1 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "https://www.w3.org/TR/html4/loose.dtd"> 3 4 <html> 5 6 <head> 7 8 <title>Postfix REQUIRETLS Support</title> 9 10 <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 11 <link rel='stylesheet' type='text/css' href='postfix-doc.css'> 12 13 </head> 14 15 <body> 16 17 <h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix REQUIRETLS Support</h1> 18 19 <hr> 20 21 <h2> Table of Contents </h2> 22 <ul> 23 24 <li> <a href="#purpose"> Purpose of this document </a> </li> 25 <li> <a href="#intro"> Introduction </a> </li> 26 <li> <a href="#perimeter"> REQUIRETLS for a perimeter MTA </a> 27 <ul> 28 <li> <a href="#inbound"> Receiving inbound messages with REQUIRETLS requests </a> 29 <li> <a href="#lmtp-smtp"> LMTP and SMTP-based message stores and content filters content filters </a> 30 <li> <a href="#non-smtp"> Non-SMTP and non-LMTP content filters </a> 31 <li> <a href="#external"> Communication with external servers </a> 32 <li> <a href="#relax"> Relaxing REQUIRETLS for external deliveries </a> 33 </ul> 34 <li> <a href="#census"> An experiment: testing REQUIRETLS support </a> 35 <li> <a href="#requesting"> Requesting REQUIRETLS without SMTP </a> 36 <li> <a href="#ndrs"> Non-delivery notifications </a> </li> 37 <li> <a href="#summary"> REQUIRETLS quick summary </a> </li> 38 <li> <a href="#credits"> Credits </a> </li> 39 40 </ul> 41 42 <h2> <a name="purpose"> Purpose of this document </a> </h2> 43 44 <p> This document covers Postfix configuration for the REQUIRETLS 45 extension. The purpose of these settings is to make REQUIRETLS 46 support usable in an existing environment where REQUIRETLS support 47 is still uncommon, with a path towards a future with REQUIRETLS. 48 </p> 49 50 <h2> <a name="intro"> Introduction </a> </h2> 51 52 <p> The REQUIRETLS extension in ESMTP is defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. When 53 a sender requests REQUIRETLS. the message must be sent only over 54 strongly-authenticated SMTP or LMTP connections. </p> 55 56 <p> Specifically: </p> 57 58 <ul> 59 60 <li> <p> Every server in the forward path to the final destination must 61 announce REQUIRETLS support. </p> 62 63 <blockquote> Challenge: as of 2025, only a few servers implement 64 REQUIRETLS. </blockquote> 65 66 <li> <p> Every server in the forward path must be looked up securely 67 (for example, with DNSSEC or HTTPS). </p> 68 69 <li> <p> Every server certificate in the forward path must be verified. In 70 practice, this involves DANE (+DNSSEC) or MTA-STS; custom configuration 71 would not scale. </p> 72 73 <blockquote> Challenge: as of 2025, many domains do not publish a 74 DANE or MTA-STS policy. </blockquote> 75 76 <li> <p> A message with REQUIRETLS must be returned to the sender if 77 any of the above requirements is not satisfied (no STARTTLS support, 78 no secure server lookup, no trusted or no matching server certificate, 79 or no server that announces REQUIRETLS support). </p> 80 81 </ul> 82 83 <p> For more background information, see the <a href="#summary"> 84 REQUIRETLS quick summary</a> below. </p> 85 86 <h2> <a name="perimeter"> REQUIRETLS for a perimeter MTA </a> </h2> 87 88 <p> In this text, a perimeter MTA is a mail system that operates 89 on the boundary of an administrative domain. It receives email 90 messages for the domain, and/or sends email messages on behalf 91 of the domain. </p> 92 93 <h3> <a name="inbound"> Receiving inbound messages with REQUIRETLS requests </a> </h3> 94 95 <p> Postfix has one global parameter setting that controls REQUIRETLS 96 support in all Postfix processes. The default setting is: 97 98 <blockquote> 99 <pre> 100 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 101 <a href="postconf.5.html#requiretls_enable">requiretls_enable</a> = yes 102 </pre> 103 </blockquote> 104 105 <p> With this, the Postfix SMTP server will announce REQUIRETLS 106 support, and more importantly, will receive messages from senders 107 that for some reason request REQUIRETLS support -- messages that 108 you would otherwise not receive, assuming that the domain already 109 publishes a valid DANE and/or STS policy. </p> 110 111 <p> If all you need is to receive messages with REQUIRETLS, and 112 you do not insist on enforcing REQUIRETLS when sending or forwarding 113 messages, then you can stop reading this document after adding the 114 additional settings below. </p> 115 116 <blockquote> <p> NOTE: The configuration below may be suitable for 117 a personal domain, where the owner can decide what happens with all 118 messages. For domains that receive messages for other people, a 119 less radical approach may be better, as described in the sections 120 that follow. </p> </blockquote> 121 122 <blockquote> 123 <pre> 124 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 125 2 # Don't enforce REQUIRETLS when delivering mail with SMTP or LMTP. 126 3 <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> = opportunistic 127 4 <a href="postconf.5.html#lmtp_requiretls_policy">lmtp_requiretls_policy</a> = opportunistic 128 5 129 6 # Don't detect or add a "Require-TLS-ESMTP: yes" header. 130 7 <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = no 131 </pre> 132 </blockquote> 133 134 <ul> 135 136 <li> <p> Lines 3-4: These relax REQUIRETLS enforcement when delivering 137 a email to a message store, content filter, or other destination 138 that may not support REQUIRETLS. If a server does not support 139 STARTTLS or REQUIRETLS, then Postfix will simply deliver the message 140 as if the sender did not request REQUIRETLS. 141 142 <li> <p> Line 7: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> feature enables support 143 for a message header "Require-TLS-ESMTP: yes" that allows Postfix 144 to propagate the sender's REQUIRETLS request through a content 145 filter based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>. This feature 146 can safely be disabled if the domain does not need to enforce 147 REQUIRETLS while delivering or forwarding messages. </p> 148 149 </ul> 150 151 <h3> <a name="lmtp-smtp"> LMTP and SMTP-based message stores and content filters </a> </h3> 152 153 <p> REQUIRETLS is historically not supported by message stores such 154 as Dovecot, and by content filters based on <a href="FILTER_README.html">FILTER_README</a> or 155 <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>. The settings below allow for that reality, while 156 also preparing for future REQUIRETLS support. <p> 157 158 <p> The Postfix SMTP (LMTP) client supports a permissive REQUIRETLS 159 policy that is suitable for communication with internal message stores 160 and content filters based on <a href="FILTER_README.html">FILTER_README</a> or <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>. </p> 161 162 <ul> 163 164 <li> <p> <b>opportunistic</b>: STARTTLS and REQUIRETLS support are 165 optional. When the sender requests REQUIRETLS, and an SMTP or LMTP 166 server supports STARTTLS and REQUIRETLS, then send REQUIRETLS, 167 otherwise simply deliver the message as if the sender did not request 168 REQUIRETLS. </p> 169 170 </ul> 171 172 <p> For a more complete definition of this enforcement level, see 173 the <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> parameter documentation. </p> 174 175 <p> For REQUIRETLS, the relevant Postfix 3.11 configuration default 176 settings are: </p> 177 178 <blockquote> 179 <pre> 180 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 181 2 <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may 182 3 <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes 183 4 <a href="postconf.5.html#lmtp_requiretls_policy">lmtp_requiretls_policy</a> = opportunistic 184 5 <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> = 185 6 <a href="DATABASE_README.html#types">inline</a>:{ 186 7 { ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic } 187 8 { .${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic } 188 9 { localhost = opportunistic } } 189 10 <a href="cidr_table.5.html">cidr</a>:{ 190 11 { 0.0.0.0/0 opportunistic } 191 12 { ::/0 opportunistic } } 192 13 ...to be completed in section "<a href="#external">Communication with external servers</a>"... 193 </pre> 194 </blockquote> 195 196 <ul> 197 198 <li> <p> Line 3: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> setting enables support 199 for a message header "Require-TLS-ESMTP: yes" that allows Postfix 200 to propagate the sender's REQUIRETLS request through a content 201 filter. This feature can safely be disabled if there is no need for 202 content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>. 203 </p> 204 205 <li> <p> Lines 5-12: These make REQUIRETLS support optional for 206 internal destinations and content filters that are specified as a 207 symbolic name (lines 6-9) or as a numerical IP address (lines 10-12). 208 </p> 209 210 <li> <p> Lines 7 and 8 use ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} instead 211 of $<a href="postconf.5.html#mydomain">mydomain</a>. The function <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns $<a href="postconf.5.html#mydomain">mydomain</a> if 212 that contains only (7-bit) ASCII. If the <a href="postconf.5.html#mydomain">mydomain</a> value contains 213 non-ASCII characters, then <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns the 214 <tt>xn--mumble-mumble</tt> Punycode (A-label) form that Postfix 215 needs. This works around a limitation that may be eliminated in a 216 future Postfix version. </p> 217 218 <li> <p> Note: if you specify a domain list outside <a href="postconf.5.html">main.cf</a>, then 219 the automatic $<i>name</i> expansions and Punycode conversions will 220 not happen; you will need to enter real domain names and will need 221 to convert non-ASCII domains to Punycode. </p> 222 223 </ul> 224 225 <h3> <a name="non-smtp"> Non-SMTP and non-LMTP content filters </a> </h3> 226 227 <p> Postfix <a href="FILTER_README.html">FILTER_README</a> describes content inspection based on a 228 pipe-to-command approach. For REQUIRETLS, the relevant Postfix 3.11 229 default setting is: </p> 230 231 <blockquote> 232 <pre> 233 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 234 <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes 235 </pre> 236 </blockquote> 237 238 <p> The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> feature enables support for a message 239 header "Require-TLS-ESMTP: yes" that allows Postfix to propagate the 240 sender's REQUIRETLS request through a content filter. This feature can 241 safely be disabled if there is no need for content inspection based on 242 <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>. </p> 243 244 <h3> <a name="external"> Communication with external servers </a> </h3> 245 246 <p> For communication with external servers, the Postfix SMTP client 247 supports multiple enforcement levels: </p> 248 249 <ul> 250 251 <li> <p> <b>enforce</b>: When the sender requests REQUIRETLS, require 252 secure lookup of MX hosts (for example, using DNSSEC or HTTPS), 253 require a server certificate match (for example, based on a published 254 DANE or STS policy), and require that the remote server supports 255 REQUIRETLS. Otherwise return the message as undeliverable. </p> <p> 256 NOTE: this is also used implicitly when no REQUIRETLS policy match 257 is found. </p> 258 259 <li> <p> <b>opportunistic+starttls</b>: When the sender requests 260 REQUIRETLS, require that the server supports STARTTLS. Send REQUIRETLS 261 if the server supports REQUIRETLS, otherwise simply deliver the 262 message as if the sender did not request REQUIRETLS. </p> 263 264 <li> <p> <b>opportunistic</b>: STARTTLS and REQUIRETLS support are 265 optional. When the sender requests REQUIRETLS, and an SMTP or LMTP 266 server supports STARTTLS and REQUIRETLS, then send REQUIRETLS, 267 otherwise simply deliver the message as if the sender did not request 268 REQUIRETLS. </p> 269 270 </ul> 271 272 <p> For a more complete definition of these enforcement levels, 273 see the <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> parameter documentation. </p> 274 275 <p> For sending mail with REQUIRETLS, the relevant Postfix 3.11 276 default settings are shown below, with one suggested setting in a 277 comment (line 2). 278 279 <p> The default settings below complete the earlier configuration 280 for <a href="#lmtp-smtp">message stores and content filters</a>, 281 with an 'enforce' policy for external deliveries (line 13). You can 282 disable the <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> feature (line 4) if a configuration 283 does not use content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or 284 <a href="FILTER_README.html">FILTER_README</a>. </p> 285 286 <blockquote> 287 <pre> 288 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 289 2 # <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = ...dane/sts plugin... 290 3 <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may 291 4 <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes 292 5 <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> = 293 6 <a href="DATABASE_README.html#types">inline</a>:{ 294 7 { ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic } 295 8 { .${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic } 296 9 { localhost = opportunistic } } 297 10 <a href="cidr_table.5.html">cidr</a>:{ 298 11 { 0.0.0.0/0 opportunistic } 299 12 { ::/0 opportunistic } } 300 13 enforce 301 </pre> 302 </blockquote> 303 304 <ul> 305 306 <li> <p> New at line 13: The 'enforce' policy for external 307 destinations is technically correct, but is likely to suffer from 308 delivery failures because many domains do not publish a DANE or STS 309 policy, and many MTAs support STARTTLS but not REQUIRETLS. A perhaps 310 more practical policy may be found in the section <a href="#relax"> 311 Relaxing REQUIRETLS for external deliveries</a>. </p> 312 313 <li> <p> (Same as before) Line 3: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> setting 314 enables support for a message header "Require-TLS-ESMTP: yes" that 315 allows Postfix to propagate the sender's REQUIRETLS request through 316 a content filter. This feature can safely be disabled if there is 317 no need for content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or 318 <a href="FILTER_README.html">FILTER_README</a>. </p> 319 320 <li> <p> (Same as before) Lines 5-12: These make REQUIRETLS support 321 optional for internal destinations and content filters that are 322 specified as a symbolic name (lines 6-9) or as a numerical IP address 323 (lines 10-12). 324 325 <li> <p> (Same as before) Lines 7 and 8 use ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} 326 instead of $<a href="postconf.5.html#mydomain">mydomain</a>. The function <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns $<a href="postconf.5.html#mydomain">mydomain</a> 327 if that contains only (7-bit) ASCII. If the <a href="postconf.5.html#mydomain">mydomain</a> value contains 328 non-ASCII characters, then <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns the 329 <tt>xn--mumble-mumble</tt> Punycode (A-label) form that Postfix 330 needs. This works around a limitation that may be eliminated in a 331 future Postfix version. </p> 332 333 <li> <p> (Same as before) Note: if you specify a domain list outside 334 <a href="postconf.5.html">main.cf</a>, then the automatic $<i>name</i> expansions and Punycode 335 conversions will not happen; you will need to enter real domain 336 names and will need to convert non-ASCII domains to Punycode.) </p> 337 338 </ul> 339 340 <h3> <a name="relax"> Relaxing REQUIRETLS for external deliveries </a> </h3> 341 342 <p> It may be desirable to make REQUIRETLS work with today's 343 infrastructure, by keeping the requirement for TLS, but relaxing 344 the requirements that a remote server supports REQUIRETLS and that 345 its server certificate matches a DANE or STS policy. The configuration 346 below makes that change by replacing the default 'enforce' with 347 'opportunistic+starttls' (line 13). </p> 348 349 <blockquote> 350 <pre> 351 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 352 2 <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may 353 3 # <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = ...dane/sts plugin... 354 4 <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes 355 5 <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> = 356 6 <a href="DATABASE_README.html#types">inline</a>:{ 357 7 { ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic } 358 8 { .${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} = opportunistic } 359 9 { localhost = opportunistic } } 360 10 <a href="cidr_table.5.html">cidr</a>:{ 361 11 { 0.0.0.0/0 opportunistic } 362 12 { ::/0 opportunistic } } 363 13 opportunistic+starttls 364 </pre> 365 </blockquote> 366 367 <ul> 368 369 <li> <p> New at line 13: the 'opportunistic+starttls' policy relaxes 370 the requirement that every MTA in the forward path of a message 371 supports REQUIRETLS, but in practice only one network hop needs to 372 be secured: from a sender's perimeter MTA to a receiver's perimeter 373 MTA. The network connections between user agents and their respective 374 perimeters are assumed to be already secure. </p> 375 376 <li> <p> (Same as before) Line 3: The <a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> setting 377 enables support for a message header "Require-TLS-ESMTP: yes" that 378 allows Postfix to propagate the sender's REQUIRETLS request through 379 a content filter. This feature can safely be disabled if there is 380 no need for content inspection based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or 381 <a href="FILTER_README.html">FILTER_README</a>. </p> 382 383 <li> <p> (Same as before) Lines 5-12: These make REQUIRETLS support 384 optional for internal destinations and content filters that are 385 specified as a symbolic name (lines 6-9) or as a numerical IP address 386 (lines 10-12). 387 388 <li> <p> (Same as before) Lines 7 and 8 use ${<a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{$<a href="postconf.5.html#mydomain">mydomain</a>}} 389 instead of $<a href="postconf.5.html#mydomain">mydomain</a>. The function <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns $<a href="postconf.5.html#mydomain">mydomain</a> 390 if that contains only (7-bit) ASCII. If the <a href="postconf.5.html#mydomain">mydomain</a> value contains 391 non-ASCII characters, then <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} returns the 392 <tt>xn--mumble-mumble</tt> Punycode (A-label) form that Postfix 393 needs. This works around a limitation that may be eliminated in a 394 future Postfix version. </p> 395 396 <li> <p> (Same as before) Note: if you specify a domain list outside 397 <a href="postconf.5.html">main.cf</a>, then the automatic $<i>name</i> expansions and Punycode 398 conversions will not happen; you will need to enter real domain 399 names and will need to convert non-ASCII domains to Punycode.) </p> 400 401 </ul> 402 403 <h2> <a name="census"> An experiment: testing REQUIRETLS support </a> </h2> 404 405 <p> The 'opportunistic' enforcement level may be useful to discover 406 REQUIRETLS support globally. The idea is to turn on REQUIRETLS for 407 all outbound mail, and watch in Postfix TLS status logging how often 408 delivery is logged as "requiretls" (all requirements satisfied), 409 "requiretls:nocertmatch" (no DANE or STS policy, or certificate not 410 trusted or not matched), "requiretls:none" (no REQUIRETLS support), 411 or "requiretls:nostarttls". For more details on this logging format, 412 see <a href="postconf.5.html#smtp_log_tls_feature_status">smtp_log_tls_feature_status</a>.</p> 413 414 <h2> <a name="requesting"> Requesting REQUIRETLS without SMTP </a> </h2> 415 416 <p> There are two options: </p> 417 418 <ul> 419 420 <li> <p> Specify the Postfix-specific "<b>sendmail -Orequiretls=yes</b>" 421 command-line option. This option is always available, but may not 422 be convenient to use. <p> 423 424 <li> <p> Add a Postfix-specific "<b>Require-TLS-ESMTP: yes</b>" 425 message header. This is easier to use, but requires the setting 426 "<a href="postconf.5.html#requiretls_esmtp_header">requiretls_esmtp_header</a> = yes" which is not recommended for systems 427 without content filters based on <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="FILTER_README.html">FILTER_README</a>. 428 </p> 429 430 </ul> 431 432 <blockquote> <b>Question</b>: perhaps there needs to be a parameter 433 setting to request REQUIRETLS for specific email sources or contexts? 434 </blockquote> 435 436 <h2> <a name="ndrs"> Non-delivery notifications </a> </h2> 437 438 <p> By default, Postfix redacts an undeliverable REQUIRETLS message as 439 described in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>, before returning it to the sender: </p> 440 441 <ul> 442 443 <li> <p> Remove the label "this message needs REQUIRETLS". The 444 purpose is to avoid loss of notifications when a reverse path does 445 not support REQUIRETLS, even though the forward path supported it. 446 </p> 447 448 <li> <p> Return only the message header, as if the message was 449 received with the <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> DSN option "<tt>RET=HDRS</tt>". The 450 purpose is to limit the amount of information that may be exposed 451 in plaintext. </p> 452 453 </ul> 454 455 <p> The relevant default setting is: </p> 456 457 <blockquote> 458 <pre> 459 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 460 <a href="postconf.5.html#requiretls_redact_dsn">requiretls_redact_dsn</a> = yes 461 </pre> 462 </blockquote> 463 464 <p> When a message was received with a "<tt>TLS-Required: no</tt>" 465 header, and REQUIRETLS was not requested, the "T<tt>LS-Required: 466 no</tt>" header is copied to the delivery status notification. </p> 467 468 <h2> <a name="summary"> REQUIRETLS quick summary </a> </h2> 469 470 <p> The REQUIRETLS extension in ESMTP allows a sender to request 471 that a message will be sent over connections that are protected 472 with TLS. <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> defines two SMTP features: </p> 473 474 <ul> 475 476 <li> <p> A message header "TLS-Required: no" that disables TLS 477 enforcement: do not require a server certificate match, and allow 478 falling back to plaintext if TLS is unavailable. This may be useful 479 to report a TLS problem, as described in <a href="TLSRPT_README.html">TLSRPT_README</a>. This feature 480 has lower precedence than REQUIRETLS, and is not discussed further 481 in this document. </p> 482 483 <li> <p> An ESMTP protocol extension named "REQUIRETLS" that an SMTP 484 server may list in its EHLO response, and that an SMTP client may request 485 in a MAIL FROM command. This extension can be used only in an encrypted 486 session, as illustrated with the fragment below, where <tt>C</tt>=client 487 and <tt>S</tt>=server. </p> 488 489 <pre> 490 . . . 491 C: STARTTLS 492 S: 220 Ready to start TLS 493 C: EHLO client.example.org 494 S: 250-mail.example.com 495 . . . 496 250 REQUIRETLS 497 C: MAIL FROM:<sender (a] example.org> REQUIRETLS 498 S: 250 OK 499 . . . 500 </pre> 501 502 <li> <p> <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> applies equally to message relay [<a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>], submission 503 [<a href="https://tools.ietf.org/html/rfc6409">RFC 6409</a>], and the LMTP Local Mail Transfer Protocol [<a href="https://tools.ietf.org/html/rfc2033">RFC 2033</a>]. </p> 504 505 <li> <p> REQUIRETLS is an <i>end-to-end</i> feature, unlike SMTP 506 which is <i>hop-by-hop</i>. When a sender requests REQUIRETLS, each 507 server in the forward path must support REQUIRETLS. </p> 508 509 <li> <p> Each connection in the forward path must be made to a server 510 that has been looked up securely (for example, with DNSSEC 511 or HTTPS). 512 513 <li> <p> Each server certificate must be verified. To match a server 514 certificate, the Postfix SMTP client needs to use an appropriate policy 515 type: </p> 516 517 <ul> 518 519 <li> <p> A TLS policy type 'secure' or 'verify', with certificate name 520 matching info. For example, a policy returned by an MTA-STS plugin that 521 looks up certificate matching info using HTTPS; 522 523 <li> <p> A TLS policy type 'dane-only', which looks up certificate or 524 public-key matching info using DNSSEC. For example, a policy that is 525 returned by a DANE+STS plugin; </p> 526 527 <li> <p> A TLS policy type 'dane', provided that both the nexthop 528 domain and its MX hosts are in DNSSEC-signed zones, and usable 529 DNSSEC-signed TLSA records are discovered. In other words, the 530 effective TLS policy remains DANE and is not downgraded because the 531 destination lacks DNSSEC and/or usable TLSA records; </p> 532 533 <li> <p> A TLS policy type 'fingerprint', with digital fingerprints. 534 This is a non-scalable solution for special deployments, mentioned 535 here only for completeness. </p> 536 537 </ul> 538 539 <li> <p> A message that requires REQUIRETLS must be returned to the 540 sender if any of the above requirements is not satisfied (no STARTTLS 541 support, no secure lookup of MX servers, no trusted or no matching 542 server certificate, or no server that announces REQUIRETLS support). 543 </p> 544 545 <li> <p> Returning an undeliverable message that requires REQUIRETLS 546 comes with its own challenges: the return path may differ from the 547 forward path, and the return path may not support REQUIRETLS all 548 the way back to the sender, even if the forward path supported 549 REQUIRETLS. By default, Postfix follows <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> and redacts 550 bounce messages so that they can be sent without REQUIRETLS. </p> 551 552 </ul> 553 554 <h2> <a name="credits"> Credits </a> </h2> 555 556 <ul> 557 558 <li> In Postfix 3.10, Wietse Venema refactored SMTPUTF8 support and 559 extended it to propagate REQUIRETLS and "TLS-Required: no" information. 560 561 <li> In Postfix 3.11, Wietse added REQUIRETLS support to the Postfix 562 SMTP client; added a "<tt>tls=<i>status</i>/requiretls=<i>status</i></tt>" 563 field to the Postfix delivery status logging; added <a href="postconf.5.html#smtp_requiretls_policy">smtp_requiretls_policy</a> 564 support; added support for the "Require-TLS-ESMTP: yes" header to 565 propagate REQUIRETLS through non-Postfix programs, specifically 566 content filters. </li> 567 568 </ul> 569 570 </body> 571 572 </html> 573
Indexes created Mon Jun 22 00:25:11 UTC 2026