head     1.1;
branch   1.1.1;
access;
symbols
         netbsd-11-0-RC4:1.1.1.1.2.2
         netbsd-11:1.1.1.1.0.2
         PFIX-3-11-2:1.1.1.1
         VENEMA:1.1.1;
locks; strict;
comment  @# @;


1.1
date     2026.05.09.18.39.09;  author christos;  state Exp;
branches
         1.1.1.1;
next     ;
commitid mtbvlXzNqJaszaFG;

1.1.1.1
date     2026.05.09.18.39.09;  author christos;  state Exp;
branches
         1.1.1.1.2.1;
next     ;
commitid mtbvlXzNqJaszaFG;

1.1.1.1.2.1
date     2026.05.09.18.39.09;  author martin;  state dead;
branches;
next     1.1.1.1.2.2;
commitid 2QeqaJm8KrXk4qFG;

1.1.1.1.2.2
date     2026.05.11.17.13.36;  author martin;  state Exp;
branches;
next     ;
commitid 2QeqaJm8KrXk4qFG;


desc
@@


1.1
log
@Initial revision
@
text
@Postfix REQUIRETLS Support

-------------------------------------------------------------------------------

Table of Contents

  * Purpose of this document
  * Introduction
  * REQUIRETLS for a perimeter MTA

      o Receiving inbound messages with REQUIRETLS requests
      o LMTP and SMTP-based message stores and content filters
      o Non-SMTP and non-LMTP content filters
      o Communication with external servers
      o Relaxing REQUIRETLS for external deliveries

  * An experiment: testing REQUIRETLS support
  * Requesting REQUIRETLS without SMTP
  * Non-delivery notifications
  * REQUIRETLS quick summary
  * Credits

Purpose of this document

This document covers Postfix configuration for the REQUIRETLS extension. The
purpose of these settings is to make REQUIRETLS support usable in an existing
environment where REQUIRETLS support is still uncommon, with a path towards a
future with REQUIRETLS.

Introduction

The REQUIRETLS extension in ESMTP is defined in RFC 8689. When a sender
requests REQUIRETLS, the message must be sent only over strongly-authenticated
SMTP or LMTP connections. Specifically:

  * Every server in the forward path to the final destination must announce
    REQUIRETLS support.

    Challenge: as of 2025, only a few servers implement REQUIRETLS.

  * Every server in the forward path must be looked up securely (for example,
    with DNSSEC or HTTPS).

  * Every server certificate in the forward path must be verified. In practice,
    this involves DANE (+DNSSEC) or MTA-STS; custom configuration would not
    scale.

    Challenge: as of 2025, many domains do not publish a DANE or MTA-STS
    policy.

  * A message with REQUIRETLS must be returned to the sender if any of the
    above requirements is not satisfied (no STARTTLS support, no secure server
    lookup, no trusted or no matching server certificate, or no server that
    announces REQUIRETLS support).

For more background information, see the REQUIRETLS quick summary below.

REQUIRETLS for a perimeter MTA

In this text, a perimeter MTA is a mail system that operates on the boundary of
an administrative domain. It receives email messages for the domain, and/or
sends email messages on behalf of the domain.

Receiving inbound messages with REQUIRETLS requests

Postfix has one global parameter setting that controls REQUIRETLS support in
all Postfix processes. The default setting is:

    /etc/postfix/main.cf:
        requiretls_enable = yes

With this, the Postfix SMTP server will announce REQUIRETLS support, and more
importantly, will receive messages from senders that for some reason request
REQUIRETLS support -- messages that you would otherwise not receive, assuming
that the domain already publishes a valid DANE and/or STS policy.

If all you need is to receive messages with REQUIRETLS, and you do not insist
on enforcing REQUIRETLS when sending or forwarding messages, then you can stop
reading this document after adding the additional settings below.

NOTE: The configuration below may be suitable for a personal domain, where the
owner can decide what happens with all messages. For domains that receive
messages for other people, a less radical approach may be better, as described
in the sections that follow.

    1 /etc/postfix/main.cf:
    2     # Don't enforce REQUIRETLS when delivering mail with SMTP or LMTP.
    3     smtp_requiretls_policy = opportunistic
    4     lmtp_requiretls_policy = opportunistic
    5
    6     # Don't detect or add a "Require-TLS-ESMTP: yes" header.
    7     requiretls_esmtp_header = no

  * Lines 3-4: These relax REQUIRETLS enforcement when delivering an email to
    a message store, content filter, or other destination that may not support
    REQUIRETLS. If a server does not support STARTTLS or REQUIRETLS, then
    Postfix will simply deliver the message as if the sender did not request
    REQUIRETLS.

  * Line 7: The requiretls_esmtp_header feature enables support for a message
    header "Require-TLS-ESMTP: yes" that allows Postfix to propagate the
    sender's REQUIRETLS request through a content filter based on
    SMTPD_PROXY_README or FILTER_README. This feature can safely be disabled if
    the domain does not need to enforce REQUIRETLS while delivering or
    forwarding messages.

LMTP and SMTP-based message stores and content filters

REQUIRETLS is historically not supported by message stores such as Dovecot, and
by content filters based on FILTER_README or SMTPD_PROXY_README. The settings
below allow for that reality, while also preparing for future REQUIRETLS
support.

The Postfix SMTP (LMTP) client supports a permissive REQUIRETLS policy that is
suitable for communication with internal message stores and content filters
based on FILTER_README or SMTPD_PROXY_README.

  * opportunistic: STARTTLS and REQUIRETLS support are optional. When the
    sender requests REQUIRETLS, and an SMTP or LMTP server supports STARTTLS
    and REQUIRETLS, then send REQUIRETLS, otherwise simply deliver the message
    as if the sender did not request REQUIRETLS.

For a more complete definition of this enforcement level, see the
smtp_requiretls_policy parameter documentation.

For REQUIRETLS, the relevant Postfix 3.11 configuration default settings are:

     1 /etc/postfix/main.cf:
     2     smtp_tls_security_level = may
     3     requiretls_esmtp_header = yes
     4     lmtp_requiretls_policy = opportunistic
     5     smtp_requiretls_policy =
     6         inline:{
     7             { ${domain_to_ascii{$mydomain}} = opportunistic }
     8             { .${domain_to_ascii{$mydomain}} = opportunistic }
     9             { localhost = opportunistic } }
    10         cidr:{
    11             { 0.0.0.0/0 opportunistic }
    12             { ::/0 opportunistic } }
    13         ...to be completed in section "Communication with external servers"...

  * Line 3: The requiretls_esmtp_header setting enables support for a message
    header "Require-TLS-ESMTP: yes" that allows Postfix to propagate the
    sender's REQUIRETLS request through a content filter. This feature can
    safely be disabled if there is no need for content inspection based on
    SMTPD_PROXY_README or FILTER_README.

  * Lines 5-12: These make REQUIRETLS support optional for internal
    destinations and content filters that are specified as a symbolic name
    (lines 6-9) or as a numerical IP address (lines 10-12).

  * Lines 7 and 8 use ${domain_to_ascii{$mydomain}} instead of $mydomain. The
    function domain_to_ascii{} returns $mydomain if that contains only (7-bit)
    ASCII. If the mydomain value contains non-ASCII characters, then
    domain_to_ascii{} returns the xn--mumble-mumble Punycode (A-label) form
    that Postfix needs. This works around a limitation that may be eliminated
    in a future Postfix version.

  * Note: if you specify a domain list outside main.cf, then the automatic
    $name expansions and Punycode conversions will not happen; you will need to
    enter real domain names and will need to convert non-ASCII domains to
    Punycode.

Non-SMTP and non-LMTP content filters

Postfix FILTER_README describes content inspection based on a pipe-to-command
approach.

For REQUIRETLS, the relevant Postfix 3.11 default setting is:

    /etc/postfix/main.cf:
        requiretls_esmtp_header = yes

The requiretls_esmtp_header feature enables support for a message header
"Require-TLS-ESMTP: yes" that allows Postfix to propagate the sender's
REQUIRETLS request through a content filter. This feature can safely be
disabled if there is no need for content inspection based on SMTPD_PROXY_README
or FILTER_README.

Communication with external servers

For communication with external servers, the Postfix SMTP client supports
multiple enforcement levels:

  * enforce: When the sender requests REQUIRETLS, require secure lookup of MX
    hosts (for example, using DNSSEC or HTTPS), require a server certificate
    match (for example, based on a published DANE or STS policy), and require
    that the remote server supports REQUIRETLS. Otherwise return the message as
    undeliverable. NOTE: this is also used implicitly when no REQUIRETLS policy
    match is found.

  * opportunistic+starttls: When the sender requests REQUIRETLS, require that
    the server supports STARTTLS. Send REQUIRETLS if the server supports
    REQUIRETLS, otherwise simply deliver the message as if the sender did not
    request REQUIRETLS.

  * opportunistic: STARTTLS and REQUIRETLS support are optional. When the
    sender requests REQUIRETLS, and an SMTP or LMTP server supports STARTTLS
    and REQUIRETLS, then send REQUIRETLS, otherwise simply deliver the message
    as if the sender did not request REQUIRETLS.

For a more complete definition of these enforcement levels, see the
smtp_requiretls_policy parameter documentation.

For sending mail with REQUIRETLS, the relevant Postfix 3.11 default settings
are shown below, with one suggested setting in a comment (line 2). The default
settings below complete the earlier configuration for message stores and
content filters, with an 'enforce' policy for external deliveries (line 13).
You can disable the requiretls_esmtp_header feature (line 4) if a configuration
does not use content inspection based on SMTPD_PROXY_README or FILTER_README.

     1 /etc/postfix/main.cf:
     2     # smtp_tls_policy_maps = ...dane/sts plugin...
     3     smtp_tls_security_level = may
     4     requiretls_esmtp_header = yes
     5     smtp_requiretls_policy =
     6         inline:{
     7             { ${domain_to_ascii{$mydomain}} = opportunistic }
     8             { .${domain_to_ascii{$mydomain}} = opportunistic }
     9             { localhost = opportunistic } }
    10         cidr:{
    11             { 0.0.0.0/0 opportunistic }
    12             { ::/0 opportunistic } }
    13         enforce

  * New at line 13: The 'enforce' policy for external destinations is
    technically correct, but is likely to suffer from delivery failures because
    many domains do not publish a DANE or STS policy, and many MTAs support
    STARTTLS but not REQUIRETLS. A perhaps more practical policy may be found
    in the section Relaxing REQUIRETLS for external deliveries.

  * (Same as before) Line 3: The requiretls_esmtp_header setting enables
    support for a message header "Require-TLS-ESMTP: yes" that allows Postfix
    to propagate the sender's REQUIRETLS request through a content filter. This
    feature can safely be disabled if there is no need for content inspection
    based on SMTPD_PROXY_README or FILTER_README.

  * (Same as before) Lines 5-12: These make REQUIRETLS support optional for
    internal destinations and content filters that are specified as a symbolic
    name (lines 6-9) or as a numerical IP address (lines 10-12).

  * (Same as before) Lines 7 and 8 use ${domain_to_ascii{$mydomain}} instead
    of $mydomain. The function domain_to_ascii{} returns $mydomain if that
    contains only (7-bit) ASCII. If the mydomain value contains non-ASCII
    characters, then domain_to_ascii{} returns the xn--mumble-mumble Punycode
    (A-label) form that Postfix needs. This works around a limitation that may
    be eliminated in a future Postfix version.

  * (Same as before) Note: if you specify a domain list outside main.cf, then
    the automatic $name expansions and Punycode conversions will not happen;
    you will need to enter real domain names and will need to convert non-ASCII
    domains to Punycode.

Relaxing REQUIRETLS for external deliveries

It may be desirable to make REQUIRETLS work with today's infrastructure, by
keeping the requirement for TLS, but relaxing the requirements that a remote
server supports REQUIRETLS and that its server certificate matches a DANE or
STS policy. The configuration below makes that change by replacing the default
'enforce' with 'opportunistic+starttls' (line 13).

     1 /etc/postfix/main.cf:
     2     smtp_tls_security_level = may
     3     # smtp_tls_policy_maps = ...dane/sts plugin...
     4     requiretls_esmtp_header = yes
     5     smtp_requiretls_policy =
     6         inline:{
     7             { ${domain_to_ascii{$mydomain}} = opportunistic }
     8             { .${domain_to_ascii{$mydomain}} = opportunistic }
     9             { localhost = opportunistic } }
    10         cidr:{
    11             { 0.0.0.0/0 opportunistic }
    12             { ::/0 opportunistic } }
    13         opportunistic+starttls

  * New at line 13: the 'opportunistic+starttls' policy relaxes the requirement
    that every MTA in the forward path of a message supports REQUIRETLS, but in
    practice only one network hop needs to be secured: from a sender's
    perimeter MTA to a receiver's perimeter MTA. The network connections
    between user agents and their respective perimeters are assumed to be
    already secure.

  * (Same as before) Line 3: The requiretls_esmtp_header setting enables
    support for a message header "Require-TLS-ESMTP: yes" that allows Postfix
    to propagate the sender's REQUIRETLS request through a content filter. This
    feature can safely be disabled if there is no need for content inspection
    based on SMTPD_PROXY_README or FILTER_README.

  * (Same as before) Lines 5-12: These make REQUIRETLS support optional for
    internal destinations and content filters that are specified as a symbolic
    name (lines 6-9) or as a numerical IP address (lines 10-12).

  * (Same as before) Lines 7 and 8 use ${domain_to_ascii{$mydomain}} instead
    of $mydomain. The function domain_to_ascii{} returns $mydomain if that
    contains only (7-bit) ASCII. If the mydomain value contains non-ASCII
    characters, then domain_to_ascii{} returns the xn--mumble-mumble Punycode
    (A-label) form that Postfix needs. This works around a limitation that may
    be eliminated in a future Postfix version.

  * (Same as before) Note: if you specify a domain list outside main.cf, then
    the automatic $name expansions and Punycode conversions will not happen;
    you will need to enter real domain names and will need to convert non-ASCII
    domains to Punycode.

An experiment: testing REQUIRETLS support

The 'opportunistic' enforcement level may be useful to discover REQUIRETLS
support globally. The idea is to turn on REQUIRETLS for all outbound mail, and
watch in Postfix TLS status logging how often delivery is logged as
"requiretls" (all requirements satisfied), "requiretls:nocertmatch" (no DANE or
STS policy, or certificate not trusted or not matched), "requiretls:none" (no
REQUIRETLS support), or "requiretls:nostarttls". For more details on this
logging format, see smtp_log_tls_feature_status.

Requesting REQUIRETLS without SMTP

There are two options:

  * Specify the Postfix-specific "sendmail -Orequiretls=yes" command-line
    option. This option is always available, but may not be convenient to use.

  * Add a Postfix-specific "Require-TLS-ESMTP: yes" message header. This is
    easier to use, but requires the setting "requiretls_esmtp_header = yes"
    which is not recommended for systems without content filters based on
    SMTPD_PROXY_README or FILTER_README.

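For the experiment described under "An experiment: testing REQUIRETLS support" above, the following added example (not part of the Postfix distribution) tallies the four logged statuses per relay and projects what each enforcement level from "Communication with external servers" would have done with the same deliveries. The sample log lines are constructed, and the layout of the tls= field around the status token is an assumption; see smtp_log_tls_feature_status for the real format.

```python
"""Tally REQUIRETLS delivery statuses and project them onto stricter policies."""
import re
from collections import Counter, defaultdict

# Status tokens and their meanings as listed in the experiment section.
STATUSES = (
    "requiretls",              # all requirements satisfied
    "requiretls:nocertmatch",  # no DANE/STS policy, or cert not trusted/matched
    "requiretls:none",         # server does not announce REQUIRETLS
    "requiretls:nostarttls",   # server does not offer STARTTLS
)

# Which observed statuses each enforcement level would still deliver. This is
# a reading of the level definitions in this README, not Postfix source code.
WOULD_DELIVER = {
    "enforce": {"requiretls"},
    "opportunistic+starttls": set(STATUSES) - {"requiretls:nostarttls"},
    "opportunistic": set(STATUSES),
}

# Assumed layout: a "tls=<level>/<requiretls status>" field in a delivery line.
TLS_FIELD = re.compile(r"\btls=([^,\s]+)")
REQTLS_TOKEN = re.compile(r"requiretls(?::[a-z]+)?")
RELAY_FIELD = re.compile(r"\brelay=([^,\[\s]+)")

# Constructed sample, not real logs; recipient fields are left out.
SAMPLE_LOG = """\
May 12 10:00:01 mta postfix/smtp[4101]: 4F1A01: relay=mx1.example.net[192.0.2.10]:25, delay=0.8, tls=dane/requiretls, dsn=2.0.0, status=sent (250 ok)
May 12 10:00:02 mta postfix/smtp[4102]: 4F1A02: relay=mx.example.org[192.0.2.20]:25, delay=1.1, tls=may/requiretls:nocertmatch, dsn=2.0.0, status=sent (250 ok)
May 12 10:00:03 mta postfix/smtp[4103]: 4F1A03: relay=mail.example.com[192.0.2.30]:25, delay=0.9, tls=may/requiretls:none, dsn=2.0.0, status=sent (250 ok)
May 12 10:00:04 mta postfix/smtp[4103]: 4F1A04: relay=mail.example.com[192.0.2.30]:25, delay=0.7, tls=may/requiretls:none, dsn=2.0.0, status=sent (250 ok)
May 12 10:00:05 mta postfix/smtp[4104]: 4F1A05: relay=old.example.edu[192.0.2.40]:25, delay=2.3, tls=may/requiretls:nostarttls, dsn=2.0.0, status=sent (250 ok)
May 12 10:00:06 mta postfix/smtp[4101]: 4F1A06: relay=mx1.example.net[192.0.2.10]:25, delay=0.6, tls=dane, dsn=2.0.0, status=sent (250 ok)
May 12 10:00:07 mta postfix/qmgr[4000]: 4F1A06: removed
"""


def parse_line(line):
    """Return (relay, status) if the delivery requested REQUIRETLS, else None."""
    tls = TLS_FIELD.search(line)
    if not tls:
        return None                      # not a delivery status line
    token = REQTLS_TOKEN.search(tls.group(1))
    if not token:
        return None                      # message did not request REQUIRETLS
    status = token.group(0)
    if status not in STATUSES:
        status = "unrecognized"          # keep visible instead of guessing
    relay = RELAY_FIELD.search(line)
    return (relay.group(1) if relay else "unknown", status)


def tally(lines):
    """Count statuses overall and per relay host."""
    totals = Counter()
    by_relay = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            relay, status = parsed
            totals[status] += 1
            by_relay[relay][status] += 1
    return totals, by_relay


def what_if(totals):
    """Project the recognized statuses onto each enforcement level."""
    known = {s: totals.get(s, 0) for s in STATUSES}
    total = sum(known.values())
    result = {}
    for level, ok in WOULD_DELIVER.items():
        delivered = sum(n for s, n in known.items() if s in ok)
        result[level] = {"delivered": delivered, "refused": total - delivered}
    return result


def blockers(by_relay, level):
    """Relays with at least one delivery that 'level' would not have made."""
    ok = WOULD_DELIVER[level]
    return sorted(r for r, c in by_relay.items() if any(s not in ok for s in c))


if __name__ == "__main__":
    totals, by_relay = tally(SAMPLE_LOG.splitlines())
    for level, outcome in what_if(totals).items():
        print(f"{level:24} {outcome}")
    print("refused under enforce:", blockers(by_relay, "enforce"))
```

The per-relay list shows which destinations would need a DANE or STS policy, or REQUIRETLS support, before 'enforce' can replace the relaxed default for them.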
Question: perhaps there needs to be a parameter setting to request REQUIRETLS
for specific email sources or contexts?

Non-delivery notifications

By default, Postfix redacts an undeliverable REQUIRETLS message as described in
RFC 8689, before returning it to the sender:

  * Remove the label "this message needs REQUIRETLS". The purpose is to avoid
    loss of notifications when a reverse path does not support REQUIRETLS, even
    though the forward path supported it.

  * Return only the message header, as if the message was received with the RFC
    3461 DSN option "RET=HDRS". The purpose is to limit the amount of
    information that may be exposed in plaintext.

The relevant default setting is:

    /etc/postfix/main.cf:
        requiretls_redact_dsn = yes

When a message was received with a "TLS-Required: no" header, and REQUIRETLS
was not requested, the "TLS-Required: no" header is copied to the delivery
status notification.

REQUIRETLS quick summary

The REQUIRETLS extension in ESMTP allows a sender to request that a message
will be sent over connections that are protected with TLS.

RFC 8689 defines two SMTP features:

  * A message header "TLS-Required: no" that disables TLS enforcement: do not
    require a server certificate match, and allow falling back to plaintext if
    TLS is unavailable. This may be useful to report a TLS problem, as
    described in TLSRPT_README. This feature has lower precedence than
    REQUIRETLS, and is not discussed further in this document.

  * An ESMTP protocol extension named "REQUIRETLS" that an SMTP server may list
    in its EHLO response, and that an SMTP client may request in a MAIL FROM
    command. This extension can be used only in an encrypted session, as
    illustrated with the fragment below, where C=client and S=server.

            . . .
        C: STARTTLS
        S: 220 Ready to start TLS
        C: EHLO client.example.org
        S: 250-mail.example.com
            . . .
           250 REQUIRETLS
        C: MAIL FROM: REQUIRETLS
        S: 250 OK
            . . .

  * RFC 8689 applies equally to message relay [RFC 5321], submission [RFC
    6409], and the LMTP Local Mail Transfer Protocol [RFC 2033].

  * REQUIRETLS is an end-to-end feature, unlike SMTP which is hop-by-hop. When
    a sender requests REQUIRETLS, each server in the forward path must support
    REQUIRETLS.

  * Each connection in the forward path must be made to a server that has been
    looked up securely (for example, with DNSSEC or HTTPS).

  * Each server certificate must be verified. To match a server certificate,
    the Postfix SMTP client needs to use an appropriate policy type:

      o A TLS policy type 'secure' or 'verify', with certificate name matching
        info. For example, a policy returned by an MTA-STS plugin that looks up
        certificate matching info using HTTPS;

      o A TLS policy type 'dane-only', which looks up certificate or public-key
        matching info using DNSSEC. For example, a policy that is returned by a
        DANE+STS plugin;

      o A TLS policy type 'dane', provided that both the nexthop domain and its
        MX hosts are in DNSSEC-signed zones, and usable DNSSEC-signed TLSA
        records are discovered. In other words, the effective TLS policy
        remains DANE and is not downgraded because the destination lacks DNSSEC
        and/or usable TLSA records;

      o A TLS policy type 'fingerprint', with digital fingerprints. This is a
        non-scalable solution for special deployments, mentioned here only for
        completeness.

  * A message that requires REQUIRETLS must be returned to the sender if any of
    the above requirements is not satisfied (no STARTTLS support, no secure
    lookup of MX servers, no trusted or no matching server certificate, or no
    server that announces REQUIRETLS support).

  * Returning an undeliverable message that requires REQUIRETLS comes with its
    own challenges: the return path may differ from the forward path, and the
    return path may not support REQUIRETLS all the way back to the sender, even
    if the forward path supported REQUIRETLS.
    By default, Postfix follows RFC 8689 and redacts bounce messages so that
    they can be sent without REQUIRETLS.

Credits

  * In Postfix 3.10, Wietse Venema refactored SMTPUTF8 support and extended it
    to propagate REQUIRETLS and "TLS-Required: no" information.

  * In Postfix 3.11, Wietse added REQUIRETLS support to the Postfix SMTP
    client; added a "tls=status/requiretls=status" field to the Postfix
    delivery status logging; added smtp_requiretls_policy support; added
    support for the "Require-TLS-ESMTP: yes" header to propagate REQUIRETLS
    through non-Postfix programs, specifically content filters.
@


1.1.1.1
log
@Import postfix 3.11.2 (previous was 3.10.1)

Changes in 3.11.2

Bugfix (defect introduced: Postfix 3.11): the proxymap(8) daemon dereferenced
an uninitialized pointer after a request protocol error. This daemon is not
exposed to local or remote users. Found by Claude Opus 4.6.

Bugfix (defect introduced: 20260309) a change, to set the service_name default
value to "amnesiac", violated a test that parameter names in postconf output
must match 1:1 with parameter names in the postlink script.

Changes in 3.11.1

Bugfix (defect introduced: 20260219): alias_maps errors when
default_database_type was not set in main.cf. Fix by Michael Tokarev.

Bugfix (defect introduced: Postfix 3.0): buffer over-read when Postfix is
configured with an enhanced status code not followed by other text. For
example, "5.7.2" without text after the three-number code, in an access(5)
table, header or body checks, or with "$rbl_code $rbl_text" in rbl_reply_maps
or default_rbl_reply. These are all uncommon configurations. Problem reported
by Kamil Frankowicz.

Bugfix (defect introduced: Postfix 3.3): null pointer in nbdb_reindexd(8)
because the "service_name" value was not propagated. Report by Michael Tokarev.

During Postfix start-up, avoid a spurious error message from nbdb_reindexd(8),
when non_bdb_migration_level disables automatic re-indexing.

Changes in 3.11.0

Postfix stable release 3.11.0 is available. Postfix 3.7 - 3.10 were updated a
few weeks ago; after that, Postfix 3.7 will no longer be updated.

The main changes are below. See the RELEASE_NOTES file for further details.

Berkeley DB migration:

Some (Linux) distributions are removing support for BerkeleyDB databases (In
Postfix, this means we lose support for the hash: and btree: lookup tables).
See NON_BERKELEYDB_README for manual and partially automatic migration from
btree: to lmdb:, and from hash: to lmdb: or cdb:.

The loss of BerkeleyDB affects Mailman versions that want to execute commands
like "postmap hash:/path/to/file" when a mailing list is added or removed.
Postfix provides a way to redirect such commands to a supported database type.

You don't have to wait until BerkeleyDB support is removed. It can make sense
to migrate while BerkeleyDB support is still available (mainly, less downtime).

Changes in TLS support:

Default TLS security. The Postfix SMTP client smtp_tls_security_level default
value is "may" if Postfix was built with TLS support, and the
compatibility_level is 3.11 or higher.

Support for the RFC 8689 "REQUIRETLS" verb in ESMTP. This requires that every
SMTP (and LMTP) server in the forward path is strongly authenticated with DANE,
STS, or equivalent, and that every server announces REQUIRETLS support. See
REQUIRETLS_README for suggestions to carefully enforce REQUIRETLS without
causing massive mail delivery problems.

Logging the TLS security level. This shows the desired and actual TLS security
level enforcement status and, if a message requests REQUIRETLS, the REQUIRETLS
policy enforcement status. For a list of examples see
smtp_log_tls_feature_status

Workaround for an interface mismatch between the Postfix SMTP client and
MTA-STS policy plugins. This introduces a new parameter
smtp_tls_enforce_sts_mx_patterns (default: "yes").
The MTA-STS plugin configuration needs to enable TLSRPT support, so that it
forwards STS policy attributes to Postfix. Both postfix-tlspol and
postfix-mta-sts-resolver have been updated accordingly. With this, the Postfix
SMTP client will connect to an MX host only if its name matches any STS policy
MX host pattern, and will match a server certificate against the MX hostname.
Otherwise, the old behavior stays in effect: connect to any MX host listed in
DNS, and match a server certificate against any STS policy MX host pattern.

Post-quantum cryptography support. With OpenSSL 3.5 and later, change the
tls_eecdh_auto_curves default value to avoid problems with network
infrastructure that mishandles TLS hello messages larger than one (Ethernet)
TCP segment. This problem is more generally known as "protocol ossification".

Miscellaneous changes:

Deprecation of obsolete parameters. Postfix programs log a warning that these
parameters will be removed. See DEPRECATION_README for a list of deprecated
parameters.

JSON output support with "postconf -j|-jM|-jF|-jP", "postalias -jq|-js",
"postmap -jq|-js", and "postmulti -jl". No support is planned for JSON input
support.

Milter support: improved Milter error handling for messages that arrive over a
long-lived SMTP connection, by changing the default milter_default_action from
"tempfail" to the new "shutdown" action (i.e. disconnect the remote SMTP
client). This was already back-ported to earlier stable releases.

For more changes in the 3.10 branch see: https://www.postfix.org/announcements.html @ text @@ 1.1.1.1.2.1 log @file REQUIRETLS_README was added on branch netbsd-11 on 2026-05-11 17:13:36 +0000 @ text @d1 437 @ 1.1.1.1.2.2 log @Pull up the following, requested by christos in ticket #283: external/ibm-public/postfix//dist/README_FILES/NON_BERKELEYDB_README up to external/ibm-public/postfix//dist/README_FILES/REQUIRETLS_README up to external/ibm-public/postfix//dist/conf/postfix-non-bdb-script up to external/ibm-public/postfix//dist/html/NON_BERKELEYDB_README.html up to external/ibm-public/postfix//dist/html/REQUIRETLS_README.html up to external/ibm-public/postfix//dist/html/nbdb_reindexd.8.html up to external/ibm-public/postfix//dist/html/postfix-non-bdb.1.html up to external/ibm-public/postfix//dist/man/man1/postfix-non-bdb.1 up to external/ibm-public/postfix//dist/man/man8/nbdb_reindexd.8 up to external/ibm-public/postfix//dist/mantools/check-proxy-type-table up to external/ibm-public/postfix//dist/proto/NON_BERKELEYDB_README.html up to external/ibm-public/postfix//dist/proto/REQUIRETLS_README.html up to external/ibm-public/postfix//dist/src/cleanup/cleanup_message_test.c up to external/ibm-public/postfix//dist/src/global/ehlo_mask_test.c up to external/ibm-public/postfix//dist/src/global/nbdb_clnt.c up to external/ibm-public/postfix//dist/src/global/allowed_prefix.c up to external/ibm-public/postfix//dist/src/global/allowed_prefix.h up to external/ibm-public/postfix//dist/src/global/allowed_prefix_test.c up to external/ibm-public/postfix//dist/src/global/dict_sqlite_test.c up to external/ibm-public/postfix//dist/src/global/haproxy_srvr_test.c up to external/ibm-public/postfix//dist/src/global/login_sender_match_test.c up to external/ibm-public/postfix//dist/src/global/nbdb_clnt.h up to external/ibm-public/postfix//dist/src/global/nbdb_redirect.c up to external/ibm-public/postfix//dist/src/global/nbdb_redirect.h up to 
external/ibm-public/postfix//dist/src/global/nbdb_redirect_test.c up to external/ibm-public/postfix//dist/src/global/nbdb_surrogate.c up to external/ibm-public/postfix//dist/src/global/nbdb_surrogate.h up to external/ibm-public/postfix//dist/src/global/nbdb_surrogate_test.c up to external/ibm-public/postfix//dist/src/global/nbdb_util.c up to external/ibm-public/postfix//dist/src/global/nbdb_util.h up to external/ibm-public/postfix//dist/src/global/nbdb_util_test.c up to external/ibm-public/postfix//dist/src/global/pol_stats.c up to external/ibm-public/postfix//dist/src/global/pol_stats.h up to external/ibm-public/postfix//dist/src/global/pol_stats_test.c up to external/ibm-public/postfix//dist/src/postalias/mode_conflict_test.in up to external/ibm-public/postfix//dist/src/postalias/mode_conflict_test.ref up to external/ibm-public/postfix//dist/src/postconf/test77-main.cf up to external/ibm-public/postfix//dist/src/postconf/test77.ref up to external/ibm-public/postfix//dist/src/postconf/test78.ref up to external/ibm-public/postfix//dist/src/postconf/test79.ref up to external/ibm-public/postfix//dist/src/postconf/test80.ref up to external/ibm-public/postfix//dist/src/postconf/test81.ref up to external/ibm-public/postfix//dist/src/postconf/test82.ref up to external/ibm-public/postfix//dist/src/postconf/test83.ref up to external/ibm-public/postfix//dist/src/postconf/test84.ref up to external/ibm-public/postfix//dist/src/postconf/test85.ref up to external/ibm-public/postfix//dist/src/postconf/test86.ref up to external/ibm-public/postfix//dist/src/postconf/test87.ref up to external/ibm-public/postfix//dist/src/postconf/test91.ref up to external/ibm-public/postfix//dist/src/postmap/mode_conflict_test.in up to external/ibm-public/postfix//dist/src/postmap/mode_conflict_test.ref up to external/ibm-public/postfix//dist/src/postmulti/fake_strcmp.c up to external/ibm-public/postfix//dist/src/smtp/smtp_reqtls_policy.c up to 
external/ibm-public/postfix//dist/src/smtp/smtp_reqtls_policy.h up to external/ibm-public/postfix//dist/src/smtp/smtp_reqtls_policy_test.c up to external/ibm-public/postfix//dist/src/smtp/smtp_tls_policy_test.c up to external/ibm-public/postfix//dist/src/smtpd/smtpd_peer_test.c up to external/ibm-public/postfix//dist/src/util/dict_union_test.c up to external/ibm-public/postfix//dist/src/util/hash_fnv_test.c up to external/ibm-public/postfix//dist/src/util/mac_midna.h up to external/ibm-public/postfix//dist/src/util/normalize_v4mapped_addr.c up to external/ibm-public/postfix//dist/src/util/dict_debug.h up to external/ibm-public/postfix//dist/src/util/dict_debug_test.ref up to external/ibm-public/postfix//dist/src/util/dict_debug_test.sh up to external/ibm-public/postfix//dist/src/util/dict_pipe_test.c up to external/ibm-public/postfix//dist/src/util/mac_midna.c up to external/ibm-public/postfix//dist/src/util/normalize_v4mapped_addr.h up to external/ibm-public/postfix//dist/src/util/normalize_v4mapped_addr_test.c up to external/ibm-public/postfix//dist/src/util/ossl_digest.c up to external/ibm-public/postfix//dist/src/util/ossl_digest.h up to external/ibm-public/postfix//dist/src/util/ossl_digest_test.c up to external/ibm-public/postfix//dist/src/util/wrap_stat.c up to external/ibm-public/postfix//dist/src/util/wrap_stat.h up to external/ibm-public/postfix//dist/src/nbdb_reindexd/Makefile.in up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_index_as.c up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_index_as.h up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_index_as_test.c up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_process.c up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_process.h up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_process_test.c up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_reindexd.c up to 
external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_reindexd.h up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_safe.c up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_safe.h up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_safe_test.c up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_sniffer.c up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_sniffer.h up to external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_sniffer_test.c up to external/ibm-public/postfix//dist/src/testing/Makefile.in up to external/ibm-public/postfix//dist/src/testing/dict_test_helper.c up to external/ibm-public/postfix//dist/src/testing/dict_test_helper.h up to external/ibm-public/postfix//dist/src/testing/mock_dict.c up to external/ibm-public/postfix//dist/src/testing/mock_dict.h up to external/ibm-public/postfix//dist/src/testing/mock_open_as.c up to external/ibm-public/postfix//dist/src/testing/mock_open_as.h up to external/ibm-public/postfix//dist/src/testing/mock_spawn_command.c up to external/ibm-public/postfix//dist/src/testing/mock_spawn_command.h up to external/ibm-public/postfix//dist/src/testing/mock_stat.c up to external/ibm-public/postfix//dist/src/testing/mock_stat.h up to external/ibm-public/postfix//dist/src/testing/msg_capture.c up to external/ibm-public/postfix//dist/src/testing/msg_capture.h up to external/ibm-public/postfix//dist/src/testing/nosleep.c up to external/ibm-public/postfix//dist/TESTING up to external/ibm-public/postfix//dist/RELEASE_NOTES-3.10 up to external/ibm-public/postfix//dist/src/global/ehlo_mask.in delete external/ibm-public/postfix//dist/src/global/ehlo_mask.ref delete external/ibm-public/postfix//dist/src/util/dict_pipe_test.in delete external/ibm-public/postfix//dist/src/util/dict_pipe_test.ref delete external/ibm-public/postfix//dist/src/util/dict_union_test.in delete external/ibm-public/postfix//dist/src/util/dict_union_test.ref delete 
external/ibm-public/postfix/Makefile.inc up to 1.32 external/ibm-public/postfix/dist/HISTORY up to 1.1.1.31 external/ibm-public/postfix/dist/INSTALL up to 1.1.1.11 external/ibm-public/postfix/dist/Makefile.in up to 1.1.1.12 external/ibm-public/postfix/dist/RELEASE_NOTES up to 1.1.1.19 external/ibm-public/postfix/dist/makedefs up to 1.18 external/ibm-public/postfix/dist/README_FILES/AAAREADME up to 1.1.1.8 external/ibm-public/postfix/dist/README_FILES/CDB_README up to 1.1.1.4 external/ibm-public/postfix/dist/README_FILES/COMPATIBILITY_README up to 1.1.1.5 external/ibm-public/postfix/dist/README_FILES/DATABASE_README up to 1.1.1.11 external/ibm-public/postfix/dist/README_FILES/DEPRECATION_README up to 1.1.1.2 external/ibm-public/postfix/dist/README_FILES/INSTALL up to 1.12 external/ibm-public/postfix/dist/README_FILES/MULTI_INSTANCE_README up to 1.1.1.8 external/ibm-public/postfix/dist/README_FILES/MYSQL_README up to 1.1.1.7 external/ibm-public/postfix/dist/README_FILES/OVERVIEW up to 1.1.1.7 external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES up to 1.1.1.19 external/ibm-public/postfix/dist/README_FILES/SASL_README up to 1.1.1.13 external/ibm-public/postfix/dist/README_FILES/SMTPUTF8_README up to 1.1.1.5 external/ibm-public/postfix/dist/README_FILES/SOHO_README up to 1.1.1.6 external/ibm-public/postfix/dist/README_FILES/STANDARD_CONFIGURATION_README up to 1.1.1.8 external/ibm-public/postfix/dist/README_FILES/TLSRPT_README up to 1.1.1.2 external/ibm-public/postfix/dist/README_FILES/UUCP_README up to 1.1.1.3 external/ibm-public/postfix/dist/README_FILES/VIRTUAL_README up to 1.1.1.4 external/ibm-public/postfix/dist/README_FILES/XCLIENT_README up to 1.1.1.5 external/ibm-public/postfix/dist/conf/access up to 1.1.1.10 external/ibm-public/postfix/dist/conf/aliases up to 1.1.1.7 external/ibm-public/postfix/dist/conf/canonical up to 1.1.1.7 external/ibm-public/postfix/dist/conf/generic up to 1.1.1.6 external/ibm-public/postfix/dist/conf/main.cf up to 1.12 
external/ibm-public/postfix/dist/conf/postfix-files up to 1.11 external/ibm-public/postfix/dist/conf/postfix-script up to 1.6 external/ibm-public/postfix/dist/conf/postfix-tls-script up to 1.6 external/ibm-public/postfix/dist/conf/relocated up to 1.1.1.5 external/ibm-public/postfix/dist/conf/transport up to 1.1.1.6 external/ibm-public/postfix/dist/conf/virtual up to 1.1.1.8 external/ibm-public/postfix/dist/html/CDB_README.html up to 1.1.1.6 external/ibm-public/postfix/dist/html/COMPATIBILITY_README.html up to 1.1.1.6 external/ibm-public/postfix/dist/html/DATABASE_README.html up to 1.1.1.12 external/ibm-public/postfix/dist/html/DEPRECATION_README.html up to 1.1.1.2 external/ibm-public/postfix/dist/html/INSTALL.html up to 1.12 external/ibm-public/postfix/dist/html/MULTI_INSTANCE_README.html up to 1.1.1.11 external/ibm-public/postfix/dist/html/MYSQL_README.html up to 1.1.1.7 external/ibm-public/postfix/dist/html/Makefile.in up to 1.1.1.9 external/ibm-public/postfix/dist/html/OVERVIEW.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/SASL_README.html up to 1.1.1.13 external/ibm-public/postfix/dist/html/SMTPUTF8_README.html up to 1.1.1.6 external/ibm-public/postfix/dist/html/SOHO_README.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/STANDARD_CONFIGURATION_README.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/TLSRPT_README.html up to 1.1.1.2 external/ibm-public/postfix/dist/html/UUCP_README.html up to 1.1.1.6 external/ibm-public/postfix/dist/html/VIRTUAL_README.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/XCLIENT_README.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/access.5.html up to 1.1.1.11 external/ibm-public/postfix/dist/html/aliases.5.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/bounce.8.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/canonical.5.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/cidr_table.5.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/cleanup.8.html up to 
1.1.1.11 external/ibm-public/postfix/dist/html/defer.8.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/discard.8.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/error.8.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/generic.5.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/index.html up to 1.1.1.10 external/ibm-public/postfix/dist/html/ldap_table.5.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/lmdb_table.5.html up to 1.1.1.6 external/ibm-public/postfix/dist/html/lmtp.8.html up to 1.1.1.14 external/ibm-public/postfix/dist/html/mailq.1.html up to 1.1.1.10 external/ibm-public/postfix/dist/html/makedefs.1.html up to 1.1.1.5 external/ibm-public/postfix/dist/html/memcache_table.5.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/mongodb_table.5.html up to 1.1.1.2 external/ibm-public/postfix/dist/html/mysql_table.5.html up to 1.1.1.10 external/ibm-public/postfix/dist/html/newaliases.1.html up to 1.1.1.10 external/ibm-public/postfix/dist/html/nisplus_table.5.html up to 1.1.1.7 external/ibm-public/postfix/dist/html/oqmgr.8.html up to 1.1.1.11 external/ibm-public/postfix/dist/html/pcre_table.5.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/pgsql_table.5.html up to 1.1.1.10 external/ibm-public/postfix/dist/html/postalias.1.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/postconf.1.html up to 1.1.1.13 external/ibm-public/postfix/dist/html/postconf.5.html up to 1.22 external/ibm-public/postfix/dist/html/postdrop.1.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/postfix-manuals.html up to 1.1.1.10 external/ibm-public/postfix/dist/html/postfix-tls.1.html up to 1.1.1.5 external/ibm-public/postfix/dist/html/postfix.1.html up to 1.1.1.11 external/ibm-public/postfix/dist/html/postlog.1.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/postmap.1.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/postmulti.1.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/postqueue.1.html up to 
1.1.1.11 external/ibm-public/postfix/dist/html/postscreen.8.html up to 1.1.1.10 external/ibm-public/postfix/dist/html/posttls-finger.1.html up to 1.1.1.7 external/ibm-public/postfix/dist/html/proxymap.8.html up to 1.1.1.10 external/ibm-public/postfix/dist/html/qmgr.8.html up to 1.1.1.11 external/ibm-public/postfix/dist/html/regexp_table.5.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/relocated.5.html up to 1.1.1.7 external/ibm-public/postfix/dist/html/sendmail.1.html up to 1.1.1.10 external/ibm-public/postfix/dist/html/smtp.8.html up to 1.1.1.14 external/ibm-public/postfix/dist/html/smtpd.8.html up to 1.1.1.15 external/ibm-public/postfix/dist/html/socketmap_table.5.html up to 1.1.1.7 external/ibm-public/postfix/dist/html/sqlite_table.5.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/tcp_table.5.html up to 1.1.1.8 external/ibm-public/postfix/dist/html/trace.8.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/transport.5.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/virtual.5.html up to 1.1.1.9 external/ibm-public/postfix/dist/html/virtual.8.html up to 1.1.1.9 external/ibm-public/postfix/dist/man/Makefile.in up to 1.1.1.9 external/ibm-public/postfix/dist/man/man1/makedefs.1 up to 1.5 external/ibm-public/postfix/dist/man/man1/postalias.1 up to 1.5 external/ibm-public/postfix/dist/man/man1/postconf.1 up to 1.6 external/ibm-public/postfix/dist/man/man1/postdrop.1 up to 1.6 external/ibm-public/postfix/dist/man/man1/postfix-tls.1 up to 1.4 external/ibm-public/postfix/dist/man/man1/postfix.1 up to 1.8 external/ibm-public/postfix/dist/man/man1/postlog.1 up to 1.7 external/ibm-public/postfix/dist/man/man1/postmap.1 up to 1.5 external/ibm-public/postfix/dist/man/man1/postmulti.1 up to 1.5 external/ibm-public/postfix/dist/man/man1/postqueue.1 up to 1.6 external/ibm-public/postfix/dist/man/man1/posttls-finger.1 up to 1.7 external/ibm-public/postfix/dist/man/man1/sendmail.1 up to 1.6 external/ibm-public/postfix/dist/man/man5/access.5 up to 
1.6 external/ibm-public/postfix/dist/man/man5/aliases.5 up to 1.7 external/ibm-public/postfix/dist/man/man5/canonical.5 up to 1.6 external/ibm-public/postfix/dist/man/man5/cidr_table.5 up to 1.7 external/ibm-public/postfix/dist/man/man5/generic.5 up to 1.6 external/ibm-public/postfix/dist/man/man5/ldap_table.5 up to 1.7 external/ibm-public/postfix/dist/man/man5/lmdb_table.5 up to 1.4 external/ibm-public/postfix/dist/man/man5/memcache_table.5 up to 1.3 external/ibm-public/postfix/dist/man/man5/mongodb_table.5 up to 1.3 external/ibm-public/postfix/dist/man/man5/mysql_table.5 up to 1.7 external/ibm-public/postfix/dist/man/man5/nisplus_table.5 up to 1.3 external/ibm-public/postfix/dist/man/man5/pcre_table.5 up to 1.6 external/ibm-public/postfix/dist/man/man5/pgsql_table.5 up to 1.7 external/ibm-public/postfix/dist/man/man5/postconf.5 up to 1.21 external/ibm-public/postfix/dist/man/man5/regexp_table.5 up to 1.6 external/ibm-public/postfix/dist/man/man5/relocated.5 up to 1.5 external/ibm-public/postfix/dist/man/man5/socketmap_table.5 up to 1.5 external/ibm-public/postfix/dist/man/man5/sqlite_table.5 up to 1.5 external/ibm-public/postfix/dist/man/man5/tcp_table.5 up to 1.4 external/ibm-public/postfix/dist/man/man5/transport.5 up to 1.5 external/ibm-public/postfix/dist/man/man5/virtual.5 up to 1.7 external/ibm-public/postfix/dist/man/man8/bounce.8 up to 1.6 external/ibm-public/postfix/dist/man/man8/cleanup.8 up to 1.6 external/ibm-public/postfix/dist/man/man8/discard.8 up to 1.4 external/ibm-public/postfix/dist/man/man8/error.8 up to 1.4 external/ibm-public/postfix/dist/man/man8/oqmgr.8 up to 1.4 external/ibm-public/postfix/dist/man/man8/postscreen.8 up to 1.7 external/ibm-public/postfix/dist/man/man8/proxymap.8 up to 1.5 external/ibm-public/postfix/dist/man/man8/qmgr.8 up to 1.5 external/ibm-public/postfix/dist/man/man8/smtp.8 up to 1.7 external/ibm-public/postfix/dist/man/man8/smtpd.8 up to 1.7 external/ibm-public/postfix/dist/man/man8/virtual.8 up to 1.5 
external/ibm-public/postfix/dist/mantools/check-postconf-unimplemented up to 1.1.1.2 external/ibm-public/postfix/dist/mantools/check-spell-history up to 1.1.1.2 external/ibm-public/postfix/dist/mantools/check-spell-proto-html up to 1.1.1.3 external/ibm-public/postfix/dist/mantools/dehtml up to 1.1.1.3 external/ibm-public/postfix/dist/mantools/postconf2man up to 1.1.1.7 external/ibm-public/postfix/dist/mantools/postlink up to 1.1.1.15 external/ibm-public/postfix/dist/mantools/srctoman up to 1.1.1.5 external/ibm-public/postfix/dist/proto/CDB_README.html up to 1.1.1.6 external/ibm-public/postfix/dist/proto/COMPATIBILITY_README.html up to 1.1.1.6 external/ibm-public/postfix/dist/proto/DATABASE_README.html up to 1.1.1.12 external/ibm-public/postfix/dist/proto/DEPRECATION_README.html up to 1.1.1.2 external/ibm-public/postfix/dist/proto/INSTALL.html up to 1.12 external/ibm-public/postfix/dist/proto/MULTI_INSTANCE_README.html up to 1.1.1.10 external/ibm-public/postfix/dist/proto/MYSQL_README.html up to 1.1.1.7 external/ibm-public/postfix/dist/proto/Makefile.in up to 1.1.1.9 external/ibm-public/postfix/dist/proto/OVERVIEW.html up to 1.1.1.8 external/ibm-public/postfix/dist/proto/SASL_README.html up to 1.1.1.13 external/ibm-public/postfix/dist/proto/SMTPUTF8_README.html up to 1.1.1.6 external/ibm-public/postfix/dist/proto/STANDARD_CONFIGURATION_README.html up to 1.1.1.8 external/ibm-public/postfix/dist/proto/TLSRPT_README.html up to 1.1.1.2 external/ibm-public/postfix/dist/proto/UUCP_README.html up to 1.1.1.5 external/ibm-public/postfix/dist/proto/VIRTUAL_README.html up to 1.1.1.6 external/ibm-public/postfix/dist/proto/XCLIENT_README.html up to 1.1.1.8 external/ibm-public/postfix/dist/proto/access up to 1.1.1.10 external/ibm-public/postfix/dist/proto/aliases up to 1.1.1.8 external/ibm-public/postfix/dist/proto/canonical up to 1.1.1.7 external/ibm-public/postfix/dist/proto/cidr_table up to 1.1.1.8 external/ibm-public/postfix/dist/proto/generic up to 1.1.1.6 
external/ibm-public/postfix/dist/proto/index.html up to 1.1.1.2 external/ibm-public/postfix/dist/proto/ldap_table up to 1.1.1.9 external/ibm-public/postfix/dist/proto/lmdb_table up to 1.1.1.4 external/ibm-public/postfix/dist/proto/memcache_table up to 1.1.1.5 external/ibm-public/postfix/dist/proto/mongodb_table up to 1.1.1.2 external/ibm-public/postfix/dist/proto/mysql_table up to 1.1.1.10 external/ibm-public/postfix/dist/proto/nisplus_table up to 1.1.1.4 external/ibm-public/postfix/dist/proto/pcre_table up to 1.1.1.8 external/ibm-public/postfix/dist/proto/pgsql_table up to 1.1.1.10 external/ibm-public/postfix/dist/proto/postconf.html.prolog up to 1.1.1.7 external/ibm-public/postfix/dist/proto/postconf.man.prolog up to 1.1.1.5 external/ibm-public/postfix/dist/proto/postconf.proto up to 1.21 external/ibm-public/postfix/dist/proto/regexp_table up to 1.1.1.8 external/ibm-public/postfix/dist/proto/relocated up to 1.1.1.5 external/ibm-public/postfix/dist/proto/socketmap_table up to 1.1.1.5 external/ibm-public/postfix/dist/proto/sqlite_table up to 1.1.1.6 external/ibm-public/postfix/dist/proto/stop up to 1.1.1.9 external/ibm-public/postfix/dist/proto/stop.double-cc up to 1.1.1.4 external/ibm-public/postfix/dist/proto/stop.double-history up to 1.1.1.3 external/ibm-public/postfix/dist/proto/stop.double-install-proto-text up to 1.1.1.3 external/ibm-public/postfix/dist/proto/stop.double-proto-html up to 1.1.1.4 external/ibm-public/postfix/dist/proto/stop.spell-cc up to 1.1.1.4 external/ibm-public/postfix/dist/proto/stop.spell-history up to 1.1.1.3 external/ibm-public/postfix/dist/proto/stop.spell-proto-html up to 1.1.1.4 external/ibm-public/postfix/dist/proto/tcp_table up to 1.1.1.5 external/ibm-public/postfix/dist/proto/transport up to 1.1.1.6 external/ibm-public/postfix/dist/proto/virtual up to 1.1.1.8 external/ibm-public/postfix/dist/src/bounce/Makefile.in up to 1.1.1.7 external/ibm-public/postfix/dist/src/bounce/bounce.c up to 1.6 
external/ibm-public/postfix/dist/src/bounce/bounce_notify_service.c up to 1.4 external/ibm-public/postfix/dist/src/bounce/bounce_notify_util.c up to 1.6 external/ibm-public/postfix/dist/src/bounce/bounce_notify_verp.c up to 1.4 external/ibm-public/postfix/dist/src/bounce/bounce_one_service.c up to 1.4 external/ibm-public/postfix/dist/src/bounce/bounce_trace_service.c up to 1.4 external/ibm-public/postfix/dist/src/bounce/bounce_warn_service.c up to 1.4 external/ibm-public/postfix/dist/src/cleanup/Makefile.in up to 1.1.1.11 external/ibm-public/postfix/dist/src/cleanup/cleanup.c up to 1.10 external/ibm-public/postfix/dist/src/cleanup/cleanup.h up to 1.12 external/ibm-public/postfix/dist/src/cleanup/cleanup_api.c up to 1.6 external/ibm-public/postfix/dist/src/cleanup/cleanup_bounce.c up to 1.4 external/ibm-public/postfix/dist/src/cleanup/cleanup_init.c up to 1.9 external/ibm-public/postfix/dist/src/cleanup/cleanup_message.c up to 1.6 external/ibm-public/postfix/dist/src/cleanup/cleanup_milter.c up to 1.7 external/ibm-public/postfix/dist/src/cleanup/cleanup_out_recipient.c up to 1.6 external/ibm-public/postfix/dist/src/cleanup/cleanup_state.c up to 1.6 external/ibm-public/postfix/dist/src/discard/Makefile.in up to 1.1.1.5 external/ibm-public/postfix/dist/src/discard/discard.c up to 1.4 external/ibm-public/postfix/dist/src/dns/dns.h up to 1.8 external/ibm-public/postfix/dist/src/dns/dns_lookup.c up to 1.10 external/ibm-public/postfix/dist/src/error/Makefile.in up to 1.1.1.5 external/ibm-public/postfix/dist/src/error/error.c up to 1.4 external/ibm-public/postfix/dist/src/global/Makefile.in up to 1.1.1.12 external/ibm-public/postfix/dist/src/global/abounce.c up to 1.5 external/ibm-public/postfix/dist/src/global/ascii_header_text.c up to 1.3 external/ibm-public/postfix/dist/src/global/ascii_header_text.h up to 1.3 external/ibm-public/postfix/dist/src/global/bounce.c up to 1.5 external/ibm-public/postfix/dist/src/global/bounce.h up to 1.3 
external/ibm-public/postfix/dist/src/global/cleanup_strflags.c up to 1.3 external/ibm-public/postfix/dist/src/global/cleanup_user.h up to 1.5 external/ibm-public/postfix/dist/src/global/config_known_tcp_ports.c up to 1.3 external/ibm-public/postfix/dist/src/global/data_redirect.c up to 1.3 external/ibm-public/postfix/dist/src/global/defer.c up to 1.5 external/ibm-public/postfix/dist/src/global/defer.h up to 1.3 external/ibm-public/postfix/dist/src/global/deliver_pass.c up to 1.5 external/ibm-public/postfix/dist/src/global/dict_ldap.c up to 1.7 external/ibm-public/postfix/dist/src/global/dict_memcache.c up to 1.4 external/ibm-public/postfix/dist/src/global/dict_mongodb.c up to 1.3 external/ibm-public/postfix/dist/src/global/dict_mysql.c up to 1.6 external/ibm-public/postfix/dist/src/global/dict_pgsql.c up to 1.6 external/ibm-public/postfix/dist/src/global/dict_proxy.c up to 1.4 external/ibm-public/postfix/dist/src/global/dict_sqlite.c up to 1.6 external/ibm-public/postfix/dist/src/global/dict_sqlite.h up to 1.2 external/ibm-public/postfix/dist/src/global/dsn_util.c up to 1.2 external/ibm-public/postfix/dist/src/global/ehlo_mask.c up to 1.4 external/ibm-public/postfix/dist/src/global/ehlo_mask.h up to 1.4 external/ibm-public/postfix/dist/src/global/haproxy_srvr.c up to 1.5 external/ibm-public/postfix/dist/src/global/haproxy_srvr.h up to 1.3 external/ibm-public/postfix/dist/src/global/header_opts.c up to 1.4 external/ibm-public/postfix/dist/src/global/header_opts.h up to 1.4 external/ibm-public/postfix/dist/src/global/log_adhoc.c up to 1.4 external/ibm-public/postfix/dist/src/global/log_adhoc.h up to 1.2 external/ibm-public/postfix/dist/src/global/login_sender_match.c up to 1.3 external/ibm-public/postfix/dist/src/global/mail_conf.c up to 1.5 external/ibm-public/postfix/dist/src/global/mail_conf.h up to 1.4 external/ibm-public/postfix/dist/src/global/mail_params.c up to 1.7 external/ibm-public/postfix/dist/src/global/mail_params.h up to 1.21 
external/ibm-public/postfix/dist/src/global/mail_proto.h up to 1.7 external/ibm-public/postfix/dist/src/global/mail_version.h up to 1.8 external/ibm-public/postfix/dist/src/global/maps.c up to 1.6 external/ibm-public/postfix/dist/src/global/mime_garb3.ref up to 1.1.1.2 external/ibm-public/postfix/dist/src/global/mime_state.c up to 1.4 external/ibm-public/postfix/dist/src/global/mime_state.h up to 1.2 external/ibm-public/postfix/dist/src/global/mynetworks.c up to 1.3 external/ibm-public/postfix/dist/src/global/namadr_list.in up to 1.1.1.5 external/ibm-public/postfix/dist/src/global/namadr_list.ref up to 1.1.1.6 external/ibm-public/postfix/dist/src/global/own_inet_addr.c up to 1.3 external/ibm-public/postfix/dist/src/global/pipe_command.c up to 1.3 external/ibm-public/postfix/dist/src/global/post_mail.c up to 1.6 external/ibm-public/postfix/dist/src/global/rec_type.h up to 1.5 external/ibm-public/postfix/dist/src/global/reject_deliver_request.c up to 1.3 external/ibm-public/postfix/dist/src/global/rfc2047_code.c up to 1.3 external/ibm-public/postfix/dist/src/global/rfc2047_code.h up to 1.3 external/ibm-public/postfix/dist/src/global/sendopts.c up to 1.3 external/ibm-public/postfix/dist/src/global/sent.c up to 1.4 external/ibm-public/postfix/dist/src/global/sent.h up to 1.3 external/ibm-public/postfix/dist/src/global/server_acl.c up to 1.5 external/ibm-public/postfix/dist/src/global/trace.c up to 1.4 external/ibm-public/postfix/dist/src/global/trace.h up to 1.2 external/ibm-public/postfix/dist/src/global/verify.c up to 1.5 external/ibm-public/postfix/dist/src/global/verify.h up to 1.2 external/ibm-public/postfix/dist/src/local/Makefile.in up to 1.1.1.10 external/ibm-public/postfix/dist/src/local/forward.c up to 1.6 external/ibm-public/postfix/dist/src/local/local.c up to 1.6 external/ibm-public/postfix/dist/src/local/local.h up to 1.4 external/ibm-public/postfix/dist/src/master/Makefile.in up to 1.1.1.9 external/ibm-public/postfix/dist/src/master/event_server.c up to 
1.5 external/ibm-public/postfix/dist/src/master/multi_server.c up to 1.5 external/ibm-public/postfix/dist/src/milter/milter8.c up to 1.7 external/ibm-public/postfix/dist/src/milter/test-milter.c up to 1.5 external/ibm-public/postfix/dist/src/oqmgr/Makefile.in up to 1.1.1.7 external/ibm-public/postfix/dist/src/oqmgr/qmgr.c up to 1.4 external/ibm-public/postfix/dist/src/oqmgr/qmgr_bounce.c up to 1.2 external/ibm-public/postfix/dist/src/oqmgr/qmgr_defer.c up to 1.2 external/ibm-public/postfix/dist/src/oqmgr/qmgr_message.c up to 1.6 external/ibm-public/postfix/dist/src/pipe/Makefile.in up to 1.1.1.6 external/ibm-public/postfix/dist/src/pipe/pipe.c up to 1.6 external/ibm-public/postfix/dist/src/postalias/Makefile.in up to 1.1.1.8 external/ibm-public/postfix/dist/src/postalias/postalias.c up to 1.7 external/ibm-public/postfix/dist/src/postcat/postcat.c up to 1.6 external/ibm-public/postfix/dist/src/postconf/Makefile.in up to 1.1.1.13 external/ibm-public/postfix/dist/src/postconf/extract.awk up to 1.1.1.7 external/ibm-public/postfix/dist/src/postconf/postconf.c up to 1.6 external/ibm-public/postfix/dist/src/postconf/postconf.h up to 1.6 external/ibm-public/postfix/dist/src/postconf/postconf_builtin.c up to 1.5 external/ibm-public/postfix/dist/src/postconf/postconf_dbms.c up to 1.7 external/ibm-public/postfix/dist/src/postconf/postconf_edit.c up to 1.4 external/ibm-public/postfix/dist/src/postconf/postconf_lookup.c up to 1.5 external/ibm-public/postfix/dist/src/postconf/postconf_main.c up to 1.5 external/ibm-public/postfix/dist/src/postconf/postconf_master.c up to 1.9 external/ibm-public/postfix/dist/src/postconf/postconf_unused.c up to 1.3 external/ibm-public/postfix/dist/src/postconf/postconf_user.c up to 1.6 external/ibm-public/postfix/dist/src/postconf/test18.ref up to 1.1.1.2 external/ibm-public/postfix/dist/src/postconf/test2.ref up to 1.1.1.2 external/ibm-public/postfix/dist/src/postconf/test28.ref up to 1.1.1.4 
external/ibm-public/postfix/dist/src/postconf/test29.ref up to 1.1.1.5 external/ibm-public/postfix/dist/src/postconf/test57.ref up to 1.1.1.2 external/ibm-public/postfix/dist/src/postconf/test59.ref up to 1.1.1.4 external/ibm-public/postfix/dist/src/postconf/test67.ref up to 1.1.1.3 external/ibm-public/postfix/dist/src/postconf/test76.ref up to 1.1.1.2 external/ibm-public/postfix/dist/src/postdrop/postdrop.c up to 1.6 external/ibm-public/postfix/dist/src/postfix/postfix.c up to 1.8 external/ibm-public/postfix/dist/src/postlog/postlog.c up to 1.7 external/ibm-public/postfix/dist/src/postmap/Makefile.in up to 1.1.1.9 external/ibm-public/postfix/dist/src/postmap/postmap.c up to 1.7 external/ibm-public/postfix/dist/src/postmulti/Makefile.in up to 1.1.1.6 external/ibm-public/postfix/dist/src/postmulti/postmulti.c up to 1.5 external/ibm-public/postfix/dist/src/postqueue/postqueue.c up to 1.6 external/ibm-public/postfix/dist/src/postqueue/showq_compat.c up to 1.5 external/ibm-public/postfix/dist/src/postqueue/showq_json.c up to 1.6 external/ibm-public/postfix/dist/src/postscreen/postscreen.c up to 1.7 external/ibm-public/postfix/dist/src/postscreen/postscreen_endpt.c up to 1.6 external/ibm-public/postfix/dist/src/posttls-finger/posttls-finger.c up to 1.7 external/ibm-public/postfix/dist/src/proxymap/Makefile.in up to 1.1.1.8 external/ibm-public/postfix/dist/src/proxymap/proxymap.c up to 1.6 external/ibm-public/postfix/dist/src/qmgr/Makefile.in up to 1.1.1.7 external/ibm-public/postfix/dist/src/qmgr/qmgr.c up to 1.5 external/ibm-public/postfix/dist/src/qmgr/qmgr_bounce.c up to 1.2 external/ibm-public/postfix/dist/src/qmgr/qmgr_defer.c up to 1.2 external/ibm-public/postfix/dist/src/qmgr/qmgr_message.c up to 1.6 external/ibm-public/postfix/dist/src/sendmail/Makefile.in up to 1.1.1.6 external/ibm-public/postfix/dist/src/sendmail/sendmail.c up to 1.6 external/ibm-public/postfix/dist/src/showq/showq.c up to 1.6 external/ibm-public/postfix/dist/src/smtp/Makefile.in up to 
1.1.1.12 external/ibm-public/postfix/dist/src/smtp/lmtp_params.c up to 1.7 external/ibm-public/postfix/dist/src/smtp/smtp.c up to 1.15 external/ibm-public/postfix/dist/src/smtp/smtp.h up to 1.7 external/ibm-public/postfix/dist/src/smtp/smtp_connect.c up to 1.7 external/ibm-public/postfix/dist/src/smtp/smtp_key.c up to 1.4 external/ibm-public/postfix/dist/src/smtp/smtp_params.c up to 1.7 external/ibm-public/postfix/dist/src/smtp/smtp_proto.c up to 1.7 external/ibm-public/postfix/dist/src/smtp/smtp_rcpt.c up to 1.4 external/ibm-public/postfix/dist/src/smtp/smtp_state.c up to 1.5 external/ibm-public/postfix/dist/src/smtp/smtp_tls_policy.c up to 1.6 external/ibm-public/postfix/dist/src/smtp/smtp_tlsrpt.c up to 1.3 external/ibm-public/postfix/dist/src/smtp/smtp_trouble.c up to 1.4 external/ibm-public/postfix/dist/src/smtpd/Makefile.in up to 1.1.1.13 external/ibm-public/postfix/dist/src/smtpd/smtpd.c up to 1.22 external/ibm-public/postfix/dist/src/smtpd/smtpd.h up to 1.7 external/ibm-public/postfix/dist/src/smtpd/smtpd_chat.c up to 1.5 external/ibm-public/postfix/dist/src/smtpd/smtpd_check.c up to 1.8 external/ibm-public/postfix/dist/src/smtpd/smtpd_haproxy.c up to 1.4 external/ibm-public/postfix/dist/src/smtpd/smtpd_peer.c up to 1.6 external/ibm-public/postfix/dist/src/smtpd/smtpd_proxy.c up to 1.4 external/ibm-public/postfix/dist/src/smtpd/smtpd_proxy.h up to 1.2 external/ibm-public/postfix/dist/src/tls/Makefile.in up to 1.1.1.12 external/ibm-public/postfix/dist/src/tls/tls.h up to 1.7 external/ibm-public/postfix/dist/src/tls/tls_client.c up to 1.15 external/ibm-public/postfix/dist/src/tls/tls_dane.c up to 1.7 external/ibm-public/postfix/dist/src/tls/tls_dane.sh up to 1.1.1.2 external/ibm-public/postfix/dist/src/tls/tls_dh.c up to 1.7 external/ibm-public/postfix/dist/src/tls/tls_misc.c up to 1.7 external/ibm-public/postfix/dist/src/tls/tls_prng_file.c up to 1.3 external/ibm-public/postfix/dist/src/tls/tls_proxy.h up to 1.6 
external/ibm-public/postfix/dist/src/tls/tls_proxy_client_misc.c up to 1.5 external/ibm-public/postfix/dist/src/tls/tls_proxy_client_print.c up to 1.6 external/ibm-public/postfix/dist/src/tls/tls_proxy_client_scan.c up to 1.6 external/ibm-public/postfix/dist/src/tls/tls_server.c up to 1.14 external/ibm-public/postfix/dist/src/tls/tls_verify.c up to 1.6 external/ibm-public/postfix/dist/src/tls/tlsrpt_wrapper.c up to 1.3 external/ibm-public/postfix/dist/src/tlsproxy/tlsproxy.c up to 1.8 external/ibm-public/postfix/dist/src/tlsproxy/tlsproxy_state.c up to 1.4 external/ibm-public/postfix/dist/src/trivial-rewrite/Makefile.in up to 1.1.1.7 external/ibm-public/postfix/dist/src/trivial-rewrite/resolve.c up to 1.6 external/ibm-public/postfix/dist/src/trivial-rewrite/trivial-rewrite.c up to 1.6 external/ibm-public/postfix/dist/src/util/Makefile.in up to 1.1.1.13 external/ibm-public/postfix/dist/src/util/alldig.c up to 1.4 external/ibm-public/postfix/dist/src/util/argv.c up to 1.6 external/ibm-public/postfix/dist/src/util/argv.h up to 1.6 external/ibm-public/postfix/dist/src/util/dict.c up to 1.5 external/ibm-public/postfix/dist/src/util/dict.h up to 1.7 external/ibm-public/postfix/dist/src/util/dict_alloc.c up to 1.4 external/ibm-public/postfix/dist/src/util/dict_cache.c up to 1.5 external/ibm-public/postfix/dist/src/util/dict_cache.h up to 1.3 external/ibm-public/postfix/dist/src/util/dict_cdb.c up to 1.5 external/ibm-public/postfix/dist/src/util/dict_cidr.c up to 1.6 external/ibm-public/postfix/dist/src/util/dict_db.c up to 1.5 external/ibm-public/postfix/dist/src/util/dict_dbm.c up to 1.3 external/ibm-public/postfix/dist/src/util/dict_debug.c up to 1.3 external/ibm-public/postfix/dist/src/util/dict_env.c up to 1.2 external/ibm-public/postfix/dist/src/util/dict_fail.c up to 1.3 external/ibm-public/postfix/dist/src/util/dict_inline.c up to 1.6 external/ibm-public/postfix/dist/src/util/dict_lmdb.c up to 1.5 external/ibm-public/postfix/dist/src/util/dict_ni.c up to 1.2 
external/ibm-public/postfix/dist/src/util/dict_nis.c up to 1.2 external/ibm-public/postfix/dist/src/util/dict_nisplus.c up to 1.2 external/ibm-public/postfix/dist/src/util/dict_open.c up to 1.5 external/ibm-public/postfix/dist/src/util/dict_pcre.c up to 1.6 external/ibm-public/postfix/dist/src/util/dict_pipe.c up to 1.3 external/ibm-public/postfix/dist/src/util/dict_random.c up to 1.5 external/ibm-public/postfix/dist/src/util/dict_regexp.c up to 1.6 external/ibm-public/postfix/dist/src/util/dict_sdbm.c up to 1.2 external/ibm-public/postfix/dist/src/util/dict_seq.ref up to 1.1.1.2 external/ibm-public/postfix/dist/src/util/dict_sockmap.c up to 1.7 external/ibm-public/postfix/dist/src/util/dict_static.c up to 1.5 external/ibm-public/postfix/dist/src/util/dict_surrogate.c up to 1.3 external/ibm-public/postfix/dist/src/util/dict_tcp.c up to 1.3 external/ibm-public/postfix/dist/src/util/dict_test.c up to 1.3 external/ibm-public/postfix/dist/src/util/dict_thash.c up to 1.6 external/ibm-public/postfix/dist/src/util/dict_union.c up to 1.4 external/ibm-public/postfix/dist/src/util/dict_unix.c up to 1.2 external/ibm-public/postfix/dist/src/util/dict_utf8_test.ref up to 1.1.1.2 external/ibm-public/postfix/dist/src/util/hash_fnv.c up to 1.5 external/ibm-public/postfix/dist/src/util/hex_code.c up to 1.5 external/ibm-public/postfix/dist/src/util/hex_code.h up to 1.6 external/ibm-public/postfix/dist/src/util/htable.c up to 1.5 external/ibm-public/postfix/dist/src/util/inet_addr_list.c up to 1.3 external/ibm-public/postfix/dist/src/util/inet_prefix_top.c up to 1.4 external/ibm-public/postfix/dist/src/util/inet_proto.c up to 1.5 external/ibm-public/postfix/dist/src/util/mac_expand.c up to 1.5 external/ibm-public/postfix/dist/src/util/mac_expand.h up to 1.6 external/ibm-public/postfix/dist/src/util/mac_expand.in up to 1.1.1.5 external/ibm-public/postfix/dist/src/util/mac_expand.ref up to 1.1.1.5 external/ibm-public/postfix/dist/src/util/match_list.c up to 1.4 
external/ibm-public/postfix/dist/src/util/midna_domain.c up to 1.6 external/ibm-public/postfix/dist/src/util/mkmap_open.c up to 1.3 external/ibm-public/postfix/dist/src/util/msg_vstream.c up to 1.2 external/ibm-public/postfix/dist/src/util/myaddrinfo.c up to 1.4 external/ibm-public/postfix/dist/src/util/myaddrinfo.h up to 1.5 external/ibm-public/postfix/dist/src/util/myaddrinfo.ref up to 1.1.1.6 external/ibm-public/postfix/dist/src/util/myaddrinfo.ref2 up to 1.1.1.2 external/ibm-public/postfix/dist/src/util/myaddrinfo4.ref up to 1.1.1.3 external/ibm-public/postfix/dist/src/util/myaddrinfo4.ref2 up to 1.1.1.2 external/ibm-public/postfix/dist/src/util/myflock.c up to 1.4 external/ibm-public/postfix/dist/src/util/name_mask.c up to 1.5 external/ibm-public/postfix/dist/src/util/name_mask.h up to 1.2 external/ibm-public/postfix/dist/src/util/name_mask.ref5 up to 1.1.1.2 external/ibm-public/postfix/dist/src/util/name_mask.ref6 up to 1.1.1.2 external/ibm-public/postfix/dist/src/util/netstring.c up to 1.5 external/ibm-public/postfix/dist/src/util/normalize_ws.c up to 1.3 external/ibm-public/postfix/dist/src/util/open_as.c up to 1.2 external/ibm-public/postfix/dist/src/util/open_as.h up to 1.2 external/ibm-public/postfix/dist/src/util/quote_for_json.c up to 1.3 external/ibm-public/postfix/dist/src/util/sane_sockaddr_to_hostaddr.c up to 1.3 external/ibm-public/postfix/dist/src/util/spawn_command.c up to 1.4 external/ibm-public/postfix/dist/src/util/spawn_command.h up to 1.3 external/ibm-public/postfix/dist/src/util/stringops.h up to 1.7 external/ibm-public/postfix/dist/src/util/sys_defs.h up to 1.16 external/ibm-public/postfix/dist/src/util/unescape.ref up to 1.1.1.3 external/ibm-public/postfix/dist/src/util/vbuf_print.c up to 1.6 external/ibm-public/postfix/dist/src/util/vbuf_print_test.in up to 1.1.1.2 external/ibm-public/postfix/dist/src/util/vbuf_print_test.ref up to 1.1.1.2 external/ibm-public/postfix/dist/src/util/vstream.c up to 1.6 
external/ibm-public/postfix/dist/src/util/vstream.h up to 1.5 external/ibm-public/postfix/dist/src/util/vstring.c up to 1.5 external/ibm-public/postfix/dist/src/util/vstring_vstream.c up to 1.3 external/ibm-public/postfix/dist/src/verify/verify.c up to 1.6 external/ibm-public/postfix/dist/src/virtual/Makefile.in up to 1.1.1.7 external/ibm-public/postfix/dist/src/virtual/virtual.c up to 1.5 external/ibm-public/postfix/dist/src/virtual/virtual.h up to 1.2 external/ibm-public/postfix/dist/src/xsasl/xsasl_dovecot_server.c up to 1.6 external/ibm-public/postfix/lib/global/Makefile up to 1.12 external/ibm-public/postfix/lib/util/Makefile up to 1.13 external/ibm-public/postfix/libexec/smtp/Makefile up to 1.5 doc/3RDPARTY (manually edited) Import Postfix 3.11.2. @ text @a0 437
Postfix REQUIRETLS Support

-------------------------------------------------------------------------------

Table of Contents

  * Purpose of this document
  * Introduction
  * REQUIRETLS for a perimeter MTA

      o Receiving inbound messages with REQUIRETLS requests
      o LMTP and SMTP-based message stores and content filters
      o Non-SMTP and non-LMTP content filters
      o Communication with external servers
      o Relaxing REQUIRETLS for external deliveries

  * An experiment: testing REQUIRETLS support
  * Requesting REQUIRETLS without SMTP
  * Non-delivery notifications
  * REQUIRETLS quick summary
  * Credits

Purpose of this document

This document covers Postfix configuration for the REQUIRETLS extension. The
purpose of these settings is to make REQUIRETLS support usable in an existing
environment where REQUIRETLS support is still uncommon, with a path towards a
future with REQUIRETLS.

Introduction

The REQUIRETLS extension in ESMTP is defined in RFC 8689. When a sender
requests REQUIRETLS, the message must be sent only over strongly-authenticated
SMTP or LMTP connections.
Specifically:

  * Every server in the forward path to the final destination must announce
    REQUIRETLS support. Challenge: as of 2025, only a few servers implement
    REQUIRETLS.

  * Every server in the forward path must be looked up securely (for example,
    with DNSSEC or HTTPS).

  * Every server certificate in the forward path must be verified. In
    practice, this involves DANE (+DNSSEC) or MTA-STS; custom configuration
    would not scale. Challenge: as of 2025, many domains do not publish a DANE
    or MTA-STS policy.

  * A message with REQUIRETLS must be returned to the sender if any of the
    above requirements is not satisfied (no STARTTLS support, no secure server
    lookup, no trusted or no matching server certificate, or no server that
    announces REQUIRETLS support).

For more background information, see the REQUIRETLS quick summary below.

REQUIRETLS for a perimeter MTA

In this text, a perimeter MTA is a mail system that operates on the boundary of
an administrative domain. It receives email messages for the domain, and/or
sends email messages on behalf of the domain.

Receiving inbound messages with REQUIRETLS requests

Postfix has one global parameter setting that controls REQUIRETLS support in
all Postfix processes. The default setting is:

    /etc/postfix/main.cf:
        requiretls_enable = yes

With this, the Postfix SMTP server will announce REQUIRETLS support, and more
importantly, will receive messages from senders that for some reason request
REQUIRETLS support -- messages that you would otherwise not receive, assuming
that the domain already publishes a valid DANE and/or STS policy.

If all you need is to receive messages with REQUIRETLS, and you do not insist
on enforcing REQUIRETLS when sending or forwarding messages, then you can stop
reading this document after adding the additional settings below.

NOTE: The configuration below may be suitable for a personal domain, where the
owner can decide what happens with all messages. For domains that receive
messages for other people, a less radical approach may be better, as described
in the sections that follow.

     1 /etc/postfix/main.cf:
     2     # Don't enforce REQUIRETLS when delivering mail with SMTP or LMTP.
     3     smtp_requiretls_policy = opportunistic
     4     lmtp_requiretls_policy = opportunistic
     5
     6     # Don't detect or add a "Require-TLS-ESMTP: yes" header.
     7     requiretls_esmtp_header = no

  * Lines 3-4: These relax REQUIRETLS enforcement when delivering email to a
    message store, content filter, or other destination that may not support
    REQUIRETLS. If a server does not support STARTTLS or REQUIRETLS, then
    Postfix will simply deliver the message as if the sender did not request
    REQUIRETLS.

  * Line 7: The requiretls_esmtp_header feature enables support for a message
    header "Require-TLS-ESMTP: yes" that allows Postfix to propagate the
    sender's REQUIRETLS request through a content filter based on
    SMTPD_PROXY_README or FILTER_README. This feature can safely be disabled
    if the domain does not need to enforce REQUIRETLS while delivering or
    forwarding messages.

LMTP and SMTP-based message stores and content filters

REQUIRETLS is historically not supported by message stores such as Dovecot, and
by content filters based on FILTER_README or SMTPD_PROXY_README. The settings
below allow for that reality, while also preparing for future REQUIRETLS
support.

The Postfix SMTP (LMTP) client supports a permissive REQUIRETLS policy that is
suitable for communication with internal message stores and content filters
based on FILTER_README or SMTPD_PROXY_README.

  * opportunistic: STARTTLS and REQUIRETLS support are optional.
    When the sender requests REQUIRETLS, and an SMTP or LMTP server supports
    STARTTLS and REQUIRETLS, then send REQUIRETLS, otherwise simply deliver
    the message as if the sender did not request REQUIRETLS.

For a more complete definition of this enforcement level, see the
smtp_requiretls_policy parameter documentation.

For REQUIRETLS, the relevant Postfix 3.11 configuration default settings are:

     1 /etc/postfix/main.cf:
     2     smtp_tls_security_level = may
     3     requiretls_esmtp_header = yes
     4     lmtp_requiretls_policy = opportunistic
     5     smtp_requiretls_policy =
     6         inline:{
     7             { ${domain_to_ascii{$mydomain}} = opportunistic }
     8             { .${domain_to_ascii{$mydomain}} = opportunistic }
     9             { localhost = opportunistic } }
    10         cidr:{
    11             { 0.0.0.0/0 opportunistic }
    12             { ::/0 opportunistic } }
    13         ...to be completed in section "Communication with external servers"...

  * Line 3: The requiretls_esmtp_header setting enables support for a message
    header "Require-TLS-ESMTP: yes" that allows Postfix to propagate the
    sender's REQUIRETLS request through a content filter. This feature can
    safely be disabled if there is no need for content inspection based on
    SMTPD_PROXY_README or FILTER_README.

  * Lines 5-12: These make REQUIRETLS support optional for internal
    destinations and content filters that are specified as a symbolic name
    (lines 6-9) or as a numerical IP address (lines 10-12).

  * Lines 7 and 8 use ${domain_to_ascii{$mydomain}} instead of $mydomain. The
    function domain_to_ascii{} returns $mydomain if that contains only (7-bit)
    ASCII. If the mydomain value contains non-ASCII characters, then
    domain_to_ascii{} returns the xn--mumble-mumble Punycode (A-label) form
    that Postfix needs. This works around a limitation that may be eliminated
    in a future Postfix version.

  * Note: if you specify a domain list outside main.cf, then the automatic
    $name expansions and Punycode conversions will not happen; you will need
    to enter real domain names and will need to convert non-ASCII domains to
    Punycode.

Non-SMTP and non-LMTP content filters

Postfix FILTER_README describes content inspection based on a pipe-to-command
approach. For REQUIRETLS, the relevant Postfix 3.11 default setting is:

    /etc/postfix/main.cf:
        requiretls_esmtp_header = yes

The requiretls_esmtp_header feature enables support for a message header
"Require-TLS-ESMTP: yes" that allows Postfix to propagate the sender's
REQUIRETLS request through a content filter. This feature can safely be
disabled if there is no need for content inspection based on
SMTPD_PROXY_README or FILTER_README.

Communication with external servers

For communication with external servers, the Postfix SMTP client supports
multiple enforcement levels:

  * enforce: When the sender requests REQUIRETLS, require secure lookup of MX
    hosts (for example, using DNSSEC or HTTPS), require a server certificate
    match (for example, based on a published DANE or STS policy), and require
    that the remote server supports REQUIRETLS. Otherwise return the message
    as undeliverable. NOTE: this is also used implicitly when no REQUIRETLS
    policy match is found.

  * opportunistic+starttls: When the sender requests REQUIRETLS, require that
    the server supports STARTTLS. Send REQUIRETLS if the server supports
    REQUIRETLS, otherwise simply deliver the message as if the sender did not
    request REQUIRETLS.

  * opportunistic: STARTTLS and REQUIRETLS support are optional. When the
    sender requests REQUIRETLS, and an SMTP or LMTP server supports STARTTLS
    and REQUIRETLS, then send REQUIRETLS, otherwise simply deliver the message
    as if the sender did not request REQUIRETLS.

For a more complete definition of these enforcement levels, see the
smtp_requiretls_policy parameter documentation.

For sending mail with REQUIRETLS, the relevant Postfix 3.11 default settings
are shown below, with one suggested setting in a comment (line 2).
The default settings below complete the earlier configuration for message
stores and content filters, with an 'enforce' policy for external deliveries
(line 13). You can disable the requiretls_esmtp_header feature (line 4) if a
configuration does not use content inspection based on SMTPD_PROXY_README or
FILTER_README.

     1 /etc/postfix/main.cf:
     2     # smtp_tls_policy_maps = ...dane/sts plugin...
     3     smtp_tls_security_level = may
     4     requiretls_esmtp_header = yes
     5     smtp_requiretls_policy =
     6         inline:{
     7             { ${domain_to_ascii{$mydomain}} = opportunistic }
     8             { .${domain_to_ascii{$mydomain}} = opportunistic }
     9             { localhost = opportunistic } }
    10         cidr:{
    11             { 0.0.0.0/0 opportunistic }
    12             { ::/0 opportunistic } }
    13         enforce

  * New at line 13: The 'enforce' policy for external destinations is
    technically correct, but is likely to suffer from delivery failures
    because many domains do not publish a DANE or STS policy, and many MTAs
    support STARTTLS but not REQUIRETLS. A perhaps more practical policy may
    be found in the section Relaxing REQUIRETLS for external deliveries.

  * (Same as before) Line 3: The requiretls_esmtp_header setting enables
    support for a message header "Require-TLS-ESMTP: yes" that allows Postfix
    to propagate the sender's REQUIRETLS request through a content filter.
    This feature can safely be disabled if there is no need for content
    inspection based on SMTPD_PROXY_README or FILTER_README.

  * (Same as before) Lines 5-12: These make REQUIRETLS support optional for
    internal destinations and content filters that are specified as a
    symbolic name (lines 6-9) or as a numerical IP address (lines 10-12).

  * (Same as before) Lines 7 and 8 use ${domain_to_ascii{$mydomain}} instead
    of $mydomain. The function domain_to_ascii{} returns $mydomain if that
    contains only (7-bit) ASCII. If the mydomain value contains non-ASCII
    characters, then domain_to_ascii{} returns the xn--mumble-mumble Punycode
    (A-label) form that Postfix needs.
    This works around a limitation that may be eliminated in a future Postfix
    version.

  * (Same as before) Note: if you specify a domain list outside main.cf, then
    the automatic $name expansions and Punycode conversions will not happen;
    you will need to enter real domain names and will need to convert
    non-ASCII domains to Punycode.

Relaxing REQUIRETLS for external deliveries

It may be desirable to make REQUIRETLS work with today's infrastructure, by
keeping the requirement for TLS, but relaxing the requirements that a remote
server supports REQUIRETLS and that its server certificate matches a DANE or
STS policy. The configuration below makes that change by replacing the default
'enforce' with 'opportunistic+starttls' (line 13).

     1 /etc/postfix/main.cf:
     2     smtp_tls_security_level = may
     3     # smtp_tls_policy_maps = ...dane/sts plugin...
     4     requiretls_esmtp_header = yes
     5     smtp_requiretls_policy =
     6         inline:{
     7             { ${domain_to_ascii{$mydomain}} = opportunistic }
     8             { .${domain_to_ascii{$mydomain}} = opportunistic }
     9             { localhost = opportunistic } }
    10         cidr:{
    11             { 0.0.0.0/0 opportunistic }
    12             { ::/0 opportunistic } }
    13         opportunistic+starttls

  * New at line 13: the 'opportunistic+starttls' policy relaxes the
    requirement that every MTA in the forward path of a message supports
    REQUIRETLS, but in practice only one network hop needs to be secured: from
    a sender's perimeter MTA to a receiver's perimeter MTA. The network
    connections between user agents and their respective perimeters are
    assumed to be already secure.

  * (Same as before) Line 3: The requiretls_esmtp_header setting enables
    support for a message header "Require-TLS-ESMTP: yes" that allows Postfix
    to propagate the sender's REQUIRETLS request through a content filter.
    This feature can safely be disabled if there is no need for content
    inspection based on SMTPD_PROXY_README or FILTER_README.

  * (Same as before) Lines 5-12: These make REQUIRETLS support optional for
    internal destinations and content filters that are specified as a
    symbolic name (lines 6-9) or as a numerical IP address (lines 10-12).

  * (Same as before) Lines 7 and 8 use ${domain_to_ascii{$mydomain}} instead
    of $mydomain. The function domain_to_ascii{} returns $mydomain if that
    contains only (7-bit) ASCII. If the mydomain value contains non-ASCII
    characters, then domain_to_ascii{} returns the xn--mumble-mumble Punycode
    (A-label) form that Postfix needs. This works around a limitation that may
    be eliminated in a future Postfix version.

  * (Same as before) Note: if you specify a domain list outside main.cf, then
    the automatic $name expansions and Punycode conversions will not happen;
    you will need to enter real domain names and will need to convert
    non-ASCII domains to Punycode.

An experiment: testing REQUIRETLS support

The 'opportunistic' enforcement level may be useful to discover REQUIRETLS
support globally. The idea is to turn on REQUIRETLS for all outbound mail, and
watch in Postfix TLS status logging how often delivery is logged as
"requiretls" (all requirements satisfied), "requiretls:nocertmatch" (no DANE
or STS policy, or certificate not trusted or not matched), "requiretls:none"
(no REQUIRETLS support), or "requiretls:nostarttls". For more details on this
logging format, see smtp_log_tls_feature_status.

Requesting REQUIRETLS without SMTP

There are two options:

  * Specify the Postfix-specific "sendmail -Orequiretls=yes" command-line
    option. This option is always available, but may not be convenient to use.

  * Add a Postfix-specific "Require-TLS-ESMTP: yes" message header. This is
    easier to use, but requires the setting "requiretls_esmtp_header = yes"
    which is not recommended for systems without content filters based on
    SMTPD_PROXY_README or FILTER_README.
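
Added example (not part of the Postfix distribution): a simplified Python model of how the smtp_requiretls_policy tables in the sections above pick an enforcement level for a destination, and what each level then does with a message that requests REQUIRETLS. The lookup key (next-hop name or address literal), first-match order, the Server tuple and all function names are assumptions for illustration; trying alternate MX hosts is not modelled.

```python
import ipaddress
from collections import namedtuple

# Capabilities observed for one SMTP/LMTP server (constructed model, not a Postfix type).
Server = namedtuple("Server", "starttls requiretls secure_lookup cert_match")

def a_label(domain):
    """Lower-case a domain; convert non-ASCII labels to Punycode (IDNA 2003 codec)."""
    return domain.lower().encode("idna").decode("ascii")

def build_policy(mydomain, final="enforce"):
    """Mirror the main.cf examples: internal names and every IP literal are
    'opportunistic'; anything else gets the final level (line 13)."""
    d = a_label(mydomain)
    names = [(d, "opportunistic"), ("." + d, "opportunistic"),
             ("localhost", "opportunistic")]
    nets = [(ipaddress.ip_network("0.0.0.0/0"), "opportunistic"),
            (ipaddress.ip_network("::/0"), "opportunistic")]
    return names, nets, final

def select_level(nexthop, policy):
    """Assumed lookup: key is the next-hop name or [address] literal, first match wins."""
    names, nets, final = policy
    host = nexthop.strip("[]")
    if host.lower().startswith("ipv6:"):
        host = host[5:]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = a_label(host)
        for pattern, level in names:
            if name == pattern or (pattern.startswith(".") and name.endswith(pattern)):
                return level
        return final
    for net, level in nets:
        if addr.version == net.version and addr in net:
            return level
    return final

def outcome(level, requested, server):
    """Result for one server: 'send-requiretls', 'deliver-unrequested' or 'return'."""
    if not requested:
        return "deliver-unrequested"
    tls_and_ext = server.starttls and server.requiretls
    if level == "enforce":
        verified = server.secure_lookup and server.cert_match
        return "send-requiretls" if tls_and_ext and verified else "return"
    if level == "opportunistic+starttls":
        if not server.starttls:
            return "return"  # assumption: an unmet STARTTLS requirement is a failure
        return "send-requiretls" if server.requiretls else "deliver-unrequested"
    if level == "opportunistic":
        return "send-requiretls" if tls_and_ext else "deliver-unrequested"
    raise ValueError("unknown policy level: " + level)

if __name__ == "__main__":
    policy = build_policy("example.com", final="opportunistic+starttls")
    # Constructed sample: a server with STARTTLS but no REQUIRETLS, DANE or STS.
    legacy = Server(starttls=True, requiretls=False, secure_lookup=False, cert_match=False)
    for hop in ("filter.example.com", "[127.0.0.1]", "example.net"):
        level = select_level(hop, policy)
        print(hop, level, outcome(level, True, legacy))
```

With final="enforce" the same constructed server causes the message for example.net to be returned, which is the delivery-failure risk described for line 13 of the default configuration.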

Question: perhaps there needs to be a parameter setting to request REQUIRETLS
for specific email sources or contexts?

Non-delivery notifications

By default, Postfix redacts an undeliverable REQUIRETLS message as described in
RFC 8689, before returning it to the sender:

  * Remove the label "this message needs REQUIRETLS". The purpose is to avoid
    loss of notifications when a reverse path does not support REQUIRETLS,
    even though the forward path supported it.

  * Return only the message header, as if the message was received with the
    RFC 3461 DSN option "RET=HDRS". The purpose is to limit the amount of
    information that may be exposed in plaintext.

The relevant default setting is:

    /etc/postfix/main.cf:
        requiretls_redact_dsn = yes

When a message was received with a "TLS-Required: no" header, and REQUIRETLS
was not requested, the "TLS-Required: no" header is copied to the delivery
status notification.

REQUIRETLS quick summary

The REQUIRETLS extension in ESMTP allows a sender to request that a message
will be sent over connections that are protected with TLS.

RFC 8689 defines two SMTP features:

  * A message header "TLS-Required: no" that disables TLS enforcement: do not
    require a server certificate match, and allow falling back to plaintext if
    TLS is unavailable. This may be useful to report a TLS problem, as
    described in TLSRPT_README. This feature has lower precedence than
    REQUIRETLS, and is not discussed further in this document.

  * An ESMTP protocol extension named "REQUIRETLS" that an SMTP server may
    list in its EHLO response, and that an SMTP client may request in a MAIL
    FROM command. This extension can be used only in an encrypted session, as
    illustrated with the fragment below, where C=client and S=server.

            . . .
        C: STARTTLS
        S: 220 Ready to start TLS
        C: EHLO client.example.org
        S: 250-mail.example.com
            . . .
           250 REQUIRETLS
        C: MAIL FROM: REQUIRETLS
        S: 250 OK
            . . .

  * RFC 8689 applies equally to message relay [RFC 5321], submission
    [RFC 6409], and the LMTP Local Mail Transfer Protocol [RFC 2033].

  * REQUIRETLS is an end-to-end feature, unlike SMTP which is hop-by-hop. When
    a sender requests REQUIRETLS, each server in the forward path must support
    REQUIRETLS.

  * Each connection in the forward path must be made to a server that has been
    looked up securely (for example, with DNSSEC or HTTPS).

  * Each server certificate must be verified. To match a server certificate,
    the Postfix SMTP client needs to use an appropriate policy type:

      o A TLS policy type 'secure' or 'verify', with certificate name matching
        info. For example, a policy returned by an MTA-STS plugin that looks
        up certificate matching info using HTTPS;

      o A TLS policy type 'dane-only', which looks up certificate or
        public-key matching info using DNSSEC. For example, a policy that is
        returned by a DANE+STS plugin;

      o A TLS policy type 'dane', provided that both the nexthop domain and
        its MX hosts are in DNSSEC-signed zones, and usable DNSSEC-signed TLSA
        records are discovered. In other words, the effective TLS policy
        remains DANE and is not downgraded because the destination lacks
        DNSSEC and/or usable TLSA records;

      o A TLS policy type 'fingerprint', with digital fingerprints. This is a
        non-scalable solution for special deployments, mentioned here only for
        completeness.

  * A message that requires REQUIRETLS must be returned to the sender if any
    of the above requirements is not satisfied (no STARTTLS support, no secure
    lookup of MX servers, no trusted or no matching server certificate, or no
    server that announces REQUIRETLS support).

  * Returning an undeliverable message that requires REQUIRETLS comes with its
    own challenges: the return path may differ from the forward path, and the
    return path may not support REQUIRETLS all the way back to the sender,
    even if the forward path supported REQUIRETLS.
    By default, Postfix follows RFC 8689 and redacts bounce messages so that
    they can be sent without REQUIRETLS.

Credits

  * In Postfix 3.10, Wietse Venema refactored SMTPUTF8 support and extended it
    to propagate REQUIRETLS and "TLS-Required: no" information.

  * In Postfix 3.11, Wietse added REQUIRETLS support to the Postfix SMTP
    client; added a "tls=status/requiretls=status" field to the Postfix
    delivery status logging; added smtp_requiretls_policy support; added
    support for the "Require-TLS-ESMTP: yes" header to propagate REQUIRETLS
    through non-Postfix programs, specifically content filters.
@