1 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "https://www.w3.org/TR/html4/loose.dtd"> 3 4 <html> 5 6 <head> 7 8 <title>Postfix Replacements for Deprecated Features </title> 9 10 <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 11 <link rel='stylesheet' type='text/css' href='postfix-doc.css'> 12 13 </head> 14 15 <body> 16 17 <h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix 18 Replacements for Deprecated Features</h1> 19 20 <hr> 21 22 <h2>Purpose of this document </h2> 23 24 <p> This document describes Postfix features that are deprecated 25 (will be removed) or that have already been removed. It also has 26 tips for making an existing Postfix configuration more future-proof. 27 </p> 28 29 <p> Overview: </p> 30 31 <ul> 32 33 <li> <a href="#why"> Why deprecate? </a> 34 35 <li> <a href="#process"> Deprecation process </a> 36 37 <li> <a href="#features"> Deprecated features </a> 38 39 </ul> 40 41 <h2> <a name="why"> Why deprecate? </a> </h2> 42 43 <p> Sometimes, a Postfix feature needs to be replaced with a different 44 one. To give an example: </p> 45 46 <ul> 47 48 <li> <p> The initial Postfix TLS implementation used multiple boolean 49 parameters: one parameter to enable opportunistic TLS (for example, 50 "smtp_enforce_tls = yes") and one parameter to enable mandatory TLS 51 (for example, "smtp_require_tls = yes"). </p> 52 53 <li> <p> As we added support more features such as fingerprint, 54 dane, and so on, we decided not to add more boolean parameters. 55 Instead we introduced one configuration parameter to select from 56 multiple deployment models (for example, smtp_tls_security_level = 57 may | encrypt | dane, etc...). </p> 58 59 </ul> 60 61 <!-- 62 63 <p> Over time it has become clear that 'level' is too rigid, so this may 64 have to change again. Wietse and Viktor have been discussing a way to 65 specify a range with minimum properties that are required (e.g., encrypt) 66 and nice-to-have properties if they are available (dane or mta-sts). </p> 67 68 --> 69 70 <p> Having both the "old" and "new" way to configure Postfix is 71 convenient for existing Postfix installations, because their 72 configuration does not break after an upgrade to a new version. 73 Unfortunately, there are also disadvantages. Having multiple ways 74 to do similar things is not only confusing for newcomers, it also 75 makes Postfix harder to change. </p> 76 77 <h2> <a name="process"> Deprecation process </a> </h2> 78 79 <p> The basic process steps are: </p> 80 81 <ol> 82 83 <li> <p> Inform humans that a feature will be removed, and suggest 84 replacements, in logging and documentation. </p> 85 86 <li> <p> Remove the feature, and update logging and documentation. </p> 87 88 </ol> 89 90 <p> Disclaimer: it has taken 20 years for some features to be 91 removed. This past is not a guarantee for the future. </p> 92 93 <h2> <a name="features"> Deprecated features </a> </h2> 94 95 <p> The table summarizes removed or deprecated features and 96 replacements. Click on the "obsolete feature" name for a more 97 detailed description. </p> 98 99 <blockquote> 100 101 <table border="1"> 102 103 <tr> <th> Obsolete feature name </th> <th> Warning as <br> of version 104 </th> <th> Removed <br> in version </th> <th> Replacement </th> 105 </tr> 106 107 <tr> <td> <a href="#renamed"> authorized_verp_clients </a> </td> 108 <td align="center"> 3.11 </td> <td align="center"> - </td> <td> 109 smtpd_authorized_verp_clients </td> </tr> 110 111 <tr> <td> <a href="#renamed"> fallback_relay </a> </td> <td 112 align="center"> 3.11 </td> <td align="center"> - </td> <td> 113 smtp_fallback_relay </td> </tr> 114 115 <tr> <td> <a href="#renamed"> lmtp_per_record_deadline </a> </td> 116 <td align="center"> 3.11 </td> <td align="center"> - </td> <td> 117 lmtp_per_request_deadline </td> </tr> 118 119 <tr> <td> <a href="#renamed"> postscreen_blacklist_action </a> </td> 120 <td align="center"> 3.11 </td> <td align="center"> - </td> <td> 121 postscreen_denylist_action </td> </tr> 122 123 <tr> <td> <a href="#renamed"> postscreen_dnsbl_ttl </a> </td> <td 124 align="center"> 3.11 </td> <td align="center"> - </td> <td> 125 postscreen_dnsbl_max_ttl </td> </tr> 126 127 <tr> <td> <a href="#renamed"> postscreen_dnsbl_whitelist_threshold 128 </a> </td> <td align="center"> 3.11 </td> <td align="center"> - 129 </td> <td> 130 postscreen_dnsbl_allowlist_threshold </td> </tr> 131 132 <tr> <td> <a href="#renamed"> postscreen_whitelist_interfaces </a> 133 </td> <td align="center"> 3.11 </td> <td align="center"> - </td> 134 <td> postscreen_allowlist_interfaces </td> </tr> 135 136 <tr> <td> <a href="#renamed"> smtpd_client_connection_limit_exceptions 137 </a> </td> <td align="center"> 3.11 </td> <td align="center"> - 138 </td> <td> 139 smtpd_client_event_limit_exceptions </td> </tr> 140 141 <tr> <td> <a href="#renamed"> smtpd_per_record_deadline </a> </td> 142 <td align="center"> 3.11 </td> <td align="center"> - </td> <td> 143 smtpd_per_request_deadline </td> </tr> 144 145 <tr> <td> <a href="#renamed"> smtp_per_record_deadline </a> </td> 146 <td align="center"> 3.11 </td> <td align="center"> - </td> <td> 147 smtp_per_request_deadline </td> </tr> 148 149 <tr> <td> <a href="#renamed"> tlsproxy_client_level </a> </td> <td 150 align="center"> 3.11 </td> <td align="center"> - </td> <td> 151 tlsproxy_client_security_level </td> </tr> 152 153 <tr> <td> <a href="#renamed"> tlsproxy_client_policy </a> </td> <td 154 align="center"> 3.11 </td> <td align="center"> - </td> <td> 155 tlsproxy_client_policy_maps </td> </tr> 156 157 <tr> <td> <a href="#renamed"> virtual_maps </a> </td> <td align="center"> 158 3.11 </td> <td align="center"> - </td> <td> virtual_alias_maps </td> 159 </tr> 160 161 <!-- 162 163 <tr> <td> <a href="#tls_xdhx_auto"> 164 tls_eecdh_auto_curves </a> </td> <td align="center"> 3.11 165 </td> <td align="center"> - </td> <td> do not specify with OpenSSL 3.5 or later 166 </td> </tr> 167 168 <tr> <td> <a href="#tls_xdhx_auto"> 169 tls_ffdhe_auto_groups </a> </td> <td align="center"> 3.11 170 </td> <td align="center"> - </td> <td> do not specify with OpenSSL 3.5 or later 171 </td> </tr> 172 173 --> 174 175 <tr> <td> <a href="#cname_overrides_servername"> 176 smtp_cname_overrides_servername </a> </td> <td align="center"> 3.11 177 </td> <td align="center"> - </td> <td> do not specify (leave at default) 178 </td> </tr> 179 180 <tr> <td> <a href="#cname_overrides_servername"> 181 lmtp_cname_overrides_servername </a> </td> <td align="center"> 3.11 182 </td> <td align="center"> - </td> <td> do not specify (leave at default) 183 </td> </tr> 184 185 <tr> <td> <a href="#xxx_tls_enforce_peername"> 186 <i>xxx</i>_tls_enforce_peername </a> </td> <td align="center"> 3.11 187 </td> <td align="center"> - </td> <td> <i>xxx</i>_tls_security_level 188 </td> </tr> 189 190 <tr> <td> <a href="#disable_dns_lookups"> disable_dns_lookups </a> 191 </td> <td align="center"> 3.9 </td> <td align="center"> - </td> 192 <td> smtp_dns_support_level </td> </tr> 193 194 <tr> <td> <a href="#xxx_use_tls"> <i>xxx</i>_use_tls </a> </td> 195 <td align="center"> 3.9 </td> <td align="center"> - </td> <td> 196 <i>xxx</i>_tls_security_level </td> </tr> 197 198 <tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_enforce_tls </a> 199 </td> <td align="center"> 3.9 </td> <td align="center"> - </td> 200 <td> <i>xxx</i>_tls_security_level </td> </tr> 201 202 <tr> <td> <a href="#xxx_per_site"> <i>xxx</i>_per_site </a> </td> 203 <td align="center"> 3.9 </td> <td align="center"> - </td> <td> 204 <i>xxx</i>_policy_maps </td> </tr> 205 206 <tr> <td> <a href="#smtpd_tls_dh1024_param_file"> 207 smtpd_tls_dh1024_param_file </a> </td> <td align="center"> 3.9 </td> 208 <td align="center"> - </td> <td> do not specify (leave at default) 209 </td> </tr> 210 211 <tr> <td> <a href="#smtpd_tls_eecdh_grade"> smtpd_tls_eecdh_grade 212 </a> </td> <td align="center"> 3.9 </td> <td align="center"> - </td> 213 <td> do not specify (leave at default) </td> </tr> 214 215 <tr> <td> <a href="#permit_mx_backup"> permit_mx_backup </a> </td> 216 <td align="center"> 3.9 </td> <td align="center"> - </td> <td> 217 relay_domains </td> </tr> 218 219 <tr> <td> <a href="#check_relay_domains"> check_relay_domains </a> 220 </td> <td align="center"> 2.2 </td> <td align="center"> 3.9 </td> 221 <td> permit_mynetworks, reject_unauth_destination </td> </tr> 222 223 <tr> <td> <a href="#reject_maps_rbl"> reject_maps_rbl </a> </td> 224 <td align="center"> 2.1 </td> <td align="center"> 3.9 </td> <td> 225 reject_rbl_client </td> </tr> 226 227 <tr> <td> <a href="#permit_naked_ip_address"> permit_naked_ip_address 228 </a> </td> <td align="center"> 2.0 </td> <td align="center"> 3.9 229 </td> <td> permit_mynetworks, permit_sasl_authenticated </td> </tr> 230 231 </table> 232 233 </blockquote> 234 235 <h3> <a name="renamed"> Parameters that have been renamed for 236 consistency </a> </h3> 237 238 <p> The postconf(1) command logs one or more of the following: </p> 239 240 <ul> 241 242 <li> support for parameter "authorized_verp_clients" will be removed; 243 instead, specify "smtpd_authorized_verp_clients" </li> 244 245 <li> support for parameter "fallback_relay" will be removed; instead, 246 specify "smtp_fallback_relay" </li> 247 248 <li> support for parameter "lmtp_per_record_deadline" will be 249 removed; instead, specify "lmtp_per_request_deadline" </li> 250 251 <li> support for parameter "postscreen_blacklist_action" will be 252 removed; instead, specify "postscreen_denylist_action" </li> 253 254 <li> support for parameter "postscreen_dnsbl_ttl" will be removed; 255 instead, specify "postscreen_dnsbl_max_ttl" </li> 256 257 <li> support for parameter "postscreen_dnsbl_whitelist_threshold" 258 will be removed; instead, specify "postscreen_dnsbl_allowlist_threshold" 259 </li> 260 261 <li> support for parameter "postscreen_whitelist_interfaces" will 262 be removed; instead, specify "postscreen_allowlist_interfaces" </li> 263 264 <li> support for parameter "smtpd_client_connection_limit_exceptions" 265 will be removed; instead, specify "smtpd_client_event_limit_exceptions" 266 </li> 267 268 <li> support for parameter "smtp_per_record_deadline" will be 269 removed; instead, specify "smtp_per_request_deadline" </li> 270 271 <li> support for parameter "tlsproxy_client_level" will be removed; 272 instead, specify "tlsproxy_client_security_level" </li> 273 274 <li> support for parameter "tlsproxy_client_policy" will be removed; 275 instead, specify "tlsproxy_client_policy_maps" </li> 276 277 <li> support for parameter "virtual_maps" will be removed; instead, 278 specify "virtual_alias_maps" </li> 279 280 </ul> 281 282 <p> The above parameters have been renamed for consistency with other 283 parameters. For backwards compatibility, the old parameter values are 284 used as the default value for the new parameters, but they will 285 eventually be removed to eliminate clutter and confusion </p> 286 287 <p> To silence these warning messages, edit main.cf or master.cf, 288 and replace each obsolete parameter name with its replacement. </p> 289 290 <!-- 291 292 <h3> <a name="tls_xdhx_auto"> Obsolete auto group/curve configuration 293 </a> </h3> 294 295 <p> The postconf(1) command logs one of the following: </p> 296 297 <ul> 298 299 <li> support for parameter "tls_eecdh_auto_curves" will be removed; 300 instead, do not specify with OpenSSL 3.5 or later 301 302 <li> support for parameter "tls_ffdhe_auto_groups" will be removed; 303 instead, do not specify with OpenSSL 3.5 or later 304 305 </ul> 306 307 <p> The empty value is the default setting for both as of Postfix 308 3.11, when compiled with OpenSSL 3.5 or later. See tls_config_file 309 for a configuration example </p> 310 311 --> 312 313 <h3> <a name="cname_overrides_servername"> Obsolete CNAME override 314 for peer name configuration </a> </h3> 315 316 <p> The postconf(1) command logs one of the following: </p> 317 318 <ul> 319 320 <li> support for parameter "smtp_cname_overrides_servername" will be 321 removed; instead, do not specify 322 323 <li> support for parameter "lmtp_cname_overrides_servername" will be 324 removed; instead, do not specify 325 326 </ul> 327 328 <p> These features control whether a DNS CNAME record can override 329 the server peer name that Postfix will use for policy lookup or for 330 certificate verification. This behavior is disabled by default as of 331 Postfix 2.11, because it no longer solves a real problem. </p> 332 333 <h3> <a name="xxx_tls_enforce_peername"> Obsolete TLS peer name 334 match configuration </a> </h3> 335 336 <p> The postconf(1) command logs one of the following: </p> 337 338 <ul> 339 340 <li> support for parameter "lmtp_tls_enforce_peername" will be 341 removed; instead, specify "lmtp_tls_security_level" 342 343 <li> support for parameter "smtp_tls_enforce_peername" will be 344 removed; instead, specify "smtp_tls_security_level" 345 346 </ul> 347 348 <p> There are similarly-named parameters and warnings for postscreen(8) 349 and tlsproxy(8), but those parameters should rarely be specified 350 by hand. </p> 351 352 <p> Replace obsolete configuration with its replacement: </p> 353 354 <blockquote> 355 356 <table border="1"> 357 358 <tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr> 359 360 <tr> <td> Enforce peer name match with server certificate </td> 361 <td> <i>xxx</i>_enforce_peername = yes </td> <td> <i>xxx</i>_security_level 362 = verify <br> <i>xxx</i>_security_level = secure </td> </tr> 363 364 <tr> <td> Disable peer name match with server certificate </td> 365 <td> <i>xxx</i>_enforce_peername = no </td> <td> <i>xxx</i>_security_level 366 = may <br> <i>xxx</i>_security_level = encrypt </td> </tr> 367 368 </table> 369 370 </blockquote> 371 372 <h3> <a name="disable_dns_lookups"> Obsolete DNS on/off configuration 373 </a> </h3> 374 375 <p> The postconf(1) command logs the following: </p> 376 377 <ul> 378 379 <li> support for parameter "disable_dns_lookups" will be removed; instead, specify "smtp_dns_support_level" 380 381 </ul> 382 383 <p> Replace obsolete configuration with its replacement: </p> 384 385 <blockquote> 386 387 <table border="1"> 388 389 <tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration 390 </th> <th> Replacement configuration </th> </tr> 391 392 <tr> <td> To disable DNS lookups in the Postfix SMTP/LMTP client 393 </td> <td> disable_dns_lookups = yes </td> <td> smtp_dns_support_level 394 = disabled </td> </tr> 395 396 <tr> <td> To enable DNS lookups in the Postfix SMTP/LMTP client </td> <td> 397 disable_dns_lookups = no </td> <td> 398 Leave smtp_dns_support_level at the implicit default which is empty, unless 399 you need a higher support level such as DNSSEC. </td> </tr> 400 401 </table> 402 403 </blockquote> 404 405 <h3> <a name="xxx_use_tls"> Obsolete opportunistic TLS configuration 406 </a> </h3> 407 408 <p> The postconf(1) command logs one of the following: </p> 409 410 <ul> 411 412 <li> support for parameter "lmtp_use_tls" will be removed; instead, specify "lmtp_tls_security_level" 413 414 <li> support for parameter "smtp_use_tls" will be removed; instead, specify "smtp_tls_security_level" 415 416 <li> support for parameter "smtpd_use_tls" will be removed; instead, specify "smtpd_tls_security_level" 417 418 </ul> 419 420 <p> There are similarly-named parameters and warnings for postscreen(8) 421 and tlsproxy(8), but those parameters should rarely be specified 422 by hand. </p> 423 424 <p> Replace obsolete configuration with its replacement: </p> 425 426 <blockquote> 427 428 <table border="1"> 429 430 <tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr> 431 432 <tr> <td> To turn off TLS </td> <td> <i>xxx</i>_use_tls = no </td> 433 <td> <i>xxx</i>_security_level = none </td> </tr> 434 435 <tr> <td> To turn on opportunistic TLS </td> <td> <i>xxx</i>_use_tls 436 = yes </td> <td> <i>xxx</i>_security_level = may </td> </tr> 437 438 </table> 439 440 </blockquote> 441 442 <h3> <a name="xxx_enforce_tls"> Obsolete mandatory TLS configuration 443 </a> </h3> 444 445 <p> The postconf(1) command logs one of the following: </p> 446 447 <ul> 448 449 <li> support for parameter "lmtp_enforce_tls" will be removed; instead, specify "lmtp_tls_security_level" 450 451 <li> support for parameter "smtp_enforce_tls" will be removed; instead, specify "smtp_tls_security_level" 452 453 <li> support for parameter "smtpd_enforce_tls" will be removed; instead, specify "smtpd_tls_security_level" 454 455 </ul> 456 457 <p> There are similarly-named parameters and warnings for postscreen(8) 458 and tlsproxy(8), but those parameters should rarely be specified 459 by hand. </p> 460 461 <p> Replace obsolete configuration with its replacement: </p> 462 463 <blockquote> 464 465 <table border="1"> 466 467 <tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr> 468 469 <tr> <td> To turn off mandatory TLS </td> <td> <i>xxx</i>_enforce_tls 470 = no </td> <td> <i>xxx</i>_security_level = may </td> </tr> 471 472 <tr> <td> To turn on mandatory TLS </td> <td> <i>xxx</i>_enforce_tls 473 = yes </td> <td> <i>xxx</i>_security_level = encrypt </td> </tr> 474 475 </table> 476 477 </blockquote> 478 479 <h3> <a name="xxx_per_site"> Obsolete TLS policy table configuration 480 </a> </h3> 481 482 <p> The postconf(1) command logs one of the following: </p> 483 484 <ul> 485 486 <li> support for parameter "lmtp_tls_per_site" will be removed; 487 instead, specify "lmtp_tls_policy_maps" 488 489 <li> support for parameter "smtp_tls_per_site" will be removed; 490 instead, specify "smtp_tls_policy_maps" 491 492 </ul> 493 494 <p> There is similarly-named parameter and warning for tlsproxy(8), 495 but that parameter should rarely be specified by hand. </p> 496 497 <p> Unfortunately, this is more than a name change: the table format 498 has changed too, as has the table search process. There is no simple 499 conversion of the obsolete form to its replacement. </p> 500 501 <h3> <a name="check_relay_domains"> check_relay_domains </a> </h3> 502 503 <p> Depending on the Postfix version, the Postfix SMTP daemon logs 504 following warning: </p> 505 506 <ul> 507 508 <li> support for restriction "check_relay_domains" has been removed 509 in Postfix 3.9"; instead, specify "reject_unauth_destination" 510 511 <li> support for restriction "check_relay_domains" will be removed 512 from Postfix; use "reject_unauth_destination" instead 513 514 </ul> 515 516 <p> This feature was removed because it would relay based on the 517 client domain name, which is not robust. </p> 518 519 <p> Recommended configuration to prevent an "open relay" problem 520 with the SMTP service on port 25: 521 </p> 522 523 <blockquote> 524 <pre> 525 main.cf: 526 smtpd_recipient_restrictions = 527 permit_mynetworks, 528 permit_sasl_authenticated, 529 reject_unauth_destination 530 ...other restrictions... 531 </pre> 532 </blockquote> 533 534 <p> Or equivalent in smtpd_relay_restrictions. </p> 535 536 <h3> <a name="permit_mx_backup"> permit_mx_backup</a> </h3> 537 538 <p> The Postfix version 3.9 and later SMTP daemon logs the following 539 warning: </p> 540 541 <ul> 542 543 <li> support for restriction "permit_mx_backup" will be removed 544 from Postfix; instead, specify "relay_domains" 545 546 </ul> 547 548 <p> This feature will be removed because it is too difficult to 549 configure recipient address validation, making Postfix a source of 550 backscatter bounces. </p> 551 552 <p> To specify the domains that Postfix will provide MX backup 553 service for, see <a href="STANDARD_CONFIGURATION_README.html#backup"> 554 Configuring Postfix as primary or backup MX host for a remote 555 site</a>. </p> 556 557 <h3> <a name="reject_maps_rbl"> reject_maps_rbl</a> </h3> 558 559 <p> Depending on the Postfix version, the SMTP daemon logs one of 560 the following warnings: </p> 561 562 <ul> 563 564 <li> support for restriction "reject_maps_rbl" has been removed in 565 Postfix 3.9"; instead, specify "reject_rbl_client domain-name" 566 567 <li> support for restriction "reject_maps_rbl" will be removed from 568 Postfix; use "reject_rbl_client domain-name" instead 569 570 </ul> 571 572 <p> This feature was replaced because "MAPS RBL" is the name of a 573 specific reputation service. The reject_rbl_client feature provides 574 a superset of the reject_maps_rbl functionality. </p> 575 576 <p> Recommended configuration: </p> 577 578 <blockquote> 579 <pre> 580 main.cf: 581 smtpd_recipient_restrictions = 582 permit_mynetworks, 583 permit_sasl_authenticated, 584 reject_unauth_destination 585 reject_rbl_client <i>domain-name</i> 586 ...other restrictions... 587 </pre> 588 </blockquote> 589 590 <p> Where <i>domain-name</i> is the domain name of a DNS reputation service. </p> 591 592 <h3> <a name="permit_naked_ip_address"> permit_naked_ip_address</a> </h3> 593 594 <p> Depending on the Postfix version, the SMTP daemon logs one of 595 the following warnings: </p> 596 597 <ul> 598 599 <li> support for restriction "permit_naked_ip_address" has been 600 removed in Postfix 3.9"; instead, specify "permit_mynetworks" or 601 "permit_sasl_authenticated" 602 603 <li> restriction permit_naked_ip_address is deprecated. Use 604 permit_mynetworks or permit_sasl_authenticated instead 605 606 </ul> 607 608 <p> This feature was removed because it was easy to get a false 609 match when smtpd_recipient_restrictions was intended to match a 610 remote SMTP client IP address. </p> 611 612 <p> Recommended configuration: </p> 613 614 <blockquote> 615 <pre> 616 main.cf: 617 smtpd_recipient_restrictions = 618 permit_mynetworks, 619 permit_sasl_authenticated, 620 reject_unauth_destination 621 reject_rbl_client <i>domain-name</i> 622 ...other restrictions... 623 </pre> 624 </blockquote> 625 626 <p> That is, no restriction on HELO or EHLO syntax. Such restrictions 627 ar rarely useful nowadays. 628 629 </body> 630 631 </html> 632
Indexes created Sat Jun 06 00:24:59 UTC 2026