From 12a8ec36eaae6a4f5fd794d5f57baed73557bc3a Mon Sep 17 00:00:00 2001
From: georglauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Mon, 4 Dec 2023 00:41:03 +0100
Subject: [PATCH] update Postfix configuration

---
 CHANGELOG.md           | 9 +++++++++
 target/postfix/main.cf | 7 ++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cef10d07..a4d7a446 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,15 @@ All notable changes to this project will be documented in this file. The format
 
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
 
+### Breaking
+
+- Postfix
+  - `postscreen_dnsbl_whitelist_threshold` was renamed to `postscreen_dnsbl_allowlist_threshold`: this may affect users that monitor logs affected by this change (<https://www.postfix.org/COMPATIBILITY_README.html#respectful_logging>) ([#3403](https://github.com/docker-mailserver/docker-mailserver/pull/3403))
+  - `compatibility_level` was raised from `2` to `3.6` ([#3403](https://github.com/docker-mailserver/docker-mailserver/pull/3403))
+    - Usage in logging regarding white / black listing has been replaced with allow / deny listing. This may affect monitoring / analysis of logs output from Postfix that expect to match the prior terminology used.
+    - smtpd_relay_restrictions (relay policy) is now evaluated aftersmtpd_recipient_restrictions (spam policy). Previously it was evaluated before smtpd_recipient_restrictions. Mail to be relayed via DMS must now pass through the spam policy first.
+    - TLS fingerprint policy has changed default from MD5 to SHA256 (DMS does not modify this Postfix parameter).
+
 ### Added
 
 - **Dovecot:**
diff --git a/target/postfix/main.cf b/target/postfix/main.cf
index 8c329c94..7d4c74f1 100644
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@@ -75,7 +75,7 @@ postscreen_dnsbl_sites =
     list.dnswl.org=127.0.[0..255].1*-3
     list.dnswl.org=127.0.[0..255].[2..3]*-4
 postscreen_dnsbl_threshold = 3
-postscreen_dnsbl_whitelist_threshold = -1
+postscreen_dnsbl_allowlist_threshold = -1
 postscreen_greet_action = enforce
 postscreen_bare_newline_action = enforce
 
@@ -110,7 +110,4 @@ smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
 # http://www.postfix.org/COMPATIBILITY_README.html
 # If backwards-compaitibilty log messages appear, fix them by explicitly adding
 # the legacy or new default value (alternatively raise the compatibility_level)
-#
-# TODO: The next compatibility_level is 3.6, when Postfix 3.6 is available consider
-# bumping this value after taking the compaitibilty changes into account.
-compatibility_level = 2
+compatibility_level = 3.6