept mail for that domain or
|
||||
continue to provide ETRN service for that domain, then the system
|
||||
administrator should make the backwards-compatible setting
|
||||
"<a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydestination">mydestination</a>" permanent in <a href="postconf.5.html">main.cf</a>: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>postconf '<a href="postconf.5.html#relay_domains">relay_domains</a>=$<a href="postconf.5.html#mydestination">mydestination</a>'</b>
|
||||
# <b>postfix reload</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Note: quotes are required as indicated above. </p>
|
||||
|
||||
<p> Instead of $<a href="postconf.5.html#mydestination">mydestination</a>, it may be better to specify an
|
||||
explicit list of domain names. </p>
|
||||
|
||||
<h2> <a name="smtputf8_enable"> Using backwards-compatible default
|
||||
setting smtputf8_enable=no</a> </h2>
|
||||
|
||||
<p> The <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> default value has changed from "no" to "yes.
|
||||
With the new "yes" setting, the Postfix SMTP server rejects non-ASCII
|
||||
addresses from clients that don't request SMTPUTF8 support. With
|
||||
the old "no" setting, Postfix will accept such addresses, even if
|
||||
such addresses are not permitted by traditional SMTP standards. </p>
|
||||
|
||||
<p> As long as the <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> parameter is left at its implicit
|
||||
default value, and the backwards-compatible default setting is
|
||||
turned on, Postfix logs a warning each time an SMTP command uses a
|
||||
non-ASCII address localpart without requesting SMTPUTF8 support: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/smtpd[27560]: using backwards-compatible default setting
|
||||
<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>=no to accept non-ASCII sender address
|
||||
"??@example.org" from localhost[127.0.0.1]
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
postfix/smtpd[27560]: using backwards-compatible default setting
|
||||
<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>=no to accept non-ASCII recipient address
|
||||
"??@example.com" from localhost[127.0.0.1]
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> If the address should not be rejected, and the client cannot
|
||||
be updated to use SMTPUTF8, then the system administrator should
|
||||
make the backwards-compatible setting "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = no" permanent
|
||||
in <a href="postconf.5.html">main.cf</a>:
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>postconf <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>=no</b>
|
||||
# <b>postfix reload</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h2> <a name="turnoff">Turning off the backwards-compatibility safety net</a> </h2>
|
||||
|
||||
<p> Backwards compatibility is turned off by updating the
|
||||
<a href="postconf.5.html#compatibility_level">compatibility_level</a> setting in <a href="postconf.5.html">main.cf</a>. </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>postconf <a href="postconf.5.html#compatibility_level">compatibility_level</a>=<i>N</i></b>
|
||||
# <b>postfix reload</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> For <i>N</i> specify the number that is logged in your <a href="postfix.1.html">postfix(1)</a>
|
||||
warning message: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
warning: To disable backwards compatibility use "postconf <a href="postconf.5.html#compatibility_level">compatibility_level</a>=<i>N</i>" and "postfix reload"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Sites that don't care about backwards compatibility may set
|
||||
"<a href="postconf.5.html#compatibility_level">compatibility_level</a> = 9999" at their own risk. </p>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
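Review bot: The mynetworks_style section offers only one remedy, making "mynetworks_style = subnet" permanent, while the relay_domains section closes by suggesting an explicit list in place of the old default. A matching sentence that points to an explicit mynetworks list for the clients named in the log would keep the two sections consistent and avoid keeping the broad old default just to admit one client. Two markup nits in the smtputf8_enable section: the first paragraph reads from "no" to "yes. with the closing quote missing, and the paragraph ending "in main.cf:" before the "postconf smtputf8_enable=no" example has no closing paragraph tag, unlike the parallel mynetworks_style and relay_domains paragraphs.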
@ -313,6 +313,15 @@ private databases are maintained by Postfix daemons. The database
|
||||
name as used in "<a href="DATABASE_README.html#types">hash</a>:table" is the database file name without the
|
||||
".db" suffix. </dd>
|
||||
|
||||
<dt> <b>inline</b> (read-only) </dt>
|
||||
|
||||
<dd> A non-shared, in-memory lookup table. Example: "<a href="DATABASE_README.html#types">inline</a>:{
|
||||
<i>key=value</i>, { <i>key = text with whitespace or comma</i> }}".
|
||||
Key-value pairs are separated by whitespace or comma; whitespace
|
||||
after "{" and before "}" is ignored. Inline tables eliminate the
|
||||
need to create a database file for just a few fixed elements. See
|
||||
also the <a href="DATABASE_README.html#types">static</a>: map type. </dd>
|
||||
|
||||
<dt> <b>internal</b> </dt>
|
||||
|
||||
<dd> A non-shared, in-memory hash table. Its content are lost when
|
||||
@ -362,6 +371,18 @@ The file format is described in <a href="pcre_table.5.html">pcre_table(5)</a>. T
|
||||
name as used in "<a href="pcre_table.5.html">pcre</a>:table" is the name of the regular expression
|
||||
file. </dd>
|
||||
|
||||
<dt> <b>pipemap</b> (read-only) </dt>
|
||||
|
||||
<dd> A pipeline of lookup tables. Example:
|
||||
"<a href="DATABASE_README.html#types">pipemap</a>:{<i>type<sub>1</sub>:name<sub>1</sub>, ...,
|
||||
type<sub>n</sub>:name<sub>n</sub></i>}". Each "<a href="DATABASE_README.html#types">pipemap</a>:" query is
|
||||
given to the first table. Each lookup result becomes the query for
|
||||
the next table in the pipeline, and the last table produces the
|
||||
final result. When any table lookup produces no result, the pipeline
|
||||
produces no result. The first and last characters of the "<a href="DATABASE_README.html#types">pipemap</a>:"
|
||||
table name must be "{" and "}". Within these, individual maps are
|
||||
separated with comma or whitespace. </dd>
|
||||
|
||||
<dt> <b>pgsql</b> (read-only) </dt>
|
||||
|
||||
<dd> PostgreSQL database client. Configuration details are given
|
||||
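Review bot: The new pipemap entry is inserted between the pcre and pgsql entries, which breaks the alphabetical order that the surrounding list follows (pcre, pgsql, proxy, randmap, regexp). Move it after the pgsql entry. The text says that a lookup with no result ends the pipeline with no result, but it does not say what happens when one of the tables returns an error; one sentence on that would help readers who put a network table in the pipeline.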
@ -373,6 +394,15 @@ in <a href="pgsql_table.5.html">pgsql_table(5)</a>. </dd>
|
||||
databases. The lookup table name syntax is "<a href="proxymap.8.html">proxy</a>:<a href="DATABASE_README.html">type:table</a>".
|
||||
</dd>
|
||||
|
||||
<dt> <b>randmap</b> (read-only) </dt>
|
||||
|
||||
<dd> An in-memory table that performs random selection. Example:
|
||||
"<a href="DATABASE_README.html#types">randmap</a>:{<i>result<sub>1</sub>. ..., result<sub>n</sub></i>}".
|
||||
Each table query returns a random choice from the specified results.
|
||||
The first and last characters of the "<a href="DATABASE_README.html#types">randmap</a>:" table name must be
|
||||
"{" and "}". Within these, individual maps are separated with comma
|
||||
or whitespace. </dd>
|
||||
|
||||
<dt> <b>regexp</b> (read-only) </dt>
|
||||
|
||||
<dd> A lookup table based on regular expressions. The file format
|
||||
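Review bot: The randmap example uses a period after the first element ("result1. ..., resultn") where the pipemap example uses a comma, and the closing sentence says "individual maps are separated with comma or whitespace" although the elements of a randmap are results, not maps. Change the period to a comma and write "individual results".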
@ -404,7 +434,9 @@ server. See <a href="socketmap_table.5.html">socketmap_table(5)</a> for details.
|
||||
|
||||
<dd> A table that always returns its name as the lookup result.
|
||||
For example, "<a href="DATABASE_README.html#types">static</a>:foobar" always returns the string "foobar" as
|
||||
lookup result. </dd>
|
||||
lookup result. Specify "<a href="DATABASE_README.html#types">static</a>:{ <i>text with whitespace</i> }"
|
||||
when the result contains whitespace; this form ignores whitespace
|
||||
after "{" and before "}". See also the <a href="DATABASE_README.html#types">inline</a>: map type. </dd>
|
||||
|
||||
<dt> <b>tcp</b> </dt>
|
||||
|
||||
@ -421,6 +453,12 @@ use the file, and that <a href="DATABASE_README.html#types">texthash</a>: does n
|
||||
file is read. The lookup table name is "<a href="DATABASE_README.html#types">texthash</a>:filename", where
|
||||
the file name is taken literally; no suffix is appended. </dd>
|
||||
|
||||
<dt> <b>unionmap</b> (read-only) </dt>
|
||||
|
||||
<dd> A table that sends each query to multiple lookup tables and
|
||||
that concatenates all found results, separated by comma. The table
|
||||
name syntax is the same as for pipemap tables. </dd>
|
||||
|
||||
<dt> <b>unix</b> (read-only) </dt>
|
||||
|
||||
<dd> A limited view of the UNIX authentication database. The following
|
||||
|
@ -554,8 +554,16 @@ by "A", each digit
|
||||
by "D" so that the helpers can still recognize syntactical errors.
|
||||
</p>
|
||||
|
||||
<li> <p> Output from "<b>postconf -n</b>". Please do not send your
|
||||
<a href="postconf.5.html">main.cf</a> file, or 500+ lines of <b>postconf</b> output. </p>
|
||||
<li> <p> Command output from:</p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> "<b>postconf -n</b>". Please do not send your <a href="postconf.5.html">main.cf</a> file,
|
||||
or 1000+ lines of <b>postconf</b> command output. </p>
|
||||
|
||||
<li> <p> "<b>postconf -Mf</b>" (Postfix 2.9 or later). </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<li> <p> Better, provide output from the <b>postfinger</b> tool.
|
||||
This can be found at <a href="http://ftp.wl0.org/SOURCES/postfinger">http://ftp.wl0.org/SOURCES/postfinger</a>. </p>
|
||||
|
@ -180,7 +180,8 @@ and is not recommended for now. </p>
|
||||
with no additional configuration, but you may want to override the
|
||||
default prime to be 2048 bits long, and you may want to regenerate
|
||||
your primes periodically. See the <a href="#quick-start">quick-start</a>
|
||||
section for details. </p>
|
||||
section for details. With Postfix ≥ 3.1 the out of the box
|
||||
(compiled-in) EDH prime size is 2048 bits. </p>
|
||||
|
||||
<p> With prime-field EDH, OpenSSL wants the server to provide
|
||||
two explicitly-selected (prime, generator) combinations. One for
|
||||
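Review bot: The added sentence states that the compiled-in EDH prime is 2048 bits with Postfix ≥ 3.1, but the sentence before it still advises, without a version qualifier, that "you may want to override the default prime to be 2048 bits long". Qualify the older advice with the versions it applies to, so the paragraph does not tell 3.1 users to override a default that is already 2048 bits.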
@ -195,7 +196,9 @@ compiled in, but also supports explicitly-configured overrides.
|
||||
"export" ciphers. To use a non-default prime, generate a 512-bit
|
||||
DH parameter file and set <a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> to the filename
|
||||
(see the <a href="#quick-start">quick-start</a> section for details).
|
||||
</p>
|
||||
With Postfix releases after the middle of 2015 the default opportunistic
|
||||
TLS cipher grade (<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>) is "medium" or stronger, and
|
||||
export ciphers are no longer used. </p>
|
||||
|
||||
<li> <p> The non-export EDH parameters are used for all other EDH
|
||||
cipher suites. To use a non-default prime, generate a 1024-bit or
|
||||
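Review bot: "Postfix releases after the middle of 2015" in the added export-cipher sentence does not let an administrator tell whether a given installation is covered. Name the release numbers or give a mail_release_date cutoff, as the MILTER_README note in this same patch does. The sentence also lands directly after the instructions for generating a 512-bit parameter file, so consider stating whether smtpd_tls_dh512_param_file still has any effect on those releases.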
@ -207,10 +210,11 @@ parameter file and the prime need not actually be 1024 bits long
|
||||
|
||||
</ul>
|
||||
|
||||
<p> It turns out that (inadvisably-patched in some Debian releases)
|
||||
Exim SMTP clients require a ≥ 2048-bit length for the non-export
|
||||
prime. See the <a href="#quick-start">quick-start</a> section for
|
||||
the recommended configuration to work around this issue. </p>
|
||||
<p> As of mid-2015, SMTP clients are starting to reject TLS
|
||||
handshakes with primes smaller than 2048 bits. Each site needs to
|
||||
determine which prime size works best for the majority of its
|
||||
clients. See the <a href="#quick-start">quick-start</a> section
|
||||
for the recommended configuration to work around this issue. </p>
|
||||
|
||||
<h3> EECDH Server support </h3>
|
||||
|
||||
@ -253,9 +257,10 @@ more curves at the desired security level without any changes to
|
||||
<h2> <a name="client_fs">Forward Secrecy in the Postfix SMTP Client</a> </h2>
|
||||
|
||||
<p> The Postfix ≥ 2.2 SMTP client supports forward secrecy in
|
||||
its default configuration. No configuration changes are needed
|
||||
besides turning on elliptic-curve support with Postfix 2.6 and 2.7
|
||||
(see the <a href="#quick-start"> quick-start</a> section). If the
|
||||
its default configuration. All supported OpenSSL releases support
|
||||
EDH key exchange. OpenSSL releases ≥ 1.0.0 also support EECDH
|
||||
key exchange (provided elliptic-curve support has not been disabled
|
||||
by the vendor as in some versions of RedHat Linux). If the
|
||||
remote SMTP server supports cipher suites with forward secrecy (and
|
||||
does not override the SMTP client's cipher preference), then the
|
||||
traffic between the server and client will resist decryption even
|
||||
@ -265,23 +270,27 @@ compromised. </p>
|
||||
<p> The default Postfix SMTP client cipher lists are correctly
|
||||
ordered to prefer EECDH and EDH cipher suites ahead of similar
|
||||
cipher suites that don't implement forward secrecy. Administrators
|
||||
are strongly discouraged from changing the cipher list definitions.
|
||||
It is likely safe to set "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = medium" if you wish
|
||||
to disable the obsolete "export" and "low" grade ciphers even with
|
||||
opportunistic TLS. Setting a minimum strength does not change the
|
||||
preference
|
||||
order. Note that strengths higher than "medium" exclude Exchange
|
||||
2003 and likely other widely used MTAs, thus "high" grade ciphers
|
||||
should only be used on a case-by-case basis via the <a
|
||||
href="TLS_README.html#client_tls_policy">TLS policy</a> table. </p>
|
||||
are strongly discouraged from changing the cipher list definitions. </p>
|
||||
|
||||
<p> The default minimum cipher grade for opportunistic TLS is
|
||||
"medium" for Postfix releases after the middle of 2015, "export"
|
||||
for older releases. Changing the minimum cipher grade does not
|
||||
change the cipher preference order. Note that cipher grades higher
|
||||
than "medium" exclude Exchange 2003 and likely other MTAs, thus a
|
||||
"high" cipher grade should be chosen only on a case-by-case basis
|
||||
via the <a href="TLS_README.html#client_tls_policy">TLS policy</a>
|
||||
table. </p>
|
||||
|
||||
<h2><a name="quick-start">Getting started, quick and dirty</a></h2>
|
||||
|
||||
<h3> EECDH Client and server support (Postfix ≥ 2.6 with OpenSSL
|
||||
≥ 1.0.0) </h3>
|
||||
<h3> EECDH Client support (Postfix ≥ 2.2 with OpenSSL ≥ 1.0.0) </h3>
|
||||
|
||||
<p> This works "out of the box" without additional configuration. </p>
|
||||
|
||||
<h3> EECDH Server support (Postfix ≥ 2.6 with OpenSSL ≥ 1.0.0) </h3>
|
||||
|
||||
<p> With Postfix 2.6 and 2.7, enable elliptic-curve support in the
|
||||
Postfix SMTP client and server. This is the default with Postfix
|
||||
Postfix SMTP server. This is the default with Postfix
|
||||
≥ 2.8. Note, however, that elliptic-curve support may be disabled
|
||||
by the vendor, as in some versions of RedHat Linux. </p>
|
||||
|
||||
@ -347,7 +356,10 @@ need to adjust the submission entry in <a href="master.5.html">master.cf</a> acc
|
||||
/etc/postfix/<a href="master.5.html">master.cf</a>:
|
||||
submission inet n - n - - smtpd
|
||||
# Some submission clients may not yet do 2048-bit EDH, if such
|
||||
# clients use your MSA, configure 1024-bit EDH instead:
|
||||
# clients use your MSA, configure 1024-bit EDH instead. However,
|
||||
# as of mid-2015, many submission clients no longer accept primes
|
||||
# with less than 2048-bits. Each site needs to determine which
|
||||
# type of client is more important to support.
|
||||
-o <a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>=${<a href="postconf.5.html#config_directory">config_directory</a>}/dh1024.pem
|
||||
-o <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>=encrypt
|
||||
-o <a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a>=yes
|
||||
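Review bot: The expanded comment now warns that many submission clients no longer accept primes below 2048 bits, yet the example still carries the active override "-o smtpd_tls_dh1024_param_file=${config_directory}/dh1024.pem", so anyone who copies the block gets 1024-bit EDH on the submission service. Consider commenting out that -o line, or saying in the comment which of the two cases the example implements. Nit: "2048-bits" should read "2048 bits".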
@ -547,8 +559,8 @@ signature. </p>
|
||||
<p> <b> Postfix SMTP server:</b> The status is never "Verified",
|
||||
because the Postfix SMTP server never verifies the remote SMTP
|
||||
client name against the names in the client certificate, and because
|
||||
the Postfix SMTP does not expect a specific fingerprint in the
|
||||
client public key or certificate. </p>
|
||||
the Postfix SMTP server does not expect a specific fingerprint in
|
||||
the client public key or certificate. </p>
|
||||
|
||||
</dd>
|
||||
|
||||
|
@ -92,10 +92,25 @@ your Postfix source tree should work: </p>
|
||||
<pre>
|
||||
% make tidy
|
||||
% make makefiles CCARGS="-I/usr/local/include -DHAS_LDAP" \
|
||||
AUXLIBS="-L/usr/local/lib -lldap -L/usr/local/lib -llber"
|
||||
<a href="LDAP_README.html">AUXLIBS_LDAP</a>="-L/usr/local/lib -lldap -L/usr/local/lib -llber"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Postfix versions before 3.0 use AUXLIBS instead of <a href="LDAP_README.html">AUXLIBS_LDAP</a>.
|
||||
With Postfix 3.0 and later, the old AUXLIBS variable still supports
|
||||
building a statically-loaded LDAP database client, but only the new
|
||||
<a href="LDAP_README.html">AUXLIBS_LDAP</a> variable supports building a dynamically-loaded or
|
||||
statically-loaded LDAP database client. </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> Failure to use the <a href="LDAP_README.html">AUXLIBS_LDAP</a> variable will defeat the purpose
|
||||
of dynamic database client loading. Every Postfix executable file
|
||||
will have LDAP database library dependencies. And that was exactly
|
||||
what dynamic database client loading was meant to avoid. </p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> On Solaris 2.x you may have to specify run-time link information,
|
||||
otherwise ld.so will not find some of the shared libraries: </p>
|
||||
|
||||
@ -103,7 +118,7 @@ otherwise ld.so will not find some of the shared libraries: </p>
|
||||
<pre>
|
||||
% make tidy
|
||||
% make makefiles CCARGS="-I/usr/local/include -DHAS_LDAP" \
|
||||
AUXLIBS="-L/usr/local/lib -R/usr/local/lib -lldap \
|
||||
<a href="LDAP_README.html">AUXLIBS_LDAP</a>="-L/usr/local/lib -R/usr/local/lib -lldap \
|
||||
-L/usr/local/lib -R/usr/local/lib -llber"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
@ -50,17 +50,33 @@ build Postfix with LMDB support, use something like: </p>
|
||||
<blockquote>
|
||||
<pre>
|
||||
% make makefiles CCARGS="-DHAS_LMDB -I/usr/local/include" \
|
||||
AUXLIBS="-L/usr/local/lib -llmdb"
|
||||
<a href="LMDB_README.html">AUXLIBS_LMDB</a>="-L/usr/local/lib -llmdb"
|
||||
% make
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Postfix versions before 3.0 use AUXLIBS instead of <a href="LMDB_README.html">AUXLIBS_LMDB</a>.
|
||||
With Postfix 3.0 and later, the old AUXLIBS variable still supports
|
||||
building a statically-loaded LMDB database client, but only the new
|
||||
<a href="LMDB_README.html">AUXLIBS_LMDB</a> variable supports building a dynamically-loaded or
|
||||
statically-loaded LMDB database client. </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> Failure to use the <a href="LMDB_README.html">AUXLIBS_LMDB</a> variable will defeat the purpose
|
||||
of dynamic database client loading. Every Postfix executable file
|
||||
will have LMDB database library dependencies. And that was exactly
|
||||
what dynamic database client loading was meant to avoid. </p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p> Solaris may need this: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
% make makefiles CCARGS="-DHAS_LMDB -I/usr/local/include" \
|
||||
AUXLIBS="-R/usr/local/lib -L/usr/local/lib -llmdb"
|
||||
<a href="LMDB_README.html">AUXLIBS_LMDB</a>="-R/usr/local/lib -L/usr/local/lib -llmdb"
|
||||
% make
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -81,7 +97,7 @@ undefined reference to `pthread_mutex_lock'
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
% make makefiles .... AUXLIBS="... -lpthread"
|
||||
% make makefiles .... <a href="LMDB_README.html">AUXLIBS_LMDB</a>="... -lpthread"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
|
@ -28,16 +28,10 @@ SMTP commands (HELO, MAIL FROM, etc.) as well as mail content
|
||||
<p> The reason for adding Milter support to Postfix is that there
|
||||
exists a large collection of applications, not only to block unwanted
|
||||
mail, but also to verify authenticity (examples: <a
|
||||
href="http://www.opendkim.org/">OpenDKIM</a>, <a
|
||||
href="http://sourceforge.net/projects/dkim-milter/">DomainKeys
|
||||
Identified Mail (DKIM)</a>, <a
|
||||
href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and
|
||||
<a href="http://sourceforge.net/projects/dk-milter/">DomainKeys</a>)
|
||||
or to digitally sign mail (examples: <a
|
||||
href="http://www.opendkim.org/">OpenDKIM</a>, <a
|
||||
href="http://sourceforge.net/projects/dkim-milter/">DomainKeys
|
||||
Identified Mail (DKIM)</a>, <a
|
||||
href="http://sourceforge.net/projects/dk-milter/">DomainKeys</a>).
|
||||
href="http://www.opendkim.org/">OpenDKIM</a> and <a
|
||||
href="http://www.trusteddomain.org/opendmarc/">DMARC </a>)
|
||||
or to digitally sign mail (example: <a
|
||||
href="http://www.opendkim.org/">OpenDKIM</a>).
|
||||
Having yet another Postfix-specific version of all that software
|
||||
is a poor use of human and system resources. </p>
|
||||
|
||||
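Review bot: The new link to http://www.trusteddomain.org/opendmarc/ is labelled "DMARC " here, with a stray space inside the anchor, while the same URL is labelled "OpenDMARC" in the libmilter hunk further down. DMARC is the mechanism and OpenDMARC the application, and this list names applications, so use "OpenDMARC" in both places.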
@ -206,17 +200,14 @@ an object library that implements the Sendmail 8 Milter protocol.
|
||||
Postfix currently does not provide such a library, but Sendmail
|
||||
does. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> The first option is to use a pre-compiled library. Some
|
||||
<p> Some
|
||||
systems install the Sendmail libmilter library by default. With
|
||||
other systems, libmilter may be provided by a package (called
|
||||
"sendmail-devel" on some Linux systems). </p>
|
||||
|
||||
<p> Once libmilter is installed, applications such as <a
|
||||
href="http://www.opendkim.org/">OpenDKIM</a>, <a
|
||||
href="http://sourceforge.net/projects/dkim-milter/">dkim-milter</a> and
|
||||
<a href="http://sourceforge.net/projects/sid-milter/">sid-milter</a>
|
||||
href="http://www.opendkim.org/">OpenDKIM</a> and
|
||||
<a href="http://www.trusteddomain.org/opendmarc/">OpenDMARC</a>
|
||||
build out of the box without requiring any tinkering:</p>
|
||||
|
||||
<blockquote>
|
||||
@ -230,44 +221,6 @@ $ <b>make install</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
$ <b>gzcat dkim-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
|
||||
$ <b>cd dkim-milter-<i>x.y.z</i></b>
|
||||
$ <b>make</b>
|
||||
[...<i>lots of output omitted</i>...]
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<li> <p> The other option is to build the libmilter library from
|
||||
Sendmail source code: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
$ <b>gzcat sendmail-<i>x.y.z</i>.tar.gz | tar xf -</b>
|
||||
$ <b>cd sendmail-<i>x.y.z</i>/libmilter</b>
|
||||
$ <b>make</b>
|
||||
[...<i>lots of output omitted</i>...]
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> After building your own libmilter library, follow the installation
|
||||
instructions in the Milter application source distribution to specify
|
||||
the location of the libmilter include files and object library.
|
||||
Typically, these settings are configured in a file named
|
||||
<tt>sid-filter/Makefile.m4</tt> or similar:
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
APPENDDEF(`confINCDIRS', `-I/some/where/sendmail-x.y.z/include')
|
||||
APPENDDEF(`confLIBDIRS', `-L/some/where/sendmail-x.y.z/obj.<i>systemtype</i>/libmilter')
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p>Then build the Milter application. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="running">Running Milter applications</a></h2>
|
||||
|
||||
<p> To run a Milter application, see the documentation of the filter
|
||||
@ -275,7 +228,7 @@ for options. A typical command looks like this:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>/some/where/dkim-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
|
||||
# <b>/some/where/opendkim -l -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
@ -285,9 +238,8 @@ applications (not "postfix", not "www", etc.). </p>
|
||||
<h2><a name="config">Configuring Postfix</a></h2>
|
||||
|
||||
<p> Like Sendmail, Postfix has a lot of configuration options that
|
||||
control how it talks to Milter applications. With the initial Postfix
|
||||
Milter protocol implementation, many options are global, that is,
|
||||
they apply to all Milter applications. Future Postfix versions may
|
||||
control how it talks to Milter applications. Besides global options
|
||||
that apply to all Milter applications, Postfix 3.0 and later
|
||||
support per-Milter timeouts, per-Milter error handling, etc. </p>
|
||||
|
||||
<p> Information in this section: </p>
|
||||
@ -304,8 +256,13 @@ support per-Milter timeouts, per-Milter error handling, etc. </p>
|
||||
|
||||
<li><a href="#timeouts">Milter protocol timeouts</a>
|
||||
|
||||
<li><a href="#per-milter">Different settings for different Milter
|
||||
applications </a>
|
||||
|
||||
<li><a href="#macros">Sendmail macro emulation</a>
|
||||
|
||||
<li><a href="#send-macros">What macros will Postfix send to Milters?</a>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3><a name="smtp-only-milters">SMTP-Only Milter applications</a></h3>
|
||||
@ -316,11 +273,12 @@ unwanted mail, and to sign mail from authorized SMTP clients. Mail
|
||||
that arrives via the Postfix <a href="smtpd.8.html">smtpd(8)</a> server is not filtered by the
|
||||
non-SMTP filters that are described in the next section. </p>
|
||||
|
||||
<p> NOTE: Do not use the <a href="header_checks.5.html">header_checks(5)</a> IGNORE action to remove
|
||||
<blockquote> NOTE for Postfix versions that have a <a href="postconf.5.html#mail_release_date">mail_release_date</a>
|
||||
before 20141018: do not use the <a href="header_checks.5.html">header_checks(5)</a> IGNORE action to remove
|
||||
Postfix's own Received: message header. This causes problems with
|
||||
mail signing filters. Instead, keep Postfix's own Received: message
|
||||
header and use the <a href="header_checks.5.html">header_checks(5)</a> REPLACE action to sanitize
|
||||
information. </p>
|
||||
information. </blockquote>
|
||||
|
||||
<p> You specify SMTP-only Milter applications (there can be more
|
||||
than one) with the <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> parameter. Each Milter application
|
||||
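Review bot: The NOTE changes from a paragraph to a blockquote with bare text directly inside it, whereas the blockquotes added elsewhere in this patch (the AUXLIBS_LDAP and AUXLIBS_LMDB warnings) wrap their text in a paragraph element. Wrap the note text the same way. The new version qualifier "mail_release_date before 20141018" would also be more useful with a few words on what changed at that date, so readers on later releases know whether the IGNORE action is now safe for Postfix's own Received: header.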
@ -426,8 +384,28 @@ commands. When a <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters<
|
||||
a recipient, Postfix will report a configuration error, and mail
|
||||
will stay in the queue. </p>
|
||||
|
||||
<p> None of this is a problem for mail filters that digitally sign
|
||||
mail. </p>
|
||||
<h4> Signing internally-generated bounce messages </h4>
|
||||
|
||||
<p> Postfix normally does not apply content filters to mail
|
||||
that is generated internally such as bounces or Postmaster
|
||||
notifications. Filtering internally-generated bounces would result
|
||||
in loss of mail when a filter rejects a message, as the resulting
|
||||
double-bounce message would almost certainly also be blocked. </p>
|
||||
|
||||
<p> To sign Postfix's own bounce messages, enable filtering of
|
||||
internally-generated bounces (line 2 below), and don't reject any
|
||||
internally-generated bounces with <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a>
|
||||
or <a href="postconf.5.html#body_checks">body_checks</a> (lines 3-5 below). </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
2 <a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> = bounce
|
||||
3 <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a> = <i>don't reject internally-generated bounces</i>
|
||||
4 <a href="postconf.5.html#header_checks">header_checks</a> = <i>don't reject internally-generated bounces</i>
|
||||
5 <a href="postconf.5.html#body_checks">body_checks</a> = <i>don't reject internally-generated bounces</i>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3><a name="errors">Milter error handling</a></h3>
|
||||
|
||||
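Review bot: Lines 3-5 of the new main.cf example put the prose "don't reject internally-generated bounces" in the value position of non_smtpd_milters, header_checks and body_checks, which reads as a literal setting to anyone copying the block. Suggest turning those three lines into comments, or showing concrete values. Since the preceding paragraph warns that a rejected bounce is lost together with its double-bounce, the section should also say how an administrator can confirm that an existing filter or check never rejects a bounce before setting internal_mail_filter_classes = bounce.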
@ -449,6 +427,9 @@ in the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>, and is availabl
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> See "<a href="#per-milter">Different settings for different
|
||||
Milter applications</a>" for advanced configuration options. </p>
|
||||
|
||||
<h3><a name="version">Milter protocol version</a></h3>
|
||||
|
||||
<p> As Postfix is not built with the Sendmail libmilter library,
|
||||
@ -499,6 +480,9 @@ number. Postfix 2.8 and later will automatically turn off protocol
|
||||
features that the application's libmilter library does not expect.
|
||||
</p>
|
||||
|
||||
<p> See "<a href="#per-milter">Different settings for different
|
||||
Milter applications</a>" for advanced configuration options. </p>
|
||||
|
||||
<h3><a name="timeouts">Milter protocol timeouts</a></h3>
|
||||
|
||||
<p> Postfix uses different time limits at different Milter protocol
|
||||
@ -532,6 +516,54 @@ too much, remote SMTP clients may hang up and mail may be delivered
|
||||
multiple times. This is an inherent problem with before-queue
|
||||
filtering. </p>
|
||||
|
||||
<p> See "<a href="#per-milter">Different settings for different
|
||||
Milter applications</a>" for advanced configuration options. </p>
|
||||
|
||||
<h3><a name="per-milter">Different settings for different Milter
|
||||
applications </a></h3>
|
||||
|
||||
<p> The previous sections list a number of Postfix <a href="postconf.5.html">main.cf</a> parameters
|
||||
that control time limits and other settings for all Postfix Milter
|
||||
clients. This is sufficient for simple configurations. With more
|
||||
complex configurations it becomes desirable to have different
|
||||
settings for different Milter clients. This is supported with Postfix
|
||||
3.0 and later. </p>
|
||||
|
||||
<p> The following example shows a "non-critical" Milter client with
|
||||
a short connect timeout, and with "accept" as default action when
|
||||
the service is unvailable. </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
2 <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> = { inet:host:port,
|
||||
3 connect_timeout=10s, default_action=accept }
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Instead of a server endpoint, we now have a list enclosed in {}. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Line 2: The first item in the list is the server endpoint.
|
||||
This supports the exact same "inet" and "unix" syntax as described
|
||||
earlier. </p>
|
||||
|
||||
<li> <p> Line 3: The remainder of the list contains per-Milter
|
||||
settings. These settings override global <a href="postconf.5.html">main.cf</a> parameters, and
|
||||
have the same name as those parameters, without the "milter_" prefix.
|
||||
The per-Milter settings that are supported as of Postfix 3.0 are
|
||||
command_timeout, connect_timeout, content_timeout, default_action,
|
||||
and protocol. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> Inside the list, syntax is similar to what we already know from
|
||||
<a href="postconf.5.html">main.cf</a>: items separated by space or comma. There is one difference:
|
||||
<b>you must enclose a setting in parentheses, as in "{ name = value
|
||||
}", if you want to have space or comma within a value or around
|
||||
"="</b>. </p>
|
||||
|
||||
<h3><a name="macros">Sendmail macro emulation</a></h3>
|
||||
|
||||
<p> Postfix emulates a limited number of Sendmail macros, as shown
|
||||
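Review bot: The per-Milter example on line 3 sets default_action=accept, and the text presents this only as suitable for a "non-critical" Milter; it should state outright that mail is accepted unfiltered whenever that Milter cannot be reached within connect_timeout=10s, so nobody applies it to a Milter that enforces policy. Two wording fixes in the same hunk: "unvailable" should be "unavailable", and "you must enclose a setting in parentheses" describes "{ name = value }", which uses braces.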
@ -632,9 +664,11 @@ With rejected recipient: "error" </td> </tr>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<h3><a name="send-macros">What macros will Postfix send to Milters?</a></h3>
|
||||
|
||||
<p> Postfix sends specific sets of macros at different Milter protocol
|
||||
stages. The sets are configured with the parameters as described
|
||||
in the table (EOH = end of headers; EOM = end of message). The
|
||||
stages. The sets are configured with the parameters as shown in the
|
||||
table below (EOH = end of headers; EOM = end of message). The
|
||||
protocol version is a number that Postfix sends at the beginning
|
||||
of the Milter protocol handshake. </p>
|
||||
|
||||
@ -678,6 +712,17 @@ TO </td> </tr>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> By default, Postfix will send only macros whose values have been
|
||||
updated with information from <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a>, from an SMTP session
|
||||
(for example; SASL login, or TLS certificates) or from a Mail delivery
|
||||
transaction (for example; queue ID, sender, or recipient). </p>
|
||||
|
||||
<p> To force a macro to be sent even when its value has not been updated,
|
||||
you may specify macro default values with the <a href="postconf.5.html#milter_macro_defaults">milter_macro_defaults</a>
|
||||
parameter. Specify zero or more <i>name=value</i> pairs separated by
|
||||
comma or whitespace; you may even specify macro names that Postfix does
|
||||
know about! </p>
|
||||
|
||||
<h2><a name="workarounds">Workarounds</a></h2>
|
||||
|
||||
<ul>
|
||||
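Review bot: The last sentence of the milter_macro_defaults paragraph, "you may even specify macro names that Postfix does know about!", appears to have lost a "not", because naming macros Postfix already knows about would not merit the "even". Please confirm the intended meaning and fix the wording. In the paragraph above it, "for example;" should take a comma rather than a semicolon (twice), and "Mail delivery transaction" does not need the capital M.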
@ -831,12 +876,6 @@ TEMPFAIL simulated RCPT TO commands. When this rule is violated,
|
||||
Postfix will report a configuration error, and mail will stay in
|
||||
the queue. </p>
|
||||
|
||||
<li> <p> Postfix currently does not apply content filters to mail
|
||||
that is forwarded or aliased internally, or to mail that is generated
|
||||
internally such as bounces or Postmaster notifications. This may
|
||||
be a problem when you want to apply a signing Milter to such mail.
|
||||
</p>
|
||||
|
||||
<li> <p> When you use the before-queue content filter for incoming
|
||||
SMTP mail (see <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>), Milter applications have access
|
||||
only to the SMTP command information; they have no access to the
|
||||
|
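Review bot: The removed Workarounds bullet covered mail "that is forwarded or aliased internally" as well as bounces and Postmaster notifications, while the new "Signing internally-generated bounce messages" section added earlier in this file addresses only internally-generated bounces. If forwarded or aliased mail still bypasses Milters, that limitation should stay documented for people who run a signing Milter. If it no longer applies, the commit message or the new section should say so.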
@ -52,23 +52,38 @@ which can be obtained from: </p>
|
||||
|
||||
<p> In order to build Postfix with mysql map support, you will need to add
|
||||
-DHAS_MYSQL and -I for the directory containing the mysql headers, and
|
||||
the mysqlclient library (and libm) to AUXLIBS, for example: </p>
|
||||
the mysqlclient library (and libm) to <a href="MYSQL_README.html">AUXLIBS_MYSQL</a>, for example: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
make -f Makefile.init makefiles \
|
||||
'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
|
||||
'AUXLIBS=-L/usr/local/mysql/lib -lmysqlclient -lz -lm'
|
||||
'<a href="MYSQL_README.html">AUXLIBS_MYSQL</a>=-L/usr/local/mysql/lib -lmysqlclient -lz -lm'
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Postfix versions before 3.0 use AUXLIBS instead of <a href="MYSQL_README.html">AUXLIBS_MYSQL</a>.
|
||||
With Postfix 3.0 and later, the old AUXLIBS variable still supports
|
||||
building a statically-loaded MySQL database client, but only the new
|
||||
<a href="MYSQL_README.html">AUXLIBS_MYSQL</a> variable supports building a dynamically-loaded or
|
||||
statically-loaded MySQL database client. </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> Failure to use the <a href="MYSQL_README.html">AUXLIBS_MYSQL</a> variable will defeat the purpose
|
||||
of dynamic database client loading. Every Postfix executable file
|
||||
will have MYSQL database library dependencies. And that was exactly
|
||||
what dynamic database client loading was meant to avoid. </p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> On Solaris, use this instead: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
make -f Makefile.init makefiles \
|
||||
'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
|
||||
'AUXLIBS=-L/usr/local/mysql/lib -R/usr/local/mysql/lib \
|
||||
'<a href="MYSQL_README.html">AUXLIBS_MYSQL</a>=-L/usr/local/mysql/lib -R/usr/local/mysql/lib \
|
||||
-lmysqlclient -lz -lm'
|
||||
</pre>
|
||||
</blockquote>
|
||||
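Review bot: The new paragraph says AUXLIBS_MYSQL "supports building a dynamically-loaded or statically-loaded MySQL database client", but both make examples in this hunk set only CCARGS and AUXLIBS_MYSQL, so the reader cannot tell which of the two the command produces or what else is needed to get the dynamically-loaded form. A pointer to the relevant INSTALL section would fix that. The warning paragraph also writes "MYSQL database library dependencies" where the rest of the hunk uses "MySQL".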
@ -115,10 +130,23 @@ table = mxaliases
|
||||
where_field = alias
|
||||
# Don't forget the leading "AND"!
|
||||
additional_conditions = AND status = 'paid'
|
||||
|
||||
# This is necessary to make UTF8 queries work for Postfix 2.11 .. 3.1,
|
||||
# and is the default setting as of Postfix 3.2,
|
||||
option_group = client
|
||||
</pre>
|
||||
|
||||
<h2>Additional notes</h2>
|
||||
|
||||
<p> Postfix 3.2 and later read <b>[client]</b> option group settings
|
||||
by default. To disable this, specify no <b>option_file</b> and
|
||||
specify "<b>option_group =</b>" (i.e. an empty value). </p>
|
||||
|
||||
<p> Postfix 3.1 and earlier don't read <b>[client]</b> option group
|
||||
settings unless a non-empty <b>option_file</b> or <b>option_group</b>
|
||||
value are specified. To enable this, specify, for example
|
||||
"<b>option_group = client</b>". </p>
|
||||
|
||||
<p> The MySQL configuration interface setup allows for multiple
|
||||
mysql databases: you can use one for a virtual table, one for an
|
||||
access table, and one for an aliases table if you want. </p>
|
||||
|
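Review bot: The "Additional notes" text says Postfix 3.2 and later read [client] option group settings by default, and that the way to disable this is to specify no option_file, yet it never names which file those settings are read from when option_file is unset. Administrators need that to know which existing client settings a lookup table will start inheriting after an upgrade. Smaller points: the new comment in the example ends with a dangling comma after "Postfix 3.2", and "option_file or option_group value are specified" should read "is specified".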
@ -15,7 +15,7 @@ COMMANDS= mailq.1.html newaliases.1.html postalias.1.html postcat.1.html \
|
||||
postqueue.1.html postsuper.1.html sendmail.1.html \
|
||||
smtp-source.1.html smtp-sink.1.html posttls-finger.1.html \
|
||||
qmqp-source.1.html qmqp-sink.1.html \
|
||||
qshape.1.html
|
||||
qshape.1.html postfix-tls.1.html
|
||||
CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \
|
||||
transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \
|
||||
cidr_table.5.html tcp_table.5.html header_checks.5.html \
|
||||
@ -26,7 +26,7 @@ CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \
|
||||
OTHER = postfix-manuals.html
|
||||
AWK = awk '{ print; if (NR == 2) print ".pl 99999\n.ll 78" }'
|
||||
MAN2HTML = man2html -t "Postfix manual - `IFS=.; set \`echo $@\`; echo \"$$1($$2)\"`"
|
||||
NROFF = GROFF_NO_SGR=1 nroff
|
||||
NROFF = LANG=C GROFF_NO_SGR=1 nroff
|
||||
|
||||
update: $(DAEMONS) $(COMMANDS) $(CONFIG) $(OTHER)
|
||||
|
||||
@ -177,6 +177,10 @@ postfix.1.html: ../src/postfix/postfix.c
|
||||
PATH=../mantools:$$PATH; \
|
||||
srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@
|
||||
|
||||
postfix-tls.1.html: ../conf/postfix-tls-script
|
||||
PATH=../mantools:$$PATH; \
|
||||
srctoman - $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@
|
||||
|
||||
postkick.1.html: ../src/postkick/postkick.c
|
||||
PATH=../mantools:$$PATH; \
|
||||
srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@
|
||||
|
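Review bot: The new postfix-tls.1.html rule calls "srctoman - $?" while the neighbouring postfix.1.html and postkick.1.html rules call "srctoman $?" without the "-" argument, and its prerequisite is ../conf/postfix-tls-script rather than a .c file. A short Makefile comment explaining why this rule passes "-" would keep the next maintainer from normalising it away.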
@ -85,6 +85,13 @@ non-default installation parameters on the command line: </p>
|
||||
script directly (<tt>% <b>sh post-install -non-interactive
|
||||
install_root...</b></tt>). </p>
|
||||
|
||||
<p> With Postfix 3.0 and later, the command "make package name=value
|
||||
..." will replace the string MAIL_VERSION in a configuration parameter
|
||||
value with the Postfix release version. Do not try to specify
|
||||
something like $<a href="postconf.5.html#mail_version">mail_version</a> on this command line. This produces
|
||||
inconsistent results with different versions of the make(1) command.
|
||||
</p>
|
||||
|
||||
<h2>Begin Security Alert</h2>
|
||||
|
||||
<p> <b> When building an archive for distribution, be sure to
|
||||
|
@ -55,25 +55,30 @@ Expressions), which can be obtained from: </p>
|
||||
<p> NOTE: pcre versions prior to 2.06 cannot be used. </p>
|
||||
|
||||
<p> In order to build Postfix with PCRE support you need to add
|
||||
-DHAS_PCRE and a -I for the PCRE include file to CCARGS, and add
|
||||
the path to the PCRE library to AUXLIBS, for example: </p>
|
||||
-DHAS_PCRE and a -I option for the PCRE include file to CCARGS, and
|
||||
add the path to the PCRE library to <a href="PCRE_README.html">AUXLIBS_PCRE</a>, for example: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
make -f Makefile.init makefiles \
|
||||
"CCARGS=-DHAS_PCRE -I/usr/local/include" \
|
||||
"AUXLIBS=-L/usr/local/lib -lpcre"
|
||||
"CCARGS=-DHAS_PCRE `pcre-config --cflags`" \
|
||||
"<a href="PCRE_README.html">AUXLIBS_PCRE</a>=`pcre-config --libs`"
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Solaris needs run-time path information too: </p>
|
||||
<p> Postfix versions before 3.0 use AUXLIBS instead of <a href="PCRE_README.html">AUXLIBS_PCRE</a>.
|
||||
With Postfix 3.0 and later, the old AUXLIBS variable still supports
|
||||
building a statically-loaded PCRE database client, but only the new
|
||||
<a href="PCRE_README.html">AUXLIBS_PCRE</a> variable supports building a dynamically-loaded or
|
||||
statically-loaded PCRE database client. </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
make -f Makefile.init makefiles \
|
||||
"CCARGS=-DHAS_PCRE -I/usr/local/include" \
|
||||
"AUXLIBS=-L/usr/local/lib -R/usr/local/lib -lpcre"
|
||||
</pre>
|
||||
|
||||
<p> Failure to use the <a href="PCRE_README.html">AUXLIBS_PCRE</a> variable will defeat the purpose
|
||||
of dynamic database client loading. Every Postfix executable file
|
||||
will have PCRE library dependencies. And that was exactly
|
||||
what dynamic database client loading was meant to avoid. </p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<h2>Things to know</h2>
|
||||
|
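Review bot: This hunk drops the "Solaris needs run-time path information too" paragraph and its -R/usr/local/lib example without a replacement, whereas the MYSQL_README change in the same patch keeps a Solaris variant with -R in AUXLIBS_MYSQL. If `pcre-config --libs` is expected to supply the run-time path on Solaris, the text should say so; otherwise keep a Solaris example using AUXLIBS_PCRE. The copied wording "PCRE database client" also reads oddly here, since the README describes PCRE as a regular-expression library.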
@ -53,10 +53,25 @@ the location of the libpq library file. </p>
|
||||
% make tidy
|
||||
% make -f Makefile.init makefiles \
|
||||
'CCARGS=-DHAS_PGSQL -I/usr/local/include/pgsql' \
|
||||
'AUXLIBS=-L/usr/local/lib -lpq'
|
||||
'<a href="PGSQL_README.html">AUXLIBS_PGSQL</a>=-L/usr/local/lib -lpq'
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Postfix versions before 3.0 use AUXLIBS instead of <a href="PGSQL_README.html">AUXLIBS_PGSQL</a>.
|
||||
With Postfix 3.0 and later, the old AUXLIBS variable still supports
|
||||
building a statically-loaded PostgreSQL database client, but only
|
||||
the new <a href="PGSQL_README.html">AUXLIBS_PGSQL</a> variable supports building a dynamically-loaded
|
||||
or statically-loaded PostgreSQL database client. </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> Failure to use the <a href="PGSQL_README.html">AUXLIBS_PGSQL</a> variable will defeat the purpose
|
||||
of dynamic database client loading. Every Postfix executable file
|
||||
will have PGSQL database library dependencies. And that was exactly
|
||||
what dynamic database client loading was meant to avoid. </p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> Then just run 'make'. </p>
|
||||
|
||||
<h2>Configuring PostgreSQL lookup tables</h2>
|
||||
|
@ -872,8 +872,8 @@ For example: </p>
|
||||
|
||||
<pre>
|
||||
/etc/postfix/dnsbl_reply:
|
||||
# Secret DNSBL name Name in <a href="postscreen.8.html">postscreen(8)</a> replies
|
||||
secret.zen.spamhaus.org zen.spamhaus.org
|
||||
# Secret DNSBL name Name in <a href="postscreen.8.html">postscreen(8)</a> replies
|
||||
secret.zen.dq.spamhaus.net zen.spamhaus.org
|
||||
</pre>
|
||||
|
||||
<p> The <a href="DATABASE_README.html#types">texthash</a>: format is similar to <a href="DATABASE_README.html#types">hash</a>: except that there is
|
||||
@ -982,16 +982,18 @@ helo/sender/recipient information, and waits for the client to
|
||||
disconnect. </p>
|
||||
|
||||
<p> When the good client comes back in a later session, it is allowed
|
||||
to talk directly to a Postfix SMTP server. See "after_220 <a
|
||||
href="#after_220">Tests after the 220 SMTP server greeting</a> above
|
||||
for limitations with AUTH and other features that clients may need.
|
||||
</p>
|
||||
to talk directly to a Postfix SMTP server. See "<a href="#after_220">Tests
|
||||
after the 220 SMTP server greeting</a>" above for limitations with
|
||||
AUTH and other features that clients may need. </p>
|
||||
|
||||
<p> An unexpected benefit from "<a href="#after_220">deep protocol
|
||||
tests</a>" is that some "good" clients don't return after the 4XX
|
||||
reply; these clients were not so good after all. Wietse enables
|
||||
"<a href="#after_220">deep protocol tests</a>" on his own internet-facing
|
||||
mail server. </p>
|
||||
reply; these clients were not so good after all. </p>
|
||||
|
||||
<p> Unfortunately, some senders will retry requests from different
|
||||
IP addresses, and may never get whitelisted. For this reason,
|
||||
Wietse stopped using "<a href="#after_220">deep protocol tests</a>"
|
||||
on his own internet-facing mail server. </p>
|
||||
|
||||
<li> <p> There is also support for permanent blacklisting and
|
||||
whitelisting; see the description of the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a>
|
||||
|
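Review bot: The added "Unfortunately, some senders will retry requests from different IP addresses" paragraph explains why the author stopped using "deep protocol tests", but the document still presents the "unexpected benefit" paragraph directly before it and gives the reader no recommendation. One closing sentence saying when enabling these tests is still reasonable, or that they are not advised on a general internet-facing server, would make the guidance usable.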
@ -34,7 +34,7 @@ mail to remote destinations when the client's IP address is in the
|
||||
|
||||
<p> SMTP clients outside the SMTP server's network need a different
|
||||
way to get "same network" privileges. To address this need, Postfix
|
||||
supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly RFC 2554). With
|
||||
supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a>). With
|
||||
this a remote SMTP client can authenticate to the Postfix SMTP
|
||||
server, and the Postfix SMTP client can authenticate to a remote
|
||||
SMTP server. Once a client is authenticated, a server can give it
|
||||
@ -1564,7 +1564,7 @@ encoded authentication information: </p>
|
||||
<p> The <strong>mmencode</strong> command is part of the metamail
|
||||
software. </p>
|
||||
|
||||
<li> <p> Using Perl <b>MIME::Base64</b>: </p>
|
||||
<li> <p> Using Perl <b>MIME::Base64</b> (from <a href="http://www.cpan.org/">http://www.cpan.org/</a>): </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
@ -1573,7 +1573,7 @@ software. </p>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> MIME::Base64 is available from <a href="http://www.cpan.org/">http://www.cpan.org/</a>. </p>
|
||||
<p> If the username or password contain "@", you must specify "\@". </p>
|
||||
|
||||
<li> <p> Using the <b>gen-auth</b> script: </p>
|
||||
|
||||
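Review bot: The new sentence "If the username or password contain "@", you must specify "\@"." replaces the CPAN pointer after the MIME::Base64 example without saying that the rule applies only to that Perl command, and a reader could apply the backslash to the other encoding methods in this list. Suggest tying it explicitly to the Perl example and giving the reason for the escape. "contain" should be "contains".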
@ -1659,6 +1659,8 @@ second part sets up the username/password information. </p>
|
||||
<pre>
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes
|
||||
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
|
||||
<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> = noanonymous
|
||||
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]
|
||||
# Alternative form:
|
||||
# <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission
|
||||
@ -1673,6 +1675,11 @@ client-side authentication. We will configure the client's username
|
||||
and password information in the second part of the example. </p>
|
||||
</li>
|
||||
|
||||
<li> <p> The <code><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></code> setting ensures
|
||||
that the connection to the remote smtp server will be encrypted, and
|
||||
<code><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a></code> removes the prohibition on
|
||||
plaintext passwords. </p>
|
||||
|
||||
<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting forces the Postfix SMTP
|
||||
to send all remote messages to the specified mail server instead
|
||||
of trying to deliver them directly to their destination. </p> </li>
|
||||
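Review bot: The new bullet says smtp_tls_security_level "ensures that the connection to the remote smtp server will be encrypted" and in the same breath that smtp_sasl_tls_security_options "removes the prohibition on plaintext passwords", but at the "encrypt" level the server certificate is not verified, so plaintext credentials are protected from passive eavesdropping only. The text should state that limit and point to the "verify" or "secure" levels for deployments that need to authenticate [mail.isp.example] before sending a password. The bullet also lacks the closing </li> that the bullets before and after it carry, and "smtp server" should be "SMTP server".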
@ -1781,7 +1788,7 @@ resort. </p>
|
||||
<pre>
|
||||
/etc/postfix/sasl_passwd:
|
||||
# Per-sender authentication; see also /etc/postfix/sender_relay.
|
||||
user1@example.com username2:password2
|
||||
user1@example.com username1:password1
|
||||
user2@example.net username2:password2
|
||||
# Login information for the default <a href="postconf.5.html#relayhost">relayhost</a>.
|
||||
[mail.isp.example] username:password
|
||||
|
@ -202,6 +202,7 @@ described in the <a href="postconf.5.html">postconf(5)</a> manual page. </p>
|
||||
# (available with Postfix 2.10 and later).
|
||||
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
|
||||
<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> zen.spamhaus.org,
|
||||
<a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a> dbl.spamhaus.org,
|
||||
<a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> dbl.spamhaus.org,
|
||||
<a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> dbl.spamhaus.org
|
||||
|
||||
@ -214,7 +215,7 @@ described in the <a href="postconf.5.html">postconf(5)</a> manual page. </p>
|
||||
|
||||
<p> Each restriction list is evaluated from left to right until
|
||||
some restriction produces a result of PERMIT, REJECT or DEFER (try
|
||||
again later). The end of the list is equivalent to a PERMIT result.
|
||||
again later). The end of each list is equivalent to a PERMIT result.
|
||||
By placing a PERMIT restriction before a REJECT restriction you
|
||||
can make exceptions for specific clients or users. This is called
|
||||
whitelisting; the fourth example above allows mail from local
|
||||
|
@ -47,7 +47,9 @@ multiple times, for up to $<a href="postconf.5.html#max_use">max_use</a> incomin
|
||||
|
||||
<li><a href="#protocol">Policy protocol description</a>
|
||||
|
||||
<li><a href="#client_config">Policy client/server configuration</a>
|
||||
<li><a href="#client_config">Simple policy client/server configuration</a>
|
||||
|
||||
<li><a href="#advanced">Advanced policy client configuration</a>
|
||||
|
||||
<li><a href="#greylist">Example: greylist policy server</a>
|
||||
|
||||
@ -104,6 +106,10 @@ etrn_domain=
|
||||
stress=
|
||||
<b>Postfix version 2.9 and later:</b>
|
||||
ccert_pubkey_fingerprint=68:B3:29:DA:98:93:E3:40:99:C7:D8:AD:5C:B9:C9:40
|
||||
<b>Postfix version 3.0 and later:</b>
|
||||
client_port=1234
|
||||
<b>Postfix version 3.1 and later:</b>
|
||||
policy_context=submission
|
||||
[empty line]
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -191,6 +197,10 @@ ccert_pubkey_fingerprint=68:B3:29:DA:98:93:E3:40:99:C7:D8:AD:5C:B9:C9:40
|
||||
<li> <p> The "stress" attribute is either empty or "yes". See
|
||||
the <a href="STRESS_README.html">STRESS_README</a> document for further information. </p>
|
||||
|
||||
<li> <p> The "policy_context" attribute provides a way to pass
|
||||
information that is not available via other attributes (Postfix
|
||||
version 3.1 and later). </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> The following is specific to SMTPD delegated policy requests:
|
||||
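Review bot: The new "policy_context" bullet says only that the attribute "provides a way to pass information that is not available via other attributes", which tells a policy server author neither who sets the value nor whether it can be influenced by the remote client. Suggest linking to smtpd_policy_service_policy_context, which this patch documents further down as the source of the value, and stating that it comes from the Postfix configuration.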
@ -227,7 +237,7 @@ the request permanently. </p>
|
||||
Instead the server must log a warning and disconnect. Postfix will
|
||||
retry the request at some later time. </p>
|
||||
|
||||
<h2><a name="client_config">Policy client/server configuration</a></h2>
|
||||
<h2><a name="client_config">Simple policy client/server configuration</a></h2>
|
||||
|
||||
<p> The Postfix delegated policy client can connect to a TCP socket
|
||||
or to a UNIX-domain socket. Examples: </p>
|
||||
@ -264,6 +274,7 @@ daemon, you would use something like this: </p>
|
||||
9 <a href="postconf.5.html#check_policy_service">check_policy_service</a> unix:private/policy
|
||||
10 ...
|
||||
11 <a href="postconf.5.html#transport_time_limit">policy_time_limit</a> = 3600
|
||||
12 # <a href="postconf.5.html#smtpd_policy_service_request_limit">smtpd_policy_service_request_limit</a> = 1
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
@ -303,6 +314,10 @@ of a <a href="master.5.html">master.cf</a> service name (in the above example, "
|
||||
built-in suffix (in the above example: "_time_limit"). </p>
|
||||
</blockquote>
|
||||
|
||||
<li> <p> Line 12: specify <a href="postconf.5.html#smtpd_policy_service_request_limit">smtpd_policy_service_request_limit</a> to
|
||||
avoid error-recovery delays with policy servers that cannot
|
||||
maintain a persistent connection. </p>
|
||||
|
||||
<li> <p> With Solaris < 9, or Postfix < 2.10 on any Solaris
|
||||
version, use TCP sockets instead of UNIX-domain sockets: </p>
|
||||
|
||||
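Review bot: The added text "Line 12: specify smtpd_policy_service_request_limit to avoid error-recovery delays" refers to a line that the example ships commented out ("12 # smtpd_policy_service_request_limit = 1"), so following the example verbatim leaves the limit at its default. Suggest wording the bullet as "uncomment line 12 when the policy server cannot maintain a persistent connection", and apply the same wording to the matching bullet in the greylist section.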
@ -321,14 +336,20 @@ version, use TCP sockets instead of UNIX-domain sockets: </p>
|
||||
9 <a href="postconf.5.html#check_policy_service">check_policy_service</a> inet:127.0.0.1:9998
|
||||
10 ...
|
||||
11 127.0.0.1:9998_time_limit = 3600
|
||||
12 # <a href="postconf.5.html#smtpd_policy_service_request_limit">smtpd_policy_service_request_limit</a> = 1
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Other configuration parameters that control the client side of
|
||||
the policy delegation protocol: </p>
|
||||
<p> Configuration parameters that control the client side of the
|
||||
policy delegation protocol: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> <a href="postconf.5.html#smtpd_policy_service_default_action">smtpd_policy_service_default_action</a> (default: 451 4.3.5
|
||||
Server configuration problem): The default action when an SMTPD
|
||||
policy service request fails. Available with Postfix 3.0 and
|
||||
later. </p>
|
||||
|
||||
<li> <p> <a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (default: 300s): The amount
|
||||
of time before the Postfix SMTP server closes an unused policy
|
||||
client connection. </p>
|
||||
@ -337,11 +358,104 @@ client connection. </p>
|
||||
of time before the Postfix SMTP server closes an active policy
|
||||
client connection. </p>
|
||||
|
||||
<li> <p> <a href="postconf.5.html#smtpd_policy_service_request_limit">smtpd_policy_service_request_limit</a> (default: 0): The maximal
|
||||
number of requests per policy connection, or zero (no limit).
|
||||
Available with Postfix 3.0 and later. </p>
|
||||
|
||||
<li> <p> <a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (default: 100s): The time
|
||||
limit to connect to, send to or receive from a policy server. </p>
|
||||
|
||||
<li> <p> <a href="postconf.5.html#smtpd_policy_service_try_limit">smtpd_policy_service_try_limit</a> (default: 2): The maximal
|
||||
number of attempts to send an SMTPD policy service request before
|
||||
giving up. Available with Postfix 3.0 and later. </p>
|
||||
|
||||
<li> <p> <a href="postconf.5.html#smtpd_policy_service_retry_delay">smtpd_policy_service_retry_delay</a> (default: 1s): The delay
|
||||
between attempts to resend a failed SMTPD policy service request.
|
||||
Available with Postfix 3.0 and later. </p>
|
||||
|
||||
<li> <p> <a href="postconf.5.html#smtpd_policy_service_policy_context">smtpd_policy_service_policy_context</a> (default: empty):
|
||||
Optional information that is passed in the "policy_context" attribute
|
||||
of an SMTPD policy service request (originally, to share the same
|
||||
SMTPD service endpoint among multiple <a href="postconf.5.html#check_policy_service">check_policy_service</a> clients).
|
||||
Available with Postfix 3.1 and later. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> Configuration parameters that control the server side of the
|
||||
policy delegation protocol: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> <a href="postconf.5.html#transport_time_limit"><i>transport</i>_time_limit</a> ($<a href="postconf.5.html#command_time_limit">command_time_limit</a>): The
|
||||
maximal amount of time the policy daemon is allowed to run before
|
||||
it is terminated. The <i>transport</i> is the service name of the
|
||||
<a href="master.5.html">master.cf</a> entry for the policy daemon service. In the above
|
||||
examples, the service name is "policy" or "127.0.0.1:9998". </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="advanced">Advanced policy client configuration</a></h2>
|
||||
|
||||
<p> The previous section lists a number of Postfix <a href="postconf.5.html">main.cf</a> parameters
|
||||
that control time limits and other settings for all policy clients.
|
||||
This is sufficient for simple configurations. With more complex
|
||||
configurations it becomes desirable to have different settings per
|
||||
policy client. This is supported with Postfix 3.0 and later. </p>
|
||||
|
||||
<p> The following example shows a "non-critical" policy service
|
||||
with a short timeout, and with "DUNNO" as default action when the
|
||||
service is unvailable. The "DUNNO" action causes Postfix to ignore
|
||||
the result. </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
2 <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
|
||||
3 ...
|
||||
4 <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
|
||||
5 <a href="postconf.5.html#check_policy_service">check_policy_service</a> { inet:host:port,
|
||||
6 timeout=10s, default_action=DUNNO }
|
||||
8 ...
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Instead of a server endpoint, we now have a list enclosed in {}. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Line 5: The first item in the list is the server endpoint.
|
||||
This supports the exact same "inet" and "unix" syntax as described
|
||||
earlier. </p>
|
||||
|
||||
<li> <p> Line 6: The remainder of the list contains per-client
|
||||
settings. These settings override global <a href="postconf.5.html">main.cf</a> parameters,
|
||||
and have the same name as those parameters, without the
|
||||
"smtpd_policy_service_" prefix. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> Inside the list, syntax is similar to what we already know from
|
||||
<a href="postconf.5.html">main.cf</a>: items separated by space or comma. There is one difference:
|
||||
<b>you must enclose a setting in parentheses, as in "{ name = value
|
||||
}", if you want to have space or comma within a value or around
|
||||
"="</b>. This comes in handy when different policy servers require
|
||||
different default actions with different SMTP status codes or text:
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
2 <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
|
||||
3 ...
|
||||
4 <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
|
||||
5 <a href="postconf.5.html#check_policy_service">check_policy_service</a> {
|
||||
6 inet:host:port1,
|
||||
7 { default_action = 451 4.3.5 See <a href="http://www.example.com/support1">http://www.example.com/support1</a> }
|
||||
8 }
|
||||
9 ...
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<h2><a name="greylist">Example: greylist policy server</a></h2>
|
||||
|
||||
<p> Greylisting is a defense against junk email that is described at
|
||||
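Review bot: The first "Advanced policy client configuration" example sets default_action=DUNNO with timeout=10s, and the text says only that DUNNO "causes Postfix to ignore the result"; it should state plainly that any check this policy service performs is skipped whenever the service is slow or down, so the setting is suitable only where that outcome is acceptable. Other points in this hunk: "unvailable" should be "unavailable", "you must enclose a setting in parentheses" describes "{ name = value }", which uses braces, and the line numbers in the first example jump from 6 to 8.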
@ -413,6 +527,7 @@ processes only: </p>
|
||||
9 <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
|
||||
10 <a href="postconf.5.html#check_policy_service">check_policy_service</a> unix:private/greylist
|
||||
11 ...
|
||||
12 # <a href="postconf.5.html#smtpd_policy_service_request_limit">smtpd_policy_service_request_limit</a> = 1
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
@ -451,6 +566,10 @@ of a <a href="master.5.html">master.cf</a> service name (in the above example, "
|
||||
a built-in suffix (in the above example: "_time_limit"). </p>
|
||||
</blockquote>
|
||||
|
||||
<li> <p> Line 12: specify <a href="postconf.5.html#smtpd_policy_service_request_limit">smtpd_policy_service_request_limit</a> to
|
||||
avoid error-recovery delays with policy servers that cannot
|
||||
maintain a persistent connection. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> With Solaris < 9, or Postfix < 2.10 on any Solaris
|
||||
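Review bot: The new "Line 12" item says to "specify smtpd_policy_service_request_limit", but in the example line 12 is commented out ("# smtpd_policy_service_request_limit = 1") and follows the "..." that continues the smtpd_recipient_restrictions list. The text should say that the line has to be uncommented to take effect and that it is a separate main.cf parameter, not an entry in the restriction list. The inet:127.0.0.1:9998 example gets the same line 12 and needs the same clarification.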
@ -471,6 +590,7 @@ client/server configuration</a>" section above. </p>
|
||||
9 <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
|
||||
10 <a href="postconf.5.html#check_policy_service">check_policy_service</a> inet:127.0.0.1:9998
|
||||
11 ...
|
||||
12 # <a href="postconf.5.html#smtpd_policy_service_request_limit">smtpd_policy_service_request_limit</a> = 1
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
|
@ -199,8 +199,8 @@ usual. </p>
|
||||
<p> The content filter itself is not described here. You can use
|
||||
any filter that is SMTP enabled. For non-SMTP capable content
|
||||
filtering software, Bennett Todd's SMTP proxy implements a nice
|
||||
PERL/SMTP content filtering framework. See:
|
||||
<a href="http://bent.latency.net/smtpprox/">http://bent.latency.net/smtpprox/</a>. </p>
|
||||
Perl-based framework. See: <a href="http://bent.latency.net/smtpprox/">http://bent.latency.net/smtpprox/</a> or
|
||||
https://github.com/jnorell/smtpprox.</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
|
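Review bot: The added https://github.com/jnorell/smtpprox URL is plain text, while the bent.latency.net URL in the same sentence is wrapped in an <a href> element, and the sentence-ending period is fused to the new URL ("smtpprox.</p>"). Suggest linking the second URL the same way and keeping the period outside the link target so that copy and paste yields a working address.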
369
external/ibm-public/postfix/dist/html/SMTPUTF8_README.html
vendored
Normal file
@ -0,0 +1,369 @@
|
||||
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
|
||||
"http://www.w3.org/TR/html4/loose.dtd">
|
||||
|
||||
<html>
|
||||
|
||||
<head>
|
||||
|
||||
<title>Postfix SMTPUTF8 support</title>
|
||||
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">
|
||||
Postfix SMTPUTF8 support
|
||||
</h1>
|
||||
|
||||
<hr>
|
||||
|
||||
<h2> Overview </h2>
|
||||
|
||||
<p> This document describes Postfix support for Email Address
|
||||
Internationalization (EAI) as defined in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (SMTPUTF8 extension),
|
||||
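Review bot: The added list item describes smtp_tls_security_level only as ensuring that the connection "will be encrypted" and smtp_sasl_tls_security_options only as something that "removes the prohibition on plaintext passwords"; it does not say whether the relay host's certificate is checked. Because the two settings together send plaintext credentials over that TLS session, the item should state what "encrypt" does and does not guarantee about the server's identity and refer to the TLS documentation for readers who need server authentication. Also, "remote smtp server" should be "remote SMTP server", and the following context item reads "forces the Postfix SMTP to send" where "SMTP client" appears to be meant.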
<a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized email headers) and <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized
|
||||
delivery status notifications). Introduced with Postfix version
|
||||
3.0, this fully supports UTF-8 email addresses and UTF-8 message
|
||||
header values. </p>
|
||||
|
||||
<p> Topics covered in this document: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li><a href="#building">Building with/without SMTPUTF8 support</a>
|
||||
|
||||
<li><a href="#enabling">Enabling Postfix SMTPUTF8 support</a>
|
||||
|
||||
<li><a href="#using">Using Postfix SMTPUTF8 support</a>
|
||||
|
||||
<li><a href="#detecting">SMTPUTF8 autodetection</a>
|
||||
|
||||
<li><a href="#limitations">Limitations of the current implementation</a>
|
||||
|
||||
<li><a href="#compatibility">Compatibility with pre-SMTPUTF8 environments</a>
|
||||
|
||||
<li><a href="#credits">Credits</a>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2> <a name="building">Building Postfix with/without SMTPUTF8 support</a> </h2>
|
||||
|
||||
<p> Postfix will build with SMTPUTF8 support if the ICU library and
|
||||
header files are installed on the system. The package name varies
|
||||
with the OS distribution (and version). The table shows package
|
||||
names for a number of platforms at the time this text was written.
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table border="1">
|
||||
|
||||
<tr> <th> OS Distribution </th> <th> Package </th> </tr>
|
||||
|
||||
<tr> <td> FreeBSD, NetBSD, etc. </td> <td> icu </td> </tr>
|
||||
|
||||
<tr> <td> Centos, Fedora, RHEL </td> <td> libicu-devel </td> </tr>
|
||||
|
||||
<tr> <td> Debian, Ubuntu </td> <td> libicu-dev </td> </tr>
|
||||
|
||||
</table>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> To force Postfix to build without SMTPUTF8, specify: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
$ <b>make makefiles CCARGS="-DNO_EAI ..."</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> See the <a href="INSTALL.html">INSTALL</a> document for more "make makefiles" options. </p>
|
||||
|
||||
<h2> <a name="enabling">Enabling Postfix SMTPUTF8 support</a> </h2>
|
||||
|
||||
<p> There is more to SMTPUTF8 than just Postfix itself. The rest
|
||||
of your email infrastructure also needs to be able to handle UTF-8
|
||||
email addresses and message header values. This includes SMTPUTF8
|
||||
protocol support in SMTP-based content filters (Amavisd), LMTP
|
||||
servers (Dovecot), and down-stream SMTP servers. </p>
|
||||
|
||||
<p> Postfix SMTPUTF8 support is enabled by default, but it may be
|
||||
disabled as part of a backwards-compatibility safety net (see the
|
||||
<a href="COMPATIBILITY_README.html">COMPATIBILITY_README</a> file). </p>
|
||||
|
||||
<p> SMTPUTF8 support is enabled by setting the <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>
|
||||
parameter in <a href="postconf.5.html">main.cf</a>:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>postconf "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes"</b>
|
||||
# <b>postfix reload</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> With SMTPUTF8 support enabled, Postfix changes behavior with
|
||||
respect to earlier Postfix releases: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> UTF-8 is permitted in the <a href="postconf.5.html#myorigin">myorigin</a> parameter value. However,
|
||||
the <a href="postconf.5.html#myhostname">myhostname</a> and <a href="postconf.5.html#mydomain">mydomain</a> parameters must currently specify
|
||||
ASCII-only domain names. This limitation may be removed later. </p>
|
||||
|
||||
<li> <p> UTF-8 is the only form of non-ASCII text that Postfix
|
||||
supports in access tables, address rewriting tables, and other
|
||||
tables that are indexed with an email address, hostname, or domain
|
||||
name. </p>
|
||||
|
||||
<li> <p> The <a href="postconf.5.html#header_checks">header_checks</a>-like and <a href="postconf.5.html#body_checks">body_checks</a>-like features are
|
||||
not UTF-8 enabled, and therefore they do not enforce UTF-8 syntax
|
||||
rules on inputs and outputs. The reason is that non-ASCII text may
|
||||
be sent in encodings other than UTF-8, and that real email sometimes
|
||||
contains malformed headers. Instead of skipping non-UTF-8 content,
|
||||
Postfix should be able to filter it. You may try to enable UTF-8
|
||||
processing by starting a PCRE pattern with the sequence (*UTF8),
|
||||
but this is will result in "message not accepted, try again later"
|
||||
errors when the PCRE pattern matcher encounters non-UTF-8 input.
|
||||
Other features that are not UTF-8 enabled are <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>,
|
||||
<a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a>, the *_delivery_status_filter features, and the
|
||||
*_dns_reply_filter features (the latter because DNS is by definition
|
||||
an ASCII protocol). </p>
|
||||
|
||||
<li> <p> The Postfix SMTP server announces SMTPUTF8 support in the
|
||||
EHLO response. </p>
|
||||
|
||||
<pre>
|
||||
220 server.example.com ESMTP Postfix
|
||||
<b>EHLO client.example.com</b>
|
||||
250-server.example.com
|
||||
250-PIPELINING
|
||||
250-SIZE 10240000
|
||||
250-VRFY
|
||||
250-ETRN
|
||||
250-STARTTLS
|
||||
250-AUTH PLAIN LOGIN
|
||||
250-ENHANCEDSTATUSCODES
|
||||
250-8BITMIME
|
||||
250-DSN
|
||||
250 SMTPUTF8
|
||||
</pre>
|
||||
|
||||
<li> <p> The Postfix SMTP server accepts the SMTPUTF8 request in
|
||||
MAIL FROM and VRFY commands. </p>
|
||||
|
||||
<pre>
|
||||
<b>MAIL FROM:<address> SMTPUTF8 ...</b>
|
||||
|
||||
<b>VRFY address SMTPUTF8</b>
|
||||
</pre>
|
||||
|
||||
<li> <p> The Postfix SMTP client may issue the SMTPUTF8 request in
|
||||
MAIL FROM commands. </p>
|
||||
|
||||
<li> <p> The Postfix SMTP server accepts UTF-8 in email address
|
||||
domains, but only after the remote SMTP client issues the
|
||||
SMTPUTF8 request in MAIL FROM or VRFY commands. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> Postfix already permitted UTF-8 in message header values
|
||||
and in address localparts. This does not change. </p>
|
||||
|
||||
<h2> <a name="using">Using Postfix SMTPUTF8 support</a> </h2>
|
||||
|
||||
<p> After Postfix SMTPUTF8 support is turned on, Postfix behavior
|
||||
will depend on 1) whether a remote SMTP client requests SMTPUTF8
|
||||
support, 2) the presence of UTF-8 content in the message envelope
|
||||
and headers, and 3) whether a down-stream SMTP (or LMTP) server
|
||||
announces SMTPUTF8 support. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> When the Postfix SMTP server receives a message WITHOUT
|
||||
the SMTPUTF8 request, Postfix handles the message as it has always
|
||||
done (at least that is the default, see autodetection below).
|
||||
Specifically, the Postfix SMTP server does not accept UTF-8 in the
|
||||
envelope sender domain name or envelope recipient domain name, and
|
||||
the Postfix SMTP client does not issue the SMTPUTF8 request when
|
||||
delivering that message to an SMTP or LMTP server that announces
|
||||
SMTPUTF8 support (again, that is the default). Postfix will accept
|
||||
UTF-8 in message header values and in the localpart of envelope
|
||||
sender and recipient addresses, because it has always done that.
|
||||
</p>
|
||||
|
||||
<li> <p> When the Postfix SMTP server receives a message WITH the
|
||||
SMTPUTF8 request, Postfix will issue the SMTPUTF8 request when
|
||||
delivering that message to an SMTP or LMTP server that announces
|
||||
SMTPUTF8 support. This is not configurable. </p>
|
||||
|
||||
<li> <p> When a message is received with the SMTPUTF8 request,
|
||||
Postfix will deliver the message to a non-SMTPUTF8 SMTP or LMTP
|
||||
server ONLY if: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> No message header value contains UTF-8. </p>
|
||||
|
||||
<li> <p> The envelope sender address contains no UTF-8, </p>
|
||||
|
||||
<li> <p> No envelope recipient address for that specific
|
||||
SMTP/LMTP delivery transaction contains UTF-8. </p>
|
||||
|
||||
<blockquote> <p> NOTE: Recipients in other email delivery
|
||||
transactions for that same message may still contain UTF-8.
|
||||
</p> </blockquote>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> Otherwise, Postfix will return the recipient(s) for that
|
||||
email delivery transaction as undeliverable. The delivery status
|
||||
notification message will be an SMTPUTF8 message. It will therefore
|
||||
be subject to the same restrictions as email that is received
|
||||
with the SMTPUTF8 request. </p>
|
||||
|
||||
<li> <p> When the Postfix SMTP server receives a message with the
|
||||
SMTPUTF8 request, that request also applies after the message is
|
||||
forwarded via a virtual or local alias, or $HOME/.forward file.
|
||||
</p>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2> <a name="detecting">SMTPUTF8 autodetection</a> </h2>
|
||||
|
||||
<p> This section applies only to systems that have SMTPUTF8 support
|
||||
turned on (<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes). </p>
|
||||
|
||||
<p> For compatibility with pre-SMTPUTF8 environments, Postfix does
|
||||
not automatically set the "SMTPUTF8 requested" flag on messages
|
||||
from non-SMTPUTF8 clients that contain an UTF-8 header value or
|
||||
UTF-8 address localpart. This would make such messages undeliverable
|
||||
to non-SMTPUTF8 servers, and could be a barrier to SMTPUTF8 adoption.
|
||||
</p>
|
||||
|
||||
<p> By default, Postfix sets the "SMTPUTF8 requested" flag only on
|
||||
address verification probes and on Postfix sendmail submissions
|
||||
that contain UTF-8 in the sender address, UTF-8 in a recipient
|
||||
address, or UTF-8 in a message header value. </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> = sendmail, verify
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> However, if you have a non-ASCII <a href="postconf.5.html#myorigin">myorigin</a> or <a href="postconf.5.html#mydomain">mydomain</a> setting,
|
||||
or if you have a configuration that introduces UTF-8 addresses with
|
||||
virtual aliases, canonical mappings, or BCC mappings, then you may
|
||||
have to apply SMTPUTF8 autodetection to all email: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> = all
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> This will, of course, also flag email that was received without
|
||||
SMTPUTF8 request, but that contains UTF-8 in a sender address
|
||||
localpart, receiver address localpart, or message header value.
|
||||
Such email was not standards-compliant, but Postfix would have
|
||||
delivered it if SMTPUTF8 support was disabled. </p>
|
||||
|
||||
<h2> <a name="limitations">Limitations of the current implementation</a>
|
||||
</h2>
|
||||
|
||||
<p> The Postfix implementation is a work in progress; limitations
|
||||
are steadily being removed. The text below describes the situation
|
||||
at one point in time. </p>
|
||||
|
||||
<h3> No automatic conversions between ASCII and UTF-8 domain names. </h3>
|
||||
|
||||
<p> Some background: According to <a href="http://tools.ietf.org/html/rfc6530">RFC 6530</a> and related documents,
|
||||
an internationalized domain name can appear in two forms: the UTF-8
|
||||
form, and the ASCII (xn--mumble) form. An internationalized address
|
||||
localpart must be encoded in UTF-8; the RFCs do not define an ASCII
|
||||
alternative form. </p>
|
||||
|
||||
<p> Postfix currently does not convert internationalized domain
|
||||
names from UTF-8 into ASCII (or from ASCII into UTF-8) before using
|
||||
domain names in SMTP commands and responses, before looking up
|
||||
domain names in lists such as <a href="postconf.5.html#mydestination">mydestination</a>, <a href="postconf.5.html#relay_domains">relay_domains</a> or in
|
||||
lookup tables such as access tables, etc., before using domain names
|
||||
in a policy daemon or Milter request, or before logging events.
|
||||
</p>
|
||||
|
||||
<p> Postfix does, however, casefold domain names and email addresses
|
||||
before matching them against a Postfix configuration parameter or
|
||||
lookup table. </p>
|
||||
|
||||
<p> In order to use Postfix SMTPUTF8 support: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> The Postfix parameters <a href="postconf.5.html#myhostname">myhostname</a> and <a href="postconf.5.html#mydomain">mydomain</a> must be in
|
||||
ASCII form. One is a substring of the other, and the <a href="postconf.5.html#myhostname">myhostname</a>
|
||||
value is used in SMTP commands and responses that require ASCII.
|
||||
The parameter <a href="postconf.5.html#myorigin">myorigin</a> (added to local addresses without domain)
|
||||
supports UTF-8. </p>
|
||||
|
||||
<li> <p> You need to configure both the ASCII and UTF-8 forms of
|
||||
an Internationalized domain name in Postfix parameters such as
|
||||
<a href="postconf.5.html#mydestination">mydestination</a> and <a href="postconf.5.html#relay_domains">relay_domains</a>, as well as lookup table search
|
||||
keys. </p>
|
||||
|
||||
<li> <p> Milters, content filters, policy servers and logfile
|
||||
analysis tools need to be able to handle both the ASCII and UTF-8
|
||||
forms of Internationalized domain names. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2> <a name="compatibility">Compatibility with pre-SMTPUTF8
|
||||
environments</a> </h2>
|
||||
|
||||
<h3> Mailing lists with UTF-8 and non-UTF-8 subscribers </h3>
|
||||
|
||||
<p> With Postfix, there is no need to split mailing lists into UTF-8 and
|
||||
non-UTF-8 members. Postfix will try to deliver the non-UTF8 subscribers
|
||||
over "traditional" non-SMTPUTF8 sessions, as long as the message
|
||||
has an ASCII envelope sender address and all-ASCII header values.
|
||||
The mailing list manager may have to apply <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a> encoding to
|
||||
satisfy that last condition. </p>
|
||||
|
||||
<h3> Pre-existing non-ASCII email flows </h3>
|
||||
|
||||
<p> With "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = no", Postfix handles email with non-ASCII
|
||||
in address localparts (and in headers) as before. The vast majority
|
||||
of email software is perfectly capable of handling such email, even
|
||||
if pre-SMTPUTF8 standards do not support such practice. </p>
|
||||
|
||||
<p> However, when you specify "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes", Postfix
|
||||
requires that non-ASCII address information is encoded in UTF-8 and
|
||||
will reject other encodings such as ISO-8859. It is not practical
|
||||
for Postfix to support multiple encodings at the same time. There
|
||||
is no problem with <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a> encodings such as "=?ISO-8859-1?Q?text?=",
|
||||
because those use only characters from the ASCII characterset. </p>
|
||||
|
||||
<h2> <a name="credits">Credits</a> </h2>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> May 15, 2014: Arnt Gulbrandsen posted his patch for Unicode
|
||||
email support. This work was sponsored by CNNIC. </p>
|
||||
|
||||
<li> <p> July 15, 2014: Wietse integrated Arnt Gulbrandsen's code
|
||||
and released Postfix with SMTPUTF8 support. </p>
|
||||
|
||||
<li> <p> January 2015: Wietse added UTF-8 support for casefolding
|
||||
in Postfix lookup tables and caseless string comparison in Postfix
|
||||
list-based features. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
@ -248,6 +248,8 @@ second part sets up the username/password information. </p>
|
||||
<pre>
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes
|
||||
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
|
||||
<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> = noanonymous
|
||||
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]
|
||||
# Alternative form:
|
||||
# <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission
|
||||
@ -262,6 +264,11 @@ client-side authentication. We will configure the client's username
|
||||
and password information in the second part of the example. </p>
|
||||
</li>
|
||||
|
||||
<li> <p> The <code><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></code> setting ensures
|
||||
that the connection to the remote smtp server will be encrypted, and
|
||||
<code><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a></code> removes the prohibition on
|
||||
plaintext passwords. </p>
|
||||
|
||||
<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting forces the Postfix SMTP
|
||||
to send all remote messages to the specified mail server instead
|
||||
of trying to deliver them directly to their destination. </p> </li>
|
||||
@ -370,7 +377,7 @@ resort. </p>
|
||||
<pre>
|
||||
/etc/postfix/sasl_passwd:
|
||||
# Per-sender authentication; see also /etc/postfix/sender_relay.
|
||||
user1@example.com username2:password2
|
||||
user1@example.com username1:password1
|
||||
user2@example.net username2:password2
|
||||
# Login information for the default <a href="postconf.5.html#relayhost">relayhost</a>.
|
||||
[mail.isp.example] username:password
|
||||
|
@ -44,10 +44,25 @@ name of the standard POSIX thread library (pthread). For example:
|
||||
<pre>
|
||||
make -f Makefile.init makefiles \
|
||||
'CCARGS=-DHAS_SQLITE -I/usr/local/include' \
|
||||
'AUXLIBS=-L/usr/local/lib -lsqlite3 -lpthread'
|
||||
'<a href="SQLITE_README.html">AUXLIBS_SQLITE</a>=-L/usr/local/lib -lsqlite3 -lpthread'
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Postfix versions before 3.0 use AUXLIBS instead of <a href="SQLITE_README.html">AUXLIBS_SQLITE</a>.
|
||||
With Postfix 3.0 and later, the old AUXLIBS variable still supports
|
||||
building a statically-loaded SQLite database client, but only the new
|
||||
<a href="SQLITE_README.html">AUXLIBS_SQLITE</a> variable supports building a dynamically-loaded or
|
||||
statically-loaded SQLite database client. </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> Failure to use the <a href="SQLITE_README.html">AUXLIBS_SQLITE</a> variable will defeat the purpose
|
||||
of dynamic database client loading. Every Postfix executable file
|
||||
will have SQLITE database library dependencies. And that was exactly
|
||||
what dynamic database client loading was meant to avoid. </p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> Then, just run 'make'.</p>
|
||||
|
||||
<h2>Using SQLite tables</h2>
|
||||
|
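Review bot: The added blockquote writes "SQLITE database library dependencies" while the rest of the hunk, including the heading "Using SQLite tables", spells it "SQLite"; use one spelling. The blockquote would also read better as a single sentence ("..., which is exactly what dynamic database client loading was meant to avoid") than with the fragment that begins "And that was exactly".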
@ -158,16 +158,19 @@ default with Postfix 2.6 and later. </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
1 <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> = ${stress?10}${stress:300}s
|
||||
2 <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = ${stress?1}${stress:20}
|
||||
3 <a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> = ${stress?1}${stress:100}
|
||||
1 <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> = ${stress?{10}:{300}}s
|
||||
2 <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = ${stress?{1}:{20}}
|
||||
3 <a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> = ${stress?{1}:{100}}
|
||||
4 # Parameters added after Postfix 2.6:
|
||||
5 <a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> = ${stress?yes}${stress:no}
|
||||
6 <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> = ${stress?10}${stress:300}s
|
||||
7 <a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = ${stress?1}${stress:3}
|
||||
5 <a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> = ${stress?{yes}:{no}}
|
||||
6 <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> = ${stress?{10}:{300}}s
|
||||
7 <a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = ${stress?{1}:{3}}
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Postfix versions before 3.0 use the older form ${stress?x}${stress:y}
|
||||
instead of the newer form ${stress?{x}:{y}}. </p>
|
||||
|
||||
<p> Translation: <p>
|
||||
|
||||
<ul>
|
||||
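Review bot: The context line "<p> Translation: <p>" opens a second paragraph instead of closing the first; since this hunk already edits the surrounding text, change it to "<p> Translation: </p>". In the example, the version note for the new ${stress?{x}:{y}} form comes only after the block, while the comment on line 4 still talks about Postfix 2.6; consider moving the "Postfix versions before 3.0" sentence above the example so that readers on older versions see it before copying settings that their version does not parse as intended.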
@ -216,8 +219,9 @@ as this measure is used only temporarily. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> The syntax of ${name?value} and ${name:value} is explained at
|
||||
the beginning of the <a href="postconf.5.html">postconf(5)</a> manual page. </p>
|
||||
<p> The syntax of ${name?{value}:{value}}, ${name?value} and
|
||||
${name:value} is explained at the beginning of the <a href="postconf.5.html">postconf(5)</a>
|
||||
manual page. </p>
|
||||
|
||||
<p> NOTE: Please keep in mind that the stress-adaptive feature is
|
||||
a fairly desperate measure to keep <b>some</b> legitimate mail
|
||||
|
@ -294,8 +294,8 @@ is correctly configured to supply its intermediate CA certificate). </p>
|
||||
</blockquote>
|
||||
|
||||
<p> To verify a remote SMTP client certificate, the Postfix SMTP
|
||||
server needs to trust the certificates of the issuing certification
|
||||
authorities. These certificates in "pem" format can be stored in a
|
||||
server needs to trust the certificates of the issuing Certification
|
||||
Authorities. These certificates in "pem" format can be stored in a
|
||||
single $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or in multiple files, one CA per file in
|
||||
the $<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> directory. If you use a directory, don't forget
|
||||
to create the necessary "hash" links with: </p>
|
||||
@ -839,8 +839,8 @@ is correctly configured to supply its intermediate CA certificate). </p>
|
||||
</blockquote>
|
||||
|
||||
<p> To verify a remote SMTP server certificate, the Postfix SMTP
|
||||
client needs to trust the certificates of the issuing certification
|
||||
authorities. These certificates in "pem" format can be stored in a
|
||||
client needs to trust the certificates of the issuing Certification
|
||||
Authorities. These certificates in "pem" format can be stored in a
|
||||
single $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> or in multiple files, one CA per file in
|
||||
the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory. If you use a directory, don't forget
|
||||
to create the necessary "hash" links with: </p>
|
||||
@ -1032,7 +1032,7 @@ the certificate. </p>
|
||||
other attacks, mandatory certificate/peername verification is not
|
||||
viable as a default Internet mail delivery policy at this time. A
|
||||
significant fraction of TLS enabled MTAs uses self-signed certificates,
|
||||
or certificates that are signed by a private certificate authority.
|
||||
or certificates that are signed by a private Certification Authority.
|
||||
On a machine that delivers mail to the Internet, if you set
|
||||
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes, you should probably also set
|
||||
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no. You can use the per-site TLS
|
||||
@ -1395,9 +1395,9 @@ sign your own Postfix public key certificate, you get TLS encryption
|
||||
but no TLS authentication. This is sufficient for testing, and
|
||||
for exchanging email with sites that you have no trust relationship
|
||||
with. For real authentication, your Postfix public key certificate
|
||||
needs to be signed by a recognized Certificate Authority, and
|
||||
needs to be signed by a recognized Certification Authority, and
|
||||
Postfix needs to be configured with a list of public key certificates
|
||||
of Certificate Authorities, so that Postfix can verify the public key
|
||||
of Certification Authorities, so that Postfix can verify the public key
|
||||
certificates of remote hosts. </p>
|
||||
|
||||
<p> In the examples below, user input is shown in <b><tt>bold</tt></b>
|
||||
@ -1405,7 +1405,7 @@ font, and a "<tt>#</tt>" prompt indicates a super-user shell. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Become your own Certificate Authority, so that you can
|
||||
<li> <p> Become your own Certification Authority, so that you can
|
||||
sign your own public keys. This example uses the CA.pl script that
|
||||
ships with OpenSSL. By default, OpenSSL installs this as
|
||||
<tt>/usr/local/ssl/misc/CA.pl</tt>, but your mileage may vary.
|
||||
|
@ -267,6 +267,11 @@ the TLS session cache) that an SMTP client may negotiate in the
|
||||
time interval specified with <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> (default: 60s).
|
||||
</dd>
|
||||
|
||||
<dt> <a href="postconf.5.html#smtpd_client_auth_rate_limit">smtpd_client_auth_rate_limit</a> (default: no limit) </dt> <dd>
|
||||
The maximum number of AUTH commands that an SMTP client may send
|
||||
in the time interval specified with <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> (default:
|
||||
60s). Available in Postfix 3.1 and later. </dd>
|
||||
|
||||
<dt> <a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> (default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)
|
||||
</dt> <dd> SMTP clients that are excluded from connection and rate
|
||||
limits specified above. </dd>
|
||||
|
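Review bot: The new smtpd_client_auth_rate_limit entry is inserted directly above smtpd_client_event_limit_exceptions, whose text says those clients are "excluded from connection and rate limits specified above" and whose default is $mynetworks. The new entry should say explicitly that the AUTH limit is subject to these exceptions, so that administrators who want to throttle password guessing from hosts inside $mynetworks know that they must adjust the exception list. It would also help to state which value expresses "no limit".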
@ -124,7 +124,8 @@ elements can be up to 255 characters long. The client must not send
|
||||
XCLIENT commands that exceed the 512 character limit for SMTP
|
||||
commands. To avoid exceeding the limit the client should send the
|
||||
information in multiple XCLIENT commands; for example, send NAME
|
||||
and ADDR first, then HELO and PROTO. </p>
|
||||
and ADDR last, after HELO and PROTO. Once ADDR is sent, the client
|
||||
is usually no longer authorized to send XCLIENT commands. </p>
|
||||
|
||||
<p> Note 2: [UNAVAILABLE], [TEMPUNAVAIL] and IPV6: may be specified
|
||||
in upper case, lower case or mixed case. </p>
|
||||
|
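Review bot: The rewritten sentence says that the client "is usually no longer authorized" to send XCLIENT commands once ADDR is sent, but gives no reason and leaves "usually" undefined. State why authorization changes after ADDR and in which cases it does not, so that implementers of XCLIENT clients can tell whether the new ordering (HELO and PROTO first, NAME and ADDR last) is mandatory or only a recommendation.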
@ -163,8 +163,8 @@ ACCESS(5) ACCESS(5)
|
||||
|
||||
<i>all-numerical</i>
|
||||
An all-numerical result is treated as OK. This format is gener-
|
||||
ated by address-based relay authorization schemes such as pop-
|
||||
before-smtp.
|
||||
ated by address-based relay authorization schemes such as
|
||||
pop-before-smtp.
|
||||
|
||||
For other accept actions, see "OTHER ACTIONS" below.
|
||||
|
||||
@ -246,7 +246,7 @@ ACCESS(5) ACCESS(5)
|
||||
If multiple BCC actions are specified within the same SMTP MAIL
|
||||
transaction, only the last action will be used.
|
||||
|
||||
This feature is not part of the stable Postfix release.
|
||||
This feature is available in Postfix 3.0 and later.
|
||||
|
||||
<b>DISCARD</b> <i>optional text...</i>
|
||||
Claim successful delivery and silently discard the message. Log
|
||||
@ -326,76 +326,84 @@ ACCESS(5) ACCESS(5)
|
||||
|
||||
<b>REDIRECT</b> <i>user@domain</i>
|
||||
After the message is queued, send the message to the specified
|
||||
address instead of the intended recipient(s).
|
||||
address instead of the intended recipient(s). When multiple <b>RE-</b>
|
||||
<b>DIRECT</b> actions fire, only the last one takes effect.
|
||||
|
||||
Note: this action overrides the FILTER action, and currently
|
||||
affects all recipients of the message.
|
||||
Note: this action overrides the FILTER action, and currently
|
||||
overrides all recipients of the message.
|
||||
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
|
||||
<b>INFO</b> <i>optional text...</i>
|
||||
Log an informational record with the optional text, together
|
||||
with client information and if available, with helo, sender,
|
||||
recipient and protocol information.
|
||||
|
||||
This feature is available in Postfix 3.0 and later.
|
||||
|
||||
<b>WARN</b> <i>optional text...</i>
|
||||
Log a warning with the optional text, together with client
|
||||
information and if available, with helo, sender, recipient and
|
||||
Log a warning with the optional text, together with client
|
||||
information and if available, with helo, sender, recipient and
|
||||
protocol information.
|
||||
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
|
||||
<b>ENHANCED STATUS CODES</b>
|
||||
Postfix version 2.3 and later support enhanced status codes as defined
|
||||
in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>. When an enhanced status code is specified in an access
|
||||
Postfix version 2.3 and later support enhanced status codes as defined
|
||||
in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>. When an enhanced status code is specified in an access
|
||||
table, it is subject to modification. The following transformations are
|
||||
needed when the same access table is used for client, helo, sender, or
|
||||
recipient access restrictions; they happen regardless of whether Post-
|
||||
needed when the same access table is used for client, helo, sender, or
|
||||
recipient access restrictions; they happen regardless of whether Post-
|
||||
fix replies to a MAIL FROM, RCPT TO or other SMTP command.
|
||||
|
||||
<b>o</b> When a sender address matches a REJECT action, the Postfix SMTP
|
||||
<b>o</b> When a sender address matches a REJECT action, the Postfix SMTP
|
||||
server will transform a recipient DSN status (e.g., 4.1.1-4.1.6)
|
||||
into the corresponding sender DSN status, and vice versa.
|
||||
|
||||
<b>o</b> When non-address information matches a REJECT action (such as
|
||||
the HELO command argument or the client hostname/address), the
|
||||
Postfix SMTP server will transform a sender or recipient DSN
|
||||
<b>o</b> When non-address information matches a REJECT action (such as
|
||||
the HELO command argument or the client hostname/address), the
|
||||
Postfix SMTP server will transform a sender or recipient DSN
|
||||
status into a generic non-address DSN status (e.g., 4.0.0).
|
||||
|
||||
<b>REGULAR EXPRESSION TABLES</b>
|
||||
This section describes how the table lookups change when the table is
|
||||
given in the form of regular expressions. For a description of regular
|
||||
This section describes how the table lookups change when the table is
|
||||
given in the form of regular expressions. For a description of regular
|
||||
expression lookup table syntax, see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
|
||||
|
||||
Each pattern is a regular expression that is applied to the entire
|
||||
Each pattern is a regular expression that is applied to the entire
|
||||
string being looked up. Depending on the application, that string is an
|
||||
entire client hostname, an entire client IP address, or an entire mail
|
||||
address. Thus, no parent domain or parent network search is done,
|
||||
<i>user@domain</i> mail addresses are not broken up into their <i>user@</i> and
|
||||
<i>domain</i> constituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
|
||||
entire client hostname, an entire client IP address, or an entire mail
|
||||
address. Thus, no parent domain or parent network search is done,
|
||||
<i>user@domain</i> mail addresses are not broken up into their <i>user@</i> and
|
||||
<i>domain</i> constituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
|
||||
|
||||
Patterns are applied in the order as specified in the table, until a
|
||||
Patterns are applied in the order as specified in the table, until a
|
||||
pattern is found that matches the search string.
|
||||
|
||||
Actions are the same as with indexed file lookups, with the additional
|
||||
feature that parenthesized substrings from the pattern can be interpo-
|
||||
Actions are the same as with indexed file lookups, with the additional
|
||||
feature that parenthesized substrings from the pattern can be interpo-
|
||||
lated as <b>$1</b>, <b>$2</b> and so on.
|
||||
|
||||
<b>TCP-BASED TABLES</b>
|
||||
This section describes how the table lookups change when lookups are
|
||||
directed to a TCP-based server. For a description of the TCP
|
||||
client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is not
|
||||
This section describes how the table lookups change when lookups are
|
||||
directed to a TCP-based server. For a description of the TCP
|
||||
client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is not
|
||||
available up to and including Postfix version 2.4.
|
||||
|
||||
Each lookup operation uses the entire query string once. Depending on
|
||||
the application, that string is an entire client hostname, an entire
|
||||
client IP address, or an entire mail address. Thus, no parent domain
|
||||
or parent network search is done, <i>user@domain</i> mail addresses are not
|
||||
broken up into their <i>user@</i> and <i>domain</i> constituent parts, nor is
|
||||
Each lookup operation uses the entire query string once. Depending on
|
||||
the application, that string is an entire client hostname, an entire
|
||||
client IP address, or an entire mail address. Thus, no parent domain
|
||||
or parent network search is done, <i>user@domain</i> mail addresses are not
|
||||
broken up into their <i>user@</i> and <i>domain</i> constituent parts, nor is
|
||||
<i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
|
||||
|
||||
Actions are the same as with indexed file lookups.
|
||||
|
||||
<b>EXAMPLE</b>
|
||||
The following example uses an indexed file, so that the order of table
|
||||
entries does not matter. The example permits access by the client at
|
||||
The following example uses an indexed file, so that the order of table
|
||||
entries does not matter. The example permits access by the client at
|
||||
address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of
|
||||
<b>hash</b> lookup tables, some systems use <b>dbm</b>. Use the command "<b>postconf</b>
|
||||
<b>hash</b> lookup tables, some systems use <b>dbm</b>. Use the command "<b>postconf</b>
|
||||
<b>-m</b>" to find out what lookup tables Postfix supports on your system.
|
||||
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
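Review bot: The INFO entry says what is logged but not what the lookup returns to the restriction list afterwards, and the WARN entry directly below it has the same gap. A reader cannot tell from these lines whether evaluation continues with the next restriction once the record is written; add one sentence stating the result to both entries. The REDIRECT note now reads "overrides the FILTER action, and currently overrides all recipients", which uses "overrides" in two senses in one sentence; "replaces all recipients" would be clearer for the second.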
@ -406,7 +414,7 @@ ACCESS(5) ACCESS(5)
|
||||
1.2.3 REJECT
|
||||
1.2.3.4 OK
|
||||
|
||||
Execute the command "<b>postmap /etc/postfix/access</b>" after editing the
|
||||
Execute the command "<b>postmap /etc/postfix/access</b>" after editing the
|
||||
file.
|
||||
|
||||
<b>BUGS</b>
|
||||
@ -431,5 +439,10 @@ ACCESS(5) ACCESS(5)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
ACCESS(5)
|
||||
</pre> </body> </html>
|
||||
|
@ -194,5 +194,10 @@ ALIASES(5) ALIASES(5)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
ALIASES(5)
|
||||
</pre> </body> </html>
|
||||
|
@ -106,6 +106,19 @@ ANVIL(8) ANVIL(8)
|
||||
<b>status=0</b>
|
||||
<b>rate=</b><i>number</i>
|
||||
|
||||
<b>AUTH RATE CONTROL</b>
|
||||
To register an AUTH request send the following request to the <a href="anvil.8.html"><b>anvil</b>(8)</a>
|
||||
server:
|
||||
|
||||
<b>request=auth</b>
|
||||
<b>ident=</b><i>string</i>
|
||||
|
||||
The <a href="anvil.8.html"><b>anvil</b>(8)</a> server answers with the number of auth requests per unit
|
||||
time for the (service, client) combination specified with <b>ident</b>:
|
||||
|
||||
<b>status=0</b>
|
||||
<b>rate=</b><i>number</i>
|
||||
|
||||
<b>SECURITY</b>
|
||||
The <a href="anvil.8.html"><b>anvil</b>(8)</a> server does not talk to the network or to local users, and
|
||||
can run chrooted at fixed low privilege.
|
||||
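Review bot: The AUTH RATE CONTROL section has no "This feature is available in Postfix ..." line, while the other additions in this change (the access(5) INFO action, the bounce(5) mydomain and myhostname entries) each state a version. Add the version here too. The reply is described as a rate "for the (service, client) combination specified with ident", but the request shows only "ident=string"; say in this section how ident is composed, or point to the place where it is defined.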
@ -216,5 +229,10 @@ ANVIL(8) ANVIL(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
ANVIL(8)
|
||||
</pre> </body> </html>
|
||||
|
@ -153,6 +153,20 @@ BOUNCE(5) BOUNCE(5)
|
||||
expressed in the time unit specified by <i>suffix</i>. See above under
|
||||
<b><a href="postconf.5.html#delay_warning_time">delay_warning_time</a></b> for possible <i>suffix</i> values.
|
||||
|
||||
<b><a href="postconf.5.html#mydomain">mydomain</a></b>
|
||||
Expands into the value of the <b><a href="postconf.5.html#mydomain">mydomain</a></b> parameter. With "smt-
|
||||
putf8_enable = yes", this replaces ACE labels (xn--mumble) with
|
||||
their UTF-8 equivalent.
|
||||
|
||||
This feature is available in Postfix 3.0.
|
||||
|
||||
<b><a href="postconf.5.html#myhostname">myhostname</a></b>
|
||||
Expands into the value of the <b><a href="postconf.5.html#myhostname">myhostname</a></b> parameter. With "smt-
|
||||
putf8_enable = yes", this replaces ACE labels (xn--mumble) with
|
||||
their UTF-8 equivalent.
|
||||
|
||||
This feature is available in Postfix 3.0.
|
||||
|
||||
The usage and specification of template message text is subject to the
|
||||
following restrictions:
|
||||
|
||||
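Review bot: "This feature is available in Postfix 3.0." under mydomain and myhostname reads as 3.0 only, whereas the rest of this change uses "Postfix 3.0 and later" (access(5) INFO, bounce(8), cleanup(8)). Use the same wording here. In both entries the parameter name is hyphenated across the line break as "smt-" / "putf8_enable" and is not linked to postconf.5.html the way mydomain and myhostname are, so a text search for smtputf8_enable misses it.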
@ -182,5 +196,10 @@ BOUNCE(5) BOUNCE(5)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
BOUNCE(5)
|
||||
</pre> </body> </html>
|
||||
|
@ -33,10 +33,10 @@ BOUNCE(8) BOUNCE(8)
|
||||
tion is sent even when the log file or the original message cannot be
|
||||
read.
|
||||
|
||||
Optionally, a bounce (defer, trace) client can request that the per-
|
||||
message log file be deleted when the requested operation fails. This
|
||||
is used by clients that cannot retry transactions by themselves, and
|
||||
that depend on retry logic in their own client.
|
||||
Optionally, a bounce (defer, trace) client can request that the
|
||||
per-message log file be deleted when the requested operation fails.
|
||||
This is used by clients that cannot retry transactions by themselves,
|
||||
and that depend on retry logic in their own client.
|
||||
|
||||
<b>STANDARDS</b>
|
||||
<a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
|
||||
@ -46,6 +46,9 @@ BOUNCE(8) BOUNCE(8)
|
||||
<a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
|
||||
<a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
|
||||
<a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
|
||||
<a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
|
||||
<a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
|
||||
<a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
|
||||
|
||||
<b>DIAGNOSTICS</b>
|
||||
Problems and transactions are logged to <b>syslogd</b>(8).
|
||||
@ -104,9 +107,9 @@ BOUNCE(8) BOUNCE(8)
|
||||
internal communication channel.
|
||||
|
||||
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
|
||||
What categories of Postfix-generated mail are subject to before-
|
||||
queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and
|
||||
<a href="postconf.5.html#body_checks">body_checks</a>.
|
||||
What categories of Postfix-generated mail are subject to
|
||||
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
|
||||
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
|
||||
|
||||
<b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
|
||||
The mail system name that is displayed in Received: headers, in
|
||||
@ -140,6 +143,12 @@ BOUNCE(8) BOUNCE(8)
|
||||
syslog records, so that "smtpd" becomes, for example, "post-
|
||||
fix/smtpd".
|
||||
|
||||
Available in Postfix 3.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
|
||||
Detect that a message requires SMTPUTF8 support for the speci-
|
||||
fied mail origin classes.
|
||||
|
||||
<b>FILES</b>
|
||||
/var/spool/postfix/bounce/* non-delivery records
|
||||
/var/spool/postfix/defer/* non-delivery records
|
||||
@ -162,5 +171,10 @@ BOUNCE(8) BOUNCE(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
BOUNCE(8)
|
||||
</pre> </body> </html>
|
||||
|
@ -253,5 +253,10 @@ CANONICAL(5) CANONICAL(5)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
CANONICAL(5)
|
||||
</pre> </body> </html>
|
||||
|
@ -101,5 +101,10 @@ CIDR_TABLE(5) CIDR_TABLE(5)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
CIDR_TABLE(5)
|
||||
</pre> </body> </html>
|
||||
|
181
external/ibm-public/postfix/dist/html/cleanup.8.html
vendored
@ -18,8 +18,8 @@ CLEANUP(8) CLEANUP(8)
|
||||
|
||||
The <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon always performs the following transformations:
|
||||
|
||||
<b>o</b> Insert missing message headers: (<b>Resent-</b>) <b>From:</b>, <b>To:</b>, <b>Message-</b>
|
||||
<b>Id:</b>, and <b>Date:</b>.
|
||||
<b>o</b> Insert missing message headers: (<b>Resent-</b>) <b>From:</b>, <b>To:</b>, <b>Mes-</b>
|
||||
<b>sage-Id:</b>, and <b>Date:</b>.
|
||||
|
||||
<b>o</b> Transform envelope and header addresses to the standard
|
||||
<i>user@fully-qualified-domain</i> form that is expected by other Post-
|
||||
@ -28,23 +28,26 @@ CLEANUP(8) CLEANUP(8)
|
||||
|
||||
<b>o</b> Eliminate duplicate envelope recipient addresses.
|
||||
|
||||
<b>o</b> Remove message headers: <b>Bcc</b>, <b>Content-Length</b>, <b>Resent-Bcc</b>,
|
||||
<b>Return-Path</b>.
|
||||
|
||||
The following address transformations are optional:
|
||||
|
||||
<b>o</b> Optionally, rewrite all envelope and header addresses according
|
||||
<b>o</b> Optionally, rewrite all envelope and header addresses according
|
||||
to the mappings specified in the <a href="canonical.5.html"><b>canonical</b>(5)</a> lookup tables.
|
||||
|
||||
<b>o</b> Optionally, masquerade envelope sender addresses and message
|
||||
header addresses (i.e. strip host or domain information below
|
||||
all domains listed in the <b><a href="postconf.5.html#masquerade_domains">masquerade_domains</a></b> parameter, except
|
||||
for user names listed in <b><a href="postconf.5.html#masquerade_exceptions">masquerade_exceptions</a></b>). By default,
|
||||
<b>o</b> Optionally, masquerade envelope sender addresses and message
|
||||
header addresses (i.e. strip host or domain information below
|
||||
all domains listed in the <b><a href="postconf.5.html#masquerade_domains">masquerade_domains</a></b> parameter, except
|
||||
for user names listed in <b><a href="postconf.5.html#masquerade_exceptions">masquerade_exceptions</a></b>). By default,
|
||||
address masquerading does not affect envelope recipients.
|
||||
|
||||
<b>o</b> Optionally, expand envelope recipients according to information
|
||||
<b>o</b> Optionally, expand envelope recipients according to information
|
||||
found in the <a href="virtual.5.html"><b>virtual</b>(5)</a> lookup tables.
|
||||
|
||||
The <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon performs sanity checks on the content of each
|
||||
message. When it finds a problem, by default it returns a diagnostic
|
||||
status to the client, and leaves it up to the client to deal with the
|
||||
The <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon performs sanity checks on the content of each
|
||||
message. When it finds a problem, by default it returns a diagnostic
|
||||
status to the client, and leaves it up to the client to deal with the
|
||||
problem. Alternatively, the client can request the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon to
|
||||
bounce the message back to the sender in case of trouble.
|
||||
|
||||
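Review bot: The new bullet "Remove message headers: Bcc, Content-Length, Resent-Bcc, Return-Path" is placed in the list introduced by "always performs the following transformations", yet the same change documents message_drop_headers with exactly these four names as its default, so the set is configurable rather than fixed. Reword the bullet to refer to message_drop_headers. It is also worth stating there that an operator who overrides the list without bcc turns off this removal of Bcc: headers, since that affects recipient privacy.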
@ -61,7 +64,7 @@ CLEANUP(8) CLEANUP(8)
|
||||
Problems and transactions are logged to <b>syslogd</b>(8).
|
||||
|
||||
<b>BUGS</b>
|
||||
Table-driven rewriting rules make it hard to express <b>if then else</b> and
|
||||
Table-driven rewriting rules make it hard to express <b>if then else</b> and
|
||||
other logical relationships.
|
||||
|
||||
<b>CONFIGURATION PARAMETERS</b>
|
||||
@ -69,7 +72,7 @@ CLEANUP(8) CLEANUP(8)
|
||||
run for only a limited amount of time. Use the command "<b>postfix reload</b>"
|
||||
to speed up a change.
|
||||
|
||||
The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
|
||||
The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
|
||||
more details including examples.
|
||||
|
||||
<b>COMPATIBILITY CONTROLS</b>
|
||||
@ -80,16 +83,16 @@ CLEANUP(8) CLEANUP(8)
|
||||
Available in Postfix version 2.1 only:
|
||||
|
||||
<b><a href="postconf.5.html#enable_errors_to">enable_errors_to</a> (no)</b>
|
||||
Report mail delivery errors to the address specified with the
|
||||
non-standard Errors-To: message header, instead of the envelope
|
||||
sender address (this feature is removed with Postfix version
|
||||
2.2, is turned off by default with Postfix version 2.1, and is
|
||||
Report mail delivery errors to the address specified with the
|
||||
non-standard Errors-To: message header, instead of the envelope
|
||||
sender address (this feature is removed with Postfix version
|
||||
2.2, is turned off by default with Postfix version 2.1, and is
|
||||
always turned on with older Postfix versions).
|
||||
|
||||
Available in Postfix version 2.6 and later:
|
||||
|
||||
<b><a href="postconf.5.html#always_add_missing_headers">always_add_missing_headers</a> (no)</b>
|
||||
Always add (Resent-) From:, To:, Date: or Message-ID: headers
|
||||
Always add (Resent-) From:, To:, Date: or Message-ID: headers
|
||||
when not present.
|
||||
|
||||
Available in Postfix version 2.9 and later:
|
||||
@ -97,39 +100,46 @@ CLEANUP(8) CLEANUP(8)
|
||||
<b><a href="postconf.5.html#enable_long_queue_ids">enable_long_queue_ids</a> (no)</b>
|
||||
Enable long, non-repeating, queue IDs (queue file names).
|
||||
|
||||
Available in Postfix version 3.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#message_drop_headers">message_drop_headers</a> (bcc, content-length, resent-bcc, return-path)</b>
|
||||
Names of message headers that the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon will remove
|
||||
after applying <a href="header_checks.5.html"><b>header_checks</b>(5)</a> and before invoking Milter
|
||||
applications.
|
||||
|
||||
<b>BUILT-IN CONTENT FILTERING CONTROLS</b>
|
||||
Postfix built-in content filtering is meant to stop a flood of worms or
|
||||
viruses. It is not a general content filter.
|
||||
|
||||
<b><a href="postconf.5.html#body_checks">body_checks</a> (empty)</b>
|
||||
Optional lookup tables for content inspection as specified in
|
||||
Optional lookup tables for content inspection as specified in
|
||||
the <a href="header_checks.5.html"><b>body_checks</b>(5)</a> manual page.
|
||||
|
||||
<b><a href="postconf.5.html#header_checks">header_checks</a> (empty)</b>
|
||||
Optional lookup tables for content inspection of primary non-
|
||||
MIME message headers, as specified in the <a href="header_checks.5.html"><b>header_checks</b>(5)</a> man-
|
||||
ual page.
|
||||
Optional lookup tables for content inspection of primary
|
||||
non-MIME message headers, as specified in the <a href="header_checks.5.html"><b>header_checks</b>(5)</a>
|
||||
manual page.
|
||||
|
||||
Available in Postfix version 2.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#body_checks_size_limit">body_checks_size_limit</a> (51200)</b>
|
||||
How much text in a message body segment (or attachment, if you
|
||||
How much text in a message body segment (or attachment, if you
|
||||
prefer to use that term) is subjected to <a href="postconf.5.html#body_checks">body_checks</a> inspection.
|
||||
|
||||
<b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a> ($<a href="postconf.5.html#header_checks">header_checks</a>)</b>
|
||||
Optional lookup tables for content inspection of MIME related
|
||||
message headers, as described in the <a href="header_checks.5.html"><b>header_checks</b>(5)</a> manual
|
||||
Optional lookup tables for content inspection of MIME related
|
||||
message headers, as described in the <a href="header_checks.5.html"><b>header_checks</b>(5)</a> manual
|
||||
page.
|
||||
|
||||
<b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a> ($<a href="postconf.5.html#header_checks">header_checks</a>)</b>
|
||||
Optional lookup tables for content inspection of non-MIME mes-
|
||||
sage headers in attached messages, as described in the
|
||||
Optional lookup tables for content inspection of non-MIME mes-
|
||||
sage headers in attached messages, as described in the
|
||||
<a href="header_checks.5.html"><b>header_checks</b>(5)</a> manual page.
|
||||
|
||||
Available in Postfix version 2.3 and later:
|
||||
|
||||
<b><a href="postconf.5.html#message_reject_characters">message_reject_characters</a> (empty)</b>
|
||||
The set of characters that Postfix will reject in message con-
|
||||
The set of characters that Postfix will reject in message con-
|
||||
tent.
|
||||
|
||||
<b><a href="postconf.5.html#message_strip_characters">message_strip_characters</a> (empty)</b>
|
||||
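Review bot: The message_drop_headers entry gives its default in lower case (bcc, content-length, resent-bcc, return-path) while the DESCRIPTION bullet spells the same headers as Bcc, Content-Length, Resent-Bcc, Return-Path, and the entry does not say whether names are matched case-insensitively. State that explicitly. The entry is also listed under COMPATIBILITY CONTROLS although it describes header removal "after applying header_checks(5) and before invoking Milter applications"; a cross-reference from the content filtering and Milter sections would help readers who expect their filters to see these headers.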
@ -138,25 +148,25 @@ CLEANUP(8) CLEANUP(8)
|
||||
|
||||
<b>BEFORE QUEUE MILTER CONTROLS</b>
|
||||
As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail
|
||||
filter) protocol. When mail is not received via the <a href="smtpd.8.html">smtpd(8)</a> server,
|
||||
filter) protocol. When mail is not received via the <a href="smtpd.8.html">smtpd(8)</a> server,
|
||||
the <a href="cleanup.8.html">cleanup(8)</a> server will simulate SMTP events to the extent that this
|
||||
is possible. For details see the <a href="MILTER_README.html">MILTER_README</a> document.
|
||||
|
||||
<b><a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a> (empty)</b>
|
||||
A list of Milter (mail filter) applications for new mail that
|
||||
A list of Milter (mail filter) applications for new mail that
|
||||
does not arrive via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a> server.
|
||||
|
||||
<b><a href="postconf.5.html#milter_protocol">milter_protocol</a> (6)</b>
|
||||
The mail filter protocol version and optional protocol exten-
|
||||
sions for communication with a Milter application; prior to
|
||||
The mail filter protocol version and optional protocol exten-
|
||||
sions for communication with a Milter application; prior to
|
||||
Postfix 2.6 the default protocol is 2.
|
||||
|
||||
<b><a href="postconf.5.html#milter_default_action">milter_default_action</a> (tempfail)</b>
|
||||
The default action when a Milter (mail filter) application is
|
||||
The default action when a Milter (mail filter) application is
|
||||
unavailable or mis-configured.
|
||||
|
||||
<b><a href="postconf.5.html#milter_macro_daemon_name">milter_macro_daemon_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
|
||||
The {daemon_name} macro value for Milter (mail filter) applica-
|
||||
The {daemon_name} macro value for Milter (mail filter) applica-
|
||||
tions.
|
||||
|
||||
<b><a href="postconf.5.html#milter_macro_v">milter_macro_v</a> ($<a href="postconf.5.html#mail_name">mail_name</a> $<a href="postconf.5.html#mail_version">mail_version</a>)</b>
|
||||
@ -167,45 +177,45 @@ CLEANUP(8) CLEANUP(8)
|
||||
tion, and for negotiating protocol options.
|
||||
|
||||
<b><a href="postconf.5.html#milter_command_timeout">milter_command_timeout</a> (30s)</b>
|
||||
The time limit for sending an SMTP command to a Milter (mail
|
||||
The time limit for sending an SMTP command to a Milter (mail
|
||||
filter) application, and for receiving the response.
|
||||
|
||||
<b><a href="postconf.5.html#milter_content_timeout">milter_content_timeout</a> (300s)</b>
|
||||
The time limit for sending message content to a Milter (mail
|
||||
The time limit for sending message content to a Milter (mail
|
||||
filter) application, and for receiving the response.
|
||||
|
||||
<b><a href="postconf.5.html#milter_connect_macros">milter_connect_macros</a> (see 'postconf -d' output)</b>
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
after completion of an SMTP connection.
|
||||
|
||||
<b><a href="postconf.5.html#milter_helo_macros">milter_helo_macros</a> (see 'postconf -d' output)</b>
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
after the SMTP HELO or EHLO command.
|
||||
|
||||
<b><a href="postconf.5.html#milter_mail_macros">milter_mail_macros</a> (see 'postconf -d' output)</b>
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
after the SMTP MAIL FROM command.
|
||||
|
||||
<b><a href="postconf.5.html#milter_rcpt_macros">milter_rcpt_macros</a> (see 'postconf -d' output)</b>
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
after the SMTP RCPT TO command.
|
||||
|
||||
<b><a href="postconf.5.html#milter_data_macros">milter_data_macros</a> (see 'postconf -d' output)</b>
|
||||
The macros that are sent to version 4 or higher Milter (mail
|
||||
The macros that are sent to version 4 or higher Milter (mail
|
||||
filter) applications after the SMTP DATA command.
|
||||
|
||||
<b><a href="postconf.5.html#milter_unknown_command_macros">milter_unknown_command_macros</a> (see 'postconf -d' output)</b>
|
||||
The macros that are sent to version 3 or higher Milter (mail
|
||||
The macros that are sent to version 3 or higher Milter (mail
|
||||
filter) applications after an unknown SMTP command.
|
||||
|
||||
<b><a href="postconf.5.html#milter_end_of_data_macros">milter_end_of_data_macros</a> (see 'postconf -d' output)</b>
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
after the message end-of-data.
|
||||
|
||||
Available in Postfix version 2.5 and later:
|
||||
|
||||
<b><a href="postconf.5.html#milter_end_of_header_macros">milter_end_of_header_macros</a> (see 'postconf -d' output)</b>
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
The macros that are sent to Milter (mail filter) applications
|
||||
after the end of the message header.
|
||||
|
||||
Available in Postfix version 2.7 and later:
|
||||
@ -214,6 +224,13 @@ CLEANUP(8) CLEANUP(8)
|
||||
Optional lookup tables for content inspection of message headers
|
||||
that are produced by Milter applications.
|
||||
|
||||
Available in Postfix version 3.1 and later:
|
||||
|
||||
<b><a href="postconf.5.html#milter_macro_defaults">milter_macro_defaults</a> (empty)</b>
|
||||
Optional list of <i>name=value</i> pairs that specify default values
|
||||
for arbitrary macros that Postfix may send to Milter applica-
|
||||
tions.
|
||||
|
||||
<b>MIME PROCESSING CONTROLS</b>
|
||||
Available in Postfix version 2.0 and later:
|
||||
|
||||
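Review bot: The milter_macro_defaults entry says "name=value pairs" but does not say how pairs are separated or whether a macro name is written with braces, while a neighbouring entry writes the macro as {daemon_name}. Add a short example value, or a sentence on the name syntax, so the summary can be used without opening postconf(5). The entry is marked "Postfix version 3.1 and later"; check that this matches the release the page ships with.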
@ -237,91 +254,91 @@ CLEANUP(8) CLEANUP(8)
|
||||
ing information.
|
||||
|
||||
<b><a href="postconf.5.html#strict_mime_encoding_domain">strict_mime_encoding_domain</a> (no)</b>
|
||||
Reject mail with invalid Content-Transfer-Encoding: information
|
||||
Reject mail with invalid Content-Transfer-Encoding: information
|
||||
for the message/* or multipart/* MIME content types.
|
||||
|
||||
Available in Postfix version 2.5 and later:
|
||||
|
||||
<b><a href="postconf.5.html#detect_8bit_encoding_header">detect_8bit_encoding_header</a> (yes)</b>
|
||||
Automatically detect 8BITMIME body content by looking at Con-
|
||||
tent-Transfer-Encoding: message headers; historically, this
|
||||
Automatically detect 8BITMIME body content by looking at Con-
|
||||
tent-Transfer-Encoding: message headers; historically, this
|
||||
behavior was hard-coded to be "always on".
|
||||
|
||||
<b>AUTOMATIC BCC RECIPIENT CONTROLS</b>
|
||||
Postfix can automatically add BCC (blind carbon copy) when mail enters
|
||||
Postfix can automatically add BCC (blind carbon copy) when mail enters
|
||||
the mail system:
|
||||
|
||||
<b><a href="postconf.5.html#always_bcc">always_bcc</a> (empty)</b>
|
||||
Optional address that receives a "blind carbon copy" of each
|
||||
Optional address that receives a "blind carbon copy" of each
|
||||
message that is received by the Postfix mail system.
|
||||
|
||||
Available in Postfix version 2.1 and later:
|
||||
|
||||
<b><a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> (empty)</b>
|
||||
Optional BCC (blind carbon-copy) address lookup tables, indexed
|
||||
Optional BCC (blind carbon-copy) address lookup tables, indexed
|
||||
by sender address.
|
||||
|
||||
<b><a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> (empty)</b>
|
||||
Optional BCC (blind carbon-copy) address lookup tables, indexed
|
||||
Optional BCC (blind carbon-copy) address lookup tables, indexed
|
||||
by recipient address.
|
||||
|
||||
<b>ADDRESS TRANSFORMATION CONTROLS</b>
|
||||
Address rewriting is delegated to the <a href="trivial-rewrite.8.html"><b>trivial-rewrite</b>(8)</a> daemon. The
|
||||
Address rewriting is delegated to the <a href="trivial-rewrite.8.html"><b>trivial-rewrite</b>(8)</a> daemon. The
|
||||
<a href="cleanup.8.html"><b>cleanup</b>(8)</a> server implements table driven address mapping.
|
||||
|
||||
<b><a href="postconf.5.html#empty_address_recipient">empty_address_recipient</a> (MAILER-DAEMON)</b>
|
||||
The recipient of mail addressed to the null address.
|
||||
|
||||
<b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
|
||||
Optional address mapping lookup tables for message headers and
|
||||
Optional address mapping lookup tables for message headers and
|
||||
envelopes.
|
||||
|
||||
<b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
|
||||
Optional address mapping lookup tables for envelope and header
|
||||
Optional address mapping lookup tables for envelope and header
|
||||
recipient addresses.
|
||||
|
||||
<b><a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a> (empty)</b>
|
||||
Optional address mapping lookup tables for envelope and header
|
||||
Optional address mapping lookup tables for envelope and header
|
||||
sender addresses.
|
||||
|
||||
<b><a href="postconf.5.html#masquerade_classes">masquerade_classes</a> (envelope_sender, header_sender, header_recipient)</b>
|
||||
What addresses are subject to address masquerading.
|
||||
|
||||
<b><a href="postconf.5.html#masquerade_domains">masquerade_domains</a> (empty)</b>
|
||||
Optional list of domains whose subdomain structure will be
|
||||
Optional list of domains whose subdomain structure will be
|
||||
stripped off in email addresses.
|
||||
|
||||
<b><a href="postconf.5.html#masquerade_exceptions">masquerade_exceptions</a> (empty)</b>
|
||||
Optional list of user names that are not subjected to address
|
||||
masquerading, even when their address matches $<a href="postconf.5.html#masquerade_domains">masquer</a>-
|
||||
Optional list of user names that are not subjected to address
|
||||
masquerading, even when their address matches $<a href="postconf.5.html#masquerade_domains">masquer</a>-
|
||||
<a href="postconf.5.html#masquerade_domains">ade_domains</a>.
|
||||
|
||||
<b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a> (canonical, virtual)</b>
|
||||
What address lookup tables copy an address extension from the
|
||||
What address lookup tables copy an address extension from the
|
||||
lookup key to the lookup result.
|
||||
|
||||
Available before Postfix version 2.0:
|
||||
|
||||
<b><a href="postconf.5.html#virtual_maps">virtual_maps</a> (empty)</b>
|
||||
Optional lookup tables with a) names of domains for which all
|
||||
addresses are aliased to addresses in other local or remote
|
||||
Optional lookup tables with a) names of domains for which all
|
||||
addresses are aliased to addresses in other local or remote
|
||||
domains, and b) addresses that are aliased to addresses in other
|
||||
local or remote domains.
|
||||
|
||||
Available in Postfix version 2.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
|
||||
Optional lookup tables that alias specific mail addresses or
|
||||
Optional lookup tables that alias specific mail addresses or
|
||||
domains to other local or remote address.
|
||||
|
||||
Available in Postfix version 2.2 and later:
|
||||
|
||||
<b><a href="postconf.5.html#canonical_classes">canonical_classes</a> (envelope_sender, envelope_recipient, header_sender,</b>
|
||||
<b><a href="postconf.5.html#canonical_classes">canonical_classes</a> (envelope_sender, envelope_recipient, header_sender,</b>
|
||||
<b>header_recipient)</b>
|
||||
What addresses are subject to <a href="postconf.5.html#canonical_maps">canonical_maps</a> address mapping.
|
||||
|
||||
<b><a href="postconf.5.html#recipient_canonical_classes">recipient_canonical_classes</a> (envelope_recipient, header_recipient)</b>
|
||||
What addresses are subject to <a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> address
|
||||
What addresses are subject to <a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> address
|
||||
mapping.
|
||||
|
||||
<b><a href="postconf.5.html#sender_canonical_classes">sender_canonical_classes</a> (envelope_sender, header_sender)</b>
|
||||
@ -329,8 +346,8 @@ CLEANUP(8) CLEANUP(8)
|
||||
ping.
|
||||
|
||||
<b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b>
|
||||
Don't rewrite message headers from remote clients at all when
|
||||
this parameter is empty; otherwise, rewrite message headers and
|
||||
Don't rewrite message headers from remote clients at all when
|
||||
this parameter is empty; otherwise, rewrite message headers and
|
||||
append the specified domain name to incomplete addresses.
|
||||
|
||||
<b>RESOURCE AND RATE CONTROLS</b>
|
||||
@ -340,7 +357,7 @@ CLEANUP(8) CLEANUP(8)
|
||||
<a href="showq.8.html"><b>showq</b>(8)</a> queue displays.
|
||||
|
||||
<b><a href="postconf.5.html#header_size_limit">header_size_limit</a> (102400)</b>
|
||||
The maximal amount of memory in bytes for storing a message
|
||||
The maximal amount of memory in bytes for storing a message
|
||||
header.
|
||||
|
||||
<b><a href="postconf.5.html#hopcount_limit">hopcount_limit</a> (50)</b>
|
||||
@ -348,17 +365,17 @@ CLEANUP(8) CLEANUP(8)
|
||||
in the primary message headers.
|
||||
|
||||
<b><a href="postconf.5.html#in_flow_delay">in_flow_delay</a> (1s)</b>
|
||||
Time to pause before accepting a new message, when the message
|
||||
Time to pause before accepting a new message, when the message
|
||||
arrival rate exceeds the message delivery rate.
|
||||
|
||||
<b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
|
||||
The maximal size in bytes of a message, including envelope
|
||||
The maximal size in bytes of a message, including envelope
|
||||
information.
|
||||
|
||||
Available in Postfix version 2.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#header_address_token_limit">header_address_token_limit</a> (10240)</b>
|
||||
The maximal number of address tokens are allowed in an address
|
||||
The maximal number of address tokens are allowed in an address
|
||||
message header.
|
||||
|
||||
<b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
|
||||
@ -374,12 +391,29 @@ CLEANUP(8) CLEANUP(8)
|
||||
Available in Postfix version 2.1 and later:
|
||||
|
||||
<b><a href="postconf.5.html#virtual_alias_expansion_limit">virtual_alias_expansion_limit</a> (1000)</b>
|
||||
The maximal number of addresses that virtual alias expansion
|
||||
The maximal number of addresses that virtual alias expansion
|
||||
produces from each original recipient.
|
||||
|
||||
<b><a href="postconf.5.html#virtual_alias_recursion_limit">virtual_alias_recursion_limit</a> (1000)</b>
|
||||
The maximal nesting depth of virtual alias expansion.
|
||||
|
||||
Available in Postfix version 3.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#virtual_alias_address_length_limit">virtual_alias_address_length_limit</a> (1000)</b>
|
||||
The maximal length of an email address after virtual alias
|
||||
expansion.
|
||||
|
||||
<b>SMTPUTF8 CONTROLS</b>
|
||||
Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
|
||||
|
||||
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
|
||||
Enable preliminary SMTPUTF8 support for the protocols described
|
||||
in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
|
||||
|
||||
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
|
||||
Detect that a message requires SMTPUTF8 support for the speci-
|
||||
fied mail origin classes.
|
||||
|
||||
<b>MISCELLANEOUS CONTROLS</b>
|
||||
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
|
||||
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
|
||||
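Review bot: The new virtual_alias_address_length_limit entry gives the limit ("The maximal length of an email address after virtual alias expansion") but not what happens to a recipient whose expanded address exceeds it. Since it is listed under RESOURCE AND RATE CONTROLS, say whether the recipient is rejected, deferred or the address truncated, and what is logged. In the added SMTPUTF8 CONTROLS block, "RFC 6531..6533" hyperlinks only RFC 6531, while the BOUNCE(8) STANDARDS hunk in this patch lists 6531, 6532 and 6533 separately; the same form would read better here. smtputf8_enable is described as "preliminary" yet defaults to yes, so a pointer to SMTPUTF8_README next to it would help operators decide whether to keep the default.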
@ -471,5 +505,10 @@ CLEANUP(8) CLEANUP(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
CLEANUP(8)
|
||||
</pre> </body> </html>
|
||||
|
@ -33,10 +33,10 @@ BOUNCE(8) BOUNCE(8)
|
||||
tion is sent even when the log file or the original message cannot be
|
||||
read.
|
||||
|
||||
Optionally, a bounce (defer, trace) client can request that the per-
|
||||
message log file be deleted when the requested operation fails. This
|
||||
is used by clients that cannot retry transactions by themselves, and
|
||||
that depend on retry logic in their own client.
|
||||
Optionally, a bounce (defer, trace) client can request that the
|
||||
per-message log file be deleted when the requested operation fails.
|
||||
This is used by clients that cannot retry transactions by themselves,
|
||||
and that depend on retry logic in their own client.
|
||||
|
||||
<b>STANDARDS</b>
|
||||
<a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
|
||||
@ -46,6 +46,9 @@ BOUNCE(8) BOUNCE(8)
|
||||
<a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
|
||||
<a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
|
||||
<a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
|
||||
<a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
|
||||
<a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
|
||||
<a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
|
||||
|
||||
<b>DIAGNOSTICS</b>
|
||||
Problems and transactions are logged to <b>syslogd</b>(8).
|
||||
@ -104,9 +107,9 @@ BOUNCE(8) BOUNCE(8)
|
||||
internal communication channel.
|
||||
|
||||
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
|
||||
What categories of Postfix-generated mail are subject to before-
|
||||
queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and
|
||||
<a href="postconf.5.html#body_checks">body_checks</a>.
|
||||
What categories of Postfix-generated mail are subject to
|
||||
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
|
||||
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
|
||||
|
||||
<b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
|
||||
The mail system name that is displayed in Received: headers, in
|
||||
@ -140,6 +143,12 @@ BOUNCE(8) BOUNCE(8)
|
||||
syslog records, so that "smtpd" becomes, for example, "post-
|
||||
fix/smtpd".
|
||||
|
||||
Available in Postfix 3.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
|
||||
Detect that a message requires SMTPUTF8 support for the speci-
|
||||
fied mail origin classes.
|
||||
|
||||
<b>FILES</b>
|
||||
/var/spool/postfix/bounce/* non-delivery records
|
||||
/var/spool/postfix/defer/* non-delivery records
|
||||
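Review bot: The added block is introduced as "Available in Postfix 3.0 and later:" while the CLEANUP(8) hunk in this patch writes "Available in Postfix version 3.0 and later:"; pick one form. The smtputf8_autodetect_classes description repeats the CLEANUP(8) wording and does not say what bounce(8) does with the setting. One sentence on how it affects the notifications this daemon generates would make the entry useful here.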
@ -162,5 +171,10 @@ BOUNCE(8) BOUNCE(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
BOUNCE(8)
|
||||
</pre> </body> </html>
|
||||
|
@ -119,5 +119,10 @@ DISCARD(8) DISCARD(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
DISCARD(8)
|
||||
</pre> </body> </html>
|
||||
|
@ -19,12 +19,13 @@ DNSBLOG(8) DNSBLOG(8)
|
||||
|
||||
<b>PROTOCOL</b>
|
||||
With each connection, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server receives a DNS white/black-
|
||||
list domain name, IP address, and an ID. If the address is listed
|
||||
under the DNS white/blacklist, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server logs the match and
|
||||
replies with the query arguments plus an address list with the result-
|
||||
ing IP addresses separated by whitespace. Otherwise it replies with
|
||||
the query arguments plus an empty address list. Finally, The <a href="dnsblog.8.html"><b>dns-</b></a>
|
||||
<a href="dnsblog.8.html"><b>blog</b>(8)</a> server closes the connection.
|
||||
list domain name, an IP address, and an ID. If the IP address is
|
||||
listed under the DNS white/blacklist, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server logs the
|
||||
match and replies with the query arguments plus an address list with
|
||||
the resulting IP addresses, separated by whitespace, and the reply TTL.
|
||||
Otherwise it replies with the query arguments plus an empty address
|
||||
list and the reply TTL (-1 if unavailable). Finally, The <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a>
|
||||
server closes the connection.
|
||||
|
||||
<b>DIAGNOSTICS</b>
|
||||
Problems and transactions are logged to <b>syslogd</b>(8).
|
||||
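Review bot: The PROTOCOL paragraph now adds "the reply TTL" to both reply forms but never gives its unit, and "(-1 if unavailable)" appears only on the empty-list case, so it is unclear whether -1 can also accompany a non-empty address list. This is a change to the reply format between dnsblog(8) and its client, so add a sentence on whether a client that predates the change tolerates the extra field or whether both sides must be reloaded together. Minor: "Finally, The" keeps the stray capital from the old wording.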
@ -34,15 +35,15 @@ DNSBLOG(8) DNSBLOG(8)
|
||||
run for only a limited amount of time. Use the command "<b>postfix reload</b>"
|
||||
to speed up a change.
|
||||
|
||||
The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
|
||||
The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
|
||||
more details including examples.
|
||||
|
||||
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
|
||||
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
|
||||
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
|
||||
figuration files.
|
||||
|
||||
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
|
||||
How much time a Postfix daemon process may take to handle a
|
||||
How much time a Postfix daemon process may take to handle a
|
||||
request before it is terminated by a built-in watchdog timer.
|
||||
|
||||
<b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
|
||||
@ -50,7 +51,7 @@ DNSBLOG(8) DNSBLOG(8)
|
||||
factors.
|
||||
|
||||
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
|
||||
The time limit for sending or receiving information over an
|
||||
The time limit for sending or receiving information over an
|
||||
internal communication channel.
|
||||
|
||||
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
|
||||
@ -66,8 +67,8 @@ DNSBLOG(8) DNSBLOG(8)
|
||||
The syslog facility of Postfix logging.
|
||||
|
||||
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
|
||||
The mail system name that is prepended to the process name in
|
||||
syslog records, so that "smtpd" becomes, for example, "post-
|
||||
The mail system name that is prepended to the process name in
|
||||
syslog records, so that "smtpd" becomes, for example, "post-
|
||||
fix/smtpd".
|
||||
|
||||
<b>SEE ALSO</b>
|
||||
@ -87,5 +88,10 @@ DNSBLOG(8) DNSBLOG(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
DNSBLOG(8)
|
||||
</pre> </body> </html>
|
||||
|
@ -125,5 +125,10 @@ ERROR(8) ERROR(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
ERROR(8)
|
||||
</pre> </body> </html>
|
||||
|
@ -118,8 +118,9 @@ FLUSH(8) FLUSH(8)
|
||||
process will service before terminating voluntarily.
|
||||
|
||||
<b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' output)</b>
|
||||
What Postfix features match subdomains of "domain.tld" automati-
|
||||
cally, instead of requiring an explicit ".domain.tld" pattern.
|
||||
A list of Postfix features where the pattern "example.com" also
|
||||
matches subdomains of example.com, instead of requiring an
|
||||
explicit ".example.com" pattern.
|
||||
|
||||
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
|
||||
The process ID of a Postfix command or daemon process.
|
||||
@ -134,8 +135,8 @@ FLUSH(8) FLUSH(8)
|
||||
The syslog facility of Postfix logging.
|
||||
|
||||
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
|
||||
The mail system name that is prepended to the process name in
|
||||
syslog records, so that "smtpd" becomes, for example, "post-
|
||||
The mail system name that is prepended to the process name in
|
||||
syslog records, so that "smtpd" becomes, for example, "post-
|
||||
fix/smtpd".
|
||||
|
||||
<b>FILES</b>
|
||||
@ -164,5 +165,10 @@ FLUSH(8) FLUSH(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
FLUSH(8)
|
||||
</pre> </body> </html>
|
||||
|
@ -219,5 +219,10 @@ GENERIC(5) GENERIC(5)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
GENERIC(5)
|
||||
</pre> </body> </html>
|
||||
|
@ -124,17 +124,17 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
|
||||
<b>if /</b><i>pattern</i><b>/</b><i>flags</i>
|
||||
|
||||
<b>endif</b> Match the input string against the patterns between <b>if</b> and
|
||||
<b>endif</b>, if and only if the same input string also matches /<i>pat-</i>
|
||||
<i>tern</i>/. The <b>if</b>..<b>endif</b> can nest.
|
||||
<b>endif</b> If the input string matches /<i>pattern</i>/, then match that input
|
||||
string against the patterns between <b>if</b> and <b>endif</b>. The <b>if</b>..<b>endif</b>
|
||||
can nest.
|
||||
|
||||
Note: do not prepend whitespace to patterns inside <b>if</b>..<b>endif</b>.
|
||||
|
||||
<b>if !/</b><i>pattern</i><b>/</b><i>flags</i>
|
||||
|
||||
<b>endif</b> Match the input string against the patterns between <b>if</b> and
|
||||
<b>endif</b>, if and only if the same input string does <b>not</b> match /<i>pat-</i>
|
||||
<i>tern</i>/. The <b>if</b>..<b>endif</b> can nest.
|
||||
<b>endif</b> If the input string does not match /<i>pattern</i>/, then match that
|
||||
input string against the patterns between <b>if</b> and <b>endif</b>. The
|
||||
<b>if</b>..<b>endif</b> can nest.
|
||||
|
||||
blank lines and comments
|
||||
Empty lines and whitespace-only lines are ignored, as are lines
|
||||
@ -164,13 +164,32 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
Action names are case insensitive. They are shown in upper case for
|
||||
consistency with other Postfix documentation.
|
||||
|
||||
<b>BCC</b> <i>user@domain</i>
|
||||
Add the specified address as a BCC recipient, and inspect the
|
||||
next input line. The address must have a local part and domain
|
||||
part. The number of BCC addresses that can be added is limited
|
||||
only by the amount of available storage space.
|
||||
|
||||
Note 1: the BCC address is added as if it was specified with
|
||||
NOTIFY=NONE. The sender will not be notified when the BCC
|
||||
address is undeliverable, as long as all down-stream software
|
||||
implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
|
||||
|
||||
Note 2: this ignores duplicate addresses (with the same delivery
|
||||
status notification options).
|
||||
|
||||
This feature is available in Postfix 3.0 and later.
|
||||
|
||||
This feature is not supported with smtp header/body checks.
|
||||
|
||||
<b>DISCARD</b> <i>optional text...</i>
|
||||
Claim successful delivery and silently discard the message. Log
|
||||
the optional text if specified, otherwise log a generic message.
|
||||
Claim successful delivery and silently discard the message. Do
|
||||
not inspect the remainder of the input message. Log the
|
||||
optional text if specified, otherwise log a generic message.
|
||||
|
||||
Note: this action disables further header or <a href="postconf.5.html#body_checks">body_checks</a> inspec-
|
||||
tion of the current message and affects all recipients. To dis-
|
||||
card only one recipient without discarding the entire message,
|
||||
card only one recipient without discarding the entire message,
|
||||
use the <a href="transport.5.html">transport(5)</a> table to direct mail to the <a href="discard.8.html">discard(8)</a> ser-
|
||||
vice.
|
||||
|
||||
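Review bot: The new BCC entry says the number of added addresses is "limited only by the amount of available storage space", and because the action goes on to "inspect the next input line", one message with many matching header lines can accumulate many recipients. Document whether any recipient limit applies, or state plainly that none does. Per Note 1 the address is added as if NOTIFY=NONE, so a mistyped BCC target fails without any notification; the entry should recommend testing the pattern with WARN first. The entry also lacks the caution that FILTER carries about $number substitutions: say whether user@domain may be built from matched header text, and warn about it if so.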
@ -178,8 +197,8 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
|
||||
This feature is not supported with smtp header/body checks.
|
||||
|
||||
<b>DUNNO</b> Pretend that the input line did not match any pattern, and
|
||||
inspect the next input line. This action can be used to shorten
|
||||
<b>DUNNO</b> Pretend that the input line did not match any pattern, and
|
||||
inspect the next input line. This action can be used to shorten
|
||||
the table search.
|
||||
|
||||
For backwards compatibility reasons, Postfix also accepts <b>OK</b> but
|
||||
@ -188,13 +207,14 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
|
||||
<b>FILTER</b> <i>transport:destination</i>
|
||||
After the message is queued, send the entire message through the
|
||||
specified external content filter. The <i>transport</i> name specifies
|
||||
the first field of a mail delivery agent definition in <a href="master.5.html">mas-
|
||||
ter.cf</a>; the syntax of the next-hop <i>destination</i> is described in
|
||||
the manual page of the corresponding delivery agent. More
|
||||
information about external content filters is in the Postfix
|
||||
<a href="FILTER_README.html">FILTER_README</a> file.
|
||||
Override the <a href="postconf.5.html#content_filter">content_filter</a> parameter setting, and inspect the
|
||||
next input line. After the message is queued, send the entire
|
||||
message through the specified external content filter. The
|
||||
<i>transport</i> name specifies the first field of a mail delivery
|
||||
agent definition in <a href="master.5.html">master.cf</a>; the syntax of the next-hop <i>desti-</i>
|
||||
<i>nation</i> is described in the manual page of the corresponding
|
||||
delivery agent. More information about external content filters
|
||||
is in the Postfix <a href="FILTER_README.html">FILTER_README</a> file.
|
||||
|
||||
Note 1: do not use $<i>number</i> regular expression substitutions for
|
||||
<i>transport</i> or <i>destination</i> unless you know that the information
|
||||
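Review bot: With the added "and inspect the next input line", more than one FILTER rule can fire for the same message, but the visible text does not say which one takes effect. Add a sentence stating the precedence among multiple FILTER matches, so that operators who order rules to route mail through a scanner know whether a later rule can redirect it elsewhere. The first sentence, "Override the content_filter parameter setting", should also say that the override applies to the whole message and all of its recipients, if that is the case.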
@ -306,55 +326,55 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
headers.
|
||||
|
||||
<b>REJECT</b> <i>optional text...</i>
|
||||
Reject the entire message. Reply with <i>optional text...</i> when the
|
||||
optional text is specified, otherwise reply with a generic error
|
||||
message.
|
||||
Reject the entire message. Do not inspect the remainder of the
|
||||
input message. Reply with <i>optional text...</i> when the optional
|
||||
text is specified, otherwise reply with a generic error message.
|
||||
|
||||
Note: this action disables further header or <a href="postconf.5.html#body_checks">body_checks</a> inspec-
|
||||
tion of the current message and affects all recipients.
|
||||
|
||||
Postfix version 2.3 and later support enhanced status codes.
|
||||
When no code is specified at the beginning of <i>optional text...</i>,
|
||||
Postfix version 2.3 and later support enhanced status codes.
|
||||
When no code is specified at the beginning of <i>optional text...</i>,
|
||||
Postfix inserts a default enhanced status code of "5.7.1".
|
||||
|
||||
This feature is not supported with smtp header/body checks.
|
||||
|
||||
<b>WARN</b> <i>optional text...</i>
|
||||
Log a "warning:" record with the <i>optional text...</i> (or log a
|
||||
generic text), and inspect the next input line. This action is
|
||||
useful for debugging and for testing a pattern before applying
|
||||
Log a "warning:" record with the <i>optional text...</i> (or log a
|
||||
generic text), and inspect the next input line. This action is
|
||||
useful for debugging and for testing a pattern before applying
|
||||
more drastic actions.
|
||||
|
||||
<b>BUGS</b>
|
||||
Empty lines never match, because some map types mis-behave when given a
|
||||
zero-length search string. This limitation may be removed for regular
|
||||
zero-length search string. This limitation may be removed for regular
|
||||
expression tables in a future release.
|
||||
|
||||
Many people overlook the main limitations of header and <a href="postconf.5.html#body_checks">body_checks</a>
|
||||
Many people overlook the main limitations of header and <a href="postconf.5.html#body_checks">body_checks</a>
|
||||
rules.
|
||||
|
||||
<b>o</b> These rules operate on one logical message header or one body
|
||||
<b>o</b> These rules operate on one logical message header or one body
|
||||
line at a time. A decision made for one line is not carried over
|
||||
to the next line.
|
||||
|
||||
<b>o</b> If text in the message body is encoded (<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a>) then the rules
|
||||
need to be specified for the encoded form.
|
||||
|
||||
<b>o</b> Likewise, when message headers are encoded (<a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a>) then the
|
||||
<b>o</b> Likewise, when message headers are encoded (<a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a>) then the
|
||||
rules need to be specified for the encoded form.
|
||||
|
||||
Message headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself are excluded from
|
||||
inspection. Examples of such message headers are <b>From:</b>, <b>To:</b>, <b>Message-</b>
|
||||
<b>ID:</b>, <b>Date:</b>.
|
||||
inspection. Examples of such message headers are <b>From:</b>, <b>To:</b>, <b>Mes-</b>
|
||||
<b>sage-ID:</b>, <b>Date:</b>.
|
||||
|
||||
Message headers deleted by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon will be examined
|
||||
before they are deleted. Examples are: <b>Bcc:</b>, <b>Content-Length:</b>, <b>Return-</b>
|
||||
<b>Path:</b>.
|
||||
Message headers deleted by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon will be examined
|
||||
before they are deleted. Examples are: <b>Bcc:</b>, <b>Content-Length:</b>,
|
||||
<b>Return-Path:</b>.
|
||||
|
||||
<b>CONFIGURATION PARAMETERS</b>
|
||||
<b><a href="postconf.5.html#body_checks">body_checks</a></b>
|
||||
Lookup tables with content filter rules for message body lines.
|
||||
These filters see one physical line at a time, in chunks of at
|
||||
Lookup tables with content filter rules for message body lines.
|
||||
These filters see one physical line at a time, in chunks of at
|
||||
most <b>$<a href="postconf.5.html#line_length_limit">line_length_limit</a></b> bytes.
|
||||
|
||||
<b><a href="postconf.5.html#body_checks_size_limit">body_checks_size_limit</a></b>
|
||||
@ -366,38 +386,38 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
<b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>)
|
||||
|
||||
<b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>)
|
||||
Lookup tables with content filter rules for message header
|
||||
lines: respectively, these are applied to the initial message
|
||||
headers (not including MIME headers), to the MIME headers any-
|
||||
where in the message, and to the initial headers of attached
|
||||
Lookup tables with content filter rules for message header
|
||||
lines: respectively, these are applied to the initial message
|
||||
headers (not including MIME headers), to the MIME headers any-
|
||||
where in the message, and to the initial headers of attached
|
||||
messages.
|
||||
|
||||
Note: these filters see one logical message header at a time,
|
||||
Note: these filters see one logical message header at a time,
|
||||
even when a message header spans multiple lines. Message headers
|
||||
that are longer than <b>$<a href="postconf.5.html#header_size_limit">header_size_limit</a></b> characters are trun-
|
||||
that are longer than <b>$<a href="postconf.5.html#header_size_limit">header_size_limit</a></b> characters are trun-
|
||||
cated.
|
||||
|
||||
<b><a href="postconf.5.html#disable_mime_input_processing">disable_mime_input_processing</a></b>
|
||||
While receiving mail, give no special treatment to MIME related
|
||||
message headers; all text after the initial message headers is
|
||||
considered to be part of the message body. This means that
|
||||
While receiving mail, give no special treatment to MIME related
|
||||
message headers; all text after the initial message headers is
|
||||
considered to be part of the message body. This means that
|
||||
<b><a href="postconf.5.html#header_checks">header_checks</a></b> is applied to all the initial message headers, and
|
||||
that <b><a href="postconf.5.html#body_checks">body_checks</a></b> is applied to the remainder of the message.
|
||||
|
||||
Note: when used in this manner, <b><a href="postconf.5.html#body_checks">body_checks</a></b> will process a
|
||||
Note: when used in this manner, <b><a href="postconf.5.html#body_checks">body_checks</a></b> will process a
|
||||
multi-line message header one line at a time.
|
||||
|
||||
<b>EXAMPLES</b>
|
||||
Header pattern to block attachments with bad file name extensions. For
|
||||
convenience, the PCRE /x flag is specified, so that there is no need to
|
||||
collapse the pattern into a single line of text. The purpose of the
|
||||
collapse the pattern into a single line of text. The purpose of the
|
||||
[[:xdigit:]] sub-expressions is to recognize Windows CLSID strings.
|
||||
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks.pcre
|
||||
|
||||
/etc/postfix/header_checks.<a href="pcre_table.5.html">pcre</a>:
|
||||
/^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
|
||||
/^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(
|
||||
ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
|
||||
hlp|ht[at]|
|
||||
inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
|
||||
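Review bot: In the header_checks.pcre example, replacing `.*` with `[^;]*` after `name\s*=\s*"?` confines the match to one parameter, but it also stops at a semicolon that sits inside a quoted name value. A quoted file name with ';' ahead of the extension is therefore no longer covered by this rule. If that trade-off is intended, say so in the EXAMPLES paragraph. Otherwise handle the quoted form separately, matching up to the closing quote, and keep `[^;]*` for the unquoted form.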
@ -441,5 +461,10 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
HEADER_CHECKS(5)
|
||||
</pre> </body> </html>
|
||||
|
@ -46,7 +46,11 @@ configuration examples </a>
|
||||
|
||||
<li> <a href="IPV6_README.html"> IP Version 6 Support </a>
|
||||
|
||||
<li> <a href="MULTI_INSTANCE_README.html"> Multiple-instance management </a>
|
||||
<li> <a href="IPV6_README.html"> IP Version 6 Support </a>
|
||||
|
||||
<li> <a href="SMTPUTF8_README.html"> SMTPUTF8 Support </a>
|
||||
|
||||
<li> <a href="COMPATIBILITY_README.html"> Backwards-Compatibility Safety Net</a>
|
||||
|
||||
<li> <a href="INSTALL.html"> Installation from source code </a>
|
||||
|
||||
|
@ -187,11 +187,11 @@ LDAP_TABLE(5) LDAP_TABLE(5)
|
||||
returns no results.
|
||||
|
||||
<b>%[SUD]</b> The upper-case equivalents of the above expansions behave
|
||||
in the <b>query_filter</b> parameter identically to their lower-
|
||||
case counter-parts. With the <b>result_format</b> parameter
|
||||
(previously called <b>result_filter</b> see the COMPATIBILITY
|
||||
section and below), they expand to the corresponding com-
|
||||
ponents of input key rather than the result value.
|
||||
in the <b>query_filter</b> parameter identically to their
|
||||
lower-case counter-parts. With the <b>result_format</b> parame-
|
||||
ter (previously called <b>result_filter</b> see the COMPATIBIL-
|
||||
ITY section and below), they expand to the corresponding
|
||||
components of input key rather than the result value.
|
||||
|
||||
The above %S, %U and %D expansions are available with
|
||||
Postfix 2.2 and later.
|
||||
@ -269,11 +269,11 @@ LDAP_TABLE(5) LDAP_TABLE(5)
|
||||
|
||||
<b>domain (default: no domain list)</b>
|
||||
This is a list of domain names, paths to files, or dictionaries.
|
||||
When specified, only fully qualified search keys with a *non-
|
||||
empty* localpart and a matching domain are eligible for lookup:
|
||||
'user' lookups, bare domain lookups and "@domain" lookups are
|
||||
not performed. This can significantly reduce the query load on
|
||||
the LDAP server.
|
||||
When specified, only fully qualified search keys with a
|
||||
*non-empty* localpart and a matching domain are eligible for
|
||||
lookup: 'user' lookups, bare domain lookups and "@domain"
|
||||
lookups are not performed. This can significantly reduce the
|
||||
query load on the LDAP server.
|
||||
|
||||
domain = postfix.org, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains
|
||||
|
||||
@ -320,9 +320,9 @@ LDAP_TABLE(5) LDAP_TABLE(5)
|
||||
Postfix table.
|
||||
|
||||
If an LDAP URL attribute-descriptor or the corresponding Postfix
|
||||
LDAP table result attribute (but not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> sub-
|
||||
type options ("attr;option"), the attribute requested from the
|
||||
LDAP server will include the sub-type option. In all other
|
||||
LDAP table result attribute (but not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>
|
||||
sub-type options ("attr;option"), the attribute requested from
|
||||
the LDAP server will include the sub-type option. In all other
|
||||
cases, the URL attribute and the table attribute must match
|
||||
exactly. Attributes with options in both the URL and the Postfix
|
||||
table are requested only when the options are identical. LDAP
|
||||
@ -350,8 +350,8 @@ LDAP_TABLE(5) LDAP_TABLE(5)
|
||||
This feature is available with Postfix 2.4 or later.
|
||||
|
||||
<b>leaf_result_attribute (default: empty)</b>
|
||||
When one or more special result attributes are found in a non-
|
||||
terminal (see above) LDAP entry, leaf result attributes are
|
||||
When one or more special result attributes are found in a
|
||||
non-terminal (see above) LDAP entry, leaf result attributes are
|
||||
excluded from the expansion of that entry. This is useful when
|
||||
expanding groups and the desired mail address attribute(s) of
|
||||
the member objects obtained via DN or URI recursion are also
|
||||
@ -565,10 +565,10 @@ LDAP_TABLE(5) LDAP_TABLE(5)
|
||||
cally when the TCP connection is opened).
|
||||
|
||||
<b>tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)</b>
|
||||
Directory containing X509 Certificate Authority certificates in
|
||||
PEM format which are to be recognized by the client in SSL/TLS
|
||||
connections. The files each contain one CA certificate. The
|
||||
files are looked up by the CA subject name hash value, which
|
||||
Directory containing X509 Certification Authority certificates
|
||||
in PEM format which are to be recognized by the client in
|
||||
SSL/TLS connections. The files each contain one CA certificate.
|
||||
The files are looked up by the CA subject name hash value, which
|
||||
must hence be available. If more than one CA certificate with
|
||||
the same name hash value exist, the extension must be different
|
||||
(e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in
|
||||
@ -577,7 +577,7 @@ LDAP_TABLE(5) LDAP_TABLE(5)
|
||||
OpenSSL distribution) to create the necessary links.
|
||||
|
||||
<b>tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)</b>
|
||||
File containing the X509 Certificate Authority certificates in
|
||||
File containing the X509 Certification Authority certificates in
|
||||
PEM format which are to be recognized by the client in SSL/TLS
|
||||
connections. This setting takes precedence over tls_ca_cert_dir.
|
||||
|
||||
|
@ -20,9 +20,9 @@ LMDB_TABLE(5) LMDB_TABLE(5)
|
||||
<b>postmap -q - <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
|
||||
|
||||
<b>DESCRIPTION</b>
|
||||
The Postfix LMDB adapter provides access to a persistent, memory-
|
||||
mapped, key-value store. The database size is limited only by the size
|
||||
of the memory address space (typically 31 or 47 bits on 32-bit or
|
||||
The Postfix LMDB adapter provides access to a persistent, mem-
|
||||
ory-mapped, key-value store. The database size is limited only by the
|
||||
size of the memory address space (typically 31 or 47 bits on 32-bit or
|
||||
64-bit CPUs, respectively) and by the available file system space.
|
||||
|
||||
<b>REQUESTS</b>
|
||||
@ -48,7 +48,7 @@ LMDB_TABLE(5) LMDB_TABLE(5)
|
||||
LMDB's copy-on-write architecture provides safe updates, at the cost of
|
||||
using more space than some other flat-file databases. Read operations
|
||||
are memory-mapped for speed. Write operations are not memory-mapped to
|
||||
avoid silent curruption due to stray pointer bugs.
|
||||
avoid silent corruption due to stray pointer bugs.
|
||||
|
||||
Multiple processes can safely update an LMDB database without serializ-
|
||||
ing requests through the <a href="proxymap.8.html">proxymap(8)</a> service. This makes LMDB suitable
|
||||
@ -64,17 +64,16 @@ LMDB_TABLE(5) LMDB_TABLE(5)
|
||||
Every Postfix LMDB database read or write transaction must be protected
|
||||
from start to end with a shared or exclusive fcntl(2) lock. A writer
|
||||
may atomically downgrade an exclusive lock to a shared lock, but it
|
||||
must acquire an exclusive lock between updating the database and start-
|
||||
ing another write transaction.
|
||||
must hold an exclusive lock while opening another write transaction.
|
||||
|
||||
Note that fcntl(2) locks do not protect transactions within the same
|
||||
process against each other. If a program cannot avoid making simulta-
|
||||
neous database requests, then it must protect its transactions with in-
|
||||
process locks, in addition to the per-process fcntl(2) locks.
|
||||
Note that fcntl(2) locks do not protect transactions within the same
|
||||
process against each other. If a program cannot avoid making simulta-
|
||||
neous database requests, then it must protect its transactions with
|
||||
in-process locks, in addition to the per-process fcntl(2) locks.
|
||||
|
||||
<b>CONFIGURATION PARAMETERS</b>
|
||||
Short-lived programs automatically pick up changes to <a href="postconf.5.html">main.cf</a>. With
|
||||
long-running daemon programs, Use the command "<b>postfix reload</b>" after a
|
||||
Short-lived programs automatically pick up changes to <a href="postconf.5.html">main.cf</a>. With
|
||||
long-running daemon programs, Use the command "<b>postfix reload</b>" after a
|
||||
configuration change.
|
||||
|
||||
<b><a href="postconf.5.html#lmdb_map_size">lmdb_map_size</a> (default: 16777216)</b>
|
||||
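Review bot: In the rewritten locking paragraph, "but it must hold an exclusive lock while opening another write transaction" no longer says that a writer which has downgraded to a shared lock has to re-acquire the exclusive lock first; the earlier wording ("must acquire an exclusive lock between updating the database and starting another write transaction") made that step explicit. Consider "must re-acquire and hold an exclusive lock before opening another write transaction". The rewrapped CONFIGURATION PARAMETERS lines also still read "With long-running daemon programs, Use the command", with a stray capital in "Use".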
@ -104,5 +103,10 @@ LMDB_TABLE(5) LMDB_TABLE(5)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
LMDB_TABLE(5)
|
||||
</pre> </body> </html>
|
||||
|
209
external/ibm-public/postfix/dist/html/lmtp.8.html
vendored
@ -107,6 +107,9 @@ SMTP(8) SMTP(8)
|
||||
<a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
|
||||
<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
|
||||
<a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
|
||||
<a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
|
||||
<a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
|
||||
<a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
|
||||
|
||||
<b>DIAGNOSTICS</b>
|
||||
Problems and transactions are logged to <b>syslogd</b>(8). Corrupted message
|
||||
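Review bot: The RFC list gains RFC 6531 and RFC 6533 but not RFC 6532 (Internationalized Email Headers), while the smtputf8_enable entry added further down in this same file cites "RFC 6531..6533". Either list RFC 6532 here as well or narrow the range in the smtputf8_enable text so the two places agree.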
@ -219,42 +222,43 @@ SMTP(8) SMTP(8)
|
||||
Available in Postfix version 2.2.9 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
|
||||
Allow DNS CNAME records to override the servername that the
|
||||
Postfix SMTP client uses for logging, SASL password lookup, TLS
|
||||
policy decisions, or TLS certificate verification.
|
||||
When the remote SMTP servername is a DNS CNAME, replace the
|
||||
servername with the result from CNAME expansion for the purpose
|
||||
of logging, SASL password lookup, TLS policy decisions, or TLS
|
||||
certificate verification.
|
||||
|
||||
Available in Postfix version 2.3 and later:
|
||||
|
||||
<b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b>
|
||||
Lookup tables, indexed by the remote LMTP server address, with
|
||||
case insensitive lists of LHLO keywords (pipelining, starttls,
|
||||
Lookup tables, indexed by the remote LMTP server address, with
|
||||
case insensitive lists of LHLO keywords (pipelining, starttls,
|
||||
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
|
||||
response from a remote LMTP server.
|
||||
|
||||
<b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
|
||||
A case insensitive list of LHLO keywords (pipelining, starttls,
|
||||
A case insensitive list of LHLO keywords (pipelining, starttls,
|
||||
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
|
||||
response from a remote LMTP server.
|
||||
|
||||
Available in Postfix version 2.4.4 and later:
|
||||
|
||||
<b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
|
||||
When authenticating to a remote SMTP or LMTP server with the
|
||||
default setting "no", send no SASL authoriZation ID (authzid);
|
||||
send only the SASL authentiCation ID (authcid) plus the auth-
|
||||
When authenticating to a remote SMTP or LMTP server with the
|
||||
default setting "no", send no SASL authoriZation ID (authzid);
|
||||
send only the SASL authentiCation ID (authcid) plus the auth-
|
||||
cid's password.
|
||||
|
||||
Available in Postfix version 2.5 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b>
|
||||
Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client.
|
||||
Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b>
|
||||
Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP
|
||||
Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP
|
||||
client.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b>
|
||||
Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP
|
||||
Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP
|
||||
client.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b>
|
||||
@ -263,7 +267,7 @@ SMTP(8) SMTP(8)
|
||||
Available in Postfix version 2.6 and later:
|
||||
|
||||
<b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
|
||||
An optional workaround for routers that break TCP window scal-
|
||||
An optional workaround for routers that break TCP window scal-
|
||||
ing.
|
||||
|
||||
Available in Postfix version 2.8 and later:
|
||||
@ -274,14 +278,14 @@ SMTP(8) SMTP(8)
|
||||
Available in Postfix version 2.9 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
|
||||
Change the behavior of the smtp_*_timeout time limits, from a
|
||||
time limit per read or write system call, to a time limit to
|
||||
send or receive a complete record (an SMTP command line, SMTP
|
||||
response line, SMTP message content line, or TLS protocol mes-
|
||||
Change the behavior of the smtp_*_timeout time limits, from a
|
||||
time limit per read or write system call, to a time limit to
|
||||
send or receive a complete record (an SMTP command line, SMTP
|
||||
response line, SMTP message content line, or TLS protocol mes-
|
||||
sage).
|
||||
|
||||
<b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
|
||||
Whether or not to append the "AUTH=<>" option to the MAIL FROM
|
||||
Whether or not to append the "AUTH=<>" option to the MAIL FROM
|
||||
command in SASL-authenticated SMTP sessions.
|
||||
|
||||
Available in Postfix version 2.11 and later:
|
||||
@ -289,6 +293,16 @@ SMTP(8) SMTP(8)
|
||||
<b><a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> (empty)</b>
|
||||
Level of DNS support in the Postfix SMTP client.
|
||||
|
||||
Available in Postfix version 3.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_delivery_status_filter">smtp_delivery_status_filter</a> ($<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b>
|
||||
Optional filter for the <a href="smtp.8.html"><b>smtp</b>(8)</a> delivery agent to change the
|
||||
delivery status code or explanatory text of successful or unsuc-
|
||||
cessful deliveries.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_dns_reply_filter">smtp_dns_reply_filter</a> (empty)</b>
|
||||
Optional filter for Postfix SMTP client DNS lookup results.
|
||||
|
||||
<b>MIME PROCESSING CONTROLS</b>
|
||||
Available in Postfix version 2.0 and later:
|
||||
|
||||
@ -305,7 +319,7 @@ SMTP(8) SMTP(8)
|
||||
Available in Postfix version 2.1 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
|
||||
Send the non-standard XFORWARD command when the Postfix SMTP
|
||||
Send the non-standard XFORWARD command when the Postfix SMTP
|
||||
server EHLO response announces XFORWARD support.
|
||||
|
||||
<b>SASL AUTHENTICATION CONTROLS</b>
|
||||
@ -313,62 +327,62 @@ SMTP(8) SMTP(8)
|
||||
Enable SASL authentication in the Postfix SMTP client.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
|
||||
Optional Postfix SMTP client lookup tables with one user-
|
||||
name:password entry per remote hostname or domain, or sender
|
||||
address when sender-dependent authentication is enabled.
|
||||
Optional Postfix SMTP client lookup tables with one user-
|
||||
name:password entry per sender, remote hostname or next-hop
|
||||
domain.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
|
||||
Postfix SMTP client SASL security options; as of Postfix 2.3 the
|
||||
list of available features depends on the SASL client implemen-
|
||||
list of available features depends on the SASL client implemen-
|
||||
tation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
|
||||
|
||||
Available in Postfix version 2.2 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
|
||||
If non-empty, a Postfix SMTP client filter for the remote SMTP
|
||||
If non-empty, a Postfix SMTP client filter for the remote SMTP
|
||||
server's list of offered SASL mechanisms.
|
||||
|
||||
Available in Postfix version 2.3 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
|
||||
Enable sender-dependent authentication in the Postfix SMTP
|
||||
client; this is available only with SASL authentication, and
|
||||
disables SMTP connection caching to ensure that mail from dif-
|
||||
client; this is available only with SASL authentication, and
|
||||
disables SMTP connection caching to ensure that mail from dif-
|
||||
ferent senders will use the appropriate credentials.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
|
||||
Implementation-specific information that the Postfix SMTP client
|
||||
passes through to the SASL plug-in implementation that is
|
||||
passes through to the SASL plug-in implementation that is
|
||||
selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
|
||||
The SASL plug-in type that the Postfix SMTP client should use
|
||||
The SASL plug-in type that the Postfix SMTP client should use
|
||||
for authentication.
|
||||
|
||||
Available in Postfix version 2.5 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
|
||||
An optional table to prevent repeated SASL authentication fail-
|
||||
ures with the same remote SMTP server hostname, username and
|
||||
An optional table to prevent repeated SASL authentication fail-
|
||||
ures with the same remote SMTP server hostname, username and
|
||||
password.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
|
||||
The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it
|
||||
The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it
|
||||
is removed.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
|
||||
When a remote SMTP server rejects a SASL authentication request
|
||||
with a 535 reply code, defer mail delivery instead of returning
|
||||
When a remote SMTP server rejects a SASL authentication request
|
||||
with a 535 reply code, defer mail delivery instead of returning
|
||||
mail as undeliverable.
|
||||
|
||||
Available in Postfix version 2.9 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
|
||||
Whether or not to append the "AUTH=<>" option to the MAIL FROM
|
||||
Whether or not to append the "AUTH=<>" option to the MAIL FROM
|
||||
command in SASL-authenticated SMTP sessions.
|
||||
|
||||
<b>STARTTLS SUPPORT CONTROLS</b>
|
||||
Detailed information about STARTTLS configuration may be found in the
|
||||
Detailed information about STARTTLS configuration may be found in the
|
||||
<a href="TLS_README.html">TLS_README</a> document.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
|
||||
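Review bot: The new smtp_sasl_password_maps summary, "one username:password entry per sender, remote hostname or next-hop domain", drops the condition from the earlier text that sender keys apply only "when sender-dependent authentication is enabled". Since smtp_sender_dependent_authentication is listed with default "no" a few entries below in this hunk, keep the qualifier so readers do not expect sender entries to match by default.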
@ -378,20 +392,20 @@ SMTP(8) SMTP(8)
|
||||
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
|
||||
The SASL authentication security options that the Postfix SMTP
|
||||
The SASL authentication security options that the Postfix SMTP
|
||||
client uses for TLS encrypted SMTP sessions.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
|
||||
Time limit for Postfix SMTP client write and read operations
|
||||
Time limit for Postfix SMTP client write and read operations
|
||||
during TLS startup and shutdown handshake procedures.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
|
||||
A file containing CA certificates of root CAs trusted to sign
|
||||
either remote SMTP server certificates or intermediate CA cer-
|
||||
A file containing CA certificates of root CAs trusted to sign
|
||||
either remote SMTP server certificates or intermediate CA cer-
|
||||
tificates.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
|
||||
Directory with PEM format certificate authority certificates
|
||||
Directory with PEM format Certification Authority certificates
|
||||
that the Postfix SMTP client uses to verify a remote SMTP server
|
||||
certificate.
|
||||
|
||||
@ -399,7 +413,7 @@ SMTP(8) SMTP(8)
|
||||
File with the Postfix SMTP client RSA certificate in PEM format.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
|
||||
The minimum TLS cipher grade that the Postfix SMTP client will
|
||||
The minimum TLS cipher grade that the Postfix SMTP client will
|
||||
use with mandatory TLS encryption.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
|
||||
@ -407,8 +421,8 @@ SMTP(8) SMTP(8)
|
||||
client cipher list at all TLS security levels.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
|
||||
Additional list of ciphers or cipher types to exclude from the
|
||||
Postfix SMTP client cipher list at mandatory TLS security lev-
|
||||
Additional list of ciphers or cipher types to exclude from the
|
||||
Postfix SMTP client cipher list at mandatory TLS security lev-
|
||||
els.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
|
||||
@ -424,7 +438,7 @@ SMTP(8) SMTP(8)
|
||||
Enable additional Postfix SMTP client logging of TLS activity.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
|
||||
Log the hostname of a remote SMTP server that offers STARTTLS,
|
||||
Log the hostname of a remote SMTP server that offers STARTTLS,
|
||||
when TLS is not already enabled for that server.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
|
||||
@ -433,14 +447,14 @@ SMTP(8) SMTP(8)
|
||||
fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2, !SSLv3)</b>
|
||||
List of SSL/TLS protocols that the Postfix SMTP client will use
|
||||
List of SSL/TLS protocols that the Postfix SMTP client will use
|
||||
with mandatory TLS encryption.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
|
||||
The verification depth for remote SMTP server certificates.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
|
||||
How the Postfix SMTP client verifies the server certificate
|
||||
How the Postfix SMTP client verifies the server certificate
|
||||
peername for the "secure" TLS security level.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
|
||||
@ -448,77 +462,77 @@ SMTP(8) SMTP(8)
|
||||
session cache.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
|
||||
The expiration time of Postfix SMTP client TLS session cache
|
||||
The expiration time of Postfix SMTP client TLS session cache
|
||||
information.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
|
||||
How the Postfix SMTP client verifies the server certificate
|
||||
How the Postfix SMTP client verifies the server certificate
|
||||
peername for the "verify" TLS security level.
|
||||
|
||||
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
|
||||
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
|
||||
process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
|
||||
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
|
||||
process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
|
||||
internal pseudo random number generator (PRNG).
|
||||
|
||||
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
|
||||
The OpenSSL cipherlist for "HIGH" grade ciphers.
|
||||
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (see 'postconf -d' output)</b>
|
||||
The OpenSSL cipherlist for "high" grade ciphers.
|
||||
|
||||
<b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
|
||||
The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers.
|
||||
<b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (see 'postconf -d' output)</b>
|
||||
The OpenSSL cipherlist for "medium" or higher grade ciphers.
|
||||
|
||||
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
|
||||
The OpenSSL cipherlist for "LOW" or higher grade ciphers.
|
||||
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (see 'postconf -d' output)</b>
|
||||
The OpenSSL cipherlist for "low" or higher grade ciphers.
|
||||
|
||||
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
|
||||
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
|
||||
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (see 'postconf -d' output)</b>
|
||||
The OpenSSL cipherlist for "export" or higher grade ciphers.
|
||||
|
||||
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
|
||||
The OpenSSL cipherlist for "NULL" grade ciphers that provide
|
||||
The OpenSSL cipherlist for "NULL" grade ciphers that provide
|
||||
authentication without encryption.
|
||||
|
||||
Available in Postfix version 2.4 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> ($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_secu</a>-</b>
|
||||
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">rity_options</a>)</b>
|
||||
The SASL authentication security options that the Postfix SMTP
|
||||
client uses for TLS encrypted SMTP sessions with a verified
|
||||
The SASL authentication security options that the Postfix SMTP
|
||||
client uses for TLS encrypted SMTP sessions with a verified
|
||||
server certificate.
|
||||
|
||||
Available in Postfix version 2.5 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
|
||||
List of acceptable remote SMTP server certificate fingerprints
|
||||
for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b>
|
||||
List of acceptable remote SMTP server certificate fingerprints
|
||||
for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b>
|
||||
<b><a href="postconf.5.html#smtp_tls_security_level">rity_level</a></b> = fingerprint).
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
|
||||
The message digest algorithm used to construct remote SMTP
|
||||
The message digest algorithm used to construct remote SMTP
|
||||
server certificate fingerprints.
|
||||
|
||||
Available in Postfix version 2.6 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2, !SSLv3)</b>
|
||||
List of TLS protocols that the Postfix SMTP client will exclude
|
||||
List of TLS protocols that the Postfix SMTP client will exclude
|
||||
or include with opportunistic TLS encryption.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (medium)</b>
|
||||
The minimum TLS cipher grade that the Postfix SMTP client will
|
||||
The minimum TLS cipher grade that the Postfix SMTP client will
|
||||
use with opportunistic TLS encryption.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
|
||||
File with the Postfix SMTP client ECDSA certificate in PEM for-
|
||||
File with the Postfix SMTP client ECDSA certificate in PEM for-
|
||||
mat.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
|
||||
File with the Postfix SMTP client ECDSA private key in PEM for-
|
||||
File with the Postfix SMTP client ECDSA private key in PEM for-
|
||||
mat.
|
||||
|
||||
Available in Postfix version 2.7 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
|
||||
Try to detect a mail hijacking attack based on a TLS protocol
|
||||
vulnerability (CVE-2009-3555), where an attacker prepends mali-
|
||||
cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
|
||||
Try to detect a mail hijacking attack based on a TLS protocol
|
||||
vulnerability (CVE-2009-3555), where an attacker prepends mali-
|
||||
cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
|
||||
TLS session.
|
||||
|
||||
Available in Postfix version 2.8 and later:
|
||||
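Review bot: Replacing the explicit tls_high_cipherlist, tls_medium_cipherlist, tls_low_cipherlist and tls_export_cipherlist defaults with "see 'postconf -d' output" removes the only place where this page showed what each grade contains (for example the "+RC4" term), so the text should at least say that the value depends on the installed version. The grade names are also lowercased to "high", "medium", "low" and "export" while tls_null_cipherlist keeps "NULL" in the same list; pick one convention.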
@ -529,11 +543,11 @@ SMTP(8) SMTP(8)
|
||||
Available in Postfix version 2.11 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b>
|
||||
Zero or more PEM-format files with trust-anchor certificates
|
||||
Zero or more PEM-format files with trust-anchor certificates
|
||||
and/or public keys.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> (no)</b>
|
||||
Lookup the associated DANE TLSA RRset even when a hostname is
|
||||
Lookup the associated DANE TLSA RRset even when a hostname is
|
||||
not an alias and its address records lie in an unsigned zone.
|
||||
|
||||
<b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
|
||||
@ -542,6 +556,19 @@ SMTP(8) SMTP(8)
|
||||
<b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
|
||||
The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
|
||||
|
||||
Available in Postfix version 3.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
|
||||
Request that the Postfix SMTP client connects using the legacy
|
||||
SMTPS protocol instead of using the STARTTLS command.
|
||||
|
||||
Available in Postfix version 3.1 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
|
||||
The TLS policy for MX hosts with "secure" TLSA records when the
|
||||
nexthop destination security level is <b>dane</b>, but the MX record
|
||||
was found via an "insecure" MX lookup.
|
||||
|
||||
<b>OBSOLETE STARTTLS CONTROLS</b>
|
||||
The following configuration parameters exist for compatibility with
|
||||
Postfix versions before 2.3. Support for these will be removed in a
|
||||
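Review bot: The added smtp_tls_dane_insecure_mx_policy summary puts "secure" and "insecure" in quotes without saying what they describe; state that they refer to the DNSSEC validation status of the TLSA and MX lookups. The smtp_tls_wrappermode entry sits under STARTTLS SUPPORT CONTROLS although it describes connecting "instead of using the STARTTLS command", so a cross-reference to smtp_tls_security_level would help readers find the setting that decides whether TLS is enforced in that mode.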
@ -682,6 +709,17 @@ SMTP(8) SMTP(8)
|
||||
that an SMTP session may be reused before it is closed, or zero
|
||||
(no limit).
|
||||
|
||||
<b>SMTPUTF8 CONTROLS</b>
|
||||
Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
|
||||
|
||||
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
|
||||
Enable preliminary SMTPUTF8 support for the protocols described
|
||||
in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
|
||||
|
||||
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
|
||||
Detect that a message requires SMTPUTF8 support for the speci-
|
||||
fied mail origin classes.
|
||||
|
||||
<b>TROUBLE SHOOTING CONTROLS</b>
|
||||
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
|
||||
The increment in verbose logging level when a remote client or
|
||||
@ -698,9 +736,9 @@ SMTP(8) SMTP(8)
|
||||
col errors.
|
||||
|
||||
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
|
||||
What categories of Postfix-generated mail are subject to before-
|
||||
queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and
|
||||
<a href="postconf.5.html#body_checks">body_checks</a>.
|
||||
What categories of Postfix-generated mail are subject to
|
||||
before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
|
||||
<a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
|
||||
|
||||
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
|
||||
The list of error classes that are reported to the postmaster.
|
||||
@ -777,7 +815,7 @@ SMTP(8) SMTP(8)
|
||||
client should bind to when making an IPv6 connection.
|
||||
|
||||
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
|
||||
The hostname to send in the SMTP EHLO or HELO command.
|
||||
The hostname to send in the SMTP HELO or EHLO command.
|
||||
|
||||
<b><a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
|
||||
The hostname to send in the LMTP LHLO command.
|
||||
@ -809,6 +847,18 @@ SMTP(8) SMTP(8)
|
||||
Optional list of relay hosts for SMTP destinations that can't be
|
||||
found or that are unreachable.
|
||||
|
||||
Available with Postfix 3.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
|
||||
In the context of email address verification, the SMTP protocol
|
||||
stage that determines whether an email address is deliverable.
|
||||
|
||||
Available with Postfix 3.1 and later:
|
||||
|
||||
<b><a href="postconf.5.html#lmtp_fallback_relay">lmtp_fallback_relay</a> (empty)</b>
|
||||
Optional list of relay hosts for LMTP destinations that can't be
|
||||
found or that are unreachable.
|
||||
|
||||
<b>SEE ALSO</b>
|
||||
<a href="generic.5.html">generic(5)</a>, output address rewriting
|
||||
<a href="header_checks.5.html">header_checks(5)</a>, message header content inspection
|
||||
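Review bot: The smtp_address_verify_target entry gives the default (rcpt) but not the other protocol stages the parameter accepts, so a reader cannot tell from this page what the alternative to the default is or when to choose it; list the accepted values here or say explicitly that they are in postconf(5). Also, the headings here read "Available with Postfix 3.0 and later" and "Available with Postfix 3.1 and later", while the local(8) page in this same diff uses "Available in Postfix version 3.0 and later"; pick one form.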
@ -835,6 +885,11 @@ SMTP(8) SMTP(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
Command pipelining in cooperation with:
|
||||
Jon Ribbens
|
||||
Oaktree Internet Solutions Ltd.,
|
||||
|
@ -30,10 +30,10 @@ LOCAL(8) LOCAL(8)
|
||||
EXTENSION below for a few exceptions.
|
||||
|
||||
<b>SYSTEM-WIDE AND USER-LEVEL ALIASING</b>
|
||||
The system administrator can set up one or more system-wide <b>sendmail</b>-
|
||||
style alias databases. Users can have <b>sendmail</b>-style ~/.<b>forward</b> files.
|
||||
Mail for <i>name</i> is delivered to the alias <i>name</i>, to destinations in
|
||||
~<i>name</i>/.<b>forward</b>, to the mailbox owned by the user <i>name</i>, or it is sent
|
||||
The system administrator can set up one or more system-wide <b>send-</b>
|
||||
<b>mail</b>-style alias databases. Users can have <b>sendmail</b>-style ~/.<b>forward</b>
|
||||
files. Mail for <i>name</i> is delivered to the alias <i>name</i>, to destinations
|
||||
in ~<i>name</i>/.<b>forward</b>, to the mailbox owned by the user <i>name</i>, or it is sent
|
||||
back as undeliverable.
|
||||
|
||||
The system administrator can specify a comma/space separated list of
|
||||
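Review bot: In the re-wrapped SYSTEM-WIDE AND USER-LEVEL ALIASING paragraph, "sendmail" is now hyphenated across a line break and split over two bold elements (<b>send-</b> followed by <b>mail</b>-style), so a text search for "sendmail" in the rendered page misses this occurrence. The previous wrap kept the word whole inside one <b> element; prefer a wrap that does not break marked-up terms.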
@ -258,8 +258,8 @@ LOCAL(8) LOCAL(8)
|
||||
In the case of <b>maildir</b> delivery, the local daemon prepends an optional
|
||||
<b>Delivered-To:</b> header with the final envelope recipient address, and
|
||||
prepends an <b>X-Original-To:</b> header with the recipient address as given
|
||||
to Postfix. The envelope sender address is available in the <b>Return-</b>
|
||||
<b>Path:</b> header.
|
||||
to Postfix. The envelope sender address is available in the
|
||||
<b>Return-Path:</b> header.
|
||||
|
||||
<b>ADDRESS EXTENSION</b>
|
||||
The optional <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a></b> configuration parameter specifies how
|
||||
@ -327,9 +327,9 @@ LOCAL(8) LOCAL(8)
|
||||
Whether or not to use the local <a href="postconf.5.html#biff">biff</a> service.
|
||||
|
||||
<b><a href="postconf.5.html#expand_owner_alias">expand_owner_alias</a> (no)</b>
|
||||
When delivering to an alias "aliasname" that has an "owner-
|
||||
aliasname" companion alias, set the envelope sender address to
|
||||
the expansion of the "owner-aliasname" alias.
|
||||
When delivering to an alias "aliasname" that has an
|
||||
"owner-aliasname" companion alias, set the envelope sender
|
||||
address to the expansion of the "owner-aliasname" alias.
|
||||
|
||||
<b><a href="postconf.5.html#owner_request_special">owner_request_special</a> (yes)</b>
|
||||
Give special treatment to owner-listname and listname-request
|
||||
@ -358,6 +358,13 @@ LOCAL(8) LOCAL(8)
|
||||
attribute, when delivering mail to a child alias that does not
|
||||
have its own owner alias.
|
||||
|
||||
Available in Postfix version 3.0 and later:
|
||||
|
||||
<b><a href="postconf.5.html#local_delivery_status_filter">local_delivery_status_filter</a> ($<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b>
|
||||
Optional filter for the <a href="local.8.html"><b>local</b>(8)</a> delivery agent to change the
|
||||
status code or explanatory text of successful or unsuccessful
|
||||
deliveries.
|
||||
|
||||
<b>DELIVERY METHOD CONTROLS</b>
|
||||
The precedence of <a href="local.8.html"><b>local</b>(8)</a> delivery methods from high to low is:
|
||||
aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a>, <a href="postconf.5.html#mailbox_transport">mailbox_transport</a>,
|
||||
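Review bot: The local_delivery_status_filter summary says the filter can change the status code of successful or unsuccessful deliveries but states no limits on that. The status code decides whether a message is bounced, retried or treated as delivered, so the entry should say, or name the place that says, which rewrites are permitted, for example whether a failure can be turned into a success. As written, the operator has to follow the default_delivery_status_filter link to find out.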
@ -587,5 +594,10 @@ LOCAL(8) LOCAL(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
LOCAL(8)
|
||||
</pre> </body> </html>
|
||||
|
@ -156,11 +156,11 @@ SENDMAIL(1) SENDMAIL(1)
|
||||
Backwards compatibility.
|
||||
|
||||
<b>-N</b> <i>dsn</i> (default: 'delay, failure')
|
||||
Delivery status notification control. Specify either a comma-
|
||||
separated list with one or more of <b>failure</b> (send notification
|
||||
when delivery fails), <b>delay</b> (send notification when delivery is
|
||||
delayed), or <b>success</b> (send notification when the message is
|
||||
delivered); or specify <b>never</b> (don't send any notifications at
|
||||
Delivery status notification control. Specify either a
|
||||
comma-separated list with one or more of <b>failure</b> (send notifica-
|
||||
tion when delivery fails), <b>delay</b> (send notification when deliv-
|
||||
ery is delayed), or <b>success</b> (send notification when the message
|
||||
is delivered); or specify <b>never</b> (don't send any notifications at
|
||||
all).
|
||||
|
||||
This feature is available in Postfix 2.3 and later.
|
||||
@ -255,10 +255,10 @@ SENDMAIL(1) SENDMAIL(1)
|
||||
of the form <i>owner-listname</i>@<i>origin</i>, each recipient <i>user</i>@<i>domain</i>
|
||||
receives mail with a personalized envelope sender address.
|
||||
|
||||
By default, the personalized envelope sender address is <i>owner-</i>
|
||||
<i>listname</i><b>+</b><i>user</i><b>=</b><i>domain</i>@<i>origin</i>. The default <b>+</b> and <b>=</b> characters are
|
||||
configurable with the <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a></b> configuration
|
||||
parameter.
|
||||
By default, the personalized envelope sender address is
|
||||
<i>owner-listname</i><b>+</b><i>user</i><b>=</b><i>domain</i>@<i>origin</i>. The default <b>+</b> and <b>=</b> charac-
|
||||
ters are configurable with the <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a></b> configu-
|
||||
ration parameter.
|
||||
|
||||
<b>-XV</b><i>xy</i> (Postfix 2.2 and earlier: <b>-V</b><i>xy</i>)
|
||||
As <b>-XV</b>, but uses <i>x</i> and <i>y</i> as the VERP delimiter characters,
|
||||
@ -400,13 +400,6 @@ SENDMAIL(1) SENDMAIL(1)
|
||||
The time after which the sender receives a copy of the message
|
||||
headers of mail that is still queued.
|
||||
|
||||
<b><a href="postconf.5.html#enable_errors_to">enable_errors_to</a> (no)</b>
|
||||
Report mail delivery errors to the address specified with the
|
||||
non-standard Errors-To: message header, instead of the envelope
|
||||
sender address (this feature is removed with Postfix version
|
||||
2.2, is turned off by default with Postfix version 2.1, and is
|
||||
always turned on with older Postfix versions).
|
||||
|
||||
<b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
|
||||
The UNIX system account that owns the Postfix queue and most
|
||||
Postfix daemon processes.
|
||||
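Review bot: Dropping the enable_errors_to entry leaves its link target to account for: the deleted line pointed at postconf.5.html#enable_errors_to, so check that the anchor and any other page that references it are handled in the same change and no link is left dangling. The deletion itself looks right, since the removed text says the feature was removed with Postfix version 2.2.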
@ -459,5 +452,10 @@ SENDMAIL(1) SENDMAIL(1)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
SENDMAIL(1)
|
||||
</pre> </body> </html>
|
||||
|
@ -124,7 +124,7 @@ MASTER(5) MASTER(5)
|
||||
The <a href="local.8.html"><b>local</b>(8)</a>, <a href="pipe.8.html"><b>pipe</b>(8)</a>, <a href="spawn.8.html"><b>spawn</b>(8)</a>, and <a href="virtual.8.html"><b>virtual</b>(8)</a> daemons require
|
||||
privileges.
|
||||
|
||||
<b>Chroot (default: y)</b>
|
||||
<b>Chroot (default: Postfix</b> ><b>= 3.0: n, Postfix</b> <<b>3.0: y)</b>
|
||||
Whether or not the service runs chrooted to the mail queue
|
||||
directory (pathname is controlled by the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b> config-
|
||||
uration variable in the <a href="postconf.5.html">main.cf</a> file).
|
||||
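Review bot: The Chroot heading now documents a version-dependent default (n for Postfix 3.0 and later, y before 3.0), which means less confinement for every service whose chroot field is left at the default, yet the paragraph under it is unchanged and gives no upgrade guidance. Add a sentence that points to the compatibility_level safety net and tells operators who want a service to stay chrooted to set the field to y explicitly. Minor: the spacing in the heading is inconsistent (">= 3.0" versus "<3.0").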
@ -154,49 +154,57 @@ MASTER(5) MASTER(5)
|
||||
The maximum number of processes that may execute this service
|
||||
simultaneously. Specify 0 for no process count limit.
|
||||
|
||||
NOTE: Some Postfix services must be configured as a single-
|
||||
process service (for example, <a href="qmgr.8.html"><b>qmgr</b>(8)</a>) and some services must be
|
||||
configured with no process limit (for example, <a href="cleanup.8.html"><b>cleanup</b>(8)</a>).
|
||||
These limits must not be changed.
|
||||
NOTE: Some Postfix services must be configured as a sin-
|
||||
gle-process service (for example, <a href="qmgr.8.html"><b>qmgr</b>(8)</a>) and some services
|
||||
must be configured with no process limit (for example,
|
||||
<a href="cleanup.8.html"><b>cleanup</b>(8)</a>). These limits must not be changed.
|
||||
|
||||
<b>Command name + arguments</b>
|
||||
The command to be executed. Characters that are special to the
|
||||
shell such as ">" or "|" have no special meaning here, and
|
||||
quotes cannot be used to protect arguments containing white-
|
||||
space.
|
||||
space. To protect whitespace, use "{" and "}" as described
|
||||
below.
|
||||
|
||||
The command name is relative to the Postfix daemon directory
|
||||
(pathname is controlled by the <b><a href="postconf.5.html#daemon_directory">daemon_directory</a></b> configuration
|
||||
The command name is relative to the Postfix daemon directory
|
||||
(pathname is controlled by the <b><a href="postconf.5.html#daemon_directory">daemon_directory</a></b> configuration
|
||||
variable).
|
||||
|
||||
The command argument syntax for specific commands is specified
|
||||
The command argument syntax for specific commands is specified
|
||||
in the respective daemon manual page.
|
||||
|
||||
The following command-line options have the same effect for all
|
||||
The following command-line options have the same effect for all
|
||||
daemon programs:
|
||||
|
||||
<b>-D</b> Run the daemon under control by the command specified
|
||||
<b>-D</b> Run the daemon under control by the command specified
|
||||
with the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b> variable in the <a href="postconf.5.html">main.cf</a> config-
|
||||
uration file. See <a href="DEBUG_README.html">DEBUG_README</a> for hints and tips.
|
||||
|
||||
<b>-o</b> <i>name</i>=<i>value</i>
|
||||
Override the named <a href="postconf.5.html">main.cf</a> configuration parameter. The
|
||||
parameter value can refer to other parameters as <i>$name</i>
|
||||
etc., just like in <a href="postconf.5.html">main.cf</a>. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for syntax.
|
||||
<b>-o {</b> <i>name</i> = <i>value</i> <b>}</b> (long form, Postfix >= 3.0)
|
||||
|
||||
NOTE 1: do not specify whitespace around the "=" or in
|
||||
parameter values. To specify a parameter value that con-
|
||||
tains whitespace, use commas instead of spaces, or spec-
|
||||
ify the value in <a href="postconf.5.html">main.cf</a>. Example:
|
||||
<b>-o</b> <i>name</i>=<i>value</i> (short form)
|
||||
Override the named <a href="postconf.5.html">main.cf</a> configuration parameter. The
|
||||
parameter value can refer to other parameters as <i>$name</i>
|
||||
etc., just like in <a href="postconf.5.html">main.cf</a>. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for syntax.
|
||||
|
||||
NOTE 1: With the "long form" shown above, whitespace
|
||||
after "{", around "=", and before "}" is ignored, and
|
||||
whitespace within the parameter value is preserved.
|
||||
|
||||
NOTE 2: with the "short form" shown above, do not specify
|
||||
whitespace around the "=" or in parameter values. To
|
||||
specify a parameter value that contains whitespace, use
|
||||
the long form described above, or use commas instead of
|
||||
spaces, or specify the value in <a href="postconf.5.html">main.cf</a>. Example:
|
||||
|
||||
/etc/postfix/<a href="master.5.html">master.cf</a>:
|
||||
submission inet .... smtpd
|
||||
-o smtpd_mumble=$submission_mumble
|
||||
-o smtpd_xxx_yyy=$submission_xxx_yyy
|
||||
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>
|
||||
submission_mumble = text with whitespace...
|
||||
submission_xxx_yyy = text with whitespace...
|
||||
|
||||
NOTE 2: Over-zealous use of parameter overrides makes the
|
||||
NOTE 3: Over-zealous use of parameter overrides makes the
|
||||
Postfix configuration hard to understand and maintain.
|
||||
At a certain point, it might be easier to configure mul-
|
||||
tiple instances of Postfix, instead of configuring multi-
|
||||
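Review bot: The example after NOTE 2 still shows only the short-form workaround (-o smtpd_mumble=$submission_mumble, with the whitespace-containing value kept in main.cf); nothing demonstrates the long form that NOTE 1 introduces. Add a master.cf line in the long form beside it, such as -o { smtpd_mumble = text with whitespace... }, so the whitespace rules are shown and not only stated. Also, the long-form heading has no description of its own and depends on the short-form text below it; a reader scanning the list may take it for an empty entry.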
@ -206,6 +214,11 @@ MASTER(5) MASTER(5)
|
||||
options to make a Postfix daemon process increasingly
|
||||
verbose.
|
||||
|
||||
Other command-line arguments
|
||||
Specify "{" and "}" around command arguments that contain
|
||||
whitespace (Postfix 3.0 and later). Whitespace after "{"
|
||||
and before "}" is ignored.
|
||||
|
||||
<b>SEE ALSO</b>
|
||||
<a href="master.8.html">master(8)</a>, process manager
|
||||
<a href="postconf.5.html">postconf(5)</a>, configuration parameters
|
||||
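Review bot: The new "Other command-line arguments" paragraph does not say how to write an argument that itself contains "{" or "}", or whether braces nest, and it does not mention that an argument in an existing master.cf that already begins with "{" will be read differently under Postfix 3.0 and later. State the rule for literal braces here and add a compatibility remark, because a silent change in how a command argument is split is easy to miss during an upgrade.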
@ -228,5 +241,10 @@ MASTER(5) MASTER(5)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
MASTER(5)
|
||||
</pre> </body> </html>
|
||||
|
@ -192,5 +192,10 @@ MASTER(8) MASTER(8)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
MASTER(8)
|
||||
</pre> </body> </html>
|
||||
|
@ -137,8 +137,8 @@ MEMCACHE_TABLE(5) MEMCACHE_TABLE(5)
|
||||
results (an update is skipped with a warning).
|
||||
|
||||
<b>%[SUD]</b> The upper-case equivalents of the above expansions behave
|
||||
in the <b>key_format</b> parameter identically to their lower-
|
||||
case counter-parts.
|
||||
in the <b>key_format</b> parameter identically to their
|
||||
lower-case counter-parts.
|
||||
|
||||
<b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre-
|
||||
sponding most significant component of the input key's
|
||||
@ -214,5 +214,10 @@ MEMCACHE_TABLE(5) MEMCACHE_TABLE(5)
|
||||
P.O. Box 704
|
||||
Yorktown Heights, NY 10598, USA
|
||||
|
||||
Wietse Venema
|
||||
Google, Inc.
|
||||
111 8th Avenue
|
||||
New York, NY 10011, USA
|
||||
|
||||
MEMCACHE_TABLE(5)
|
||||
</pre> </body> </html>
|
||||
|
Some files were not shown because too many files have changed in this diff.