main.cf add opendkim support

access

@@ -349,8 +349,14 @@
 #               recipient(s).  When multiple REDIRECT actions fire,
 #               only the last one takes effect.
 # 
-#               Note:  this action overrides the FILTER action, and
+#               Note  1:  this  action overrides the FILTER action,
-#               currently overrides all recipients of the  message.
+#               and currently overrides all recipients of the  mes-
+#               sage.
+# 
+#               Note 2: a REDIRECT address is subject to canonical-
+#               ization (add missing domain)  but  NOT  subject  to
+#               canonical,  masquerade,  bcc, or virtual alias map-
+#               ping.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 

access.sample

@@ -349,8 +349,14 @@
 #               recipient(s).  When multiple REDIRECT actions fire,
 #               only the last one takes effect.
 # 
-#               Note:  this action overrides the FILTER action, and
+#               Note  1:  this  action overrides the FILTER action,
-#               currently overrides all recipients of the  message.
+#               and currently overrides all recipients of the  mes-
+#               sage.
+# 
+#               Note 2: a REDIRECT address is subject to canonical-
+#               ization (add missing domain)  but  NOT  subject  to
+#               canonical,  masquerade,  bcc, or virtual alias map-
+#               ping.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 

aliases

@@ -44,14 +44,20 @@ decode:		root
 # SYNOPSIS
 #        newaliases
 # 
+#        postalias -q name [file-type]:[file-name]
+# 
 # DESCRIPTION
 #        The  optional aliases(5) table (alias_maps) redirects mail
 #        for local recipients. The redirections  are  processed  by
-#        the Postfix local(8) delivery agent.
+#        the  Postfix local(8) delivery agent. This table is always
+#        searched with an email address localpart (no  domain  por-
+#        tion).
 # 
 #        This  is  unlike  virtual(5) aliasing (virtual_alias_maps)
 #        which applies to all recipients:  local(8),  virtual,  and
 #        remote, and which is implemented by the cleanup(8) daemon.
+#        That table is often searched with  a  full  email  address
+#        (including domain).
 # 
 #        Normally, the aliases(5) table is specified as a text file
 #        that serves as input  to  the  postalias(1)  command.  The
@@ -137,7 +143,8 @@ decode:		root
 #        :include:/file/name
 #               Mail is sent to  the  destinations  listed  in  the
 #               named file.  Lines in :include: files have the same
-#               syntax as the right-hand side of alias entries.
+#               syntax  as  the  right-hand  side   of   aliases(5)
+#               entries.
 # 
 #               A  destination  can  be  any  destination  that  is
 #               described in this manual page. However, delivery to
@@ -199,10 +206,13 @@ decode:		root
 #               updated with "newaliases" or with "sendmail -bi".
 # 
 #        alias_maps (see 'postconf -d' output)
-#               Optional lookup tables with aliases that apply only
+#               Optional lookup tables that are searched only  with
-#               to   local(8)   recipients;  this  is  unlike  vir-
+#               an  email  address  localpart  (no domain) and that
-#               tual_alias_maps  that  apply  to  all   recipients:
+#               apply only to local(8) recipients; this  is  unlike
-#               local(8), virtual, and remote.
+#               virtual_alias_maps  that  are often searched with a
+#               full email  address  (including  domain)  and  that
+#               apply  to  all  recipients:  local(8), virtual, and
+#               remote.
 # 
 #        allow_mail_to_commands (alias, forward)
 #               Restrict local(8) mail delivery  to  external  com-

aliases.sample

@@ -44,14 +44,20 @@ decode:		root
 # SYNOPSIS
 #        newaliases
 # 
+#        postalias -q name [file-type]:[file-name]
+# 
 # DESCRIPTION
 #        The  optional aliases(5) table (alias_maps) redirects mail
 #        for local recipients. The redirections  are  processed  by
-#        the Postfix local(8) delivery agent.
+#        the  Postfix local(8) delivery agent. This table is always
+#        searched with an email address localpart (no  domain  por-
+#        tion).
 # 
 #        This  is  unlike  virtual(5) aliasing (virtual_alias_maps)
 #        which applies to all recipients:  local(8),  virtual,  and
 #        remote, and which is implemented by the cleanup(8) daemon.
+#        That table is often searched with  a  full  email  address
+#        (including domain).
 # 
 #        Normally, the aliases(5) table is specified as a text file
 #        that serves as input  to  the  postalias(1)  command.  The
@@ -137,7 +143,8 @@ decode:		root
 #        :include:/file/name
 #               Mail is sent to  the  destinations  listed  in  the
 #               named file.  Lines in :include: files have the same
-#               syntax as the right-hand side of alias entries.
+#               syntax  as  the  right-hand  side   of   aliases(5)
+#               entries.
 # 
 #               A  destination  can  be  any  destination  that  is
 #               described in this manual page. However, delivery to
@@ -199,10 +206,13 @@ decode:		root
 #               updated with "newaliases" or with "sendmail -bi".
 # 
 #        alias_maps (see 'postconf -d' output)
-#               Optional lookup tables with aliases that apply only
+#               Optional lookup tables that are searched only  with
-#               to   local(8)   recipients;  this  is  unlike  vir-
+#               an  email  address  localpart  (no domain) and that
-#               tual_alias_maps  that  apply  to  all   recipients:
+#               apply only to local(8) recipients; this  is  unlike
-#               local(8), virtual, and remote.
+#               virtual_alias_maps  that  are often searched with a
+#               full email  address  (including  domain)  and  that
+#               apply  to  all  recipients:  local(8), virtual, and
+#               remote.
 # 
 #        allow_mail_to_commands (alias, forward)
 #               Restrict local(8) mail delivery  to  external  com-

header_checks

@@ -346,10 +346,15 @@
 #               message is queued, it will be sent to the specified
 #               address instead of the intended recipient(s).
 # 
-#               Note: this action overrides the FILTER action,  and
+#               Note 1: this action overrides  the  FILTER  action,
-#               affects  all recipients of the message. If multiple
+#               and  affects all recipients of the message. If mul-
-#               REDIRECT actions fire, only the last  one  is  exe-
+#               tiple REDIRECT actions fire, only the last  one  is
-#               cuted.
+#               executed.
+# 
+#               Note 2: a REDIRECT address is subject to canonical-
+#               ization (add missing domain)  but  NOT  subject  to
+#               canonical,  masquerade,  bcc, or virtual alias map-
+#               ping.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 

header_checks.sample

@@ -346,10 +346,15 @@
 #               message is queued, it will be sent to the specified
 #               address instead of the intended recipient(s).
 # 
-#               Note: this action overrides the FILTER action,  and
+#               Note 1: this action overrides  the  FILTER  action,
-#               affects  all recipients of the message. If multiple
+#               and  affects all recipients of the message. If mul-
-#               REDIRECT actions fire, only the last  one  is  exe-
+#               tiple REDIRECT actions fire, only the last  one  is
-#               cuted.
+#               executed.
+# 
+#               Note 2: a REDIRECT address is subject to canonical-
+#               ization (add missing domain)  but  NOT  subject  to
+#               canonical,  masquerade,  bcc, or virtual alias map-
+#               ping.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 

main.cf

@@ -725,3 +725,9 @@ smtpd_recipient_restrictions =
 
 meta_directory = /usr/local/libexec/postfix
 shlib_directory = /usr/local/lib/postfix
+
+# opendkim
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = inet:localhost:8891
+non_smtpd_milters = $smtpd_milters

main.cf.default

@@ -168,6 +168,7 @@ fork_delay = 1s
 forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
 forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
 frozen_delivered_to = yes
+full_name_encoding_charset = utf-8
 hash_queue_depth = 1
 hash_queue_names = deferred, defer
 header_address_token_limit = 10240
@@ -313,6 +314,9 @@ lmtp_tls_session_cache_timeout = 3600s
 lmtp_tls_trust_anchor_file =
 lmtp_tls_verify_cert_match = hostname
 lmtp_tls_wrappermode = no
+lmtp_tlsrpt_enable = no
+lmtp_tlsrpt_skip_reused_handshakes = yes
+lmtp_tlsrpt_socket_name =
 lmtp_transport_rate_delay = $default_transport_rate_delay
 lmtp_use_tls = no
 lmtp_xforward_timeout = 300s
@@ -341,9 +345,9 @@ local_transport_rate_delay = $default_transport_rate_delay
 luser_relay =
 mail_name = Postfix
 mail_owner = postfix
-mail_release_date = 20241204
+mail_release_date = 20250710
 mail_spool_directory = /var/mail
-mail_version = 3.9.1
+mail_version = 3.10.3
 mailbox_command =
 mailbox_command_maps =
 mailbox_delivery_lock = flock, dotlock
@@ -653,7 +657,7 @@ smtp_tls_cert_file =
 smtp_tls_chain_files =
 smtp_tls_ciphers = medium
 smtp_tls_connection_reuse = no
-smtp_tls_dane_insecure_mx_policy = ${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}
+smtp_tls_dane_insecure_mx_policy = dane
 smtp_tls_dcert_file =
 smtp_tls_dkey_file = $smtp_tls_dcert_file
 smtp_tls_eccert_file =
@@ -682,6 +686,9 @@ smtp_tls_session_cache_timeout = 3600s
 smtp_tls_trust_anchor_file =
 smtp_tls_verify_cert_match = hostname
 smtp_tls_wrappermode = no
+smtp_tlsrpt_enable = no
+smtp_tlsrpt_skip_reused_handshakes = yes
+smtp_tlsrpt_socket_name =
 smtp_transport_rate_delay = $default_transport_rate_delay
 smtp_use_tls = no
 smtp_xforward_timeout = 300s
@@ -720,6 +727,7 @@ smtpd_forbidden_commands = CONNECT GET POST regexp:{{/^[^A-Z]/ Bogus}}
 smtpd_hard_error_limit = ${stress?{1}:{20}}
 smtpd_helo_required = no
 smtpd_helo_restrictions =
+smtpd_hide_client_session = no
 smtpd_history_flush_threshold = 100
 smtpd_junk_command_limit = ${stress?{1}:{100}}
 smtpd_log_access_permit_actions =
@@ -805,6 +813,7 @@ smtpd_upstream_proxy_timeout = 5s
 smtpd_use_tls = no
 smtputf8_autodetect_classes = sendmail, verify
 smtputf8_enable = ${{$compatibility_level} <level {1} ? {no} : {yes}}
+socketmap_max_reply_size = 100000
 soft_bounce = no
 stale_lock_time = 500s
 stress =
@@ -826,7 +835,7 @@ tls_config_name =
 tls_daemon_random_bytes = 32
 tls_dane_digests = sha512 sha256
 tls_disable_workarounds =
-tls_eecdh_auto_curves = X25519 X448 prime256v1 secp521r1 secp384r1
+tls_eecdh_auto_curves = X25519 X448 prime256v1 secp384r1 secp521r1
 tls_eecdh_strong_curve = prime256v1
 tls_eecdh_ultra_curve = secp384r1
 tls_export_cipherlist =
@@ -843,6 +852,7 @@ tls_random_exchange_name = ${data_directory}/prng_exch
 tls_random_prng_update_period = 3600s
 tls_random_reseed_period = 3600s
 tls_random_source = dev:/dev/urandom
+tls_required_enable = yes
 tls_server_sni_maps =
 tls_session_ticket_cipher = aes-256-cbc
 tls_ssl_options =

main.cf.sample

@@ -9,7 +9,7 @@
 # For common configuration examples, see BASIC_CONFIGURATION_README
 # and STANDARD_CONFIGURATION_README. To find these documents, use
 # the command "postconf html_directory readme_directory", or go to
-# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
+# https://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
 #
 # For best results, change no more than 2-3 parameters at a time,
 # and test if Postfix still works after every change.
@@ -31,7 +31,7 @@
 #
 # The level below is what should be used with new (not upgrade) installs.
 #
-compatibility_level = 3.9
+compatibility_level = 3.10
 
 # SOFT BOUNCE
 #
@@ -685,5 +685,5 @@ inet_protocols = all
 
 # smtp CA path (default to system-wide location)
 smtp_tls_CApath = /etc/ssl/certs
-shlib_directory = /usr/local/lib/postfix
 meta_directory = /usr/local/libexec/postfix
+shlib_directory = /usr/local/lib/postfix

master.cf.sample

@@ -1,7 +1,7 @@
 #
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master" or
-# on-line: http://www.postfix.org/master.5.html).
+# on-line: https://www.postfix.org/master.5.html).
 #
 # Do not forget to execute "postfix reload" after editing this file.
 #
@@ -18,10 +18,12 @@ smtp      inet  n       -       n       -       -       smtpd
 #127.0.0.1:submission inet n -   n       -       -       smtpd
 #submission inet n       -       n       -       -       smtpd
 #  -o syslog_name=postfix/submission
+#  -o smtpd_forbid_unauth_pipelining=no
 #  -o smtpd_tls_security_level=encrypt
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_tls_auth_only=yes
 #  -o local_header_rewrite_clients=static:all
+#  -o smtpd_hide_client_session=yes
 #  -o smtpd_reject_unlisted_recipient=no
 #     Instead of specifying complex smtpd_<xxx>_restrictions here,
 #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
@@ -37,9 +39,11 @@ smtp      inet  n       -       n       -       -       smtpd
 #127.0.0.1:submissions inet n  -       n       -       -       smtpd
 #submissions     inet  n       -       n       -       -       smtpd
 #  -o syslog_name=postfix/submissions
+#  -o smtpd_forbid_unauth_pipelining=no
 #  -o smtpd_tls_wrappermode=yes
 #  -o smtpd_sasl_auth_enable=yes
 #  -o local_header_rewrite_clients=static:all
+#  -o smtpd_hide_client_session=yes
 #  -o smtpd_reject_unlisted_recipient=no
 #     Instead of specifying complex smtpd_<xxx>_restrictions here,
 #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"

virtual

@@ -14,10 +14,12 @@
 #        The  optional  virtual(5) alias table (virtual_alias_maps)
 #        applies to all recipients: local(8), virtual, and  remote.
 #        This feature is implemented in the Postfix cleanup(8) dae-
-#        mon before mail is queued.
+#        mon before mail is queued.  These tables are often queried
+#        with a full email address (including domain).
 # 
 #        This  is  unlike  the  aliases(5) table (alias_maps) which
-#        applies only to local(8) recipients.
+#        applies only to local(8) recipients. That  table  is  only
+#        queried with the email address localpart (no domain).
 # 
 #        Virtual  aliasing is recursive; to terminate recursion for
 #        a specific address, alias that address to itself.
@@ -256,10 +258,12 @@
 #        command after a configuration change.
 # 
 #        virtual_alias_maps ($virtual_maps)
-#               Optional lookup tables with aliases that  apply  to
+#               Optional lookup tables that are often searched with
-#               all recipients: local(8), virtual, and remote; this
+#               a  full  email  address (including domain) and that
-#               is unlike alias_maps that apply  only  to  local(8)
+#               apply to all  recipients:  local(8),  virtual,  and
-#               recipients.
+#               remote;  this  is  unlike  alias_maps that are only
+#               searched  with  an  email  address  localpart   (no
+#               domain) and that apply only to local(8) recipients.
 # 
 #        virtual_alias_domains ($virtual_alias_maps)
 #               Postfix is the final destination for the  specified

virtual.sample

@@ -14,10 +14,12 @@
 #        The  optional  virtual(5) alias table (virtual_alias_maps)
 #        applies to all recipients: local(8), virtual, and  remote.
 #        This feature is implemented in the Postfix cleanup(8) dae-
-#        mon before mail is queued.
+#        mon before mail is queued.  These tables are often queried
+#        with a full email address (including domain).
 # 
 #        This  is  unlike  the  aliases(5) table (alias_maps) which
-#        applies only to local(8) recipients.
+#        applies only to local(8) recipients. That  table  is  only
+#        queried with the email address localpart (no domain).
 # 
 #        Virtual  aliasing is recursive; to terminate recursion for
 #        a specific address, alias that address to itself.
@@ -256,10 +258,12 @@
 #        command after a configuration change.
 # 
 #        virtual_alias_maps ($virtual_maps)
-#               Optional lookup tables with aliases that  apply  to
+#               Optional lookup tables that are often searched with
-#               all recipients: local(8), virtual, and remote; this
+#               a  full  email  address (including domain) and that
-#               is unlike alias_maps that apply  only  to  local(8)
+#               apply to all  recipients:  local(8),  virtual,  and
-#               recipients.
+#               remote;  this  is  unlike  alias_maps that are only
+#               searched  with  an  email  address  localpart   (no
+#               domain) and that apply only to local(8) recipients.
 # 
 #        virtual_alias_domains ($virtual_alias_maps)
 #               Postfix is the final destination for the  specified