head	1.1;
branch	1.1.1;
access;
symbols
	netbsd-11-0-RC4:1.1.1.1.2.2
	netbsd-11:1.1.1.1.0.2
	PFIX-3-11-2:1.1.1.1
	VENEMA:1.1.1;
locks; strict;
comment	@# @;


1.1
date	2026.05.09.18.39.10;	author christos;	state Exp;
branches
	1.1.1.1;
next	;
commitid	mtbvlXzNqJaszaFG;

1.1.1.1
date	2026.05.09.18.39.10;	author christos;	state Exp;
branches
	1.1.1.1.2.1;
next	;
commitid	mtbvlXzNqJaszaFG;

1.1.1.1.2.1
date	2026.05.09.18.39.10;	author martin;	state dead;
branches;
next	1.1.1.1.2.2;
commitid	2QeqaJm8KrXk4qFG;

1.1.1.1.2.2
date	2026.05.11.17.13.37;	author martin;	state Exp;
branches;
next	;
commitid	2QeqaJm8KrXk4qFG;


desc
@@


1.1
log
@Initial revision
@
text
@<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
  "https://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<title>Postfix REQUIRETLS Support</title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>

</head>

<body>

<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix REQUIRETLS Support</h1>

<hr>

<h2> Table of Contents </h2>
<ul>

<li> <a href="#purpose"> Purpose of this document </a> </li>
<li> <a href="#intro"> Introduction </a> </li>
<li> <a href="#perimeter"> REQUIRETLS for a perimeter MTA </a>
<ul>
<li> <a href="#inbound"> Receiving inbound messages with REQUIRETLS requests </a>
<li> <a href="#lmtp-smtp"> LMTP and SMTP-based message stores and content filters content filters </a>
<li> <a href="#non-smtp"> Non-SMTP and non-LMTP content filters </a>
<li> <a href="#external"> Communication with external servers </a>
<li> <a href="#relax"> Relaxing REQUIRETLS for external deliveries </a>
</ul>
<li> <a href="#census"> An experiment: testing REQUIRETLS support </a>
<li> <a href="#requesting"> Requesting REQUIRETLS without SMTP </a>
<li> <a href="#ndrs"> Non-delivery notifications </a> </li>
<li> <a href="#summary"> REQUIRETLS quick summary </a> </li>
<li> <a href="#credits"> Credits </a> </li>

</ul>

<h2> <a name="purpose"> Purpose of this document </a> </h2>

<p> This document covers Postfix configuration for the REQUIRETLS
extension. The purpose of these settings is to make REQUIRETLS
support usable in an existing environment where REQUIRETLS support
is still uncommon, with a path towards a future with REQUIRETLS.
</p>

<h2> <a name="intro"> Introduction </a> </h2>

<p> The REQUIRETLS extension in ESMTP is defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. When
a sender requests REQUIRETLS. the message must be sent only over
strongly-authenticated SMTP or LMTP connections. </p>

<p> Specifically: </p>

<ul>

<li> <p> Every server in the forward path to the final destination must
announce REQUIRETLS support. </p>

<blockquote> Challenge: as of 2025, only a few servers implement
REQUIRETLS. </blockquote>

<li> <p> Every server in the forward path must be looked up securely
(for example, with DNSSEC or HTTPS). </p>

<li> <p> Every server certificate in the forward path must be verified. In
practice, this involves DANE (+DNSSEC) or MTA-STS; custom configuration
would not scale. </p>

<blockquote> Challenge: as of 2025, many domains do not publish a
DANE or MTA-STS policy. </blockquote>

<li> <p> A message with REQUIRETLS must be returned to the sender if
any of the above requirements is not satisfied (no STARTTLS support,
no secure server lookup, no trusted or no matching server certificate,
or no server that announces REQUIRETLS support). </p>

</ul>

<p> For more background information, see the <a href="#summary">
REQUIRETLS quick summary</a> below. </p>

<h2> <a name="perimeter"> REQUIRETLS for a perimeter MTA </a> </h2>

<p> In this text, a perimeter MTA is a mail system that operates
on the boundary of an administrative domain. It receives email
messages for the domain, and/or sends email messages on behalf
of the domain. </p>

<h3> <a name="inbound"> Receiving inbound messages with REQUIRETLS requests </a> </h3>

<p> Postfix has one global parameter setting that controls REQUIRETLS
support in all Postfix processes. The default setting is:

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#requiretls_enable">requiretls_enable</a> = yes
</pre>
</blockquote>

<p> With this, the Postfix SMTP server will announce REQUIRETLS
support, and more importantly, will receive messages from senders
that for some reason request REQUIRETLS support -- messages that
you would otherwise not receive, assuming that the domain already
publishes a valid DANE and/or STS policy. </p>

<p> If all you need is to receive messages with REQUIRETLS, and
you do not insist on enforcing REQUIRETLS when sending or forwarding
messages, then you can stop reading this document after adding the
additional settings below. </p>

<blockquote> <p> NOTE: The configuration below may be suitable for
a personal domain, where the owner can decide what happens with all
messages. For domains that receive messages for other people, a
less radical approach may be better, as described in the sections
that follow.  </p> </blockquote>

<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2     # Don't enforce REQUIRETLS when delivering mail with SMTP or LMTP.
3     <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> = opportunistic
4     <a href="postconf.5.html#lmtp_requiretls_policy">lmtp_requiretls_policy</a> = opportunistic
5     
6     # Don't detect or add a "Require-TLS-ESMTP: yes" header.
7     <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = no
</pre>
</blockquote>

<ul>

<li> <p> Lines 3-4: These relax REQUIRETLS enforcement when delivering
a email to a message store, content filter, or other destination
that may not support REQUIRETLS. If a server does not support
STARTTLS or REQUIRETLS, then Postfix will simply deliver the message
as if the sender did not request REQUIRETLS.

<li> <p> Line 7: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> feature enables support
for a message header "Require-TLS-ESMTP: yes" that allows Postfix
to propagate the sender's REQUIRETLS request through a content
filter based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>. This feature
can safely be disabled if the domain does not need to enforce
REQUIRETLS while delivering or forwarding messages. </p>

</ul>

<h3> <a name="lmtp-smtp"> LMTP and SMTP-based message stores and content filters </a> </h3>

<p> REQUIRETLS is historically not supported by message stores such
as Dovecot, and by content filters based on <a href="FILTER_README.html">FILTER_README</a> or
<a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>. The settings below allow for that reality, while
also preparing for future REQUIRETLS support. <p>

<p> The Postfix SMTP (LMTP) client supports a permissive REQUIRETLS
policy that is suitable for communication with internal message stores
and content filters based on <a href="FILTER_README.html">FILTER_README</a> or <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>. </p>

<ul> 

<li> <p> <b>opportunistic</b>: STARTTLS and REQUIRETLS support are
optional. When the sender requests REQUIRETLS, and an SMTP or LMTP
server supports STARTTLS and REQUIRETLS, then send REQUIRETLS,
otherwise simply deliver the message as if the sender did not request
REQUIRETLS. </p>

</ul>

<p> For a more complete definition of this enforcement level, see
the <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> parameter documentation. </p>

<p> For REQUIRETLS, the relevant Postfix 3.11 configuration default
settings are: </p>

<blockquote>
<pre>
 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 2     <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
 3     <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes
 4     <a href="postconf.5.html#lmtp_requiretls_policy">lmtp_requiretls_policy</a> = opportunistic
 5     <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> =
 6         <a href="DATABASE_README.html#types">inline</a>:{
 7             { ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 8             { .${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 9             { localhost = opportunistic } }
10         <a href="cidr_table.5.html">cidr</a>:{
11             { 0.0.0.0/0 opportunistic }
12             { ::/0 opportunistic } }
13       ...to be completed in section "<a href="#external">Communication with external servers</a>"...
</pre>
</blockquote>

<ul>

<li> <p> Line 3: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> setting enables support
for a message header "Require-TLS-ESMTP: yes" that allows Postfix
to propagate the sender's REQUIRETLS request through a content
filter. This feature can safely be disabled if there is no need for
content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>.
</p>

<li> <p> Lines 5-12: These make REQUIRETLS support optional for
internal destinations and content filters that are specified as a
symbolic name (lines 6-9) or as a numerical IP address (lines 10-12).
</p>

<li> <p> Lines 7 and 8 use ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} instead
of $<a href="postconf.5.html#mydomain">mydomain</a>. The function <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns $<a href="postconf.5.html#mydomain">mydomain</a> if
that contains only (7-bit) ASCII. If the <a href="postconf.5.html#mydomain">mydomain</a> value contains
non-ASCII characters, then <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns the
<tt>xn--mumble-mumble</tt> Punycode (A-label) form that Postfix
needs. This works around a limitation that may be eliminated in a
future Postfix version. </p>

<li> <p>  Note: if you specify a domain list outside <a href="postconf.5.html">main.cf</a>, then
the automatic $<i>name</i> expansions and Punycode conversions will
not happen; you will need to enter real domain names and will need
to convert non-ASCII domains to Punycode. </p>

</ul>

<h3> <a name="non-smtp"> Non-SMTP and non-LMTP content filters </a> </h3>

<p> Postfix <a href="FILTER_README.html">FILTER_README</a> describes content inspection based on a
pipe-to-command approach. For REQUIRETLS, the relevant Postfix 3.11
default setting is: </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes
</pre>
</blockquote>

<p> The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> feature enables support for a message
header "Require-TLS-ESMTP: yes" that allows Postfix to propagate the
sender's REQUIRETLS request through a content filter. This feature can
safely be disabled if there is no need for content inspection based on
<a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>. </p>

<h3> <a name="external"> Communication with external servers </a> </h3>

<p> For communication with external servers, the Postfix SMTP client
supports multiple enforcement levels: </p>

<ul>

<li> <p> <b>enforce</b>: When the sender requests REQUIRETLS, require
secure lookup of MX hosts (for example, using DNSSEC or HTTPS),
require a server certificate match (for example, based on a published
DANE or STS policy), and require that the remote server supports
REQUIRETLS. Otherwise return the message as undeliverable. </p> <p>
NOTE: this is also used implicitly when no REQUIRETLS policy match
is found. </p>

<li> <p> <b>opportunistic+starttls</b>: When the sender requests
REQUIRETLS, require that the server supports STARTTLS. Send REQUIRETLS
if the server supports REQUIRETLS, otherwise simply deliver the
message as if the sender did not request REQUIRETLS. </p>

<li> <p> <b>opportunistic</b>: STARTTLS and REQUIRETLS support are
optional. When the sender requests REQUIRETLS, and an SMTP or LMTP
server supports STARTTLS and REQUIRETLS, then send REQUIRETLS,
otherwise simply deliver the message as if the sender did not request
REQUIRETLS. </p>

</ul>

<p> For a more complete definition of these enforcement levels,
see the <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> parameter documentation. </p>

<p> For sending mail with REQUIRETLS, the relevant Postfix 3.11
default settings are shown below, with one suggested setting in a
comment (line 2).

<p> The default settings below complete the earlier configuration
for <a href="#lmtp-smtp">message stores and content filters</a>,
with an 'enforce' policy for external deliveries (line 13). You can
disable the <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> feature (line 4) if a configuration
does not use content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or
<a href="FILTER_README.html">FILTER_README</a>. </p>

<blockquote>
<pre>
 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 2     # <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = ...dane/sts plugin...
 3     <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
 4     <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes
 5     <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> =
 6         <a href="DATABASE_README.html#types">inline</a>:{
 7             { ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 8             { .${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 9             { localhost = opportunistic } }
10         <a href="cidr_table.5.html">cidr</a>:{
11             { 0.0.0.0/0 opportunistic }
12             { ::/0 opportunistic } }
13         enforce
</pre>
</blockquote>

<ul>

<li> <p> New at line 13: The 'enforce' policy for external
destinations is technically correct, but is likely to suffer from
delivery failures because many domains do not publish a DANE or STS
policy, and many MTAs support STARTTLS but not REQUIRETLS. A perhaps
more practical policy may be found in the section <a href="#relax">
Relaxing REQUIRETLS for external deliveries</a>. </p>

<li> <p> (Same as before) Line 3: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> setting
enables support for a message header "Require-TLS-ESMTP: yes" that
allows Postfix to propagate the sender's REQUIRETLS request through
a content filter. This feature can safely be disabled if there is
no need for content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or
<a href="FILTER_README.html">FILTER_README</a>.  </p>

<li> <p> (Same as before) Lines 5-12: These make REQUIRETLS support
optional for internal destinations and content filters that are
specified as a symbolic name (lines 6-9) or as a numerical IP address
(lines 10-12).

<li> <p> (Same as before) Lines 7 and 8 use ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}}
instead of $<a href="postconf.5.html#mydomain">mydomain</a>. The function <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns $<a href="postconf.5.html#mydomain">mydomain</a>
if that contains only (7-bit) ASCII. If the <a href="postconf.5.html#mydomain">mydomain</a> value contains
non-ASCII characters, then <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns the
<tt>xn--mumble-mumble</tt> Punycode (A-label) form that Postfix
needs. This works around a limitation that may be eliminated in a
future Postfix version. </p>

<li> <p> (Same as before) Note: if you specify a domain list outside
<a href="postconf.5.html">main.cf</a>, then the automatic $<i>name</i> expansions and Punycode
conversions will not happen; you will need to enter real domain
names and will need to convert non-ASCII domains to Punycode.) </p>

</ul>

<h3> <a name="relax"> Relaxing REQUIRETLS for external deliveries </a> </h3>

<p> It may be desirable to make REQUIRETLS work with today's
infrastructure, by keeping the requirement for TLS, but relaxing
the requirements that a remote server supports REQUIRETLS and that
its server certificate matches a DANE or STS policy. The configuration
below makes that change by replacing the default 'enforce' with
'opportunistic+starttls' (line 13). </p>

<blockquote>
<pre>
 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 2     <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
 3     # <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = ...dane/sts plugin...
 4     <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes
 5     <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> =
 6         <a href="DATABASE_README.html#types">inline</a>:{
 7             { ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 8             { .${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 9             { localhost = opportunistic } }
10         <a href="cidr_table.5.html">cidr</a>:{
11             { 0.0.0.0/0 opportunistic }
12             { ::/0 opportunistic } }
13         opportunistic+starttls
</pre>
</blockquote>

<ul>

<li> <p> New at line 13: the 'opportunistic+starttls' policy relaxes
the requirement that every MTA in the forward path of a message
supports REQUIRETLS, but in practice only one network hop needs to
be secured: from a sender's perimeter MTA to a receiver's perimeter
MTA. The network connections between user agents and their respective
perimeters are assumed to be already secure. </p>

<li> <p> (Same as before) Line 3: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> setting
enables support for a message header "Require-TLS-ESMTP: yes" that
allows Postfix to propagate the sender's REQUIRETLS request through
a content filter. This feature can safely be disabled if there is
no need for content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or
<a href="FILTER_README.html">FILTER_README</a>.  </p>

<li> <p> (Same as before) Lines 5-12: These make REQUIRETLS support
optional for internal destinations and content filters that are
specified as a symbolic name (lines 6-9) or as a numerical IP address
(lines 10-12).

<li> <p> (Same as before) Lines 7 and 8 use ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}}
instead of $<a href="postconf.5.html#mydomain">mydomain</a>. The function <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns $<a href="postconf.5.html#mydomain">mydomain</a>
if that contains only (7-bit) ASCII. If the <a href="postconf.5.html#mydomain">mydomain</a> value contains
non-ASCII characters, then <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns the
<tt>xn--mumble-mumble</tt> Punycode (A-label) form that Postfix
needs. This works around a limitation that may be eliminated in a
future Postfix version. </p>

<li> <p> (Same as before) Note: if you specify a domain list outside
<a href="postconf.5.html">main.cf</a>, then the automatic $<i>name</i> expansions and Punycode
conversions will not happen; you will need to enter real domain
names and will need to convert non-ASCII domains to Punycode.) </p>

</ul>

<h2> <a name="census"> An experiment: testing REQUIRETLS support </a> </h2>

<p> The 'opportunistic' enforcement level may be useful to discover
REQUIRETLS support globally. The idea is to turn on REQUIRETLS for
all outbound mail, and watch in Postfix TLS status logging how often
delivery is logged as "requiretls" (all requirements satisfied),
"requiretls:nocertmatch" (no DANE or STS policy, or certificate not
trusted or not matched), "requiretls:none" (no REQUIRETLS support),
or "requiretls:nostarttls". For more details on this logging format,
see <a href="postconf.5.html#smtp_log_tls_feature_status">smtp_log_tls_feature_status</a>.</p>

<h2> <a name="requesting"> Requesting REQUIRETLS without SMTP </a> </h2>

<p> There are two options: </p>

<ul>

<li> <p> Specify the Postfix-specific "<b>sendmail -Orequiretls=yes</b>"
command-line option. This option is always available, but may not
be convenient to use. <p>

<li> <p> Add a Postfix-specific "<b>Require-TLS-ESMTP: yes</b>"
message header. This is easier to use, but requires the setting
"<a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes" which is not recommended for systems
without content filters based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>.
</p>

</ul>

<blockquote> <b>Question</b>: perhaps there needs to be a parameter
setting to request REQUIRETLS for specific email sources or contexts?
</blockquote>

<h2> <a name="ndrs"> Non-delivery notifications </a> </h2>

<p> By default, Postfix redacts an undeliverable REQUIRETLS message as
described in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>,  before returning it to the sender: </p>

<ul>

<li> <p> Remove the label "this message needs REQUIRETLS". The
purpose is to avoid loss of notifications when a reverse path does
not support REQUIRETLS, even though the forward path supported it.
</p>

<li> <p> Return only the message header, as if the message was
received with the <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> DSN option "<tt>RET=HDRS</tt>". The
purpose is to limit the amount of information that may be exposed
in plaintext. </p>

</ul>

<p> The relevant default setting is: </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#requiretls_redact_dsn">requiretls_redact_dsn</a> = yes
</pre>
</blockquote>

<p> When a message was received with a "<tt>TLS-Required: no</tt>"
header, and REQUIRETLS was not requested, the "T<tt>LS-Required:
no</tt>" header is copied to the delivery status notification. </p>

<h2> <a name="summary"> REQUIRETLS quick summary </a> </h2>

<p> The REQUIRETLS extension in ESMTP allows a sender to request
that a message will be sent over connections that are protected
with TLS. <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> defines two SMTP features: </p>

<ul>

<li> <p> A message header "TLS-Required: no" that disables TLS
enforcement: do not require a server certificate match, and allow
falling back to plaintext if TLS is unavailable. This may be useful
to report a TLS problem, as described in <a href="TLSRPT_README.html">TLSRPT_README</a>. This feature
has lower precedence than REQUIRETLS, and is not discussed further
in this document. </p>

<li> <p> An ESMTP protocol extension named "REQUIRETLS" that an SMTP
server may list in its EHLO response, and that an SMTP client may request
in a MAIL FROM command. This extension can be used only in an encrypted
session, as illustrated with the fragment below, where <tt>C</tt>=client
and <tt>S</tt>=server. </p>

<pre>
. . .
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO client.example.org
S: 250-mail.example.com 
   . . .
   250 REQUIRETLS
C: MAIL FROM:&lt;sender@@example.org&gt; REQUIRETLS
S: 250 OK
. . .
</pre>

<li> <p> <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> applies equally to message relay [<a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>], submission
[<a href="https://tools.ietf.org/html/rfc6409">RFC 6409</a>], and the LMTP Local Mail Transfer Protocol [<a href="https://tools.ietf.org/html/rfc2033">RFC 2033</a>]. </p>

<li> <p> REQUIRETLS is an <i>end-to-end</i> feature, unlike SMTP
which is <i>hop-by-hop</i>. When a sender requests REQUIRETLS, each
server in the forward path must support REQUIRETLS. </p>

<li> <p> Each connection in the forward path must be made to a server
that has been looked up securely (for example, with DNSSEC
or HTTPS).

<li> <p> Each server certificate must be verified. To match a server
certificate, the Postfix SMTP client needs to use an appropriate policy
type: </p>

<ul>

<li> <p> A TLS policy type 'secure' or 'verify', with certificate name
matching info. For example, a policy returned by an MTA-STS plugin that
looks up certificate matching info using HTTPS;

<li> <p> A TLS policy type 'dane-only', which looks up certificate or
public-key matching info using DNSSEC. For example, a policy that is
returned by a DANE+STS plugin; </p>

<li> <p> A TLS policy type 'dane', provided that both the nexthop
domain and its MX hosts are in DNSSEC-signed zones, and usable
DNSSEC-signed TLSA records are discovered.  In other words, the
effective TLS policy remains DANE and is not downgraded because the
destination lacks DNSSEC and/or usable TLSA records; </p>

<li> <p> A TLS policy type 'fingerprint', with digital fingerprints.
This is a non-scalable solution for special deployments, mentioned
here only for completeness. </p>

</ul>

<li> <p> A message that requires REQUIRETLS must be returned to the
sender if any of the above requirements is not satisfied (no STARTTLS
support, no secure lookup of MX servers, no trusted or no matching
server certificate, or no server that announces REQUIRETLS support).
</p>

<li> <p> Returning an undeliverable message that requires REQUIRETLS
comes with its own challenges: the return path may differ from the
forward path, and the return path may not support REQUIRETLS all
the way back to the sender, even if the forward path supported
REQUIRETLS. By default, Postfix follows <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> and redacts
bounce messages so that they can be sent without REQUIRETLS. </p>

</ul>

<h2> <a name="credits"> Credits </a> </h2>

<ul>

<li> In Postfix 3.10, Wietse Venema refactored SMTPUTF8 support and
extended it to propagate REQUIRETLS and "TLS-Required: no" information.

<li> In Postfix 3.11, Wietse added REQUIRETLS support to the Postfix
SMTP client; added a "<tt>tls=<i>status</i>/requiretls=<i>status</i></tt>"
field to the Postfix delivery status logging; added <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a>
support; added support for the "Require-TLS-ESMTP: yes" header to
propagate REQUIRETLS through non-Postfix programs, specifically
content filters. </li>

</ul>

</body>

</html>
@


1.1.1.1
log
@Import postfix 3.11.2 (previous was 3.10.1)

Changes in 3.11.2

Bugfix (defect introduced: Postfix 3.11): the proxymap(8) daemon
dereferenced an uninitialized pointer after a request protocol
error. This daemon is not exposed to local or remote users. Found
by Claude Opus 4.6.

Bugfix (defect introduced: 20260309) a change, to set the service_name
default value to "amnesiac", violated a test that parameter names
in postconf output must match 1:1 with parameter names in the
postlink script.

Changes in 3.11.1

Bugfix (defect introduced: 20260219): alias_maps errors when
default_database_type was not set in main.cf. Fix by Michael Tokarev.

Bugfix (defect introduced: Postfix 3.0): buffer over-read when
Postfix is configured with an enhanced status code not followed by
other text. For example, "5.7.2" without text after the three-number
code, in an access(5) table, header or body checks, or with "$rbl_code
$rbl_text" in rbl_reply_maps or default_rbl_reply. These are all
uncommon configurations. Problem reported by Kamil Frankowicz.

Bugfix (defect introduced: Postfix 3.3): null pointer in nbdb_reindexd(8)
because the "service_name" value was not propagated. Report by
Michael Tokarev.

During Postfix start-up, avoid a spurious error message from
nbdb_reindexd(8), when non_bdb_migration_level disables automatic
re-indexing.

Changes in 3.11.0

Postfix stable release 3.11.0 is available. Postfix 3.7 - 3.10 were
updated a few weeks ago; after that, Postfix 3.7 will no longer be
updated.

The main changes are below. See the RELEASE_NOTES file for further details.

Berkeley DB migration:

Some (Linux) distributions are removing support for BerkeleyDB
databases (In Postfix, this means we lose support for the hash:
and btree: lookup tables). See NON_BERKELEYDB_README for manual
and partially automatic migration from btree: to lmdb:, and from
hash: to lmdb: or cdb:.

The loss of BerkeleyDB affects Mailman versions that want to execute
commands like "postmap hash:/path/to/file" when a mailing list is
added or removed. Postfix provides a way to redirect such commands
to a supported database type.

You don't have to wait until BerkeleyDB support is removed. It can
make sense to migrate while BerkeleyDB support is still available
(mainly, less downtime).

Changes in TLS support:

Default TLS security. The Postfix SMTP client smtp_tls_security_level
default value is "may" if Postfix was built with TLS support, and
the compatibility_level is 3.11 or higher.

Support for the RFC 8689 "REQUIRETLS" verb in ESMTP. This requires
that every SMTP (and LMTP) server in the forward path is strongly
authenticated with DANE, STS, or equivalent, and that every server
announces REQUIRETLS support.

See REQUIRETLS_README for suggestions to carefully enforce REQUIRETLS
without causing massive mail delivery problems.

Logging the TLS security level. This shows the desired and actual
TLS security level enforcement status and, if a message requests
REQUIRETLS, the REQUIRETLS policy enforcement status. For a list
of examples see smtp_log_tls_feature_status

Workaround for an interface mismatch between the Postfix SMTP client
and MTA-STS policy plugins. This introduces a new parameter
smtp_tls_enforce_sts_mx_patterns (default: "yes"). The MTA-STS
plugin configuration needs to enable TLSRPT support, so that it
forwards STS policy attributes to Postfix. Both postfix-tlspol and
postfix-mta-sts-resolver have been updated accordingly.

With this, the Postfix SMTP client will connect to an MX host only
if its name matches any STS policy MX host pattern, and will match
a server certificate against the MX hostname. Otherwise, the old
behavior stays in effect: connect to any MX host listed in DNS,
and match a server certificate against any STS policy MX host
pattern.

Post-quantum cryptography support. With OpenSSL 3.5 and later,
change the tls_eecdh_auto_curves default value to avoid problems
with network infrastructure that mishandles TLS hello messages
larger than one (Ethernet) TCP segment. This problem is more
generally known as "protocol ossification".

Miscellaneous changes:

Deprecation of obsolete parameters. Postfix programs log a warning
that these parameters will be removed. See DEPRECATION_README for
a list of deprecated parameters.

JSON output support with "postconf -j|-jM|-jF|-jP", "postalias
-jq|-js", "postmap -jq|-js", and "postmulti -jl". No support is
planned for JSON input support.

Milter support: improved Milter error handling for messages that
arrive over a long-lived SMTP connection, by changing the default
milter_default_action from "tempfail" to the new "shutdown" action
(i.e. disconnect the remote SMTP client). This was already back-ported
to earlier stable releases.

For more changes in the 3.10 branch see:
https://www.postfix.org/announcements.html
@
text
@@


1.1.1.1.2.1
log
@file REQUIRETLS_README.html was added on branch netbsd-11 on 2026-05-11 17:13:37 +0000
@
text
@d1 572
@


1.1.1.1.2.2
log
@Pull up the following, requested by christos in ticket #283:

	external/ibm-public/postfix//dist/README_FILES/NON_BERKELEYDB_README up to
	external/ibm-public/postfix//dist/README_FILES/REQUIRETLS_README up to
	external/ibm-public/postfix//dist/conf/postfix-non-bdb-script up to
	external/ibm-public/postfix//dist/html/NON_BERKELEYDB_README.html up to
	external/ibm-public/postfix//dist/html/REQUIRETLS_README.html up to
	external/ibm-public/postfix//dist/html/nbdb_reindexd.8.html up to
	external/ibm-public/postfix//dist/html/postfix-non-bdb.1.html up to
	external/ibm-public/postfix//dist/man/man1/postfix-non-bdb.1 up to
	external/ibm-public/postfix//dist/man/man8/nbdb_reindexd.8 up to
	external/ibm-public/postfix//dist/mantools/check-proxy-type-table up to
	external/ibm-public/postfix//dist/proto/NON_BERKELEYDB_README.html up to
	external/ibm-public/postfix//dist/proto/REQUIRETLS_README.html up to
	external/ibm-public/postfix//dist/src/cleanup/cleanup_message_test.c up to
	external/ibm-public/postfix//dist/src/global/ehlo_mask_test.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_clnt.c up to
	external/ibm-public/postfix//dist/src/global/allowed_prefix.c up to
	external/ibm-public/postfix//dist/src/global/allowed_prefix.h up to
	external/ibm-public/postfix//dist/src/global/allowed_prefix_test.c up to
	external/ibm-public/postfix//dist/src/global/dict_sqlite_test.c up to
	external/ibm-public/postfix//dist/src/global/haproxy_srvr_test.c up to
	external/ibm-public/postfix//dist/src/global/login_sender_match_test.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_clnt.h up to
	external/ibm-public/postfix//dist/src/global/nbdb_redirect.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_redirect.h up to
	external/ibm-public/postfix//dist/src/global/nbdb_redirect_test.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_surrogate.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_surrogate.h up to
	external/ibm-public/postfix//dist/src/global/nbdb_surrogate_test.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_util.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_util.h up to
	external/ibm-public/postfix//dist/src/global/nbdb_util_test.c up to
	external/ibm-public/postfix//dist/src/global/pol_stats.c up to
	external/ibm-public/postfix//dist/src/global/pol_stats.h up to
	external/ibm-public/postfix//dist/src/global/pol_stats_test.c up to
	external/ibm-public/postfix//dist/src/postalias/mode_conflict_test.in up to
	external/ibm-public/postfix//dist/src/postalias/mode_conflict_test.ref up to
	external/ibm-public/postfix//dist/src/postconf/test77-main.cf up to
	external/ibm-public/postfix//dist/src/postconf/test77.ref up to
	external/ibm-public/postfix//dist/src/postconf/test78.ref up to
	external/ibm-public/postfix//dist/src/postconf/test79.ref up to
	external/ibm-public/postfix//dist/src/postconf/test80.ref up to
	external/ibm-public/postfix//dist/src/postconf/test81.ref up to
	external/ibm-public/postfix//dist/src/postconf/test82.ref up to
	external/ibm-public/postfix//dist/src/postconf/test83.ref up to
	external/ibm-public/postfix//dist/src/postconf/test84.ref up to
	external/ibm-public/postfix//dist/src/postconf/test85.ref up to
	external/ibm-public/postfix//dist/src/postconf/test86.ref up to
	external/ibm-public/postfix//dist/src/postconf/test87.ref up to
	external/ibm-public/postfix//dist/src/postconf/test91.ref up to
	external/ibm-public/postfix//dist/src/postmap/mode_conflict_test.in up to
	external/ibm-public/postfix//dist/src/postmap/mode_conflict_test.ref up to
	external/ibm-public/postfix//dist/src/postmulti/fake_strcmp.c up to
	external/ibm-public/postfix//dist/src/smtp/smtp_reqtls_policy.c up to
	external/ibm-public/postfix//dist/src/smtp/smtp_reqtls_policy.h up to
	external/ibm-public/postfix//dist/src/smtp/smtp_reqtls_policy_test.c up to
	external/ibm-public/postfix//dist/src/smtp/smtp_tls_policy_test.c up to
	external/ibm-public/postfix//dist/src/smtpd/smtpd_peer_test.c up to
	external/ibm-public/postfix//dist/src/util/dict_union_test.c up to
	external/ibm-public/postfix//dist/src/util/hash_fnv_test.c up to
	external/ibm-public/postfix//dist/src/util/mac_midna.h up to
	external/ibm-public/postfix//dist/src/util/normalize_v4mapped_addr.c up to
	external/ibm-public/postfix//dist/src/util/dict_debug.h up to
	external/ibm-public/postfix//dist/src/util/dict_debug_test.ref up to
	external/ibm-public/postfix//dist/src/util/dict_debug_test.sh up to
	external/ibm-public/postfix//dist/src/util/dict_pipe_test.c up to
	external/ibm-public/postfix//dist/src/util/mac_midna.c up to
	external/ibm-public/postfix//dist/src/util/normalize_v4mapped_addr.h up to
	external/ibm-public/postfix//dist/src/util/normalize_v4mapped_addr_test.c up to
	external/ibm-public/postfix//dist/src/util/ossl_digest.c up to
	external/ibm-public/postfix//dist/src/util/ossl_digest.h up to
	external/ibm-public/postfix//dist/src/util/ossl_digest_test.c up to
	external/ibm-public/postfix//dist/src/util/wrap_stat.c up to
	external/ibm-public/postfix//dist/src/util/wrap_stat.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/Makefile.in up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_index_as.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_index_as.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_index_as_test.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_process.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_process.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_process_test.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_reindexd.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_reindexd.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_safe.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_safe.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_safe_test.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_sniffer.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_sniffer.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_sniffer_test.c up to
	external/ibm-public/postfix//dist/src/testing/Makefile.in up to
	external/ibm-public/postfix//dist/src/testing/dict_test_helper.c up to
	external/ibm-public/postfix//dist/src/testing/dict_test_helper.h up to
	external/ibm-public/postfix//dist/src/testing/mock_dict.c up to
	external/ibm-public/postfix//dist/src/testing/mock_dict.h up to
	external/ibm-public/postfix//dist/src/testing/mock_open_as.c up to
	external/ibm-public/postfix//dist/src/testing/mock_open_as.h up to
	external/ibm-public/postfix//dist/src/testing/mock_spawn_command.c up to
	external/ibm-public/postfix//dist/src/testing/mock_spawn_command.h up to
	external/ibm-public/postfix//dist/src/testing/mock_stat.c up to
	external/ibm-public/postfix//dist/src/testing/mock_stat.h up to
	external/ibm-public/postfix//dist/src/testing/msg_capture.c up to
	external/ibm-public/postfix//dist/src/testing/msg_capture.h up to
	external/ibm-public/postfix//dist/src/testing/nosleep.c up to
	external/ibm-public/postfix//dist/TESTING       up to
	external/ibm-public/postfix//dist/RELEASE_NOTES-3.10 up to
	external/ibm-public/postfix//dist/src/global/ehlo_mask.in delete
	external/ibm-public/postfix//dist/src/global/ehlo_mask.ref delete
	external/ibm-public/postfix//dist/src/util/dict_pipe_test.in delete
	external/ibm-public/postfix//dist/src/util/dict_pipe_test.ref delete
	external/ibm-public/postfix//dist/src/util/dict_union_test.in delete
	external/ibm-public/postfix//dist/src/util/dict_union_test.ref delete
	external/ibm-public/postfix/Makefile.inc        up to 1.32
	external/ibm-public/postfix/dist/HISTORY        up to 1.1.1.31
	external/ibm-public/postfix/dist/INSTALL        up to 1.1.1.11
	external/ibm-public/postfix/dist/Makefile.in    up to 1.1.1.12
	external/ibm-public/postfix/dist/RELEASE_NOTES  up to 1.1.1.19
	external/ibm-public/postfix/dist/makedefs       up to 1.18
	external/ibm-public/postfix/dist/README_FILES/AAAREADME up to 1.1.1.8
	external/ibm-public/postfix/dist/README_FILES/CDB_README up to 1.1.1.4
	external/ibm-public/postfix/dist/README_FILES/COMPATIBILITY_README up to 1.1.1.5
	external/ibm-public/postfix/dist/README_FILES/DATABASE_README up to 1.1.1.11
	external/ibm-public/postfix/dist/README_FILES/DEPRECATION_README up to 1.1.1.2
	external/ibm-public/postfix/dist/README_FILES/INSTALL up to 1.12
	external/ibm-public/postfix/dist/README_FILES/MULTI_INSTANCE_README up to 1.1.1.8
	external/ibm-public/postfix/dist/README_FILES/MYSQL_README up to 1.1.1.7
	external/ibm-public/postfix/dist/README_FILES/OVERVIEW up to 1.1.1.7
	external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES up to 1.1.1.19
	external/ibm-public/postfix/dist/README_FILES/SASL_README up to 1.1.1.13
	external/ibm-public/postfix/dist/README_FILES/SMTPUTF8_README up to 1.1.1.5
	external/ibm-public/postfix/dist/README_FILES/SOHO_README up to 1.1.1.6
	external/ibm-public/postfix/dist/README_FILES/STANDARD_CONFIGURATION_README up to 1.1.1.8
	external/ibm-public/postfix/dist/README_FILES/TLSRPT_README up to 1.1.1.2
	external/ibm-public/postfix/dist/README_FILES/UUCP_README up to 1.1.1.3
	external/ibm-public/postfix/dist/README_FILES/VIRTUAL_README up to 1.1.1.4
	external/ibm-public/postfix/dist/README_FILES/XCLIENT_README up to 1.1.1.5
	external/ibm-public/postfix/dist/conf/access    up to 1.1.1.10
	external/ibm-public/postfix/dist/conf/aliases   up to 1.1.1.7
	external/ibm-public/postfix/dist/conf/canonical up to 1.1.1.7
	external/ibm-public/postfix/dist/conf/generic   up to 1.1.1.6
	external/ibm-public/postfix/dist/conf/main.cf   up to 1.12
	external/ibm-public/postfix/dist/conf/postfix-files up to 1.11
	external/ibm-public/postfix/dist/conf/postfix-script up to 1.6
	external/ibm-public/postfix/dist/conf/postfix-tls-script up to 1.6
	external/ibm-public/postfix/dist/conf/relocated up to 1.1.1.5
	external/ibm-public/postfix/dist/conf/transport up to 1.1.1.6
	external/ibm-public/postfix/dist/conf/virtual   up to 1.1.1.8
	external/ibm-public/postfix/dist/html/CDB_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/html/COMPATIBILITY_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/html/DATABASE_README.html up to 1.1.1.12
	external/ibm-public/postfix/dist/html/DEPRECATION_README.html up to 1.1.1.2
	external/ibm-public/postfix/dist/html/INSTALL.html up to 1.12
	external/ibm-public/postfix/dist/html/MULTI_INSTANCE_README.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/MYSQL_README.html up to 1.1.1.7
	external/ibm-public/postfix/dist/html/Makefile.in up to 1.1.1.9
	external/ibm-public/postfix/dist/html/OVERVIEW.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/SASL_README.html up to 1.1.1.13
	external/ibm-public/postfix/dist/html/SMTPUTF8_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/html/SOHO_README.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/STANDARD_CONFIGURATION_README.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/TLSRPT_README.html up to 1.1.1.2
	external/ibm-public/postfix/dist/html/UUCP_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/html/VIRTUAL_README.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/XCLIENT_README.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/access.5.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/aliases.5.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/bounce.8.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/canonical.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/cidr_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/cleanup.8.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/defer.8.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/discard.8.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/error.8.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/generic.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/index.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/ldap_table.5.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/lmdb_table.5.html up to 1.1.1.6
	external/ibm-public/postfix/dist/html/lmtp.8.html up to 1.1.1.14
	external/ibm-public/postfix/dist/html/mailq.1.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/makedefs.1.html up to 1.1.1.5
	external/ibm-public/postfix/dist/html/memcache_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/mongodb_table.5.html up to 1.1.1.2
	external/ibm-public/postfix/dist/html/mysql_table.5.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/newaliases.1.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/nisplus_table.5.html up to 1.1.1.7
	external/ibm-public/postfix/dist/html/oqmgr.8.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/pcre_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/pgsql_table.5.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/postalias.1.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/postconf.1.html up to 1.1.1.13
	external/ibm-public/postfix/dist/html/postconf.5.html up to 1.22
	external/ibm-public/postfix/dist/html/postdrop.1.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/postfix-manuals.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/postfix-tls.1.html up to 1.1.1.5
	external/ibm-public/postfix/dist/html/postfix.1.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/postlog.1.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/postmap.1.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/postmulti.1.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/postqueue.1.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/postscreen.8.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/posttls-finger.1.html up to 1.1.1.7
	external/ibm-public/postfix/dist/html/proxymap.8.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/qmgr.8.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/regexp_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/relocated.5.html up to 1.1.1.7
	external/ibm-public/postfix/dist/html/sendmail.1.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/smtp.8.html up to 1.1.1.14
	external/ibm-public/postfix/dist/html/smtpd.8.html up to 1.1.1.15
	external/ibm-public/postfix/dist/html/socketmap_table.5.html up to 1.1.1.7
	external/ibm-public/postfix/dist/html/sqlite_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/tcp_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/trace.8.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/transport.5.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/virtual.5.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/virtual.8.html up to 1.1.1.9
	external/ibm-public/postfix/dist/man/Makefile.in up to 1.1.1.9
	external/ibm-public/postfix/dist/man/man1/makedefs.1 up to 1.5
	external/ibm-public/postfix/dist/man/man1/postalias.1 up to 1.5
	external/ibm-public/postfix/dist/man/man1/postconf.1 up to 1.6
	external/ibm-public/postfix/dist/man/man1/postdrop.1 up to 1.6
	external/ibm-public/postfix/dist/man/man1/postfix-tls.1 up to 1.4
	external/ibm-public/postfix/dist/man/man1/postfix.1 up to 1.8
	external/ibm-public/postfix/dist/man/man1/postlog.1 up to 1.7
	external/ibm-public/postfix/dist/man/man1/postmap.1 up to 1.5
	external/ibm-public/postfix/dist/man/man1/postmulti.1 up to 1.5
	external/ibm-public/postfix/dist/man/man1/postqueue.1 up to 1.6
	external/ibm-public/postfix/dist/man/man1/posttls-finger.1 up to 1.7
	external/ibm-public/postfix/dist/man/man1/sendmail.1 up to 1.6
	external/ibm-public/postfix/dist/man/man5/access.5 up to 1.6
	external/ibm-public/postfix/dist/man/man5/aliases.5 up to 1.7
	external/ibm-public/postfix/dist/man/man5/canonical.5 up to 1.6
	external/ibm-public/postfix/dist/man/man5/cidr_table.5 up to 1.7
	external/ibm-public/postfix/dist/man/man5/generic.5 up to 1.6
	external/ibm-public/postfix/dist/man/man5/ldap_table.5 up to 1.7
	external/ibm-public/postfix/dist/man/man5/lmdb_table.5 up to 1.4
	external/ibm-public/postfix/dist/man/man5/memcache_table.5 up to 1.3
	external/ibm-public/postfix/dist/man/man5/mongodb_table.5 up to 1.3
	external/ibm-public/postfix/dist/man/man5/mysql_table.5 up to 1.7
	external/ibm-public/postfix/dist/man/man5/nisplus_table.5 up to 1.3
	external/ibm-public/postfix/dist/man/man5/pcre_table.5 up to 1.6
	external/ibm-public/postfix/dist/man/man5/pgsql_table.5 up to 1.7
	external/ibm-public/postfix/dist/man/man5/postconf.5 up to 1.21
	external/ibm-public/postfix/dist/man/man5/regexp_table.5 up to 1.6
	external/ibm-public/postfix/dist/man/man5/relocated.5 up to 1.5
	external/ibm-public/postfix/dist/man/man5/socketmap_table.5 up to 1.5
	external/ibm-public/postfix/dist/man/man5/sqlite_table.5 up to 1.5
	external/ibm-public/postfix/dist/man/man5/tcp_table.5 up to 1.4
	external/ibm-public/postfix/dist/man/man5/transport.5 up to 1.5
	external/ibm-public/postfix/dist/man/man5/virtual.5 up to 1.7
	external/ibm-public/postfix/dist/man/man8/bounce.8 up to 1.6
	external/ibm-public/postfix/dist/man/man8/cleanup.8 up to 1.6
	external/ibm-public/postfix/dist/man/man8/discard.8 up to 1.4
	external/ibm-public/postfix/dist/man/man8/error.8 up to 1.4
	external/ibm-public/postfix/dist/man/man8/oqmgr.8 up to 1.4
	external/ibm-public/postfix/dist/man/man8/postscreen.8 up to 1.7
	external/ibm-public/postfix/dist/man/man8/proxymap.8 up to 1.5
	external/ibm-public/postfix/dist/man/man8/qmgr.8 up to 1.5
	external/ibm-public/postfix/dist/man/man8/smtp.8 up to 1.7
	external/ibm-public/postfix/dist/man/man8/smtpd.8 up to 1.7
	external/ibm-public/postfix/dist/man/man8/virtual.8 up to 1.5
	external/ibm-public/postfix/dist/mantools/check-postconf-unimplemented up to 1.1.1.2
	external/ibm-public/postfix/dist/mantools/check-spell-history up to 1.1.1.2
	external/ibm-public/postfix/dist/mantools/check-spell-proto-html up to 1.1.1.3
	external/ibm-public/postfix/dist/mantools/dehtml up to 1.1.1.3
	external/ibm-public/postfix/dist/mantools/postconf2man up to 1.1.1.7
	external/ibm-public/postfix/dist/mantools/postlink up to 1.1.1.15
	external/ibm-public/postfix/dist/mantools/srctoman up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/CDB_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/COMPATIBILITY_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/DATABASE_README.html up to 1.1.1.12
	external/ibm-public/postfix/dist/proto/DEPRECATION_README.html up to 1.1.1.2
	external/ibm-public/postfix/dist/proto/INSTALL.html up to 1.12
	external/ibm-public/postfix/dist/proto/MULTI_INSTANCE_README.html up to 1.1.1.10
	external/ibm-public/postfix/dist/proto/MYSQL_README.html up to 1.1.1.7
	external/ibm-public/postfix/dist/proto/Makefile.in up to 1.1.1.9
	external/ibm-public/postfix/dist/proto/OVERVIEW.html up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/SASL_README.html up to 1.1.1.13
	external/ibm-public/postfix/dist/proto/SMTPUTF8_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/STANDARD_CONFIGURATION_README.html up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/TLSRPT_README.html up to 1.1.1.2
	external/ibm-public/postfix/dist/proto/UUCP_README.html up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/VIRTUAL_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/XCLIENT_README.html up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/access   up to 1.1.1.10
	external/ibm-public/postfix/dist/proto/aliases  up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/canonical up to 1.1.1.7
	external/ibm-public/postfix/dist/proto/cidr_table up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/generic  up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/index.html up to 1.1.1.2
	external/ibm-public/postfix/dist/proto/ldap_table up to 1.1.1.9
	external/ibm-public/postfix/dist/proto/lmdb_table up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/memcache_table up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/mongodb_table up to 1.1.1.2
	external/ibm-public/postfix/dist/proto/mysql_table up to 1.1.1.10
	external/ibm-public/postfix/dist/proto/nisplus_table up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/pcre_table up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/pgsql_table up to 1.1.1.10
	external/ibm-public/postfix/dist/proto/postconf.html.prolog up to 1.1.1.7
	external/ibm-public/postfix/dist/proto/postconf.man.prolog up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/postconf.proto up to 1.21
	external/ibm-public/postfix/dist/proto/regexp_table up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/relocated up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/socketmap_table up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/sqlite_table up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/stop     up to 1.1.1.9
	external/ibm-public/postfix/dist/proto/stop.double-cc up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/stop.double-history up to 1.1.1.3
	external/ibm-public/postfix/dist/proto/stop.double-install-proto-text up to 1.1.1.3
	external/ibm-public/postfix/dist/proto/stop.double-proto-html up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/stop.spell-cc up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/stop.spell-history up to 1.1.1.3
	external/ibm-public/postfix/dist/proto/stop.spell-proto-html up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/tcp_table up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/transport up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/virtual  up to 1.1.1.8
	external/ibm-public/postfix/dist/src/bounce/Makefile.in up to 1.1.1.7
	external/ibm-public/postfix/dist/src/bounce/bounce.c up to 1.6
	external/ibm-public/postfix/dist/src/bounce/bounce_notify_service.c up to 1.4
	external/ibm-public/postfix/dist/src/bounce/bounce_notify_util.c up to 1.6
	external/ibm-public/postfix/dist/src/bounce/bounce_notify_verp.c up to 1.4
	external/ibm-public/postfix/dist/src/bounce/bounce_one_service.c up to 1.4
	external/ibm-public/postfix/dist/src/bounce/bounce_trace_service.c up to 1.4
	external/ibm-public/postfix/dist/src/bounce/bounce_warn_service.c up to 1.4
	external/ibm-public/postfix/dist/src/cleanup/Makefile.in up to 1.1.1.11
	external/ibm-public/postfix/dist/src/cleanup/cleanup.c up to 1.10
	external/ibm-public/postfix/dist/src/cleanup/cleanup.h up to 1.12
	external/ibm-public/postfix/dist/src/cleanup/cleanup_api.c up to 1.6
	external/ibm-public/postfix/dist/src/cleanup/cleanup_bounce.c up to 1.4
	external/ibm-public/postfix/dist/src/cleanup/cleanup_init.c up to 1.9
	external/ibm-public/postfix/dist/src/cleanup/cleanup_message.c up to 1.6
	external/ibm-public/postfix/dist/src/cleanup/cleanup_milter.c up to 1.7
	external/ibm-public/postfix/dist/src/cleanup/cleanup_out_recipient.c up to 1.6
	external/ibm-public/postfix/dist/src/cleanup/cleanup_state.c up to 1.6
	external/ibm-public/postfix/dist/src/discard/Makefile.in up to 1.1.1.5
	external/ibm-public/postfix/dist/src/discard/discard.c up to 1.4
	external/ibm-public/postfix/dist/src/dns/dns.h  up to 1.8
	external/ibm-public/postfix/dist/src/dns/dns_lookup.c up to 1.10
	external/ibm-public/postfix/dist/src/error/Makefile.in up to 1.1.1.5
	external/ibm-public/postfix/dist/src/error/error.c up to 1.4
	external/ibm-public/postfix/dist/src/global/Makefile.in up to 1.1.1.12
	external/ibm-public/postfix/dist/src/global/abounce.c up to 1.5
	external/ibm-public/postfix/dist/src/global/ascii_header_text.c up to 1.3
	external/ibm-public/postfix/dist/src/global/ascii_header_text.h up to 1.3
	external/ibm-public/postfix/dist/src/global/bounce.c up to 1.5
	external/ibm-public/postfix/dist/src/global/bounce.h up to 1.3
	external/ibm-public/postfix/dist/src/global/cleanup_strflags.c up to 1.3
	external/ibm-public/postfix/dist/src/global/cleanup_user.h up to 1.5
	external/ibm-public/postfix/dist/src/global/config_known_tcp_ports.c up to 1.3
	external/ibm-public/postfix/dist/src/global/data_redirect.c up to 1.3
	external/ibm-public/postfix/dist/src/global/defer.c up to 1.5
	external/ibm-public/postfix/dist/src/global/defer.h up to 1.3
	external/ibm-public/postfix/dist/src/global/deliver_pass.c up to 1.5
	external/ibm-public/postfix/dist/src/global/dict_ldap.c up to 1.7
	external/ibm-public/postfix/dist/src/global/dict_memcache.c up to 1.4
	external/ibm-public/postfix/dist/src/global/dict_mongodb.c up to 1.3
	external/ibm-public/postfix/dist/src/global/dict_mysql.c up to 1.6
	external/ibm-public/postfix/dist/src/global/dict_pgsql.c up to 1.6
	external/ibm-public/postfix/dist/src/global/dict_proxy.c up to 1.4
	external/ibm-public/postfix/dist/src/global/dict_sqlite.c up to 1.6
	external/ibm-public/postfix/dist/src/global/dict_sqlite.h up to 1.2
	external/ibm-public/postfix/dist/src/global/dsn_util.c up to 1.2
	external/ibm-public/postfix/dist/src/global/ehlo_mask.c up to 1.4
	external/ibm-public/postfix/dist/src/global/ehlo_mask.h up to 1.4
	external/ibm-public/postfix/dist/src/global/haproxy_srvr.c up to 1.5
	external/ibm-public/postfix/dist/src/global/haproxy_srvr.h up to 1.3
	external/ibm-public/postfix/dist/src/global/header_opts.c up to 1.4
	external/ibm-public/postfix/dist/src/global/header_opts.h up to 1.4
	external/ibm-public/postfix/dist/src/global/log_adhoc.c up to 1.4
	external/ibm-public/postfix/dist/src/global/log_adhoc.h up to 1.2
	external/ibm-public/postfix/dist/src/global/login_sender_match.c up to 1.3
	external/ibm-public/postfix/dist/src/global/mail_conf.c up to 1.5
	external/ibm-public/postfix/dist/src/global/mail_conf.h up to 1.4
	external/ibm-public/postfix/dist/src/global/mail_params.c up to 1.7
	external/ibm-public/postfix/dist/src/global/mail_params.h up to 1.21
	external/ibm-public/postfix/dist/src/global/mail_proto.h up to 1.7
	external/ibm-public/postfix/dist/src/global/mail_version.h up to 1.8
	external/ibm-public/postfix/dist/src/global/maps.c up to 1.6
	external/ibm-public/postfix/dist/src/global/mime_garb3.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/global/mime_state.c up to 1.4
	external/ibm-public/postfix/dist/src/global/mime_state.h up to 1.2
	external/ibm-public/postfix/dist/src/global/mynetworks.c up to 1.3
	external/ibm-public/postfix/dist/src/global/namadr_list.in up to 1.1.1.5
	external/ibm-public/postfix/dist/src/global/namadr_list.ref up to 1.1.1.6
	external/ibm-public/postfix/dist/src/global/own_inet_addr.c up to 1.3
	external/ibm-public/postfix/dist/src/global/pipe_command.c up to 1.3
	external/ibm-public/postfix/dist/src/global/post_mail.c up to 1.6
	external/ibm-public/postfix/dist/src/global/rec_type.h up to 1.5
	external/ibm-public/postfix/dist/src/global/reject_deliver_request.c up to 1.3
	external/ibm-public/postfix/dist/src/global/rfc2047_code.c up to 1.3
	external/ibm-public/postfix/dist/src/global/rfc2047_code.h up to 1.3
	external/ibm-public/postfix/dist/src/global/sendopts.c up to 1.3
	external/ibm-public/postfix/dist/src/global/sent.c up to 1.4
	external/ibm-public/postfix/dist/src/global/sent.h up to 1.3
	external/ibm-public/postfix/dist/src/global/server_acl.c up to 1.5
	external/ibm-public/postfix/dist/src/global/trace.c up to 1.4
	external/ibm-public/postfix/dist/src/global/trace.h up to 1.2
	external/ibm-public/postfix/dist/src/global/verify.c up to 1.5
	external/ibm-public/postfix/dist/src/global/verify.h up to 1.2
	external/ibm-public/postfix/dist/src/local/Makefile.in up to 1.1.1.10
	external/ibm-public/postfix/dist/src/local/forward.c up to 1.6
	external/ibm-public/postfix/dist/src/local/local.c up to 1.6
	external/ibm-public/postfix/dist/src/local/local.h up to 1.4
	external/ibm-public/postfix/dist/src/master/Makefile.in up to 1.1.1.9
	external/ibm-public/postfix/dist/src/master/event_server.c up to 1.5
	external/ibm-public/postfix/dist/src/master/multi_server.c up to 1.5
	external/ibm-public/postfix/dist/src/milter/milter8.c up to 1.7
	external/ibm-public/postfix/dist/src/milter/test-milter.c up to 1.5
	external/ibm-public/postfix/dist/src/oqmgr/Makefile.in up to 1.1.1.7
	external/ibm-public/postfix/dist/src/oqmgr/qmgr.c up to 1.4
	external/ibm-public/postfix/dist/src/oqmgr/qmgr_bounce.c up to 1.2
	external/ibm-public/postfix/dist/src/oqmgr/qmgr_defer.c up to 1.2
	external/ibm-public/postfix/dist/src/oqmgr/qmgr_message.c up to 1.6
	external/ibm-public/postfix/dist/src/pipe/Makefile.in up to 1.1.1.6
	external/ibm-public/postfix/dist/src/pipe/pipe.c up to 1.6
	external/ibm-public/postfix/dist/src/postalias/Makefile.in up to 1.1.1.8
	external/ibm-public/postfix/dist/src/postalias/postalias.c up to 1.7
	external/ibm-public/postfix/dist/src/postcat/postcat.c up to 1.6
	external/ibm-public/postfix/dist/src/postconf/Makefile.in up to 1.1.1.13
	external/ibm-public/postfix/dist/src/postconf/extract.awk up to 1.1.1.7
	external/ibm-public/postfix/dist/src/postconf/postconf.c up to 1.6
	external/ibm-public/postfix/dist/src/postconf/postconf.h up to 1.6
	external/ibm-public/postfix/dist/src/postconf/postconf_builtin.c up to 1.5
	external/ibm-public/postfix/dist/src/postconf/postconf_dbms.c up to 1.7
	external/ibm-public/postfix/dist/src/postconf/postconf_edit.c up to 1.4
	external/ibm-public/postfix/dist/src/postconf/postconf_lookup.c up to 1.5
	external/ibm-public/postfix/dist/src/postconf/postconf_main.c up to 1.5
	external/ibm-public/postfix/dist/src/postconf/postconf_master.c up to 1.9
	external/ibm-public/postfix/dist/src/postconf/postconf_unused.c up to 1.3
	external/ibm-public/postfix/dist/src/postconf/postconf_user.c up to 1.6
	external/ibm-public/postfix/dist/src/postconf/test18.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/postconf/test2.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/postconf/test28.ref up to 1.1.1.4
	external/ibm-public/postfix/dist/src/postconf/test29.ref up to 1.1.1.5
	external/ibm-public/postfix/dist/src/postconf/test57.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/postconf/test59.ref up to 1.1.1.4
	external/ibm-public/postfix/dist/src/postconf/test67.ref up to 1.1.1.3
	external/ibm-public/postfix/dist/src/postconf/test76.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/postdrop/postdrop.c up to 1.6
	external/ibm-public/postfix/dist/src/postfix/postfix.c up to 1.8
	external/ibm-public/postfix/dist/src/postlog/postlog.c up to 1.7
	external/ibm-public/postfix/dist/src/postmap/Makefile.in up to 1.1.1.9
	external/ibm-public/postfix/dist/src/postmap/postmap.c up to 1.7
	external/ibm-public/postfix/dist/src/postmulti/Makefile.in up to 1.1.1.6
	external/ibm-public/postfix/dist/src/postmulti/postmulti.c up to 1.5
	external/ibm-public/postfix/dist/src/postqueue/postqueue.c up to 1.6
	external/ibm-public/postfix/dist/src/postqueue/showq_compat.c up to 1.5
	external/ibm-public/postfix/dist/src/postqueue/showq_json.c up to 1.6
	external/ibm-public/postfix/dist/src/postscreen/postscreen.c up to 1.7
	external/ibm-public/postfix/dist/src/postscreen/postscreen_endpt.c up to 1.6
	external/ibm-public/postfix/dist/src/posttls-finger/posttls-finger.c up to 1.7
	external/ibm-public/postfix/dist/src/proxymap/Makefile.in up to 1.1.1.8
	external/ibm-public/postfix/dist/src/proxymap/proxymap.c up to 1.6
	external/ibm-public/postfix/dist/src/qmgr/Makefile.in up to 1.1.1.7
	external/ibm-public/postfix/dist/src/qmgr/qmgr.c up to 1.5
	external/ibm-public/postfix/dist/src/qmgr/qmgr_bounce.c up to 1.2
	external/ibm-public/postfix/dist/src/qmgr/qmgr_defer.c up to 1.2
	external/ibm-public/postfix/dist/src/qmgr/qmgr_message.c up to 1.6
	external/ibm-public/postfix/dist/src/sendmail/Makefile.in up to 1.1.1.6
	external/ibm-public/postfix/dist/src/sendmail/sendmail.c up to 1.6
	external/ibm-public/postfix/dist/src/showq/showq.c up to 1.6
	external/ibm-public/postfix/dist/src/smtp/Makefile.in up to 1.1.1.12
	external/ibm-public/postfix/dist/src/smtp/lmtp_params.c up to 1.7
	external/ibm-public/postfix/dist/src/smtp/smtp.c up to 1.15
	external/ibm-public/postfix/dist/src/smtp/smtp.h up to 1.7
	external/ibm-public/postfix/dist/src/smtp/smtp_connect.c up to 1.7
	external/ibm-public/postfix/dist/src/smtp/smtp_key.c up to 1.4
	external/ibm-public/postfix/dist/src/smtp/smtp_params.c up to 1.7
	external/ibm-public/postfix/dist/src/smtp/smtp_proto.c up to 1.7
	external/ibm-public/postfix/dist/src/smtp/smtp_rcpt.c up to 1.4
	external/ibm-public/postfix/dist/src/smtp/smtp_state.c up to 1.5
	external/ibm-public/postfix/dist/src/smtp/smtp_tls_policy.c up to 1.6
	external/ibm-public/postfix/dist/src/smtp/smtp_tlsrpt.c up to 1.3
	external/ibm-public/postfix/dist/src/smtp/smtp_trouble.c up to 1.4
	external/ibm-public/postfix/dist/src/smtpd/Makefile.in up to 1.1.1.13
	external/ibm-public/postfix/dist/src/smtpd/smtpd.c up to 1.22
	external/ibm-public/postfix/dist/src/smtpd/smtpd.h up to 1.7
	external/ibm-public/postfix/dist/src/smtpd/smtpd_chat.c up to 1.5
	external/ibm-public/postfix/dist/src/smtpd/smtpd_check.c up to 1.8
	external/ibm-public/postfix/dist/src/smtpd/smtpd_haproxy.c up to 1.4
	external/ibm-public/postfix/dist/src/smtpd/smtpd_peer.c up to 1.6
	external/ibm-public/postfix/dist/src/smtpd/smtpd_proxy.c up to 1.4
	external/ibm-public/postfix/dist/src/smtpd/smtpd_proxy.h up to 1.2
	external/ibm-public/postfix/dist/src/tls/Makefile.in up to 1.1.1.12
	external/ibm-public/postfix/dist/src/tls/tls.h  up to 1.7
	external/ibm-public/postfix/dist/src/tls/tls_client.c up to 1.15
	external/ibm-public/postfix/dist/src/tls/tls_dane.c up to 1.7
	external/ibm-public/postfix/dist/src/tls/tls_dane.sh up to 1.1.1.2
	external/ibm-public/postfix/dist/src/tls/tls_dh.c up to 1.7
	external/ibm-public/postfix/dist/src/tls/tls_misc.c up to 1.7
	external/ibm-public/postfix/dist/src/tls/tls_prng_file.c up to 1.3
	external/ibm-public/postfix/dist/src/tls/tls_proxy.h up to 1.6
	external/ibm-public/postfix/dist/src/tls/tls_proxy_client_misc.c up to 1.5
	external/ibm-public/postfix/dist/src/tls/tls_proxy_client_print.c up to 1.6
	external/ibm-public/postfix/dist/src/tls/tls_proxy_client_scan.c up to 1.6
	external/ibm-public/postfix/dist/src/tls/tls_server.c up to 1.14
	external/ibm-public/postfix/dist/src/tls/tls_verify.c up to 1.6
	external/ibm-public/postfix/dist/src/tls/tlsrpt_wrapper.c up to 1.3
	external/ibm-public/postfix/dist/src/tlsproxy/tlsproxy.c up to 1.8
	external/ibm-public/postfix/dist/src/tlsproxy/tlsproxy_state.c up to 1.4
	external/ibm-public/postfix/dist/src/trivial-rewrite/Makefile.in up to 1.1.1.7
	external/ibm-public/postfix/dist/src/trivial-rewrite/resolve.c up to 1.6
	external/ibm-public/postfix/dist/src/trivial-rewrite/trivial-rewrite.c up to 1.6
	external/ibm-public/postfix/dist/src/util/Makefile.in up to 1.1.1.13
	external/ibm-public/postfix/dist/src/util/alldig.c up to 1.4
	external/ibm-public/postfix/dist/src/util/argv.c up to 1.6
	external/ibm-public/postfix/dist/src/util/argv.h up to 1.6
	external/ibm-public/postfix/dist/src/util/dict.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict.h up to 1.7
	external/ibm-public/postfix/dist/src/util/dict_alloc.c up to 1.4
	external/ibm-public/postfix/dist/src/util/dict_cache.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_cache.h up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_cdb.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_cidr.c up to 1.6
	external/ibm-public/postfix/dist/src/util/dict_db.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_dbm.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_debug.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_env.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_fail.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_inline.c up to 1.6
	external/ibm-public/postfix/dist/src/util/dict_lmdb.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_ni.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_nis.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_nisplus.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_open.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_pcre.c up to 1.6
	external/ibm-public/postfix/dist/src/util/dict_pipe.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_random.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_regexp.c up to 1.6
	external/ibm-public/postfix/dist/src/util/dict_sdbm.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_seq.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/dict_sockmap.c up to 1.7
	external/ibm-public/postfix/dist/src/util/dict_static.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_surrogate.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_tcp.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_test.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_thash.c up to 1.6
	external/ibm-public/postfix/dist/src/util/dict_union.c up to 1.4
	external/ibm-public/postfix/dist/src/util/dict_unix.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_utf8_test.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/hash_fnv.c up to 1.5
	external/ibm-public/postfix/dist/src/util/hex_code.c up to 1.5
	external/ibm-public/postfix/dist/src/util/hex_code.h up to 1.6
	external/ibm-public/postfix/dist/src/util/htable.c up to 1.5
	external/ibm-public/postfix/dist/src/util/inet_addr_list.c up to 1.3
	external/ibm-public/postfix/dist/src/util/inet_prefix_top.c up to 1.4
	external/ibm-public/postfix/dist/src/util/inet_proto.c up to 1.5
	external/ibm-public/postfix/dist/src/util/mac_expand.c up to 1.5
	external/ibm-public/postfix/dist/src/util/mac_expand.h up to 1.6
	external/ibm-public/postfix/dist/src/util/mac_expand.in up to 1.1.1.5
	external/ibm-public/postfix/dist/src/util/mac_expand.ref up to 1.1.1.5
	external/ibm-public/postfix/dist/src/util/match_list.c up to 1.4
	external/ibm-public/postfix/dist/src/util/midna_domain.c up to 1.6
	external/ibm-public/postfix/dist/src/util/mkmap_open.c up to 1.3
	external/ibm-public/postfix/dist/src/util/msg_vstream.c up to 1.2
	external/ibm-public/postfix/dist/src/util/myaddrinfo.c up to 1.4
	external/ibm-public/postfix/dist/src/util/myaddrinfo.h up to 1.5
	external/ibm-public/postfix/dist/src/util/myaddrinfo.ref up to 1.1.1.6
	external/ibm-public/postfix/dist/src/util/myaddrinfo.ref2 up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/myaddrinfo4.ref up to 1.1.1.3
	external/ibm-public/postfix/dist/src/util/myaddrinfo4.ref2 up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/myflock.c up to 1.4
	external/ibm-public/postfix/dist/src/util/name_mask.c up to 1.5
	external/ibm-public/postfix/dist/src/util/name_mask.h up to 1.2
	external/ibm-public/postfix/dist/src/util/name_mask.ref5 up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/name_mask.ref6 up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/netstring.c up to 1.5
	external/ibm-public/postfix/dist/src/util/normalize_ws.c up to 1.3
	external/ibm-public/postfix/dist/src/util/open_as.c up to 1.2
	external/ibm-public/postfix/dist/src/util/open_as.h up to 1.2
	external/ibm-public/postfix/dist/src/util/quote_for_json.c up to 1.3
	external/ibm-public/postfix/dist/src/util/sane_sockaddr_to_hostaddr.c up to 1.3
	external/ibm-public/postfix/dist/src/util/spawn_command.c up to 1.4
	external/ibm-public/postfix/dist/src/util/spawn_command.h up to 1.3
	external/ibm-public/postfix/dist/src/util/stringops.h up to 1.7
	external/ibm-public/postfix/dist/src/util/sys_defs.h up to 1.16
	external/ibm-public/postfix/dist/src/util/unescape.ref up to 1.1.1.3
	external/ibm-public/postfix/dist/src/util/vbuf_print.c up to 1.6
	external/ibm-public/postfix/dist/src/util/vbuf_print_test.in up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/vbuf_print_test.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/vstream.c up to 1.6
	external/ibm-public/postfix/dist/src/util/vstream.h up to 1.5
	external/ibm-public/postfix/dist/src/util/vstring.c up to 1.5
	external/ibm-public/postfix/dist/src/util/vstring_vstream.c up to 1.3
	external/ibm-public/postfix/dist/src/verify/verify.c up to 1.6
	external/ibm-public/postfix/dist/src/virtual/Makefile.in up to 1.1.1.7
	external/ibm-public/postfix/dist/src/virtual/virtual.c up to 1.5
	external/ibm-public/postfix/dist/src/virtual/virtual.h up to 1.2
	external/ibm-public/postfix/dist/src/xsasl/xsasl_dovecot_server.c up to 1.6
	external/ibm-public/postfix/lib/global/Makefile up to 1.12
	external/ibm-public/postfix/lib/util/Makefile   up to 1.13
	external/ibm-public/postfix/libexec/smtp/Makefile up to 1.5
	doc/3RDPARTY						(manually edited)

Import Postfix 3.11.2.
@
text
@a0 572
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
  "https://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<title>Postfix REQUIRETLS Support</title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>

</head>

<body>

<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix REQUIRETLS Support</h1>

<hr>

<h2> Table of Contents </h2>
<ul>

<li> <a href="#purpose"> Purpose of this document </a> </li>
<li> <a href="#intro"> Introduction </a> </li>
<li> <a href="#perimeter"> REQUIRETLS for a perimeter MTA </a>
<ul>
<li> <a href="#inbound"> Receiving inbound messages with REQUIRETLS requests </a>
<li> <a href="#lmtp-smtp"> LMTP and SMTP-based message stores and content filters content filters </a>
<li> <a href="#non-smtp"> Non-SMTP and non-LMTP content filters </a>
<li> <a href="#external"> Communication with external servers </a>
<li> <a href="#relax"> Relaxing REQUIRETLS for external deliveries </a>
</ul>
<li> <a href="#census"> An experiment: testing REQUIRETLS support </a>
<li> <a href="#requesting"> Requesting REQUIRETLS without SMTP </a>
<li> <a href="#ndrs"> Non-delivery notifications </a> </li>
<li> <a href="#summary"> REQUIRETLS quick summary </a> </li>
<li> <a href="#credits"> Credits </a> </li>

</ul>

<h2> <a name="purpose"> Purpose of this document </a> </h2>

<p> This document covers Postfix configuration for the REQUIRETLS
extension. The purpose of these settings is to make REQUIRETLS
support usable in an existing environment where REQUIRETLS support
is still uncommon, with a path towards a future with REQUIRETLS.
</p>

<h2> <a name="intro"> Introduction </a> </h2>

<p> The REQUIRETLS extension in ESMTP is defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. When
a sender requests REQUIRETLS. the message must be sent only over
strongly-authenticated SMTP or LMTP connections. </p>

<p> Specifically: </p>

<ul>

<li> <p> Every server in the forward path to the final destination must
announce REQUIRETLS support. </p>

<blockquote> Challenge: as of 2025, only a few servers implement
REQUIRETLS. </blockquote>

<li> <p> Every server in the forward path must be looked up securely
(for example, with DNSSEC or HTTPS). </p>

<li> <p> Every server certificate in the forward path must be verified. In
practice, this involves DANE (+DNSSEC) or MTA-STS; custom configuration
would not scale. </p>

<blockquote> Challenge: as of 2025, many domains do not publish a
DANE or MTA-STS policy. </blockquote>

<li> <p> A message with REQUIRETLS must be returned to the sender if
any of the above requirements is not satisfied (no STARTTLS support,
no secure server lookup, no trusted or no matching server certificate,
or no server that announces REQUIRETLS support). </p>

</ul>

<p> For more background information, see the <a href="#summary">
REQUIRETLS quick summary</a> below. </p>

<h2> <a name="perimeter"> REQUIRETLS for a perimeter MTA </a> </h2>

<p> In this text, a perimeter MTA is a mail system that operates
on the boundary of an administrative domain. It receives email
messages for the domain, and/or sends email messages on behalf
of the domain. </p>

<h3> <a name="inbound"> Receiving inbound messages with REQUIRETLS requests </a> </h3>

<p> Postfix has one global parameter setting that controls REQUIRETLS
support in all Postfix processes. The default setting is:

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#requiretls_enable">requiretls_enable</a> = yes
</pre>
</blockquote>

<p> With this, the Postfix SMTP server will announce REQUIRETLS
support, and more importantly, will receive messages from senders
that for some reason request REQUIRETLS support -- messages that
you would otherwise not receive, assuming that the domain already
publishes a valid DANE and/or STS policy. </p>

<p> If all you need is to receive messages with REQUIRETLS, and
you do not insist on enforcing REQUIRETLS when sending or forwarding
messages, then you can stop reading this document after adding the
additional settings below. </p>

<blockquote> <p> NOTE: The configuration below may be suitable for
a personal domain, where the owner can decide what happens with all
messages. For domains that receive messages for other people, a
less radical approach may be better, as described in the sections
that follow.  </p> </blockquote>

<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2     # Don't enforce REQUIRETLS when delivering mail with SMTP or LMTP.
3     <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> = opportunistic
4     <a href="postconf.5.html#lmtp_requiretls_policy">lmtp_requiretls_policy</a> = opportunistic
5     
6     # Don't detect or add a "Require-TLS-ESMTP: yes" header.
7     <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = no
</pre>
</blockquote>

<ul>

<li> <p> Lines 3-4: These relax REQUIRETLS enforcement when delivering
a email to a message store, content filter, or other destination
that may not support REQUIRETLS. If a server does not support
STARTTLS or REQUIRETLS, then Postfix will simply deliver the message
as if the sender did not request REQUIRETLS.

<li> <p> Line 7: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> feature enables support
for a message header "Require-TLS-ESMTP: yes" that allows Postfix
to propagate the sender's REQUIRETLS request through a content
filter based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>. This feature
can safely be disabled if the domain does not need to enforce
REQUIRETLS while delivering or forwarding messages. </p>

</ul>

<h3> <a name="lmtp-smtp"> LMTP and SMTP-based message stores and content filters </a> </h3>

<p> REQUIRETLS is historically not supported by message stores such
as Dovecot, and by content filters based on <a href="FILTER_README.html">FILTER_README</a> or
<a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>. The settings below allow for that reality, while
also preparing for future REQUIRETLS support. <p>

<p> The Postfix SMTP (LMTP) client supports a permissive REQUIRETLS
policy that is suitable for communication with internal message stores
and content filters based on <a href="FILTER_README.html">FILTER_README</a> or <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>. </p>

<ul> 

<li> <p> <b>opportunistic</b>: STARTTLS and REQUIRETLS support are
optional. When the sender requests REQUIRETLS, and an SMTP or LMTP
server supports STARTTLS and REQUIRETLS, then send REQUIRETLS,
otherwise simply deliver the message as if the sender did not request
REQUIRETLS. </p>

</ul>

<p> For a more complete definition of this enforcement level, see
the <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> parameter documentation. </p>

<p> For REQUIRETLS, the relevant Postfix 3.11 configuration default
settings are: </p>

<blockquote>
<pre>
 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 2     <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
 3     <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes
 4     <a href="postconf.5.html#lmtp_requiretls_policy">lmtp_requiretls_policy</a> = opportunistic
 5     <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> =
 6         <a href="DATABASE_README.html#types">inline</a>:{
 7             { ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 8             { .${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 9             { localhost = opportunistic } }
10         <a href="cidr_table.5.html">cidr</a>:{
11             { 0.0.0.0/0 opportunistic }
12             { ::/0 opportunistic } }
13       ...to be completed in section "<a href="#external">Communication with external servers</a>"...
</pre>
</blockquote>

<ul>

<li> <p> Line 3: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> setting enables support
for a message header "Require-TLS-ESMTP: yes" that allows Postfix
to propagate the sender's REQUIRETLS request through a content
filter. This feature can safely be disabled if there is no need for
content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>.
</p>

<li> <p> Lines 5-12: These make REQUIRETLS support optional for
internal destinations and content filters that are specified as a
symbolic name (lines 6-9) or as a numerical IP address (lines 10-12).
</p>

<li> <p> Lines 7 and 8 use ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} instead
of $<a href="postconf.5.html#mydomain">mydomain</a>. The function <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns $<a href="postconf.5.html#mydomain">mydomain</a> if
that contains only (7-bit) ASCII. If the <a href="postconf.5.html#mydomain">mydomain</a> value contains
non-ASCII characters, then <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns the
<tt>xn--mumble-mumble</tt> Punycode (A-label) form that Postfix
needs. This works around a limitation that may be eliminated in a
future Postfix version. </p>

<li> <p>  Note: if you specify a domain list outside <a href="postconf.5.html">main.cf</a>, then
the automatic $<i>name</i> expansions and Punycode conversions will
not happen; you will need to enter real domain names and will need
to convert non-ASCII domains to Punycode. </p>

</ul>

<h3> <a name="non-smtp"> Non-SMTP and non-LMTP content filters </a> </h3>

<p> Postfix <a href="FILTER_README.html">FILTER_README</a> describes content inspection based on a
pipe-to-command approach. For REQUIRETLS, the relevant Postfix 3.11
default setting is: </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes
</pre>
</blockquote>

<p> The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> feature enables support for a message
header "Require-TLS-ESMTP: yes" that allows Postfix to propagate the
sender's REQUIRETLS request through a content filter. This feature can
safely be disabled if there is no need for content inspection based on
<a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>. </p>

<h3> <a name="external"> Communication with external servers </a> </h3>

<p> For communication with external servers, the Postfix SMTP client
supports multiple enforcement levels: </p>

<ul>

<li> <p> <b>enforce</b>: When the sender requests REQUIRETLS, require
secure lookup of MX hosts (for example, using DNSSEC or HTTPS),
require a server certificate match (for example, based on a published
DANE or STS policy), and require that the remote server supports
REQUIRETLS. Otherwise return the message as undeliverable. </p> <p>
NOTE: this is also used implicitly when no REQUIRETLS policy match
is found. </p>

<li> <p> <b>opportunistic+starttls</b>: When the sender requests
REQUIRETLS, require that the server supports STARTTLS. Send REQUIRETLS
if the server supports REQUIRETLS, otherwise simply deliver the
message as if the sender did not request REQUIRETLS. </p>

<li> <p> <b>opportunistic</b>: STARTTLS and REQUIRETLS support are
optional. When the sender requests REQUIRETLS, and an SMTP or LMTP
server supports STARTTLS and REQUIRETLS, then send REQUIRETLS,
otherwise simply deliver the message as if the sender did not request
REQUIRETLS. </p>

</ul>

<p> For a more complete definition of these enforcement levels,
see the <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> parameter documentation. </p>

<p> For sending mail with REQUIRETLS, the relevant Postfix 3.11
default settings are shown below, with one suggested setting in a
comment (line 2).

<p> The default settings below complete the earlier configuration
for <a href="#lmtp-smtp">message stores and content filters</a>,
with an 'enforce' policy for external deliveries (line 13). You can
disable the <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> feature (line 4) if a configuration
does not use content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or
<a href="FILTER_README.html">FILTER_README</a>. </p>

<blockquote>
<pre>
 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 2     # <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = ...dane/sts plugin...
 3     <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
 4     <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes
 5     <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> =
 6         <a href="DATABASE_README.html#types">inline</a>:{
 7             { ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 8             { .${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 9             { localhost = opportunistic } }
10         <a href="cidr_table.5.html">cidr</a>:{
11             { 0.0.0.0/0 opportunistic }
12             { ::/0 opportunistic } }
13         enforce
</pre>
</blockquote>

<ul>

<li> <p> New at line 13: The 'enforce' policy for external
destinations is technically correct, but is likely to suffer from
delivery failures because many domains do not publish a DANE or STS
policy, and many MTAs support STARTTLS but not REQUIRETLS. A perhaps
more practical policy may be found in the section <a href="#relax">
Relaxing REQUIRETLS for external deliveries</a>. </p>

<li> <p> (Same as before) Line 3: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> setting
enables support for a message header "Require-TLS-ESMTP: yes" that
allows Postfix to propagate the sender's REQUIRETLS request through
a content filter. This feature can safely be disabled if there is
no need for content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or
<a href="FILTER_README.html">FILTER_README</a>.  </p>

<li> <p> (Same as before) Lines 5-12: These make REQUIRETLS support
optional for internal destinations and content filters that are
specified as a symbolic name (lines 6-9) or as a numerical IP address
(lines 10-12).

<li> <p> (Same as before) Lines 7 and 8 use ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}}
instead of $<a href="postconf.5.html#mydomain">mydomain</a>. The function <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns $<a href="postconf.5.html#mydomain">mydomain</a>
if that contains only (7-bit) ASCII. If the <a href="postconf.5.html#mydomain">mydomain</a> value contains
non-ASCII characters, then <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns the
<tt>xn--mumble-mumble</tt> Punycode (A-label) form that Postfix
needs. This works around a limitation that may be eliminated in a
future Postfix version. </p>

<li> <p> (Same as before) Note: if you specify a domain list outside
<a href="postconf.5.html">main.cf</a>, then the automatic $<i>name</i> expansions and Punycode
conversions will not happen; you will need to enter real domain
names and will need to convert non-ASCII domains to Punycode.) </p>

</ul>

<h3> <a name="relax"> Relaxing REQUIRETLS for external deliveries </a> </h3>

<p> It may be desirable to make REQUIRETLS work with today's
infrastructure, by keeping the requirement for TLS, but relaxing
the requirements that a remote server supports REQUIRETLS and that
its server certificate matches a DANE or STS policy. The configuration
below makes that change by replacing the default 'enforce' with
'opportunistic+starttls' (line 13). </p>

<blockquote>
<pre>
 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 2     <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
 3     # <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = ...dane/sts plugin...
 4     <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes
 5     <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> =
 6         <a href="DATABASE_README.html#types">inline</a>:{
 7             { ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 8             { .${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic }
 9             { localhost = opportunistic } }
10         <a href="cidr_table.5.html">cidr</a>:{
11             { 0.0.0.0/0 opportunistic }
12             { ::/0 opportunistic } }
13         opportunistic+starttls
</pre>
</blockquote>

<ul>

<li> <p> New at line 13: the 'opportunistic+starttls' policy relaxes
the requirement that every MTA in the forward path of a message
supports REQUIRETLS, but in practice only one network hop needs to
be secured: from a sender's perimeter MTA to a receiver's perimeter
MTA. The network connections between user agents and their respective
perimeters are assumed to be already secure. </p>

<li> <p> (Same as before) Line 3: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> setting
enables support for a message header "Require-TLS-ESMTP: yes" that
allows Postfix to propagate the sender's REQUIRETLS request through
a content filter. This feature can safely be disabled if there is
no need for content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or
<a href="FILTER_README.html">FILTER_README</a>.  </p>

<li> <p> (Same as before) Lines 5-12: These make REQUIRETLS support
optional for internal destinations and content filters that are
specified as a symbolic name (lines 6-9) or as a numerical IP address
(lines 10-12).

<li> <p> (Same as before) Lines 7 and 8 use ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}}
instead of $<a href="postconf.5.html#mydomain">mydomain</a>. The function <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns $<a href="postconf.5.html#mydomain">mydomain</a>
if that contains only (7-bit) ASCII. If the <a href="postconf.5.html#mydomain">mydomain</a> value contains
non-ASCII characters, then <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns the
<tt>xn--mumble-mumble</tt> Punycode (A-label) form that Postfix
needs. This works around a limitation that may be eliminated in a
future Postfix version. </p>

<li> <p> (Same as before) Note: if you specify a domain list outside
<a href="postconf.5.html">main.cf</a>, then the automatic $<i>name</i> expansions and Punycode
conversions will not happen; you will need to enter real domain
names and will need to convert non-ASCII domains to Punycode.) </p>

</ul>

<h2> <a name="census"> An experiment: testing REQUIRETLS support </a> </h2>

<p> The 'opportunistic' enforcement level may be useful to discover
REQUIRETLS support globally. The idea is to turn on REQUIRETLS for
all outbound mail, and watch in Postfix TLS status logging how often
delivery is logged as "requiretls" (all requirements satisfied),
"requiretls:nocertmatch" (no DANE or STS policy, or certificate not
trusted or not matched), "requiretls:none" (no REQUIRETLS support),
or "requiretls:nostarttls". For more details on this logging format,
see <a href="postconf.5.html#smtp_log_tls_feature_status">smtp_log_tls_feature_status</a>.</p>

<h2> <a name="requesting"> Requesting REQUIRETLS without SMTP </a> </h2>

<p> There are two options: </p>

<ul>

<li> <p> Specify the Postfix-specific "<b>sendmail -Orequiretls=yes</b>"
command-line option. This option is always available, but may not
be convenient to use. <p>

<li> <p> Add a Postfix-specific "<b>Require-TLS-ESMTP: yes</b>"
message header. This is easier to use, but requires the setting
"<a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes" which is not recommended for systems
without content filters based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>.
</p>

</ul>

<blockquote> <b>Question</b>: perhaps there needs to be a parameter
setting to request REQUIRETLS for specific email sources or contexts?
</blockquote>

<h2> <a name="ndrs"> Non-delivery notifications </a> </h2>

<p> By default, Postfix redacts an undeliverable REQUIRETLS message as
described in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>,  before returning it to the sender: </p>

<ul>

<li> <p> Remove the label "this message needs REQUIRETLS". The
purpose is to avoid loss of notifications when a reverse path does
not support REQUIRETLS, even though the forward path supported it.
</p>

<li> <p> Return only the message header, as if the message was
received with the <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> DSN option "<tt>RET=HDRS</tt>". The
purpose is to limit the amount of information that may be exposed
in plaintext. </p>

</ul>

<p> The relevant default setting is: </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#requiretls_redact_dsn">requiretls_redact_dsn</a> = yes
</pre>
</blockquote>

<p> When a message was received with a "<tt>TLS-Required: no</tt>"
header, and REQUIRETLS was not requested, the "T<tt>LS-Required:
no</tt>" header is copied to the delivery status notification. </p>

<h2> <a name="summary"> REQUIRETLS quick summary </a> </h2>

<p> The REQUIRETLS extension in ESMTP allows a sender to request
that a message will be sent over connections that are protected
with TLS. <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> defines two SMTP features: </p>

<ul>

<li> <p> A message header "TLS-Required: no" that disables TLS
enforcement: do not require a server certificate match, and allow
falling back to plaintext if TLS is unavailable. This may be useful
to report a TLS problem, as described in <a href="TLSRPT_README.html">TLSRPT_README</a>. This feature
has lower precedence than REQUIRETLS, and is not discussed further
in this document. </p>

<li> <p> An ESMTP protocol extension named "REQUIRETLS" that an SMTP
server may list in its EHLO response, and that an SMTP client may request
in a MAIL FROM command. This extension can be used only in an encrypted
session, as illustrated with the fragment below, where <tt>C</tt>=client
and <tt>S</tt>=server. </p>

<pre>
. . .
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO client.example.org
S: 250-mail.example.com 
   . . .
   250 REQUIRETLS
C: MAIL FROM:&lt;sender@@example.org&gt; REQUIRETLS
S: 250 OK
. . .
</pre>

<li> <p> <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> applies equally to message relay [<a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>], submission
[<a href="https://tools.ietf.org/html/rfc6409">RFC 6409</a>], and the LMTP Local Mail Transfer Protocol [<a href="https://tools.ietf.org/html/rfc2033">RFC 2033</a>]. </p>

<li> <p> REQUIRETLS is an <i>end-to-end</i> feature, unlike SMTP
which is <i>hop-by-hop</i>. When a sender requests REQUIRETLS, each
server in the forward path must support REQUIRETLS. </p>

<li> <p> Each connection in the forward path must be made to a server
that has been looked up securely (for example, with DNSSEC
or HTTPS).

<li> <p> Each server certificate must be verified. To match a server
certificate, the Postfix SMTP client needs to use an appropriate policy
type: </p>

<ul>

<li> <p> A TLS policy type 'secure' or 'verify', with certificate name
matching info. For example, a policy returned by an MTA-STS plugin that
looks up certificate matching info using HTTPS;

<li> <p> A TLS policy type 'dane-only', which looks up certificate or
public-key matching info using DNSSEC. For example, a policy that is
returned by a DANE+STS plugin; </p>

<li> <p> A TLS policy type 'dane', provided that both the nexthop
domain and its MX hosts are in DNSSEC-signed zones, and usable
DNSSEC-signed TLSA records are discovered.  In other words, the
effective TLS policy remains DANE and is not downgraded because the
destination lacks DNSSEC and/or usable TLSA records; </p>

<li> <p> A TLS policy type 'fingerprint', with digital fingerprints.
This is a non-scalable solution for special deployments, mentioned
here only for completeness. </p>

</ul>

<li> <p> A message that requires REQUIRETLS must be returned to the
sender if any of the above requirements is not satisfied (no STARTTLS
support, no secure lookup of MX servers, no trusted or no matching
server certificate, or no server that announces REQUIRETLS support).
</p>

<li> <p> Returning an undeliverable message that requires REQUIRETLS
comes with its own challenges: the return path may differ from the
forward path, and the return path may not support REQUIRETLS all
the way back to the sender, even if the forward path supported
REQUIRETLS. By default, Postfix follows <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> and redacts
bounce messages so that they can be sent without REQUIRETLS. </p>

</ul>

<h2> <a name="credits"> Credits </a> </h2>

<ul>

<li> In Postfix 3.10, Wietse Venema refactored SMTPUTF8 support and
extended it to propagate REQUIRETLS and "TLS-Required: no" information.

<li> In Postfix 3.11, Wietse added REQUIRETLS support to the Postfix
SMTP client; added a "<tt>tls=<i>status</i>/requiretls=<i>status</i></tt>"
field to the Postfix delivery status logging; added <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a>
support; added support for the "Require-TLS-ESMTP: yes" header to
propagate REQUIRETLS through non-Postfix programs, specifically
content filters. </li>

</ul>

</body>

</html>
@