xref: /netbsd-src/external/ibm-public/postfix/dist/proto/COMPATIBILITY_README.html (revision 059c16a85b0b39d60ad6d18f53c09510815afa2b) 
1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
2        "http://www.w3.org/TR/html4/loose.dtd">
3
4<html>
5
6<head>
7
8<title>Postfix Backwards-Compatibility Safety Net</title>
9
10<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
11<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
12
13</head>
14
15<body>
16
17<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
18Backwards-Compatibility Safety Net</h1>
19
20<hr>
21
22<h2>Purpose of this document </h2>
23
24<p> Postfix 3.0 introduces a safety net that runs Postfix programs
25with backwards-compatible default settings after an upgrade. The
26safety net will log a warning whenever a "new" default setting could
27have an negative effect on your mail flow. </p>
28
29<p>This document provides information on the following topics: </p>
30
31<ul>
32
33<li> <p> <a href="#overview">Detailed descriptions</a> of Postfix
34backwards-compatibility warnings.
35
36<li> <p> What backwards-compatible settings you may have to make
37permanent in main.cf or master.cf.  </p>
38
39<li> <p> <a href="#turnoff">How to turn off</a> Postfix
40backwards-compatibility warnings. </p>
41
42</ul>
43
44<h2> <a name="overview"> Overview </a> </h2>
45
46<p>  With backwards compatibility turned on, Postfix logs a message
47whenever a backwards-compatible default setting may be required for
48continuity of service.  Based on this logging the system administrator
49can decide if any backwards-compatible settings need to be made
50permanent in main.cf or master.cf, before <a href="#turnoff">turning
51off the backwards-compatibility safety net</a> as described at the
52end of this document. </p>
53
54<p> Logged with compatibility_level &lt; 1: </p>
55
56<ul>
57
58<li> <p> <a href="#append_dot_mydomain"> Using backwards-compatible
59default setting append_dot_mydomain=yes </a> </p>
60
61<li> <p> <a href="#chroot"> Using backwards-compatible default setting
62chroot=y</a> </p>
63
64</ul>
65
66<p> Logged with compatibility_level &lt; 2: </p>
67
68<ul>
69
70<li><p> <a href="#relay_restrictions"> Using backwards-compatible
71default setting "smtpd_relay_restrictions = (empty)"</a> </p>
72
73<li> <p> <a href="#mynetworks_style"> Using backwards-compatible
74default setting mynetworks_style=subnet </a> </p>
75
76<li> <p> <a href="#relay_domains"> Using backwards-compatible default
77setting relay_domains=$mydestination </a> </p>
78
79<li> <p> <a href="#smtputf8_enable"> Using backwards-compatible
80default setting smtputf8_enable=no</a> </p>
81
82</ul>
83
84<p> Logged with compatibility_level &lt; 3.6: </p>
85
86<ul>
87
88<li> <p> <a href="#smtpd_digest"> Using backwards-compatible
89default setting smtpd_tls_fingerprint_digest=md5</a> </p>
90
91<li> <p> <a href="#smtp_digest"> Using backwards-compatible
92default setting smtp_tls_fingerprint_digest=md5</a> </p>
93
94<li> <p> <a href="#smtp_digest"> Using backwards-compatible
95default setting lmtp_tls_fingerprint_digest=md5</a> </p>
96
97<li> <p> <a href="#relay_before_rcpt"> Using backwards-compatible
98default setting smtpd_relay_before_recipient_restrictions=no</a> </p>
99
100<li> <p> <a href="#respectful_logging"> Using backwards-compatible
101default setting respectful_logging=no</a> </p>
102
103</ul>
104
105<p> If such a message is logged in the context of a legitimate
106request, the system administrator should make the backwards-compatible
107setting permanent in main.cf or master.cf, as detailed in the
108sections that follow. </p>
109
110<p> When no more backwards-compatible settings need to be made
111permanent, the system administrator should <a href="#turnoff">turn
112off the backwards-compatibility safety net</a> as described at the
113end of this document. </p>
114
115<h2> <a name="append_dot_mydomain"> Using backwards-compatible default
116setting append_dot_mydomain=yes</a> </h2>
117
118<p> The append_dot_mydomain default value has changed from "yes"
119to "no". This could result in unexpected non-delivery of email after
120Postfix is updated from an older version. The backwards-compatibility
121safety net is designed to prevent such surprises. </p>
122
123<p> As long as the append_dot_mydomain parameter is left at
124its implicit default value, and the compatibility_level setting is
125less than 1, Postfix may log one of the following messages:</p>
126
127<ul>
128
129<li> <p> Messages about missing "localhost" in mydestination or
130other address class: </p>
131
132<blockquote>
133<pre>
134postfix/trivial-rewrite[14777]: using backwards-compatible
135    default setting append_dot_mydomain=yes to rewrite
136    "localhost" to "localhost.example.com"; please add
137    "localhost" to mydestination or other address class
138</pre>
139</blockquote>
140
141<p> If Postfix logs the above message, add "localhost" to
142mydestination (or virtual_alias_domains, virtual_mailbox_domains,
143or relay_domains) and execute the command "<b>postfix reload</b>".
144
145<li> <p> Messages about incomplete domains in email addresses: </p>
146
147<blockquote>
148<pre>
149postfix/trivial-rewrite[25835]: using backwards-compatible
150    default setting append_dot_mydomain=yes to rewrite "foo" to
151    "foo.example.com"
152</pre>
153</blockquote>
154
155<p> If Postfix logs the above message for domains different from
156"localhost", and the sender cannot be changed to use complete domain
157names in email addresses, then the system administrator should make
158the backwards-compatible setting "append_dot_mydomain = yes" permanent
159in main.cf: </p>
160
161<blockquote>
162<pre>
163# <b>postconf append_dot_mydomain=yes</b>
164# <b>postfix reload</b>
165</pre>
166</blockquote>
167
168</ul>
169
170<h2> <a name="chroot"> Using backwards-compatible default
171setting chroot=y</a> </h2>
172
173<p> The master.cf chroot default value has changed from "y" (yes)
174to "n" (no). The new default avoids the need for copies of system
175files under the Postfix queue directory. However, sites with strict
176security requirements may want to keep the chroot feature enabled
177after updating Postfix from an older version. The backwards-compatibility
178safety net is designed allow the administrator to choose if they
179want to keep the old behavior. </p>
180
181<p> As long as a master.cf chroot field is left at its
182implicit default value, and the compatibility_level setting
183is less than 1, Postfix may log the following message while it
184reads the master.cf file: </p>
185
186<blockquote>
187<pre>
188postfix/master[27664]: /etc/postfix/master.cf: line 72: using
189    backwards-compatible default setting chroot=y
190</pre>
191</blockquote>
192
193<p> If this service should remain chrooted, then the system
194administrator should make the backwards-compatible setting "chroot
195= y" permanent in master.cf.  For example, to update the chroot
196setting for the "smtp inet" service: </p>
197
198<blockquote>
199<pre>
200# <b>postconf -F smtp/inet/chroot=y</b>
201# <b>postfix reload</b>
202</pre>
203</blockquote>
204
205<h2> <a name="relay_restrictions"> Using backwards-compatible default
206setting smtpd_relay_restrictions = (empty)</a> </h2>
207
208<p> The smtpd_relay_restrictions feature was introduced with Postfix
209version 2.10, as a safety mechanism for configuration errors in
210smtpd_recipient_restrictions that could make Postfix an open relay.
211</p>
212
213<p> The smtpd_relay_restrictions implicit default setting forbids
214mail to remote destinations from clients that don't match
215permit_mynetworks or permit_sasl_authenticated. This could result
216in unexpected 'Relay access denied' errors after Postfix is updated
217from an older Postfix version. The backwards-compatibility safety
218net is designed to prevent such surprises. </p>
219
220<p> When the compatibility_level less than 1, and the
221smtpd_relay_restrictions parameter is left at its implicit default
222setting, Postfix may log the following message: </p>
223
224<blockquote>
225<pre>
226postfix/smtpd[38463]: using backwards-compatible default setting
227    "smtpd_relay_restrictions = (empty)" to avoid "Relay access
228    denied" error for recipient "user@example.com" from client
229    "host.example.net[10.0.0.2]"
230</pre>
231</blockquote>
232
233<p> If this request should not be blocked, then the system
234administrator should make the backwards-compatible setting
235"smtpd_relay_restrictions=" (i.e. empty) permanent in main.cf:
236
237<blockquote>
238<pre>
239# <b>postconf smtpd_relay_restrictions=</b>
240# <b>postfix reload</b>
241</pre>
242</blockquote>
243
244<h2> <a name="mynetworks_style"> Using backwards-compatible default
245setting mynetworks_style=subnet</a> </h2>
246
247<p> The mynetworks_style default value has changed from "subnet"
248to "host". This parameter is used to implement the "permit_mynetworks"
249feature. The change could cause unexpected 'access denied' errors after
250Postfix is updated from an older version. The backwards-compatibility
251safety net is designed to prevent such surprises. </p>
252
253<p> As long as the mynetworks and mynetworks_style parameters are
254left at their implicit default values, and the compatibility_level
255setting is less than 2, the Postfix SMTP server may log one of the
256following messages: </p>
257
258<blockquote>
259<pre>
260postfix/smtpd[17375]: using backwards-compatible default setting
261    mynetworks_style=subnet to permit request from client
262    "foo.example.com[10.1.1.1]"
263</pre>
264</blockquote>
265
266<blockquote>
267<pre>
268postfix/postscreen[24982]: using backwards-compatible default
269    setting mynetworks_style=subnet to permit request from client
270    "10.1.1.1"
271</pre>
272</blockquote>
273
274<p> If the client request should not be rejected, then the system
275administrator should make the backwards-compatible setting
276"mynetworks_style = subnet" permanent in main.cf: </p>
277
278<blockquote>
279<pre>
280# <b>postconf mynetworks_style=subnet</b>
281# <b>postfix reload</b>
282</pre>
283</blockquote>
284
285<h2><a name="relay_domains"> Using backwards-compatible default
286setting relay_domains=$mydestination </a> </h2>
287
288<p> The relay_domains default value has changed from "$mydestination"
289to the empty value. This could result in unexpected 'Relay access
290denied' errors or ETRN errors after Postfix is updated from an older
291version. The backwards-compatibility safety net is designed to
292prevent such surprises. </p>
293
294<p> As long as the relay_domains parameter is left at its implicit
295default value, and the compatibility_level setting is less than 2,
296Postfix may log one of the following messages.  </p>
297
298<ul>
299
300<li> <p> Messages about accepting mail for a remote domain:</p>
301
302<blockquote>
303<pre>
304postfix/smtpd[19052]: using backwards-compatible default setting
305    relay_domains=$mydestination to accept mail for domain
306    "foo.example.com"
307</pre>
308</blockquote>
309
310<blockquote>
311<pre>
312postfix/smtpd[19052]: using backwards-compatible default setting
313    relay_domains=$mydestination to accept mail for address
314    "user@foo.example.com"
315</pre>
316</blockquote>
317
318<li> <p> Messages about providing ETRN service for a remote domain:</p>
319
320<blockquote>
321<pre>
322postfix/smtpd[19138]: using backwards-compatible default setting
323    relay_domains=$mydestination to flush mail for domain
324    "bar.example.com"
325</pre>
326</blockquote>
327
328<blockquote>
329<pre>
330postfix/smtp[13945]: using backwards-compatible default setting
331    relay_domains=$mydestination to update fast-flush logfile for
332    domain "bar.example.com"
333</pre>
334</blockquote>
335
336</ul>
337
338<p> If Postfix should continue to accept mail for that domain or
339continue to provide ETRN service for that domain, then the system
340administrator should make the backwards-compatible setting
341"relay_domains = $mydestination" permanent in main.cf: </p>
342
343<blockquote>
344<pre>
345# <b>postconf 'relay_domains=$mydestination'</b>
346# <b>postfix reload</b>
347</pre>
348</blockquote>
349
350<p> Note: quotes are required as indicated above. </p>
351
352<p> Instead of $mydestination, it may be better to specify an
353explicit list of domain names. </p>
354
355<h2> <a name="smtputf8_enable"> Using backwards-compatible default
356setting smtputf8_enable=no</a> </h2>
357
358<p> The smtputf8_enable default value has changed from "no" to "yes".
359With the new "yes" setting, the Postfix SMTP server rejects non-ASCII
360addresses from clients that don't request SMTPUTF8 support, after
361Postfix is updated from an older version. The backwards-compatibility
362safety net is designed to prevent such surprises. </p>
363
364<p> As long as the smtputf8_enable parameter is left at its implicit
365default value, and the compatibility_level setting is
366less than 1, Postfix logs a warning each time an SMTP command uses a
367non-ASCII address localpart without requesting SMTPUTF8 support: </p>
368
369<blockquote>
370<pre>
371postfix/smtpd[27560]: using backwards-compatible default setting
372    smtputf8_enable=no to accept non-ASCII sender address
373    "??@example.org" from localhost[127.0.0.1]
374</pre>
375</blockquote>
376
377<blockquote>
378<pre>
379postfix/smtpd[27560]: using backwards-compatible default setting
380    smtputf8_enable=no to accept non-ASCII recipient address
381    "??@example.com" from localhost[127.0.0.1]
382</pre>
383</blockquote>
384
385<p> If the address should not be rejected, and the client cannot
386be updated to use SMTPUTF8, then the system administrator should
387make the backwards-compatible setting "smtputf8_enable = no" permanent
388in main.cf:
389
390<blockquote>
391<pre>
392# <b>postconf smtputf8_enable=no</b>
393# <b>postfix reload</b>
394</pre>
395</blockquote>
396
397<h2> <a name="smtpd_digest"> Using backwards-compatible
398default setting smtpd_tls_fingerprint_digest=md5</a> </h2>
399
400<p> The smtpd_tls_fingerprint_digest default value has changed from
401"md5" to "sha256".  With the new "sha256" setting, the Postfix SMTP
402server avoids using the deprecated "md5" algorithm and computes a more
403secure digest of the client certificate.  </p>
404
405<p> If you're using the default "md5" setting, or even an explicit
406"sha1" (also deprecated) setting, you should consider switching to
407"sha256".  This will require updating any associated lookup table keys
408with the "sha256" digests of the expected client certificate or public
409key.  </p>
410
411<p> As long as the smtpd_tls_fingerprint_digest parameter is left at its
412implicit default value, and the compatibility_level setting is less than
4133.6, Postfix logs a warning each time a client certificate or public key
414fingerprint is (potentially) used for access control: </p>
415
416<blockquote>
417<pre>
418postfix/smtpd[27560]: using backwards-compatible default setting
419    smtpd_tls_fingerprint_digest=md5 to compute certificate fingerprints
420</pre>
421</blockquote>
422
423<p> Since any client certificate fingerprints are passed in policy service
424lookups, and Postfix doesn't know whether the fingerprint will be used, the
425warning may also be logged when policy lookups are performed for connections
426that used a client certificate, even if the policy service does not in fact
427examine the client certificate.  To reduce the noise somewhat, such warnings
428are issued at most once per smtpd(8) process instance.  </p>
429
430<p> If you prefer to stick with "md5", you can suppress the warnings by
431making that setting explicit.  After addressing any other compatibility
432warnings, you can <a href="#turnoff">update</a> your compatibility level.
433</p>
434
435<blockquote>
436<pre>
437# <b>postconf smtpd_tls_fingerprint_digest=md5</b>
438# <b>postfix reload</b>
439</pre>
440</blockquote>
441
442<h2> <a name="smtp_digest"> Using backwards-compatible
443default setting smtp_tls_fingerprint_digest=md5</a> </h2>
444
445<p> The smtp_tls_fingerprint_digest and lmtp_tls_fingerprint_digest
446default values have changed from "md5" to "sha256".  With the new
447"sha256" setting, the Postfix SMTP and LMTP client avoids using the
448deprecated "md5" algorithm and computes a more secure digest of the
449server certificate.  </p>
450
451<p> If you're using the default "md5" setting, or even an explicit
452"sha1" (also deprecated) setting, you should consider switching to
453"sha256".  This will require updating any "fingerprint" security level
454policies in the TLS policy table to specify matching "sha256" digests of
455the expected server certificates or public keys.  </p>
456
457<p> As long as the smtp_tls_fingerprint_digest (or LMTP equivalent)
458parameter is left at its implicit default value, and the
459compatibility_level setting is less than 3.6, Postfix logs a warning each
460time the "fingerprint" security level is used to specify matching "md5"
461digests of trusted server certificates or public keys: </p>
462
463<blockquote>
464<pre>
465postfix/smtp[27560]: using backwards-compatible default setting
466    smtp_tls_fingerprint_digest=md5 to compute certificate fingerprints
467</pre>
468</blockquote>
469
470<p> If you prefer to stick with "md5", you can suppress the warnings by
471making that setting explicit.  After addressing any other compatibility
472warnings, you can <a href="#turnoff">update</a> your compatibility level.
473</p>
474
475<blockquote>
476<pre>
477# <b>postconf 'smtp_tls_fingerprint_digest = md5' \
478    'lmtp_tls_fingerprint_digest = md5' </b>
479# <b>postfix reload</b>
480</pre>
481</blockquote>
482
483<h2> <a name="relay_before_rcpt"> Using backwards-compatible
484default setting smtpd_relay_before_recipient_restrictions=no</a> </h2>
485
486<p> The smtpd_relay_before_recipient_restrictions feature was
487introduced in Postfix version 3.6, to evaluate smtpd_relay_restrictions
488before smtpd_recipient_restrictions. Historically, smtpd_relay_restrictions
489was evaluated after smtpd_recipient_restrictions, contradicting
490documented behavior. </p>
491
492<blockquote> <p> Background: smtpd_relay_restrictions is
493primarily designed to enforce a mail relaying policy, while
494smtpd_recipient_restrictions is primarily designed to enforce spam
495blocking policy. Both are evaluated while replying to the RCPT TO
496command, and both support the same features. </p> </blockquote>
497
498<p> To maintain compatibility with earlier versions, Postfix will
499keep evaluating smtpd_recipient_restrictions before
500smtpd_relay_restrictions, as long as the compatibility_level is
501less than 3.6, and the smtpd_relay_before_recipient_restrictions
502parameter is left at its implicit default setting. As a reminder,
503Postfix may log the following message: </p>
504
505<blockquote>
506<pre>
507postfix/smtpd[54696]: using backwards-compatible default setting
508    smtpd_relay_before_recipient_restrictions=no to reject recipient
509    "user@example.com" from client "host.example.net[10.0.0.2]"
510</pre>
511</blockquote>
512
513<p> If Postfix should keep evaluating smtpd_recipient_restrictions
514before smtpd_relay_restrictions, then the system
515administrator should make the backwards-compatible setting
516"smtpd_relay_before_recipient_restrictions=no" permanent in main.cf: </p>
517
518<blockquote>
519<pre>
520# <b> postconf smtpd_relay_before_recipient_restrictions=no </b>
521# <b> postfix reload </b>
522</pre>
523</blockquote>
524
525<h2> <a name="respectful_logging"> Using backwards-compatible
526default setting respectful_logging=no</a> </h2>
527
528<p> Postfix version 3.6 deprecates configuration parameter names and
529logging that suggest white is better than black. Instead it prefers
530'allowlist, 'denylist', and variations of those words. While the renamed
531configuration parameters have backwards-compatible default values,
532the changes in logging could affect logfile analysis tools. </p>
533
534<p> To avoid breaking existing logfile analysis tools, Postfix will keep
535logging the deprecated form, as long as the respectful_logging parameter
536is left at its implicit default value, and the compatibility_level
537setting is less than 3.6. As a reminder, Postfix may log the following
538when a remote SMTP client is allowlisted or denylisted: </p>
539
540<blockquote>
541<pre>
542postfix/postscreen[22642]: Using backwards-compatible default setting
543    respectful_logging=no for client [<i>address</i>]:<i>port</i>
544</pre>
545</blockquote>
546
547<p> If Postfix should keep logging the deprecated form, then the
548system administrator should make the backwards-compatible setting
549"respectful_logging = no" permanent in main.cf.
550
551<blockquote>
552<pre>
553# <b>postconf "respectful_logging = no"</b>
554# <b>postfix reload</b>
555</pre>
556</blockquote>
557
558<h2> <a name="turnoff">Turning off the backwards-compatibility safety net</a> </h2>
559
560<p> Backwards compatibility is turned off by updating the
561compatibility_level setting in main.cf. </p>
562
563<blockquote>
564<pre>
565# <b>postconf compatibility_level=<i>N</i></b>
566# <b>postfix reload</b>
567</pre>
568</blockquote>
569
570<p> For <i>N</i> specify the number that is logged in your postfix(1)
571warning message: </p>
572
573<blockquote>
574<pre>
575warning: To disable backwards compatibility use "postconf compatibility_level=<i>N</i>" and "postfix reload"
576</pre>
577</blockquote>
578
579<p> Sites that don't care about backwards compatibility may set
580"compatibility_level = 9999" at their own risk. </p>
581
582<p> Starting with Postfix version 3.6, the compatibility level in
583the above warning message is the Postfix version that introduced
584the last incompatible change. The level is formatted as
585<i>major.minor.patch</i>, where <i>patch</i> is usually omitted and
586defaults to zero. Earlier compatibility levels are 0, 1 and 2. </p>
587
588<p> NOTE: Postfix 3.6 also introduces support for the "&lt;level",
589"&lt;=level", and other operators to compare compatibility levels.
590With the standard operators "&lt;", "&lt;=", etc., compatibility
591level "3.10" would be smaller than "3.9" which is undesirable. </p>
592
593</body>
594
595</html>
596