OpenSSL in the Postfix MTA
The Postfix MTA supports SMTP over TLS both as a server (inbound) and as a client (outbound). Postfix makes extensive use of the OpenSSL TLS API: of its approximately 166k lines of code, around 12k are TLS-related.

Multiple security models are available, either as the default or as per-destination options:

* cleartext ("none")
* opportunistic TLS ("may")
* unauthenticated mandatory TLS ("encrypt")
* pinned key/certificate digests ("fingerprint")
* opportunistic DANE TLS ("dane")
* mandatory DANE TLS ("dane-only")
* mandatory PKIX TLS ("secure")

Advanced features include:

* explicit initialisation with a non-default configuration file and/or application name
* cross-process connection reuse
* cross-process external session cache (primarily for clients)
* ticket-based session resumption for servers, with regular rollover of the session ticket encryption key
* per-destination trust anchors
* multi-valued hostname checks
* SNI-based key pair selection

The DANE support in OpenSSL originated as code in Postfix; as part of that work the X.509 certificate chain verification code was substantially cleaned up and extended. Other minor changes have also originated in Postfix over the years.
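The security levels and client/server features listed above, expressed as Postfix configuration. This is an added illustrative example, not taken from the talk or from Postfix's own documentation; the parameter names are Postfix's (some, such as smtpd_tls_chain_files and tls_server_sni_maps, exist only in recent releases, which the page does not specify), while the domains, file paths and the certificate digest are constructed placeholders.

```ini
# ---- /etc/postfix/main.cf (excerpt) ---------------------------------------
# Outbound (client) default level. The built-in default "none" is cleartext
# only. "may" is opportunistic TLS: it falls back to cleartext and accepts
# any certificate, so it defends against passive capture but not against an
# active downgrade or MITM. "dane" upgrades to authenticated TLS whenever the
# destination publishes DNSSEC-signed TLSA records and otherwise acts like
# "may". DANE needs validated DNS answers, hence smtp_dns_support_level.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
# Trust anchors used by the "secure" level (a per-destination trust anchor
# file can be given in the policy table with tafile= instead).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Digest algorithm used by the "fingerprint" level.
smtp_tls_fingerprint_digest = sha256
# Per-destination overrides (table below).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Client-side external session cache shared across smtp(8) processes.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Inbound (server): offer TLS but never require it, so remote MTAs that
# cannot negotiate TLS still deliver mail. Two key/cert pairs, selected by
# SNI via tls_server_sni_maps; constructed paths.
smtpd_tls_security_level = may
smtpd_tls_chain_files = /etc/postfix/rsa.pem, /etc/postfix/ecdsa.pem
tls_server_sni_maps = hash:/etc/postfix/sni_map

# ---- /etc/postfix/tls_policy (build with: postmap /etc/postfix/tls_policy) --
# key = next-hop destination, value = security level [attributes]

# Mandatory DANE: fail closed when TLSA records are missing or unusable.
dane.example            dane-only

# Mandatory PKIX: CA-verified chain plus a hostname match on the listed
# names (multi-valued hostname check).
partner.example         secure match=.partner.example:partner.example

# Pinned certificate or public-key digest; the value below is a constructed
# placeholder, not a real digest.
legacy.example          fingerprint match=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff

# Encrypt without authenticating the peer (stops passive capture only).
relay.example           encrypt

# Explicit opt-out for a destination that cannot negotiate TLS at all.
plainonly.example       none
```

Postfix main.cf and lookup tables do not support inline comments, so every comment above sits on its own line; the policy table must be rebuilt with postmap after each edit.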