head	1.1;
branch	1.1.1;
access;
symbols
	netbsd-11-0-RC6:1.1.1.1.2.1
	netbsd-11-0-RC5:1.1.1.1.2.1
	netbsd-11-0-RC4:1.1.1.1.2.1
	PFIX-3-11-2:1.1.1.2
	netbsd-11-0-RC3:1.1.1.1
	netbsd-11-0-RC2:1.1.1.1
	netbsd-11-0-RC1:1.1.1.1
	perseant-exfatfs:1.1.1.1.0.4
	perseant-exfatfs-base-20250801:1.1.1.1
	netbsd-11:1.1.1.1.0.2
	netbsd-11-base:1.1.1.1
	PFIX-3-10-1:1.1.1.1
	VENEMA:1.1.1;
locks; strict;
comment	@# @;


1.1
date	2025.02.25.19.11.36;	author christos;	state Exp;
branches
	1.1.1.1;
next	;
commitid	cLFKwpXD6DqXOSKF;

1.1.1.1
date	2025.02.25.19.11.36;	author christos;	state Exp;
branches
	1.1.1.1.2.1
	1.1.1.1.4.1;
next	1.1.1.2;
commitid	cLFKwpXD6DqXOSKF;

1.1.1.2
date	2026.05.09.18.39.11;	author christos;	state Exp;
branches;
next	;
commitid	mtbvlXzNqJaszaFG;

1.1.1.1.2.1
date	2026.05.11.17.13.38;	author martin;	state Exp;
branches;
next	;
commitid	2QeqaJm8KrXk4qFG;

1.1.1.1.4.1
date	2025.02.25.19.11.36;	author perseant;	state dead;
branches;
next	1.1.1.1.4.2;
commitid	23j6GFaDws3O875G;

1.1.1.1.4.2
date	2025.08.02.05.49.51;	author perseant;	state Exp;
branches;
next	;
commitid	23j6GFaDws3O875G;


desc
@@


1.1
log
@Initial revision
@
text
@<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
  "https://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<title>Postfix TLSRPT notification Howto</title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>

</head>

<body>

<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix TLSRPT Howto</h1>

<hr>

<h2> Table of Contents </h2>

<ul>

<li> <a href="#intro"> Introduction </a> </li>
<li> <a href="#building"> Building Postfix with TLSRPT support </a>
<li> <a href="#using"> Turning on TLSRPT </a> </li>
<li> <a href="#logging"> TLSRPT Status logging </a> </li>
<li> <a href="#delivering"> Delivering TLSRPT summaries via email</a> </li>
<li> <a href="#mta-sts"> MTA-STS Support via smtp_tls_policy_maps </a> </li>
<li> <a href="#limitations"> Limitations </a></li>
<li> <a href="#credits"> Credits </a> </li>

</ul>

<h2> <a name="intro"> Introduction </a> </h2>

<p> The TLSRPT protocol is defined in <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a>. With this, an email
receiving domain can publish a policy in DNS, and request daily
summary reports for successful and failed SMTP over TLS connections
to that domain's MX hosts. Support for TLSRPT was added in Postfix
3.10. </p>

<p> A policy for domain <tt>example.com</tt> could look like this: </p>

<blockquote>
<pre>
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:smtp-tls-report@@example.com"
</pre>
</blockquote>

<p> Instead of <tt>mailto:</tt>, a policy may specify an <tt>https:</tt>
destination. </p>

<p> The diagram below shows how Postfix TLS handshake success and
failure events are collected and processed into daily summary
reports. </p>

<blockquote>

<table>

<tr> <td align="center" bgcolor="#f0f0ff"> Postfix SMTP and TLS
client engines </td> <td> <tt> &rarr; </tt> </td>

<td align="center" bgcolor="#f0f0ff"> <a
href="https://github.com/sys4/libtlsrpt">TLSRPT client library </a>
(linked into Postfix) </td> <td> <tt> &rarr; </tt> </td>

<td align="center" bgcolor="#f0f0ff"> <a
href="https://github.com/sys4/tlsrpt-reporter">TLSRPT collector,
fetcher, and summary generator</a> </td> <td> <tt> &rarr; </tt>
</td>

<td align="center" bgcolor="#f0f0ff"> Email or HTTP delivery </td>
</tr>

</table>

</blockquote>

<ul>

<li> <p> The Postfix SMTP and TLS client engines will generate a
"success" or "failure" event for each TLS handshake, </p>

<li> <p> They will pass those events to an in-process TLSRPT client
library that sends data over a local socket to </p>

<li> <p> A local TLSRPT collector that runs on each Postfix machine.
A TLSRPT fetcher gathers information from individual collectors,
and a central TLSRPT report generator produces daily summary reports.
</p>

</ul>

<p> The TLSRPT client library, and the infrastructure to collect,
fetch, and report TLSRPT information, are implemented and maintained
by sys4 at <a href="https://github.com/sys4/libtlsrpt">https://github.com/sys4/libtlsrpt</a> and
<a href="https://github.com/sys4/tlsrpt-reporter">https://github.com/sys4/tlsrpt-reporter</a>, respectively. </p>

<p> The Postfix implementation supports TLSRPT or domains with DANE
(Postfix built-in) and MTA-STS (through an <a href="#mta-sts">
smtp_tls_policy_maps plug-in</a>). </p>

<p> The Postfix <a href="smtp.8.html">smtp(8)</a> client process implements the SMTP client
engine. With "<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> = no", the <a href="smtp.8.html">smtp(8)</a> client
process also implements the TLS client engine. With
"<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> = yes", the <a href="smtp.8.html">smtp(8)</a> client process
delegates TLS processing to a Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> process. Either
way, Postfix will generate the exact same TLSRPT events. </p>

<h2> <a name="building"> Building Postfix with TLSRPT support </a>
</h2>

<p> These instructions assume that you build Postfix from source
code as described in the <a href="INSTALL.html">INSTALL</a> document. Some modification may
be required if you build Postfix from a vendor-specific source
package. </p>

<p> The Postfix TLSRPT client builds on a TLSRPT library which may
be available as a built package (rpm, deb, etc.), or which you can
build from source code from: </p>

<blockquote>
<p> <a href="https://github.com/sys4/libtlsrpt">https://github.com/sys4/libtlsrpt</a> </p>
</blockquote>

<p> The library is typically installed as a header file in
/usr/local/include/tlsrpt.h and an object library in
/usr/local/lib/libtlsrpt.a or /usr/local/lib/libtlsrpt.so. The
actual pathnames will depend on OS platform conventions. </p>

<p> In order to build Postfix with TLSRPT support, you will need
to add compiler options <tt>-DUSE_TLSRPT</tt> (to build with TLSRPT
support) and <tt>-I</tt> (with the directory containing the tlsrpt.h
header file), and you will need to add linker options to link with
the TLSRPT client library, for example: </p>

<blockquote>
<pre>
make -f Makefile.init makefiles \
  "CCARGS=-DUSE_TLSRPT -I/usr/local/include" \
  "AUXLIBS=-L/usr/local/lib -Wl,-rpath,/usr/local/lib -ltlsrpt"
</pre>
</blockquote>

<p> (On Solaris systems you may need to use "<tt>-Wl,-R</tt>" instead
of "<tt>-Wl,-rpath</tt>".) </p>

<p> Then, just run 'make'. </p>

<blockquote>

<p> Note: if your build command line already has CCARGS or AUXLIBS
settings, then simply append the above settings to the existing CCARGS
or AUXLIBS values: </p>

<pre>
make -f Makefile.init makefiles \
  "CCARGS=... -DUSE_TLSRPT -I/usr/local/include" \
  "AUXLIBS=... -L/usr/local/lib -Wl,-rpath,/usr/local/lib -ltlsrpt"
</pre>
</blockquote>

<h2> <a name="using"> Turning on TLSRPT </a> </h2>

<p> After installing Postfix TLSRPT support, you can enable TLSRPT
support in <a href="postconf.5.html">main.cf</a> like this: </p>

<blockquote>
<pre>
<a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> = yes
<a href="postconf.5.html#smtp_tlsrpt_socket_name">smtp_tlsrpt_socket_name</a> = path/to/socket
</pre>
</blockquote>

<p> The <a href="postconf.5.html#smtp_tlsrpt_socket_name">smtp_tlsrpt_socket_name</a> parameter specifies either an
absolute pathname, or a pathname that is relative to $<a href="postconf.5.html#queue_directory">queue_directory</a>.
</p>

<p> Notes: </p>

<ul>

<li> <p> The recommended socket location is still to be determined.
A good socket location would be under the Postfix queue directory,
for example: "<a href="postconf.5.html#smtp_tlsrpt_socket_name">smtp_tlsrpt_socket_name</a> = run/tlsrpt/tlsrpt.sock".
The advantage of using a relative name is that it will work equally
well whether or not Postfix chroot is turned on. </p>

<li> <p> Regardless of whether Postfix chroot is enabled, the TLSRPT
receiver (<tt>tlsrpt_collectd</tt>) will need to be configured with
the socket's absolute pathname. </p>

<li> <p> Do not specify a TLSRPT socket location under a Postfix socket
directory such as <tt>private</tt> or <tt>public</tt>. Only Postfix
programs should create sockets there. </p>

</ul>

<p> For details on how to run the TLSRPT collection and reporting
infrastructure, see the documentation at
<a href="https://github.com/sys4/tlsrpt-reporter">https://github.com/sys4/tlsrpt-reporter</a>.

<h2> <a name="logging"> TLSRPT Status logging </a> </h2>

<p> With TLSRPT support turned on, the Postfix TLSRPT client will
not only report an event to an invisible daily success/fail summary
queue, but it will also log a visible record to the mail logfile.
</p>

<p> Below are a few examples of logging from a Postfix SMTP client
or tlsproxy daemon: </p>

<blockquote>
<pre>
TLSRPT: status=success, domain=example.com, receiving_mx=mail.example.com[ipaddr]
&nbsp;
TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr],
    failure_type=starttls_not_supported
&nbsp;
TLSRPT: status=failure, domain=example.net, receiving_mx=mail.example.net[ipaddr],
    failure_type=validation_failure, failure_reason=self-signed_certificate
</pre>
</blockquote>

<p> Notes: </p>

<ul>

<li> <p> Postfix logs and reports the TLSRPT status only for TLS
handshakes on a new SMTP connection. There is no TLS handshake, and
thus no TLSRPT status logging, when an SMTP connection is reused.
Such connections have Postfix SMTP client logging like this: </p>

<pre>
Verified <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
    TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
&nbsp;
Untrusted <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
    TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
</pre>

<li> <p> By default, Postfix does not report the TLSRPT status for
a TLS handshake that reuses a previously-negotiated TLS session
(there would be no new information to report). Specify
"<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> = no" to report the TLSRPT
status for all TLS handshakes. This may be useful for troubleshooting.
</p>

<li> <p> Postfix logging for certificate verification failures may
differ between new or reused TLS sessions. </p>

<ul>

<li> <p> New TLS session:
</p>

<pre>
TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr],
    <b>failure_type=validation_failure</b>, <b>failure_reason=self-signed_certificate</b>
</pre>

<li> <p> Reused TLS session: </p>

<pre>
mail.example.org[ipaddr]:25: <b>re-using session</b> with untrusted peer
    credential, look for details earlier in the log
TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr],
    <b>failure_type=certificate_not_trusted</b>
</pre>

</ul>

<p> The logging may differ because a reused TLS session does not
have the details for why TLS authentication failed. </p>

</ul>

<h2> <a name="delivering"> Delivering TLSRPT summaries via email</a> </h2>

<p> <a href="https://datatracker.ietf.org/doc/html/rfc8460#section-3">RFC
8460 Section 3</a> specifies that an MTA must not enforce TLS
security when sending failure reports via email. </p>

<p> Options:

<ul>

<li> <p> In an email report, specify the "<b>TLS-Required: no</b>"
message header,
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>, to reduce the Postfix SMTP client TLS security
level to "<b>may</b>" (that is, do not verify remote SMTP server
certificates, and fall back to plaintext if TLS is unavailable).
<br> <br> This feature is available in Postfix 3.10 and later. If
your outbound MTAs run an older version, you can use one of the
options described below. </p>

<li> <p> Do nothing. When TLS security enforcement is required but
fails, a TLSRPT summary message will be delayed
until the problem is addressed, or until the message expires
in the mail queue. Keep in mind that TLSRPT is not a real-time
monitoring service; it takes on average 12 hours before a failure
is reported through TLSRPT. </p>

<li> <p> On outbound MTAs that don't support the "<b>TLS-Required:
no</b>" header feature (such as Postfix 3.9 and earlier), disable
TLS security enforcement for the sender of TLSRPT summaries.
Implement the configuration below on outbound MTA instances (replace
noreply-smtp-tls-reporting@@example.com with your actual report
generator's sender address): </p>

<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    # Limitation: this setting is overruled with <a href="postconf.5.html#transport_maps">transport_maps</a>.
    <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> = <a href="DATABASE_README.html#types">inline</a>:{
        { noreply-smtp-tls-reporting@@example.com = allow-plaintext } }
&nbsp
/etc/postfix/<a href="master.5.html">master.cf</a>:
    # service name    type    private unpriv  chroot  wakeup  maxproc command
    allow-plaintext   unix    -       -       -       -       -       smtp
        -o { <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may }
        -o { <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = <a href="DATABASE_README.html#types">static</a>:may }
</pre>

</ul>

<h2> <a name="mta-sts"> MTA-STS Support via smtp_tls_policy_maps
</a></h2>

<p> Postfix supports MTA-STS though an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> policy
plugin, which replies with a TLS security level and name=value
attributes with certificate matching requirements. Postfix 3.10 and
later extend the policy plugin response with additional name=value
attributes that are needed for TLSRPT. </p>

<p> Examples of <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> plugins with MTA-STS support
are: </p>

<ul>

<li> <p> <a href="https://github.com/Zuplu/postfix-tlspol">
postfix-tlspol</a>, supports domains with DANE (using Postfix
built-in DANE), and domains with MTA-STS. </p>

<li> <p> <a href="https://github.com/Snawoot/postfix-mta-sts-resolver">
postfix-mta-sts-resolver</a>, supports domains with MTA-STS as of
release 1.5.0 (February 2025). </p>

</ul>

<p> Both plugins can generate the additional name=value attributes
that Postfix needs for TLSRPT support (as of February 2025). This
is enabled by setting a <tt>tlsrpt</tt> boolean in a plugin
configuration file.  This setting is safe with Postfix 3.10 and
later, even if Postfix TLSRPT support is disabled (at build time
or at run time). Postfix versions 3.9 and earlier will report a
policy error with "<tt>invalid attribute name</tt>". </p>

<p> The examples in the text below apply to this MTA-STS policy example
given in <a
href="https://datatracker.ietf.org/doc/html/rfc8461#section-3.2">
RFC 8461 Section 3.2</a>: </p>

<blockquote>
<pre>
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
mx: backupmx.example.com
max_age: 604800
</pre>
</blockquote>

<p> The list of supported attributes is given below. Instead of
<tt>name=value</tt>, specify <tt>{ name = value }</tt> when a value
may contain whitespace. A policy response may contain line breaks.
</p>

<ul>

<li> <p> <tt> policy_type=<i>type</i> </tt> </p>

<p> Specify <tt>sts</tt> or <tt>no-policy-found</tt>. </p>

<p> Example: <tt>policy_type=sts</tt> </p> </li>

<li> <p> <tt> policy_domain=<i>name</i> </tt> </p>

<p> The domain that the MTA-STS policy applies to. </p>

<p> Example: <tt>policy_domain=example.com</tt> </p>

</li>

<li> <p> <tt> { policy_string = <i>value</i> } </tt> </p>

<p> Specify one <tt>policy_string</tt> instance for each MTA-STS
policy feature, enclosed inside "{" and "}" to protect whitespace
in attribute values. <p>

<p> Example: <tt> { policy_string = version: STSv1 } { policy_string
= mode: enforce } ...</tt> </p>

<p> The above form ignores whitespace after the opening "{", around
the "=", and before the closing "}".</p> </li>

<li> <p> <tt> mx_host_pattern=<i>pattern</i> </tt> </p>

<p> Specify one <tt>mx_host_pattern</tt> instance for each "mx:" feature
in the MTA-STS policy. </p>

<p> Example: <tt>mx_host_pattern=mail.example.com
mx_host_pattern=*.example.net ...</tt> </p> </li>

<li> <p> <tt> policy_failure=<i>type</i> </tt> </p>

<p> If specified, forces MTA-STS policy enforcement to fail with
the indicated error, even if a server certificate would satisfy
conventional PKI constraints. Valid errors are <tt>sts-policy-fetch-error,
sts-policy-invalid</tt>, <tt>sts-webpki-invalid</tt>, or the less
informative <tt>validation-failure</tt>. </p>

<p> Example: <tt>policy_failure=sts-webpki-invalid</tt> </p> </li>

<li> <p> <tt> policy_ttl=<i>time</i> </tt> (deprecated) </p>

<p> This attribute is deprecated. The <i>time</i> value is not used,
and support for this attribute will eventually be removed from the
code. </p> </li>

</ul>

<p> Notes: </p>

<ul>

<li> <p> Postfix 3.10 and later will accept these additional
attributes in an MTA-STS response even if Postfix TLSRPT support
is disabled (at build time or at run time). With Postfix TLSRPT
support turned off, Postfix may still use the <tt>policy_failure</tt>
attribute, and will ignore the attributes that are used only for
TLSRPT. </p>

<li> <p> It is an error to specify these attributes for a non-STS
policy. </p>

</ul>

<h2> <a name="limitations"> Limitations </a></h2>

<p> The Postfix TLSRPT implementation reports only TLS handshake
success or failure. It does not report failure to connect, or
connections that break before or after a TLS handshake. </p>

<p> The Postfix TLSRPT implementation reports at most one final TLS
handshake status (either 'success' or 'failure') per SMTP connection.
Postfix TLSRPT will not report a recoverable failure and then later
report a final status of 'success' for that same connection. The
reason is that it's too complicated to filter TLS errors and to
report error details from the TLS engine back to the SMTP protocol
engine. It just is not how Postfix works internally. </p>

<h2> <a name="credits"> Credits </a> </h2>

<ul>

<li> The TLSRPT client library, and the infrastructure to collect,
fetch, and report TLSRPT information, are implemented and maintained
by sys4. </li>

<li> Wietse Venema implemented the integration with Postfix.
</li>

</ul>

</body>

</html>
@


1.1.1.1
log
@Import postfix-3.10.1 (previous was 3.8.4)

Summary:

Postfix 3.9 (July 2022): This release focused on enhancing the TLS
(Transport Layer Security) capabilities of Postfix. It introduced
support for TLSv1.3, allowing for more secure and efficient encrypted
communications. Additionally, improvements were made to the handling
of TLSA records, which are used in DNS-based Authentication of
Named Entities (DANE) to associate TLS certificates with domain
names.

Postfix 3.10 (July 2023): This version brought significant updates
to Postfix's SMTP (Simple Mail Transfer Protocol) functionalities.
It added support for the SMTPUTF8 extension, enabling the use of
UTF-8 encoding in email addresses and headers, which is essential
for internationalization. The release also included performance
optimizations, particularly in the handling of large mail queues,
and introduced new configuration parameters to provide administrators
with finer control over mail processing.

The changes are described more in detail in:
3.10 changes: RELEASE_NOTES
3.9  changes: RELEASE_NOTES_3.9
3.8  changes: RELEASE_NOTES_3.8
@
text
@@


1.1.1.1.2.1
log
@Pull up the following, requested by christos in ticket #283:

	external/ibm-public/postfix//dist/README_FILES/NON_BERKELEYDB_README up to
	external/ibm-public/postfix//dist/README_FILES/REQUIRETLS_README up to
	external/ibm-public/postfix//dist/conf/postfix-non-bdb-script up to
	external/ibm-public/postfix//dist/html/NON_BERKELEYDB_README.html up to
	external/ibm-public/postfix//dist/html/REQUIRETLS_README.html up to
	external/ibm-public/postfix//dist/html/nbdb_reindexd.8.html up to
	external/ibm-public/postfix//dist/html/postfix-non-bdb.1.html up to
	external/ibm-public/postfix//dist/man/man1/postfix-non-bdb.1 up to
	external/ibm-public/postfix//dist/man/man8/nbdb_reindexd.8 up to
	external/ibm-public/postfix//dist/mantools/check-proxy-type-table up to
	external/ibm-public/postfix//dist/proto/NON_BERKELEYDB_README.html up to
	external/ibm-public/postfix//dist/proto/REQUIRETLS_README.html up to
	external/ibm-public/postfix//dist/src/cleanup/cleanup_message_test.c up to
	external/ibm-public/postfix//dist/src/global/ehlo_mask_test.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_clnt.c up to
	external/ibm-public/postfix//dist/src/global/allowed_prefix.c up to
	external/ibm-public/postfix//dist/src/global/allowed_prefix.h up to
	external/ibm-public/postfix//dist/src/global/allowed_prefix_test.c up to
	external/ibm-public/postfix//dist/src/global/dict_sqlite_test.c up to
	external/ibm-public/postfix//dist/src/global/haproxy_srvr_test.c up to
	external/ibm-public/postfix//dist/src/global/login_sender_match_test.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_clnt.h up to
	external/ibm-public/postfix//dist/src/global/nbdb_redirect.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_redirect.h up to
	external/ibm-public/postfix//dist/src/global/nbdb_redirect_test.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_surrogate.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_surrogate.h up to
	external/ibm-public/postfix//dist/src/global/nbdb_surrogate_test.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_util.c up to
	external/ibm-public/postfix//dist/src/global/nbdb_util.h up to
	external/ibm-public/postfix//dist/src/global/nbdb_util_test.c up to
	external/ibm-public/postfix//dist/src/global/pol_stats.c up to
	external/ibm-public/postfix//dist/src/global/pol_stats.h up to
	external/ibm-public/postfix//dist/src/global/pol_stats_test.c up to
	external/ibm-public/postfix//dist/src/postalias/mode_conflict_test.in up to
	external/ibm-public/postfix//dist/src/postalias/mode_conflict_test.ref up to
	external/ibm-public/postfix//dist/src/postconf/test77-main.cf up to
	external/ibm-public/postfix//dist/src/postconf/test77.ref up to
	external/ibm-public/postfix//dist/src/postconf/test78.ref up to
	external/ibm-public/postfix//dist/src/postconf/test79.ref up to
	external/ibm-public/postfix//dist/src/postconf/test80.ref up to
	external/ibm-public/postfix//dist/src/postconf/test81.ref up to
	external/ibm-public/postfix//dist/src/postconf/test82.ref up to
	external/ibm-public/postfix//dist/src/postconf/test83.ref up to
	external/ibm-public/postfix//dist/src/postconf/test84.ref up to
	external/ibm-public/postfix//dist/src/postconf/test85.ref up to
	external/ibm-public/postfix//dist/src/postconf/test86.ref up to
	external/ibm-public/postfix//dist/src/postconf/test87.ref up to
	external/ibm-public/postfix//dist/src/postconf/test91.ref up to
	external/ibm-public/postfix//dist/src/postmap/mode_conflict_test.in up to
	external/ibm-public/postfix//dist/src/postmap/mode_conflict_test.ref up to
	external/ibm-public/postfix//dist/src/postmulti/fake_strcmp.c up to
	external/ibm-public/postfix//dist/src/smtp/smtp_reqtls_policy.c up to
	external/ibm-public/postfix//dist/src/smtp/smtp_reqtls_policy.h up to
	external/ibm-public/postfix//dist/src/smtp/smtp_reqtls_policy_test.c up to
	external/ibm-public/postfix//dist/src/smtp/smtp_tls_policy_test.c up to
	external/ibm-public/postfix//dist/src/smtpd/smtpd_peer_test.c up to
	external/ibm-public/postfix//dist/src/util/dict_union_test.c up to
	external/ibm-public/postfix//dist/src/util/hash_fnv_test.c up to
	external/ibm-public/postfix//dist/src/util/mac_midna.h up to
	external/ibm-public/postfix//dist/src/util/normalize_v4mapped_addr.c up to
	external/ibm-public/postfix//dist/src/util/dict_debug.h up to
	external/ibm-public/postfix//dist/src/util/dict_debug_test.ref up to
	external/ibm-public/postfix//dist/src/util/dict_debug_test.sh up to
	external/ibm-public/postfix//dist/src/util/dict_pipe_test.c up to
	external/ibm-public/postfix//dist/src/util/mac_midna.c up to
	external/ibm-public/postfix//dist/src/util/normalize_v4mapped_addr.h up to
	external/ibm-public/postfix//dist/src/util/normalize_v4mapped_addr_test.c up to
	external/ibm-public/postfix//dist/src/util/ossl_digest.c up to
	external/ibm-public/postfix//dist/src/util/ossl_digest.h up to
	external/ibm-public/postfix//dist/src/util/ossl_digest_test.c up to
	external/ibm-public/postfix//dist/src/util/wrap_stat.c up to
	external/ibm-public/postfix//dist/src/util/wrap_stat.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/Makefile.in up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_index_as.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_index_as.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_index_as_test.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_process.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_process.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_process_test.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_reindexd.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_reindexd.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_safe.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_safe.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_safe_test.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_sniffer.c up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_sniffer.h up to
	external/ibm-public/postfix//dist/src/nbdb_reindexd/nbdb_sniffer_test.c up to
	external/ibm-public/postfix//dist/src/testing/Makefile.in up to
	external/ibm-public/postfix//dist/src/testing/dict_test_helper.c up to
	external/ibm-public/postfix//dist/src/testing/dict_test_helper.h up to
	external/ibm-public/postfix//dist/src/testing/mock_dict.c up to
	external/ibm-public/postfix//dist/src/testing/mock_dict.h up to
	external/ibm-public/postfix//dist/src/testing/mock_open_as.c up to
	external/ibm-public/postfix//dist/src/testing/mock_open_as.h up to
	external/ibm-public/postfix//dist/src/testing/mock_spawn_command.c up to
	external/ibm-public/postfix//dist/src/testing/mock_spawn_command.h up to
	external/ibm-public/postfix//dist/src/testing/mock_stat.c up to
	external/ibm-public/postfix//dist/src/testing/mock_stat.h up to
	external/ibm-public/postfix//dist/src/testing/msg_capture.c up to
	external/ibm-public/postfix//dist/src/testing/msg_capture.h up to
	external/ibm-public/postfix//dist/src/testing/nosleep.c up to
	external/ibm-public/postfix//dist/TESTING       up to
	external/ibm-public/postfix//dist/RELEASE_NOTES-3.10 up to
	external/ibm-public/postfix//dist/src/global/ehlo_mask.in delete
	external/ibm-public/postfix//dist/src/global/ehlo_mask.ref delete
	external/ibm-public/postfix//dist/src/util/dict_pipe_test.in delete
	external/ibm-public/postfix//dist/src/util/dict_pipe_test.ref delete
	external/ibm-public/postfix//dist/src/util/dict_union_test.in delete
	external/ibm-public/postfix//dist/src/util/dict_union_test.ref delete
	external/ibm-public/postfix/Makefile.inc        up to 1.32
	external/ibm-public/postfix/dist/HISTORY        up to 1.1.1.31
	external/ibm-public/postfix/dist/INSTALL        up to 1.1.1.11
	external/ibm-public/postfix/dist/Makefile.in    up to 1.1.1.12
	external/ibm-public/postfix/dist/RELEASE_NOTES  up to 1.1.1.19
	external/ibm-public/postfix/dist/makedefs       up to 1.18
	external/ibm-public/postfix/dist/README_FILES/AAAREADME up to 1.1.1.8
	external/ibm-public/postfix/dist/README_FILES/CDB_README up to 1.1.1.4
	external/ibm-public/postfix/dist/README_FILES/COMPATIBILITY_README up to 1.1.1.5
	external/ibm-public/postfix/dist/README_FILES/DATABASE_README up to 1.1.1.11
	external/ibm-public/postfix/dist/README_FILES/DEPRECATION_README up to 1.1.1.2
	external/ibm-public/postfix/dist/README_FILES/INSTALL up to 1.12
	external/ibm-public/postfix/dist/README_FILES/MULTI_INSTANCE_README up to 1.1.1.8
	external/ibm-public/postfix/dist/README_FILES/MYSQL_README up to 1.1.1.7
	external/ibm-public/postfix/dist/README_FILES/OVERVIEW up to 1.1.1.7
	external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES up to 1.1.1.19
	external/ibm-public/postfix/dist/README_FILES/SASL_README up to 1.1.1.13
	external/ibm-public/postfix/dist/README_FILES/SMTPUTF8_README up to 1.1.1.5
	external/ibm-public/postfix/dist/README_FILES/SOHO_README up to 1.1.1.6
	external/ibm-public/postfix/dist/README_FILES/STANDARD_CONFIGURATION_README up to 1.1.1.8
	external/ibm-public/postfix/dist/README_FILES/TLSRPT_README up to 1.1.1.2
	external/ibm-public/postfix/dist/README_FILES/UUCP_README up to 1.1.1.3
	external/ibm-public/postfix/dist/README_FILES/VIRTUAL_README up to 1.1.1.4
	external/ibm-public/postfix/dist/README_FILES/XCLIENT_README up to 1.1.1.5
	external/ibm-public/postfix/dist/conf/access    up to 1.1.1.10
	external/ibm-public/postfix/dist/conf/aliases   up to 1.1.1.7
	external/ibm-public/postfix/dist/conf/canonical up to 1.1.1.7
	external/ibm-public/postfix/dist/conf/generic   up to 1.1.1.6
	external/ibm-public/postfix/dist/conf/main.cf   up to 1.12
	external/ibm-public/postfix/dist/conf/postfix-files up to 1.11
	external/ibm-public/postfix/dist/conf/postfix-script up to 1.6
	external/ibm-public/postfix/dist/conf/postfix-tls-script up to 1.6
	external/ibm-public/postfix/dist/conf/relocated up to 1.1.1.5
	external/ibm-public/postfix/dist/conf/transport up to 1.1.1.6
	external/ibm-public/postfix/dist/conf/virtual   up to 1.1.1.8
	external/ibm-public/postfix/dist/html/CDB_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/html/COMPATIBILITY_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/html/DATABASE_README.html up to 1.1.1.12
	external/ibm-public/postfix/dist/html/DEPRECATION_README.html up to 1.1.1.2
	external/ibm-public/postfix/dist/html/INSTALL.html up to 1.12
	external/ibm-public/postfix/dist/html/MULTI_INSTANCE_README.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/MYSQL_README.html up to 1.1.1.7
	external/ibm-public/postfix/dist/html/Makefile.in up to 1.1.1.9
	external/ibm-public/postfix/dist/html/OVERVIEW.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/SASL_README.html up to 1.1.1.13
	external/ibm-public/postfix/dist/html/SMTPUTF8_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/html/SOHO_README.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/STANDARD_CONFIGURATION_README.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/TLSRPT_README.html up to 1.1.1.2
	external/ibm-public/postfix/dist/html/UUCP_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/html/VIRTUAL_README.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/XCLIENT_README.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/access.5.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/aliases.5.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/bounce.8.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/canonical.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/cidr_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/cleanup.8.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/defer.8.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/discard.8.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/error.8.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/generic.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/index.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/ldap_table.5.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/lmdb_table.5.html up to 1.1.1.6
	external/ibm-public/postfix/dist/html/lmtp.8.html up to 1.1.1.14
	external/ibm-public/postfix/dist/html/mailq.1.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/makedefs.1.html up to 1.1.1.5
	external/ibm-public/postfix/dist/html/memcache_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/mongodb_table.5.html up to 1.1.1.2
	external/ibm-public/postfix/dist/html/mysql_table.5.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/newaliases.1.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/nisplus_table.5.html up to 1.1.1.7
	external/ibm-public/postfix/dist/html/oqmgr.8.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/pcre_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/pgsql_table.5.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/postalias.1.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/postconf.1.html up to 1.1.1.13
	external/ibm-public/postfix/dist/html/postconf.5.html up to 1.22
	external/ibm-public/postfix/dist/html/postdrop.1.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/postfix-manuals.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/postfix-tls.1.html up to 1.1.1.5
	external/ibm-public/postfix/dist/html/postfix.1.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/postlog.1.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/postmap.1.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/postmulti.1.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/postqueue.1.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/postscreen.8.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/posttls-finger.1.html up to 1.1.1.7
	external/ibm-public/postfix/dist/html/proxymap.8.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/qmgr.8.html up to 1.1.1.11
	external/ibm-public/postfix/dist/html/regexp_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/relocated.5.html up to 1.1.1.7
	external/ibm-public/postfix/dist/html/sendmail.1.html up to 1.1.1.10
	external/ibm-public/postfix/dist/html/smtp.8.html up to 1.1.1.14
	external/ibm-public/postfix/dist/html/smtpd.8.html up to 1.1.1.15
	external/ibm-public/postfix/dist/html/socketmap_table.5.html up to 1.1.1.7
	external/ibm-public/postfix/dist/html/sqlite_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/tcp_table.5.html up to 1.1.1.8
	external/ibm-public/postfix/dist/html/trace.8.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/transport.5.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/virtual.5.html up to 1.1.1.9
	external/ibm-public/postfix/dist/html/virtual.8.html up to 1.1.1.9
	external/ibm-public/postfix/dist/man/Makefile.in up to 1.1.1.9
	external/ibm-public/postfix/dist/man/man1/makedefs.1 up to 1.5
	external/ibm-public/postfix/dist/man/man1/postalias.1 up to 1.5
	external/ibm-public/postfix/dist/man/man1/postconf.1 up to 1.6
	external/ibm-public/postfix/dist/man/man1/postdrop.1 up to 1.6
	external/ibm-public/postfix/dist/man/man1/postfix-tls.1 up to 1.4
	external/ibm-public/postfix/dist/man/man1/postfix.1 up to 1.8
	external/ibm-public/postfix/dist/man/man1/postlog.1 up to 1.7
	external/ibm-public/postfix/dist/man/man1/postmap.1 up to 1.5
	external/ibm-public/postfix/dist/man/man1/postmulti.1 up to 1.5
	external/ibm-public/postfix/dist/man/man1/postqueue.1 up to 1.6
	external/ibm-public/postfix/dist/man/man1/posttls-finger.1 up to 1.7
	external/ibm-public/postfix/dist/man/man1/sendmail.1 up to 1.6
	external/ibm-public/postfix/dist/man/man5/access.5 up to 1.6
	external/ibm-public/postfix/dist/man/man5/aliases.5 up to 1.7
	external/ibm-public/postfix/dist/man/man5/canonical.5 up to 1.6
	external/ibm-public/postfix/dist/man/man5/cidr_table.5 up to 1.7
	external/ibm-public/postfix/dist/man/man5/generic.5 up to 1.6
	external/ibm-public/postfix/dist/man/man5/ldap_table.5 up to 1.7
	external/ibm-public/postfix/dist/man/man5/lmdb_table.5 up to 1.4
	external/ibm-public/postfix/dist/man/man5/memcache_table.5 up to 1.3
	external/ibm-public/postfix/dist/man/man5/mongodb_table.5 up to 1.3
	external/ibm-public/postfix/dist/man/man5/mysql_table.5 up to 1.7
	external/ibm-public/postfix/dist/man/man5/nisplus_table.5 up to 1.3
	external/ibm-public/postfix/dist/man/man5/pcre_table.5 up to 1.6
	external/ibm-public/postfix/dist/man/man5/pgsql_table.5 up to 1.7
	external/ibm-public/postfix/dist/man/man5/postconf.5 up to 1.21
	external/ibm-public/postfix/dist/man/man5/regexp_table.5 up to 1.6
	external/ibm-public/postfix/dist/man/man5/relocated.5 up to 1.5
	external/ibm-public/postfix/dist/man/man5/socketmap_table.5 up to 1.5
	external/ibm-public/postfix/dist/man/man5/sqlite_table.5 up to 1.5
	external/ibm-public/postfix/dist/man/man5/tcp_table.5 up to 1.4
	external/ibm-public/postfix/dist/man/man5/transport.5 up to 1.5
	external/ibm-public/postfix/dist/man/man5/virtual.5 up to 1.7
	external/ibm-public/postfix/dist/man/man8/bounce.8 up to 1.6
	external/ibm-public/postfix/dist/man/man8/cleanup.8 up to 1.6
	external/ibm-public/postfix/dist/man/man8/discard.8 up to 1.4
	external/ibm-public/postfix/dist/man/man8/error.8 up to 1.4
	external/ibm-public/postfix/dist/man/man8/oqmgr.8 up to 1.4
	external/ibm-public/postfix/dist/man/man8/postscreen.8 up to 1.7
	external/ibm-public/postfix/dist/man/man8/proxymap.8 up to 1.5
	external/ibm-public/postfix/dist/man/man8/qmgr.8 up to 1.5
	external/ibm-public/postfix/dist/man/man8/smtp.8 up to 1.7
	external/ibm-public/postfix/dist/man/man8/smtpd.8 up to 1.7
	external/ibm-public/postfix/dist/man/man8/virtual.8 up to 1.5
	external/ibm-public/postfix/dist/mantools/check-postconf-unimplemented up to 1.1.1.2
	external/ibm-public/postfix/dist/mantools/check-spell-history up to 1.1.1.2
	external/ibm-public/postfix/dist/mantools/check-spell-proto-html up to 1.1.1.3
	external/ibm-public/postfix/dist/mantools/dehtml up to 1.1.1.3
	external/ibm-public/postfix/dist/mantools/postconf2man up to 1.1.1.7
	external/ibm-public/postfix/dist/mantools/postlink up to 1.1.1.15
	external/ibm-public/postfix/dist/mantools/srctoman up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/CDB_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/COMPATIBILITY_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/DATABASE_README.html up to 1.1.1.12
	external/ibm-public/postfix/dist/proto/DEPRECATION_README.html up to 1.1.1.2
	external/ibm-public/postfix/dist/proto/INSTALL.html up to 1.12
	external/ibm-public/postfix/dist/proto/MULTI_INSTANCE_README.html up to 1.1.1.10
	external/ibm-public/postfix/dist/proto/MYSQL_README.html up to 1.1.1.7
	external/ibm-public/postfix/dist/proto/Makefile.in up to 1.1.1.9
	external/ibm-public/postfix/dist/proto/OVERVIEW.html up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/SASL_README.html up to 1.1.1.13
	external/ibm-public/postfix/dist/proto/SMTPUTF8_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/STANDARD_CONFIGURATION_README.html up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/TLSRPT_README.html up to 1.1.1.2
	external/ibm-public/postfix/dist/proto/UUCP_README.html up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/VIRTUAL_README.html up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/XCLIENT_README.html up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/access   up to 1.1.1.10
	external/ibm-public/postfix/dist/proto/aliases  up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/canonical up to 1.1.1.7
	external/ibm-public/postfix/dist/proto/cidr_table up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/generic  up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/index.html up to 1.1.1.2
	external/ibm-public/postfix/dist/proto/ldap_table up to 1.1.1.9
	external/ibm-public/postfix/dist/proto/lmdb_table up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/memcache_table up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/mongodb_table up to 1.1.1.2
	external/ibm-public/postfix/dist/proto/mysql_table up to 1.1.1.10
	external/ibm-public/postfix/dist/proto/nisplus_table up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/pcre_table up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/pgsql_table up to 1.1.1.10
	external/ibm-public/postfix/dist/proto/postconf.html.prolog up to 1.1.1.7
	external/ibm-public/postfix/dist/proto/postconf.man.prolog up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/postconf.proto up to 1.21
	external/ibm-public/postfix/dist/proto/regexp_table up to 1.1.1.8
	external/ibm-public/postfix/dist/proto/relocated up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/socketmap_table up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/sqlite_table up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/stop     up to 1.1.1.9
	external/ibm-public/postfix/dist/proto/stop.double-cc up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/stop.double-history up to 1.1.1.3
	external/ibm-public/postfix/dist/proto/stop.double-install-proto-text up to 1.1.1.3
	external/ibm-public/postfix/dist/proto/stop.double-proto-html up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/stop.spell-cc up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/stop.spell-history up to 1.1.1.3
	external/ibm-public/postfix/dist/proto/stop.spell-proto-html up to 1.1.1.4
	external/ibm-public/postfix/dist/proto/tcp_table up to 1.1.1.5
	external/ibm-public/postfix/dist/proto/transport up to 1.1.1.6
	external/ibm-public/postfix/dist/proto/virtual  up to 1.1.1.8
	external/ibm-public/postfix/dist/src/bounce/Makefile.in up to 1.1.1.7
	external/ibm-public/postfix/dist/src/bounce/bounce.c up to 1.6
	external/ibm-public/postfix/dist/src/bounce/bounce_notify_service.c up to 1.4
	external/ibm-public/postfix/dist/src/bounce/bounce_notify_util.c up to 1.6
	external/ibm-public/postfix/dist/src/bounce/bounce_notify_verp.c up to 1.4
	external/ibm-public/postfix/dist/src/bounce/bounce_one_service.c up to 1.4
	external/ibm-public/postfix/dist/src/bounce/bounce_trace_service.c up to 1.4
	external/ibm-public/postfix/dist/src/bounce/bounce_warn_service.c up to 1.4
	external/ibm-public/postfix/dist/src/cleanup/Makefile.in up to 1.1.1.11
	external/ibm-public/postfix/dist/src/cleanup/cleanup.c up to 1.10
	external/ibm-public/postfix/dist/src/cleanup/cleanup.h up to 1.12
	external/ibm-public/postfix/dist/src/cleanup/cleanup_api.c up to 1.6
	external/ibm-public/postfix/dist/src/cleanup/cleanup_bounce.c up to 1.4
	external/ibm-public/postfix/dist/src/cleanup/cleanup_init.c up to 1.9
	external/ibm-public/postfix/dist/src/cleanup/cleanup_message.c up to 1.6
	external/ibm-public/postfix/dist/src/cleanup/cleanup_milter.c up to 1.7
	external/ibm-public/postfix/dist/src/cleanup/cleanup_out_recipient.c up to 1.6
	external/ibm-public/postfix/dist/src/cleanup/cleanup_state.c up to 1.6
	external/ibm-public/postfix/dist/src/discard/Makefile.in up to 1.1.1.5
	external/ibm-public/postfix/dist/src/discard/discard.c up to 1.4
	external/ibm-public/postfix/dist/src/dns/dns.h  up to 1.8
	external/ibm-public/postfix/dist/src/dns/dns_lookup.c up to 1.10
	external/ibm-public/postfix/dist/src/error/Makefile.in up to 1.1.1.5
	external/ibm-public/postfix/dist/src/error/error.c up to 1.4
	external/ibm-public/postfix/dist/src/global/Makefile.in up to 1.1.1.12
	external/ibm-public/postfix/dist/src/global/abounce.c up to 1.5
	external/ibm-public/postfix/dist/src/global/ascii_header_text.c up to 1.3
	external/ibm-public/postfix/dist/src/global/ascii_header_text.h up to 1.3
	external/ibm-public/postfix/dist/src/global/bounce.c up to 1.5
	external/ibm-public/postfix/dist/src/global/bounce.h up to 1.3
	external/ibm-public/postfix/dist/src/global/cleanup_strflags.c up to 1.3
	external/ibm-public/postfix/dist/src/global/cleanup_user.h up to 1.5
	external/ibm-public/postfix/dist/src/global/config_known_tcp_ports.c up to 1.3
	external/ibm-public/postfix/dist/src/global/data_redirect.c up to 1.3
	external/ibm-public/postfix/dist/src/global/defer.c up to 1.5
	external/ibm-public/postfix/dist/src/global/defer.h up to 1.3
	external/ibm-public/postfix/dist/src/global/deliver_pass.c up to 1.5
	external/ibm-public/postfix/dist/src/global/dict_ldap.c up to 1.7
	external/ibm-public/postfix/dist/src/global/dict_memcache.c up to 1.4
	external/ibm-public/postfix/dist/src/global/dict_mongodb.c up to 1.3
	external/ibm-public/postfix/dist/src/global/dict_mysql.c up to 1.6
	external/ibm-public/postfix/dist/src/global/dict_pgsql.c up to 1.6
	external/ibm-public/postfix/dist/src/global/dict_proxy.c up to 1.4
	external/ibm-public/postfix/dist/src/global/dict_sqlite.c up to 1.6
	external/ibm-public/postfix/dist/src/global/dict_sqlite.h up to 1.2
	external/ibm-public/postfix/dist/src/global/dsn_util.c up to 1.2
	external/ibm-public/postfix/dist/src/global/ehlo_mask.c up to 1.4
	external/ibm-public/postfix/dist/src/global/ehlo_mask.h up to 1.4
	external/ibm-public/postfix/dist/src/global/haproxy_srvr.c up to 1.5
	external/ibm-public/postfix/dist/src/global/haproxy_srvr.h up to 1.3
	external/ibm-public/postfix/dist/src/global/header_opts.c up to 1.4
	external/ibm-public/postfix/dist/src/global/header_opts.h up to 1.4
	external/ibm-public/postfix/dist/src/global/log_adhoc.c up to 1.4
	external/ibm-public/postfix/dist/src/global/log_adhoc.h up to 1.2
	external/ibm-public/postfix/dist/src/global/login_sender_match.c up to 1.3
	external/ibm-public/postfix/dist/src/global/mail_conf.c up to 1.5
	external/ibm-public/postfix/dist/src/global/mail_conf.h up to 1.4
	external/ibm-public/postfix/dist/src/global/mail_params.c up to 1.7
	external/ibm-public/postfix/dist/src/global/mail_params.h up to 1.21
	external/ibm-public/postfix/dist/src/global/mail_proto.h up to 1.7
	external/ibm-public/postfix/dist/src/global/mail_version.h up to 1.8
	external/ibm-public/postfix/dist/src/global/maps.c up to 1.6
	external/ibm-public/postfix/dist/src/global/mime_garb3.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/global/mime_state.c up to 1.4
	external/ibm-public/postfix/dist/src/global/mime_state.h up to 1.2
	external/ibm-public/postfix/dist/src/global/mynetworks.c up to 1.3
	external/ibm-public/postfix/dist/src/global/namadr_list.in up to 1.1.1.5
	external/ibm-public/postfix/dist/src/global/namadr_list.ref up to 1.1.1.6
	external/ibm-public/postfix/dist/src/global/own_inet_addr.c up to 1.3
	external/ibm-public/postfix/dist/src/global/pipe_command.c up to 1.3
	external/ibm-public/postfix/dist/src/global/post_mail.c up to 1.6
	external/ibm-public/postfix/dist/src/global/rec_type.h up to 1.5
	external/ibm-public/postfix/dist/src/global/reject_deliver_request.c up to 1.3
	external/ibm-public/postfix/dist/src/global/rfc2047_code.c up to 1.3
	external/ibm-public/postfix/dist/src/global/rfc2047_code.h up to 1.3
	external/ibm-public/postfix/dist/src/global/sendopts.c up to 1.3
	external/ibm-public/postfix/dist/src/global/sent.c up to 1.4
	external/ibm-public/postfix/dist/src/global/sent.h up to 1.3
	external/ibm-public/postfix/dist/src/global/server_acl.c up to 1.5
	external/ibm-public/postfix/dist/src/global/trace.c up to 1.4
	external/ibm-public/postfix/dist/src/global/trace.h up to 1.2
	external/ibm-public/postfix/dist/src/global/verify.c up to 1.5
	external/ibm-public/postfix/dist/src/global/verify.h up to 1.2
	external/ibm-public/postfix/dist/src/local/Makefile.in up to 1.1.1.10
	external/ibm-public/postfix/dist/src/local/forward.c up to 1.6
	external/ibm-public/postfix/dist/src/local/local.c up to 1.6
	external/ibm-public/postfix/dist/src/local/local.h up to 1.4
	external/ibm-public/postfix/dist/src/master/Makefile.in up to 1.1.1.9
	external/ibm-public/postfix/dist/src/master/event_server.c up to 1.5
	external/ibm-public/postfix/dist/src/master/multi_server.c up to 1.5
	external/ibm-public/postfix/dist/src/milter/milter8.c up to 1.7
	external/ibm-public/postfix/dist/src/milter/test-milter.c up to 1.5
	external/ibm-public/postfix/dist/src/oqmgr/Makefile.in up to 1.1.1.7
	external/ibm-public/postfix/dist/src/oqmgr/qmgr.c up to 1.4
	external/ibm-public/postfix/dist/src/oqmgr/qmgr_bounce.c up to 1.2
	external/ibm-public/postfix/dist/src/oqmgr/qmgr_defer.c up to 1.2
	external/ibm-public/postfix/dist/src/oqmgr/qmgr_message.c up to 1.6
	external/ibm-public/postfix/dist/src/pipe/Makefile.in up to 1.1.1.6
	external/ibm-public/postfix/dist/src/pipe/pipe.c up to 1.6
	external/ibm-public/postfix/dist/src/postalias/Makefile.in up to 1.1.1.8
	external/ibm-public/postfix/dist/src/postalias/postalias.c up to 1.7
	external/ibm-public/postfix/dist/src/postcat/postcat.c up to 1.6
	external/ibm-public/postfix/dist/src/postconf/Makefile.in up to 1.1.1.13
	external/ibm-public/postfix/dist/src/postconf/extract.awk up to 1.1.1.7
	external/ibm-public/postfix/dist/src/postconf/postconf.c up to 1.6
	external/ibm-public/postfix/dist/src/postconf/postconf.h up to 1.6
	external/ibm-public/postfix/dist/src/postconf/postconf_builtin.c up to 1.5
	external/ibm-public/postfix/dist/src/postconf/postconf_dbms.c up to 1.7
	external/ibm-public/postfix/dist/src/postconf/postconf_edit.c up to 1.4
	external/ibm-public/postfix/dist/src/postconf/postconf_lookup.c up to 1.5
	external/ibm-public/postfix/dist/src/postconf/postconf_main.c up to 1.5
	external/ibm-public/postfix/dist/src/postconf/postconf_master.c up to 1.9
	external/ibm-public/postfix/dist/src/postconf/postconf_unused.c up to 1.3
	external/ibm-public/postfix/dist/src/postconf/postconf_user.c up to 1.6
	external/ibm-public/postfix/dist/src/postconf/test18.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/postconf/test2.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/postconf/test28.ref up to 1.1.1.4
	external/ibm-public/postfix/dist/src/postconf/test29.ref up to 1.1.1.5
	external/ibm-public/postfix/dist/src/postconf/test57.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/postconf/test59.ref up to 1.1.1.4
	external/ibm-public/postfix/dist/src/postconf/test67.ref up to 1.1.1.3
	external/ibm-public/postfix/dist/src/postconf/test76.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/postdrop/postdrop.c up to 1.6
	external/ibm-public/postfix/dist/src/postfix/postfix.c up to 1.8
	external/ibm-public/postfix/dist/src/postlog/postlog.c up to 1.7
	external/ibm-public/postfix/dist/src/postmap/Makefile.in up to 1.1.1.9
	external/ibm-public/postfix/dist/src/postmap/postmap.c up to 1.7
	external/ibm-public/postfix/dist/src/postmulti/Makefile.in up to 1.1.1.6
	external/ibm-public/postfix/dist/src/postmulti/postmulti.c up to 1.5
	external/ibm-public/postfix/dist/src/postqueue/postqueue.c up to 1.6
	external/ibm-public/postfix/dist/src/postqueue/showq_compat.c up to 1.5
	external/ibm-public/postfix/dist/src/postqueue/showq_json.c up to 1.6
	external/ibm-public/postfix/dist/src/postscreen/postscreen.c up to 1.7
	external/ibm-public/postfix/dist/src/postscreen/postscreen_endpt.c up to 1.6
	external/ibm-public/postfix/dist/src/posttls-finger/posttls-finger.c up to 1.7
	external/ibm-public/postfix/dist/src/proxymap/Makefile.in up to 1.1.1.8
	external/ibm-public/postfix/dist/src/proxymap/proxymap.c up to 1.6
	external/ibm-public/postfix/dist/src/qmgr/Makefile.in up to 1.1.1.7
	external/ibm-public/postfix/dist/src/qmgr/qmgr.c up to 1.5
	external/ibm-public/postfix/dist/src/qmgr/qmgr_bounce.c up to 1.2
	external/ibm-public/postfix/dist/src/qmgr/qmgr_defer.c up to 1.2
	external/ibm-public/postfix/dist/src/qmgr/qmgr_message.c up to 1.6
	external/ibm-public/postfix/dist/src/sendmail/Makefile.in up to 1.1.1.6
	external/ibm-public/postfix/dist/src/sendmail/sendmail.c up to 1.6
	external/ibm-public/postfix/dist/src/showq/showq.c up to 1.6
	external/ibm-public/postfix/dist/src/smtp/Makefile.in up to 1.1.1.12
	external/ibm-public/postfix/dist/src/smtp/lmtp_params.c up to 1.7
	external/ibm-public/postfix/dist/src/smtp/smtp.c up to 1.15
	external/ibm-public/postfix/dist/src/smtp/smtp.h up to 1.7
	external/ibm-public/postfix/dist/src/smtp/smtp_connect.c up to 1.7
	external/ibm-public/postfix/dist/src/smtp/smtp_key.c up to 1.4
	external/ibm-public/postfix/dist/src/smtp/smtp_params.c up to 1.7
	external/ibm-public/postfix/dist/src/smtp/smtp_proto.c up to 1.7
	external/ibm-public/postfix/dist/src/smtp/smtp_rcpt.c up to 1.4
	external/ibm-public/postfix/dist/src/smtp/smtp_state.c up to 1.5
	external/ibm-public/postfix/dist/src/smtp/smtp_tls_policy.c up to 1.6
	external/ibm-public/postfix/dist/src/smtp/smtp_tlsrpt.c up to 1.3
	external/ibm-public/postfix/dist/src/smtp/smtp_trouble.c up to 1.4
	external/ibm-public/postfix/dist/src/smtpd/Makefile.in up to 1.1.1.13
	external/ibm-public/postfix/dist/src/smtpd/smtpd.c up to 1.22
	external/ibm-public/postfix/dist/src/smtpd/smtpd.h up to 1.7
	external/ibm-public/postfix/dist/src/smtpd/smtpd_chat.c up to 1.5
	external/ibm-public/postfix/dist/src/smtpd/smtpd_check.c up to 1.8
	external/ibm-public/postfix/dist/src/smtpd/smtpd_haproxy.c up to 1.4
	external/ibm-public/postfix/dist/src/smtpd/smtpd_peer.c up to 1.6
	external/ibm-public/postfix/dist/src/smtpd/smtpd_proxy.c up to 1.4
	external/ibm-public/postfix/dist/src/smtpd/smtpd_proxy.h up to 1.2
	external/ibm-public/postfix/dist/src/tls/Makefile.in up to 1.1.1.12
	external/ibm-public/postfix/dist/src/tls/tls.h  up to 1.7
	external/ibm-public/postfix/dist/src/tls/tls_client.c up to 1.15
	external/ibm-public/postfix/dist/src/tls/tls_dane.c up to 1.7
	external/ibm-public/postfix/dist/src/tls/tls_dane.sh up to 1.1.1.2
	external/ibm-public/postfix/dist/src/tls/tls_dh.c up to 1.7
	external/ibm-public/postfix/dist/src/tls/tls_misc.c up to 1.7
	external/ibm-public/postfix/dist/src/tls/tls_prng_file.c up to 1.3
	external/ibm-public/postfix/dist/src/tls/tls_proxy.h up to 1.6
	external/ibm-public/postfix/dist/src/tls/tls_proxy_client_misc.c up to 1.5
	external/ibm-public/postfix/dist/src/tls/tls_proxy_client_print.c up to 1.6
	external/ibm-public/postfix/dist/src/tls/tls_proxy_client_scan.c up to 1.6
	external/ibm-public/postfix/dist/src/tls/tls_server.c up to 1.14
	external/ibm-public/postfix/dist/src/tls/tls_verify.c up to 1.6
	external/ibm-public/postfix/dist/src/tls/tlsrpt_wrapper.c up to 1.3
	external/ibm-public/postfix/dist/src/tlsproxy/tlsproxy.c up to 1.8
	external/ibm-public/postfix/dist/src/tlsproxy/tlsproxy_state.c up to 1.4
	external/ibm-public/postfix/dist/src/trivial-rewrite/Makefile.in up to 1.1.1.7
	external/ibm-public/postfix/dist/src/trivial-rewrite/resolve.c up to 1.6
	external/ibm-public/postfix/dist/src/trivial-rewrite/trivial-rewrite.c up to 1.6
	external/ibm-public/postfix/dist/src/util/Makefile.in up to 1.1.1.13
	external/ibm-public/postfix/dist/src/util/alldig.c up to 1.4
	external/ibm-public/postfix/dist/src/util/argv.c up to 1.6
	external/ibm-public/postfix/dist/src/util/argv.h up to 1.6
	external/ibm-public/postfix/dist/src/util/dict.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict.h up to 1.7
	external/ibm-public/postfix/dist/src/util/dict_alloc.c up to 1.4
	external/ibm-public/postfix/dist/src/util/dict_cache.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_cache.h up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_cdb.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_cidr.c up to 1.6
	external/ibm-public/postfix/dist/src/util/dict_db.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_dbm.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_debug.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_env.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_fail.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_inline.c up to 1.6
	external/ibm-public/postfix/dist/src/util/dict_lmdb.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_ni.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_nis.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_nisplus.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_open.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_pcre.c up to 1.6
	external/ibm-public/postfix/dist/src/util/dict_pipe.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_random.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_regexp.c up to 1.6
	external/ibm-public/postfix/dist/src/util/dict_sdbm.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_seq.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/dict_sockmap.c up to 1.7
	external/ibm-public/postfix/dist/src/util/dict_static.c up to 1.5
	external/ibm-public/postfix/dist/src/util/dict_surrogate.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_tcp.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_test.c up to 1.3
	external/ibm-public/postfix/dist/src/util/dict_thash.c up to 1.6
	external/ibm-public/postfix/dist/src/util/dict_union.c up to 1.4
	external/ibm-public/postfix/dist/src/util/dict_unix.c up to 1.2
	external/ibm-public/postfix/dist/src/util/dict_utf8_test.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/hash_fnv.c up to 1.5
	external/ibm-public/postfix/dist/src/util/hex_code.c up to 1.5
	external/ibm-public/postfix/dist/src/util/hex_code.h up to 1.6
	external/ibm-public/postfix/dist/src/util/htable.c up to 1.5
	external/ibm-public/postfix/dist/src/util/inet_addr_list.c up to 1.3
	external/ibm-public/postfix/dist/src/util/inet_prefix_top.c up to 1.4
	external/ibm-public/postfix/dist/src/util/inet_proto.c up to 1.5
	external/ibm-public/postfix/dist/src/util/mac_expand.c up to 1.5
	external/ibm-public/postfix/dist/src/util/mac_expand.h up to 1.6
	external/ibm-public/postfix/dist/src/util/mac_expand.in up to 1.1.1.5
	external/ibm-public/postfix/dist/src/util/mac_expand.ref up to 1.1.1.5
	external/ibm-public/postfix/dist/src/util/match_list.c up to 1.4
	external/ibm-public/postfix/dist/src/util/midna_domain.c up to 1.6
	external/ibm-public/postfix/dist/src/util/mkmap_open.c up to 1.3
	external/ibm-public/postfix/dist/src/util/msg_vstream.c up to 1.2
	external/ibm-public/postfix/dist/src/util/myaddrinfo.c up to 1.4
	external/ibm-public/postfix/dist/src/util/myaddrinfo.h up to 1.5
	external/ibm-public/postfix/dist/src/util/myaddrinfo.ref up to 1.1.1.6
	external/ibm-public/postfix/dist/src/util/myaddrinfo.ref2 up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/myaddrinfo4.ref up to 1.1.1.3
	external/ibm-public/postfix/dist/src/util/myaddrinfo4.ref2 up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/myflock.c up to 1.4
	external/ibm-public/postfix/dist/src/util/name_mask.c up to 1.5
	external/ibm-public/postfix/dist/src/util/name_mask.h up to 1.2
	external/ibm-public/postfix/dist/src/util/name_mask.ref5 up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/name_mask.ref6 up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/netstring.c up to 1.5
	external/ibm-public/postfix/dist/src/util/normalize_ws.c up to 1.3
	external/ibm-public/postfix/dist/src/util/open_as.c up to 1.2
	external/ibm-public/postfix/dist/src/util/open_as.h up to 1.2
	external/ibm-public/postfix/dist/src/util/quote_for_json.c up to 1.3
	external/ibm-public/postfix/dist/src/util/sane_sockaddr_to_hostaddr.c up to 1.3
	external/ibm-public/postfix/dist/src/util/spawn_command.c up to 1.4
	external/ibm-public/postfix/dist/src/util/spawn_command.h up to 1.3
	external/ibm-public/postfix/dist/src/util/stringops.h up to 1.7
	external/ibm-public/postfix/dist/src/util/sys_defs.h up to 1.16
	external/ibm-public/postfix/dist/src/util/unescape.ref up to 1.1.1.3
	external/ibm-public/postfix/dist/src/util/vbuf_print.c up to 1.6
	external/ibm-public/postfix/dist/src/util/vbuf_print_test.in up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/vbuf_print_test.ref up to 1.1.1.2
	external/ibm-public/postfix/dist/src/util/vstream.c up to 1.6
	external/ibm-public/postfix/dist/src/util/vstream.h up to 1.5
	external/ibm-public/postfix/dist/src/util/vstring.c up to 1.5
	external/ibm-public/postfix/dist/src/util/vstring_vstream.c up to 1.3
	external/ibm-public/postfix/dist/src/verify/verify.c up to 1.6
	external/ibm-public/postfix/dist/src/virtual/Makefile.in up to 1.1.1.7
	external/ibm-public/postfix/dist/src/virtual/virtual.c up to 1.5
	external/ibm-public/postfix/dist/src/virtual/virtual.h up to 1.2
	external/ibm-public/postfix/dist/src/xsasl/xsasl_dovecot_server.c up to 1.6
	external/ibm-public/postfix/lib/global/Makefile up to 1.12
	external/ibm-public/postfix/lib/util/Makefile   up to 1.13
	external/ibm-public/postfix/libexec/smtp/Makefile up to 1.5
	doc/3RDPARTY						(manually edited)

Import Postfix 3.11.2.
@
text
@a27 1
<li> <a href="#reusing"> Connection reuse versus session resumption </a> </li>
d55 2
a56 2
<p> The diagram below shows how successful or failed Postfix TLS
handshake events are collected and processed into daily summary
d102 1
a102 1
<p> The Postfix implementation supports TLSRPT for domains with DANE
a205 43
<h2> <a name="reusing"> Connection reuse versus session resumption
</a> </h2>

<p> The Postfix SMTP client implements two kinds of reuse: </p>

<ul>

<li> <p> <b> SMTP Connection reuse: </b> a Postfix SMTP client
creates a new SMTP connection, sends one email message, and saves
the connection instead of closing it. Later, some SMTP client reuses
that connection, sends an email message, and saves or closes the
connection depending on whether it has reached some reuse limit.
Each connection can be used by only one Postfix SMTP client at a
time. </p>

<li> <p> <b> TLS Session resumption: </b> a Postfix SMTP client
saves the result from a "new" TLS handshake. Later, one or more
SMTP clients create a new SMTP connection and resume the saved TLS
session on their new connection. <p>

</ul>

<p> Of course there is a third case: </p>

<ul>

<li> <p> <b> Combined reuse and resumption: </b> a Postfix SMTP
client creates a new SMTP connection, sends one email message, saves
the result from a "new" TLS handshake, and also saves the connection
instead of closing it. Later, one SMTP client reuses (and saves)
that connection, one client at a time, and one or more clients
create a new SMTP connection and resume the saved TLS session on
their new connection. <p>

</ul>

<p> In all cases, there is no TLS handshake when a saved SMTP connection
is reused, and there is no "new" TLS handshake when a saved TLS session
is resumed. </p>

<p> As described next, Postfix will by default log and generate only a
TLSRPT event for a "new" TLS handshake.  </p>

d245 6
a250 6
<li> <p> With TLSRPT enabled, the Postfix SMTP client reports the
TLSRPT status for all TLS handshakes (the default as of Postfix
3.11).  Specify "<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> = yes" (the
default with Postfix 3.10) to skip reporting TLS handshakes that
reuse a previously-negotiated TLS session as there would be no new
information to report. </p>
d332 1
a332 1
<p> Postfix supports MTA-STS through an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> policy
@


1.1.1.2
log
@Import postfix 3.11.2 (previous was 3.10.1)

Changes in 3.11.2

Bugfix (defect introduced: Postfix 3.11): the proxymap(8) daemon
dereferenced an uninitialized pointer after a request protocol
error. This daemon is not exposed to local or remote users. Found
by Claude Opus 4.6.

Bugfix (defect introduced: 20260309) a change, to set the service_name
default value to "amnesiac", violated a test that parameter names
in postconf output must match 1:1 with parameter names in the
postlink script.

Changes in 3.11.1

Bugfix (defect introduced: 20260219): alias_maps errors when
default_database_type was not set in main.cf. Fix by Michael Tokarev.

Bugfix (defect introduced: Postfix 3.0): buffer over-read when
Postfix is configured with an enhanced status code not followed by
other text. For example, "5.7.2" without text after the three-number
code, in an access(5) table, header or body checks, or with "$rbl_code
$rbl_text" in rbl_reply_maps or default_rbl_reply. These are all
uncommon configurations. Problem reported by Kamil Frankowicz.

Bugfix (defect introduced: Postfix 3.3): null pointer in nbdb_reindexd(8)
because the "service_name" value was not propagated. Report by
Michael Tokarev.

During Postfix start-up, avoid a spurious error message from
nbdb_reindexd(8), when non_bdb_migration_level disables automatic
re-indexing.

Changes in 3.11.0

Postfix stable release 3.11.0 is available. Postfix 3.7 - 3.10 were
updated a few weeks ago; after that, Postfix 3.7 will no longer be
updated.

The main changes are below. See the RELEASE_NOTES file for further details.

Berkeley DB migration:

Some (Linux) distributions are removing support for BerkeleyDB
databases (In Postfix, this means we lose support for the hash:
and btree: lookup tables). See NON_BERKELEYDB_README for manual
and partially automatic migration from btree: to lmdb:, and from
hash: to lmdb: or cdb:.

The loss of BerkeleyDB affects Mailman versions that want to execute
commands like "postmap hash:/path/to/file" when a mailing list is
added or removed. Postfix provides a way to redirect such commands
to a supported database type.

You don't have to wait until BerkeleyDB support is removed. It can
make sense to migrate while BerkeleyDB support is still available
(mainly, less downtime).

Changes in TLS support:

Default TLS security. The Postfix SMTP client smtp_tls_security_level
default value is "may" if Postfix was built with TLS support, and
the compatibility_level is 3.11 or higher.

Support for the RFC 8689 "REQUIRETLS" verb in ESMTP. This requires
that every SMTP (and LMTP) server in the forward path is strongly
authenticated with DANE, STS, or equivalent, and that every server
announces REQUIRETLS support.

See REQUIRETLS_README for suggestions to carefully enforce REQUIRETLS
without causing massive mail delivery problems.

Logging the TLS security level. This shows the desired and actual
TLS security level enforcement status and, if a message requests
REQUIRETLS, the REQUIRETLS policy enforcement status. For a list
of examples see smtp_log_tls_feature_status

Workaround for an interface mismatch between the Postfix SMTP client
and MTA-STS policy plugins. This introduces a new parameter
smtp_tls_enforce_sts_mx_patterns (default: "yes"). The MTA-STS
plugin configuration needs to enable TLSRPT support, so that it
forwards STS policy attributes to Postfix. Both postfix-tlspol and
postfix-mta-sts-resolver have been updated accordingly.

With this, the Postfix SMTP client will connect to an MX host only
if its name matches any STS policy MX host pattern, and will match
a server certificate against the MX hostname. Otherwise, the old
behavior stays in effect: connect to any MX host listed in DNS,
and match a server certificate against any STS policy MX host
pattern.

Post-quantum cryptography support. With OpenSSL 3.5 and later,
change the tls_eecdh_auto_curves default value to avoid problems
with network infrastructure that mishandles TLS hello messages
larger than one (Ethernet) TCP segment. This problem is more
generally known as "protocol ossification".

Miscellaneous changes:

Deprecation of obsolete parameters. Postfix programs log a warning
that these parameters will be removed. See DEPRECATION_README for
a list of deprecated parameters.

JSON output support with "postconf -j|-jM|-jF|-jP", "postalias
-jq|-js", "postmap -jq|-js", and "postmulti -jl". No support is
planned for JSON input support.

Milter support: improved Milter error handling for messages that
arrive over a long-lived SMTP connection, by changing the default
milter_default_action from "tempfail" to the new "shutdown" action
(i.e. disconnect the remote SMTP client). This was already back-ported
to earlier stable releases.

For more changes in the 3.10 branch see:
https://www.postfix.org/announcements.html
@
text
@a27 1
<li> <a href="#reusing"> Connection reuse versus session resumption </a> </li>
d55 2
a56 2
<p> The diagram below shows how successful or failed Postfix TLS
handshake events are collected and processed into daily summary
d102 1
a102 1
<p> The Postfix implementation supports TLSRPT for domains with DANE
a205 43
<h2> <a name="reusing"> Connection reuse versus session resumption
</a> </h2>

<p> The Postfix SMTP client implements two kinds of reuse: </p>

<ul>

<li> <p> <b> SMTP Connection reuse: </b> a Postfix SMTP client
creates a new SMTP connection, sends one email message, and saves
the connection instead of closing it. Later, some SMTP client reuses
that connection, sends an email message, and saves or closes the
connection depending on whether it has reached some reuse limit.
Each connection can be used by only one Postfix SMTP client at a
time. </p>

<li> <p> <b> TLS Session resumption: </b> a Postfix SMTP client
saves the result from a "new" TLS handshake. Later, one or more
SMTP clients create a new SMTP connection and resume the saved TLS
session on their new connection. <p>

</ul>

<p> Of course there is a third case: </p>

<ul>

<li> <p> <b> Combined reuse and resumption: </b> a Postfix SMTP
client creates a new SMTP connection, sends one email message, saves
the result from a "new" TLS handshake, and also saves the connection
instead of closing it. Later, one SMTP client reuses (and saves)
that connection, one client at a time, and one or more clients
create a new SMTP connection and resume the saved TLS session on
their new connection. <p>

</ul>

<p> In all cases, there is no TLS handshake when a saved SMTP connection
is reused, and there is no "new" TLS handshake when a saved TLS session
is resumed. </p>

<p> As described next, Postfix will by default log and generate only a
TLSRPT event for a "new" TLS handshake.  </p>

d245 6
a250 6
<li> <p> With TLSRPT enabled, the Postfix SMTP client reports the
TLSRPT status for all TLS handshakes (the default as of Postfix
3.11).  Specify "<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> = yes" (the
default with Postfix 3.10) to skip reporting TLS handshakes that
reuse a previously-negotiated TLS session as there would be no new
information to report. </p>
d332 1
a332 1
<p> Postfix supports MTA-STS through an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> policy
@


1.1.1.1.4.1
log
@file TLSRPT_README.html was added on branch perseant-exfatfs on 2025-08-02 05:49:51 +0000
@
text
@d1 481
@


1.1.1.1.4.2
log
@Sync with HEAD
@
text
@a0 481
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
  "https://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<title>Postfix TLSRPT notification Howto</title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>

</head>

<body>

<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix TLSRPT Howto</h1>

<hr>

<h2> Table of Contents </h2>

<ul>

<li> <a href="#intro"> Introduction </a> </li>
<li> <a href="#building"> Building Postfix with TLSRPT support </a>
<li> <a href="#using"> Turning on TLSRPT </a> </li>
<li> <a href="#logging"> TLSRPT Status logging </a> </li>
<li> <a href="#delivering"> Delivering TLSRPT summaries via email</a> </li>
<li> <a href="#mta-sts"> MTA-STS Support via smtp_tls_policy_maps </a> </li>
<li> <a href="#limitations"> Limitations </a></li>
<li> <a href="#credits"> Credits </a> </li>

</ul>

<h2> <a name="intro"> Introduction </a> </h2>

<p> The TLSRPT protocol is defined in <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a>. With this, an email
receiving domain can publish a policy in DNS, and request daily
summary reports for successful and failed SMTP over TLS connections
to that domain's MX hosts. Support for TLSRPT was added in Postfix
3.10. </p>

<p> A policy for domain <tt>example.com</tt> could look like this: </p>

<blockquote>
<pre>
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:smtp-tls-report@@example.com"
</pre>
</blockquote>

<p> Instead of <tt>mailto:</tt>, a policy may specify an <tt>https:</tt>
destination. </p>

<p> The diagram below shows how Postfix TLS handshake success and
failure events are collected and processed into daily summary
reports. </p>

<blockquote>

<table>

<tr> <td align="center" bgcolor="#f0f0ff"> Postfix SMTP and TLS
client engines </td> <td> <tt> &rarr; </tt> </td>

<td align="center" bgcolor="#f0f0ff"> <a
href="https://github.com/sys4/libtlsrpt">TLSRPT client library </a>
(linked into Postfix) </td> <td> <tt> &rarr; </tt> </td>

<td align="center" bgcolor="#f0f0ff"> <a
href="https://github.com/sys4/tlsrpt-reporter">TLSRPT collector,
fetcher, and summary generator</a> </td> <td> <tt> &rarr; </tt>
</td>

<td align="center" bgcolor="#f0f0ff"> Email or HTTP delivery </td>
</tr>

</table>

</blockquote>

<ul>

<li> <p> The Postfix SMTP and TLS client engines will generate a
"success" or "failure" event for each TLS handshake, </p>

<li> <p> They will pass those events to an in-process TLSRPT client
library that sends data over a local socket to </p>

<li> <p> A local TLSRPT collector that runs on each Postfix machine.
A TLSRPT fetcher gathers information from individual collectors,
and a central TLSRPT report generator produces daily summary reports.
</p>

</ul>

<p> The TLSRPT client library, and the infrastructure to collect,
fetch, and report TLSRPT information, are implemented and maintained
by sys4 at <a href="https://github.com/sys4/libtlsrpt">https://github.com/sys4/libtlsrpt</a> and
<a href="https://github.com/sys4/tlsrpt-reporter">https://github.com/sys4/tlsrpt-reporter</a>, respectively. </p>

<p> The Postfix implementation supports TLSRPT or domains with DANE
(Postfix built-in) and MTA-STS (through an <a href="#mta-sts">
smtp_tls_policy_maps plug-in</a>). </p>

<p> The Postfix <a href="smtp.8.html">smtp(8)</a> client process implements the SMTP client
engine. With "<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> = no", the <a href="smtp.8.html">smtp(8)</a> client
process also implements the TLS client engine. With
"<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> = yes", the <a href="smtp.8.html">smtp(8)</a> client process
delegates TLS processing to a Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> process. Either
way, Postfix will generate the exact same TLSRPT events. </p>

<h2> <a name="building"> Building Postfix with TLSRPT support </a>
</h2>

<p> These instructions assume that you build Postfix from source
code as described in the <a href="INSTALL.html">INSTALL</a> document. Some modification may
be required if you build Postfix from a vendor-specific source
package. </p>

<p> The Postfix TLSRPT client builds on a TLSRPT library which may
be available as a built package (rpm, deb, etc.), or which you can
build from source code from: </p>

<blockquote>
<p> <a href="https://github.com/sys4/libtlsrpt">https://github.com/sys4/libtlsrpt</a> </p>
</blockquote>

<p> The library is typically installed as a header file in
/usr/local/include/tlsrpt.h and an object library in
/usr/local/lib/libtlsrpt.a or /usr/local/lib/libtlsrpt.so. The
actual pathnames will depend on OS platform conventions. </p>

<p> In order to build Postfix with TLSRPT support, you will need
to add compiler options <tt>-DUSE_TLSRPT</tt> (to build with TLSRPT
support) and <tt>-I</tt> (with the directory containing the tlsrpt.h
header file), and you will need to add linker options to link with
the TLSRPT client library, for example: </p>

<blockquote>
<pre>
make -f Makefile.init makefiles \
  "CCARGS=-DUSE_TLSRPT -I/usr/local/include" \
  "AUXLIBS=-L/usr/local/lib -Wl,-rpath,/usr/local/lib -ltlsrpt"
</pre>
</blockquote>

<p> (On Solaris systems you may need to use "<tt>-Wl,-R</tt>" instead
of "<tt>-Wl,-rpath</tt>".) </p>

<p> Then, just run 'make'. </p>

<blockquote>

<p> Note: if your build command line already has CCARGS or AUXLIBS
settings, then simply append the above settings to the existing CCARGS
or AUXLIBS values: </p>

<pre>
make -f Makefile.init makefiles \
  "CCARGS=... -DUSE_TLSRPT -I/usr/local/include" \
  "AUXLIBS=... -L/usr/local/lib -Wl,-rpath,/usr/local/lib -ltlsrpt"
</pre>
</blockquote>

<h2> <a name="using"> Turning on TLSRPT </a> </h2>

<p> After installing Postfix TLSRPT support, you can enable TLSRPT
support in <a href="postconf.5.html">main.cf</a> like this: </p>

<blockquote>
<pre>
<a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> = yes
<a href="postconf.5.html#smtp_tlsrpt_socket_name">smtp_tlsrpt_socket_name</a> = path/to/socket
</pre>
</blockquote>

<p> The <a href="postconf.5.html#smtp_tlsrpt_socket_name">smtp_tlsrpt_socket_name</a> parameter specifies either an
absolute pathname, or a pathname that is relative to $<a href="postconf.5.html#queue_directory">queue_directory</a>.
</p>

<p> Notes: </p>

<ul>

<li> <p> The recommended socket location is still to be determined.
A good socket location would be under the Postfix queue directory,
for example: "<a href="postconf.5.html#smtp_tlsrpt_socket_name">smtp_tlsrpt_socket_name</a> = run/tlsrpt/tlsrpt.sock".
The advantage of using a relative name is that it will work equally
well whether or not Postfix chroot is turned on. </p>

<li> <p> Regardless of whether Postfix chroot is enabled, the TLSRPT
receiver (<tt>tlsrpt_collectd</tt>) will need to be configured with
the socket's absolute pathname. </p>

<li> <p> Do not specify a TLSRPT socket location under a Postfix socket
directory such as <tt>private</tt> or <tt>public</tt>. Only Postfix
programs should create sockets there. </p>

</ul>

<p> For details on how to run the TLSRPT collection and reporting
infrastructure, see the documentation at
<a href="https://github.com/sys4/tlsrpt-reporter">https://github.com/sys4/tlsrpt-reporter</a>.

<h2> <a name="logging"> TLSRPT Status logging </a> </h2>

<p> With TLSRPT support turned on, the Postfix TLSRPT client will
not only report an event to an invisible daily success/fail summary
queue, but it will also log a visible record to the mail logfile.
</p>

<p> Below are a few examples of logging from a Postfix SMTP client
or tlsproxy daemon: </p>

<blockquote>
<pre>
TLSRPT: status=success, domain=example.com, receiving_mx=mail.example.com[ipaddr]
&nbsp;
TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr],
    failure_type=starttls_not_supported
&nbsp;
TLSRPT: status=failure, domain=example.net, receiving_mx=mail.example.net[ipaddr],
    failure_type=validation_failure, failure_reason=self-signed_certificate
</pre>
</blockquote>

<p> Notes: </p>

<ul>

<li> <p> Postfix logs and reports the TLSRPT status only for TLS
handshakes on a new SMTP connection. There is no TLS handshake, and
thus no TLSRPT status logging, when an SMTP connection is reused.
Such connections have Postfix SMTP client logging like this: </p>

<pre>
Verified <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
    TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
&nbsp;
Untrusted <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
    TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
</pre>

<li> <p> By default, Postfix does not report the TLSRPT status for
a TLS handshake that reuses a previously-negotiated TLS session
(there would be no new information to report). Specify
"<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> = no" to report the TLSRPT
status for all TLS handshakes. This may be useful for troubleshooting.
</p>

<li> <p> Postfix logging for certificate verification failures may
differ between new or reused TLS sessions. </p>

<ul>

<li> <p> New TLS session:
</p>

<pre>
TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr],
    <b>failure_type=validation_failure</b>, <b>failure_reason=self-signed_certificate</b>
</pre>

<li> <p> Reused TLS session: </p>

<pre>
mail.example.org[ipaddr]:25: <b>re-using session</b> with untrusted peer
    credential, look for details earlier in the log
TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr],
    <b>failure_type=certificate_not_trusted</b>
</pre>

</ul>

<p> The logging may differ because a reused TLS session does not
have the details for why TLS authentication failed. </p>

</ul>

<h2> <a name="delivering"> Delivering TLSRPT summaries via email</a> </h2>

<p> <a href="https://datatracker.ietf.org/doc/html/rfc8460#section-3">RFC
8460 Section 3</a> specifies that an MTA must not enforce TLS
security when sending failure reports via email. </p>

<p> Options:

<ul>

<li> <p> In an email report, specify the "<b>TLS-Required: no</b>"
message header,
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>, to reduce the Postfix SMTP client TLS security
level to "<b>may</b>" (that is, do not verify remote SMTP server
certificates, and fall back to plaintext if TLS is unavailable).
<br> <br> This feature is available in Postfix 3.10 and later. If
your outbound MTAs run an older version, you can use one of the
options described below. </p>

<li> <p> Do nothing. When TLS security enforcement is required but
fails, a TLSRPT summary message will be delayed
until the problem is addressed, or until the message expires
in the mail queue. Keep in mind that TLSRPT is not a real-time
monitoring service; it takes on average 12 hours before a failure
is reported through TLSRPT. </p>

<li> <p> On outbound MTAs that don't support the "<b>TLS-Required:
no</b>" header feature (such as Postfix 3.9 and earlier), disable
TLS security enforcement for the sender of TLSRPT summaries.
Implement the configuration below on outbound MTA instances (replace
noreply-smtp-tls-reporting@@example.com with your actual report
generator's sender address): </p>

<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    # Limitation: this setting is overruled with <a href="postconf.5.html#transport_maps">transport_maps</a>.
    <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> = <a href="DATABASE_README.html#types">inline</a>:{
        { noreply-smtp-tls-reporting@@example.com = allow-plaintext } }
&nbsp
/etc/postfix/<a href="master.5.html">master.cf</a>:
    # service name    type    private unpriv  chroot  wakeup  maxproc command
    allow-plaintext   unix    -       -       -       -       -       smtp
        -o { <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may }
        -o { <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = <a href="DATABASE_README.html#types">static</a>:may }
</pre>

</ul>

<h2> <a name="mta-sts"> MTA-STS Support via smtp_tls_policy_maps
</a></h2>

<p> Postfix supports MTA-STS though an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> policy
plugin, which replies with a TLS security level and name=value
attributes with certificate matching requirements. Postfix 3.10 and
later extend the policy plugin response with additional name=value
attributes that are needed for TLSRPT. </p>

<p> Examples of <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> plugins with MTA-STS support
are: </p>

<ul>

<li> <p> <a href="https://github.com/Zuplu/postfix-tlspol">
postfix-tlspol</a>, supports domains with DANE (using Postfix
built-in DANE), and domains with MTA-STS. </p>

<li> <p> <a href="https://github.com/Snawoot/postfix-mta-sts-resolver">
postfix-mta-sts-resolver</a>, supports domains with MTA-STS as of
release 1.5.0 (February 2025). </p>

</ul>

<p> Both plugins can generate the additional name=value attributes
that Postfix needs for TLSRPT support (as of February 2025). This
is enabled by setting a <tt>tlsrpt</tt> boolean in a plugin
configuration file.  This setting is safe with Postfix 3.10 and
later, even if Postfix TLSRPT support is disabled (at build time
or at run time). Postfix versions 3.9 and earlier will report a
policy error with "<tt>invalid attribute name</tt>". </p>

<p> The examples in the text below apply to this MTA-STS policy example
given in <a
href="https://datatracker.ietf.org/doc/html/rfc8461#section-3.2">
RFC 8461 Section 3.2</a>: </p>

<blockquote>
<pre>
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
mx: backupmx.example.com
max_age: 604800
</pre>
</blockquote>

<p> The list of supported attributes is given below. Instead of
<tt>name=value</tt>, specify <tt>{ name = value }</tt> when a value
may contain whitespace. A policy response may contain line breaks.
</p>

<ul>

<li> <p> <tt> policy_type=<i>type</i> </tt> </p>

<p> Specify <tt>sts</tt> or <tt>no-policy-found</tt>. </p>

<p> Example: <tt>policy_type=sts</tt> </p> </li>

<li> <p> <tt> policy_domain=<i>name</i> </tt> </p>

<p> The domain that the MTA-STS policy applies to. </p>

<p> Example: <tt>policy_domain=example.com</tt> </p>

</li>

<li> <p> <tt> { policy_string = <i>value</i> } </tt> </p>

<p> Specify one <tt>policy_string</tt> instance for each MTA-STS
policy feature, enclosed inside "{" and "}" to protect whitespace
in attribute values. <p>

<p> Example: <tt> { policy_string = version: STSv1 } { policy_string
= mode: enforce } ...</tt> </p>

<p> The above form ignores whitespace after the opening "{", around
the "=", and before the closing "}".</p> </li>

<li> <p> <tt> mx_host_pattern=<i>pattern</i> </tt> </p>

<p> Specify one <tt>mx_host_pattern</tt> instance for each "mx:" feature
in the MTA-STS policy. </p>

<p> Example: <tt>mx_host_pattern=mail.example.com
mx_host_pattern=*.example.net ...</tt> </p> </li>

<li> <p> <tt> policy_failure=<i>type</i> </tt> </p>

<p> If specified, forces MTA-STS policy enforcement to fail with
the indicated error, even if a server certificate would satisfy
conventional PKI constraints. Valid errors are <tt>sts-policy-fetch-error,
sts-policy-invalid</tt>, <tt>sts-webpki-invalid</tt>, or the less
informative <tt>validation-failure</tt>. </p>

<p> Example: <tt>policy_failure=sts-webpki-invalid</tt> </p> </li>

<li> <p> <tt> policy_ttl=<i>time</i> </tt> (deprecated) </p>

<p> This attribute is deprecated. The <i>time</i> value is not used,
and support for this attribute will eventually be removed from the
code. </p> </li>

</ul>

<p> Notes: </p>

<ul>

<li> <p> Postfix 3.10 and later will accept these additional
attributes in an MTA-STS response even if Postfix TLSRPT support
is disabled (at build time or at run time). With Postfix TLSRPT
support turned off, Postfix may still use the <tt>policy_failure</tt>
attribute, and will ignore the attributes that are used only for
TLSRPT. </p>

<li> <p> It is an error to specify these attributes for a non-STS
policy. </p>

</ul>

<h2> <a name="limitations"> Limitations </a></h2>

<p> The Postfix TLSRPT implementation reports only TLS handshake
success or failure. It does not report failure to connect, or
connections that break before or after a TLS handshake. </p>

<p> The Postfix TLSRPT implementation reports at most one final TLS
handshake status (either 'success' or 'failure') per SMTP connection.
Postfix TLSRPT will not report a recoverable failure and then later
report a final status of 'success' for that same connection. The
reason is that it's too complicated to filter TLS errors and to
report error details from the TLS engine back to the SMTP protocol
engine. It just is not how Postfix works internally. </p>

<h2> <a name="credits"> Credits </a> </h2>

<ul>

<li> The TLSRPT client library, and the infrastructure to collect,
fetch, and report TLSRPT information, are implemented and maintained
by sys4. </li>

<li> Wietse Venema implemented the integration with Postfix.
</li>

</ul>

</body>

</html>
@


