[pfx] Re: What features to deprecate

Tue, 13 Feb 2024 09:48:54 -0800 

On Tue, Feb 13, 2024 at 12:23:32PM -0500, Wietse Venema via Postfix-users wrote:

> Over 25 years, Postfix has accumulated some features that 
> are essentially obsolete.
> 
> - permit_mx_backup is fundamentally incompatible with recipient
> address validation. There is no way to work around that with
> reject_unverified_recipient, because that requires that a domain
> is reachable, and in that case permit_mx_backup is not needed.
> Log a deprecation warning with compatibility_levels>=3.9.
> 
> - masquerade_domains complicates table-driven address validation.
> Log a deprecation warning with compatibility_levels>=3.9.
> 
> - disable_dns_lookups can be migrated to smtp_dns_support_level
> which implements a superset of the functionality. Log a deprecation
> warning with compatibility_levels>=3.9.
> 
> What else needs to go?

Obsoleted by TLS security levels:

    - lmtp_enforce_tls
    - lmtp_use_tls
    - postscreen_enforce_tls
    - postscreen_use_tls
    - smtp_enforce_tls
    - smtp_use_tls
    - smtpd_enforce_tls
    - smtpd_use_tls
    - tlsproxy_client_enforce_tls
    - tlsproxy_client_use_tls
    - tlsproxy_enforce_tls
    - tlsproxy_use_tls

Obsoleted by TLS policy maps:

    - lmtp_tls_per_site
    - smtp_tls_per_site
    - tlsproxy_client_per_site

Obsoleted by automatic negotiation in the SSL code:

    - smtpd_tls_dh1024_param_file = auto
    - smtpd_tls_eecdh_grade = auto

[ We could delete the underlying support code for the explicit choices,
  and always use 'auto' with a warning if the configuration specifies
  a different choice.  Mind you, automatic DH group negotiation is
  prone to choosing largish > 2048-bit groups, when the server will sign
  with a large RSA private key, but this feels somewhat justifiable. ]

Perhaps more controversial:

    - parent_domains_matches_subdomains

This should IMHO be empty, with all parent-domain rules being explicit.
Its convenience is offset by not entirely infrequent user confusion
about where ".domain" is required (transport(5) table) and where it is
not by default (access(5) table).

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to