Postfix with IPv6 and TLS

Dean Strik <>

Current version: patch 1.26 for Postfix releases 2.0.20 and 2.1.5.

NEWS: TLS and IPv6 support are incorporated in Postfix snapshot 2.2-20050117. No new 2.2-snapshot patches will be released.

Introduction and history

Even though the Postfix mail system is great, there is a number of features not implemented by the official source code. This includes, for example the possibility of encrypting sessions and authentication using TLS (Transport Layer Security, a version of SSL). Another feature not included in the official source, is IPv6: the next generation of the internet addressing protocol.

Patches to support these (and other features) have been written by others. The author of the great TLS patch is Lutz Jänicke.

In January 2005, the first Postfix 2.2 snapshot with IPv6 support was released. This snapshot incorporateds Dean Strik's IPv6 patch and Lutz Jänicke's TLS patch, both revised by Wietse Venema, author of Postfix.

Back to the IPv6 patch history. The original IPv6 patch was written by Mark Huizer, and then substantially improved by Jun-ichiro 'itojun' Hagino. Since then, we speak of the KAME patch. Unfortunately, the KAME patch was written for KAME/KAME-merged systems. So later on, it was ported to other stacks (notably USAGI) by people of the PLD Linux Distribution PLD. We speak of the PLD patch. A very important feature of the PLD patch was that it can work with Lutz' TLS patch.

Unfortunately, the KAME patch was not kept uptodate with newer Postfix versions. Several people have modified the patch so it would still compile with the later versions, but in many cases the patches were bug-ridden and did not add IPv6 support for newer features of Postfix.

Major changes to network address storage in Postfix were not integrated well. Until version 1.9 of my own derivation (see below), there was no support for IPv6 netmasks/prefixlengths, sometimes causing Postfix to be an open IPv6 relay.

When also the PLD patch wasn't kept uptodate enough for my liking, and several bugs were not addressed because they did not occur with the official PLD distribution, I decided to split off my own version of the patch. This patch would have several goals, not all of which are currently realized:

Now that IPv6 and TLS support have been included into an official Postfix 2.2 snapshot, this patch is close to the end of it's life, with the code part of the Postfix releases. Patches will however still be available for Postfix 2.1.x and, for a while, 2.0.x.


This software is provided "as-is". You are using it at your own risk. I will take no liability in any case.

Supported platforms

Currently, the following platforms are supported by the patch. Of course, it is required that IPv6 is supported by your kernel and system libraries.

Postfix may not work correctly on older versions of these operating systems. If you managed to get things working on another operating system, please let me know. Also, if you find any problems related to the IPv6 patch on one of the above platforms, please mail me a bug report. (Note: Postfix 2.2 snapshots with IPv6 also support IBM's AIX version 5.1 and up).

Latest version

The latest version of the patch is 1.26. The patch is distributed for both Postfix releases and Postfix snapshots. TLS+IPv6 combo patches are available as well as IPv6-only versions. TLS-only patches can be downloaded from Lutz J&aum;nicke's Postfix/TLS page.

Installation and configuration

The patch is distributed as a gzipped context diff (versions older than 1.16a used universal diff, but this was changed due to unidiff limitations).

We assume Postfix is already extracted, to the directory postfix-2.1.5.

  1. Decompress the patch:
    $ gunzip tls+ipv6-1.26-pf-2.1.5.patch.gz
  2. Change directory to the postfix source directory:
    $ cd postfix-2.1.5
  3. Apply the patch:
    $ patch -s -p 1 < ../tls+ipv6-1.26-pf-2.1.5.patch
  4. Build Postfix. The IPv6 patch does not require additional environment variables or arguments to 'make'. To enable TLS, add the flag -DHAS_SSL to the CCARGS make variable. See the TLS documentation for more information.

In theory, no special post-installation configuration of Postfix is required, although you may want to extend the value of the 'mynetworks' parameter to include the IPv6 networks the system is in. Also you can restrict Postfix to use IPv6-only or IPv4-only by changing the 'inet_interfaces' parameter. The parameters regarding IPv6 are documented in the file sample.ipv6 in the samples/ directory.


Here is a list of the most recent changes to the patch. The full ChangeLog can be found here.

Changes in 1.26

Changes in 1.25

Changes in 1.24

Changes in 1.23

For older versions, see the full ChangeLog.


Downloads of the patches are available by HTTP and FTP. Old versions can be found in the FTP tree only.

For ease of download, Postfix tarballs can be downloaded along with the patches.

Current version: 1.26

Patch ChangeLog HTTP FTP
Postfix release 2.1.5  
TLS+IPv6 patch 1.26 (gzipped) HTTP FTP
IPv6-only patch 1.26 (gzipped) HTTP FTP
Postfix source (gzipped tar) HTTP FTP
Postfix release 2.0.20  
TLS+IPv6 patch 1.26 (gzipped) HTTP FTP
IPv6-only patch 1.26 (gzipped) HTTP FTP
Postfix source (gzipped tar) HTTP FTP

Previous versions

Version 1.25 download overview (FTP and HTTP links).

Version 1.24 download overview (FTP and HTTP links).

Version 1.23 download overview (FTP and HTTP links).

Version 1.22 download overview (FTP and HTTP links).

Version 1.21/1.21a download overview (FTP and HTTP links).

Version 1.20 download overview (FTP and HTTP links).

Version 1.19: this version was soon replaced with version 1.20 to fix a bug introduced in 1.19 (see ChangeLog).

Version 1.18/1.18a/1.18b download overview (FTP and HTTP links).

Version 1.17 download overview (FTP and HTTP links).

Version 1.16: this version was soon replaced with version 1.17 as 1.16 introduced a bug that could possibly result in memory corruption in arbitrary places. Please no not use 1.16 but use 1.17 or newer instead.

Version 1.15 download overview (FTP and HTTP links).

Version 1.14 download overview (FTP and HTTP links).

For older versions, please look at the FTP site.

RPMs and other packages

Tuomo Soini provides source RPMs of Postfix with IPv6 support. You can find his Postfix RPM page here.

IPv6 support is also available as an option in Simon J Mudd's Postfix Source RPMs, also available via FTP.

I would be interested in linking to other RPMs and packages.


Dr. Peter Bieringer provides a version of his patch for simple SMTP authentication linked against TLS+IPv6 for Postfix releases.

Mailing lists

The Postfix-IPv6 and Postfix-IPv6-announce lists have been terminated. For questions and discussions, you can use the postfix-users mailing list (see the Postfix website).

Open issues and todo items

The patch comes with an IPv6-ChangeLog file. Please always validate whether you have the latest version. You can always download the latest ChangeLog at

The following 'issues' and todo items are known (none critical):

Of course there may be bugs in the patch. Please report bugs in the patch to Dean Strik. Please be thorough in the report.