1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3 4<html> 5 6<head> 7 8<title>Postfix Backwards-Compatibility Safety Net</title> 9 10<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 11 12</head> 13 14<body> 15 16<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix 17Backwards-Compatibility Safety Net</h1> 18 19<hr> 20 21<h2>Purpose of this document </h2> 22 23<p> Postfix 3.0 introduces a safety net that runs Postfix programs 24with backwards-compatible default settings after an upgrade. The 25safety net will log a warning whenever a "new" default setting could 26have an negative effect on your mail flow. </p> 27 28<p>This document provides information on the following topics: </p> 29 30<ul> 31 32<li> <p> <a href="#overview">Detailed descriptions</a> of Postfix 33backwards-compatibility warnings. 34 35<li> <p> What backwards-compatible settings you may have to make 36permanent in main.cf or master.cf. </p> 37 38<li> <p> <a href="#turnoff">How to turn off</a> Postfix 39backwards-compatibility warnings. </p> 40 41</ul> 42 43<h2> <a name="overview"> Overview </a> </h2> 44 45<p> With backwards compatibility turned on, Postfix logs a message 46whenever a backwards-compatible default setting may be required for 47continuity of service. Based on this logging the system administrator 48can decide if any backwards-compatible settings need to be made 49permanent in main.cf or master.cf, before <a href="#turnoff">turning 50off the backwards-compatibility safety net</a> as described at the 51end of this document. </p> 52 53<p> Logged with compatibility_level < 1: </p> 54 55<ul> 56 57<li> <p> <a href="#append_dot_mydomain"> Using backwards-compatible 58default setting append_dot_mydomain=yes </a> </p> 59 60<li> <p> <a href="#chroot"> Using backwards-compatible default setting 61chroot=y</a> </p> 62 63</ul> 64 65<p> Logged with compatibility_level < 2: </p> 66 67<ul> 68 69<li><p> <a href="#relay_restrictions"> Using backwards-compatible 70default setting "smtpd_relay_restrictions = (empty)"</a> </p> 71 72<li> <p> <a href="#mynetworks_style"> Using backwards-compatible 73default setting mynetworks_style=subnet </a> </p> 74 75<li> <p> <a href="#relay_domains"> Using backwards-compatible default 76setting relay_domains=$mydestination </a> </p> 77 78<li> <p> <a href="#smtputf8_enable"> Using backwards-compatible 79default setting smtputf8_enable=no</a> </p> 80 81</ul> 82 83<p> Logged with compatibility_level < 3.6: </p> 84 85<ul> 86 87<li> <p> <a href="#smtpd_digest"> Using backwards-compatible 88default setting smtpd_tls_fingerprint_digest=md5</a> </p> 89 90<li> <p> <a href="#smtp_digest"> Using backwards-compatible 91default setting smtp_tls_fingerprint_digest=md5</a> </p> 92 93<li> <p> <a href="#smtp_digest"> Using backwards-compatible 94default setting lmtp_tls_fingerprint_digest=md5</a> </p> 95 96<li> <p> <a href="#relay_before_rcpt"> Using backwards-compatible 97default setting smtpd_relay_before_recipient_restrictions=no</a> </p> 98 99<li> <p> <a href="#respectful_logging"> Using backwards-compatible 100default setting respectful_logging=no</a> </p> 101 102</ul> 103 104<p> If such a message is logged in the context of a legitimate 105request, the system administrator should make the backwards-compatible 106setting permanent in main.cf or master.cf, as detailed in the 107sections that follow. </p> 108 109<p> When no more backwards-compatible settings need to be made 110permanent, the system administrator should <a href="#turnoff">turn 111off the backwards-compatibility safety net</a> as described at the 112end of this document. </p> 113 114<h2> <a name="append_dot_mydomain"> Using backwards-compatible default 115setting append_dot_mydomain=yes</a> </h2> 116 117<p> The append_dot_mydomain default value has changed from "yes" 118to "no". This could result in unexpected non-delivery of email after 119Postfix is updated from an older version. The backwards-compatibility 120safety net is designed to prevent such surprises. </p> 121 122<p> As long as the append_dot_mydomain parameter is left at 123its implicit default value, and the compatibility_level setting is 124less than 1, Postfix may log one of the following messages:</p> 125 126<ul> 127 128<li> <p> Messages about missing "localhost" in mydestination or 129other address class: </p> 130 131<blockquote> 132<pre> 133postfix/trivial-rewrite[14777]: using backwards-compatible 134 default setting append_dot_mydomain=yes to rewrite 135 "localhost" to "localhost.example.com"; please add 136 "localhost" to mydestination or other address class 137</pre> 138</blockquote> 139 140<p> If Postfix logs the above message, add "localhost" to 141mydestination (or virtual_alias_domains, virtual_mailbox_domains, 142or relay_domains) and execute the command "<b>postfix reload</b>". 143 144<li> <p> Messages about incomplete domains in email addresses: </p> 145 146<blockquote> 147<pre> 148postfix/trivial-rewrite[25835]: using backwards-compatible 149 default setting append_dot_mydomain=yes to rewrite "foo" to 150 "foo.example.com" 151</pre> 152</blockquote> 153 154<p> If Postfix logs the above message for domains different from 155"localhost", and the sender cannot be changed to use complete domain 156names in email addresses, then the system administrator should make 157the backwards-compatible setting "append_dot_mydomain = yes" permanent 158in main.cf: </p> 159 160<blockquote> 161<pre> 162# <b>postconf append_dot_mydomain=yes</b> 163# <b>postfix reload</b> 164</pre> 165</blockquote> 166 167</ul> 168 169<h2> <a name="chroot"> Using backwards-compatible default 170setting chroot=y</a> </h2> 171 172<p> The master.cf chroot default value has changed from "y" (yes) 173to "n" (no). The new default avoids the need for copies of system 174files under the Postfix queue directory. However, sites with strict 175security requirements may want to keep the chroot feature enabled 176after updating Postfix from an older version. The backwards-compatibility 177safety net is designed allow the administrator to choose if they 178want to keep the old behavior. </p> 179 180<p> As long as a master.cf chroot field is left at its 181implicit default value, and the compatibility_level setting 182is less than 1, Postfix may log the following message while it 183reads the master.cf file: </p> 184 185<blockquote> 186<pre> 187postfix/master[27664]: /etc/postfix/master.cf: line 72: using 188 backwards-compatible default setting chroot=y 189</pre> 190</blockquote> 191 192<p> If this service should remain chrooted, then the system 193administrator should make the backwards-compatible setting "chroot 194= y" permanent in master.cf. For example, to update the chroot 195setting for the "smtp inet" service: </p> 196 197<blockquote> 198<pre> 199# <b>postconf -F smtp/inet/chroot=y</b> 200# <b>postfix reload</b> 201</pre> 202</blockquote> 203 204<h2> <a name="relay_restrictions"> Using backwards-compatible default 205setting smtpd_relay_restrictions = (empty)</a> </h2> 206 207<p> The smtpd_relay_restrictions feature was introduced with Postfix 208version 2.10, as a safety mechanism for configuration errors in 209smtpd_recipient_restrictions that could make Postfix an open relay. 210</p> 211 212<p> The smtpd_relay_restrictions implicit default setting forbids 213mail to remote destinations from clients that don't match 214permit_mynetworks or permit_sasl_authenticated. This could result 215in unexpected 'Relay access denied' errors after Postfix is updated 216from an older Postfix version. The backwards-compatibility safety 217net is designed to prevent such surprises. </p> 218 219<p> When the compatibility_level less than 1, and the 220smtpd_relay_restrictions parameter is left at its implicit default 221setting, Postfix may log the following message: </p> 222 223<blockquote> 224<pre> 225postfix/smtpd[38463]: using backwards-compatible default setting 226 "smtpd_relay_restrictions = (empty)" to avoid "Relay access 227 denied" error for recipient "user@example.com" from client 228 "host.example.net[10.0.0.2]" 229</pre> 230</blockquote> 231 232<p> If this request should not be blocked, then the system 233administrator should make the backwards-compatible setting 234"smtpd_relay_restrictions=" (i.e. empty) permanent in main.cf: 235 236<blockquote> 237<pre> 238# <b>postconf smtpd_relay_restrictions=</b> 239# <b>postfix reload</b> 240</pre> 241</blockquote> 242 243<h2> <a name="mynetworks_style"> Using backwards-compatible default 244setting mynetworks_style=subnet</a> </h2> 245 246<p> The mynetworks_style default value has changed from "subnet" 247to "host". This parameter is used to implement the "permit_mynetworks" 248feature. The change could cause unexpected 'access denied' errors after 249Postfix is updated from an older version. The backwards-compatibility 250safety net is designed to prevent such surprises. </p> 251 252<p> As long as the mynetworks and mynetworks_style parameters are 253left at their implicit default values, and the compatibility_level 254setting is less than 2, the Postfix SMTP server may log one of the 255following messages: </p> 256 257<blockquote> 258<pre> 259postfix/smtpd[17375]: using backwards-compatible default setting 260 mynetworks_style=subnet to permit request from client 261 "foo.example.com[10.1.1.1]" 262</pre> 263</blockquote> 264 265<blockquote> 266<pre> 267postfix/postscreen[24982]: using backwards-compatible default 268 setting mynetworks_style=subnet to permit request from client 269 "10.1.1.1" 270</pre> 271</blockquote> 272 273<p> If the client request should not be rejected, then the system 274administrator should make the backwards-compatible setting 275"mynetworks_style = subnet" permanent in main.cf: </p> 276 277<blockquote> 278<pre> 279# <b>postconf mynetworks_style=subnet</b> 280# <b>postfix reload</b> 281</pre> 282</blockquote> 283 284<h2><a name="relay_domains"> Using backwards-compatible default 285setting relay_domains=$mydestination </a> </h2> 286 287<p> The relay_domains default value has changed from "$mydestination" 288to the empty value. This could result in unexpected 'Relay access 289denied' errors or ETRN errors after Postfix is updated from an older 290version. The backwards-compatibility safety net is designed to 291prevent such surprises. </p> 292 293<p> As long as the relay_domains parameter is left at its implicit 294default value, and the compatibility_level setting is less than 2, 295Postfix may log one of the following messages. </p> 296 297<ul> 298 299<li> <p> Messages about accepting mail for a remote domain:</p> 300 301<blockquote> 302<pre> 303postfix/smtpd[19052]: using backwards-compatible default setting 304 relay_domains=$mydestination to accept mail for domain 305 "foo.example.com" 306</pre> 307</blockquote> 308 309<blockquote> 310<pre> 311postfix/smtpd[19052]: using backwards-compatible default setting 312 relay_domains=$mydestination to accept mail for address 313 "user@foo.example.com" 314</pre> 315</blockquote> 316 317<li> <p> Messages about providing ETRN service for a remote domain:</p> 318 319<blockquote> 320<pre> 321postfix/smtpd[19138]: using backwards-compatible default setting 322 relay_domains=$mydestination to flush mail for domain 323 "bar.example.com" 324</pre> 325</blockquote> 326 327<blockquote> 328<pre> 329postfix/smtp[13945]: using backwards-compatible default setting 330 relay_domains=$mydestination to update fast-flush logfile for 331 domain "bar.example.com" 332</pre> 333</blockquote> 334 335</ul> 336 337<p> If Postfix should continue to accept mail for that domain or 338continue to provide ETRN service for that domain, then the system 339administrator should make the backwards-compatible setting 340"relay_domains = $mydestination" permanent in main.cf: </p> 341 342<blockquote> 343<pre> 344# <b>postconf 'relay_domains=$mydestination'</b> 345# <b>postfix reload</b> 346</pre> 347</blockquote> 348 349<p> Note: quotes are required as indicated above. </p> 350 351<p> Instead of $mydestination, it may be better to specify an 352explicit list of domain names. </p> 353 354<h2> <a name="smtputf8_enable"> Using backwards-compatible default 355setting smtputf8_enable=no</a> </h2> 356 357<p> The smtputf8_enable default value has changed from "no" to "yes". 358With the new "yes" setting, the Postfix SMTP server rejects non-ASCII 359addresses from clients that don't request SMTPUTF8 support, after 360Postfix is updated from an older version. The backwards-compatibility 361safety net is designed to prevent such surprises. </p> 362 363<p> As long as the smtputf8_enable parameter is left at its implicit 364default value, and the compatibility_level setting is 365less than 1, Postfix logs a warning each time an SMTP command uses a 366non-ASCII address localpart without requesting SMTPUTF8 support: </p> 367 368<blockquote> 369<pre> 370postfix/smtpd[27560]: using backwards-compatible default setting 371 smtputf8_enable=no to accept non-ASCII sender address 372 "??@example.org" from localhost[127.0.0.1] 373</pre> 374</blockquote> 375 376<blockquote> 377<pre> 378postfix/smtpd[27560]: using backwards-compatible default setting 379 smtputf8_enable=no to accept non-ASCII recipient address 380 "??@example.com" from localhost[127.0.0.1] 381</pre> 382</blockquote> 383 384<p> If the address should not be rejected, and the client cannot 385be updated to use SMTPUTF8, then the system administrator should 386make the backwards-compatible setting "smtputf8_enable = no" permanent 387in main.cf: 388 389<blockquote> 390<pre> 391# <b>postconf smtputf8_enable=no</b> 392# <b>postfix reload</b> 393</pre> 394</blockquote> 395 396<h2> <a name="smtpd_digest"> Using backwards-compatible 397default setting smtpd_tls_fingerprint_digest=md5</a> </h2> 398 399<p> The smtpd_tls_fingerprint_digest default value has changed from 400"md5" to "sha256". With the new "sha256" setting, the Postfix SMTP 401server avoids using the deprecated "md5" algorithm and computes a more 402secure digest of the client certificate. </p> 403 404<p> If you're using the default "md5" setting, or even an explicit 405"sha1" (also deprecated) setting, you should consider switching to 406"sha256". This will require updating any associated lookup table keys 407with the "sha256" digests of the expected client certificate or public 408key. </p> 409 410<p> As long as the smtpd_tls_fingerprint_digest parameter is left at its 411implicit default value, and the compatibility_level setting is less than 4123.6, Postfix logs a warning each time a client certificate or public key 413fingerprint is (potentially) used for access control: </p> 414 415<blockquote> 416<pre> 417postfix/smtpd[27560]: using backwards-compatible default setting 418 smtpd_tls_fingerprint_digest=md5 to compute certificate fingerprints 419</pre> 420</blockquote> 421 422<p> Since any client certificate fingerprints are passed in policy service 423lookups, and Postfix doesn't know whether the fingerprint will be used, the 424warning may also be logged when policy lookups are performed for connections 425that used a client certificate, even if the policy service does not in fact 426examine the client certificate. To reduce the noise somewhat, such warnings 427are issued at most once per smtpd(8) process instance. </p> 428 429<p> If you prefer to stick with "md5", you can suppress the warnings by 430making that setting explicit. After addressing any other compatibility 431warnings, you can <a href="#turnoff">update</a> your compatibility level. 432</p> 433 434<blockquote> 435<pre> 436# <b>postconf smtpd_tls_fingerprint_digest=md5</b> 437# <b>postfix reload</b> 438</pre> 439</blockquote> 440 441<h2> <a name="smtp_digest"> Using backwards-compatible 442default setting smtp_tls_fingerprint_digest=md5</a> </h2> 443 444<p> The smtp_tls_fingerprint_digest and lmtp_tls_fingerprint_digest 445default values have changed from "md5" to "sha256". With the new 446"sha256" setting, the Postfix SMTP and LMTP client avoids using the 447deprecated "md5" algorithm and computes a more secure digest of the 448server certificate. </p> 449 450<p> If you're using the default "md5" setting, or even an explicit 451"sha1" (also deprecated) setting, you should consider switching to 452"sha256". This will require updating any "fingerprint" security level 453policies in the TLS policy table to specify matching "sha256" digests of 454the expected server certificates or public keys. </p> 455 456<p> As long as the smtp_tls_fingerprint_digest (or LMTP equivalent) 457parameter is left at its implicit default value, and the 458compatibility_level setting is less than 3.6, Postfix logs a warning each 459time the "fingerprint" security level is used to specify matching "md5" 460digests of trusted server certificates or public keys: </p> 461 462<blockquote> 463<pre> 464postfix/smtp[27560]: using backwards-compatible default setting 465 smtp_tls_fingerprint_digest=md5 to compute certificate fingerprints 466</pre> 467</blockquote> 468 469<p> If you prefer to stick with "md5", you can suppress the warnings by 470making that setting explicit. After addressing any other compatibility 471warnings, you can <a href="#turnoff">update</a> your compatibility level. 472</p> 473 474<blockquote> 475<pre> 476# <b>postconf 'smtp_tls_fingerprint_digest = md5' \ 477 'lmtp_tls_fingerprint_digest = md5' </b> 478# <b>postfix reload</b> 479</pre> 480</blockquote> 481 482<h2> <a name="relay_before_rcpt"> Using backwards-compatible 483default setting smtpd_relay_before_recipient_restrictions=no</a> </h2> 484 485<p> The smtpd_relay_before_recipient_restrictions feature was 486introduced in Postfix version 3.6, to evaluate smtpd_relay_restrictions 487before smtpd_recipient_restrictions. Historically, smtpd_relay_restrictions 488was evaluated after smtpd_recipient_restrictions, contradicting 489documented behavior. </p> 490 491<blockquote> <p> Background: smtpd_relay_restrictions is 492primarily designed to enforce a mail relaying policy, while 493smtpd_recipient_restrictions is primarily designed to enforce spam 494blocking policy. Both are evaluated while replying to the RCPT TO 495command, and both support the same features. </p> </blockquote> 496 497<p> To maintain compatibility with earlier versions, Postfix will 498keep evaluating smtpd_recipient_restrictions before 499smtpd_relay_restrictions, as long as the compatibility_level is 500less than 3.6, and the smtpd_relay_before_recipient_restrictions 501parameter is left at its implicit default setting. As a reminder, 502Postfix may log the following message: </p> 503 504<blockquote> 505<pre> 506postfix/smtpd[54696]: using backwards-compatible default setting 507 smtpd_relay_before_recipient_restrictions=no to reject recipient 508 "user@example.com" from client "host.example.net[10.0.0.2]" 509</pre> 510</blockquote> 511 512<p> If Postfix should keep evaluating smtpd_recipient_restrictions 513before smtpd_relay_restrictions, then the system 514administrator should make the backwards-compatible setting 515"smtpd_relay_before_recipient_restrictions=no" permanent in main.cf: </p> 516 517<blockquote> 518<pre> 519# <b> postconf smtpd_relay_before_recipient_restrictions=no </b> 520# <b> postfix reload </b> 521</pre> 522</blockquote> 523 524<h2> <a name="respectful_logging"> Using backwards-compatible 525default setting respectful_logging=no</a> </h2> 526 527<p> Postfix version 3.6 deprecates configuration parameter names and 528logging that suggest white is better than black. Instead it prefers 529'allowlist, 'denylist', and variations of those words. While the renamed 530configuration parameters have backwards-compatible default values, 531the changes in logging could affect logfile analysis tools. </p> 532 533<p> To avoid breaking existing logfile analysis tools, Postfix will keep 534logging the deprecated form, as long as the respectful_logging parameter 535is left at its implicit default value, and the compatibility_level 536setting is less than 3.6. As a reminder, Postfix may log the following 537when a remote SMTP client is allowlisted or denylisted: </p> 538 539<blockquote> 540<pre> 541postfix/postscreen[22642]: Using backwards-compatible default setting 542 respectful_logging=no for client [<i>address</i>]:<i>port</i> 543</pre> 544</blockquote> 545 546<p> If Postfix should keep logging the deprecated form, then the 547system administrator should make the backwards-compatible setting 548"respectful_logging = no" permanent in main.cf. 549 550<blockquote> 551<pre> 552# <b>postconf "respectful_logging = no"</b> 553# <b>postfix reload</b> 554</pre> 555</blockquote> 556 557<h2> <a name="turnoff">Turning off the backwards-compatibility safety net</a> </h2> 558 559<p> Backwards compatibility is turned off by updating the 560compatibility_level setting in main.cf. </p> 561 562<blockquote> 563<pre> 564# <b>postconf compatibility_level=<i>N</i></b> 565# <b>postfix reload</b> 566</pre> 567</blockquote> 568 569<p> For <i>N</i> specify the number that is logged in your postfix(1) 570warning message: </p> 571 572<blockquote> 573<pre> 574warning: To disable backwards compatibility use "postconf compatibility_level=<i>N</i>" and "postfix reload" 575</pre> 576</blockquote> 577 578<p> Sites that don't care about backwards compatibility may set 579"compatibility_level = 9999" at their own risk. </p> 580 581<p> Starting with Postfix version 3.6, the compatibility level in 582the above warning message is the Postfix version that introduced 583the last incompatible change. The level is formatted as 584<i>major.minor.patch</i>, where <i>patch</i> is usually omitted and 585defaults to zero. Earlier compatibility levels are 0, 1 and 2. </p> 586 587<p> NOTE: Postfix 3.6 also introduces support for the "<level", 588"<=level", and other operators to compare compatibility levels. 589With the standard operators "<", "<=", etc., compatibility 590level "3.10" would be smaller than "3.9" which is undesirable. </p> 591 592</body> 593 594</html> 595
