Source-Changes-HG archive


[src/trunk]: src/external/ibm-public/postfix/dist Resolve conflicts from last...



details:   https://anonhg.NetBSD.org/src/rev/f01e5d80b6b8
branches:  trunk
changeset: 797141:f01e5d80b6b8
user:      tron <tron%NetBSD.org@localhost>
date:      Sun Jul 06 19:45:50 2014 +0000

description:
Resolve conflicts from last import.

diffstat:

 external/ibm-public/postfix/dist/README_FILES/ADDRESS_VERIFICATION_README |    32 +-
 external/ibm-public/postfix/dist/README_FILES/INSTALL                     |    76 +-
 external/ibm-public/postfix/dist/README_FILES/TLS_README                  |   655 ++++-
 external/ibm-public/postfix/dist/conf/main.cf                             |     4 +-
 external/ibm-public/postfix/dist/conf/master.cf                           |    11 +-
 external/ibm-public/postfix/dist/conf/postfix-files                       |    10 +-
 external/ibm-public/postfix/dist/html/ADDRESS_VERIFICATION_README.html    |    42 +-
 external/ibm-public/postfix/dist/html/INSTALL.html                        |    23 +-
 external/ibm-public/postfix/dist/html/TLS_README.html                     |   761 +++++-
 external/ibm-public/postfix/dist/html/postconf.5.html                     |  1159 ++++++++-
 external/ibm-public/postfix/dist/makedefs                                 |   111 +-
 external/ibm-public/postfix/dist/man/man5/postconf.5                      |   954 ++++++-
 external/ibm-public/postfix/dist/proto/ADDRESS_VERIFICATION_README.html   |    32 +-
 external/ibm-public/postfix/dist/proto/INSTALL.html                       |    23 +-
 external/ibm-public/postfix/dist/proto/TLS_README.html                    |   727 +++++-
 external/ibm-public/postfix/dist/proto/postconf.proto                     |  1019 +++++++-
 external/ibm-public/postfix/dist/src/cleanup/cleanup.h                    |     3 +-
 external/ibm-public/postfix/dist/src/dns/dns_lookup.c                     |   154 +-
 external/ibm-public/postfix/dist/src/global/mail_params.h                 |   106 +-
 external/ibm-public/postfix/dist/src/postconf/postconf_master.c           |   799 ++++++-
 external/ibm-public/postfix/dist/src/smtp/smtp.c                          |   119 +-
 external/ibm-public/postfix/dist/src/smtpd/smtpd.c                        |   102 +-
 external/ibm-public/postfix/dist/src/tls/tls_client.c                     |   355 +-
 external/ibm-public/postfix/dist/src/tls/tls_server.c                     |   171 +-
 external/ibm-public/postfix/dist/src/util/dict_sockmap.c                  |    47 +-
 external/ibm-public/postfix/dist/src/util/read_wait.c                     |   138 -
 external/ibm-public/postfix/dist/src/util/readable.c                      |   121 -
 external/ibm-public/postfix/dist/src/util/sys_defs.h                      |   137 +-
 external/ibm-public/postfix/dist/src/util/writable.c                      |   121 -
 external/ibm-public/postfix/dist/src/util/write_wait.c                    |   137 -
 30 files changed, 5966 insertions(+), 2183 deletions(-)

diffs (truncated from 12587 to 300 lines):

diff -r 382e3a5b4a5e -r f01e5d80b6b8 external/ibm-public/postfix/dist/README_FILES/ADDRESS_VERIFICATION_README
--- a/external/ibm-public/postfix/dist/README_FILES/ADDRESS_VERIFICATION_README Sun Jul 06 19:27:32 2014 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/ADDRESS_VERIFICATION_README Sun Jul 06 19:45:50 2014 +0000
@@ -292,23 +292,35 @@
 verification results. If you specify an empty value, all address verification
 results are lost after "postfix reload" or "postfix stop".
 
+    # Example 1: Default setting for Postfix 2.7 and later.
+    # Note: avoid hash files here. Use btree instead.
     /etc/postfix/main.cf:
-        # Default setting for Postfix 2.7 and later.
-        # Note: avoid hash files here. Use btree instead.
         address_verify_map = btree:$data_directory/verify_cache
 
-        # Shared persistent cache (requires Postfix 2.9 or later).
-        address_verify_map = proxy:btree:$data_directory/verify_cache
-        # Disable automatic cache cleanup in all Postfix instances except
-        # for one instance that will be responsible for cache cleanup.
+    # Example 2: Shared persistent lmdb: cache (Postfix 2.11 or later).
+    # Disable automatic cache cleanup in all Postfix instances except
+    # for one instance that will be responsible for cache cleanup.
+    /etc/postfix/main.cf:
+        address_verify_map = lmdb:$data_directory/verify_cache
         # address_verify_cache_cleanup_interval = 0
 
-        # Shared memory cache (requires Postfix 2.9 or later).
-        # See memcache_table(5) for details.
+    # Example 3: Shared persistent btree: cache (Postfix 2.9 or later).
+    # Disable automatic cache cleanup in all Postfix instances except
+    # for one instance that will be responsible for cache cleanup.
+    /etc/postfix/main.cf:
+        address_verify_map = proxy:btree:$data_directory/verify_cache
+        # address_verify_cache_cleanup_interval = 0
+
+    # Example 4: Shared memory cache (requires Postfix 2.9 or later).
+    # Disable automatic cache cleanup in all Postfix instances.
+    # See memcache_table(5) for details.
+    /etc/postfix/main.cf:
         address_verify_map = memcache:/etc/postfix/verify-memcache.cf
+        address_verify_cache_cleanup_interval = 0
 
-        # Default setting for Postfix 2.6 and earlier.
-        # This uses non-persistent storage only.
+    # Example 5: Default setting for Postfix 2.6 and earlier.
+    # This uses non-persistent storage only.
+    /etc/postfix/main.cf:
         address_verify_map =
 
 NOTE 1: The database file should be stored under a Postfix-owned directory,
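Review bot: Example 2 opens the shared persistent cache as plain lmdb:$data_directory/verify_cache, while Example 3 needs the proxy:btree: prefix for the same shared-cache purpose; a one-line comment on why lmdb: can be opened directly by every Postfix instance but btree: has to go through proxymap would stop readers from adding proxy: to the lmdb example by analogy, or dropping it from the btree one. Both examples also carry the same two-line "Disable automatic cache cleanup in all Postfix instances except for one instance" text verbatim, so a single shared note above Examples 2 and 3 would read better than the copy in each.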
diff -r 382e3a5b4a5e -r f01e5d80b6b8 external/ibm-public/postfix/dist/README_FILES/INSTALL
--- a/external/ibm-public/postfix/dist/README_FILES/INSTALL     Sun Jul 06 19:27:32 2014 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/INSTALL     Sun Jul 06 19:45:50 2014 +0000
@@ -148,18 +148,20 @@
 
 and so on. In some cases, optimization is turned off automatically.
 
-44..33 -- BBuuiillddiinngg wwiitthh ooppttiioonnaall eexxtteennssiioonnss
+44..33 -- BBuuiillddiinngg wwiitthh ooppttiioonnaall ffeeaattuurreess
 
 By default, Postfix builds as a mail system with relatively few bells and
 whistles. Support for third-party databases etc. must be configured when
 Postfix is compiled. The following documents describe how to build Postfix with
-support for extensions:
+support for optional features:
 
      _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
-    |PPoossttffiixx eexxtteennssiioonn                 |DDooccuummeenntt     |AAvvaaiillaabbiilliittyy|
+    |OOppttiioonnaall ffeeaattuurree                  |DDooccuummeenntt     |AAvvaaiillaabbiilliittyy|
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |
     |Berkeley DB database              |DB_README    |Postfix 1.0 |
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |
+    |LMDB database                     |LMDB_README  |Postfix 2.11|
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |
     |LDAP database                     |LDAP_README  |Postfix 1.0 |
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |
     |MySQL database                    |MYSQL_README |Postfix 1.0 |
@@ -192,31 +194,33 @@
 
 Parameters whose defaults can be specified in this way are:
 
-     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
-    |MMaaccrroo nnaammee       |ddeeffaauulltt vvaalluuee ffoorr|ttyyppiiccaall ddeeffaauulltt     |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_COMMAND_DIR  |command_directory|/usr/sbin           |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_CONFIG_DIR   |config_directory |/etc/postfix        |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_DAEMON_DIR   |daemon_directory |/usr/libexec/postfix|
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_DATA_DIR     |data_directory   |/var/db/postfix    |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_MAILQ_PATH   |mailq_path       |/usr/bin/mailq      |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_HTML_DIR     |html_directory   |no                  |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_MANPAGE_DIR  |manpage_directory|/usr/local/man      |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_NEWALIAS_PATH|newaliases_path  |/usr/bin/newaliases |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_QUEUE_DIR    |queue_directory  |/var/spool/postfix  |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_README_DIR   |readme_directory |no                  |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |DEF_SENDMAIL_PATH|sendmail_path    |/usr/sbin/sendmail  |
-    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
+    |MMaaccrroo nnaammee       |ddeeffaauulltt vvaalluuee ffoorr    |ttyyppiiccaall ddeeffaauulltt     |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_COMMAND_DIR  |command_directory    |/usr/sbin           |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_CONFIG_DIR   |config_directory     |/etc/postfix        |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_DB_TYPE      |default_database_type|hash                |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_DAEMON_DIR   |daemon_directory     |/usr/libexec/postfix|
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_DATA_DIR     |data_directory       |/var/db/postfix    |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_MAILQ_PATH   |mailq_path           |/usr/bin/mailq      |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_HTML_DIR     |html_directory       |no                  |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_MANPAGE_DIR  |manpage_directory    |/usr/local/man      |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_NEWALIAS_PATH|newaliases_path      |/usr/bin/newaliases |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_QUEUE_DIR    |queue_directory      |/var/spool/postfix  |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_README_DIR   |readme_directory     |no                  |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |DEF_SENDMAIL_PATH|sendmail_path        |/usr/sbin/sendmail  |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
 
 Note: the data_directory parameter (for caches and pseudo-random numbers) was
 introduced with Postfix version 2.5.
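Review bot: the new DEF_DB_TYPE row gives "hash" as the typical default but nothing says from which Postfix version default_database_type can be set this way, while the note below the table records exactly that for data_directory (Postfix 2.5); add the same kind of version note for DEF_DB_TYPE. Minor alignment issue carried over from the old table: the DEF_DATA_DIR row's last cell "/var/db/postfix    |" is one character shorter than the column in every other row, so the right border does not line up.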
@@ -245,9 +249,11 @@
 |                              |at compile time:                              |
 |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ |
 ||                             |Do not build with Berkeley DB support. By     |
-||-DNO_DB                      |default, Berkeley DB support is compiled in on|
-||                             |platforms that are known to support this      |
-||                             |feature.                                      |
+||                             |default, Berkeley DB support is compiled in on|
+||-DNO_DB                      |platforms that are known to support this      |
+||                             |feature. If you override this, then you       |
+||                             |probably should also override DEF_DB_TYPE as  |
+||                             |described in section 4.4.                     |
 |_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ |
 ||                             |Do not build with Solaris /dev/poll support.  |
 ||-DNO_DEVPOLL                 |By default, /dev/poll support is compiled in  |
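Review bot: "probably should also override DEF_DB_TYPE" in the -DNO_DB cell is too weak: hash: (the DEF_DB_TYPE default shown in the table above) is a Berkeley DB format, so a build with -DNO_DB and an unchanged DEF_DB_TYPE ships with a default_database_type that the resulting binaries cannot open. Say that DEF_DB_TYPE must be set to a database type that is actually compiled in (for example lmdb, which this same change adds to the table in section 4.3) rather than leaving it as a suggestion. The cell also moves the "-DNO_DB" label from the first to the second text line; if that is meant to vertically centre the flag in the taller cell, the other multi-line cells (-DNO_DEVPOLL just below keeps the flag on line 2 as before) should follow one rule.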
@@ -271,8 +277,12 @@
 ||                             |known to support it.                          |
 |_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ |
 ||                             |Do not build with NIS or NISPLUS support. NIS |
-||-DNO_NIS                     |is not available on some recent Linux or      |
-||                             |Solaris distributions.                        |
+||-DNO_NIS                     |is not available on some recent Linux         |
+||                             |distributions.                                |
+|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ |
+||                             |Do not build with NISPLUS support. NISPLUS is |
+||-DNO_NISPLUS                 |not available on some recent Solaris          |
+||                             |distributions.                                |
 |_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ |
 ||                             |Do not build with PCRE support. By default,   |
 ||-DNO_PCRE                    |PCRE support is compiled in when the pcre-    |
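Review bot: splitting -DNO_NIS into -DNO_NIS and -DNO_NISPLUS changes the meaning of an existing flag: a build recipe that passed -DNO_NIS to drop "NIS or NISPLUS support" now keeps NISPLUS compiled in unless -DNO_NISPLUS is added as well. The -DNO_NIS cell should say so explicitly (for example "To also disable NISPLUS, see -DNO_NISPLUS below"), since the Solaris text that used to justify -DNO_NIS has moved to the new cell and nothing tells an existing user to update their CCARGS.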
diff -r 382e3a5b4a5e -r f01e5d80b6b8 external/ibm-public/postfix/dist/README_FILES/TLS_README
--- a/external/ibm-public/postfix/dist/README_FILES/TLS_README  Sun Jul 06 19:27:32 2014 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/TLS_README  Sun Jul 06 19:45:50 2014 +0000
@@ -86,14 +86,15 @@
 encrypted, meaning: the key must be accessible without a password. The
 certificate and private key may be in the same file, in which case the
 certificate file should be owned by "root" and not be readable by any other
-user. If the key is stored separately, this applies to the key file only, and
-the certificate file may be "world-readable".
+user. If the key is stored separately, this access restriction applies to the
+key file only, and the certificate file may be "world-readable".
 
-Public Internet MX hosts without certificates signed by a "reputable" CA must
-generate, and be prepared to present to most clients, a self-signed or private-
-CA signed certificate. The remote SMTP client will generally not be able to
-authenticate the self-signed certificate, but unless the client is running
-Postfix or similar software, it will still insist on a server certificate.
+Public Internet MX hosts without certificates signed by a well-known public CA
+must still generate, and be prepared to present to most clients, a self-signed
+or private-CA signed certificate. The remote SMTP client will generally not be
+able to verify the self-signed certificate, but unless the client is running
+Postfix or similar software, it will only negotiate TLS ciphersuites that
+require a server certificate.
 
 For servers that are nnoott public Internet MX hosts, Postfix supports
 configurations with no certificates. This entails the use of just the anonymous
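Review bot: the reworded clause "it will only negotiate TLS ciphersuites that require a server certificate" is more precise than the old "insist on a server certificate", but the reader only learns in the next paragraph that the exception is the anonymous ciphersuites; naming them here (for example "... will not offer anonymous ciphersuites, so a certificate is still needed") would let the two paragraphs read as one argument. The added phrase "this access restriction applies to the key file only" fixes an ambiguous "this" in the old text, which is a good change; consider stating the restriction once more at that point (owned by "root", not readable by any other user) since it is the security-relevant requirement of the whole paragraph.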
@@ -106,34 +107,73 @@
 new Postfix SMTP server configurations will not accidentally run with no
 certificates.
 
-RSA, DSA and ECDSA (Postfix >= 2.6) certificates are supported. Typically you
-will only have RSA certificates issued by a commercial CA. In addition, the
-tools supplied with OpenSSL will by default issue RSA certificates. You can
-configure all three at the same time, in which case the cipher used determines
-which certificate is presented. For Netscape and OpenSSL clients without
-special cipher choices, the RSA certificate is preferred.
+RSA, DSA and ECDSA (Postfix >= 2.6) certificates are supported. Most sites only
+have RSA certificates. You can configure all three at the same time, in which
+case the ciphersuite negotiated with the remote SMTP client determines which
+certificate is used. If your DNS zone is signed, and you want to publish RFC
+6698 TLSA records, these must match any of the configured certificates. Since
+the best practice is to publish "3 1 1" certificate associations, create a
+separate TLSA record for each public-key certificate digest.
 
-To enable a remote SMTP client to verify the Postfix SMTP server certificate,
-the issuing CA certificates must be made available to the client. You should
-include the required certificates in the server certificate file, the server
-certificate first, then the issuing CA(s) (bottom-up order).
+CCrreeaattiinngg tthhee sseerrvveerr cceerrttiiffiiccaattee ffiillee
 
-Example: the certificate for "server.example.com" was issued by "intermediate
-CA" which itself has a certificate issued by "root CA". Create the server.pem
-file with:
-
-    % ccaatt sseerrvveerr__cceerrtt..ppeemm iinntteerrmmeeddiiaattee__CCAA..ppeemm >> sseerrvveerr..ppeemm
-
-A Postfix SMTP server certificate supplied here must be usable as SSL server
+To verify the Postfix SMTP server certificate, the remote SMTP client must
+receive the issuing CA certificates via the TLS handshake or via public-key
+infrastructure. This means that the Postfix server public-key certificate file
+must include the server certificate first, then the issuing CA(s) (bottom-up
+order). The Postfix SMTP server certificate must be usable as SSL server
 certificate and hence pass the "openssl verify -purpose sslserver ..." test.
 
-A client that trusts the root CA has a local copy of the root CA certificate,
-so it is not necessary to include the root CA certificate here. Leaving it out
-of the "server.pem" file reduces the overhead of the TLS exchange.
+The examples that follow show how to create a server certificate file. We
+assume that the certificate for "server.example.com" was issued by
+"intermediate CA" which itself has a certificate issued by "root CA".
+
+  * With legacy public CA trust verification, you can omit the root certificate
+    from the "server.pem" certificate file. If the client trusts the root CA,
+    it will already have a local copy of the root CA certificate. Omitting the
+    root CA certificate reduces the size of the server TLS handshake.
+
+        % ccaatt sseerrvveerr__cceerrtt..ppeemm iinntteerrmmeeddiiaattee__CCAA..ppeemm >> sseerrvveerr..ppeemm
+
+  * If you publish RFC 6698 TLSA "2 0 1" or "2 1 1" records to specify root CA
+    certificate digests, you must include the corresponding root CA
+    certificates in the "server.pem" certificate file. See the documentation of
+    the tls_dane_trust_anchor_digest_enable main.cf parameter.
+
+        % ccaatt sseerrvveerr__cceerrtt..ppeemm iinntteerrmmeeddiiaattee__CCAA..ppeemm rroooott..ppeemm >> sseerrvveerr..ppeemm
+
+    Remote SMTP clients will be able to use the TLSA record you publish (which
+    only contains the certificate digest) only if they have access to the
+    corresponding certificate. Failure to verify certificates per the server's
+    published TLSA records will typically cause the SMTP client to defer mail
+    delivery. The foregoing also applies to "2 0 2" and "2 1 2" TLSA records or
+    any other digest of a CA certificate, but it is expected that SHA256 will
+    be by far the most common digest for TLSA.
+
+    As a best practice, publish either "3 0 1" or "3 1 1" TLSA associations
+    that specify the SHA256 digest of the server certificate public key with
+    the alias-expanded hostname of each STARTTLS capable SMTP server. These
+    continue to work when a certificate is renewed with the same public/private
+    key pair.
+
+For instructions on how to compute the digest of a certificate or its public
+key for use in TLSA records, see the documentation of the
+smtpd_tls_fingerprint_digest main.cf parameter.
+
+When a new key or certificate is generated, an additional TLSA record with the
+new digest must be published in advance of the actual deployment of the new key
+or certificate on the server. You must allow sufficient time for any TLSA
+RRsets with only the old digest to expire from DNS caches. The safest practice
+is to wait until the DNSSEC signature on the previous TLSA RRset expires, and
+only then switch the server to use new keys published in the updated TLSA
+RRset. Once the new certificate trust chain and private key are in effect, the
+DNS should be updated once again to remove the old digest from the TLSA RRset.
 
 If you want the Postfix SMTP server to accept remote SMTP client certificates
-issued by these CAs, append the root certificate to $smtpd_tls_CAfile or
-install it in the $smtpd_tls_CApath directory.
+issued by one or more root CAs, append the root certificate to
+$smtpd_tls_CAfile or install it in the $smtpd_tls_CApath directory.
+
+CCoonnffiigguurriinngg tthhee sseerrvveerr cceerrttiiffiiccaattee aanndd kkeeyy ffiilleess
 
 RSA key and certificate examples:
 
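Review bot: the best-practice paragraph ("As a best practice, publish either "3 0 1" or "3 1 1" TLSA associations ... These continue to work when a certificate is renewed with the same public/private key pair") is only correct for the "3 1 1" form: selector 1 digests the SubjectPublicKeyInfo, while selector 0 digests the whole certificate, whose serial number, validity dates and signature change on every renewal, so a "3 0 1" record stops matching as soon as the certificate is reissued. Either drop "3 0 1" from that sentence or restrict the renewal claim to "3 1 1"; that would also make it consistent with the earlier paragraph in this hunk, which names "3 1 1" alone as the best practice. Since the same section says a TLSA mismatch "will typically cause the SMTP client to defer mail delivery", the rollover paragraph that follows should be cross-referenced from the "3 0 1" discussion, because a full-certificate digest needs that procedure at every renewal, not only at key changes.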
@@ -207,27 +247,25 @@
 increase the log level from 0..4. Each logging level also includes the
 information that is logged at a lower logging level.
 
-     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ 
-    |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr             |EEaarrlliieerr rreelleeaasseess..               |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ |
-    |0    |Log only a summary message on TLS |Disable logging of TLS activity.|
-    |     |handshake completion -- no logging|                                |
-    |     |of client certificate trust-chain |                                |
-    |     |verification errors if client     |                                |
-    |     |certificate verification is not   |                                |
-    |     |required.                         |                                |