Almost a year after its previous 3.9 release, the latest stable version of the widely adopted mail transport agent (MTA) Postfix, 3.10, is out. In light of this, the older Postfix 3.6 will no longer receive maintenance releases.
Moreover, after the upgrade to 3.10, administrators should be aware of an internal protocol change requiring a “postfix reload” or a full restart to ensure the new delivery agent protocol functions correctly. Now, to the novelties.
One of the most significant highlights of Postfix 3.10 is its forward compatibility with OpenSSL 3.5 post-quantum cryptography. Administrators can manage algorithm selection directly through the new “tls_eecdh_auto_curves” and “tls_ffdhe_auto_groups” parameters. By setting these parameter values to empty, Postfix effectively defers the algorithm selection to OpenSSL’s own configuration.
In addition, the release includes support for the RFC 8689 “TLS-Required: no” message header. This feature makes it possible to request delivery of certain emails, such as TLSRPT summaries, even if the ideal TLS security settings cannot be enforced.
A major new capability also arrives with added support for the TLSRPT protocol. By publishing a specific policy in DNS, a domain can receive daily summaries of successful and failed TLS connections to that domain’s mail servers. This is especially useful for domains leveraging DANE or MTA-STS to protect email security.
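As an added example (not code from Postfix or from the original article), the following Python code checks the TXT records a domain publishes at `_smtp._tls.<domain>` against the TLSRPT policy syntax of RFC 8460: the version tag comes first, at least one `rua=` report URI with a `mailto:` or `https:` scheme is present, and the domain publishes exactly one such record. The function names are hypothetical and the sample records are constructed for a placeholder domain.

```python
# Added example: check the TXT records a domain publishes at _smtp._tls.<domain>
# against the TLSRPT policy syntax of RFC 8460. Function names are hypothetical.
from urllib.parse import urlsplit

VERSION = "v=TLSRPTv1"

def parse_tlsrpt_record(record):
    """Return the rua report URIs of one TLSRPT record, or raise ValueError."""
    fields = [f.strip() for f in record.split(";")]
    if fields[-1] == "":              # a trailing ";" is allowed
        fields.pop()
    if not fields or fields[0] != VERSION:
        raise ValueError("record must begin with v=TLSRPTv1")
    uris = []
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not name or not sep:
            raise ValueError("malformed field: %r" % field)
        if name != "rua":
            continue                  # unknown extension fields are skipped
        for uri in (u.strip() for u in value.split(",")):
            parts = urlsplit(uri)
            if parts.scheme == "mailto" and "@" in parts.path:
                uris.append(uri)
            elif parts.scheme == "https" and parts.netloc:
                uris.append(uri)
            else:
                raise ValueError("unsupported report URI: %r" % uri)
    if not uris:
        raise ValueError("no rua= field with a report URI")
    return uris

def select_policy(txt_records):
    """Pick the domain's policy; None when it does not publish exactly one."""
    candidates = [r for r in txt_records if r.split(";")[0].strip() == VERSION]
    if len(candidates) != 1:
        return None
    return parse_tlsrpt_record(candidates[0])

if __name__ == "__main__":
    # Constructed sample TXT set for a placeholder domain.
    sample = ["v=spf1 -all",
              "v=TLSRPTv1; rua=mailto:tlsrpt@example.com, https://reports.example.net/v1/tlsrpt;"]
    print(select_policy(sample))
```

A domain that publishes two TLSRPT records by mistake gets `None` here, which mirrors how reporting senders treat it: as a domain with no policy, so no summaries arrive.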
On the privacy front, Postfix 3.10 introduces a new setting called “smtpd_hide_client_session”, which suppresses client session details in “Received:” headers. This option is expected to be particularly valuable for mail user agent submission services.
The new version also addresses non-ASCII character handling by adding support for RFC 2047 encoding in the “From:” headers. As a result, Postfix can encode full names that contain non-ASCII characters, avoiding potential compatibility issues with mail servers that do not support SMTPUTF8.
For those using MySQL or PostgreSQL databases, the latest release optimizes database performance by immediately reconnecting to a load balancer after a single failure rather than waiting 60 seconds.
Lastly, administrators will appreciate the enhanced logging features in Postfix 3.10. For instance, the Milter implementation logs the specific reason for a quarantine action instead of issuing the generic “milter triggers HOLD action”.
The SMTP server also logs queue IDs more consistently when connections end unexpectedly, simplifying log analysis. Additionally, log messages related to Dovecot SASL now display the exact authentication mechanism that failed, providing better troubleshooting details.
For more details on all changes, see the announcement.