<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<title>Postfix DSN Support </title>

<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">

</head>

<body>

<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
DSN Support </h1>

<hr>

<h2>Introduction</h2>

<p> Postfix version 2.3 introduces support for Delivery Status
Notifications as described in RFC 3464. This gives senders control
over successful and failed delivery notifications.  </p>

<p> Specifically, DSN support gives an email sender the ability to
specify: </p>

<ul>

<li> <p> What notifications are sent: success, failure, delay, or
none. Normally, Postfix informs the sender only when mail delivery
is delayed or when delivery fails.  </p>

<li> <p> What content is returned in case of failure: only the
message headers, or the full message. </p>

<li> <p> An envelope ID that is returned as part of delivery status
notifications. This identifies the message <i>submission</i>
transaction, and must not be confused with the message ID, which
identifies the message <i>content</i>. </p>

</ul>

<p> The implementation of DSN support involves extra parameters to
the SMTP MAIL FROM and RCPT TO commands, as well as two Postfix
sendmail command line options that provide a subset of the functions
of the extra SMTP command parameters. </p>

<p> This document has information on the following topics: </p>

<ul>

<li> <a href="#scope">Restricting the scope of "success" notifications</a>

<li> <a href="#cli">Postfix sendmail command-line interface</a>

<li> <a href="#compat">Postfix VERP support compatibility</a>

</ul>

<h2> <a name="scope">Restricting the scope of "success" notifications</a> </h2>

<p> Just like reports of undeliverable mail, DSN reports of
<i>successful</i> delivery can give away more information about the
internal infrastructure than desirable.  Unfortunately, disallowing
"success" notification requests requires disallowing other DSN
requests as well. The RFCs do not offer the option to negotiate
feature subsets. </p>

<p> This is not as bad as it sounds. When you turn off DSN for
remote inbound mail, remote senders with DSN support will still be
informed that their mail reached your Postfix gateway successfully;
they just will not get successful delivery notices from your internal
systems. Remote senders lose very little: they can no longer specify
how Postfix should report delayed or failed delivery.  </p>

<p> Use the smtpd_discard_ehlo_keyword_address_maps feature if you
wish to allow DSN requests from trusted clients but not from random
strangers (see below for how to turn this off for all clients):
</p>

<blockquote>
<pre>
/etc/postfix/main.cf:
    smtpd_discard_ehlo_keyword_address_maps =
        cidr:/etc/postfix/esmtp_access

/etc/postfix/esmtp_access:
    # Allow DSN requests from local subnet only
    192.168.0.0/28      silent-discard
    0.0.0.0/0           silent-discard, dsn
    ::/0                silent-discard, dsn
</pre>
</blockquote>
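
<p> Added example, not part of the Postfix documentation: a Python
check that evaluates the esmtp_access table above the way a cidr:
table is searched (patterns in file order, first match wins) and
reports which clients still see DSN in the EHLO response. The client
addresses and function names are constructed for illustration, and
only plain "network result" lines are handled. </p>

```python
import ipaddress

# The page's /etc/postfix/esmtp_access table, embedded so the check runs offline.
ESMTP_ACCESS = """\
# Allow DSN requests from local subnet only
192.168.0.0/28      silent-discard
0.0.0.0/0           silent-discard, dsn
::/0                silent-discard, dsn
"""

def parse_cidr_table(text):
    """Return [(network, discarded_keywords)] in file order.

    Assumption: only plain "network result" lines (no if/endif, no negation).
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        keywords = {k.lower() for k in result.replace(",", " ").split()}
        rules.append((ipaddress.ip_network(pattern), keywords))
    return rules

def dsn_offered(rules, client):
    """First matching pattern wins; DSN stays in EHLO unless 'dsn' is discarded."""
    addr = ipaddress.ip_address(client)
    for net, keywords in rules:
        if addr.version == net.version and addr in net:
            return "dsn" not in keywords
    return True  # no match: this table discards nothing for the client

def shadowed_rules(rules):
    """Networks that can never match because an earlier entry already covers them."""
    dead = []
    for i, (net, _) in enumerate(rules):
        if any(p.version == net.version and net.subnet_of(p) for p, _ in rules[:i]):
            dead.append(str(net))
    return dead

RULES = parse_cidr_table(ESMTP_ACCESS)

if __name__ == "__main__":
    # Constructed sample client addresses (one inside the /28, three outside).
    for ip in ("192.168.0.5", "192.168.0.20", "203.0.113.9", "2001:db8::1"):
        print(ip, "DSN offered" if dsn_offered(RULES, ip) else "DSN hidden")
    print("shadowed entries:", shadowed_rules(RULES))
```

<p> Note that 192.168.0.20 lies outside the /28 and is treated like
any other stranger, and that moving the 0.0.0.0/0 line above the
local subnet would shadow it and hide DSN from trusted clients as
well. </p>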

<p> If you want to disallow all use of DSN requests from the network,
use the smtpd_discard_ehlo_keywords feature: </p>

<blockquote>
<pre>
/etc/postfix/main.cf:
    smtpd_discard_ehlo_keywords = silent-discard, dsn
</pre>
</blockquote>

<h2> <a name="cli">Postfix sendmail command-line interface</a> </h2>

<p> Postfix has two Sendmail-compatible command-line options for
DSN support. </p>

<ul>

<li> <p>  The first option specifies what notifications are sent
for mail that is submitted via the Postfix sendmail(1) command line:
</p>

<blockquote>
<pre>
$ <b>sendmail -N success,delay,failure ...</b> (one or more of these)
$ <b>sendmail -N never ...</b>                 (or just this by itself)
</pre>
</blockquote>

<p> The built-in default corresponds with "delay,failure". </p>

<li> <p> The second option specifies an envelope ID which is reported
in delivery status notifications for mail that is submitted via the
Postfix sendmail(1) command line: </p>

<blockquote>
<pre>
$ <b>sendmail -V <i>envelope-id</i> ...</b>
</pre>
</blockquote>

<p> Note: this conflicts with VERP support in older Postfix versions,
as discussed in the next section. </p>

</ul>

<h2> <a name="compat">Postfix VERP support compatibility</a> </h2>

<p> With Postfix versions before 2.3, the sendmail(1) command uses
the -V command-line option to request VERP-style delivery.  In order
to request VERP style delivery with Postfix 2.3 and later, you must
specify -XV instead of -V. </p>

<p> The Postfix 2.3 sendmail(1) command will recognize if you try
to use -V for VERP-style delivery.  It will do the right thing and
will remind you of the new syntax. </p>

</body>

</html>
