This weekend a bunch of new Postfix code was promoted from
Postfix 3.11 non-production status to Postfix 3.11 production status.
This may show up soon in various distros under the name "postfix-current",
or similar. The 'up-stream' release is postfix-3.11-20251117.

- TLS feature status logging. The SMTP client logs "tcp=" status
  info in-between "delays=" and "status=".

    ... delays=0.08/0.02/0.85/0.14, tls=dane, dsn=2.1.5, status= ...
    (opportunistic DANE, verified server certificate)

    ... delays=0.06/0.05/6.6/0.04, tls=may:none, dsn=2.0.0, status=sent ...
    (opportunistic TLS, but the server did not announce STARTTLS)

  See https://www.postfix.org/postconf.5.html#smtp_log_tls_feature_status
  for more examples.

- REQUIRETLS (RFC 8689). When a sender specifies "MAIL FROM:<addr>
  REQUIRETLS..." then the Postfix SMTP client will require a TLS
  connection to a 1) securely looked up MX host that 2) provides a
  verified server certificate and that 3) announces REQUIRETLS
  support.

  In practice, 1) and 2) require DANE or STS policy support (typically
  with a DANE/STS policy plugin), and 3) requires server support.
  The vast majority of domains fails to meet all three requirements.
  Therefore, Postfix provides options to make REQUIRETLS more usable.
  See https://www.postfix.org/REQUIRETLS_README.html for guidance.

- SMTPUTF8: if a message delivery requires SMTPUTF8, but the MX
  host does not announce SMTPUTF8 support, the Postfix SMTP client
  will now try an alternate MX host instead of returning the message
  immediately. This behavior was adopted from REQUIRETLS support.

Enjoy!
Wietse
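
Added example, not part of the announcement and not Postfix code: a small log audit that reads the tls= field between "delays=" and "dsn=" in SMTP client delivery records and lists messages that were sent without TLS. The sample log lines, hosts and queue IDs are constructed, and treating any "<level>:none" value as a cleartext delivery is an assumption generalized from the "may:none" example above.

```python
import re
from collections import Counter

# Constructed sample records. Only the delays=/tls=/dsn=/status= layout follows
# the announcement; timestamps, hosts, queue IDs and recipients are made up.
SAMPLE_LOG = """\
Nov 17 10:00:01 mail postfix/smtp[2101]: 4A1B2C3D4E: to=<a@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.1, delays=0.08/0.02/0.85/0.14, tls=dane, dsn=2.1.5, status=sent (250 2.1.5 Ok)
Nov 17 10:00:09 mail postfix/smtp[2102]: 5B2C3D4E5F: to=<b@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=6.8, delays=0.06/0.05/6.6/0.04, tls=may:none, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Nov 17 10:00:12 mail postfix/smtp[2103]: 6C3D4E5F60: to=<c@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=0.4, delays=0.1/0.1/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Nov 17 10:00:15 mail postfix/local[2104]: 7D4E5F6071: to=<d@example.com>, relay=local, delay=0.1, delays=0.05/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# SMTP client delivery record; the tls= field is optional so that records
# written without it (older release, logging disabled) are still counted.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+),.*? delays=[\d./]+,"
    r"(?: tls=(?P<tls>[^,\s]+),)? dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)

def classify(tls):
    """Interpret only the two value shapes the announcement explains."""
    if tls is None:
        return "not-logged"
    _level, _, outcome = tls.partition(":")
    if outcome == "none":
        return "cleartext"      # assumption: "<level>:none" means no TLS was used
    if tls == "dane":
        return "dane-verified"  # opportunistic DANE, verified server certificate
    return "other"              # values this example does not interpret

def audit(log_text):
    """Return (counts per class, list of deliveries sent in cleartext)."""
    counts, cleartext = Counter(), []
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m:
            continue            # not an SMTP client delivery record
        kind = classify(m["tls"])
        counts[kind] += 1
        if kind == "cleartext" and m["status"] == "sent":
            cleartext.append((m["qid"], m["rcpt"], m["relay"]))
    return counts, cleartext

if __name__ == "__main__":
    counts, cleartext = audit(SAMPLE_LOG)
    print(dict(counts))
    for qid, rcpt, relay in cleartext:
        print(f"cleartext delivery {qid} to {rcpt} via {relay}")
```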