16d67a18c4
- Support for PKI-less TLS server certificate verification with DANE (DNS-based Authentication of Named Entities) where the CA public key or the server certificate is identified via DNSSEC lookup. This requires a DNS resolver that validates DNSSEC replies. The problem with conventional PKI is that there are literally hundreds of organizations world-wide that can provide a certificate in anyone's name. DANE limits trust to the people who control the target DNS zone and its parent zones.
- A new postscreen_dnsbl_whitelist_threshold feature to allow clients to skip postscreen tests based on their DNSBL score. This can eliminate email delays due to "after 220 greeting" protocol tests, which otherwise require that a client reconnects before it can deliver mail. Some providers such as Google don't retry from the same IP address, and that can result in large email delivery delays.
- The recipient_delimiter feature now supports different delimiters, for example both "+" and "-". As before, this implementation recognizes exactly one delimiter character per email address, and exactly one address extension per email address.
- Advanced master.cf query/update support to access service attributes as "name = value" pairs. For example to turn off chroot on all services use "postconf -F '*/*/chroot = n'", and to change/add a "-o name=value" setting use "postconf -P 'smtp/inet/name = value'". This was developed primarily to allow automated tools to manage Postfix systems without having to parse Postfix configuration files.
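The DANE item above says the CA public key or the server certificate is identified through DNSSEC. The following added example (not Postfix code and not part of the original notes) shows how the fields of a TLSA record from RFC 6698 are matched against a presented certificate chain. All function names and `sample_cert` are hypothetical, the certificate is a constructed, unsigned placeholder, and the DNSSEC lookup and chain signature validation are assumed to happen elsewhere.

```python
import hashlib
import hmac

def _tlv(buf, pos):
    """Parse one DER element at pos: return (tag, value_start, end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                              # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def spki_from_cert(cert):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = _tlv(cert, 0)                 # Certificate
    _, pos, _ = _tlv(cert, pos)               # tbsCertificate
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                           # optional [0] version
        pos = end
    for _ in range(5):                        # serial, sigAlg, issuer, validity, subject
        pos = _tlv(cert, pos)[2]
    return cert[pos:_tlv(cert, pos)[2]]

# Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
DIGEST = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
          2: lambda d: hashlib.sha512(d).digest()}

def tlsa_matches(cert, selector, mtype, data):
    """Match one certificate against one TLSA record's selector/type/data."""
    if selector not in (0, 1) or mtype not in DIGEST:
        return False                          # unknown values never match
    subject = cert if selector == 0 else spki_from_cert(cert)
    return hmac.compare_digest(DIGEST[mtype](subject), data)

def dane_match(chain, rrset):
    """Return the first (usage, selector, mtype, data) record matching chain.
    Assumption of this sketch: usage 3 pins the leaf (chain[0]), usage 2 pins
    a CA among the other certificates sent; signatures are NOT verified here."""
    for rec in rrset:
        usage, sel, mt, data = rec
        candidates = {3: chain[:1], 2: chain[1:]}.get(usage, [])
        if any(tlsa_matches(c, sel, mt, data) for c in candidates):
            return rec
    return None                               # no record matched: fail closed

def sample_cert(key):
    """Constructed, unsigned, cert-shaped DER for the demo (short lengths only)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01"
              + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00\x00"))
```

A record with selector 1 keeps matching when the certificate is reissued with the same key, while selector 0 pins the exact certificate bytes.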
43 KiB