POSTCONF(5)                   File Formats Manual                  POSTCONF(5)

NAME

       postconf - Postfix configuration parameters

SYNOPSIS

       postconf parameter ...

       postconf -e "parameter=value" ...

DESCRIPTION

       The Postfix main.cf configuration file specifies a small subset of all
       the parameters that control the operation of the Postfix mail system.
       Parameters not specified in main.cf are left at their default values.

       The general format of the main.cf file is as follows:

       ·      Each logical line has the form "parameter = value". Whitespace
              around the "=" is ignored, as is whitespace at the end of a
              logical line.

       ·      Empty lines and whitespace-only lines are ignored, as are lines
              whose first non-whitespace character is a `#'.

       ·      A logical line starts with non-whitespace text. A line that
              starts with whitespace continues a logical line.

       ·      A parameter value may refer to other parameters.

              ·      The expressions "$name", "${name}" or "$(name)" are
                     recursively replaced by the value of the named parameter.

              ·      The expression "${name?value}" expands to "value" when
                     "$name" is non-empty. This form is supported with Postfix
                     version 2.2 and later.

              ·      The expression "${name:value}" expands to "value" when
                     "$name" is empty. This form is supported with Postfix
                     version 2.2 and later.

              ·      Specify "$$" to produce a single "$" character.

       ·      When the same parameter is defined multiple times, only the last
              instance is remembered.

       ·      Otherwise, the order of main.cf parameter definitions does not
              matter.
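       The format rules above, as an added example that is not part of the
       Postfix documentation or source: a small Python reader that applies
       the logical-line and "$name" expansion rules to a constructed sample.
       Assumptions: undefined parameters expand to an empty string, a
       conditional whose test fails expands to nothing, and expansion depth
       is capped; banner_note and tls_note are hypothetical parameter names.

```python
import re

MAX_DEPTH = 20  # assumption: guard against self-referencing parameters
_NAME = re.compile(r"\w+")
_REF_BODY = re.compile(r"(\w+)(?:([?:])(.*))?$", re.S)

# Constructed sample; banner_note and tls_note are hypothetical names.
SAMPLE = """\
# comment lines and blank lines are ignored

mydomain = example.com
myorigin = $mydomain
relay_domains = $mydomain,
    backup.${mydomain}
banner_note = cost: $$5 ${tls_note?(TLS: $tls_note)}${tls_note:(no TLS note)}
tls_note =
myorigin = mail.$(mydomain)
"""


def parse_main_cf(text):
    """Return {parameter: unexpanded value}; the last definition wins."""
    logical, current = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # empty, whitespace-only or comment
        if raw[0].isspace():              # leading whitespace: continuation
            if current is None:
                raise ValueError("continuation line without a logical line")
            current += " " + stripped
        else:
            if current is not None:
                logical.append(current)
            current = stripped
    if current is not None:
        logical.append(current)
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("missing '=' in %r" % line)
        params[name.strip()] = value.strip()
    return params


def _find_close(value, start, open_ch, close_ch):
    """Index of the delimiter that closes the one at value[start]."""
    level = 0
    for j in range(start, len(value)):
        if value[j] == open_ch:
            level += 1
        elif value[j] == close_ch:
            level -= 1
            if level == 0:
                return j
    raise ValueError("unbalanced %r in %r" % (open_ch, value))


def _expand_ref(body, params, depth):
    match = _REF_BODY.match(body)
    if not match:
        raise ValueError("bad parameter reference %r" % body)
    name, op, alt = match.groups()
    current = expand(params.get(name, ""), params, depth + 1)
    if op == "?":                         # ${name?value}: $name non-empty
        return expand(alt, params, depth + 1) if current else ""
    if op == ":":                         # ${name:value}: $name empty
        return expand(alt, params, depth + 1) if not current else ""
    return current


def expand(value, params, depth=0):
    """Recursively replace $name, ${name}, $(name), conditionals and $$."""
    if depth > MAX_DEPTH:
        raise ValueError("expansion too deep (self-reference?)")
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        nxt = value[i + 1] if i + 1 < len(value) else ""
        if ch != "$" or not nxt:
            out.append(ch)
            i += 1
        elif nxt == "$":                  # "$$" produces one "$"
            out.append("$")
            i += 2
        elif nxt in "{(":
            end = _find_close(value, i + 1, nxt, "}" if nxt == "{" else ")")
            out.append(_expand_ref(value[i + 2:end], params, depth))
            i = end + 1
        else:
            match = _NAME.match(value, i + 1)
            if match:
                out.append(_expand_ref(match.group(0), params, depth))
                i = match.end()
            else:
                out.append(ch)
                i += 1
    return "".join(out)


def effective_config(text):
    """Parse main.cf text and return every parameter fully expanded."""
    params = parse_main_cf(text)
    return {name: expand(value, params) for name, value in params.items()}
```

       Because only the last definition is kept, reviewing the expanded
       result rather than the raw file shows which value is actually in
       force when a parameter is set more than once.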
       The remainder of this document is a description of all Postfix
       configuration parameters. Default values are shown after the parameter
       name in parentheses, and can be looked up with the "postconf -d"
       command.

       Note: this is not an invitation to make changes to Postfix
       configuration parameters. Unnecessary changes can impair the operation
       of the mail system.

2bounce_notice_recipient (default: postmaster)

       The recipient of undeliverable mail that cannot be returned to the
       sender. This feature is enabled with the notify_classes parameter.

access_map_defer_code (default: 450)

       The numerical Postfix SMTP server response code for an access(5) map
       "defer" action, including "defer_if_permit" or "defer_if_reject". Prior
       to Postfix 2.6, the response is hard-coded as "450".

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.6 and later.

access_map_reject_code (default: 554)

       The numerical Postfix SMTP server response code for an access(5) map
       "reject" action.

       Do not change this unless you have a complete understanding of RFC
       5321.

address_verify_cache_cleanup_interval (default: 12h)

       The amount of time between verify(8) address verification database
       cleanup runs. This feature requires that the database supports the
       "delete" and "sequence" operators. Specify a zero interval to disable
       database cleanup.

       After each database cleanup run, the verify(8) daemon logs the number
       of entries that were retained and dropped. A cleanup run is logged as
       "partial" when the daemon terminates early after "postfix reload",
       "postfix stop", or no requests for $max_idle seconds.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.7.

address_verify_default_transport (default: $default_transport)

       Overrides the default_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_local_transport (default: $local_transport)

       Overrides the local_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_map (default: see postconf -d output)

       Lookup table for persistent address verification status storage. The
       table is maintained by the verify(8) service, and is opened before the
       process releases privileges.

       The lookup table is persistent by default (Postfix 2.7 and later).
       Specify an empty table name to keep the information in volatile memory
       which is lost after "postfix reload" or "postfix stop". This is the
       default with Postfix version 2.6 and earlier.

       Specify a location in a file system that will not fill up. If the
       database becomes corrupted, the world comes to an end. To recover,
       delete (NOT: truncate) the file and do "postfix reload".

       Postfix daemon processes do not use root privileges when opening this
       file (Postfix 2.5 and later). The file must therefore be stored under
       a Postfix-owned directory such as the data_directory. As a migration
       aid, an attempt to open the file under a non-Postfix directory is
       redirected to the Postfix-owned data_directory, and a warning is
       logged.

       Examples:

       address_verify_map = hash:/var/lib/postfix/verify
       address_verify_map = btree:/var/lib/postfix/verify

       This feature is available in Postfix 2.1 and later.

address_verify_negative_cache (default: yes)

       Enable caching of failed address verification probe results. When this
       feature is enabled, the cache may pollute quickly with garbage. When
       this feature is disabled, Postfix will generate an address probe for
       every lookup.

       This feature is available in Postfix 2.1 and later.

address_verify_negative_expire_time (default: 3d)

       The time after which a failed probe expires from the address
       verification cache.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_negative_refresh_time (default: 3h)

       The time after which a failed address verification probe needs to be
       refreshed.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_poll_count (default: normal: 3, overload: 1)

       How many times to query the verify(8) service for the completion of an
       address verification request in progress.

       By default, the Postfix SMTP server polls the verify(8) service up to
       three times under non-overload conditions, and only once when under
       overload. With Postfix version 2.5 and earlier, the SMTP server always
       polls the verify(8) service up to three times by default.

       Specify 1 to implement a crude form of greylisting, that is, always
       defer the first delivery request for a new address.

       Examples:

       # Postfix <= 2.6 default
       address_verify_poll_count = 3
       # Poor man's greylisting
       address_verify_poll_count = 1

       This feature is available in Postfix 2.1 and later.

address_verify_poll_delay (default: 3s)

       The delay between queries for the completion of an address verification
       request in progress.

       The default polling delay is 3 seconds.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_positive_expire_time (default: 31d)

       The time after which a successful probe expires from the address
       verification cache.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_positive_refresh_time (default: 7d)

       The time after which a successful address verification probe needs to
       be refreshed. The address verification status is not updated when the
       probe fails (optimistic caching).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_relay_transport (default: $relay_transport)

       Overrides the relay_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_relayhost (default: $relayhost)

       Overrides the relayhost parameter setting for address verification
       probes. This information can be overruled with the transport(5) table.

       This feature is available in Postfix 2.1 and later.

address_verify_sender (default: $double_bounce_sender)

       The sender address to use in address verification probes; prior to
       Postfix 2.5 the default was "postmaster". To avoid problems with
       address probes that are sent in response to address probes, the Postfix
       SMTP server excludes the probe sender address from all SMTPD access
       blocks.

       Specify an empty value (address_verify_sender =) or <> if you want to
       use the null sender address. Beware, some sites reject mail from <>,
       even though RFCs require that such addresses be accepted.

       Examples:

       address_verify_sender = <>
       address_verify_sender = postmaster@my.domain

       This feature is available in Postfix 2.1 and later.

address_verify_sender_dependent_default_transport_maps (default: $sender_dependent_default_transport_maps)

       Overrides the sender_dependent_default_transport_maps parameter setting
       for address verification probes.

       This feature is available in Postfix 2.7 and later.

address_verify_sender_dependent_relayhost_maps (default: $sender_dependent_relayhost_maps)

       Overrides the sender_dependent_relayhost_maps parameter setting for
       address verification probes.

       This feature is available in Postfix 2.3 and later.

address_verify_sender_ttl (default: 0s)

       The time between changes in the time-dependent portion of address
       verification probe sender addresses. The time-dependent portion is
       appended to the localpart of the address specified with the
       address_verify_sender parameter. This feature is ignored when the
       probe sender address is the null sender, i.e. the
       address_verify_sender value is empty or <>.

       Historically, the probe sender address was fixed. This has caused such
       addresses to end up on spammer mailing lists, and has resulted in
       wasted network and processing resources.

       To enable time-dependent probe sender addresses, specify a non-zero
       time value (an integral value plus an optional one-letter suffix that
       specifies the time unit). Specify a value of at least several hours,
       to avoid problems with senders that use greylisting. Avoid nice TTL
       values, to make the result less predictable. Time units are: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.9 and later.

address_verify_service_name (default: verify)

       The name of the verify(8) address verification service. This service
       maintains the status of sender and/or recipient address verification
       probes, and generates probes on request by other Postfix processes.

address_verify_transport_maps (default: $transport_maps)

       Overrides the transport_maps parameter setting for address verification
       probes.

       This feature is available in Postfix 2.1 and later.

address_verify_virtual_transport (default: $virtual_transport)

       Overrides the virtual_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

alias_database (default: see postconf -d output)

       The alias databases for local(8) delivery that are updated with
       "newaliases" or with "sendmail -bi".

       This is a separate configuration parameter because not all the tables
       specified with $alias_maps have to be local files.

       Examples:

       alias_database = hash:/etc/aliases
       alias_database = hash:/etc/mail/aliases

alias_maps (default: see postconf -d output)

       The alias databases that are used for local(8) delivery. See aliases(5)
       for syntax details.

       The default list is system dependent. On systems with NIS, the default
       is to search the local alias database, then the NIS alias database.

       If you change the alias database, run "postalias /etc/aliases" (or
       wherever your system stores the mail alias file), or simply run
       "newaliases" to build the necessary DBM or DB file.

       The local(8) delivery agent disallows regular expression substitution
       of $1 etc. in alias_maps, because that would open a security hole.

       The local(8) delivery agent will silently ignore requests to use the
       proxymap(8) server within alias_maps. Instead it will open the table
       directly. Before Postfix version 2.2, the local(8) delivery agent will
       terminate with a fatal error.

       Examples:

       alias_maps = hash:/etc/aliases, nis:mail.aliases
       alias_maps = hash:/etc/aliases

allow_mail_to_commands (default: alias, forward)

       Restrict local(8) mail delivery to external commands. The default is
       to disallow delivery to "|command" in :include: files (see aliases(5)
       for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow
       commands in aliases(5), .forward files or in :include: files,
       respectively.

       Example:

       allow_mail_to_commands = alias,forward,include

allow_mail_to_files (default: alias, forward)

       Restrict local(8) mail delivery to external files. The default is to
       disallow "/file/name" destinations in :include: files (see aliases(5)
       for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow
       "/file/name" destinations in aliases(5), .forward files and in
       :include: files, respectively.

       Example:

       allow_mail_to_files = alias,forward,include

allow_min_user (default: no)

       Allow a sender or recipient address to have `-' as the first character.
       By default, this is not allowed, to avoid accidents with software that
       passes email addresses via the command line. Such software would not be
       able to distinguish a malicious address from a bona fide command-line
       option. Although this can be prevented by inserting a "--" option
       terminator into the command line, this is difficult to enforce
       consistently and globally.

       As of Postfix version 2.5, this feature is implemented by
       trivial-rewrite(8). With earlier versions this feature was implemented
       by qmgr(8) and was limited to recipient addresses only.
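       The command-line ambiguity described above, as an added example that
       is not Postfix code: helper_parse() stands in for a hypothetical
       delivery helper that takes "-f sender" and a list of recipients, and
       the addresses are constructed. It shows what the helper sees with and
       without the "--" terminator, and a check equivalent to leaving
       allow_min_user at "no".

```python
import getopt


def helper_parse(argv):
    """Hypothetical helper CLI: [-f sender] [-v] recipient ..."""
    opts, recipients = getopt.getopt(argv, "f:v")
    return dict(opts), recipients


def naive_argv(sender, recipients):
    """Addresses appended directly: a leading '-' is read as an option."""
    return ["-f", sender, *recipients]


def terminated_argv(sender, recipients):
    """Same call with the '--' option terminator before the addresses."""
    return ["-f", sender, "--", *recipients]


def has_leading_dash(address):
    """The condition that allow_min_user = no refuses."""
    return address.startswith("-")


def split_addresses(addresses):
    """Partition addresses into (accepted, refused) by the leading-dash rule."""
    accepted = [a for a in addresses if not has_leading_dash(a)]
    refused = [a for a in addresses if has_leading_dash(a)]
    return accepted, refused


# Constructed input: one ordinary recipient and one that starts with '-'.
SENDER = "bounce@example.com"
RECIPIENTS = ["-fx@example.net", "user@example.org"]
```

       With naive_argv() the helper treats the first recipient as a second
       "-f" option, so the envelope sender changes and that recipient
       disappears; with terminated_argv() both strings arrive as recipients.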

allow_percent_hack (default: yes)

       Enable the rewriting of the form "user%domain" to "user@domain". This
       is enabled by default.

       Note: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Example:

       allow_percent_hack = no

allow_untrusted_routing (default: no)

       Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
       from untrusted clients to destinations matching $relay_domains.

       By default, this feature is turned off. This closes a nasty open relay
       loophole where a backup MX host can be tricked into forwarding junk
       mail to a primary MX host which then spams it out to the world.

       This parameter also controls if non-local addresses with
       sender-specified routing can match Postfix access tables. By default,
       such addresses cannot match Postfix access tables, because the address
       is ambiguous.

alternate_config_directories (default: empty)

       A list of non-default Postfix configuration directories that may be
       specified with "-c config_directory" on the command line, or via the
       MAIL_CONFIG environment parameter.

       This list must be specified in the default Postfix configuration
       directory, and is used by set-gid Postfix commands such as postqueue(1)
       and postdrop(1).

always_add_missing_headers (default: no)

       Always add (Resent-) From:, To:, Date: or Message-ID: headers when not
       present. Postfix 2.6 and later add these headers only when clients
       match the local_header_rewrite_clients parameter setting. Earlier
       Postfix versions always add these headers; this may break DKIM
       signatures that cover non-existent headers.

always_bcc (default: empty)

       Optional address that receives a "blind carbon copy" of each message
       that is received by the Postfix mail system.

       Note: with Postfix 2.3 and later the BCC address is added as if it was
       specified with NOTIFY=NONE. The sender will not be notified when the
       BCC address is undeliverable, as long as all down-stream software
       implements RFC 3461.

       Note: with Postfix 2.2 and earlier the sender will be notified when the
       BCC address is undeliverable.

       Note: automatic BCC recipients are produced only for new mail. To
       avoid mailer loops, automatic BCC recipients are not generated after
       Postfix forwards mail internally, or after Postfix generates mail
       itself.

anvil_rate_time_unit (default: 60s)

       The time unit over which client connection rates and other rates are
       calculated.

       This feature is implemented by the anvil(8) service which is available
       in Postfix version 2.2 and later.

       The default interval is relatively short. Because of the high frequency
       of updates, the anvil(8) server uses volatile memory only. Thus,
       information is lost whenever the process terminates.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

anvil_status_update_time (default: 600s)

       How frequently the anvil(8) connection and rate limiting server logs
       peak usage information.

       This feature is available in Postfix 2.2 and later.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

append_at_myorigin (default: yes)

       With locally submitted mail, append the string "@$myorigin" to mail
       addresses without domain information. With remotely submitted mail,
       append the string "@$remote_header_rewrite_domain" instead.

       Note 1: this feature is enabled by default and must not be turned off.
       Postfix does not support domain-less addresses.

       Note 2: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

append_dot_mydomain (default: yes)

       With locally submitted mail, append the string ".$mydomain" to
       addresses that have no ".domain" information. With remotely submitted
       mail, append the string ".$remote_header_rewrite_domain" instead.

       Note 1: this feature is enabled by default. If disabled, users will not
       be able to send mail to "user@partialdomainname" but will have to
       specify full domain names instead.

       Note 2: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

application_event_drain_time (default: 100s)

       How long the postkick(1) command waits for a request to enter the
       Postfix daemon process input buffer before giving up.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

authorized_flush_users (default: static:anyone)

       List of users who are authorized to flush the queue.

       By default, all users are allowed to flush the queue. Access is always
       granted if the invoking user is the super-user or the $mail_owner user.
       Otherwise, the real UID of the process is looked up in the system
       password file, and access is granted only if the corresponding login
       name is on the access list. The username "unknown" is used for
       processes whose real UID is not found in the password file.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a name from the list. The form "!/file/name" is
       supported only in Postfix version 2.4 and later.

       This feature is available in Postfix 2.2 and later.

authorized_mailq_users (default: static:anyone)

       List of users who are authorized to view the queue.

       By default, all users are allowed to view the queue. Access is always
       granted if the invoking user is the super-user or the $mail_owner user.
       Otherwise, the real UID of the process is looked up in the system
       password file, and access is granted only if the corresponding login
       name is on the access list. The username "unknown" is used for
       processes whose real UID is not found in the password file.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a user name from the list. The form "!/file/name"
       is supported only in Postfix version 2.4 and later.

       This feature is available in Postfix 2.2 and later.

authorized_submit_users (default: static:anyone)

       List of users who are authorized to submit mail with the sendmail(1)
       command (and with the privileged postdrop(1) helper command).

       By default, all users are allowed to submit mail. Otherwise, the real
       UID of the process is looked up in the system password file, and access
       is granted only if the corresponding login name is on the access list.
       The username "unknown" is used for processes whose real UID is not
       found in the password file. To deny mail submission access to all users
       specify an empty list.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a user name from the list. The form "!/file/name"
       is supported only in Postfix version 2.4 and later.

       Example:

       authorized_submit_users = !www, static:all

       This feature is available in Postfix 2.2 and later.
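       The list semantics shared by authorized_flush_users,
       authorized_mailq_users and authorized_submit_users, as an added
       example that is not Postfix code: a Python model of left-to-right,
       first-match evaluation with "!pattern" exclusions. Assumptions: file
       contents and non-static tables are passed in as in-memory dicts with
       constructed paths, "!/file/name" inverts the verdict of the patterns
       read from the file, and the super-user and $mail_owner bypass is not
       modelled.

```python
import re


def evaluate(login, spec, files=None, tables=None):
    """Return True (allowed), False (excluded) or None (nothing matched)."""
    files = files or {}
    tables = tables or {}
    for pattern in filter(None, re.split(r"[,\s]+", spec)):
        negated = pattern.startswith("!")
        body = pattern[1:] if negated else pattern
        if body.startswith("/"):
            # "/file/name" is replaced by its contents (KeyError if unknown).
            verdict = evaluate(login, files[body], files, tables)
            if verdict is None:
                continue
            # Assumption: "!/file/name" inverts what the file's patterns say.
            return (not verdict) if negated else verdict
        if ":" in body:
            table_type = body.partition(":")[0]
            # A static: table answers every key; other tables match on keys
            # only, the lookup result is ignored.
            hit = table_type == "static" or login in tables.get(body, ())
        else:
            hit = body == login
        if hit:
            return not negated        # the search stops on the first match
    return None


def is_authorized(login, spec, files=None, tables=None):
    """No match at all means the login name is not on the access list."""
    return evaluate(login, spec, files, tables) is True


# Constructed file and table contents for the checks below.
FILES = {
    "/etc/postfix/submit_users": "alice\nbob\n",
    "/etc/postfix/blocked_users": "www nobody",
}
TABLES = {"hash:/etc/postfix/submitters": {"alice"}}
```

       Order is the part that goes wrong in practice: "static:all, !www"
       admits www because the search stops at static:all, so exclusions have
       to come first, as in the manual's "!www, static:all" example.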

authorized_verp_clients (default: $mynetworks)

       What remote SMTP clients are allowed to specify the XVERP command.
       This command requests that mail be delivered one recipient at a time
       with a per-recipient return address.

       By default, only trusted clients are allowed to specify XVERP.

       This parameter was introduced with Postfix version 1.1. Postfix
       version 2.1 renamed this parameter to smtpd_authorized_verp_clients and
       changed the default to none.

       Specify a list of network/netmask patterns, separated by commas and/or
       whitespace. The mask specifies the number of bits in the network part
       of a host address. You can also specify hostnames or .domain names (the
       initial dot causes the domain to match any name below it),
       "/file/name" or "type:table" patterns. A "/file/name" pattern is
       replaced by its contents; a "type:table" lookup table is matched when a
       table entry matches a lookup string (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude an address or network block from the list. The
       form "!/file/name" is supported only in Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside [] in
       the authorized_verp_clients value, and in files specified with
       "/file/name". IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.

backwards_bounce_logfile_compatibility (default: yes)

       Produce additional bounce(8) logfile records that can be read by
       Postfix versions before 2.0. The current and more extensible
       "name = value" format is needed in order to implement more
       sophisticated functionality.

       This feature is available in Postfix 2.1 and later.

berkeley_db_create_buffer_size (default: 16777216)

       The per-table I/O buffer size for programs that create Berkeley DB hash
       or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

berkeley_db_read_buffer_size (default: 131072)

       The per-table I/O buffer size for programs that read Berkeley DB hash
       or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

best_mx_transport (default: empty)

       Where the Postfix SMTP client should deliver mail when it detects a
       "mail loops back to myself" error condition. This happens when the
       local MTA is the best SMTP mail exchanger for a destination not listed
       in $mydestination, $inet_interfaces, $proxy_interfaces,
       $virtual_alias_domains, or $virtual_mailbox_domains. By default, the
       Postfix SMTP client returns such mail as undeliverable.

       Specify, for example, "best_mx_transport = local" to pass the mail from
       the Postfix SMTP client to the local(8) delivery agent. You can specify
       any message delivery "transport" or "transport:nexthop" that is defined
       in the master.cf file. See the transport(5) manual page for the syntax
       and meaning of "transport" or "transport:nexthop".

       However, this feature is expensive because it ties up a Postfix SMTP
       client process while the local(8) delivery agent is doing its work. It
       is more efficient (for Postfix) to list all hosted domains in a table
       or database.

biff (default: yes)

       Whether or not to use the local biff service. This service sends "new
       mail" notifications to users who have requested new mail notification
       with the UNIX command "biff y".

       For compatibility reasons this feature is on by default. On systems
       with lots of interactive users, the biff service can be a performance
       drain. Specify "biff = no" in main.cf to disable.

body_checks (default: empty)

       Optional lookup tables for content inspection as specified in the
       body_checks(5) manual page.

       Note: with Postfix versions before 2.0, these rules inspect all content
       after the primary message headers.

body_checks_size_limit (default: 51200)

       How much text in a message body segment (or attachment, if you prefer
       to use that term) is subjected to body_checks inspection. The amount
       of text is limited to avoid scanning huge attachments.

       This feature is available in Postfix 2.0 and later.

bounce_notice_recipient (default: postmaster)

669       The  recipient  of postmaster notifications with the message headers of
670       mail that Postfix did not deliver and of SMTP conversation  transcripts
671       of mail that Postfix did not receive.  This feature is enabled with the
672       notify_classes parameter.
673

bounce_queue_lifetime (default: 5d)

675       Consider a bounce message as undeliverable, when delivery fails with  a
676       temporary   error,   and   the  time  in  the  queue  has  reached  the
677       bounce_queue_lifetime limit.  By default, this limit is the same as for
678       regular mail.
679
680       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
681       The default time unit is d (days).
682
683       Specify 0 when mail delivery should be tried only once.
684
685       This feature is available in Postfix 2.1 and later.
686

bounce_service_name (default: bounce)

688       The name of the bounce(8) service. This service maintains a  record  of
689       failed delivery attempts and generates non-delivery notifications.
690
691       This feature is available in Postfix 2.0 and later.
692

bounce_size_limit (default: 50000)

694       The  maximal  amount  of  original  message text that is sent in a non-
695       delivery notification. Specify a byte count.  A message is returned  as
696       either message/rfc822 (the complete original) or as text/rfc822-headers
697       (the headers only).  With Postfix version 2.4 and earlier, a message is
698       always  returned as message/rfc822 and is truncated when it exceeds the
699       size limit.
700
701       Notes:
702
703       ·      If you  increase  this  limit,  then  you  should  increase  the
704              mime_nesting_limit value proportionally.
705
706       ·      Be  careful  when making changes.  Excessively large values will
707              result in the loss of non-delivery notifications, when a  bounce
708              message size exceeds a local or remote MTA's message size limit.
709

bounce_template_file (default: empty)

711       Pathname  of a configuration file with bounce message templates.  These
712       override the built-in templates of delivery status  notification  (DSN)
713       messages for undeliverable mail, for delayed mail, successful delivery,
714       or delivery verification. The bounce(5) manual page  describes  how  to
715       edit and test template files.
716
717       Template message body text may contain $name references to Postfix con‐
718       figuration parameters. The result of $name expansion can  be  previewed
719       with "postconf -b file_name" before the file is placed into the Postfix
720       configuration directory.
721
722       This feature is available in Postfix 2.3 and later.
723

broken_sasl_auth_clients (default: no)

725       Enable inter-operability with remote SMTP  clients  that  implement  an
726       obsolete  version  of  the  AUTH  command  (RFC 4954). Examples of such
727       clients are Microsoft Outlook Express version 4 and Microsoft Exchange
728       version 5.0.
729
730       Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
731       support in a non-standard way.
732

canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)

735       What  addresses  are  subject  to  canonical_maps  address mapping.  By
736       default, canonical_maps address mapping is applied to  envelope  sender
737       and  recipient  addresses,  and  to  header sender and header recipient
738       addresses.
739
740       Specify  one   or   more   of:   envelope_sender,   envelope_recipient,
741       header_sender, header_recipient
742
743       This feature is available in Postfix 2.2 and later.
744

canonical_maps (default: empty)

746       Optional   address  mapping  lookup  tables  for  message  headers  and
747       envelopes.  The  mapping  is  applied  to  both  sender  and  recipient
748       addresses,  in  both  envelopes  and in headers, as controlled with the
749       canonical_classes parameter. This is typically used to clean  up  dirty
750       addresses from legacy mail systems, or to replace login names by First‐
751       name.Lastname.  The table format and lookups are documented in  canoni‐
752       cal(5).  For  an  overview  of  Postfix  address  manipulations see the
753       ADDRESS_REWRITING_README document.
754
755       If you use this feature, run "postmap /etc/postfix/canonical" to  build
756       the  necessary  DBM  or  DB  file  after every change. The changes will
757       become visible after a minute or so.  Use "postfix reload" to eliminate
758       the delay.
759
760       Note:  with Postfix version 2.2, message header address mapping happens
761       only when message header address rewriting is enabled:
762
763       ·      The message is received with the Postfix sendmail(1) command,
764
765       ·      The message is received  from  a  network  client  that  matches
766              $local_header_rewrite_clients,
767
768       ·      The   message   is   received   from   the   network,   and  the
769              remote_header_rewrite_domain  parameter  specifies  a  non-empty
770              value.
771
772       To   get   the   behavior   before   Postfix   version   2.2,   specify
773       "local_header_rewrite_clients = static:all".
774
775       Examples:
776
777       canonical_maps = dbm:/etc/postfix/canonical
778       canonical_maps = hash:/etc/postfix/canonical
779

cleanup_service_name (default: cleanup)

781       The name of the cleanup(8) service.  This  service  rewrites  addresses
782       into  the  standard form, and performs canonical(5) address mapping and
783       virtual(5) aliasing.
784
785       This feature is available in Postfix 2.0 and later.
786

command_directory (default: see postconf -d output)

788       The location of all Postfix administrative commands.
789

command_execution_directory (default: empty)

791       The local(8) delivery agent working directory for delivery to an external
792       command.   Failure  to  change  directory  causes  the  delivery  to be
793       deferred.
794
795       The following $name expansions are done on  command_execution_directory
796       before  the  directory  is changed. Expansion happens in the context of
797       the delivery request.  The result of $name expansion is  filtered  with
798       the character set that is specified with the execution_directory_expan‐
799       sion_filter parameter.
800
801       $user  The recipient's username.
802
803       $shell The recipient's login shell pathname.
804
805       $home  The recipient's home directory.
806
807       $recipient
808              The full recipient address.
809
810       $extension
811              The optional recipient address extension.
812
813       $domain
814              The recipient domain.
815
816       $local The entire recipient localpart.
817
818       $recipient_delimiter
819              The system-wide recipient address extension delimiter.
820
821       ${name?value}
822              Expands to value when $name is non-empty.
823
824       ${name:value}
825              Expands to value when $name is empty.
826
827       Instead of $name you can also specify ${name} or $(name).
828
829       This feature is available in Postfix 2.2 and later.
830

command_expansion_filter (default: see postconf -d output)

832       Restrict the characters that the  local(8)  delivery  agent  allows  in
833       $name  expansions of $mailbox_command and $command_execution_directory.
834       Characters outside the allowed set are replaced by underscores.
835
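
The $name expansion and character filtering described for command_execution_directory and command_expansion_filter, as an added example (not Postfix source code). It is a simplified model: the allow-list, the directory template and the recipient attributes are constructed for illustration, and unknown names expand to an empty string.

```python
import re
import string

# Assumed allow-list for this example: letters, digits and a few punctuation
# characters. Read the value in force with "postconf command_expansion_filter".
ALLOWED = frozenset(string.ascii_letters + string.digits + "!@%-_=+:,./")

_TOKEN = re.compile(
    r"\$(?:(\$)"                        # $$ -> literal "$"
    r"|(\w+)"                           # $name
    r"|\{(\w+)(?:([?:])([^{}]*))?\}"    # ${name}, ${name?value}, ${name:value}
    r"|\((\w+)\))"                      # $(name)
)


def filter_value(value, allowed=ALLOWED):
    """Replace every character outside the allowed set with an underscore."""
    return "".join(c if c in allowed else "_" for c in value)


def expand(template, attrs, allowed=ALLOWED):
    """Expand $name references in a template taken from trusted configuration.

    Only values that come from the delivery request (attrs) are filtered;
    the literal text of the template is copied unchanged.
    """
    def repl(match):
        dollar, plain, braced, op, alt, paren = match.groups()
        if dollar:
            return "$"
        value = attrs.get(plain or braced or paren, "")
        if op == "?":                   # ${name?value}: value when $name is non-empty
            return expand(alt, attrs, allowed) if value else ""
        if op == ":":                   # ${name:value}: value when $name is empty
            return "" if value else expand(alt, attrs, allowed)
        return filter_value(value, allowed)

    return _TOKEN.sub(repl, template)


# Constructed delivery request: the address extension is chosen by whoever
# sends the mail, so it can carry shell metacharacters.
SAMPLE_ATTRS = {
    "user": "alice",
    "domain": "example.com",
    "extension": "reports; echo x",
    "recipient_delimiter": "+",
}

# Hypothetical command_execution_directory value.
SAMPLE_TEMPLATE = "/var/spool/filters/$domain/$user${extension?/$extension}${extension:/default}"

if __name__ == "__main__":
    print(expand(SAMPLE_TEMPLATE, SAMPLE_ATTRS))
    print(expand(SAMPLE_TEMPLATE, dict(SAMPLE_ATTRS, extension="")))
```

The semicolon and spaces in the extension come out as underscores, while the template's own "/" separators are left alone because they are configuration text, not request data.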

command_time_limit (default: 1000s)

837       Time limit for delivery to external commands. This limit is used by the
838       local(8)  delivery agent, and is the default time limit for delivery by
839       the pipe(8) delivery agent.
840
841       Note: if you set this time limit to a large value you must  update  the
842       global ipc_timeout parameter as well.
843

config_directory (default: see postconf -d output)

845       The default location of the Postfix main.cf and master.cf configuration
846       files. This can be overruled via the following mechanisms:
847
848       ·      The MAIL_CONFIG environment variable (daemon processes and  com‐
849              mands).
850
851       ·      The "-c" command-line option (commands only).
852
853       With Postfix commands that run with set-gid privileges, a
854       config_directory override requires either root privileges, or it requires that the
855       directory  is listed with the alternate_config_directories parameter in
856       the default main.cf file.
857

connection_cache_protocol_timeout (default: 5s)

859       Time limit for connection cache connect, send  or  receive  operations.
860       The time limit is enforced in the client.
861
862       This feature is available in Postfix 2.3 and later.
863

connection_cache_service_name (default: scache)

865       The name of the scache(8) connection cache service.  This service main‐
866       tains a limited pool of cached sessions.
867
868       This feature is available in Postfix 2.2 and later.
869

connection_cache_status_update_time (default: 600s)

871       How frequently the scache(8) server logs usage statistics with  connec‐
872       tion cache hit and miss rates for logical destinations and for physical
873       endpoints.
874

connection_cache_ttl_limit (default: 2s)

876       The maximal time-to-live value  that  the  scache(8)  connection  cache
877       server  allows.  Requests that specify a larger TTL will be stored with
878       the maximum allowed TTL. The purpose of this additional control  is  to
879       protect  the  infrastructure  against careless people. The cache TTL is
880       already bounded by $max_idle.
881

content_filter (default: empty)

883       After the message is queued, send the entire message to  the  specified
884       transport:destination.  The transport name specifies the first field of
885       a mail delivery agent definition in master.cf; the syntax of the  next-
886       hop  destination  is  described in the manual page of the corresponding
887       delivery agent.  More information about external content filters is  in
888       the Postfix FILTER_README file.
889
890       Notes:
891
892       ·      This  setting  has lower precedence than a FILTER action that is
893              specified in an access(5),  header_checks(5)  or  body_checks(5)
894              table.
895
896       ·      The  meaning  of an empty next-hop filter destination is version
897              dependent.  Postfix 2.7 and later will use the recipient domain;
898              earlier  versions  will  use $myhostname.  Specify "default_fil‐
899              ter_nexthop = $myhostname" for compatibility with Postfix 2.6 or
900              earlier,  or  specify  a  content_filter  value with an explicit
901              next-hop destination.
902

cyrus_sasl_config_path (default: empty)

904       Search path for Cyrus SASL application configuration  files,  currently
905       used  only  to  locate the $smtpd_sasl_path.conf file.  Specify zero or
906       more directories separated by a colon character, or an empty  value  to
907       use Cyrus SASL's built-in search path.
908
909       This  feature  is available in Postfix 2.5 and later when compiled with
910       Cyrus SASL 2.1.22 or later.
911

daemon_directory (default: see postconf -d output)

913       The directory with Postfix support programs and daemon programs.  These
914       should  not  be invoked directly by humans. The directory must be owned
915       by root.
916

daemon_table_open_error_is_fatal (default: no)

918       How a Postfix  daemon  process  handles  errors  while  opening  lookup
919       tables: gradual degradation or immediate termination.
920
921        no  (default)
922              Gradual  degradation:  a  daemon  process logs a message of type
923              "error" and continues execution with reduced functionality. Fea‐
924              tures that do not depend on the unavailable table will work nor‐
925              mally, while features that depend on the table will result in  a
926              type "warning" message.
927              When  the  notify_classes  parameter  value  contains the "data"
928              class, the Postfix SMTP server  and  client  will  report  tran‐
929              scripts  of  sessions  with an error because a table is unavail‐
930              able.
931
932        yes  (historical behavior)
933              Immediate termination: a daemon process logs a type "fatal" mes‐
934              sage and terminates immediately.  This option reduces the number
935              of possible code paths through Postfix,  and  may  therefore  be
936              slightly more secure than the default.
937
938       For  the sake of sanity, the number of type "error" messages is limited
939       to 13 over the lifetime of a daemon process.
940
941       This feature is available in Postfix 2.9 and later.
942

daemon_timeout (default: 18000s)

944       How much time a Postfix daemon process may take  to  handle  a  request
945       before it is terminated by a built-in watchdog timer.
946
947       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
948       The default time unit is s (seconds).
949

data_directory (default: see postconf -d output)

951       The directory with Postfix-writable data files  (for  example:  caches,
952       pseudo-random numbers).  This directory must be owned by the mail_owner
953       account, and must not be shared with non-Postfix software.
954
955       This feature is available in Postfix 2.5 and later.
956

debug_peer_level (default: 2)

958       The increment in verbose logging level when a remote client  or  server
959       matches a pattern in the debug_peer_list parameter.
960

debug_peer_list (default: empty)

962       Optional  list  of  remote client or server hostname or network address
963       patterns that cause the verbose logging level to increase by the amount
964       specified in $debug_peer_level.
965
966       Specify  domain  names, network/netmask patterns, "/file/name" patterns
967       or  "type:table"  lookup  tables.  The  right-hand  side  result   from
968       "type:table" lookups is ignored.
969
970       Pattern   matching   of   domain   names  is  controlled  by  the  par‐
971       ent_domain_matches_subdomains parameter.
972
973       Examples:
974
975       debug_peer_list = 127.0.0.1
976       debug_peer_list = example.com
977

debugger_command (default: empty)

979       The external command to  execute  when  a  Postfix  daemon  program  is
980       invoked with the -D option.
981
982       Use  "command  .. & sleep 5" so that the debugger can attach before the
983       process marches on. If you use an X-based debugger, be sure to  set  up
984       your XAUTHORITY environment variable before starting Postfix.
985
986       Note: the command is subject to $name expansion, before it is passed to
987       the default command interpreter. Specify "$$" to produce a single  "$"
988       character.
989
990       Example:
991
992       debugger_command =
993           PATH=/usr/bin:/usr/X11R6/bin
994           ddd $daemon_directory/$process_name $process_id & sleep 5
995

default_database_type (default: see postconf -d output)

997       The  default  database  type for use in newaliases(1), postalias(1) and
998       postmap(1) commands. On many UNIX systems the default  type  is  either
999       dbm  or  hash. The default setting is frozen when the Postfix system is
1000       built.
1001
1002       Examples:
1003
1004       default_database_type = hash
1005       default_database_type = dbm
1006

default_delivery_slot_cost (default: 5)

1008       How often the Postfix queue manager's scheduler is allowed  to  preempt
1009       delivery of one message with another.
1010
1011       Each  transport maintains a so-called "available delivery slot counter"
1012       for each message. One message can be preempted by another one when  the
1013       other  message  can  be  delivered  using no more delivery slots (i.e.,
1014       invocations of delivery agents) than the current  message  counter  has
1015       accumulated  (or  will  eventually  accumulate  -  see about slot loans
1016       below). This parameter controls how often the counter is incremented -
1017       it  happens  after each default_delivery_slot_cost recipients have been
1018       delivered.
1019
1020       The cost of 0 is used to disable the preempting scheduling  completely.
1021       The minimum value the scheduling algorithm can use is 2 - use it if you
1022       want to maximize the message throughput rate. Although there is no max‐
1023       imum, it doesn't make much sense to use values above say 50.
1024
1025       The  only  reason why the value of 2 is not the default is the way this
1026       parameter affects the delivery of mailing-list mail. In the worst case,
1027       their delivery can take somewhere between (cost+1)/cost and
1028       cost/(cost-1) times more than if the preemptive scheduler was disabled.
1029       The default value of 5 turns out to provide reasonable message response
1030       times while making sure the mailing-list deliveries are not extended by
1031       more than 20-25 percent even in the worst case.
1032
1033       Use  transport_delivery_slot_cost to specify a transport-specific over‐
1034       ride, where transport is the master.cf name  of  the  message  delivery
1035       transport.
1036
1037       Examples:
1038
1039       default_delivery_slot_cost = 0
1040       default_delivery_slot_cost = 2
1041

default_delivery_slot_discount (default: 50)

1043       The  default  value for transport-specific _delivery_slot_discount set‐
1044       tings.
1045
1046       This parameter speeds up the moment when a message preemption can  hap‐
1047       pen.  Instead  of  waiting  until  the  full  amount  of delivery slots
1048       required is available, the preemption can happen when  transport_deliv‐
1049       ery_slot_discount  percent of the required amount plus transport_deliv‐
1050       ery_slot_loan still remains to be  accumulated.   Note  that  the  full
1051       amount  will still have to be accumulated before another preemption can
1052       take place later.
1053
1054       Use transport_delivery_slot_discount to  specify  a  transport-specific
1055       override, where transport is the master.cf name of the message delivery
1056       transport.
1057

default_delivery_slot_loan (default: 3)

1059       The default value for transport-specific _delivery_slot_loan settings.
1060
1061       This parameter speeds up the moment when a message preemption can  hap‐
1062       pen.  Instead  of  waiting  until  the  full  amount  of delivery slots
1063       required is available, the preemption can happen when  transport_deliv‐
1064       ery_slot_discount  percent of the required amount plus transport_deliv‐
1065       ery_slot_loan still remains to be  accumulated.   Note  that  the  full
1066       amount  will still have to be accumulated before another preemption can
1067       take place later.
1068
1069       Use transport_delivery_slot_loan to specify a transport-specific  over‐
1070       ride,  where  transport  is  the master.cf name of the message delivery
1071       transport.
1072

default_destination_concurrency_failed_cohort_limit (default: 1)

1074       How many pseudo-cohorts must suffer  connection  or  handshake  failure
1075       before  a  specific  destination is considered unavailable (and further
1076       delivery is suspended). Specify zero to disable this feature. A  desti‐
1077       nation's pseudo-cohort failure count is reset each time a delivery com‐
1078       pletes without connection or handshake failure for that specific desti‐
1079       nation.
1080
1081       A  pseudo-cohort  is  the number of deliveries equal to a destination's
1082       delivery concurrency.
1083
1084       Use transport_destination_concurrency_failed_cohort_limit to specify  a
1085       transport-specific  override,  where transport is the master.cf name of
1086       the message delivery transport.
1087
1088       This feature is available in Postfix 2.5. The default setting  is  com‐
1089       patible with earlier Postfix versions.
1090

default_destination_concurrency_limit (default: 20)

1092       The  default maximal number of parallel deliveries to the same destina‐
1093       tion.  This is the default limit for delivery via the lmtp(8), pipe(8),
1094       smtp(8) and virtual(8) delivery agents.  With per-destination recipient
1095       limit > 1, a destination is a domain, otherwise it is a recipient.
1096
1097       Use transport_destination_concurrency_limit to specify a transport-spe‐
1098       cific  override,  where  transport is the master.cf name of the message
1099       delivery transport.
1100

default_destination_concurrency_negative_feedback (default: 1)

1102       The per-destination amount of delivery concurrency  negative  feedback,
1103       after  a  delivery  completes  with  a connection or handshake failure.
1104       Feedback values are in the range 0..1 inclusive.  With  negative  feed‐
1105       back,  concurrency  is  decremented  at  the beginning of a sequence of
1106       length 1/feedback. This is unlike positive feedback, where  concurrency
1107       is incremented at the end of a sequence of length 1/feedback.
1108
1109       As  of  Postfix  version  2.5, negative feedback cannot reduce delivery
1110       concurrency to zero.  Instead, a destination is  marked  dead  (further
1111       delivery  suspended)  after  the  failed  pseudo-cohort  count  reaches
1112       $default_destination_concurrency_failed_cohort_limit    (or     $trans‐
1113       port_destination_concurrency_failed_cohort_limit).   To make the sched‐
1114       uler completely immune to connection or handshake failures,  specify  a
1115       zero feedback value and a zero failed pseudo-cohort limit.
1116
1117       Specify one of the following forms:
1118
1119       number
1120
1121       number / number
1122              Constant  feedback.  The  value must be in the range 0..1 inclu‐
1123              sive.  The default setting of "1"  is  compatible  with  Postfix
1124              versions  before 2.5, where a destination's delivery concurrency
1125              is throttled down to zero (and further delivery suspended) after
1126              a single failed pseudo-cohort.
1127
1128       number / concurrency
1129              Variable  feedback  of  "number  / (delivery concurrency)".  The
1130              number must be in the range 0..1 inclusive. With number equal to
1131              "1",  a  destination's  delivery concurrency is decremented by 1
1132              after each failed pseudo-cohort.
1133
1134       A pseudo-cohort is the number of deliveries equal  to  a  destination's
1135       delivery concurrency.
1136
1137       Use  transport_destination_concurrency_negative_feedback  to  specify a
1138       transport-specific override, where transport is the master.cf  name  of
1139       the message delivery transport.
1140
1141       This  feature  is available in Postfix 2.5. The default setting is com‐
1142       patible with earlier Postfix versions.
1143

default_destination_concurrency_positive_feedback (default: 1)

1145       The per-destination amount of delivery concurrency  positive  feedback,
1146       after  a  delivery  completes  without connection or handshake failure.
1147       Feedback values are in  the  range  0..1  inclusive.   The  concurrency
1148       increases  until  it  reaches  the  per-destination maximal concurrency
1149       limit. With positive feedback, concurrency is incremented at the end of
1150       a  sequence  with  length 1/feedback. This is unlike negative feedback,
1151       where concurrency is decremented at the start of a sequence  of  length
1152       1/feedback.
1153
1154       Specify one of the following forms:
1155
1156       number
1157
1158       number / number
1159              Constant  feedback.   The value must be in the range 0..1 inclu‐
1160              sive. The default setting of "1" is compatible with Postfix ver‐
1161              sions  before  2.5,  where  a destination's delivery concurrency
1162              doubles after each successful pseudo-cohort.
1163
1164       number / concurrency
1165              Variable feedback of "number  /  (delivery  concurrency)".   The
1166              number must be in the range 0..1 inclusive. With number equal to
1167              "1", a destination's delivery concurrency is  incremented  by  1
1168              after each successful pseudo-cohort.
1169
1170       A  pseudo-cohort  is  the number of deliveries equal to a destination's
1171       delivery concurrency.
1172
1173       Use transport_destination_concurrency_positive_feedback  to  specify  a
1174       transport-specific  override,  where transport is the master.cf name of
1175       the message delivery transport.
1176
1177       This feature is available in Postfix 2.5 and later.
1178

default_destination_rate_delay (default: 0s)

1180       The default amount of delay that is inserted between individual  deliv‐
1181       eries  to  the  same destination; the resulting behavior depends on the
1182       value of the corresponding per-destination recipient limit.
1183
1184       ·      With a corresponding per-destination recipient limit  >  1,  the
1185              rate  delay  specifies  the  time between deliveries to the same
1186              domain.  Different domains are delivered in parallel, subject to
1187              the process limits specified in master.cf.
1188
1189       ·      With a corresponding per-destination recipient limit equal to 1,
1190              the rate delay specifies the time between deliveries to the same
1191              recipient.  Different recipients are delivered in parallel, sub‐
1192              ject to the process limits specified in master.cf.
1193
1194       To enable the delay, specify a non-zero time value (an  integral  value
1195       plus an optional one-letter suffix that specifies the time unit).
1196
1197       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1198       The default time unit is s (seconds).
1199
1200       NOTE: the delay is enforced by the queue manager. The delay timer state
1201       does not survive "postfix reload" or "postfix stop".
1202
1203       Use  transport_destination_rate_delay  to  specify a transport-specific
1204       override, where transport is the master.cf name of the message delivery
1205       transport.
1206
1207       NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1208       tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1209       fix  from  deferring  all  mail for the same destination after only one
1210       connection or handshake error.
1211
1212       This feature is available in Postfix 2.5 and later.
1213

default_destination_recipient_limit (default: 50)

1215       The default maximal number of recipients per message delivery.  This is
1216       the  default  limit  for delivery via the lmtp(8), pipe(8), smtp(8) and
1217       virtual(8) delivery agents.
1218
1219       Setting this parameter to a value of 1 affects email deliveries as fol‐
1220       lows:
1221
1222       ·      It changes the meaning of the corresponding per-destination con‐
1223              currency limit, from  concurrency  of  deliveries  to  the  same
1224              domain  into  concurrency  of  deliveries to the same recipient.
1225              Different recipients are delivered in parallel, subject  to  the
1226              process limits specified in master.cf.
1227
1228       ·      It changes the meaning of the corresponding per-destination rate
1229              delay, from the delay between deliveries to the same domain into
1230              the delay between deliveries to the same recipient.  Again, dif‐
1231              ferent recipients are delivered  in  parallel,  subject  to  the
1232              process limits specified in master.cf.
1233
1234       ·      It  changes  the  meaning of other corresponding per-destination
1235              settings in a similar manner, from settings for delivery to  the
1236              same domain into settings for delivery to the same recipient.
1237
1238       Use  transport_destination_recipient_limit  to specify a transport-spe‐
1239       cific override, where transport is the master.cf name  of  the  message
1240       delivery transport.
1241

default_extra_recipient_limit (default: 1000)

1243       The default value for the extra per-transport limit imposed on the num‐
1244       ber of in-memory recipients.  This extra recipient  space  is  reserved
1245       for  the  cases when the Postfix queue manager's scheduler preempts one
1246       message with another and suddenly needs some extra recipients slots for
1247       the chosen message in order to avoid performance degradation.
1248
1249       Use  transport_extra_recipient_limit  to  specify  a transport-specific
1250       override, where transport is the master.cf name of the message delivery
1251       transport.
1252

default_filter_nexthop (default: empty)

1254       When  a content_filter or FILTER request specifies no explicit next-hop
1255       destination, use $default_filter_nexthop instead; when  that  value  is
1256       empty,  use the domain in the recipient address.  Specify "default_fil‐
1257       ter_nexthop = $myhostname" for compatibility with Postfix  version  2.6
1258       and earlier, or specify an explicit next-hop destination with each con‐
1259       tent_filter value or FILTER action.
1260
1261       This feature is available in Postfix 2.7 and later.
1262

default_minimum_delivery_slots (default: 3)

1264       How many recipients a message must have in order to invoke the  Postfix
1265       queue  manager's  scheduling  algorithm  at  all.  Messages which would
1266       never accumulate at least this many delivery  slots  (subject  to  slot
1267       cost parameter as well) are never preempted.
1268
1269       Use  transport_minimum_delivery_slots  to  specify a transport-specific
1270       override, where transport is the master.cf name of the message delivery
1271       transport.
1272

default_privs (default: nobody)

1274       The  default rights used by the local(8) delivery agent for delivery to
1275       external file or command.  These  rights  are  used  when  delivery  is
1276       requested from an aliases(5) file that is owned by root, or when deliv‐
1277       ery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR  THE
1278       POSTFIX OWNER.
1279
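
One way to check the default_privs rule above against a main.cf file, as an added example (not part of Postfix). It follows the main.cf format rules from the DESCRIPTION section (comments, continuation lines, last definition wins, $name references); the sample configuration, the uid table and the use of "postfix" as the mail_owner default are assumptions of this example.

```python
import pwd
import re

# Built-in defaults for the two parameters this check needs. "nobody" is the
# default_privs default shown on this page; "postfix" as the mail_owner
# default is an assumption, confirm it with "postconf -d mail_owner".
DEFAULTS = {"default_privs": "nobody", "mail_owner": "postfix"}

_REF = re.compile(r"\$(\$|\w+|\{\w+\}|\(\w+\))")


def parse_main_cf(text):
    """Parse main.cf text into {parameter: raw value}; the last definition wins."""
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                    # blank and comment lines are ignored
        if raw[0].isspace():
            if logical:                 # leading whitespace continues a logical line
                logical[-1] += " " + stripped
            continue
        logical.append(stripped)
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def expand(value, params, depth=0):
    """Resolve $name, ${name} and $(name) recursively; "$$" gives a literal "$"."""
    if depth > 10:
        raise ValueError("parameter references nest too deeply")

    def repl(match):
        token = match.group(1)
        if token == "$":
            return "$"
        name = token.strip("{}()")
        return expand(params.get(name, DEFAULTS.get(name, "")), params, depth + 1)

    return _REF.sub(repl, value)


def system_uid(user):
    """Look the account up in the local passwd database; None when it is unknown."""
    try:
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return None


def audit_default_privs(main_cf_text, uid_of=system_uid):
    """Return (effective default_privs, list of findings)."""
    params = parse_main_cf(main_cf_text)
    privs = expand(params.get("default_privs", DEFAULTS["default_privs"]), params)
    owner = expand(params.get("mail_owner", DEFAULTS["mail_owner"]), params)
    findings = []
    uid = uid_of(privs)
    if uid is None:
        findings.append(f"default_privs account {privs!r} does not exist")
    elif uid == 0:
        findings.append(f"default_privs account {privs!r} has uid 0 (privileged)")
    if privs == owner:
        findings.append(f"default_privs equals mail_owner ({owner!r})")
    return privs, findings


# Constructed sample configuration and uid table, for illustration only.
SAMPLE_MAIN_CF = """\
mail_owner = postfix
default_privs = nobody
canonical_maps = hash:/etc/postfix/canonical
    # a comment line inside a continued value is ignored
    dbm:/etc/postfix/canonical
default_privs = $mail_owner
"""
SAMPLE_PASSWD = {"root": 0, "postfix": 89, "nobody": 65534}

if __name__ == "__main__":
    effective, problems = audit_default_privs(SAMPLE_MAIN_CF, SAMPLE_PASSWD.get)
    print("default_privs =", effective)
    for problem in problems:
        print("FINDING:", problem)
```

The second default_privs line in the sample overrides the first, so the check reports the Postfix owner even though "nobody" appears earlier in the file.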

default_process_limit (default: 100)

1281       The  default  maximal  number of Postfix child processes that provide a
1282       given service. This limit can be overruled for specific services in the
1283       master.cf file.
1284

default_rbl_reply (default: see postconf -d output)

       The default Postfix SMTP server response template for a request that is
       rejected by an RBL-based restriction. This template can be overruled by
       specific entries in the optional rbl_reply_maps lookup table.

       This feature is available in Postfix 2.0 and later.

       The template is subject to exactly one level of $name substitution:

       $client
              The client hostname and IP address, formatted as name[address].

       $client_address
              The client IP address.

       $client_name
              The client hostname or "unknown". See
              reject_unknown_client_hostname for more details.

       $reverse_client_name
              The client hostname from address->name lookup, or "unknown".
              See reject_unknown_reverse_client_hostname for more details.

       $helo_name
              The hostname given in the HELO or EHLO command, or an empty
              string.

       $rbl_class
              The blacklisted entity type: Client host, Helo command, Sender
              address, or Recipient address.

       $rbl_code
              The numerical SMTP response code, as specified with the
              maps_rbl_reject_code configuration parameter. Note: The
              numerical SMTP response code is required, and must appear at
              the start of the reply. With Postfix version 2.3 and later this
              information may be followed by an RFC 3463 enhanced status code.

       $rbl_domain
              The RBL domain where $rbl_what is blacklisted.

       $rbl_reason
              The reason why $rbl_what is blacklisted, or an empty string.

       $rbl_what
              The entity that is blacklisted (an IP address, a hostname, a
              domain name, or an email address whose domain was blacklisted).

       $recipient
              The recipient address or <> in case of the null address.

       $recipient_domain
              The recipient domain or empty string.

       $recipient_name
              The recipient address localpart or <> in case of the null
              address.

       $sender
              The sender address or <> in case of the null address.

       $sender_domain
              The sender domain or empty string.

       $sender_name
              The sender address localpart or <> in case of the null address.

       ${name?text}
              Expands to `text' if $name is not empty.

       ${name:text}
              Expands to `text' if $name is empty.

       Instead of $name you can also specify ${name} or $(name).

       Note: when an enhanced status code is specified in an RBL reply
       template, it is subject to modification. The following transformations
       are needed when the same RBL reply template is used for client, helo,
       sender, or recipient access restrictions.

       ·      When rejecting a sender address, the Postfix SMTP server will
              transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
              corresponding sender DSN status, and vice versa.

       ·      When rejecting non-address information (such as the HELO command
              argument or the client hostname/address), the Postfix SMTP
              server will transform a sender or recipient DSN status into a
              generic non-address DSN status (e.g., 4.0.0).

default_recipient_limit (default: 20000)

       The default per-transport upper limit on the number of in-memory
       recipients. These limits take priority over the global
       qmgr_message_recipient_limit after the message has been assigned to
       the respective transports. See also default_extra_recipient_limit and
       qmgr_message_recipient_minimum.

       Use transport_recipient_limit to specify a transport-specific override,
       where transport is the master.cf name of the message delivery
       transport.

default_recipient_refill_delay (default: 5s)

       The default per-transport maximum delay between recipient refills.
       When not all message recipients fit into the memory at once, keep
       loading more of them at least once every this many seconds. This is
       used to make sure the recipients are refilled in a timely manner even
       when $default_recipient_refill_limit is too high for too slow
       deliveries.

       Use transport_recipient_refill_delay to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

       This feature is available in Postfix 2.4 and later.

default_recipient_refill_limit (default: 100)

       The default per-transport limit on the number of recipients refilled at
       once. When not all message recipients fit into the memory at once,
       keep loading more of them in batches of at least this many at a time.
       See also $default_recipient_refill_delay, which may result in recipient
       batches lower than this when this limit is too high for too slow
       deliveries.

       Use transport_recipient_refill_limit to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

       This feature is available in Postfix 2.4 and later.

default_transport (default: smtp)

       The default mail delivery transport and next-hop destination for
       destinations that do not match $mydestination, $inet_interfaces,
       $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
       $relay_domains. This information can be overruled with the
       sender_dependent_default_transport_maps parameter and with the
       transport(5) table.

       In order of decreasing precedence, the nexthop destination is taken
       from $sender_dependent_default_transport_maps, $default_transport,
       $sender_dependent_relayhost_maps, $relayhost, or from the recipient
       domain.

       Specify a string of the form transport:nexthop, where transport is the
       name of a mail delivery transport defined in master.cf. The :nexthop
       destination is optional; its syntax is documented in the manual page of
       the corresponding delivery agent.

       Example:

       default_transport = uucp:relayhostname

default_verp_delimiters (default: +=)

       The two default VERP delimiter characters. These are used when no
       explicit delimiters are specified with the SMTP XVERP command or with
       the "sendmail -V" command-line option. Specify characters that are
       allowed by the verp_delimiter_filter setting.

       This feature is available in Postfix 1.1 and later.

defer_code (default: 450)

       The numerical Postfix SMTP server response code when a remote SMTP
       client request is rejected by the "defer" restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

defer_service_name (default: defer)

       The name of the defer service. This service is implemented by the
       bounce(8) daemon and maintains a record of failed delivery attempts and
       generates non-delivery notifications.

       This feature is available in Postfix 2.0 and later.

defer_transports (default: empty)

       The names of message delivery transports that should not deliver mail
       unless someone issues "sendmail -q" or equivalent. Specify zero or more
       names of mail delivery transports that appear in the first field of
       master.cf.

       Example:

       defer_transports = smtp

delay_logging_resolution_limit (default: 2)

       The maximal number of digits after the decimal point when logging
       sub-second delay values. Specify a number in the range 0..6.

       Large delay values are rounded off to an integral number of seconds;
       delay values below the delay_logging_resolution_limit are logged as
       "0", and small delay values are logged with at most two-digit
       precision.

       The format of the "delays=a/b/c/d" logging is as follows:

       ·      a = time from message arrival to last active queue entry

       ·      b = time from last active queue entry to connection setup

       ·      c = time in connection setup, including DNS, EHLO and STARTTLS

       ·      d = time in message transmission

       This feature is available in Postfix 2.3 and later.
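
       The following Python sketch is an added example, not part of Postfix
       or of the original manual text. It splits the "delays=a/b/c/d" field
       of delivery log lines into the four stages listed above and reports
       deliveries whose slowest stage exceeds a threshold. The stage labels,
       the function names and the sample log lines are constructed for
       illustration.

```python
import re

# Labels for the a/b/c/d stages described above (names chosen for this example).
STAGES = ("arrival_to_active", "active_to_connect",
          "connection_setup", "transmission")

_NUM = r"\d+(?:\.\d+)?"
DELAYS_RE = re.compile(
    r"(?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>,.*?"
    r"\bdelay=(?P<delay>" + _NUM + r"), "
    r"delays=(?P<delays>" + _NUM + r"(?:/" + _NUM + r"){3})\b"
)

# Constructed sample input; hosts and addresses use documentation ranges.
SAMPLE_LOG = """\
Mar 20 14:31:40 mx1 postfix/smtpd[2099]: connect from client.example.net[198.51.100.7]
Mar 20 14:31:48 mx1 postfix/smtp[2101]: 3Pt2mN2VXxznjll: to=<user@example.org>, relay=mail.example.org[192.0.2.25]:25, delay=7.4, delays=0.05/0.01/7.2/0.14, dsn=2.0.0, status=sent (250 ok)
Mar 20 14:32:10 mx1 postfix/smtp[2102]: C3CD21F3E90: to=<ops@example.net>, relay=mx.example.net[192.0.2.80]:25, delay=0.43, delays=0.02/0/0.11/0.3, dsn=2.0.0, status=sent (250 ok)
Mar 20 15:40:02 mx1 postfix/smtp[2150]: A1B2C3D4E5F: to=<list@example.com>, relay=none, delay=3605, delays=3600/0.03/5/0, dsn=4.4.1, status=deferred (connect to mail.example.com[203.0.113.9]:25: Connection timed out)
"""


def parse_delays(line):
    """Return queue ID, recipient, total delay and per-stage delays, or None."""
    m = DELAYS_RE.search(line)
    if m is None:
        return None
    parts = [float(x) for x in m.group("delays").split("/")]
    return {
        "queue_id": m.group("qid"),
        "recipient": m.group("rcpt"),
        "delay": float(m.group("delay")),
        "stages": dict(zip(STAGES, parts)),
    }


def dominant_stage(record):
    """Name and duration of the stage that took longest for one delivery."""
    stage = max(record["stages"], key=record["stages"].get)
    return stage, record["stages"][stage]


def slow_deliveries(log_text, threshold=5.0):
    """List (queue_id, stage, seconds) where the slowest stage >= threshold."""
    hits = []
    for line in log_text.splitlines():
        record = parse_delays(line)
        if record is None:
            continue  # not a delivery status line
        stage, seconds = dominant_stage(record)
        if seconds >= threshold:
            hits.append((record["queue_id"], stage, seconds))
    return hits


if __name__ == "__main__":
    for queue_id, stage, seconds in slow_deliveries(SAMPLE_LOG):
        print(f"{queue_id}: {seconds:g}s in {stage}")
```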

delay_notice_recipient (default: postmaster)

       The recipient of postmaster notifications with the message headers of
       mail that cannot be delivered within $delay_warning_time time units.

       See also: delay_warning_time, notify_classes.

delay_warning_time (default: 0h)

       The time after which the sender receives a copy of the message headers
       of mail that is still queued.

       To enable this feature, specify a non-zero time value (an integral
       value plus an optional one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is h (hours).

       See also: delay_notice_recipient, notify_classes.

deliver_lock_attempts (default: 20)

       The maximal number of attempts to acquire an exclusive lock on a
       mailbox file or bounce(8) logfile.

deliver_lock_delay (default: 1s)

       The time between attempts to acquire an exclusive lock on a mailbox
       file or bounce(8) logfile.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

destination_concurrency_feedback_debug (default: no)

       Make the queue manager's feedback algorithm verbose for performance
       analysis purposes.

       This feature is available in Postfix 2.5 and later.

detect_8bit_encoding_header (default: yes)

       Automatically detect 8BITMIME body content by looking at
       Content-Transfer-Encoding: message headers; historically, this
       behavior was hard-coded to be "always on".

       This feature is available in Postfix 2.5 and later.

disable_dns_lookups (default: no)

       Disable DNS lookups in the Postfix SMTP and LMTP clients. When
       disabled, hosts are looked up with the getaddrinfo() system library
       routine which normally also looks in /etc/hosts.

       DNS lookups are enabled by default.

disable_mime_input_processing (default: no)

       Turn off MIME processing while receiving mail. This means that no
       special treatment is given to Content-Type: message headers, and that
       all text after the initial message headers is considered to be part of
       the message body.

       This feature is available in Postfix 2.0 and later.

       MIME input processing is enabled by default, and is needed in order to
       recognize MIME headers in message content.

disable_mime_output_conversion (default: no)

       Disable the conversion of 8BITMIME format to 7BIT format. MIME output
       conversion is needed when the destination does not advertise 8BITMIME
       support.

       This feature is available in Postfix 2.0 and later.

disable_verp_bounces (default: no)

       Disable sending one bounce report per recipient.

       The default, one per recipient, is what ezmlm needs.

       This feature is available in Postfix 1.1 and later.

disable_vrfy_command (default: no)

       Disable the SMTP VRFY command. This stops some techniques used to
       harvest email addresses.

       Example:

       disable_vrfy_command = no

dnsblog_reply_delay (default: 0s)

       A debugging aid to artificially delay DNS responses.

       This feature is available in Postfix 2.8.

dnsblog_service_name (default: dnsblog)

       The name of the dnsblog(8) service entry in master.cf. This service
       performs DNS white/blacklist lookups.

       This feature is available in Postfix 2.8 and later.

dont_remove (default: 0)

       Don't remove queue files and save them to the "saved" mail queue. This
       is a debugging aid. To inspect the envelope information and content of
       a Postfix queue file, use the postcat(1) command.

double_bounce_sender (default: double-bounce)

       The sender address of postmaster notifications that are generated by
       the mail system. All mail to this address is silently discarded, in
       order to terminate mail bounce loops.

duplicate_filter_limit (default: 1000)

       The maximal number of addresses remembered by the address duplicate
       filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
       queue displays.

empty_address_default_transport_maps_lookup_key (default: <>)

       The sender_dependent_default_transport_maps search string that will be
       used instead of the null sender address.

       This feature is available in Postfix 2.7 and later.

empty_address_recipient (default: MAILER-DAEMON)

       The recipient of mail addressed to the null address. Postfix does not
       accept such addresses in SMTP commands, but they may still be created
       locally as the result of configuration or software error.

empty_address_relayhost_maps_lookup_key (default: <>)

       The sender_dependent_relayhost_maps search string that will be used
       instead of the null sender address.

       This feature is available in Postfix 2.5 and later. With earlier
       versions, sender_dependent_relayhost_maps lookups were skipped for the
       null sender address.

enable_errors_to (default: no)

       Report mail delivery errors to the address specified with the
       non-standard Errors-To: message header, instead of the envelope sender
       address (this feature is removed with Postfix version 2.2, is turned
       off by default with Postfix version 2.1, and is always turned on with
       older Postfix versions).

enable_long_queue_ids (default: no)

       Enable long, non-repeating, queue IDs (queue file names). The benefit
       of non-repeating names is simpler logfile analysis and easier queue
       migration (there is no need to run "postsuper" to change queue file
       names that don't match their message file inode number).

       Note: see below for how to prepare long queue file names for migration
       to Postfix <= 2.8.

       Changing the parameter value to "yes" has the following effects:

       ·      Existing queue file names are not affected.

       ·      New queue files are created with names such as 3Pt2mN2VXxznjll.
              These are encoded in a 52-character alphabet that contains
              digits (0-9), upper-case letters (B-Z) and lower-case letters
              (b-z). For safety reasons the vowels (AEIOUaeiou) are excluded
              from the alphabet. The name format is: 6 or more characters for
              the time in seconds, 4 characters for the time in microseconds,
              the letter 'z'; the remainder is the file inode number encoded
              in the first 51 characters of the 52-character alphabet.

       ·      New messages have a Message-ID header with queueID@myhostname.

       ·      The mailq (postqueue -p) output has a wider Queue ID column.
              The number of whitespace-separated fields is not changed.

       ·      The hash_queue_depth algorithm uses the first characters of the
              queue file creation time in microseconds, after conversion into
              hexadecimal representation. This produces the same queue hashing
              behavior as if the queue file name was created with
              "enable_long_queue_ids = no".

       Changing the parameter value to "no" has the following effects:

       ·      Existing long queue file names are renamed to the short form
              (while running "postfix reload" or "postsuper").

       ·      New queue files are created with names such as C3CD21F3E90 from
              a hexadecimal alphabet that contains digits (0-9) and upper-case
              letters (A-F). The name format is: 5 characters for the time in
              microseconds; the remainder is the file inode number.

       ·      New messages have a Message-ID header with
              YYYYMMDDHHMMSS.queueid@myhostname, where YYYYMMDDHHMMSS are the
              year, month, day, hour, minute and second.

       ·      The mailq (postqueue -p) output has the same format as with
              Postfix <= 2.8.

       ·      The hash_queue_depth algorithm uses the first characters of the
              queue file name, with the hexadecimal representation of the file
              creation time in microseconds.

       Before migration to Postfix <= 2.8, the following commands are required
       to convert long queue file names into short names:

       # postfix stop
       # postconf enable_long_queue_ids=no
       # postsuper

       Repeat the postsuper command until it reports no more queue file name
       changes.

       This feature is available in Postfix 2.9 and later.
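
       The following Python sketch is an added example, not part of Postfix
       or of the original manual text. It decodes both queue file name
       formats described above, which helps when correlating log entries,
       Message-ID headers and queue files. Function names are hypothetical;
       the most-significant-digit-first ordering and the use of the last 'z'
       as the separator are assumptions drawn from the format description.

```python
import re
from datetime import datetime, timezone

# 52-character alphabet from the text above: digits, then upper-case and
# lower-case letters with the vowels removed.
ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
assert len(ALPHABET) == 52


def _decode(text, base):
    """Decode text written in the first `base` characters of ALPHABET.

    Assumption: the most significant digit comes first.
    """
    value = 0
    for ch in text:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= base:
            raise ValueError(f"character {ch!r} not valid in base {base}")
        value = value * base + digit
    return value


def parse_long_queue_id(qid):
    """Split a long queue ID into seconds, microseconds and inode number."""
    # The inode field uses only the first 51 characters, so it can never
    # contain 'z'; the last 'z' in the name is therefore the separator.
    sep = qid.rfind("z")
    if sep < 10 or sep == len(qid) - 1:
        raise ValueError("need 6+ time chars, 4 microsecond chars, 'z', inode")
    seconds = _decode(qid[:sep - 4], 52)
    microseconds = _decode(qid[sep - 4:sep], 52)
    if microseconds >= 1_000_000:
        raise ValueError("microsecond field out of range")
    return {
        "form": "long",
        "seconds": seconds,
        "microseconds": microseconds,
        "inode": _decode(qid[sep + 1:], 51),
        "created_utc": datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat(),
    }


def parse_short_queue_id(qid):
    """Split a short (hexadecimal) queue ID into microseconds and inode."""
    if not re.fullmatch(r"[0-9A-F]{6,}", qid):
        raise ValueError("short queue IDs use digits and upper-case A-F only")
    microseconds = int(qid[:5], 16)
    if microseconds >= 1_000_000:
        raise ValueError("microsecond field out of range")
    return {"form": "short", "microseconds": microseconds,
            "inode": int(qid[5:], 16)}


def parse_queue_id(qid):
    """Dispatch on the 'z' separator, which only long names contain."""
    return parse_long_queue_id(qid) if "z" in qid else parse_short_queue_id(qid)


if __name__ == "__main__":
    # The two sample names quoted in the text above.
    for name in ("3Pt2mN2VXxznjll", "C3CD21F3E90"):
        print(name, parse_queue_id(name))
```

       A short queue ID carries no seconds field, so only the long form
       yields a creation timestamp.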

enable_original_recipient (default: yes)

       Enable support for the X-Original-To message header. This header is
       needed for multi-recipient mailboxes.

       When this parameter is set to yes, the cleanup(8) daemon performs
       duplicate elimination on distinct pairs of (original recipient,
       rewritten recipient), and generates non-empty original recipient queue
       file records.

       When this parameter is set to no, the cleanup(8) daemon performs
       duplicate elimination on the rewritten recipient address only, and
       generates empty original recipient queue file records.

       This feature is available in Postfix 2.1 and later. With Postfix
       version 2.0, support for the X-Original-To message header is always
       turned on. Postfix versions before 2.0 have no support for the
       X-Original-To message header.

error_notice_recipient (default: postmaster)

       The recipient of postmaster notifications about mail delivery problems
       that are caused by policy, resource, software or protocol errors.
       These notifications are enabled with the notify_classes parameter.

error_service_name (default: error)

       The name of the error(8) pseudo delivery agent. This service always
       returns mail as undeliverable.

       This feature is available in Postfix 2.0 and later.

execution_directory_expansion_filter (default: see postconf -d output)

       Restrict the characters that the local(8) delivery agent allows in
       $name expansions of $command_execution_directory. Characters outside
       the allowed set are replaced by underscores.

       This feature is available in Postfix 2.2 and later.

expand_owner_alias (default: no)

       When delivering to an alias "aliasname" that has an "owner-aliasname"
       companion alias, set the envelope sender address to the expansion of
       the "owner-aliasname" alias. Normally, Postfix sets the envelope sender
       address to the name of the "owner-aliasname" alias.

export_environment (default: see postconf -d output)

       The list of environment variables that a Postfix process will export to
       non-Postfix processes. The TZ variable is needed for sane time keeping
       on System-V-ish systems.

       Specify a list of names and/or name=value pairs, separated by
       whitespace or comma. The name=value form is supported with Postfix
       version 2.1 and later.

       Example:

       export_environment = TZ PATH=/bin:/usr/bin

extract_recipient_limit (default: 10240)

       The maximal number of recipient addresses that Postfix will extract
       from message headers when mail is submitted with "sendmail -t".

       This feature was removed in Postfix version 2.1.

fallback_relay (default: empty)

       Optional list of relay hosts for SMTP destinations that can't be found
       or that are unreachable. With Postfix 2.3 this parameter is renamed to
       smtp_fallback_relay.

       By default, mail is returned to the sender when a destination is not
       found, and delivery is deferred when a destination is unreachable.

       The fallback relays must be SMTP destinations. Specify a domain, host,
       host:port, [host]:port, [address] or [address]:port; the form [host]
       turns off MX lookups. If you specify multiple SMTP destinations,
       Postfix will try them in the specified order.

       Note: before Postfix 2.2, do not use the fallback_relay feature when
       relaying mail for a backup or primary MX domain. Mail would loop
       between the Postfix MX host and the fallback_relay host when the final
       destination is unavailable.

       ·      In main.cf specify "relay_transport = relay",

       ·      In master.cf specify "-o fallback_relay =" (i.e., empty) at the
              end of the relay entry.

       ·      In transport maps, specify "relay:nexthop..." as the right-hand
              side for backup or primary MX domain entries.

       Postfix version 2.2 and later will not use the fallback_relay feature
       for destinations that it is MX host for.

fallback_transport (default: empty)

       Optional message delivery transport that the local(8) delivery agent
       should use for names that are not found in the aliases(5) or UNIX
       password database.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

fallback_transport_maps (default: empty)

       Optional lookup tables with per-recipient message delivery transports
       for recipients that the local(8) delivery agent could not find in the
       aliases(5) or UNIX password database.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

       For safety reasons, this feature does not allow $number substitutions
       in regular expression maps.

       This feature is available in Postfix 2.3 and later.

fast_flush_domains (default: $relay_domains)

       Optional list of destinations that are eligible for per-destination
       logfiles with mail that is queued to those destinations.

       By default, Postfix maintains "fast flush" logfiles only for
       destinations that the Postfix SMTP server is willing to relay to (i.e.
       the default is: "fast_flush_domains = $relay_domains"; see the
       relay_domains parameter in the postconf(5) manual).

       Specify a list of hosts or domains, "/file/name" patterns or
       "type:table" lookup tables, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace. A
       "/file/name" pattern is replaced by its contents; a "type:table" lookup
       table is matched when the domain or its parent domain appears as lookup
       key.

       Specify "fast_flush_domains =" (i.e., empty) to disable the feature
       altogether.

fast_flush_purge_time (default: 7d)

       The time after which an empty per-destination "fast flush" logfile is
       deleted.

       You can specify the time as a number, or as a number followed by a
       letter that indicates the time unit: s=seconds, m=minutes, h=hours,
       d=days, w=weeks. The default time unit is days.

fast_flush_refresh_time (default: 12h)

       The time after which a non-empty but unread per-destination "fast
       flush" logfile needs to be refreshed. The contents of a logfile are
       refreshed by requesting delivery of all messages listed in the logfile.

       You can specify the time as a number, or as a number followed by a
       letter that indicates the time unit: s=seconds, m=minutes, h=hours,
       d=days, w=weeks. The default time unit is hours.

fault_injection_code (default: 0)

       Force specific internal tests to fail, to test the handling of errors
       that are difficult to reproduce otherwise.

flush_service_name (default: flush)

       The name of the flush(8) service. This service maintains
       per-destination logfiles with the queue file names of mail that is
       queued for those destinations.

       This feature is available in Postfix 2.0 and later.

fork_attempts (default: 5)

       The maximal number of attempts to fork() a child process.

fork_delay (default: 1s)

       The delay between attempts to fork() a child process.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

forward_expansion_filter (default: see postconf -d output)

       Restrict the characters that the local(8) delivery agent allows in
       $name expansions of $forward_path. Characters outside the allowed set
       are replaced by underscores.

forward_path (default: see postconf -d output)

       The local(8) delivery agent search list for finding a .forward file
       with user-specified delivery methods. The first file that is found is
       used.

       The following $name expansions are done on forward_path before the
       search actually happens. The result of $name expansion is filtered with
       the character set that is specified with the forward_expansion_filter
       parameter.

       $user  The recipient's username.

       $shell The recipient's login shell pathname.

       $home  The recipient's home directory.

       $recipient
              The full recipient address.

       $extension
              The optional recipient address extension.

       $domain
              The recipient domain.

       $local The entire recipient localpart.

       $recipient_delimiter
              The system-wide recipient address extension delimiter.

       ${name?value}
              Expands to value when $name is non-empty.

       ${name:value}
              Expands to value when $name is empty.

       Instead of $name you can also specify ${name} or $(name).

       Examples:

       forward_path = /var/forward/$user
       forward_path =
           /var/forward/$user/.forward$recipient_delimiter$extension,
           /var/forward/$user/.forward

frozen_delivered_to (default: yes)

       Update the local(8) delivery agent's idea of the Delivered-To: address
       (see prepend_delivered_header) only once, at the start of a delivery
       attempt; do not update the Delivered-To: address while expanding
       aliases or .forward files.

       This feature is available in Postfix 2.3 and later. With older Postfix
       releases, the behavior is as if this parameter is set to "no". The old
       setting can be expensive with deeply nested aliases or .forward files.
       When an alias or .forward file changes the Delivered-To: address, it
       ties up one queue file and one cleanup process instance while mail is
       being forwarded.

hash_queue_depth (default: 1)

1918       The number of subdirectory levels for queue directories listed with the
1919       hash_queue_names parameter. Queue hashing is  implemented  by  creating
1920       one  or  more  levels  of directories with one-character names.  Origi‐
1921       nally, these directory names were equal to the first characters of  the
1922       queue  file  name, with the hexadecimal representation of the file cre‐
1923       ation time in microseconds.
1924
1925       With long queue file names, queue hashing produces the same results  as
1926       with  short  names. The file creation time in microseconds is converted
1927       into hexadecimal form before the result is used for queue hashing.  The
1928       base  16 encoding gives finer control over the number of subdirectories
1929       than is possible with the base 52 encoding of long queue file names.
1930
1931       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
1932       cute the command "postfix reload".
1933

hash_queue_names (default: deferred, defer)

1935       The names of queue directories that are split across multiple subdirec‐
1936       tory levels.
1937
1938       Before Postfix version 2.2, the default list of hashed queues was  sig‐
1939       nificantly  larger. Claims about improvements in file system technology
1940       suggest that hashing of the incoming and active  queues  is  no  longer
1941       needed.  Fewer  hashed  directories speed up the time needed to restart
1942       Postfix.
1943
1944       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
1945       cute the command "postfix reload".
1946

header_address_token_limit (default: 10240)

1948       The  maximal number of address tokens are allowed in an address message
1949       header. Information that exceeds the limit is discarded.  The limit  is
1950       enforced by the cleanup(8) server.
1951

header_checks (default: empty)

       Optional lookup tables for content inspection of primary non-MIME
       message headers, as specified in the header_checks(5) manual page.

header_size_limit (default: 102400)

       The maximal amount of memory in bytes for storing a message header. If
       a header is larger, the excess is discarded. The limit is enforced by
       the cleanup(8) server.

helpful_warnings (default: yes)

       Log warnings about problematic configuration settings, and provide
       helpful suggestions.

       This feature is available in Postfix 2.0 and later.

home_mailbox (default: empty)

       Optional pathname of a mailbox file relative to a local(8) user's home
       directory.

       Specify a pathname ending in "/" for qmail-style delivery.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

       Examples:

       home_mailbox = Mailbox
       home_mailbox = Maildir/

hopcount_limit (default: 50)

       The maximal number of Received: message headers that is allowed in the
       primary message headers. A message that exceeds the limit is bounced,
       in order to stop a mailer loop.

html_directory (default: see postconf -d output)

       The location of Postfix HTML files that describe how to build,
       configure or operate a specific Postfix subsystem or feature.

ignore_mx_lookup_error (default: no)

       Ignore DNS MX lookups that produce no response. By default, the
       Postfix SMTP client defers delivery and tries again after some delay.
       This behavior is required by the SMTP standard.

       Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup
       instead. This violates the SMTP standard and can result in mis-delivery
       of mail.

import_environment (default: see postconf -d output)

       The list of environment parameters that a Postfix process will import
       from a non-Postfix parent process. Examples of relevant parameters:

       TZ     Needed for sane time keeping on most System-V-ish systems.

       DISPLAY
              Needed for debugging Postfix daemons with an X-windows debugger.

       XAUTHORITY
              Needed for debugging Postfix daemons with an X-windows debugger.

       MAIL_CONFIG
              Needed to make "postfix -c" work.

       Specify a list of names and/or name=value pairs, separated by
       whitespace or comma. The name=value form is supported with Postfix
       version 2.1 and later.

in_flow_delay (default: 1s)

       Time to pause before accepting a new message, when the message arrival
       rate exceeds the message delivery rate. This feature is turned on by
       default (it's disabled on SCO UNIX due to an SCO bug).

       With the default 100 Postfix SMTP server process limit,
       "in_flow_delay = 1s" limits the mail inflow to 100 messages per second
       above the number of messages delivered per second.

       Specify 0 to disable the feature. Valid delays are 0..10.

inet_interfaces (default: all)

       The network interface addresses that this mail system receives mail on.
       Specify "all" to receive mail on all network interfaces (default), and
       "loopback-only" to receive mail on loopback network interfaces only
       (Postfix version 2.2 and later). The parameter also controls delivery
       of mail to user@[ip.address].

       Note 1: you need to stop and start Postfix when this parameter changes.

       Note 2: address information may be enclosed inside [], but this form is
       not required here.

       When inet_interfaces specifies just one IPv4 and/or IPv6 address that
       is not a loopback address, the Postfix SMTP client will use this
       address as the IP source address for outbound mail. Support for IPv6 is
       available in Postfix version 2.2 and later.

       On a multi-homed firewall with separate Postfix instances listening on
       the "inside" and "outside" interfaces, this can prevent each instance
       from being able to reach remote SMTP servers on the "other side" of the
       firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential
       problem for IPv4, and setting smtp_bind_address6 to :: solves the
       problem for IPv6.

       A better solution for multi-homed firewalls is to leave inet_interfaces
       at the default value and instead use explicit IP addresses in the
       master.cf SMTP server definitions. This preserves the Postfix SMTP
       client's loop detection, by ensuring that each side of the firewall
       knows that the other IP address is still the same host. Setting
       $inet_interfaces to a single IPv4 and/or IPv6 address is primarily
       useful with virtual hosting of domains on secondary IP addresses, when
       each IP address serves a different domain (and has a different
       $myhostname setting).

       See also the proxy_interfaces parameter, for network addresses that are
       forwarded to Postfix by way of a proxy or address translator.

       Examples:

       inet_interfaces = all (DEFAULT)
       inet_interfaces = loopback-only (Postfix version 2.2 and later)
       inet_interfaces = 127.0.0.1
       inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
       inet_interfaces = 192.168.1.2, 127.0.0.1

inet_protocols (default: all)

       The Internet protocols Postfix will attempt to use when making or
       accepting connections. Specify one or more of "ipv4" or "ipv6",
       separated by whitespace or commas. The form "all" is equivalent to
       "ipv4, ipv6" or "ipv4", depending on whether the operating system
       implements IPv6.

       With Postfix 2.8 and earlier the default is "ipv4". For backwards
       compatibility with these releases, the Postfix 2.9 and later upgrade
       procedure appends an explicit "inet_protocols = ipv4" setting to
       main.cf when no explicit setting is present. This compatibility
       workaround will be phased out as IPv6 deployment becomes more common.

       This feature is available in Postfix 2.2 and later.

       Note: you MUST stop and start Postfix after changing this parameter.

       On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
       will also accept IPv4 connections, even when IPv4 is turned off with
       the inet_protocols parameter. On systems with IPV6_V6ONLY support,
       Postfix will use separate server sockets for IPv6 and IPv4, and each
       will accept only connections for the corresponding protocol.

       When IPv4 support is enabled via the inet_protocols parameter, Postfix
       will look up DNS type A records, and will convert IPv4-in-IPv6 client
       IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
       The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
       3493).

       When IPv6 support is enabled via the inet_protocols parameter, Postfix
       will do DNS type AAAA record lookups.

       When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
       will attempt to connect via IPv6 before attempting to use IPv4.

       Examples:

       inet_protocols = ipv4
       inet_protocols = all (DEFAULT)
       inet_protocols = ipv6
       inet_protocols = ipv4, ipv6
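
       The Python model below is an added example, not Postfix code: it
       reproduces the inet_protocols rules above (record types, connection
       order, IPv4-in-IPv6 conversion) and shows why a log parser or policy
       service that compares client addresses against IPv4 networks has to
       apply the same conversion. Function names and the TRUSTED networks are
       assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample networks (documentation and loopback ranges).
TRUSTED = ["192.0.2.0/24", "127.0.0.0/8"]


def effective_protocols(inet_protocols, os_has_ipv6):
    """Expand an inet_protocols value into the set of enabled protocols."""
    names = {w.lower() for w in re.split(r"[\s,]+", inet_protocols) if w}
    unknown = names - {"all", "ipv4", "ipv6"}
    if unknown:
        raise ValueError("unsupported inet_protocols value: %s" % sorted(unknown))
    if "all" in names:
        # "all" means "ipv4, ipv6" or "ipv4", depending on the operating system.
        names = {"ipv4", "ipv6"} if os_has_ipv6 else {"ipv4"}
    return names


def client_plan(inet_protocols, os_has_ipv6=True):
    """DNS record types, in the order the SMTP client attempts connections."""
    enabled = effective_protocols(inet_protocols, os_has_ipv6)
    plan = []
    if "ipv6" in enabled:
        plan.append("AAAA")  # IPv6 is attempted before IPv4
    if "ipv4" in enabled:
        plan.append("A")
    return plan


def normalize_client_addr(text):
    """Undo IPv4-in-IPv6 mapping: ::ffff:1.2.3.4 becomes 1.2.3.4."""
    addr = ipaddress.ip_address(text.strip("[]"))  # accept the [addr] form
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def in_networks(text, networks, normalize=True):
    """True when the client address falls inside one of the networks."""
    if normalize:
        addr = normalize_client_addr(text)
    else:
        addr = ipaddress.ip_address(text.strip("[]"))
    # An IPv6 address is never "in" an IPv4 network, so a mapped address
    # that is not converted silently misses every IPv4 entry.
    return any(addr in ipaddress.ip_network(net) for net in networks)


if __name__ == "__main__":
    print(client_plan("all"))
    print(in_networks("::ffff:192.0.2.25", TRUSTED, normalize=False))
    print(in_networks("::ffff:192.0.2.25", TRUSTED))
```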

initial_destination_concurrency (default: 5)

       The initial per-destination concurrency level for parallel delivery to
       the same destination. With per-destination recipient limit > 1, a
       destination is a domain, otherwise it is a recipient.

       Use transport_initial_destination_concurrency to specify a
       transport-specific override, where transport is the master.cf name of
       the message delivery transport (Postfix 2.5 and later).

       Warning: with concurrency of 1, one bad message can be enough to block
       all mail to a site.

internal_mail_filter_classes (default: empty)

       What categories of Postfix-generated mail are subject to before-queue
       content inspection by non_smtpd_milters, header_checks and body_checks.
       Specify zero or more of the following, separated by whitespace or
       comma.

       bounce Inspect the content of delivery status notifications.

       notify Inspect the content of postmaster notifications by the smtp(8)
              and smtpd(8) processes.

       NOTE: It's generally not safe to enable content inspection of
       Postfix-generated email messages. The user is warned.

       This feature is available in Postfix 2.3 and later.

invalid_hostname_reject_code (default: 501)

       The numerical Postfix SMTP server response code when the client HELO or
       EHLO command parameter is rejected by the reject_invalid_helo_hostname
       restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

ipc_idle (default: version dependent)

       The time after which a client closes an idle internal communication
       channel. The purpose is to allow Postfix daemon processes to terminate
       voluntarily after they become idle. This is used, for example, by the
       Postfix address resolving and rewriting clients.

       With Postfix 2.4 the default value was reduced from 100s to 5s.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

ipc_timeout (default: 3600s)

       The time limit for sending or receiving information over an internal
       communication channel. The purpose is to break out of deadlock
       situations. If the time limit is exceeded the software aborts with a
       fatal error.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

ipc_ttl (default: 1000s)

       The time after which a client closes an active internal communication
       channel. The purpose is to allow Postfix daemon processes to terminate
       voluntarily after reaching their client limit. This is used, for
       example, by the Postfix address resolving and rewriting clients.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

line_length_limit (default: 2048)

       Upon input, long lines are chopped up into pieces of at most this
       length; upon delivery, long lines are reconstructed.

lmtp_address_preference (default: ipv6)

       The LMTP-specific version of the smtp_address_preference configuration
       parameter. See there for details.

       This feature is available in Postfix 2.8 and later.

lmtp_assume_final (default: no)

       When a remote LMTP server announces no DSN support, assume that the
       server performs final delivery, and send "delivered" delivery status
       notifications instead of "relayed". The default setting is backwards
       compatible to avoid the infinitesimal possibility of breaking existing
       LMTP-based content filters.

lmtp_bind_address (default: empty)

       The LMTP-specific version of the smtp_bind_address configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_bind_address6 (default: empty)

       The LMTP-specific version of the smtp_bind_address6 configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_body_checks (default: empty)

       The LMTP-specific version of the smtp_body_checks configuration
       parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_cache_connection (default: yes)

       Keep Postfix LMTP client connections open for up to $max_idle seconds.
       When the LMTP client receives a request for the same connection the
       connection is reused.

       This parameter is available in Postfix version 2.2 and earlier. With
       Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
       lmtp_connection_cache_destinations, or
       lmtp_connection_reuse_time_limit.

       The effectiveness of cached connections will be determined by the
       number of remote LMTP servers in use, and the concurrency limit
       specified for the Postfix LMTP client. Cached connections are closed
       under any of the following conditions:

       ·      The Postfix LMTP client idle time limit is reached. This limit
              is specified with the Postfix max_idle configuration parameter.

       ·      A delivery request specifies a different destination than the
              one currently cached.

       ·      The per-process limit on the number of delivery requests is
              reached. This limit is specified with the Postfix max_use
              configuration parameter.

       ·      Upon the onset of another delivery request, the remote LMTP
              server associated with the current session does not respond to
              the RSET command.

       Most of these limitations have been removed with the Postfix connection
       cache that is shared among multiple LMTP client programs.

lmtp_cname_overrides_servername (default: yes)

       The LMTP-specific version of the smtp_cname_overrides_servername
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_connect_timeout (default: 0s)

       The Postfix LMTP client time limit for completing a TCP connection, or
       zero (use the operating system built-in time limit). When no
       connection can be made within the deadline, the LMTP client tries the
       next address on the mail exchanger list.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       Example:

       lmtp_connect_timeout = 30s

lmtp_connection_cache_destinations (default: empty)

       The LMTP-specific version of the smtp_connection_cache_destinations
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_connection_cache_on_demand (default: yes)

       The LMTP-specific version of the smtp_connection_cache_on_demand
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_connection_cache_time_limit (default: 2s)

       The LMTP-specific version of the smtp_connection_cache_time_limit
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_connection_reuse_time_limit (default: 300s)

       The LMTP-specific version of the smtp_connection_reuse_time_limit
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_data_done_timeout (default: 600s)

       The Postfix LMTP client time limit for sending the LMTP ".", and for
       receiving the remote LMTP server response. When no response is
       received within the deadline, a warning is logged that the mail may be
       delivered multiple times.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_data_init_timeout (default: 120s)

       The Postfix LMTP client time limit for sending the LMTP DATA command,
       and for receiving the remote LMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_data_xfer_timeout (default: 180s)

       The Postfix LMTP client time limit for sending the LMTP message
       content. When the connection stalls for more than
       $lmtp_data_xfer_timeout the LMTP client terminates the transfer.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_defer_if_no_mx_address_found (default: no)

       The LMTP-specific version of the smtp_defer_if_no_mx_address_found
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same destination via
       the lmtp message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the first field
       in the entry in the master.cf file.

lmtp_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for the lmtp message
       delivery transport. This limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in the
       master.cf file.

       Setting this parameter to a value of 1 changes the meaning of
       lmtp_destination_concurrency_limit from concurrency per domain into
       concurrency per recipient.

lmtp_discard_lhlo_keyword_address_maps (default: empty)

       Lookup tables, indexed by the remote LMTP server address, with case
       insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
       that the Postfix LMTP client will ignore in the LHLO response from a
       remote LMTP server. See lmtp_discard_lhlo_keywords for details. The
       table is not indexed by hostname for consistency with
       smtpd_discard_ehlo_keyword_address_maps.

       This feature is available in Postfix 2.3 and later.

lmtp_discard_lhlo_keywords (default: empty)

       A case insensitive list of LHLO keywords (pipelining, starttls, auth,
       etc.) that the Postfix LMTP client will ignore in the LHLO response
       from a remote LMTP server.

       This feature is available in Postfix 2.3 and later.

       Notes:

       ·      Specify the silent-discard pseudo keyword to prevent this action
              from being logged.

       ·      Use the lmtp_discard_lhlo_keyword_address_maps feature to
              discard LHLO keywords selectively.

lmtp_dns_resolver_options (default: empty)

       The LMTP-specific version of the smtp_dns_resolver_options
       configuration parameter. See there for details.

       This feature is available in Postfix 2.8 and later.

lmtp_enforce_tls (default: no)

       The LMTP-specific version of the smtp_enforce_tls configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_generic_maps (default: empty)

       The LMTP-specific version of the smtp_generic_maps configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_header_checks (default: empty)

       The LMTP-specific version of the smtp_header_checks configuration
       parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_host_lookup (default: dns)

       The LMTP-specific version of the smtp_host_lookup configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_lhlo_name (default: $myhostname)

       The hostname to send in the LMTP LHLO command.

       The default value is the machine hostname. Specify a hostname or
       [ip.add.re.ss].

       This information can be specified in the main.cf file for all LMTP
       clients, or it can be specified in the master.cf file for a specific
       client, for example:

           /etc/postfix/master.cf:
               mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com

       This feature is available in Postfix 2.3 and later.

lmtp_lhlo_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the LHLO command, and
       for receiving the initial remote LMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_line_length_limit (default: 990)

       The LMTP-specific version of the smtp_line_length_limit configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_mail_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the MAIL FROM command,
       and for receiving the remote LMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_mime_header_checks (default: empty)

       The LMTP-specific version of the smtp_mime_header_checks configuration
       parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_mx_address_limit (default: 5)

       The LMTP-specific version of the smtp_mx_address_limit configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_mx_session_limit (default: 2)

       The LMTP-specific version of the smtp_mx_session_limit configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_nested_header_checks (default: empty)

       The LMTP-specific version of the smtp_nested_header_checks
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_per_record_deadline (default: no)

       The LMTP-specific version of the smtp_per_record_deadline configuration
       parameter. See there for details.

       This feature is available in Postfix 2.9 and later.

lmtp_pix_workaround_delay_time (default: 10s)

       The LMTP-specific version of the smtp_pix_workaround_delay_time
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_pix_workaround_maps (default: empty)

       The LMTP-specific version of the smtp_pix_workaround_maps configuration
       parameter. See there for details.

       This feature is available in Postfix 2.4 and later.

lmtp_pix_workaround_threshold_time (default: 500s)

       The LMTP-specific version of the smtp_pix_workaround_threshold_time
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_pix_workarounds (default: empty)

       The LMTP-specific version of the smtp_pix_workarounds configuration
       parameter. See there for details.

       This feature is available in Postfix 2.4 and later.

lmtp_quit_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the QUIT command, and
       for receiving the remote LMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_quote_rfc821_envelope (default: yes)

       The LMTP-specific version of the smtp_quote_rfc821_envelope
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_randomize_addresses (default: yes)

       The LMTP-specific version of the smtp_randomize_addresses configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_rcpt_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the RCPT TO command, and
       for receiving the remote LMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_reply_filter (default: empty)

       The LMTP-specific version of the smtp_reply_filter configuration
       parameter. See there for details.

       This feature is available in Postfix 2.7 and later.

lmtp_rset_timeout (default: 20s)

       The Postfix LMTP client time limit for sending the RSET command, and
       for receiving the remote LMTP server response. The LMTP client sends
       RSET in order to finish a recipient address probe, or to verify that a
       cached connection is still alive.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_sasl_auth_cache_name (default: empty)

       The LMTP-specific version of the smtp_sasl_auth_cache_name
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_sasl_auth_cache_time (default: 90d)

       The LMTP-specific version of the smtp_sasl_auth_cache_time
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_sasl_auth_enable (default: no)

       Enable SASL authentication in the Postfix LMTP client.

lmtp_sasl_auth_soft_bounce (default: yes)

       The LMTP-specific version of the smtp_sasl_auth_soft_bounce
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_sasl_mechanism_filter (default: empty)

       The LMTP-specific version of the smtp_sasl_mechanism_filter
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_sasl_password_maps (default: empty)

       Optional Postfix LMTP client lookup tables with one username:password
       entry per host or domain. If a remote host or domain has no
       username:password entry, then the Postfix LMTP client will not attempt
       to authenticate to the remote host.

lmtp_sasl_path (default: empty)

       Implementation-specific information that is passed through to the SASL
       plug-in implementation that is selected with lmtp_sasl_type. Typically
       this specifies the name of a configuration file or rendezvous point.

       This feature is available in Postfix 2.3 and later.

lmtp_sasl_security_options (default: noplaintext, noanonymous)

       SASL security options; as of Postfix 2.3 the list of available features
       depends on the SASL client implementation that is selected with
       lmtp_sasl_type.

       The following security features are defined for the cyrus client SASL
       implementation:

       noplaintext
              Disallow authentication methods that use plaintext passwords.

       noactive
              Disallow authentication methods that are vulnerable to
              non-dictionary active attacks.

       nodictionary
              Disallow authentication methods that are vulnerable to passive
              dictionary attack.

       noanonymous
              Disallow anonymous logins.

       Example:

       lmtp_sasl_security_options = noplaintext
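
       The Python checker below is an added example, not part of Postfix: it
       parses main.cf text using the format rules at the top of this page and
       reports settings that this page itself warns about, including an
       lmtp_sasl_security_options value that drops one of the default
       options. The sample main.cf and the "my_sasl_opts" parameter are
       constructed for illustration; conditional ${name?value} and
       ${name:value} forms are not expanded.

```python
import re

# Defaults as stated on this page for the parameters audited below.
DEFAULTS = {
    "ignore_mx_lookup_error": "no",
    "internal_mail_filter_classes": "",
    "initial_destination_concurrency": "5",
    "lmtp_sasl_auth_enable": "no",
    "lmtp_sasl_security_options": "noplaintext, noanonymous",
}

# Constructed sample main.cf, not taken from a real host.
# "my_sasl_opts" is a hypothetical user-defined parameter.
SAMPLE_MAIN_CF = """\
# mail gateway (constructed example)
ignore_mx_lookup_error = yes
internal_mail_filter_classes = bounce,
    notify
initial_destination_concurrency = 1
lmtp_sasl_auth_enable = yes
lmtp_sasl_security_options = noplaintext, noanonymous
my_sasl_opts = noplaintext
lmtp_sasl_security_options = $my_sasl_opts
"""


def parse_main_cf(text):
    """Parse main.cf text into {name: raw value}; the last definition wins."""
    params, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # empty line or comment line
        if raw[0].isspace():              # continuation of a logical line
            if current is not None:
                params[current] = (params[current] + " " + stripped).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            current = None                # not "parameter = value"; skip it
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


_REF = re.compile(r"\$(\$|\w+|\{\w+\}|\(\w+\))")


def expand(value, params, depth=0):
    """Expand $name, ${name}, $(name) and $$ recursively."""
    if depth > 10:                        # guard against self-referencing values
        return value

    def repl(match):
        token = match.group(1)
        if token == "$":
            return "$"
        name = token.strip("{}()")
        raw = params.get(name, DEFAULTS.get(name, ""))
        return expand(raw, params, depth + 1)

    return _REF.sub(repl, value)


def setting(params, name):
    """Effective value: explicit setting or page default, with $name expanded."""
    return expand(params.get(name, DEFAULTS.get(name, "")), params)


def words(value):
    """Split a list value on whitespace and/or commas."""
    return [w for w in re.split(r"[\s,]+", value) if w]


def audit(params):
    """Return (parameter, reason) pairs for settings this page warns about."""
    findings = []
    if setting(params, "ignore_mx_lookup_error").lower() == "yes":
        findings.append(("ignore_mx_lookup_error",
                         "violates the SMTP standard; can mis-deliver mail"))
    classes = words(setting(params, "internal_mail_filter_classes"))
    if classes:
        findings.append(("internal_mail_filter_classes",
                         "content inspection of Postfix-generated mail: "
                         + ", ".join(classes)))
    if setting(params, "initial_destination_concurrency") == "1":
        findings.append(("initial_destination_concurrency",
                         "one bad message can block all mail to a site"))
    if setting(params, "lmtp_sasl_auth_enable").lower() == "yes":
        have = {w.lower() for w in words(setting(params, "lmtp_sasl_security_options"))}
        missing = [o for o in ("noplaintext", "noanonymous") if o not in have]
        if missing:
            findings.append(("lmtp_sasl_security_options",
                             "default option(s) dropped: " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print("%s: %s" % (name, reason))
```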

lmtp_sasl_tls_security_options (default: $lmtp_sasl_security_options)

       The LMTP-specific version of the smtp_sasl_tls_security_options
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_sasl_tls_verified_security_options (default: $lmtp_sasl_tls_security_options)

       The LMTP-specific version of the
       smtp_sasl_tls_verified_security_options configuration parameter. See
       there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_sasl_type (default: cyrus)

       The SASL plug-in type that the Postfix LMTP client should use for
       authentication. The available types are listed with the "postconf -A"
       command.

       This feature is available in Postfix 2.3 and later.

lmtp_send_dummy_mail_auth (default: no)

       The LMTP-specific version of the smtp_send_dummy_mail_auth
       configuration parameter. See there for details.

       This feature is available in Postfix 2.9 and later.

lmtp_send_xforward_command (default: no)

       Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
       server response announces XFORWARD support. This allows an lmtp(8)
       delivery agent, used for content filter message injection, to forward
       the name, address, protocol and HELO name of the original client to the
       content filter and downstream queuing LMTP server. Before you change
       the value to yes, it is best to make sure that your content filter
       supports this command.

       This feature is available in Postfix 2.1 and later.

lmtp_sender_dependent_authentication (default: no)

2632       The  LMTP-specific  version of the smtp_sender_dependent_authentication
2633       configuration parameter.  See there for details.
2634
2635       This feature is available in Postfix 2.3 and later.
2636

lmtp_skip_5xx_greeting (default: yes)

2638       The LMTP-specific version of the  smtp_skip_5xx_greeting  configuration
2639       parameter.  See there for details.
2640
2641       This feature is available in Postfix 2.3 and later.
2642

lmtp_skip_quit_response (default: no)

       Wait for the response to the LMTP QUIT command.

lmtp_starttls_timeout (default: 300s)

       The LMTP-specific version of the smtp_starttls_timeout configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tcp_port (default: 24)

       The default TCP port that the Postfix LMTP client connects to.

lmtp_tls_CAfile (default: empty)

       The LMTP-specific version of the smtp_tls_CAfile configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_CApath (default: empty)

       The LMTP-specific version of the smtp_tls_CApath configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_block_early_mail_reply (default: empty)

       The LMTP-specific version of the smtp_tls_block_early_mail_reply
       configuration parameter. See there for details.

       This feature is available in Postfix 2.7 and later.

lmtp_tls_cert_file (default: empty)

       The LMTP-specific version of the smtp_tls_cert_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_ciphers (default: export)

       The LMTP-specific version of the smtp_tls_ciphers configuration
       parameter. See there for details.

       This feature is available in Postfix 2.6 and later.

lmtp_tls_dcert_file (default: empty)

       The LMTP-specific version of the smtp_tls_dcert_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_dkey_file (default: $lmtp_tls_dcert_file)

       The LMTP-specific version of the smtp_tls_dkey_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_eccert_file (default: empty)

       The LMTP-specific version of the smtp_tls_eccert_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.

lmtp_tls_eckey_file (default: empty)

       The LMTP-specific version of the smtp_tls_eckey_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.

lmtp_tls_enforce_peername (default: yes)

       The LMTP-specific version of the smtp_tls_enforce_peername
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_exclude_ciphers (default: empty)

       The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_fingerprint_cert_match (default: empty)

       The LMTP-specific version of the smtp_tls_fingerprint_cert_match
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_tls_fingerprint_digest (default: md5)

       The LMTP-specific version of the smtp_tls_fingerprint_digest
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_tls_key_file (default: $lmtp_tls_cert_file)

       The LMTP-specific version of the smtp_tls_key_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_loglevel (default: 0)

       The LMTP-specific version of the smtp_tls_loglevel configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_mandatory_ciphers (default: empty)

       The LMTP-specific version of the smtp_tls_mandatory_ciphers
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_mandatory_exclude_ciphers (default: empty)

       The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_mandatory_protocols (default: !SSLv2)

       The LMTP-specific version of the smtp_tls_mandatory_protocols
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_note_starttls_offer (default: no)

       The LMTP-specific version of the smtp_tls_note_starttls_offer
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_per_site (default: empty)

       The LMTP-specific version of the smtp_tls_per_site configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_policy_maps (default: empty)

       The LMTP-specific version of the smtp_tls_policy_maps configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_protocols (default: empty)

       The LMTP-specific version of the smtp_tls_protocols configuration
       parameter. See there for details.

       This feature is available in Postfix 2.6 and later.

lmtp_tls_scert_verifydepth (default: 9)

       The LMTP-specific version of the smtp_tls_scert_verifydepth
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_secure_cert_match (default: nexthop)

       The LMTP-specific version of the smtp_tls_secure_cert_match
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_security_level (default: empty)

       The LMTP-specific version of the smtp_tls_security_level configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_session_cache_database (default: empty)

       The LMTP-specific version of the smtp_tls_session_cache_database
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_session_cache_timeout (default: 3600s)

       The LMTP-specific version of the smtp_tls_session_cache_timeout
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_verify_cert_match (default: hostname)

       The LMTP-specific version of the smtp_tls_verify_cert_match
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_use_tls (default: no)

       The LMTP-specific version of the smtp_use_tls configuration parameter.
       See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_xforward_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the XFORWARD command,
       and for receiving the remote LMTP server response.

       In case of problems the client does NOT try the next address on the
       mail exchanger list.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

local_command_shell (default: empty)

       Optional shell program for local(8) delivery to non-Postfix commands.
       By default, non-Postfix commands are executed directly; commands are
       given to the default shell (typically, /bin/sh) only when they
       contain shell meta characters or shell built-in commands.

       "sendmail's restricted shell" (smrsh) is what most people will use in
       order to restrict what programs can be run from e.g. .forward files
       (smrsh is part of the Sendmail distribution).

       Note: when a shell program is specified, it is invoked even when the
       command contains no shell built-in commands or meta characters.

       Example:

       local_command_shell = /some/where/smrsh -c
       local_command_shell = /bin/bash -c

local_destination_concurrency_limit (default: 2)

       The maximal number of parallel deliveries via the local mail delivery
       transport to the same recipient (when
       "local_destination_recipient_limit = 1") or the maximal number of
       parallel deliveries to the same local domain (when
       "local_destination_recipient_limit > 1"). This limit is enforced by
       the queue manager. The message delivery transport name is the first
       field in the entry in the master.cf file.

       A low limit of 2 is recommended, just in case someone has an expensive
       shell command in a .forward file or in an alias (e.g., a mailing list
       manager). You don't want to run lots of those at the same time.

local_destination_recipient_limit (default: 1)

       The maximal number of recipients per message delivery via the local
       mail delivery transport. This limit is enforced by the queue manager.
       The message delivery transport name is the first field in the entry in
       the master.cf file.

       Setting this parameter to a value > 1 changes the meaning of
       local_destination_concurrency_limit from concurrency per recipient
       into concurrency per domain.

local_header_rewrite_clients (default: permit_inet_interfaces)

       Rewrite message header addresses in mail from these clients and update
       incomplete addresses with the domain name in $myorigin or $mydomain;
       either don't rewrite message headers from other clients at all, or
       rewrite message headers and update incomplete addresses with the domain
       specified in the remote_header_rewrite_domain parameter.

       See the append_at_myorigin and append_dot_mydomain parameters for
       details of how domain names are appended to incomplete addresses.

       Specify a list of zero or more of the following:

       permit_inet_interfaces
              Append the domain name in $myorigin or $mydomain when the client
              IP address matches $inet_interfaces. This is enabled by default.

       permit_mynetworks
              Append the domain name in $myorigin or $mydomain when the client
              IP address matches any network or network address listed in
              $mynetworks. This setting will not prevent remote mail header
              address rewriting when mail from a remote client is forwarded by
              a neighboring system.

       permit_sasl_authenticated
              Append the domain name in $myorigin or $mydomain when the client
              is successfully authenticated via the RFC 4954 (AUTH) protocol.

       permit_tls_clientcerts
              Append the domain name in $myorigin or $mydomain when the remote
              SMTP client TLS certificate fingerprint or public key
              fingerprint (Postfix 2.9 and later) is listed in
              $relay_clientcerts. The fingerprint digest algorithm is
              configurable via the smtpd_tls_fingerprint_digest parameter
              (hard-coded as md5 prior to Postfix version 2.5).

       permit_tls_all_clientcerts
              Append the domain name in $myorigin or $mydomain when the remote
              SMTP client TLS certificate is successfully verified, regardless
              of whether it is listed on the server, and regardless of the
              certifying authority.

       check_address_map type:table

       type:table
              Append the domain name in $myorigin or $mydomain when the client
              IP address matches the specified lookup table. The lookup
              result is ignored, and no subnet lookup is done. This is
              suitable for, e.g., pop-before-smtp lookup tables.

       Examples:

       The Postfix < 2.2 backwards compatible setting: always rewrite message
       headers, and always append my own domain to incomplete header
       addresses.

           local_header_rewrite_clients = static:all

       The purist (and default) setting: rewrite headers only in mail from
       Postfix sendmail and in SMTP mail from this machine.

           local_header_rewrite_clients = permit_inet_interfaces

       The intermediate setting: rewrite header addresses and append $myorigin
       or $mydomain information only with mail from Postfix sendmail, from
       local clients, or from authorized SMTP clients.

       Note: this setting will not prevent remote mail header address
       rewriting when mail from a remote client is forwarded by a neighboring
       system.

           local_header_rewrite_clients = permit_mynetworks,
               permit_sasl_authenticated permit_tls_clientcerts
               check_address_map hash:/etc/postfix/pop-before-smtp

local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)

       Lookup tables with all names or addresses of local recipients: a
       recipient address is local when its domain matches $mydestination,
       $inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card
       for domains that do not have a valid recipient list. Technically,
       tables listed with $local_recipient_maps are used as lists: Postfix
       needs to know only if a lookup string is found or not, but it does not
       use the result from table lookup.

       If this parameter is non-empty (the default), then the Postfix SMTP
       server will reject mail for unknown local users.

       To turn off local recipient checking in the Postfix SMTP server,
       specify "local_recipient_maps =" (i.e. empty).

       The default setting assumes that you use the default Postfix local
       delivery agent for local delivery. You need to update the
       local_recipient_maps setting if:

       ·      You redefine the local delivery agent in master.cf.

       ·      You redefine the "local_transport" setting in main.cf.

       ·      You use the "luser_relay", "mailbox_transport", or
              "fallback_transport" feature of the Postfix local(8) delivery
              agent.

       Details are described in the LOCAL_RECIPIENT_README file.

       Beware: if the Postfix SMTP server runs chrooted, you need to access
       the passwd file via the proxymap(8) service, in order to overcome
       chroot access restrictions. The alternative, maintaining a copy of the
       system password file in the chroot jail, is not practical.

       Examples:

       local_recipient_maps =

local_transport (default: local:$myhostname)

       The default mail delivery transport and next-hop destination for final
       delivery to domains listed with mydestination, and for [ipaddress]
       destinations that match $inet_interfaces or $proxy_interfaces. This
       information can be overruled with the transport(5) table.

       By default, local mail is delivered to the transport called "local",
       which is just the name of a service that is defined in the master.cf
       file.

       Specify a string of the form transport:nexthop, where transport is the
       name of a mail delivery transport defined in master.cf. The :nexthop
       destination is optional; its syntax is documented in the manual page of
       the corresponding delivery agent.

       Beware: if you override the default local delivery agent then you need
       to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
       server may reject mail for local recipients.

luser_relay (default: empty)

       Optional catch-all destination for unknown local(8) recipients. By
       default, mail for unknown recipients in domains that match
       $mydestination, $inet_interfaces or $proxy_interfaces is returned as
       undeliverable.

       The following $name expansions are done on luser_relay:

       $domain
              The recipient domain.

       $extension
              The recipient address extension.

       $home  The recipient's home directory.

       $local The entire recipient address localpart.

       $recipient
              The full recipient address.

       $recipient_delimiter
              The system-wide recipient address extension delimiter.

       $shell The recipient's login shell.

       $user  The recipient username.

       ${name?value}
              Expands to value when $name has a non-empty value.

       ${name:value}
              Expands to value when $name has an empty value.

       Instead of $name you can also specify ${name} or $(name).

       Note: luser_relay works only for the Postfix local(8) delivery agent.

       Note: if you use this feature for accounts not in the UNIX password
       file, then you must specify "local_recipient_maps =" (i.e. empty) in
       the main.cf file, otherwise the Postfix SMTP server will reject mail
       for non-UNIX accounts with "User unknown in local recipient table".

       Examples:

       luser_relay = $user@other.host
       luser_relay = $local@other.host
       luser_relay = admin+$local

mail_name (default: Postfix)

       The mail system name that is displayed in Received: headers, in the
       SMTP greeting banner, and in bounced mail.

mail_owner (default: postfix)

       The UNIX system account that owns the Postfix queue and most Postfix
       daemon processes. Specify the name of an unprivileged user account
       that does not share a user or group ID with other accounts, and that
       owns no other files or processes on the system. In particular, don't
       specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.

       When this parameter value is changed you need to re-run
       "postfix set-permissions" (with Postfix version 2.0 and earlier:
       "/etc/postfix/post-install set-permissions").

mail_release_date (default: see postconf -d output)

       The Postfix release date, in "YYYYMMDD" format.

mail_spool_directory (default: see postconf -d output)

       The directory where local(8) UNIX-style mailboxes are kept. The default
       setting depends on the system type. Specify a name ending in / for
       maildir-style delivery.

       Note: maildir delivery is done with the privileges of the recipient.
       If you use the mail_spool_directory setting for maildir style delivery,
       then you must create the top-level maildir directory in advance.
       Postfix will not create it.

       Examples:

       mail_spool_directory = /var/mail
       mail_spool_directory = /var/spool/mail

mail_version (default: see postconf -d output)

       The version of the mail system. Stable releases are named
       major.minor.patchlevel. Experimental releases also include the release
       date. The version string can be used in, for example, the SMTP greeting
       banner.

mailbox_command (default: empty)

       Optional external command that the local(8) delivery agent should use
       for mailbox delivery. The command is run with the user ID and the
       primary group ID privileges of the recipient. Exception: command
       delivery for root executes with $default_privs privileges. This is not
       a problem, because 1) mail for root should always be aliased to a real
       user and 2) don't log in as root, use "su" instead.

       The following environment variables are exported to the command:

       CLIENT_ADDRESS
              Remote client network address. Available in Postfix version 2.2
              and later.

       CLIENT_HELO
              Remote client EHLO command parameter. Available in Postfix
              version 2.2 and later.

       CLIENT_HOSTNAME
              Remote client hostname. Available in Postfix version 2.2 and
              later.

       CLIENT_PROTOCOL
              Remote client protocol. Available in Postfix version 2.2 and
              later.

       DOMAIN The domain part of the recipient address.

       EXTENSION
              The optional address extension.

       HOME   The recipient home directory.

       LOCAL  The recipient address localpart.

       LOGNAME
              The recipient's username.

       ORIGINAL_RECIPIENT
              The entire recipient address, before any address rewriting or
              aliasing.

       RECIPIENT
              The full recipient address.

       SASL_METHOD
              SASL authentication method specified in the remote client AUTH
              command. Available in Postfix version 2.2 and later.

       SASL_SENDER
              SASL sender address specified in the remote client MAIL FROM
              command. Available in Postfix version 2.2 and later.

       SASL_USER
              SASL username specified in the remote client AUTH command.
              Available in Postfix version 2.2 and later.

       SENDER The full sender address.

       SHELL  The recipient's login shell.

       USER   The recipient username.

       Unlike other Postfix configuration parameters, the mailbox_command
       parameter is not subjected to $name substitutions. This is to make it
       easier to specify shell syntax (see example below).

       If you can, avoid shell meta characters because they will force Postfix
       to run an expensive shell process. If you're delivering via Procmail
       then running a shell won't make a noticeable difference in the total
       cost.

       Note: if you use the mailbox_command feature to deliver mail
       system-wide, you must set up an alias that forwards mail for root to a
       real user.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

       Examples:

       mailbox_command = /some/where/procmail
       mailbox_command = /some/where/procmail -a "$EXTENSION"
       mailbox_command = /some/where/maildrop -d "$USER"
               -f "$SENDER" "$EXTENSION"

mailbox_command_maps (default: empty)

       Optional lookup tables with per-recipient external commands to use for
       local(8) mailbox delivery. Behavior is as with mailbox_command.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

mailbox_delivery_lock (default: see postconf -d output)

       How to lock a UNIX-style local(8) mailbox before attempting delivery.
       For a list of available file locking methods, use the "postconf -l"
       command.

       This setting is ignored with maildir style delivery, because such
       deliveries are safe without explicit locks.

       Note: The dotlock method requires that the recipient UID or GID has
       write access to the parent directory of the mailbox file.

       Note: the default setting of this parameter is system dependent.

mailbox_size_limit (default: 51200000)

       The maximal size of any local(8) individual mailbox or maildir file, or
       zero (no limit). In fact, this limits the size of any file that is
       written to upon local delivery, including files written by external
       commands that are executed by the local(8) delivery agent.

       This limit must not be smaller than the message size limit.

mailbox_transport (default: empty)

       Optional message delivery transport that the local(8) delivery agent
       should use for mailbox delivery to all local recipients, whether or not
       they are found in the UNIX passwd database.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

mailbox_transport_maps (default: empty)

       Optional lookup tables with per-recipient message delivery transports
       to use for local(8) mailbox delivery, whether or not the recipients are
       found in the UNIX passwd database.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

       For safety reasons, this feature does not allow $number substitutions
       in regular expression maps.

       This feature is available in Postfix 2.3 and later.

mailq_path (default: see postconf -d output)

       Sendmail compatibility feature that specifies where the Postfix
       mailq(1) command is installed. This command can be used to list the
       Postfix mail queue.

manpage_directory (default: see postconf -d output)

       Where the Postfix manual pages are installed.

maps_rbl_domains (default: empty)

       Obsolete feature: use the reject_rbl_client feature instead.
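
       The mail_owner, mailbox_size_limit, luser_relay and maps_rbl_domains
       entries above each state a constraint that can be checked mechanically.
       The following checker is an added example, not part of Postfix; the
       sample main.cf text is constructed, and message_size_limit with its
       default of 10240000 is taken from the Postfix defaults rather than from
       this section.

```python
# Added example (not Postfix code): check a main.cf for constraints stated in
# the mail_owner, mailbox_size_limit, luser_relay and maps_rbl_domains entries.

DEFAULTS = {
    "mail_owner": "postfix",            # default given on this page
    "mailbox_size_limit": "51200000",   # default given on this page
    "message_size_limit": "10240000",   # Postfix default, not listed in this section
    "maps_rbl_domains": "",
    "luser_relay": "",
}

# Constructed sample input; note that mailbox_size_limit is defined twice.
SAMPLE = """\
# constructed example main.cf
mail_owner = nobody
message_size_limit = 20480000
mailbox_size_limit = 10240000
mailbox_size_limit =
    15360000
maps_rbl_domains = rbl.example.org
luser_relay = admin+$local
"""


def parse_main_cf(text):
    """Return {parameter: value} using the main.cf rules from DESCRIPTION:
    '#' comments and blank lines are ignored, a line starting with whitespace
    continues the logical line, and the last definition of a parameter wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            current = None      # not a "parameter = value" line
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def _as_int(value):
    """Plain decimal value, or None for $name references and other text."""
    return int(value) if value.isdigit() else None


def check(params):
    """Return a list of (parameter, message) findings."""
    cfg = dict(DEFAULTS, **params)
    findings = []

    if cfg["mail_owner"] in ("nobody", "daemon"):
        findings.append(("mail_owner",
                         "shared system account; use a dedicated user and group ID"))

    mailbox = _as_int(cfg["mailbox_size_limit"])
    message = _as_int(cfg["message_size_limit"])
    if mailbox is None or message is None:
        findings.append(("mailbox_size_limit",
                         "size limits are not plain integers; compare by hand"))
    elif mailbox != 0 and mailbox < message:
        findings.append(("mailbox_size_limit",
                         "%d is smaller than message_size_limit %d" % (mailbox, message)))

    if cfg["maps_rbl_domains"]:
        findings.append(("maps_rbl_domains",
                         "obsolete; use reject_rbl_client instead"))

    # luser_relay for accounts outside the UNIX password file only works when
    # local_recipient_maps is explicitly set to empty.
    if cfg["luser_relay"] and params.get("local_recipient_maps") != "":
        findings.append(("luser_relay",
                         "set 'local_recipient_maps =' if the relay serves "
                         "accounts that are not in the UNIX password file"))
    return findings


if __name__ == "__main__":
    for parameter, message in check(parse_main_cf(SAMPLE)):
        print("%s: %s" % (parameter, message))
```

       Values that refer to other parameters with $name are not expanded by
       this checker; compare against "postconf" output when they are used.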

maps_rbl_reject_code (default: 554)

       The numerical Postfix SMTP server response code when a remote SMTP
       client request is blocked by the reject_rbl_client,
       reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender
       or reject_rhsbl_recipient restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

masquerade_classes (default: envelope_sender, header_sender, header_recipient)

       What addresses are subject to address masquerading.

       By default, address masquerading is limited to envelope sender
       addresses, and to header sender and header recipient addresses. This
       allows you to use address masquerading on a mail gateway while still
       being able to forward mail to users on individual machines.

       Specify zero or more of: envelope_sender, envelope_recipient,
       header_sender, header_recipient

masquerade_domains (default: empty)

       Optional list of domains whose subdomain structure will be stripped off
       in email addresses.

       The list is processed left to right, and processing stops at the first
       match. Thus,

           masquerade_domains = foo.example.com example.com

       strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
       strips "user@any.thing.else.example.com" to "user@example.com".

       A domain name prefixed with ! means do not masquerade this domain or
       its subdomains. Thus,

           masquerade_domains = !foo.example.com example.com

       does not change "user@any.thing.foo.example.com" or
       "user@foo.example.com", but strips "user@any.thing.else.example.com"
       to "user@example.com".

       Note: with Postfix version 2.2, message header address masquerading
       happens only when message header address rewriting is enabled:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Example:

       masquerade_domains = $mydomain
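
       Because processing stops at the first match, the order of
       masquerade_domains entries decides whether a "!" exception ever takes
       effect. The following model of the rules described above is an added
       example, not Postfix source code; the function names are hypothetical,
       $name references are not expanded, and accepting commas as separators
       is an assumption.

```python
# Added example (not Postfix code): a model of the masquerade_domains matching
# rules described above, plus a check for entries that can never match.


def _entries(masquerade_domains):
    """Yield (negated, domain) for each list entry, in configuration order."""
    # Assumption: commas are accepted as separators, as in other Postfix lists.
    for entry in masquerade_domains.replace(",", " ").split():
        yield entry.startswith("!"), entry.lstrip("!").lower()


def _covers(name, domain):
    """True when domain is `name` itself or one of its subdomains."""
    return domain == name or domain.endswith("." + name)


def masquerade(address, masquerade_domains):
    """Apply the list left to right; the first matching entry decides."""
    local, at, domain = address.rpartition("@")
    if not at:
        return address                  # no domain part, nothing to strip
    domain_lc = domain.lower()
    for negated, name in _entries(masquerade_domains):
        if not _covers(name, domain_lc):
            continue
        if negated or domain_lc == name:
            return address              # exception, or nothing left to strip
        return local + "@" + name       # strip the subdomain structure
    return address


def shadowed_entries(masquerade_domains):
    """Return entries that can never be the first match because an earlier
    entry already covers every domain they would match."""
    seen, shadowed = [], []
    for negated, name in _entries(masquerade_domains):
        if any(_covers(earlier, name) for earlier in seen):
            shadowed.append(("!" if negated else "") + name)
        seen.append(name)
    return shadowed


if __name__ == "__main__":
    good = "!foo.example.com example.com"
    bad = "example.com !foo.example.com"    # exception listed too late
    for setting in (good, bad):
        print(setting)
        print("  ", masquerade("user@any.thing.foo.example.com", setting))
        print("   shadowed:", shadowed_entries(setting))
```

       With the exception listed after example.com, the model reports
       "!foo.example.com" as shadowed and the foo.example.com subdomains are
       masqueraded anyway.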

masquerade_exceptions (default: empty)

       Optional list of user names that are not subjected to address
       masquerading, even when their address matches $masquerade_domains.

       By default, address masquerading makes no exceptions.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a name from the list. The form "!/file/name" is
       supported only in Postfix version 2.4 and later.

       Examples:

       masquerade_exceptions = root, mailer-daemon
       masquerade_exceptions = root

master_service_disable (default: empty)

       Selectively disable master(8) listener ports by service type or by
       service name and type. Specify a list of service types ("inet", "unix",
       "fifo", or "pass") or "name.type" tuples, where "name" is the first
       field of a master.cf entry and "type" is a service type. As with other
       Postfix matchlists, a search stops at the first match. Specify
       "!pattern" to exclude a service from the list. By default, all
       master(8) listener ports are enabled.

       Note: this feature does not support "/file/name" or "type:table"
       patterns, nor does it support wildcards such as "*" or "all". This is
       intentional.

       Examples:

       # Turn on all master(8) listener ports (the default).
       master_service_disable =
       # Turn off only the main SMTP listener port.
       master_service_disable = smtp.inet
       # Turn off all TCP/IP listener ports.
       master_service_disable = inet
       # Turn off all TCP/IP listener ports except "foo".
       master_service_disable = !foo.inet, inet

       This feature is available in Postfix 2.6 and later.

max_idle (default: 100s)

3362       The maximum amount of time that an idle Postfix  daemon  process  waits
3363       for an incoming connection before terminating voluntarily.  This param‐
3364       eter is ignored by the Postfix queue manager and  by  other  long-lived
3365       Postfix daemon processes.
3366
3367       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3368       The default time unit is s (seconds).
3369

max_use (default: 100)

3371       The maximal number  of  incoming  connections  that  a  Postfix  daemon
3372       process will service before terminating voluntarily.  This parameter is
3373       ignored by the Postfix queue manager and by  other  long-lived  Postfix
3374       daemon processes.
3375

maximal_backoff_time (default: 4000s)

3377       The maximal time between attempts to deliver a deferred message.
3378
3379       This parameter should be set to a value greater than or equal to $mini‐
3380       mal_backoff_time. See also $queue_run_delay.
3381
3382       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3383       The default time unit is s (seconds).
3384

maximal_queue_lifetime (default: 5d)

       Consider a message undeliverable when delivery fails with a temporary
       error and the time in the queue has reached the
       maximal_queue_lifetime limit.
3389
3390       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3391       The default time unit is d (days).
3392
3393       Specify 0 when mail delivery should be tried only once.
3394

message_reject_characters (default: empty)

3396       The set of characters that Postfix will reject in message content.  The
3397       usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3398       (up to three octal digits) and \\.
3399
3400       Note 1: this feature does not recognize text that requires MIME  decod‐
3401       ing.  It  inspects  raw  message  content,  just like header_checks and
3402       body_checks.
3403
3404       Note 2: this  feature  is  disabled  with  "receive_override_options  =
3405       no_header_body_checks".
3406
3407       Example:
3408
3409       message_reject_characters = \0
3410
3411       This feature is available in Postfix 2.3 and later.
3412

message_size_limit (default: 10240000)

3414       The maximal size in bytes of a message, including envelope information.
3415
3416       Note:  be  careful  when making changes.  Excessively small values will
3417       result in the loss of non-delivery notifications, when a bounce message
3418       size exceeds the local or remote MTA's message size limit.
3419

message_strip_characters (default: empty)

3421       The  set  of  characters that Postfix will remove from message content.
3422       The usual C-like escape sequences are recognized: \a \b \f \n \r \t  \v
3423       \ddd (up to three octal digits) and \\.
3424
3425       Note  1: this feature does not recognize text that requires MIME decod‐
3426       ing. It inspects raw  message  content,  just  like  header_checks  and
3427       body_checks.
3428
3429       Note  2:  this  feature  is  disabled  with "receive_override_options =
3430       no_header_body_checks".
3431
3432       Example:
3433
3434       message_strip_characters = \0
3435
3436       This feature is available in Postfix 2.3 and later.
3437
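       The raw-content caveat in Note 1 of message_reject_characters and
       message_strip_characters, as an added example (not Postfix code): it
       expands the escape syntax listed above and scans constructed sample
       messages. The function names and sample messages are assumptions of
       this example, and so is its choice to report escapes the page does not
       list rather than guess their meaning.

```python
import base64

# Escapes the page lists: \a \b \f \n \r \t \v, \ddd (octal) and \\.
_SIMPLE = {ord("a"): 7, ord("b"): 8, ord("f"): 12, ord("n"): 10,
           ord("r"): 13, ord("t"): 9, ord("v"): 11, ord("\\"): 0x5C}
_OCTAL = b"01234567"


def parse_charset(spec):
    """Expand a message_reject_characters / message_strip_characters value
    into the set of byte values it names."""
    data = spec.encode("latin-1")
    found, i = set(), 0
    while i < len(data):
        byte = data[i]
        i += 1
        if byte != 0x5C:                      # ordinary character, taken as is
            found.add(byte)
            continue
        if i == len(data):
            raise ValueError("backslash at end of value")
        if data[i] in _SIMPLE:
            found.add(_SIMPLE[data[i]])
            i += 1
        elif data[i] in _OCTAL:
            j = i
            while j < len(data) and j - i < 3 and data[j] in _OCTAL:
                j += 1                        # consume at most three digits
            value = int(data[i:j], 8)
            if value > 0xFF:
                raise ValueError("octal escape does not fit in one byte")
            found.add(value)
            i = j
        else:
            # Assumption of this example: escapes the page does not list
            # are reported instead of being guessed at.
            raise ValueError("unrecognized escape \\" + chr(data[i]))
    return frozenset(found)


def first_rejected(raw, spec):
    """Offset of the first byte of raw that spec names, or None if clean."""
    bad = parse_charset(spec)
    for offset, byte in enumerate(raw):
        if byte in bad:
            return offset
    return None


def strip_characters(raw, spec):
    """Return raw with every byte that spec names removed."""
    return raw.translate(None, bytes(parse_charset(spec)))


# Constructed samples: the same NUL-bearing payload, once as raw content and
# once base64-encoded inside a MIME message.
PAYLOAD = b"line one\x00line two"
RAW_MESSAGE = b"Subject: raw\r\n\r\n" + PAYLOAD + b"\r\n"
MIME_MESSAGE = (b"Subject: encoded\r\n"
                b"MIME-Version: 1.0\r\n"
                b"Content-Transfer-Encoding: base64\r\n\r\n"
                + base64.b64encode(PAYLOAD) + b"\r\n")


if __name__ == "__main__":
    spec = "\\0"                              # the page's example value
    print("raw message, first match at:", first_rejected(RAW_MESSAGE, spec))
    print("MIME message, first match at:", first_rejected(MIME_MESSAGE, spec))
    body = MIME_MESSAGE.split(b"\r\n\r\n", 1)[1]
    print("NUL present after decoding:", b"\x00" in base64.b64decode(body))
    print("stripped:", strip_characters(RAW_MESSAGE, spec))
```

       The encoded message passes the raw scan even though its decoded body
       holds the same NUL byte, so these parameters do not replace a content
       filter that decodes MIME.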

milter_command_timeout (default: 30s)

3439       The time limit for sending an SMTP command to a  Milter  (mail  filter)
3440       application, and for receiving the response.
3441
3442       Specify  a non-zero time value (an integral value plus an optional one-
3443       letter suffix that specifies the time unit).
3444
3445       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3446       The default time unit is s (seconds).
3447
3448       This feature is available in Postfix 2.3 and later.
3449

milter_connect_macros (default: see postconf -d output)

3451       The  macros  that  are  sent to Milter (mail filter) applications after
3452       completion of an SMTP connection.  See  MILTER_README  for  a  list  of
3453       available macro names and their meanings.
3454
3455       This feature is available in Postfix 2.3 and later.
3456

milter_connect_timeout (default: 30s)

3458       The  time  limit  for connecting to a Milter (mail filter) application,
3459       and for negotiating protocol options.
3460
3461       Specify a non-zero time value (an integral value plus an optional  one-
3462       letter suffix that specifies the time unit).
3463
3464       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3465       The default time unit is s (seconds).
3466
3467       This feature is available in Postfix 2.3 and later.
3468

milter_content_timeout (default: 300s)

3470       The time limit for sending message content to a  Milter  (mail  filter)
3471       application, and for receiving the response.
3472
3473       Specify  a non-zero time value (an integral value plus an optional one-
3474       letter suffix that specifies the time unit).
3475
3476       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3477       The default time unit is s (seconds).
3478
3479       This feature is available in Postfix 2.3 and later.
3480

milter_data_macros (default: see postconf -d output)

3482       The  macros  that  are sent to version 4 or higher Milter (mail filter)
3483       applications after the SMTP DATA command. See MILTER_README for a  list
3484       of available macro names and their meanings.
3485
3486       This feature is available in Postfix 2.3 and later.
3487

milter_default_action (default: tempfail)

3489       The  default action when a Milter (mail filter) application is unavail‐
3490       able or mis-configured. Specify one of the following:
3491
3492       accept Proceed as if the mail filter was not present.
3493
3494       reject Reject all further commands in this  session  with  a  permanent
3495              status code.
3496
3497       tempfail
3498              Reject  all  further  commands  in this session with a temporary
3499              status code.
3500
3501       quarantine
3502              Like "accept", but freeze  the  message  in  the  "hold"  queue.
3503              Available with Postfix 2.6 and later.
3504
3505       This feature is available in Postfix 2.3 and later.
3506

milter_end_of_data_macros (default: see postconf -d output)

3508       The macros that are sent to Milter (mail filter) applications after the
3509       message end-of-data. See MILTER_README for a list  of  available  macro
3510       names and their meanings.
3511
3512       This feature is available in Postfix 2.3 and later.
3513

milter_end_of_header_macros (default: see postconf -d output)

3515       The macros that are sent to Milter (mail filter) applications after the
3516       end of the message header. See MILTER_README for a  list  of  available
3517       macro names and their meanings.
3518
3519       This feature is available in Postfix 2.5 and later.
3520

milter_header_checks (default: empty)

       Optional lookup tables for content inspection of message headers that
       are produced by Milter applications. See the header_checks(5) manual
       page for available actions. Currently, PREPEND is not implemented.
3525
3526       The  following  example sends all mail that is marked as SPAM to a spam
3527       handling machine. Note that matches are case-insensitive by default.
3528
3529       /etc/postfix/main.cf:
3530           milter_header_checks = pcre:/etc/postfix/milter_header_checks
3531
3532       /etc/postfix/milter_header_checks:
3533           /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
3534
3535       The milter_header_checks mechanism could also be used for whitelisting.
3536       For example it could be used to skip heavy content inspection for DKIM-
3537       signed mail from known friendly domains.
3538
3539       This feature is available in Postfix 2.7, and as an optional patch  for
3540       Postfix 2.6.
3541

milter_helo_macros (default: see postconf -d output)

3543       The macros that are sent to Milter (mail filter) applications after the
3544       SMTP HELO or EHLO command. See MILTER_README for a  list  of  available
3545       macro names and their meanings.
3546
3547       This feature is available in Postfix 2.3 and later.
3548

milter_macro_daemon_name (default: $myhostname)

3550       The  {daemon_name}  macro  value for Milter (mail filter) applications.
3551       See MILTER_README for a list of available macro names and  their  mean‐
3552       ings.
3553
3554       This feature is available in Postfix 2.3 and later.
3555

milter_macro_v (default: $mail_name $mail_version)

3557       The  {v}  macro  value for Milter (mail filter) applications.  See MIL‐
3558       TER_README for a list of available macro names and their meanings.
3559
3560       This feature is available in Postfix 2.3 and later.
3561

milter_mail_macros (default: see postconf -d output)

3563       The macros that are sent to Milter (mail filter) applications after the
3564       SMTP MAIL FROM command. See MILTER_README for a list of available macro
3565       names and their meanings.
3566
3567       This feature is available in Postfix 2.3 and later.
3568

milter_protocol (default: 6)

3570       The mail filter protocol version and optional protocol  extensions  for
3571       communication  with  a  Milter  application;  prior  to Postfix 2.6 the
3572       default protocol is 2. Postfix sends this  version  number  during  the
3573       initial protocol handshake.  It should match the version number that is
3574       expected by the mail filter application (or by its Milter library).
3575
3576       Protocol versions:
3577
3578       2      Use Sendmail 8 mail filter  protocol  version  2  (default  with
3579              Sendmail version 8.11 .. 8.13 and Postfix version 2.3 ..  2.5).
3580
3581       3      Use Sendmail 8 mail filter protocol version 3.
3582
3583       4      Use Sendmail 8 mail filter protocol version 4.
3584
3585       6      Use  Sendmail  8  mail  filter  protocol version 6 (default with
3586              Sendmail version 8.14 and Postfix version 2.6).
3587
3588       Protocol extensions:
3589
3590       no_header_reply
3591              Specify this when the Milter application will not reply for each
3592              individual message header.
3593
3594       This feature is available in Postfix 2.3 and later.
3595

milter_rcpt_macros (default: see postconf -d output)

3597       The macros that are sent to Milter (mail filter) applications after the
3598       SMTP RCPT TO command. See MILTER_README for a list of  available  macro
3599       names and their meanings.
3600
3601       This feature is available in Postfix 2.3 and later.
3602

milter_unknown_command_macros (default: see postconf -d output)

3604       The  macros  that  are sent to version 3 or higher Milter (mail filter)
3605       applications after an unknown SMTP command.  See  MILTER_README  for  a
3606       list of available macro names and their meanings.
3607
3608       This feature is available in Postfix 2.3 and later.
3609

mime_boundary_length_limit (default: 2048)

3611       The maximal length of MIME multipart boundary strings. The MIME proces‐
3612       sor is unable to distinguish between boundary strings that do not  dif‐
3613       fer in the first $mime_boundary_length_limit characters.
3614
3615       This feature is available in Postfix 2.0 and later.
3616

mime_header_checks (default: $header_checks)

3618       Optional  lookup  tables for content inspection of MIME related message
3619       headers, as described in the header_checks(5) manual page.
3620
3621       This feature is available in Postfix 2.0 and later.
3622

mime_nesting_limit (default: 100)

3624       The maximal recursion level that the MIME processor will handle.  Post‐
3625       fix refuses mail that is nested deeper than the specified limit.
3626
3627       This feature is available in Postfix 2.0 and later.
3628

minimal_backoff_time (default: 300s)

3630       The  minimal time between attempts to deliver a deferred message; prior
3631       to Postfix 2.4 the default value was 1000s.
3632
3633       This parameter also limits the time an unreachable destination is  kept
3634       in the short-term, in-memory, destination status cache.
3635
3636       This parameter should be set greater than or equal to $queue_run_delay.
3637       See also $maximal_backoff_time.
3638
3639       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3640       The default time unit is s (seconds).
3641

multi_instance_directories (default: empty)

3643       An  optional  list  of  non-default  Postfix configuration directories;
3644       these directories belong to additional Postfix instances that share the
3645       Postfix  executable  files  and  documentation with the default Postfix
3646       instance, and that  are  started,  stopped,  etc.,  together  with  the
3647       default  Postfix  instance.   Specify  a list of pathnames separated by
3648       comma or whitespace.
3649
3650       When $multi_instance_directories is empty, the postfix(1) command  runs
3651       in single-instance mode and operates on a single Postfix instance only.
3652       Otherwise, the postfix(1)  command  runs  in  multi-instance  mode  and
3653       invokes    the    multi-instance    manager    specified    with    the
3654       multi_instance_wrapper parameter. The multi-instance  manager  in  turn
3655       executes postfix(1) commands for the default instance and for all Post‐
3656       fix instances in $multi_instance_directories.
3657
3658       Currently, this parameter setting is ignored  except  for  the  default
3659       main.cf file.
3660
3661       This feature is available in Postfix 2.6 and later.
3662

multi_instance_enable (default: no)

3664       Allow  this  Postfix instance to be started, stopped, etc., by a multi-
3665       instance manager.  By default, new instances  are  created  in  a  safe
3666       state that prevents them from being started inadvertently.  This param‐
3667       eter is reserved for the multi-instance manager.
3668
3669       This feature is available in Postfix 2.6 and later.
3670

multi_instance_group (default: empty)

3672       The optional instance group name of  this  Postfix  instance.  A  group
3673       identifies  closely-related  Postfix  instances that the multi-instance
3674       manager can start, stop, etc., as a unit.  This parameter  is  reserved
3675       for the multi-instance manager.
3676
3677       This feature is available in Postfix 2.6 and later.
3678

multi_instance_name (default: empty)

       The optional instance name of this Postfix instance. This name also
       becomes the default value for the syslog_name parameter.
3682
3683       This feature is available in Postfix 2.6 and later.
3684

multi_instance_wrapper (default: empty)

3686       The pathname of a multi-instance manager command  that  the  postfix(1)
3687       command  invokes when the multi_instance_directories parameter value is
3688       non-empty. The pathname may be followed by  initial  command  arguments
3689       separated  by  whitespace;  shell metacharacters such as quotes are not
3690       supported in this context.
3691
3692       The postfix(1) command invokes the manager command with the  postfix(1)
3693       non-option  command arguments on the manager command line, and with all
3694       installation configuration parameters exported into the manager command
3695       process environment. The manager command in turn invokes the postfix(1)
3696       command for individual Postfix instances as "postfix  -c  config_direc‐
3697       tory command".
3698
3699       This feature is available in Postfix 2.6 and later.
3700

multi_recipient_bounce_reject_code (default: 550)

3702       The  numerical  Postfix  SMTP  server  response code when a remote SMTP
3703       client request is blocked by the reject_multi_recipient_bounce restric‐
3704       tion.
3705
3706       Do  not  change  this  unless  you have a complete understanding of RFC
3707       5321.
3708
3709       This feature is available in Postfix 2.1 and later.
3710

mydestination (default: $myhostname, localhost.$mydomain, localhost)

3712       The list of domains that are delivered via  the  $local_transport  mail
3713       delivery  transport.  By  default this is the Postfix local(8) delivery
3714       agent which looks up all recipients in  /etc/passwd  and  /etc/aliases.
3715       The  SMTP  server  validates  recipient  addresses  with $local_recipi‐
3716       ent_maps and rejects non-existent recipients. See also the local domain
3717       class in the ADDRESS_CLASS_README file.
3718
3719       The  default  mydestination value specifies names for the local machine
3720       only.  On a mail domain gateway, you should also include $mydomain.
3721
3722       The  $local_transport  delivery  method  is  also  selected  for   mail
3723       addressed  to  user@[the.net.work.address]  of  the mail system (the IP
3724       addresses  specified  with  the  inet_interfaces  and  proxy_interfaces
3725       parameters).
3726
3727       Warnings:
3728
3729       ·      Do  not specify the names of virtual domains - those domains are
3730              specified elsewhere. See VIRTUAL_README for more information.
3731
3732       ·      Do not specify the names of domains that this machine is  backup
3733              MX host for. See STANDARD_CONFIGURATION_README for how to set up
3734              backup MX hosts.
3735
3736       ·      By default, the Postfix SMTP server rejects mail for  recipients
3737              not  listed  with  the  local_recipient_maps parameter.  See the
3738              postconf(5) manual for a description of the local_recipient_maps
3739              and unknown_local_recipient_reject_code parameters.
3740
3741       Specify  a  list  of host or domain names, "/file/name" or "type:table"
3742       patterns, separated by commas and/or whitespace. A "/file/name" pattern
3743       is  replaced  by  its  contents; a "type:table" lookup table is matched
3744       when a name matches a lookup key (the lookup result is ignored).   Con‐
3745       tinue long lines by starting the next line with whitespace.
3746
3747       Examples:
3748
3749       mydestination = $myhostname, localhost.$mydomain $mydomain
3750       mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
3751

mydomain (default: see postconf -d output)

3753       The  internet  domain  name of this mail system.  The default is to use
3754       $myhostname minus the first component, or  "localdomain"  (Postfix  2.3
3755       and  later).   $mydomain is used as a default value for many other con‐
3756       figuration parameters.
3757
3758       Example:
3759
3760       mydomain = domain.tld
3761

myhostname (default: see postconf -d output)

3763       The internet hostname of this mail system. The default is  to  use  the
3764       fully-qualified  domain  name  (FQDN) from gethostname(), or to use the
3765       non-FQDN result from gethostname() and append  ".$mydomain".   $myhost‐
3766       name  is  used  as a default value for many other configuration parame‐
3767       ters.
3768
3769       Example:
3770
3771       myhostname = host.example.com
3772

mynetworks (default: see postconf -d output)

3774       The list of "trusted" remote SMTP clients  that  have  more  privileges
3775       than "strangers".
3776
3777       In particular, "trusted" SMTP clients are allowed to relay mail through
3778       Postfix.  See the smtpd_relay_restrictions parameter description in the
3779       postconf(5) manual.
3780
3781       You  can specify the list of "trusted" network addresses by hand or you
3782       can let Postfix do it for you (which is the default).  See the descrip‐
3783       tion of the mynetworks_style parameter for more information.
3784
3785       If  you specify the mynetworks list by hand, Postfix ignores the mynet‐
3786       works_style setting.
3787
3788       Specify a list of network addresses or network/netmask patterns,  sepa‐
3789       rated  by commas and/or whitespace. Continue long lines by starting the
3790       next line with whitespace.
3791
3792       The netmask specifies the number of bits in the network part of a  host
3793       address.   You  can also specify "/file/name" or "type:table" patterns.
3794       A "/file/name" pattern is replaced  by  its  contents;  a  "type:table"
3795       lookup table is matched when a table entry matches a lookup string (the
3796       lookup result is ignored).
3797
3798       The list is matched left to right, and the search stops  on  the  first
3799       match.   Specify "!pattern" to exclude an address or network block from
3800       the list. The form "!/file/name" is supported only in  Postfix  version
3801       2.4 and later.
3802
3803       Note:  IP  version 6 address information must be specified inside [] in
3804       the mynetworks value, and in files  specified  with  "/file/name".   IP
3805       version  6  addresses contain the ":" character, and would otherwise be
3806       confused with a "type:table" pattern.
3807
3808       Examples:
3809
3810       mynetworks = 127.0.0.0/8 168.100.189.0/28
3811       mynetworks = !192.168.0.1, 192.168.0.0/28
3812       mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
3813       mynetworks = $config_directory/mynetworks
3814       mynetworks = hash:/etc/postfix/network_table
3815
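       The left-to-right, first-match rule and the "!pattern" exclusion
       described above, as an added example (not Postfix code) that evaluates
       a mynetworks value for a client address and flags exclusions that can
       never take effect. The function names are assumptions of this example;
       "/file/name" and "type:table" patterns are not expanded and are
       reported as errors.

```python
import ipaddress
import re


def parse_mynetworks(value):
    """Split a mynetworks value into (negated, network) pairs in list order."""
    entries = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        negated = token.startswith("!")
        pattern = token[1:] if negated else token
        bracketed = re.fullmatch(r"\[([^\]]+)\](/\d+)?", pattern)
        if bracketed:
            # IPv6 must be written inside [] so that ":" is not ambiguous.
            text = bracketed.group(1) + (bracketed.group(2) or "")
        elif pattern.startswith("/") or ":" in pattern:
            # A bare ":" would be read as "type:table"; files and tables
            # need the real lookup machinery, which this example lacks.
            raise ValueError("file or table pattern not handled: " + token)
        else:
            text = pattern
        # The default strict parsing rejects entries with host bits set.
        entries.append((negated, ipaddress.ip_network(text)))
    return entries


def is_trusted(client_ip, value):
    """True when the first entry that matches client_ip is not negated."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(value):
        if addr.version == net.version and addr in net:
            return not negated              # search stops on the first match
    return False


def shadowed_exclusions(value):
    """Return "!pattern" networks already covered by an earlier plain entry.

    Such an exclusion never fires, because the earlier entry matches first.
    """
    earlier, dead = [], []
    for negated, net in parse_mynetworks(value):
        if negated:
            if any(p.version == net.version and net.subnet_of(p)
                   for p in earlier):
                dead.append(str(net))
        else:
            earlier.append(net)
    return dead


if __name__ == "__main__":
    as_documented = "!192.168.0.1, 192.168.0.0/28"   # example from the page
    reversed_order = "192.168.0.0/28, !192.168.0.1"  # constructed variant
    for value in (as_documented, reversed_order):
        print(value)
        print("  192.168.0.1 trusted:", is_trusted("192.168.0.1", value))
        print("  192.168.0.2 trusted:", is_trusted("192.168.0.2", value))
        print("  dead exclusions:", shadowed_exclusions(value))
```

       With the exclusion listed after the network it belongs to,
       192.168.0.1 stays trusted for relaying; the exclusion has to come
       first, as in the page's own example.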

mynetworks_style (default: subnet)

3817       The method to generate the default value for the mynetworks  parameter.
3818       This is the list of trusted networks for relay access control etc.
3819
3820       ·      Specify  "mynetworks_style  =  host" when Postfix should "trust"
3821              only the local machine.
3822
3823       ·      Specify "mynetworks_style = subnet" when Postfix should  "trust"
3824              remote  SMTP  clients  in  the  same IP subnetworks as the local
3825              machine.  On Linux, this works correctly  only  with  interfaces
3826              specified with the "ifconfig" command.
3827
3828       ·      Specify  "mynetworks_style  = class" when Postfix should "trust"
3829              remote SMTP clients in the same IP class A/B/C networks  as  the
3830              local  machine.   Don't  do  this  with a dialup site - it would
3831              cause  Postfix  to  "trust"  your  entire  provider's   network.
3832              Instead,  specify  an  explicit  mynetworks  list  by  hand,  as
3833              described with the mynetworks configuration parameter.
3834

myorigin (default: $myhostname)

3836       The domain name that locally-posted mail appears to come from, and that
3837       locally  posted mail is delivered to. The default, $myhostname, is ade‐
3838       quate for small sites.  If you run a domain with multiple machines, you
3839       should  (1) change this to $mydomain and (2) set up a domain-wide alias
3840       database that aliases each user to user@that.users.mailhost.
3841
3842       Example:
3843
3844       myorigin = $mydomain
3845

nested_header_checks (default: $header_checks)

3847       Optional lookup tables for content inspection of non-MIME message head‐
3848       ers  in  attached messages, as described in the header_checks(5) manual
3849       page.
3850
3851       This feature is available in Postfix 2.0 and later.
3852

newaliases_path (default: see postconf -d output)

3854       Sendmail compatibility feature  that  specifies  the  location  of  the
3855       newaliases(1) command. This command can be used to rebuild the local(8)
3856       aliases(5) database.
3857

non_fqdn_reject_code (default: 504)

3859       The numerical Postfix SMTP server reply code when a client  request  is
3860       rejected  by  the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
3861       or reject_non_fqdn_recipient restriction.
3862

non_smtpd_milters (default: empty)

3864       A list of Milter (mail filter) applications for new mail that does  not
3865       arrive  via the Postfix smtpd(8) server. This includes local submission
3866       via the sendmail(1) command line, new mail that arrives via the Postfix
3867       qmqpd(8)  server,  and old mail that is re-injected into the queue with
3868       "postsuper -r".  Specify space or comma  as  separator.  See  the  MIL‐
3869       TER_README document for details.
3870
3871       This feature is available in Postfix 2.3 and later.
3872

notify_classes (default: resource, software)

3874       The  list  of  error  classes  that are reported to the postmaster. The
3875       default is to report only the most serious problems. The  paranoid  may
3876       wish  to  turn on the policy (UCE and mail relaying) and protocol error
3877       (broken mail software) reports.
3878
3879       NOTE: postmaster notifications  may  contain  confidential  information
3880       such  as  SASL passwords or message content.  It is the system adminis‐
3881       trator's responsibility to treat such information with care.
3882
3883       The error classes are:
3884
3885       bounce (also implies 2bounce)
3886              Send the postmaster copies of the headers of bounced  mail,  and
3887              send transcripts of SMTP sessions when Postfix rejects mail. The
3888              notification  is  sent  to  the  address  specified   with   the
3889              bounce_notice_recipient  configuration parameter (default: post‐
3890              master).
3891
3892       2bounce
3893              Send undeliverable bounced mail to the postmaster. The notifica‐
3894              tion    is    sent   to   the   address   specified   with   the
3895              2bounce_notice_recipient configuration parameter (default: post‐
3896              master).
3897
3898       data   Send  the  postmaster  a  transcript of the SMTP session with an
3899              error because a critical data file was unavailable. The  notifi‐
3900              cation   is   sent   to   the   address   specified   with   the
3901              error_notice_recipient configuration parameter  (default:  post‐
3902              master).
3903              This feature is available in Postfix 2.9 and later.
3904
3905       delay  Send  the  postmaster copies of the headers of delayed mail (see
3906              delay_warning_time). The notification is  sent  to  the  address
3907              specified  with the delay_notice_recipient configuration parame‐
3908              ter (default: postmaster).
3909
3910       policy Send the postmaster a transcript of  the  SMTP  session  when  a
3911              client request was rejected because of (UCE) policy. The notifi‐
3912              cation   is   sent   to   the   address   specified   with   the
3913              error_notice_recipient  configuration  parameter (default: post‐
3914              master).
3915
3916       protocol
3917              Send the postmaster a transcript of the SMTP session in case  of
3918              client  or  server  protocol errors. The notification is sent to
3919              the address specified with the error_notice_recipient configura‐
3920              tion parameter (default: postmaster).
3921
3922       resource
3923              Inform  the  postmaster  of  mail  not delivered due to resource
3924              problems.  The notification is sent  to  the  address  specified
3925              with    the   error_notice_recipient   configuration   parameter
3926              (default: postmaster).
3927
3928       software
3929              Inform the postmaster of mail  not  delivered  due  to  software
3930              problems.   The  notification  is  sent to the address specified
3931              with   the   error_notice_recipient   configuration    parameter
3932              (default: postmaster).
3933
3934       Examples:
3935
3936       notify_classes = bounce, delay, policy, protocol, resource, software
3937       notify_classes = 2bounce, resource, software
3938

owner_request_special (default: yes)

3940       Give  special  treatment to owner-listname and listname-request address
3941       localparts: don't split such addresses when the recipient_delimiter  is
3942       set to "-".  This feature is useful for mailing lists.
3943

parent_domain_matches_subdomains (default: see postconf -d output)

       A list of Postfix features that match subdomains of "domain.tld"
       automatically, instead of requiring an explicit ".domain.tld" pattern.
       This is planned backwards compatibility: eventually, all Postfix
       features are expected to require explicit ".domain.tld" style patterns
       when you really want to match subdomains.
3950

permit_mx_backup_networks (default: empty)

3952       Restrict  the  use  of the permit_mx_backup SMTP access feature to only
3953       domains whose primary MX hosts match the listed networks.  The  parame‐
3954       ter  value  syntax  is the same as with the mynetworks parameter; note,
3955       however, that the default value is empty.
3956

pickup_service_name (default: pickup)

3958       The name of the pickup(8) service. This service  picks  up  local  mail
3959       submissions from the Postfix maildrop queue.
3960
3961       This feature is available in Postfix 2.0 and later.
3962

plaintext_reject_code (default: 450)

3964       The  numerical  Postfix  SMTP  server  response  code when a request is
3965       rejected by the reject_plaintext_session restriction.
3966
3967       This feature is available in Postfix 2.3 and later.
3968

postmulti_control_commands (default: reload flush)

3970       The postfix(1) commands that the postmulti(1) instance  manager  treats
3971       as  "control"  commands,  that  operate on running instances. For these
3972       commands, disabled instances are skipped.
3973
3974       This feature is available in Postfix 2.6 and later.
3975

postmulti_start_commands (default: start)

3977       The postfix(1) commands that the postmulti(1) instance  manager  treats
3978       as  "start"  commands.  For  these  commands,  disabled  instances  are
3979       "checked" rather than  "started",  and  failure  to  "start"  a  member
3980       instance  of  an  instance  group  will  abort  the  start-up  of later
3981       instances.
3982
3983       This feature is available in Postfix 2.6 and later.
3984

postmulti_stop_commands (default: see postconf -d output)

3986       The postfix(1) commands that the postmulti(1) instance  manager  treats
3987       as "stop" commands. For these commands, disabled instances are skipped,
3988       and enabled instances are processed in reverse order.
3989
3990       This feature is available in Postfix 2.6 and later.
3991

postscreen_access_list (default: permit_mynetworks)

       Permanent white/blacklist for remote SMTP client IP addresses.
       postscreen(8) searches this list immediately after a remote SMTP client
       connects. Specify a comma- or whitespace-separated list of commands
       (in upper or lower case) or lookup tables. The search stops upon the
       first command that fires for the client IP address.

       permit_mynetworks
              Whitelist the client and terminate the search if the client IP
              address matches $mynetworks. Do not subject the client to any
              before/after 220 greeting tests. Pass the connection
              immediately to a Postfix SMTP server process.

       type:table
              Query the specified lookup table. Each table lookup result is an
              access list, except that access lists inside a table cannot
              specify type:table entries.
              To discourage the use of hash, btree, etc. tables, there is no
              support for substring matching like smtpd(8). Use CIDR tables
              instead.

       permit
              Whitelist the client and terminate the search. Do not subject
              the client to any before/after 220 greeting tests. Pass the
              connection immediately to a Postfix SMTP server process.

       reject
              Blacklist the client and terminate the search. Subject the
              client to the action configured with the
              postscreen_blacklist_action configuration parameter.

       dunno  All postscreen(8) access lists implicitly have this command at
              the end.
              When dunno is executed inside a lookup table, return from the
              lookup table and evaluate the next command.
              When dunno is executed outside a lookup table, terminate the
              search, and subject the client to the configured before/after
              220 greeting tests.

       Example:

       /etc/postfix/main.cf:
           postscreen_access_list = permit_mynetworks,
                 cidr:/etc/postfix/postscreen_access.cidr
           postscreen_blacklist_action = enforce

       /etc/postfix/postscreen_access.cidr:
           # Rules are evaluated in the order as specified.
           # Blacklist 192.168.* except 192.168.0.1.
           192.168.0.1         dunno
           192.168.0.0/16      reject

       This feature is available in Postfix 2.8.
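
       The search order described for postscreen_access_list, as an added
       Python model (not Postfix code and not part of the original manual).
       It assumes a $mynetworks value and uses the CIDR table from the example
       above; "tests" stands for "subject the client to the before/after 220
       greeting tests".

```python
import ipaddress

# Constructed sample data that mirrors the manual's example.
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]   # assumed $mynetworks value
TABLES = {
    "cidr:/etc/postfix/postscreen_access.cidr": [
        ("192.168.0.1", "dunno"),
        ("192.168.0.0/16", "reject"),
    ],
}
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"


def _split(access_list):
    """Split a comma- or whitespace-separated access list into commands."""
    return access_list.replace(",", " ").split()


def _table_lookup(addr, rules):
    """Return the access list of the first CIDR rule that matches, else None."""
    for pattern, result in rules:
        if addr in ipaddress.ip_network(pattern, strict=False):
            return result
    return None


def _run(addr, commands, mynetworks, tables, inside_table):
    """Evaluate commands in order; None means 'return to the outer list'."""
    for command in commands:
        if ":" in command:                      # type:table reference
            if inside_table:
                raise ValueError("type:table is not allowed inside a table")
            result = _table_lookup(addr, tables[command])
            if result is not None:
                verdict = _run(addr, _split(result), mynetworks, tables, True)
                if verdict is not None:
                    return verdict
            continue
        name = command.lower()                  # upper or lower case accepted
        if name == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(n) for n in mynetworks):
                return "permit"
        elif name in ("permit", "reject"):
            # "reject" hands the client to postscreen_blacklist_action.
            return name
        elif name == "dunno":
            # Inside a table: continue with the next command of the outer
            # list. Outside a table: stop searching and run the tests.
            return None if inside_table else "tests"
        else:
            raise ValueError("unknown command: %s" % command)
    # Every access list ends with an implicit dunno.
    return None if inside_table else "tests"


def evaluate(client_ip, access_list=ACCESS_LIST, tables=TABLES,
             mynetworks=MYNETWORKS):
    """Return 'permit', 'reject' or 'tests' for one client IP address."""
    addr = ipaddress.ip_address(client_ip)
    return _run(addr, _split(access_list), mynetworks, tables, False)


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.0.1", "192.168.7.9", "203.0.113.5"):
        print(ip, evaluate(ip))
```

       Swapping the two CIDR rules would make 192.168.0.1 match the /16 first
       and be rejected, which is why the exception has to come before the
       broader block.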

postscreen_bare_newline_action (default: ignore)

       The action that postscreen(8) takes when a remote SMTP client sends a
       bare newline character, that is, a newline not preceded by carriage
       return. Specify one of the following:

       ignore Ignore the failure of this test. Allow other tests to complete.
              Do not repeat this test before the result from some other
              test expires. This option is useful for testing and collecting
              statistics without blocking mail permanently.

       enforce
              Allow other tests to complete. Reject attempts to deliver mail
              with a 550 SMTP reply, and log the helo/sender/recipient
              information. Repeat this test the next time the client connects.

       drop   Drop the connection immediately with a 521 SMTP reply. Repeat
              this test the next time the client connects.

       This feature is available in Postfix 2.8.

postscreen_bare_newline_enable (default: no)

       Enable "bare newline" SMTP protocol tests in the postscreen(8) server.
       These tests are expensive: a remote SMTP client must disconnect after
       it passes the test, before it can talk to a real Postfix SMTP server.

       This feature is available in Postfix 2.8.

postscreen_bare_newline_ttl (default: 30d)

       The amount of time that postscreen(8) will use the result from a
       successful "bare newline" SMTP protocol test. During this time, the
       client IP address is excluded from this test. The default is long
       because a remote SMTP client must disconnect after it passes the test,
       before it can talk to a real Postfix SMTP server.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.

postscreen_blacklist_action (default: ignore)

       The action that postscreen(8) takes when a remote SMTP client is
       permanently blacklisted with the postscreen_access_list parameter.
       Specify one of the following:

       ignore (default)
              Ignore this result. Allow other tests to complete. Repeat this
              test the next time the client connects. This option is useful
              for testing and collecting statistics without blocking mail.

       enforce
              Allow other tests to complete. Reject attempts to deliver mail
              with a 550 SMTP reply, and log the helo/sender/recipient
              information. Repeat this test the next time the client connects.

       drop   Drop the connection immediately with a 521 SMTP reply. Repeat
              this test the next time the client connects.

       This feature is available in Postfix 2.8.

postscreen_cache_cleanup_interval (default: 12h)

       The amount of time between postscreen(8) cache cleanup runs. Cache
       cleanup increases the load on the cache database and should therefore
       not be run frequently. This feature requires that the cache database
       supports the "delete" and "sequence" operators. Specify a zero
       interval to disable cache cleanup.

       After each cache cleanup run, the postscreen(8) daemon logs the number
       of entries that were retained and dropped. A cleanup run is logged as
       "partial" when the daemon terminates early after "postfix reload",
       "postfix stop", or no requests for $max_idle seconds.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.

postscreen_cache_map (default: btree:$data_directory/postscreen_cache)

       Persistent storage for the postscreen(8) server decisions.

       To share a postscreen(8) cache between multiple postscreen(8)
       instances, use "postscreen_cache_map = proxy:btree:/path/to/file".
       This requires Postfix version 2.9 or later; earlier proxymap(8)
       implementations don't support cache cleanup. For an alternative
       approach see the memcache_table(5) manpage.

       This feature is available in Postfix 2.8.

postscreen_cache_retention_time (default: 7d)

       The amount of time that postscreen(8) will cache an expired temporary
       whitelist entry before it is removed. This prevents clients from being
       logged as "NEW" just because their cache entry expired an hour ago. It
       also prevents the cache from filling up with clients that passed some
       deep protocol test once and never came back.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.

postscreen_client_connection_count_limit (default: $smtpd_client_connection_count_limit)

       How many simultaneous connections any remote SMTP client is allowed to
       have with the postscreen(8) daemon. By default, this limit is the same
       as with the Postfix SMTP server. Note that the triage process can take
       several seconds, with the time spent in postscreen_greet_wait delay,
       and with the time spent talking to the postscreen(8) built-in dummy
       SMTP protocol engine.

       This feature is available in Postfix 2.8.

postscreen_command_count_limit (default: 20)

       The limit on the total number of commands per SMTP session for
       postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers
       or rejects all attempts to deliver mail, therefore there is no need to
       enforce separate limits on the number of junk commands and error
       commands.

       This feature is available in Postfix 2.8.

postscreen_command_filter (default: $smtpd_command_filter)

       A mechanism to transform commands from remote SMTP clients. See
       smtpd_command_filter for further details.

       This feature is available in Postfix 2.8 and later.

postscreen_command_time_limit (default: ${stress?10}${stress:300}s)

       The time limit to read an entire command line with postscreen(8)'s
       built-in SMTP protocol engine.

       This feature is available in Postfix 2.8.

postscreen_disable_vrfy_command (default: $disable_vrfy_command)

       Disable the SMTP VRFY command in the postscreen(8) daemon. See
       disable_vrfy_command for details.

       This feature is available in Postfix 2.8.

postscreen_discard_ehlo_keyword_address_maps (default: $smtpd_discard_ehlo_keyword_address_maps)

       Lookup tables, indexed by the remote SMTP client address, with case
       insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
       that the postscreen(8) server will not send in the EHLO response to a
       remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
       table is not searched by hostname for robustness reasons.

       This feature is available in Postfix 2.8 and later.

postscreen_discard_ehlo_keywords (default: $smtpd_discard_ehlo_keywords)

       A case insensitive list of EHLO keywords (pipelining, starttls, auth,
       etc.) that the postscreen(8) server will not send in the EHLO response
       to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.

       This feature is available in Postfix 2.8 and later.

postscreen_dnsbl_action (default: ignore)

       The action that postscreen(8) takes when a remote SMTP client's
       combined DNSBL score is equal to or greater than a threshold (as
       defined with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold
       parameters). Specify one of the following:

       ignore (default)
              Ignore the failure of this test. Allow other tests to complete.
              Repeat this test the next time the client connects. This option
              is useful for testing and collecting statistics without blocking
              mail.

       enforce
              Allow other tests to complete. Reject attempts to deliver mail
              with a 550 SMTP reply, and log the helo/sender/recipient
              information. Repeat this test the next time the client connects.

       drop   Drop the connection immediately with a 521 SMTP reply. Repeat
              this test the next time the client connects.

       This feature is available in Postfix 2.8.

postscreen_dnsbl_reply_map (default: empty)

       A mapping from actual DNSBL domain name which includes a secret
       password, to the DNSBL domain name that postscreen will reply with
       when it rejects mail. When no mapping is found, the actual DNSBL
       domain will be used.

       For maximal stability it is best to use a file that is read into memory
       such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
       except a) there is no need to run postmap(1) before the file can be
       used, and b) texthash: does not detect changes after the file is read).

       Example:

       /etc/postfix/main.cf:
           postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

       /etc/postfix/dnsbl_reply:
          secret.zen.spamhaus.org    zen.spamhaus.org

       This feature is available in Postfix 2.8.

postscreen_dnsbl_sites (default: empty)

       Optional list of DNS white/blacklist domains, filters and weight
       factors. When the list is non-empty, the dnsblog(8) daemon will query
       these domains with the IP addresses of remote SMTP clients, and
       postscreen(8) will update an SMTP client's DNSBL score with each
       non-error reply.

       Caution: when postscreen rejects mail, it replies with the DNSBL domain
       name. Use the postscreen_dnsbl_reply_map feature to hide "password"
       information in DNSBL domain names.

       When a client's score is equal to or greater than the threshold
       specified with postscreen_dnsbl_threshold, postscreen(8) can drop the
       connection with the remote SMTP client.

       Specify a list of domain=filter*weight entries, separated by comma or
       whitespace.

       ·      When no "=filter" is specified, postscreen(8) will use any
              non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
              replies that match the filter. The filter has the form d.d.d.d,
              where each d is a number, or a pattern inside [] that contains
              one or more ";"-separated numbers or number..number ranges.

       ·      When no "*weight" is specified, postscreen(8) increments the
              remote SMTP client's DNSBL score by 1. Otherwise, the weight
              must be an integral number, and postscreen(8) adds the specified
              weight to the remote SMTP client's DNSBL score. Specify a
              negative number for whitelisting.

       ·      When one postscreen_dnsbl_sites entry produces multiple DNSBL
              responses, postscreen(8) applies the weight at most once.

       Examples:

       To use example.com as a high-confidence blocklist, and to block mail
       with example.net and example.org only when both agree:

       postscreen_dnsbl_threshold = 2
       postscreen_dnsbl_sites = example.com*2, example.net, example.org

       To filter only DNSBL replies containing 127.0.0.4:

       postscreen_dnsbl_sites = example.com=127.0.0.4

       This feature is available in Postfix 2.8.
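
       The domain=filter*weight rules above, as an added Python model of the
       scoring (not Postfix code and not part of the original manual). The
       "replies" argument is a constructed stand-in for the non-error DNSBL
       answers that dnsblog(8) collects, and the function names are
       hypothetical.

```python
import re

# domain, optional "=filter", optional "*weight" (weight may be negative).
_ENTRY = re.compile(
    r"(?P<domain>[^=*]+)(?:=(?P<filter>[0-9.;\[\]]+))?(?:\*(?P<weight>-?\d+))?")
# One filter octet: a number, or [..] with ";"-separated numbers or ranges.
_OCTET = r"(\d+|\[[0-9.;]+\])"
_FILTER = re.compile(r"\.".join([_OCTET] * 4))


def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into (domain, filter, weight)."""
    sites = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        m = _ENTRY.fullmatch(token)
        if not m or (m["filter"] and not _FILTER.fullmatch(m["filter"])):
            raise ValueError("bad postscreen_dnsbl_sites entry: %r" % token)
        # No "*weight" means the score is incremented by 1.
        sites.append((m["domain"], m["filter"], int(m["weight"] or 1)))
    return sites


def _octet_matches(pattern, value):
    """Match one reply octet against a number or a [n;a..b] pattern."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for item in pattern[1:-1].split(";"):
        low, _, high = item.partition("..")
        if int(low) <= value <= int(high or low):
            return True
    return False


def reply_matches(filter_pattern, reply):
    """True when a DNSBL reply address matches a d.d.d.d filter."""
    octets = [int(o) for o in reply.split(".")]
    patterns = _FILTER.fullmatch(filter_pattern).groups()
    return len(octets) == 4 and all(
        _octet_matches(p, o) for p, o in zip(patterns, octets))


def dnsbl_score(sites, replies):
    """Combine weights; replies maps domain -> list of non-error answers."""
    score = 0
    for domain, filter_pattern, weight in sites:
        answers = replies.get(domain, [])
        if filter_pattern is None:
            hit = bool(answers)          # any non-error reply counts
        else:
            hit = any(reply_matches(filter_pattern, a) for a in answers)
        if hit:
            score += weight              # at most once per entry
    return score


def is_blocked(sites, replies, threshold=1):
    """postscreen_dnsbl_threshold is an inclusive lower bound."""
    return dnsbl_score(sites, replies) >= threshold


if __name__ == "__main__":
    sites = parse_sites("example.com*2, example.net, example.org")
    # Constructed replies: only example.net lists the client.
    print(is_blocked(sites, {"example.net": ["127.0.0.2"]}, threshold=2))
```

       With the manual's first example, a listing on example.net alone scores
       1 and stays under the threshold of 2, while example.com alone reaches
       it.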

postscreen_dnsbl_threshold (default: 1)

       The inclusive lower bound for blocking a remote SMTP client, based on
       its combined DNSBL score as defined with the postscreen_dnsbl_sites
       parameter.

       This feature is available in Postfix 2.8.

postscreen_dnsbl_ttl (default: 1h)

       The amount of time that postscreen(8) will use the result from a
       successful DNS blocklist test. During this time, the client IP address
       is excluded from this test. The default is relatively short, because a
       good client can immediately talk to a real Postfix SMTP server.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.

postscreen_enforce_tls (default: $smtpd_enforce_tls)

       Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
       require that clients use TLS encryption. See smtpd_enforce_tls for
       details.

       This feature is available in Postfix 2.8 and later. Preferably, use
       postscreen_tls_security_level instead.

postscreen_expansion_filter (default: see postconf -d output)

       List of characters that are permitted in postscreen_reject_footer
       attribute expansions. See smtpd_expansion_filter for further details.

       This feature is available in Postfix 2.8 and later.

postscreen_forbidden_commands (default: $smtpd_forbidden_commands)

       List of commands that the postscreen(8) server considers in violation
       of the SMTP protocol. See smtpd_forbidden_commands for syntax, and
       postscreen_non_smtp_command_action for possible actions.

       This feature is available in Postfix 2.8.

postscreen_greet_action (default: ignore)

       The action that postscreen(8) takes when a remote SMTP client speaks
       before its turn within the time specified with the
       postscreen_greet_wait parameter. Specify one of the following:

       ignore (default)
              Ignore the failure of this test. Allow other tests to complete.
              Repeat this test the next time the client connects. This option
              is useful for testing and collecting statistics without blocking
              mail.

       enforce
              Allow other tests to complete. Reject attempts to deliver mail
              with a 550 SMTP reply, and log the helo/sender/recipient
              information. Repeat this test the next time the client connects.

       drop   Drop the connection immediately with a 521 SMTP reply. Repeat
              this test the next time the client connects.

       In either case, postscreen(8) will not whitelist the remote SMTP client
       IP address.

       This feature is available in Postfix 2.8.

postscreen_greet_banner (default: $smtpd_banner)

       The text in the optional "220-text..." server response that
       postscreen(8) sends ahead of the real Postfix SMTP server's "220
       text..." response, in an attempt to confuse bad SMTP clients so that
       they speak before their turn (pre-greet). Specify an empty value to
       disable this feature.

       This feature is available in Postfix 2.8.

postscreen_greet_ttl (default: 1d)

       The amount of time that postscreen(8) will use the result from a
       successful PREGREET test. During this time, the client IP address is
       excluded from this test. The default is relatively short, because a
       good client can immediately talk to a real Postfix SMTP server.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.

postscreen_greet_wait (default: ${stress?2}${stress:6}s)

       The amount of time that postscreen(8) will wait for an SMTP client to
       send a command before its turn, and for DNS blocklist lookup results to
       arrive (default: up to 2 seconds under stress, up to 6 seconds
       otherwise).

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.

postscreen_helo_required (default: $smtpd_helo_required)

       Require that a remote SMTP client sends HELO or EHLO before commencing
       a MAIL transaction.

       This feature is available in Postfix 2.8.

postscreen_non_smtp_command_action (default: drop)

       The action that postscreen(8) takes when a remote SMTP client sends
       non-SMTP commands as specified with the postscreen_forbidden_commands
       parameter. Specify one of the following:

       ignore Ignore the failure of this test. Allow other tests to complete.
              Do not repeat this test before the result from some other
              test expires. This option is useful for testing and collecting
              statistics without blocking mail permanently.

       enforce
              Allow other tests to complete. Reject attempts to deliver mail
              with a 550 SMTP reply, and log the helo/sender/recipient
              information. Repeat this test the next time the client connects.

       drop   Drop the connection immediately with a 521 SMTP reply. Repeat
              this test the next time the client connects. This action is the
              same as with the Postfix SMTP server's smtpd_forbidden_commands
              feature.

       This feature is available in Postfix 2.8.

postscreen_non_smtp_command_enable (default: no)

       Enable "non-SMTP command" tests in the postscreen(8) server. These
       tests are expensive: a client must disconnect after it passes the test,
       before it can talk to a real Postfix SMTP server.

       This feature is available in Postfix 2.8.

postscreen_non_smtp_command_ttl (default: 30d)

       The amount of time that postscreen(8) will use the result from a
       successful "non_smtp_command" SMTP protocol test. During this time, the
       client IP address is excluded from this test. The default is long
       because a client must disconnect after it passes the test, before it
       can talk to a real Postfix SMTP server.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.

postscreen_pipelining_action (default: enforce)

       The action that postscreen(8) takes when a remote SMTP client sends
       multiple commands instead of sending one command and waiting for the
       server to respond. Specify one of the following:

       ignore Ignore the failure of this test. Allow other tests to complete.
              Do not repeat this test before the result from some other
              test expires. This option is useful for testing and collecting
              statistics without blocking mail permanently.

       enforce
              Allow other tests to complete. Reject attempts to deliver mail
              with a 550 SMTP reply, and log the helo/sender/recipient
              information. Repeat this test the next time the client connects.

       drop   Drop the connection immediately with a 521 SMTP reply. Repeat
              this test the next time the client connects.

       This feature is available in Postfix 2.8.

postscreen_pipelining_enable (default: no)

       Enable "pipelining" SMTP protocol tests in the postscreen(8) server.
       These tests are expensive: a good client must disconnect after it
       passes the test, before it can talk to a real Postfix SMTP server.

       This feature is available in Postfix 2.8.

postscreen_pipelining_ttl (default: 30d)

       The amount of time that postscreen(8) will use the result from a
       successful "pipelining" SMTP protocol test. During this time, the
       client IP address is excluded from this test. The default is long
       because a good client must disconnect after it passes the test, before
       it can talk to a real Postfix SMTP server.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.

postscreen_post_queue_limit (default: $default_process_limit)

       The number of clients that can be waiting for service from a real
       Postfix SMTP server process. When this queue is full, all clients will
       receive a 421 response.

       This feature is available in Postfix 2.8.

postscreen_pre_queue_limit (default: $default_process_limit)

       The number of non-whitelisted clients that can be waiting for a
       decision whether they will receive service from a real Postfix SMTP
       server process. When this queue is full, all non-whitelisted clients
       will receive a 421 response.

       This feature is available in Postfix 2.8.

postscreen_reject_footer (default: $smtpd_reject_footer)

       Optional information that is appended after a 4XX or 5XX postscreen(8)
       server response. See smtpd_reject_footer for further details.

       This feature is available in Postfix 2.8 and later.

postscreen_tls_security_level (default: $smtpd_tls_security_level)

       The SMTP TLS security level for the postscreen(8) server; when a
       non-empty value is specified, this overrides the obsolete parameters
       postscreen_use_tls and postscreen_enforce_tls. See
       smtpd_tls_security_level for details.

       This feature is available in Postfix 2.8 and later.

postscreen_upstream_proxy_protocol (default: empty)

       The name of the proxy protocol used by an optional before-postscreen
       proxy agent. When a proxy agent is used, this protocol conveys local
       and remote address and port information. Specify
       "postscreen_upstream_proxy_protocol = haproxy" to enable the haproxy
       protocol.

       This feature is available in Postfix 2.10 and later.

postscreen_upstream_proxy_timeout (default: 5s)

       The time limit for the proxy protocol specified with the
       postscreen_upstream_proxy_protocol parameter.

       This feature is available in Postfix 2.10 and later.

postscreen_use_tls (default: $smtpd_use_tls)

       Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
       but do not require that clients use TLS encryption.

       This feature is available in Postfix 2.8 and later. Preferably, use
       postscreen_tls_security_level instead.

postscreen_watchdog_timeout (default: 10s)

       How much time a postscreen(8) process may take to respond to a remote
       SMTP client command or to perform a cache operation before it is
       terminated by a built-in watchdog timer. This is a safety mechanism
       that prevents postscreen(8) from becoming non-responsive due to a bug
       in Postfix itself or in system software. To avoid false alarms and
       unnecessary cache corruption this limit cannot be set under 10s.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.

postscreen_whitelist_interfaces (default: static:all)

       A list of local postscreen(8) server IP addresses where a
       non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
       whitelist status. This status is required before the client can talk to
       a Postfix SMTP server process. By default, a client can obtain
       postscreen(8)'s whitelist status on any local postscreen(8) server IP
       address.

       When postscreen(8) listens on both primary and backup MX addresses, the
       postscreen_whitelist_interfaces parameter can be configured to give the
       temporary whitelist status only when a client connects to a primary MX
       address. Once a client is whitelisted it can talk to a Postfix SMTP
       server on any address. Thus, clients that connect only to backup MX
       addresses will never become whitelisted, and will never be allowed to
       talk to a Postfix SMTP server process.

       Specify a list of network addresses or network/netmask patterns,
       separated by commas and/or whitespace. The netmask specifies the number
       of bits in the network part of a host address. Continue long lines by
       starting the next line with whitespace.

       You can also specify "/file/name" or "type:table" patterns. A
       "/file/name" pattern is replaced by its contents; a "type:table" lookup
       table is matched when a table entry matches a lookup string (the lookup
       result is ignored).

       The list is matched left to right, and the search stops on the first
       match. Specify "!pattern" to exclude an address or network block from
       the list.

       Note: IP version 6 address information must be specified inside [] in
       the postscreen_whitelist_interfaces value, and in files specified with
       "/file/name". IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.

       Example:

       /etc/postfix/main.cf:
           # Don't whitelist connections to the backup IP address.
           postscreen_whitelist_interfaces = !168.100.189.8, static:all

       This feature is available in Postfix 2.9 and later.

prepend_delivered_header (default: command, file, forward)

       The message delivery contexts where the Postfix local(8) delivery agent
       prepends a Delivered-To: message header with the address that the mail
       was delivered to. This information is used for mail delivery loop
       detection.

       By default, the Postfix local delivery agent prepends a Delivered-To:
       header when forwarding mail and when delivering to file (mailbox) and
       command. Turning off the Delivered-To: header when forwarding mail is
       not recommended.

       Specify zero or more of forward, file, or command.

       Example:

       prepend_delivered_header = forward

process_id (read-only)

       The process ID of a Postfix command or daemon process.

process_id_directory (default: pid)

       The location of Postfix PID files relative to $queue_directory. This
       is a read-only parameter.

process_name (read-only)

       The process name of a Postfix command or daemon process.

propagate_unmatched_extensions (default: canonical, virtual)

       What address lookup tables copy an address extension from the lookup
       key to the lookup result.

       For example, with a virtual(5) mapping of "joe@example.com =>
       joe.user@example.net", the address "joe+foo@example.com" would rewrite
       to "joe.user+foo@example.net".

       Specify zero or more of canonical, virtual, alias, forward, include or
       generic. These cause address extension propagation with canonical(5),
       virtual(5), and aliases(5) maps, with local(8) .forward and :include:
       file lookups, and with smtp(8) generic maps, respectively.

       Note: enabling this feature for types other than canonical and virtual
       is likely to cause problems when mail is forwarded to other sites,
       especially with mail that is sent to a mailing list exploder address.

       Examples:

       propagate_unmatched_extensions = canonical, virtual, alias,
               forward, include
       propagate_unmatched_extensions = canonical, virtual

proxy_interfaces (default: empty)

       The network interface addresses that this mail system receives mail on
       by way of a proxy or network address translation unit.

       This feature is available in Postfix 2.0 and later.

       You must specify your "outside" proxy/NAT addresses when your system is
       a backup MX host for other domains, otherwise mail delivery loops will
       happen when the primary MX host is down.

       Example:

       proxy_interfaces = 1.2.3.4

proxy_read_maps (default: see postconf -d output)

       The lookup tables that the proxymap(8) server is allowed to access for
       the read-only service. Table references that don't begin with proxy:
4650       are ignored.
4651
4652       This feature is available in Postfix 2.0 and later.
4653

proxy_write_maps (default: see postconf -d output)

4655       The lookup tables that the proxymap(8) server is allowed to access  for
4656       the  read-write  service.  Postfix-owned local database files should be
4657       stored under the Postfix-owned data_directory.  Table  references  that
4658       don't begin with proxy: are ignored.
4659
4660       This feature is available in Postfix 2.5 and later.
4661

proxymap_service_name (default: proxymap)

4663       The  name of the proxymap read-only table lookup service.  This service
4664       is normally implemented by the proxymap(8) daemon.
4665
4666       This feature is available in Postfix 2.6 and later.
4667

proxywrite_service_name (default: proxywrite)

       The name of the proxywrite read-write table lookup service.  This
       service is normally implemented by the proxymap(8) daemon.
4671
4672       This feature is available in Postfix 2.6 and later.
4673

qmgr_clog_warn_time (default: 300s)

       The minimal delay between warnings that a specific destination is
       clogging up the Postfix active queue. Specify 0 to disable.
4677
4678       This feature is enabled with the helpful_warnings parameter.
4679
4680       This feature is available in Postfix 2.0 and later.
4681

qmgr_daemon_timeout (default: 1000s)

4683       How much time a Postfix queue manager process  may  take  to  handle  a
4684       request before it is terminated by a built-in watchdog timer.
4685
4686       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
4687       The default time unit is s (seconds).
4688
4689       This feature is available in Postfix 2.8 and later.
4690

qmgr_fudge_factor (default: 100)

4692       Obsolete feature: the percentage of delivery resources that a busy mail
4693       system will use up for delivery of a large mailing  list message.
4694
4695       This feature exists only in the oqmgr(8) old queue manager. The current
4696       queue manager solves the problem in a better way.
4697

qmgr_ipc_timeout (default: 60s)

4699       The time limit for the queue manager to  send  or  receive  information
4700       over an internal communication channel.  The purpose is to break out of
4701       deadlock situations. If the time limit is exceeded the software  either
4702       retries or aborts the operation.
4703
4704       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
4705       The default time unit is s (seconds).
4706
4707       This feature is available in Postfix 2.8 and later.
4708

qmgr_message_active_limit (default: 20000)

4710       The maximal number of messages in the active queue.
4711

qmgr_message_recipient_limit (default: 20000)

       The maximal number of recipients held in memory by the Postfix queue
       manager, and the maximal size of the short-term, in-memory "dead"
       destination status cache.
4716

qmgr_message_recipient_minimum (default: 10)

4718       The minimal number of in-memory recipients for any message. This  takes
4719       priority  over  any  other in-memory recipient limits (i.e., the global
4720       qmgr_message_recipient_limit and the per transport _recipient_limit) if
4721       necessary. The minimum value allowed for this parameter is 1.
4722

qmqpd_authorized_clients (default: empty)

4724       What  remote  QMQP  clients  are allowed to connect to the Postfix QMQP
4725       server port.
4726
4727       By default, no client is allowed to use the service.  This  is  because
4728       the QMQP server will relay mail to any destination.
4729
4730       Specify  a  list  of  client  patterns. A list pattern specifies a host
4731       name, a domain name, an internet address, or  a  network/mask  pattern,
4732       where  the mask specifies the number of bits in the network part.  When
4733       a pattern specifies a file name, its contents are substituted  for  the
4734       file  name; when a pattern is a "type:table" table specification, table
4735       lookup is used instead.
4736
4737       Patterns are separated by whitespace and/or commas. In order to reverse
4738       the  result,  precede a pattern with an exclamation point (!). The form
4739       "!/file/name" is supported only in Postfix version 2.4 and later.
4740
4741       Example:
4742
4743       qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
4744
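       The order of the two patterns in the example above matters. The
       following sketch is an added illustration, not Postfix code: it
       assumes the left-to-right, first-match rule this page states for its
       pattern lists, models only IPv4 address and network/mask patterns,
       and uses hypothetical function names. It also flags "!" patterns
       that an earlier pattern has made ineffective.

```python
import ipaddress


def split_list(value):
    """Patterns are separated by whitespace and/or commas."""
    return value.replace(",", " ").split()


def parse_pattern(pattern):
    """Split one list item into (negated, network). IPv4 literals only."""
    negated = pattern.startswith("!")
    body = pattern[1:] if negated else pattern
    # strict=False accepts values that have host bits set, e.g. 192.168.0.1/24.
    return negated, ipaddress.ip_network(body, strict=False)


def is_authorized(value, client_ip):
    """The first pattern that matches decides; "!" reverses that result.

    An empty list, or a list in which nothing matches, denies the client.
    """
    addr = ipaddress.ip_address(client_ip)
    for pattern in split_list(value):
        negated, net = parse_pattern(pattern)
        if addr in net:
            return not negated
    return False


def shadowed_exclusions(value):
    """Return the "!" patterns that can never take effect because an
    earlier positive pattern already covers every address they name."""
    positives, shadowed = [], []
    for pattern in split_list(value):
        negated, net = parse_pattern(pattern)
        if not negated:
            positives.append(net)
        elif any(net.subnet_of(p) for p in positives):
            shadowed.append(pattern)
    return shadowed


if __name__ == "__main__":
    documented = "!192.168.0.1, 192.168.0.0/24"   # value from this page
    swapped = "192.168.0.0/24, !192.168.0.1"      # constructed: same items, reordered
    for value in (documented, swapped):
        print(value)
        print("  192.168.0.1 allowed:", is_authorized(value, "192.168.0.1"))
        print("  ineffective exclusions:", shadowed_exclusions(value))
```

       With the patterns swapped, 192.168.0.1 is allowed because the /24
       matches first, which matters here because the QMQP server relays
       mail to any destination.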

qmqpd_client_port_logging (default: no)

       Enable logging of the remote QMQP client port in addition to the
       hostname and IP address. The logging format is "host[address]:port".
4748
4749       This feature is available in Postfix 2.5 and later.
4750

qmqpd_error_delay (default: 1s)

4752       How  long  the Postfix QMQP server will pause before sending a negative
4753       reply to the remote QMQP client. The purpose is to slow  down  confused
4754       or malicious clients.
4755
4756       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
4757       The default time unit is s (seconds).
4758

qmqpd_timeout (default: 300s)

       The time limit for sending or receiving information over the network.
       If a read or write operation blocks for more than $qmqpd_timeout
       seconds the Postfix QMQP server gives up and disconnects.
4763
4764       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
4765       The default time unit is s (seconds).
4766

queue_directory (default: see postconf -d output)

4768       The location of the Postfix top-level queue directory. This is the root
4769       directory of Postfix daemon processes that run chrooted.
4770

queue_file_attribute_count_limit (default: 100)

4772       The maximal number of (name=value) attributes that may be stored  in  a
4773       Postfix queue file. The limit is enforced by the cleanup(8) server.
4774
4775       This feature is available in Postfix 2.0 and later.
4776

queue_minfree (default: 0)

4778       The minimal amount of free space in bytes in the queue file system that
4779       is needed to receive mail.  This is currently used by the Postfix  SMTP
4780       server to decide if it will accept any mail at all.
4781
       By default, the Postfix SMTP server rejects MAIL FROM commands when the
       amount of free space is less than 1.5*$message_size_limit (Postfix
       version 2.1 and later).  To specify a higher minimum free space limit,
       specify a queue_minfree value that is at least 1.5*$message_size_limit.
4786
4787       With Postfix versions 2.0 and earlier, a queue_minfree  value  of  zero
4788       means there is no minimum required amount of free space.
4789

queue_run_delay (default: 300s)

4791       The  time  between  deferred queue scans by the queue manager; prior to
4792       Postfix 2.4 the default value was 1000s.
4793
       This parameter should be set less than or equal to
       $minimal_backoff_time. See also $maximal_backoff_time.
4796
4797       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
4798       The default time unit is s (seconds).
4799

queue_service_name (default: qmgr)

4801       The name of the qmgr(8) service. This service manages the Postfix queue
4802       and schedules delivery requests.
4803
4804       This feature is available in Postfix 2.0 and later.
4805

rbl_reply_maps (default: empty)

       Optional lookup tables with RBL response templates. The tables are
       indexed by the RBL domain name. By default, Postfix uses the default
       template as specified with the default_rbl_reply configuration
       parameter. See there for a discussion of the syntax of RBL reply
       templates.
4811
4812       This feature is available in Postfix 2.0 and later.
4813

readme_directory (default: see postconf -d output)

       The location of Postfix README files that describe how to build,
       configure or operate a specific Postfix subsystem or feature.
4817

receive_override_options (default: empty)

       Enable or disable recipient validation, built-in content filtering, or
       address mapping. Typically, these are specified in master.cf as
       command-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
4822
4823       Specify  zero  or  more of the following options.  The options override
4824       main.cf settings and are either implemented by smtpd(8),  qmqpd(8),  or
4825       pickup(8) themselves, or they are forwarded to the cleanup server.
4826
4827       no_unknown_recipient_checks
4828              Do  not  try  to  reject  unknown recipients (SMTP server only).
4829              This is typically specified AFTER an external content filter.
4830
4831       no_address_mappings
              Disable canonical address mapping, virtual alias map expansion,
              address masquerading, and automatic BCC (blind carbon-copy)
              recipients. This is typically specified BEFORE an external
              content filter.
4836
4837       no_header_body_checks
4838              Disable header/body_checks. This is typically specified AFTER an
4839              external content filter.
4840
4841       no_milters
4842              Disable Milter (mail filter)  applications.  This  is  typically
4843              specified AFTER an external content filter.
4844
4845       Note: when the "BEFORE content filter" receive_override_options setting
4846       is specified in the main.cf file, specify the  "AFTER  content  filter"
4847       receive_override_options setting in master.cf (and vice versa).
4848
4849       Examples:
4850
4851       receive_override_options =
4852           no_unknown_recipient_checks, no_header_body_checks
4853       receive_override_options = no_address_mappings
4854
4855       This feature is available in Postfix 2.1 and later.
4856

recipient_bcc_maps (default: empty)

       Optional BCC (blind carbon-copy) address lookup tables, indexed by
       recipient address.  The BCC address (multiple results are not
       supported) is added when mail enters from outside of Postfix.
4861
4862       This feature is available in Postfix 2.1 and later.
4863
4864       The table search order is as follows:
4865
4866       ·      Look  up  the  "user+extension@domain.tld" address including the
4867              optional address extension.
4868
4869       ·      Look up  the  "user@domain.tld"  address  without  the  optional
4870              address extension.
4871
       ·      Look up the "user+extension" address local part when the
              recipient domain equals $myorigin, $mydestination,
              $inet_interfaces or $proxy_interfaces.
4875
4876       ·      Look  up the "user" address local part when the recipient domain
4877              equals   $myorigin,    $mydestination,    $inet_interfaces    or
4878              $proxy_interfaces.
4879
4880       ·      Look up the "@domain.tld" part.
4881
4882       Specify  the  types  and  names of databases to use.  After change, run
4883       "postmap /etc/postfix/recipient_bcc".
4884
4885       Note: with Postfix 2.3 and later the BCC address is added as if it  was
4886       specified  with  NOTIFY=NONE.  The sender will not be notified when the
4887       BCC address is undeliverable,  as  long  as  all  down-stream  software
4888       implements RFC 3461.
4889
4890       Note: with Postfix 2.2 and earlier the sender will be notified when the
4891       BCC address is undeliverable.
4892
4893       Note: automatic BCC recipients are produced  only  for  new  mail.   To
4894       avoid  mailer  loops,  automatic BCC recipients are not generated after
4895       Postfix forwards mail  internally,  or  after  Postfix  generates  mail
4896       itself.
4897
4898       Example:
4899
4900       recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
4901

recipient_canonical_classes (default: envelope_recipient, header_recipient)

4903       What addresses are subject to recipient_canonical_maps address mapping.
4904       By default, recipient_canonical_maps  address  mapping  is  applied  to
4905       envelope recipient addresses, and to header recipient addresses.
4906
4907       Specify one or more of: envelope_recipient, header_recipient
4908
4909       This feature is available in Postfix 2.2 and later.
4910

recipient_canonical_maps (default: empty)

       Optional address mapping lookup tables for envelope and header
       recipient addresses.  The table format and lookups are documented in
       canonical(5).
4915
4916       Note: $recipient_canonical_maps is processed before $canonical_maps.
4917
4918       Example:
4919
4920       recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
4921

recipient_delimiter (default: empty)

4923       The  separator  between  user  names and address extensions (user+foo).
4924       See canonical(5), local(8), relocated(5) and virtual(5) for the effects
4925       this has on aliases, canonical, virtual, relocated and on .forward file
4926       lookups.  Basically,  the  software  tries  user+foo  and  .forward+foo
4927       before trying user and .forward.
4928
4929       Example:
4930
4931       recipient_delimiter = +
4932

reject_code (default: 554)

4934       The  numerical  Postfix  SMTP  server  response code when a remote SMTP
4935       client request is rejected by the "reject" restriction.
4936
4937       Do not change this unless you have  a  complete  understanding  of  RFC
4938       5321.
4939

reject_tempfail_action (default: defer_if_permit)

4941       The  Postfix  SMTP server's action when a reject-type restriction fails
4942       due to a temporary error condition. Specify "defer" to defer the remote
4943       SMTP  client  request  immediately.  With the default "defer_if_permit"
4944       action, the Postfix SMTP server continues to look for opportunities  to
4945       reject  mail,  and defers the client request only if it would otherwise
4946       be accepted.
4947
       For finer control, see: unverified_recipient_tempfail_action,
       unverified_sender_tempfail_action, unknown_address_tempfail_action,
       and unknown_helo_hostname_tempfail_action.
4951
4952       This feature is available in Postfix 2.6 and later.
4953

relay_clientcerts (default: empty)

       List of tables with remote SMTP client-certificate fingerprints or
       public key fingerprints (Postfix 2.9 and later) for which the Postfix
       SMTP server will allow access with the permit_tls_clientcerts feature.
       The fingerprint digest algorithm is configurable via the
       smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
       Postfix version 2.5).

       Postfix lookup tables are in the form of (key, value) pairs.  Since we
       only need the key, the value can be chosen freely, e.g. the name of
       the user or host:

           D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
4966
4967       Example:
4968
4969       relay_clientcerts = hash:/etc/postfix/relay_clientcerts
4970
       For more fine-grained control, use check_ccert_access to select an
       appropriate access(5) policy for each client.  See
       RESTRICTION_CLASS_README.

       Note: Postfix 2.9.0–2.9.5 computed the public key fingerprint
       incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6
       or later.
4978
4979       This feature is available with Postfix version 2.2.
4980

relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)

4983       The  maximal  number of parallel deliveries to the same destination via
4984       the relay message delivery transport. This limit  is  enforced  by  the
4985       queue  manager.  The message delivery transport name is the first field
4986       in the entry in the master.cf file.
4987
4988       This feature is available in Postfix 2.0 and later.
4989

relay_destination_recipient_limit (default: $default_destination_recipient_limit)

4992       The  maximal  number  of  recipients  per message for the relay message
4993       delivery transport. This limit is enforced by the  queue  manager.  The
4994       message  delivery transport name is the first field in the entry in the
4995       master.cf file.
4996
4997       Setting this  parameter  to  a  value  of  1  changes  the  meaning  of
4998       relay_destination_concurrency_limit  from  concurrency  per domain into
4999       concurrency per recipient.
5000
5001       This feature is available in Postfix 2.0 and later.
5002

relay_domains (default: $mydestination)

       What destination domains (and subdomains thereof) this system will
       relay mail to. Subdomain matching is controlled with the
       parent_domain_matches_subdomains parameter. For details about how the
       relay_domains value is used, see the description of the
       permit_auth_destination and reject_unauth_destination SMTP recipient
       restrictions.

       Domains that match $relay_domains are delivered with the
       $relay_transport mail delivery transport. The SMTP server validates
       recipient addresses with $relay_recipient_maps and rejects
       non-existent recipients.  See also the relay domains address class in
       the ADDRESS_CLASS_README file.

       Note: Postfix will not automatically forward mail for domains that list
       this system as their primary or backup MX host. See the
       permit_mx_backup restriction in the postconf(5) manual page.
5020
5021       Specify  a  list  of  host  or  domain  names, "/file/name" patterns or
5022       "type:table" lookup tables,  separated  by  commas  and/or  whitespace.
5023       Continue  long  lines  by  starting  the  next  line with whitespace. A
5024       "/file/name" pattern is replaced by its contents; a "type:table" lookup
5025       table  is matched when a (parent) domain appears as lookup key. Specify
5026       "!pattern" to exclude a domain from the list. The form "!/file/name" is
5027       supported only in Postfix version 2.4 and later.
5028

relay_domains_reject_code (default: 554)

5030       The  numerical  Postfix SMTP server response code when a client request
5031       is rejected by the reject_unauth_destination recipient restriction.
5032
5033       Do not change this unless you have  a  complete  understanding  of  RFC
5034       5321.
5035

relay_recipient_maps (default: empty)

       Optional lookup tables with all valid addresses in the domains that
       match $relay_domains. Specify @domain as a wild-card for domains that
       have no valid recipient list, and become a source of backscatter mail:
       Postfix accepts spam for non-existent recipients and then floods
       innocent people with undeliverable mail.  Technically, tables listed
       with $relay_recipient_maps are used as lists: Postfix needs to know
       only if a lookup string is found or not, but it does not use the result
       from table lookup.
5045
5046       If this parameter is non-empty,  then  the  Postfix  SMTP  server  will
5047       reject mail to unknown relay users. This feature is off by default.
5048
5049       See  also  the  relay domains address class in the ADDRESS_CLASS_README
5050       file.
5051
5052       Example:
5053
5054       relay_recipient_maps = hash:/etc/postfix/relay_recipients
5055
5056       This feature is available in Postfix 2.0 and later.
5057

relay_transport (default: relay)

5059       The default mail delivery transport and next-hop destination for remote
5060       delivery  to domains listed with $relay_domains. In order of decreasing
5061       precedence, the nexthop destination  is  taken  from  $relay_transport,
5062       $sender_dependent_relayhost_maps,  $relayhost,  or  from  the recipient
5063       domain. This information can be overruled with the transport(5) table.
5064
5065       Specify a string of the form transport:nexthop, where transport is  the
5066       name  of  a mail delivery transport defined in master.cf.  The :nexthop
5067       destination is optional; its syntax is documented in the manual page of
5068       the corresponding delivery agent.
5069
5070       See  also  the  relay domains address class in the ADDRESS_CLASS_README
5071       file.
5072
5073       This feature is available in Postfix 2.0 and later.
5074

relayhost (default: empty)

       The next-hop destination of non-local mail; overrides non-local domains
       in recipient addresses. This information is overruled with
       relay_transport, sender_dependent_default_transport_maps,
       default_transport, sender_dependent_relayhost_maps and with the
       transport(5) table.

       On an intranet, specify the organizational domain name. If your
       internal DNS uses no MX records, specify the name of the intranet
       gateway host instead.

       In the case of SMTP, specify a domain name, hostname, hostname:port,
       [hostname]:port, [hostaddress] or [hostaddress]:port. The form
       [hostname] turns off MX lookups.
5088
5089       If  you're  connected  via  UUCP,  see  the UUCP_README file for useful
5090       information.
5091
5092       Examples:
5093
5094       relayhost = $mydomain
5095       relayhost = [gateway.example.com]
5096       relayhost = uucphost
5097       relayhost = [an.ip.add.ress]
5098

relocated_maps (default: empty)

       Optional lookup tables with new contact information for users or
       domains that no longer exist.  The table format and lookups are
       documented in relocated(5).
5103
5104       If you use this feature, run "postmap /etc/postfix/relocated" to  build
5105       the  necessary  DBM  or  DB file after change, then "postfix reload" to
5106       make the changes visible.
5107
5108       Examples:
5109
5110       relocated_maps = dbm:/etc/postfix/relocated
5111       relocated_maps = hash:/etc/postfix/relocated
5112

remote_header_rewrite_domain (default: empty)

       Don't rewrite message headers from remote clients at all when this
       parameter is empty; otherwise, rewrite message headers and append the
       specified domain name to incomplete addresses.  The
       local_header_rewrite_clients parameter controls what clients Postfix
       considers local.
5118
5119       Examples:
5120
5121       The   safe   setting:  append  "domain.invalid"  to  incomplete  header
5122       addresses from remote SMTP clients, so that those addresses  cannot  be
5123       confused with local addresses.
5124
5125           remote_header_rewrite_domain = domain.invalid
5126
5127       The default, purist, setting: don't rewrite headers from remote clients
5128       at all.
5129
5130           remote_header_rewrite_domain =
5131

require_home_directory (default: no)

5133       Require that a local(8) recipient's home directory exists  before  mail
5134       delivery  is  attempted.  By  default this test is disabled.  It can be
5135       useful for environments that import home directories to the mail server
5136       (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
5137

reset_owner_alias (default: no)

5139       Reset  the local(8) delivery agent's idea of the owner-alias attribute,
5140       when delivering mail to a child alias that does not have its own  owner
5141       alias.
5142
5143       This  feature is available in Postfix 2.8 and later. With older Postfix
5144       releases, the behavior is as if this parameter is set to "yes".
5145
5146       As documented in aliases(5), when an alias name has a  companion  alias
5147       named  owner-name,  delivery errors will be reported to the owner alias
5148       instead of the sender. This configuration is  recommended  for  mailing
5149       lists.
5150
5151       A  less  known  property  of the owner alias is that it also forces the
5152       local(8) delivery agent to write local and remote addresses from  alias
5153       expansion to a new queue file, instead of attempting to deliver mail to
5154       local addresses as soon as they come out of alias expansion.
5155
       Writing local addresses from alias expansion to a new queue file allows
       for robust handling of temporary delivery errors: errors with one local
       member have no effect on deliveries to other members of the list.  On
       the other hand, delivery to local addresses as soon as they come out of
       alias expansion is fragile: a temporary error with one local address
       from alias expansion will cause the entire alias to be expanded
       repeatedly until the error goes away, or until the message expires in
       the queue.  In that case, a problem with one list member results in
       multiple message deliveries to other list members.
5165
       The default behavior of Postfix 2.8 and later is to keep the
       owner-alias attribute of the parent alias, when delivering mail to a
       child alias that does not have its own owner alias. Then, local
       addresses from that child alias will be written to a new queue file,
       and a temporary error with one local address will not affect delivery
       to other mailing list members.
5172
       Unfortunately, older Postfix releases reset the owner-alias attribute
       when delivering mail to a child alias that does not have its own owner
       alias.  The local(8) delivery agent then attempts to deliver local
       addresses as soon as they come out of child alias expansion.  If
       delivery to any address from child alias expansion fails with a
       temporary error condition, the entire mailing list may be expanded
       repeatedly until the mail expires in the queue, resulting in multiple
       deliveries of the same message to mailing list members.
5181

resolve_dequoted_address (default: yes)

5183       Resolve a recipient address safely instead  of  correctly,  by  looking
5184       inside quotes.
5185
       By default, the Postfix address resolver does not quote the address
       localpart as per RFC 822, so that additional @ or % or ! operators
       remain visible. This behavior is safe but it is also technically
       incorrect.
5190
5191       If you  specify  "resolve_dequoted_address  =  no",  then  the  Postfix
5192       resolver will not know about additional @ etc. operators in the address
5193       localpart. This opens opportunities for obscure mail relay attacks with
5194       user@domain@domain  addresses  when  Postfix provides backup MX service
5195       for Sendmail systems.
5196

resolve_null_domain (default: no)

5198       Resolve an address that ends in the "@" null domain  as  if  the  local
5199       hostname were specified, instead of rejecting the address as invalid.
5200
5201       This  feature  is available in Postfix 2.1 and later.  Earlier versions
5202       always resolve the null domain as the local hostname.
5203
       The Postfix SMTP server uses this feature to reject mail from or to
       addresses that end in the "@" null domain, and from addresses that
       rewrite into a form that ends in the "@" null domain.
5207

resolve_numeric_domain (default: no)

5209       Resolve "user@ipaddress" as "user@[ipaddress]",  instead  of  rejecting
5210       the address as invalid.
5211
5212       This feature is available in Postfix 2.3 and later.
5213

rewrite_service_name (default: rewrite)

5215       The  name  of  the  address  rewriting  service.  This service rewrites
5216       addresses to standard form and resolves them  to  a  (delivery  method,
5217       next-hop host, recipient) triple.
5218
5219       This feature is available in Postfix 2.0 and later.
5220

sample_directory (default: /etc/postfix)

5222       The  name  of  the  directory with example Postfix configuration files.
5223       Starting with Postfix 2.1, these files  have  been  replaced  with  the
5224       postconf(5) manual page.
5225

send_cyrus_sasl_authzid (default: no)

5227       When  authenticating  to  a remote SMTP or LMTP server with the default
5228       setting "no", send no SASL authoriZation ID (authzid);  send  only  the
5229       SASL authentiCation ID (authcid) plus the authcid's password.
5230
5231       The  non-default  setting  "yes"  enables the behavior of older Postfix
5232       versions.  These always send a SASL authzid that is equal to  the  SASL
5233       authcid,  but  this  causes  inter-operability  problems with some SMTP
5234       servers.
5235
5236       This feature is available in Postfix 2.4.4 and later.
5237

sender_based_routing (default: no)

       This parameter should not be used. It was replaced by
       sender_dependent_relayhost_maps in Postfix version 2.3.
5241

sender_bcc_maps (default: empty)

       Optional BCC (blind carbon-copy) address lookup tables, indexed by
       sender address. The BCC address (multiple results are not supported)
       is added when mail enters from outside of Postfix.

       This feature is available in Postfix 2.1 and later.

       The table search order is as follows:

       ·      Look up the "user+extension@domain.tld" address including the
              optional address extension.

       ·      Look up the "user@domain.tld" address without the optional
              address extension.

       ·      Look up the "user+extension" address local part when the sender
              domain equals $myorigin, $mydestination, $inet_interfaces or
              $proxy_interfaces.

       ·      Look up the "user" address local part when the sender domain
              equals $myorigin, $mydestination, $inet_interfaces or
              $proxy_interfaces.

       ·      Look up the "@domain.tld" part.

       Specify the types and names of databases to use. After a change, run
       "postmap /etc/postfix/sender_bcc".

       Note: with Postfix 2.3 and later the BCC address is added as if it was
       specified with NOTIFY=NONE. The sender will not be notified when the
       BCC address is undeliverable, as long as all down-stream software
       implements RFC 3461.

       Note: with Postfix 2.2 and earlier the sender will be notified when the
       BCC address is undeliverable.

       Note: automatic BCC recipients are produced only for new mail. To
       avoid mailer loops, automatic BCC recipients are not generated after
       Postfix forwards mail internally, or after Postfix generates mail
       itself.

       Example:

       sender_bcc_maps = hash:/etc/postfix/sender_bcc
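
       The sender_bcc_maps search order above, written out as an added
       example in Python (not code from Postfix or from this manual page).
       The dict standing in for the table, the sample addresses, the "+"
       extension delimiter and the lower-casing of keys are assumptions
       made for illustration.

```python
# Added example: lookup-key order for a sender_bcc_maps table.

def bcc_lookup_keys(sender, local_domains, delimiter="+"):
    """Return the keys to try for an envelope sender, in search order.

    Assumptions (not stated on this page): `local_domains` is the caller's
    already-expanded set of names from $myorigin, $mydestination,
    $inet_interfaces and $proxy_interfaces; `delimiter` is the address
    extension delimiter; keys are compared in lower case.
    """
    local, at, domain = sender.lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError("expected user@domain, got %r" % sender)

    base, sep, _ext = local.partition(delimiter)
    has_ext = bool(sep and base)      # "+foo@..." has no user part to strip to
    user = base if has_ext else local

    keys = []
    if has_ext:
        keys.append(local + "@" + domain)     # user+extension@domain.tld
    keys.append(user + "@" + domain)          # user@domain.tld
    if domain in local_domains:
        if has_ext:
            keys.append(local)                # user+extension
        keys.append(user)                     # user
    keys.append("@" + domain)                 # @domain.tld
    return keys


def bcc_for(sender, table, local_domains):
    """Return (matching_key, bcc_address), or (None, None) when nothing matches."""
    for key in bcc_lookup_keys(sender, local_domains):
        if key in table:
            return key, table[key]
    return None, None


# Constructed sample data: a dict standing in for hash:/etc/postfix/sender_bcc.
SAMPLE_TABLE = {
    "@example.com": "archive@example.com",
    "ceo@example.com": "legal-hold@example.com",
    "build": "ci-audit@example.com",
}
SAMPLE_LOCAL_DOMAINS = {"example.com", "localhost"}

if __name__ == "__main__":
    for s in ("ceo+travel@example.com", "build@example.com",
              "alice@example.com", "build@partner.example"):
        print(s, "->", bcc_for(s, SAMPLE_TABLE, SAMPLE_LOCAL_DOMAINS))
```

       Because only the first matching key is used and multiple results are
       not supported, the domain-wide "@example.com" archive entry in this
       sample never applies to ceo@example.com or build@example.com.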

sender_canonical_classes (default: envelope_sender, header_sender)

       What addresses are subject to sender_canonical_maps address mapping.
       By default, sender_canonical_maps address mapping is applied to
       envelope sender addresses, and to header sender addresses.

       Specify one or more of: envelope_sender, header_sender

       This feature is available in Postfix 2.2 and later.

sender_canonical_maps (default: empty)

       Optional address mapping lookup tables for envelope and header sender
       addresses. The table format and lookups are documented in
       canonical(5).

       Example: you want to rewrite the SENDER address "user@ugly.domain" to
       "user@pretty.domain", while still being able to send mail to the
       RECIPIENT address "user@ugly.domain".

       Note: $sender_canonical_maps is processed before $canonical_maps.

       Example:

       sender_canonical_maps = hash:/etc/postfix/sender_canonical

sender_dependent_default_transport_maps (default: empty)

       A sender-dependent override for the global default_transport parameter
       setting. The tables are searched by the envelope sender address and
       @domain. A lookup result of DUNNO terminates the search without
       overriding the global default_transport parameter setting. This
       information is overruled with the transport(5) table.

       Note: this overrides default_transport, not transport_maps, and
       therefore the expected syntax is that of default_transport, not the
       syntax of transport_maps. Specifically, this does not support the
       transport_maps syntax for null transport, null nexthop, or null email
       addresses.

       For safety reasons, this feature does not allow $number substitutions
       in regular expression maps.

       This feature is available in Postfix 2.7 and later.

sender_dependent_relayhost_maps (default: empty)

       A sender-dependent override for the global relayhost parameter setting.
       The tables are searched by the envelope sender address and @domain. A
       lookup result of DUNNO terminates the search without overriding the
       global relayhost parameter setting (Postfix 2.6 and later). This
       information is overruled with relay_transport,
       sender_dependent_default_transport_maps, default_transport and with
       the transport(5) table.

       For safety reasons, this feature does not allow $number substitutions
       in regular expression maps.

       This feature is available in Postfix 2.3 and later.

sendmail_fix_line_endings (default: always)

       Controls how the Postfix sendmail command converts email message line
       endings from <CR><LF> into UNIX format (<LF>).

       always Always convert message lines ending in <CR><LF>. This setting is
              the default with Postfix 2.9 and later.

       strict Convert message lines ending in <CR><LF> only if the first input
              line ends in <CR><LF>. This setting is backwards-compatible with
              Postfix 2.8 and earlier.

       never  Never convert message lines ending in <CR><LF>. This setting
              exists for completeness only.

       This feature is available in Postfix 2.9 and later.

sendmail_path (default: see postconf -d output)

       A Sendmail compatibility feature that specifies the location of the
       Postfix sendmail(1) command. This command can be used to submit mail
       into the Postfix queue.

service_throttle_time (default: 60s)

       How long the Postfix master(8) waits before forking a server that
       appears to be malfunctioning.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

setgid_group (default: postdrop)

       The group ownership of set-gid Postfix commands and of group-writable
       Postfix directories. When this parameter value is changed you need to
       re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
       "/etc/postfix/post-install set-permissions").

show_user_unknown_table_name (default: yes)

       Display the name of the recipient table in the "User unknown"
       responses. The extra detail makes troubleshooting easier but also
       reveals information that is nobody else's business.

       This feature is available in Postfix 2.0 and later.

showq_service_name (default: showq)

       The name of the showq(8) service. This service produces mail queue
       status reports.

       This feature is available in Postfix 2.0 and later.

smtp_address_preference (default: any)

       The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
       will try first, when a destination has IPv6 and IPv4 addresses with
       equal MX preference. This feature has no effect unless the
       inet_protocols setting enables both IPv4 and IPv6. With Postfix 2.8
       the default is "ipv6".

       Notes for mail delivery between sites that have both IPv4 and IPv6
       connectivity:

       ·      The setting "smtp_address_preference = ipv6" is unsafe. It can
              fail to deliver mail when there is an outage that affects IPv6,
              while the destination is still reachable over IPv4.

       ·      The setting "smtp_address_preference = any" is safe. With this,
              mail will eventually be delivered even if there is an outage
              that affects IPv6 or IPv4, as long as it does not affect both.

       This feature is available in Postfix 2.8 and later.

smtp_always_send_ehlo (default: yes)

       Always send EHLO at the start of an SMTP session.

       With "smtp_always_send_ehlo = no", the Postfix SMTP client sends EHLO
       only when the word "ESMTP" appears in the server greeting banner
       (example: 220 spike.porcupine.org ESMTP Postfix).

smtp_bind_address (default: empty)

       An optional numerical network address that the Postfix SMTP client
       should bind to when making an IPv4 connection.

       This can be specified in the main.cf file for all SMTP clients, or it
       can be specified in the master.cf file for a specific client, for
       example:

           /etc/postfix/master.cf:
               smtp ... smtp -o smtp_bind_address=11.22.33.44

       Note 1: when inet_interfaces specifies no more than one IPv4 address,
       and that address is a non-loopback address, it is automatically used as
       the smtp_bind_address. This supports virtual IP hosting, but can be a
       problem on multi-homed firewalls. See the inet_interfaces documentation
       for more detail.

       Note 2: address information may be enclosed inside [], but this form is
       not required here.

smtp_bind_address6 (default: empty)

       An optional numerical network address that the Postfix SMTP client
       should bind to when making an IPv6 connection.

       This feature is available in Postfix 2.2 and later.

       This can be specified in the main.cf file for all SMTP clients, or it
       can be specified in the master.cf file for a specific client, for
       example:

           /etc/postfix/master.cf:
               smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8

       Note 1: when inet_interfaces specifies no more than one IPv6 address,
       and that address is a non-loopback address, it is automatically used as
       the smtp_bind_address6. This supports virtual IP hosting, but can be a
       problem on multi-homed firewalls. See the inet_interfaces documentation
       for more detail.

       Note 2: address information may be enclosed inside [], but this form is
       not recommended here.

smtp_body_checks (default: empty)

       Restricted body_checks(5) tables for the Postfix SMTP client. These
       tables are searched while mail is being delivered. Actions that change
       the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.

smtp_cname_overrides_servername (default: version dependent)

       Allow DNS CNAME records to override the servername that the Postfix
       SMTP client uses for logging, SASL password lookup, TLS policy
       decisions, or TLS certificate verification. The value "no" hardens
       Postfix smtp_tls_per_site hostname-based policies against false
       hostname information in DNS CNAME records, and makes SASL password file
       lookups more predictable. This is the default setting as of Postfix
       2.3.

       This feature is available in Postfix 2.2.9 and later.

smtp_connect_timeout (default: 30s)

       The Postfix SMTP client time limit for completing a TCP connection, or
       zero (use the operating system built-in time limit).

       When no connection can be made within the deadline, the Postfix SMTP
       client tries the next address on the mail exchanger list. Specify 0 to
       disable the time limit (i.e. use whatever timeout is implemented by the
       operating system).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

smtp_connection_cache_destinations (default: empty)

       Permanently enable SMTP connection caching for the specified
       destinations. With SMTP connection caching, a connection is not closed
       immediately after completion of a mail transaction. Instead, the
       connection is kept open for up to $smtp_connection_cache_time_limit
       seconds. This allows connections to be reused for other deliveries,
       and can improve mail delivery performance.

       Specify a comma or white space separated list of destinations or
       pseudo-destinations:

       ·      if mail is sent without a relay host: a domain name (the
              right-hand side of an email address, without the [] around a
              numeric IP address),

       ·      if mail is sent via a relay host: a relay host name (without []
              or non-default TCP port), as specified in main.cf or in the
              transport map,

       ·      if mail is sent via a UNIX-domain socket: a pathname (without
              the unix: prefix),

       ·      a /file/name with domain names and/or relay host names as
              defined above,

       ·      a "type:table" with domain names and/or relay host names on the
              left-hand side. The right-hand side result from "type:table"
              lookups is ignored.

       This feature is available in Postfix 2.2 and later.

smtp_connection_cache_on_demand (default: yes)

       Temporarily enable SMTP connection caching while a destination has a
       high volume of mail in the active queue. With SMTP connection caching,
       a connection is not closed immediately after completion of a mail
       transaction. Instead, the connection is kept open for up to
       $smtp_connection_cache_time_limit seconds. This allows connections to
       be reused for other deliveries, and can improve mail delivery
       performance.

       This feature is available in Postfix 2.2 and later.

smtp_connection_cache_reuse_limit (default: 10)

       When SMTP connection caching is enabled, the number of times that an
       SMTP session may be reused before it is closed.

       This feature is available in Postfix 2.2. In Postfix 2.3 it is replaced
       by $smtp_connection_reuse_time_limit.

smtp_connection_cache_time_limit (default: 2s)

       When SMTP connection caching is enabled, the amount of time that an
       unused SMTP client socket is kept open before it is closed. Do not
       specify larger values without permission from the remote sites.

       This feature is available in Postfix 2.2 and later.

smtp_connection_reuse_time_limit (default: 300s)

       The amount of time during which Postfix will use an SMTP connection
       repeatedly. The timer starts when the connection is initiated (i.e. it
       includes the connect, greeting and helo latency, in addition to the
       latencies of subsequent mail delivery transactions).

       This feature addresses a performance stability problem with remote SMTP
       servers. This problem is not specific to Postfix: it can happen when
       any MTA sends large amounts of SMTP email to a site that has multiple
       MX hosts.

       The problem starts when one of a set of MX hosts becomes slower than
       the rest. Even though SMTP clients connect to fast and slow MX hosts
       with equal probability, the slow MX host ends up with more simultaneous
       inbound connections than the faster MX hosts, because the slow MX host
       needs more time to serve each client request.

       The slow MX host becomes a connection attractor. If one MX host
       becomes N times slower than the rest, it dominates mail delivery
       latency unless there are more than N fast MX hosts to counter the
       effect. And if the number of MX hosts is smaller than N, the mail
       delivery latency becomes effectively that of the slowest MX host
       divided by the total number of MX hosts.

       The solution uses connection caching in a way that differs from Postfix
       version 2.2. By limiting the amount of time during which a connection
       can be used repeatedly (instead of limiting the number of deliveries
       over that connection), Postfix not only restores fairness in the
       distribution of simultaneous connections across a set of MX hosts, it
       also favors deliveries over connections that perform well, which is
       exactly what we want.

       The default reuse time limit, 300s, is comparable to the various smtp
       transaction timeouts which are fair estimates of maximum excess latency
       for a slow delivery. Note that hosts may accept thousands of messages
       over a single connection within the default connection reuse time
       limit. This number is much larger than the default Postfix version 2.2
       limit of 10 messages per cached connection. It may prove necessary to
       lower the limit to avoid interoperability issues with MTAs that exhibit
       bugs when many messages are delivered via a single connection. A lower
       reuse time limit risks losing the benefit of connection reuse when the
       average connection and mail delivery latency exceeds the reuse time
       limit.

       This feature is available in Postfix 2.3 and later.
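
       The connection-attractor effect described above, as an added
       simulation in Python (not Postfix code). It compares the Postfix 2.2
       limit of 10 messages per cached connection with the 300s reuse time
       limit; the four MX hosts, their per-delivery times, the number of
       delivery slots and the rotation that stands in for "equal
       probability" are constructed assumptions.

```python
from fractions import Fraction


def simulate(delivery_seconds, slots, horizon, max_deliveries=None, max_age=None):
    """Simulate `slots` concurrent delivery slots for `horizon` seconds.

    delivery_seconds[i] is the time one delivery takes on MX host i. Each
    slot opens connections to the hosts in rotation and reuses a connection
    until it has carried max_deliveries messages (count limit) or until it
    is max_age seconds old (time limit).

    Returns (messages delivered,
             share of all connection time spent on the slowest host).
    """
    if (max_deliveries is None) == (max_age is None):
        raise ValueError("set exactly one of max_deliveries and max_age")
    hosts = len(delivery_seconds)
    slowest = max(range(hosts), key=lambda i: delivery_seconds[i])
    delivered = 0
    slow_time = 0
    for slot in range(slots):
        now, turn = 0, slot              # stagger the starting host per slot
        while now < horizon:
            host = turn % hosts
            turn += 1
            opened, count = now, 0
            while now < horizon:
                now += delivery_seconds[host]
                count += 1
                delivered += 1
                if max_deliveries is not None and count >= max_deliveries:
                    break                # connection used up by message count
                if max_age is not None and now - opened >= max_age:
                    break                # connection used up by age
            if host == slowest:
                slow_time += now - opened
    return delivered, Fraction(slow_time, slots * horizon)


# Constructed scenario: four MX hosts, the first one 10 times slower.
MX_DELIVERY_SECONDS = [10, 1, 1, 1]
SLOTS, HORIZON = 4, 15600


def compare():
    """Return the (delivered, slow-host share) pair for each reuse policy."""
    by_count = simulate(MX_DELIVERY_SECONDS, SLOTS, HORIZON, max_deliveries=10)
    by_time = simulate(MX_DELIVERY_SECONDS, SLOTS, HORIZON, max_age=300)
    return by_count, by_time


if __name__ == "__main__":
    for label, (msgs, share) in zip(("10 messages", "300 seconds"), compare()):
        print("%-12s delivered=%d slow-host share=%s" % (label, msgs, share))
```

       With the count limit the slow host holds 10/13 of all connection
       time; with the time limit it holds 1/4, and the same slots deliver
       about 2.5 times as many messages.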

smtp_data_done_timeout (default: 600s)

       The Postfix SMTP client time limit for sending the SMTP ".", and for
       receiving the remote SMTP server response.

       When no response is received within the deadline, a warning is logged
       that the mail may be delivered multiple times.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

smtp_data_init_timeout (default: 120s)

       The Postfix SMTP client time limit for sending the SMTP DATA command,
       and for receiving the remote SMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

smtp_data_xfer_timeout (default: 180s)

       The Postfix SMTP client time limit for sending the SMTP message
       content. When the connection makes no progress for more than
       $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates the
       transfer.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

smtp_defer_if_no_mx_address_found (default: no)

       Defer mail delivery when no MX record resolves to an IP address.

       The default (no) is to return the mail as undeliverable. With older
       Postfix versions the default was to keep trying to deliver the mail
       until someone fixed the MX record or until the mail was too old.

       Note: the Postfix SMTP client always ignores MX records with equal or
       worse preference than the local MTA itself.

       This feature is available in Postfix 2.1 and later.

smtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same destination via
       the smtp message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the first field
       in the entry in the master.cf file.

smtp_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for the smtp message
       delivery transport. This limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in the
       master.cf file.

       Setting this parameter to a value of 1 changes the meaning of
       smtp_destination_concurrency_limit from concurrency per domain into
       concurrency per recipient.

smtp_discard_ehlo_keyword_address_maps (default: empty)

       Lookup tables, indexed by the remote SMTP server address, with case
       insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
       that the Postfix SMTP client will ignore in the EHLO response from a
       remote SMTP server. See smtp_discard_ehlo_keywords for details. The
       table is not indexed by hostname for consistency with
       smtpd_discard_ehlo_keyword_address_maps.

       This feature is available in Postfix 2.2 and later.

smtp_discard_ehlo_keywords (default: empty)

       A case insensitive list of EHLO keywords (pipelining, starttls, auth,
       etc.) that the Postfix SMTP client will ignore in the EHLO response
       from a remote SMTP server.

       This feature is available in Postfix 2.2 and later.

       Notes:

       ·      Specify the silent-discard pseudo keyword to prevent this action
              from being logged.

       ·      Use the smtp_discard_ehlo_keyword_address_maps feature to
              discard EHLO keywords selectively.

smtp_dns_resolver_options (default: empty)

       DNS Resolver options for the Postfix SMTP client. Specify zero or more
       of the following options, separated by comma or whitespace. Option
       names are case-sensitive. Some options refer to domain names that are
       specified in the file /etc/resolv.conf or equivalent.

       res_defnames
              Append the current domain name to single-component names (those
              that do not contain a "." character). This can produce incorrect
              results, and is the hard-coded behavior prior to Postfix 2.8.

       res_dnsrch
              Search for host names in the current domain and in parent
              domains. This can produce incorrect results and is therefore not
              recommended.

       This feature is available in Postfix 2.8 and later.
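
       An added example in Python (not part of Postfix) that reads a main.cf
       using the format rules at the top of this manual page and reports the
       settings that the descriptions of show_user_unknown_table_name,
       smtp_address_preference, smtp_cname_overrides_servername and
       smtp_dns_resolver_options themselves call revealing, unsafe, unhardened
       or error-prone. The function names and the sample file content are
       constructed for illustration; $name references are left unexpanded.

```python
import re


def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}; the last definition wins.

    $name references inside values are left unexpanded.
    """
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank and comment lines are ignored
        if raw[0].isspace():
            if logical:
                logical[-1] += " " + stripped   # continuation of a logical line
            continue
        logical.append(stripped)
    params = {}
    for line in logical:
        name, eq, value = line.partition("=")
        if eq:
            params[name.strip()] = value.strip()
    return params


def audit(params):
    """Return (parameter, reason) pairs for settings this page warns about."""
    findings = []
    # The default is "yes", so an absent setting is treated as "yes".
    if params.get("show_user_unknown_table_name", "yes").lower() == "yes":
        findings.append(("show_user_unknown_table_name",
                         "recipient table name is shown in 'User unknown' responses"))
    # Only an explicit "ipv6" is flagged; the built-in default is version dependent.
    if params.get("smtp_address_preference", "").lower() == "ipv6":
        findings.append(("smtp_address_preference",
                         "an IPv6 outage can block delivery to hosts reachable over IPv4"))
    # Only an explicit "yes" is flagged; the built-in default is version dependent.
    if params.get("smtp_cname_overrides_servername", "").lower() == "yes":
        findings.append(("smtp_cname_overrides_servername",
                         "DNS CNAME records can override the name used for TLS and SASL decisions"))
    options = re.split(r"[,\s]+", params.get("smtp_dns_resolver_options", ""))
    for name in ("res_defnames", "res_dnsrch"):   # option names are case-sensitive
        if name in options:
            findings.append(("smtp_dns_resolver_options",
                             name + " can produce incorrect results"))
    return findings


# Constructed sample, not taken from a real system.
SAMPLE_MAIN_CF = "\n".join([
    "# outbound client settings",
    "smtp_address_preference = any",
    "show_user_unknown_table_name = no",
    "smtp_dns_resolver_options = res_defnames,",
    "    res_dnsrch",
    "smtp_address_preference = ipv6",
    "smtp_cname_overrides_servername = no",
])

if __name__ == "__main__":
    for parameter, reason in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print("%s: %s" % (parameter, reason))
```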

smtp_enforce_tls (default: no)

       Enforcement mode: require that remote SMTP servers use TLS encryption,
       and never send mail in the clear. This also requires that the remote
       SMTP server hostname matches the information in the remote server
       certificate, and that the remote SMTP server certificate was issued by
       a CA that is trusted by the Postfix SMTP client. If the certificate
       doesn't verify or the hostname doesn't match, delivery is deferred and
       mail stays in the queue.

       The server hostname is matched against all names provided as dNSNames
       in the SubjectAlternativeName. If no dNSNames are specified, the
       CommonName is checked. The behavior may be changed with the
       smtp_tls_enforce_peername option.

       This option is useful only if you are definitely sure that you will
       only connect to servers that support RFC 2487 _and_ that provide valid
       server certificates. Typical use is for clients that send all their
       email to a dedicated mailhub.

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtp_tls_security_level instead.

smtp_fallback_relay (default: $fallback_relay)

       Optional list of relay hosts for SMTP destinations that can't be found
       or that are unreachable. With Postfix 2.2 and earlier this parameter is
       called fallback_relay.

       By default, mail is returned to the sender when a destination is not
       found, and delivery is deferred when a destination is unreachable.

       With bulk email deliveries, it can be beneficial to run the fallback
       relay MTA on the same host, so that it can reuse the sender IP address.
       This speeds up deliveries that are delayed by IP-based reputation
       systems (greylist, etc.).

       The fallback relays must be SMTP destinations. Specify a domain, host,
       host:port, [host]:port, [address] or [address]:port; the form [host]
       turns off MX lookups. If you specify multiple SMTP destinations,
       Postfix will try them in the specified order.

       To prevent mailer loops between MX hosts and fall-back hosts, Postfix
       version 2.2 and later will not use the fallback relays for destinations
       that it is MX host for (assuming DNS lookup is turned on).

smtp_generic_maps (default: empty)

       Optional lookup tables that perform address rewriting in the Postfix
       SMTP client, typically to transform a locally valid address into a
       globally valid address when sending mail across the Internet. This is
       needed when the local machine does not have its own Internet domain
       name, but uses something like localdomain.local instead.

       The table format and lookups are documented in generic(5); examples are
       shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
       documents.

       This feature is available in Postfix 2.2 and later.

smtp_header_checks (default: empty)

       Restricted header_checks(5) tables for the Postfix SMTP client. These
       tables are searched while mail is being delivered. Actions that change
       the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.

smtp_helo_name (default: $myhostname)

       The hostname to send in the SMTP EHLO or HELO command.

       The default value is the machine hostname. Specify a hostname or
       [ip.add.re.ss].

       This information can be specified in the main.cf file for all SMTP
       clients, or it can be specified in the master.cf file for a specific
       client, for example:

           /etc/postfix/master.cf:
               mysmtp ... smtp -o smtp_helo_name=foo.bar.com

       This feature is available in Postfix 2.0 and later.

smtp_helo_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the HELO or EHLO
       command, and for receiving the initial remote SMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

smtp_host_lookup (default: dns)

       What mechanisms the Postfix SMTP client uses to look up a host's IP
       address. This parameter is ignored when DNS lookups are disabled (see:
       disable_dns_lookups).

       Specify one of the following:

       dns    Hosts can be found in the DNS (preferred).

       native Use the native naming service only (nsswitch.conf, or equivalent
              mechanism).

       dns, native
              Use the native service for hosts not found in the DNS.

       This feature is available in Postfix 2.1 and later.

smtp_line_length_limit (default: 998)

       The maximal length of message header and body lines that Postfix will
       send via SMTP. This limit does not include the <CR><LF> at the end of
       each line. Longer lines are broken by inserting "<CR><LF><SPACE>", to
       minimize the damage to MIME formatted mail.

       The Postfix limit of 998 characters not including <CR><LF> is
       consistent with the SMTP limit of 1000 characters including <CR><LF>.
       The Postfix limit was 990 with Postfix 2.8 and earlier.

smtp_mail_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the MAIL FROM command,
       and for receiving the remote SMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

smtp_mime_header_checks (default: empty)

       Restricted mime_header_checks(5) tables for the Postfix SMTP client.
       These tables are searched while mail is being delivered. Actions that
       change the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.

smtp_mx_address_limit (default: 5)

       The maximal number of MX (mail exchanger) IP addresses that can result
       from Postfix SMTP client mail exchanger lookups, or zero (no limit).
       Prior to Postfix version 2.3, this limit was disabled by default.

       This feature is available in Postfix 2.1 and later.

smtp_mx_session_limit (default: 2)

       The maximal number of SMTP sessions per delivery request before the
       Postfix SMTP client gives up or delivers to a fall-back relay host, or
       zero (no limit). This restriction ignores sessions that fail to
       complete the SMTP initial handshake (Postfix version 2.2 and earlier)
       or that fail to complete the EHLO and TLS handshake (Postfix version
       2.3 and later).

       This feature is available in Postfix 2.1 and later.

smtp_nested_header_checks (default: empty)

       Restricted nested_header_checks(5) tables for the Postfix SMTP client.
       These tables are searched while mail is being delivered. Actions that
       change the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.

smtp_never_send_ehlo (default: no)

       Never send EHLO at the start of an SMTP session. See also the
       smtp_always_send_ehlo parameter.

smtp_per_record_deadline (default: no)

       Change the behavior of the smtp_*_timeout time limits, from a time
       limit per read or write system call, to a time limit to send or receive
       a complete record (an SMTP command line, SMTP response line, SMTP
       message content line, or TLS protocol message). This limits the impact
       from hostile peers that trickle data one byte at a time.

       Note: when per-record deadlines are enabled, a short timeout may cause
       problems with TLS over very slow network connections. The reasons are
       that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
       and that an entire TLS protocol message must be sent or received within
       the per-record deadline.

       This feature is available in Postfix 2.9 and later. With older Postfix
       releases, the behavior is as if this parameter is set to "no".
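
       The difference between the two timeout behaviours, and the TLS caveat
       in the note, as an added example in Python (a model with simulated
       arrival times, not Postfix code). The peer schedules, the 5 and 10
       second timeouts and the function names are constructed for
       illustration.

```python
def receive(chunks, timeout, is_complete, per_record_deadline):
    """Replay a simulated peer against one of the two timeout behaviours.

    chunks: (seconds_until_arrival, data) pairs, a constructed stand-in for
    what successive read calls would return. timeout plays the role of an
    smtp_*_timeout value, in seconds.

    Returns (outcome, seconds_elapsed, bytes_received) where outcome is
    "ok", "timeout" or "eof".
    """
    elapsed = 0
    buf = b""
    for wait, data in chunks:
        # Per call: every read gets a fresh `timeout`.
        # Per record: all reads share what is left of a single `timeout`.
        budget = timeout - elapsed if per_record_deadline else timeout
        if wait > budget:
            return ("timeout", elapsed + budget, len(buf))
        elapsed += wait
        buf += data
        if is_complete(buf):
            return ("ok", elapsed, len(buf))
    return ("eof", elapsed, len(buf))


def smtp_line_done(buf):
    return buf.endswith(b"\r\n")


def tls_message_done(buf):
    return len(buf) >= 16 * 1024          # the 16 kbyte message from the note


# Constructed peer 1: trickles an SMTP response one byte every 4 seconds.
SMTP_REPLY = b"250 2.0.0 Ok: queued\r\n"
TRICKLE = [(4, bytes([b])) for b in SMTP_REPLY]

# Constructed peer 2: an honest but slow link, 1024 bytes per second.
SLOW_TLS = [(1, b"\x00" * 1024) for _ in range(16)]


def scenarios():
    """Run both peers under both behaviours and return the outcomes."""
    return {
        "trickle, per call": receive(TRICKLE, 5, smtp_line_done, False),
        "trickle, per record": receive(TRICKLE, 5, smtp_line_done, True),
        "slow TLS, per call": receive(SLOW_TLS, 10, tls_message_done, False),
        "slow TLS, per record": receive(SLOW_TLS, 10, tls_message_done, True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-22s %s" % (name, result))
```

       The trickling peer holds the per-call client for 88 seconds on one
       response line but is cut off after 5 seconds with a per-record
       deadline; the same deadline also cuts off the slow but honest TLS
       peer, which is the trade-off the note describes.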

smtp_pix_workaround_delay_time (default: 10s)

       How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
       order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.

       Choosing too short a time makes this workaround ineffective when
       sending large messages over slow network connections.

smtp_pix_workaround_maps (default: empty)

       Lookup tables, indexed by the remote SMTP server address, with
       per-destination workarounds for CISCO PIX firewall bugs. The table is
       not indexed by hostname for consistency with
       smtp_discard_ehlo_keyword_address_maps.

       This feature is available in Postfix 2.4 and later.

smtp_pix_workaround_threshold_time (default: 500s)

5875       How long a message must be queued before the Postfix SMTP client  turns
5876       on  the  PIX  firewall  "<CR><LF>.<CR><LF>" bug workaround for delivery
5877       through firewalls with "smtp fixup" mode turned on.
5878
5879       By default, the workaround is turned off for mail that  is  queued  for
5880       less  than  500  seconds.  In  other  words, the workaround is normally
5881       turned off for the first delivery attempt.
5882
5883       Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
5884       upon the first delivery attempt.
5885

smtp_pix_workarounds (default: disable_esmtp, delay_dotcrlf)

5887       A  list  that specifies zero or more workarounds for CISCO PIX firewall
5888       bugs. These workarounds are implemented by  the  Postfix  SMTP  client.
5889       Workaround names are separated by comma or space, and are case insensi‐
5890       tive.  This parameter setting can  be  overruled  with  per-destination
5891       smtp_pix_workaround_maps settings.
5892
5893       delay_dotcrlf
5894              Insert  a  delay before sending ".<CR><LF>" after the end of the
5895              message content.  The delay is  subject  to  the  smtp_pix_work‐
5896              around_delay_time and smtp_pix_workaround_threshold_time parame‐
5897              ter settings.
5898
5899       disable_esmtp
5900              Disable all extended SMTP commands: send HELO instead of EHLO.
5901
5902       This feature is available in Postfix 2.4 and later.  The  default  set‐
5903       tings are backwards compatible with earlier Postfix versions.
5904

smtp_quit_timeout (default: 300s)

5906       The  Postfix  SMTP  client time limit for sending the QUIT command, and
5907       for receiving the remote SMTP server response.
5908
5909       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5910       The default time unit is s (seconds).
5911

smtp_quote_rfc821_envelope (default: yes)

5913       Quote  addresses  in Postfix SMTP client MAIL FROM and RCPT TO commands
5914       as required by RFC 5321. This includes putting quotes around an address
5915       localpart that ends in ".".
5916
5917       The  default  is to comply with RFC 5321. If you have to send mail to a
5918       broken SMTP server, configure a special SMTP client in master.cf:
5919
5920           /etc/postfix/master.cf:
5921               broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
5922
5923       and route mail for the destination in  question  to  the  "broken-smtp"
5924       message delivery with a transport(5) table.
5925
5926       This feature is available in Postfix 2.1 and later.
5927

smtp_randomize_addresses (default: yes)

5929       Randomize  the  order of equal-preference MX host addresses.  This is a
5930       performance feature of the Postfix SMTP client.
5931

smtp_rcpt_timeout (default: 300s)

5933       The Postfix SMTP client time limit for sending the SMTP  RCPT  TO  com‐
5934       mand, and for receiving the remote SMTP server response.
5935
5936       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
5937       The default time unit is s (seconds).
5938

smtp_reply_filter (default: empty)

5940       A mechanism to transform replies from remote SMTP servers one line at a
5941       time.   This  is  a last-resort tool to work around server replies that
5942       break inter-operability with  the  Postfix  SMTP  client.   Other  uses
5943       involve   fault   injection  to  test  Postfix's  handling  of  invalid
5944       responses.
5945
5946       Notes:
5947
5948       ·      In the case of a multi-line reply, the Postfix SMTP client  uses
5949              the  final  reply  line's numerical SMTP reply code and enhanced
5950              status code.
5951
5952       ·      The numerical SMTP reply code (XYZ) takes  precedence  over  the
5953              enhanced  status  code  (X.Y.Z).   When the enhanced status code
5954              initial digit differs from the SMTP reply code initial digit, or
5955              when no enhanced status code is present, the Postfix SMTP client
5956              uses a generic enhanced status code (X.0.0) instead.
5957
5958       Specify the name of a "type:table" lookup table. The search string is a
5959       single  SMTP reply line as received from the remote SMTP server, except
5960       that the trailing <CR><LF> are removed.  When the lookup succeeds,  the
5961       result replaces the single SMTP reply line.
5962
5963       Examples:
5964
5965       /etc/postfix/main.cf:
5966           smtp_reply_filter = pcre:/etc/postfix/reply_filter
5967
5968       /etc/postfix/reply_filter:
5969           # Transform garbage into "250-filler..." so that it looks like
5970           # one line from a multi-line reply. It does not matter what we
5971           # substitute here as long as it has the right syntax.  The Postfix
5972           # SMTP client will use the final line's numerical SMTP reply
5973           # code and enhanced status code.
5974           !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
5975
5976       This feature is available in Postfix 2.7.
5977
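       The following Python model is an added example, not Postfix code: it
       applies the reply_filter rule shown above to a constructed multi-line
       reply and then picks the reply code and enhanced status code the way
       the two notes describe. The function names and sample replies are
       assumptions made for illustration.

```python
import re

# The page's rule is "!/pattern/ replacement": a negated PCRE rule, so the
# replacement is used for lines that do NOT match the pattern.
VALID_REPLY = re.compile(r"^([2-5][0-9][0-9]($|[- ]))")
REPLACEMENT = "250-filler for garbage"

# Enhanced status code X.Y.Z (class 2, 4 or 5) at the start of the reply text.
ENHANCED = re.compile(r"^([245])\.\d{1,3}\.\d{1,3}$")

# Constructed sample: a middlebox injects a banner line into a 250 reply.
SAMPLE_REPLY = [
    "250-mail.example.com\r\n",
    "*** banner inserted by a middlebox ***\r\n",
    "250 2.1.0 Ok\r\n",
]


def apply_reply_filter(line):
    """Return one reply line as the SMTP client sees it after the filter."""
    line = line.rstrip("\r\n")  # the search string excludes the trailing <CR><LF>
    return line if VALID_REPLY.search(line) else REPLACEMENT


def effective_status(raw_lines):
    """Return (reply code, enhanced status code, filtered lines).

    Simplified model: the last element of raw_lines is treated as the final
    reply line. A real client keeps reading while a line has the "XYZ-" form.
    """
    lines = [apply_reply_filter(raw) for raw in raw_lines]
    final = lines[-1]
    code = final[:3]
    first_word = final[4:].split(" ", 1)[0]
    match = ENHANCED.match(first_word)
    if match and match.group(1) == code[0]:
        enhanced = first_word
    else:
        # Missing, or its class disagrees with the reply code: generic X.0.0.
        enhanced = code[0] + ".0.0"
    return int(code), enhanced, lines


if __name__ == "__main__":
    print(effective_status(SAMPLE_REPLY))
    print(effective_status(["550 4.7.1 rejected\r\n"])[:2])
```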

smtp_rset_timeout (default: 20s)

5979       The  Postfix  SMTP  client time limit for sending the RSET command, and
5980       for receiving the remote SMTP server response. The  SMTP  client  sends
5981       RSET  in order to finish a recipient address probe, or to verify that a
5982       cached session is still usable.
5983
5984       This feature is available in Postfix 2.1 and later.
5985

smtp_sasl_auth_cache_name (default: empty)

5987       An optional table to prevent repeated SASL authentication failures with
5988       the same remote SMTP server hostname, username and password. Each table
5989       (key, value) pair contains a server name, a username and password,  and
5990       the full server response. This information is stored when a remote SMTP
5991       server rejects an authentication attempt with a  535  reply  code.   As
5992       long as the smtp_sasl_password_maps information does not change, and as
5993       long as the smtp_sasl_auth_cache_name information does not expire  (see
5994       smtp_sasl_auth_cache_time)  the Postfix SMTP client avoids SASL authen‐
5995       tication attempts with the same  server,  username  and  password,  and
5996       instead    bounces    or   defers   mail   as   controlled   with   the
5997       smtp_sasl_auth_soft_bounce configuration parameter.
5998
5999       Use  a  per-destination  delivery  concurrency  of  1   (for   example,
6000       "smtp_destination_concurrency_limit  =  1",  "relay_destination_concur‐
6001       rency_limit = 1", etc.), otherwise multiple delivery agents may experi‐
6002       ence a login failure at the same time.
6003
6004       The  table  must  be  accessed via the proxywrite service, i.e. the map
6005       name must start with "proxy:". The table should  be  stored  under  the
6006       directory specified with the data_directory parameter.
6007
6008       This  feature  uses  cryptographic  hashing to protect plain-text pass‐
6009       words, and requires that Postfix is compiled with TLS support.
6010
6011       Example:
6012
6013       smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
6014
6015       This feature is available in Postfix 2.5 and later.
6016

smtp_sasl_auth_cache_time (default: 90d)

6018       The maximal age of an  smtp_sasl_auth_cache_name  entry  before  it  is
6019       removed.
6020
6021       This feature is available in Postfix 2.5 and later.
6022

smtp_sasl_auth_enable (default: no)

6024       Enable SASL authentication in the Postfix SMTP client.  By default, the
6025       Postfix SMTP client uses no authentication.
6026
6027       Example:
6028
6029       smtp_sasl_auth_enable = yes
6030

smtp_sasl_auth_soft_bounce (default: yes)

6032       When a remote SMTP server rejects a SASL authentication request with  a
6033       535  reply code, defer mail delivery instead of returning mail as unde‐
6034       liverable. The latter behavior was hard-coded prior to Postfix  version
6035       2.5.
6036
6037       Note: the setting "yes" overrides the global soft_bounce parameter, but
6038       the setting "no" does not.
6039
6040       Example:
6041
6042       # Default as of Postfix 2.5
6043       smtp_sasl_auth_soft_bounce = yes
6044       # The old hard-coded default
6045       smtp_sasl_auth_soft_bounce = no
6046
6047       This feature is available in Postfix 2.5 and later.
6048

smtp_sasl_mechanism_filter (default: empty)

6050       If non-empty, a Postfix SMTP client filter for the remote SMTP server's
6051       list of offered SASL mechanisms.  Different client and server implemen‐
6052       tations may support different mechanism lists; by default, the  Postfix
6053       SMTP  client  will  use  the  intersection of the two. smtp_sasl_mecha‐
6054       nism_filter specifies an optional third  mechanism  list  to  intersect
6055       with.
6056
6057       Specify  mechanism  names, "/file/name" patterns or "type:table" lookup
6058       tables.  The  right-hand  side  result  from  "type:table"  lookups  is
6059       ignored.  Specify "!pattern" to exclude a mechanism name from the list.
6060       The form "!/file/name" is supported only in  Postfix  version  2.4  and
6061       later.
6062
6063       This feature is available in Postfix 2.2 and later.
6064
6065       Examples:
6066
6067       smtp_sasl_mechanism_filter = plain, login
6068       smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
6069       smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
6070

smtp_sasl_password_maps (default: empty)

6072       Optional  Postfix  SMTP client lookup tables with one username:password
6073       entry per remote hostname or domain, or  sender  address  when  sender-
6074       dependent  authentication is enabled.  If no username:password entry is
6075       found, then the Postfix SMTP client will not attempt to authenticate to
6076       the remote host.
6077
6078       The  Postfix  SMTP client opens the lookup table before going to chroot
6079       jail, so you can leave the password file in /etc/postfix.
6080

smtp_sasl_path (default: empty)

6082       Implementation-specific information that the Postfix SMTP client passes
6083       through  to  the  SASL  plug-in  implementation  that  is selected with
6084       smtp_sasl_type.  Typically this specifies the name of  a  configuration
6085       file or rendezvous point.
6086
6087       This feature is available in Postfix 2.3 and later.
6088

smtp_sasl_security_options (default: noplaintext, noanonymous)

6090       Postfix  SMTP  client SASL security options; as of Postfix 2.3 the list
6091       of available features depends on the SASL client implementation that is
6092       selected with smtp_sasl_type.
6093
6094       The  following  security features are defined for the cyrus client SASL
6095       implementation:
6096
6097       Specify zero or more of the following:
6098
6099       noplaintext
6100              Disallow methods that use plaintext passwords.
6101
6102       noactive
6103              Disallow methods subject to active (non-dictionary) attack.
6104
6105       nodictionary
6106              Disallow methods subject to passive (dictionary) attack.
6107
6108       noanonymous
6109              Disallow methods that allow anonymous authentication.
6110
6111       mutual_auth
6112              Only allow  methods  that  provide  mutual  authentication  (not
6113              available with SASL version 1).
6114
6115       Example:
6116
6117       smtp_sasl_security_options = noplaintext
6118

smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)

6120       The  SASL  authentication security options that the Postfix SMTP client
6121       uses for TLS encrypted SMTP sessions.
6122
6123       This feature is available in Postfix 2.2 and later.
6124

smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_security_options)

6127       The  SASL  authentication security options that the Postfix SMTP client
6128       uses for TLS encrypted SMTP sessions with a  verified  server  certifi‐
6129       cate.
6130
6131       When  mail  is  sent  to the public MX host for the recipient's domain,
6132       server certificates are by default optional, and delivery proceeds even
6133       if  certificate  verification fails. For delivery via a submission ser‐
6134       vice that requires SASL authentication, it may be appropriate  to  send
6135       plaintext  passwords only when the connection to the server is strongly
6136       encrypted and the server identity is verified.
6137
6138       The smtp_sasl_tls_verified_security_options parameter makes it possible
6139       to  only  enable  plaintext  mechanisms when a secure connection to the
6140       server is available. Submission servers subject  to  this  policy  must
6141       either  have  verifiable  certificates  or offer suitable non-plaintext
6142       SASL mechanisms.
6143
6144       This feature is available in Postfix 2.6 and later.
6145
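       The following Python model is an added example, not Postfix code: it
       shows how the three *_security_options parameters inherit from each
       other by default, and which offered mechanisms remain usable on a
       cleartext, TLS, or verified-TLS session. The mechanism table and the
       two sample configurations are constructed, and only "noplaintext" and
       "noanonymous" are modelled.

```python
import re

# Defaults as listed on this page; "$name" means "inherit that parameter".
DEFAULTS = {
    "smtp_sasl_security_options": "noplaintext, noanonymous",
    "smtp_sasl_tls_security_options": "$smtp_sasl_security_options",
    "smtp_sasl_tls_verified_security_options": "$smtp_sasl_tls_security_options",
}

# Constructed mechanism table (assumption of this model): which mechanisms
# send a plaintext password and which allow anonymous authentication.
MECH_PROPS = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "CRAM-MD5": set(),
    "ANONYMOUS": {"anonymous"},
}

# Only the two options in the page's default value are modelled.
OPTION_BANS = {"noplaintext": "plaintext", "noanonymous": "anonymous"}

# Constructed configurations. WEAK permits plaintext passwords on every
# session type, because the TLS parameters inherit the relaxed value.
WEAK_CONFIG = {"smtp_sasl_security_options": "noanonymous"}
# HARDENED keeps the defaults and relaxes only the verified-TLS case.
HARDENED_CONFIG = {"smtp_sasl_tls_verified_security_options": "noanonymous"}


def resolve(config, name):
    """Return the option set for a parameter, following whole-value $refs."""
    merged = dict(DEFAULTS, **config)
    value, seen = merged[name].strip(), {name}
    while value.startswith("$"):
        ref = value[1:]
        if ref in seen or ref not in merged:
            raise ValueError("cannot expand $%s" % ref)
        seen.add(ref)
        value = merged[ref].strip()
    return {opt.lower() for opt in re.split(r"[,\s]+", value) if opt}


def session_parameter(tls, verified):
    """Pick the parameter that governs a session in the given state."""
    if tls and verified:
        return "smtp_sasl_tls_verified_security_options"
    if tls:
        return "smtp_sasl_tls_security_options"
    return "smtp_sasl_security_options"


def usable_mechanisms(config, offered, tls=False, verified=False):
    """Filter the server's offered mechanisms by the applicable options."""
    options = resolve(config, session_parameter(tls, verified))
    banned = {OPTION_BANS[o] for o in options if o in OPTION_BANS}
    return [m for m in offered
            if m.upper() in MECH_PROPS and not MECH_PROPS[m.upper()] & banned]


if __name__ == "__main__":
    offered = ["PLAIN", "LOGIN", "CRAM-MD5"]
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for tls, verified in ((False, False), (True, False), (True, True)):
            print(label, tls, verified,
                  usable_mechanisms(cfg, offered, tls, verified))
```

       With the hardened configuration, a submission server that offers
       only PLAIN and LOGIN yields no usable mechanism until its
       certificate verifies, which is the policy the text above describes.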

smtp_sasl_type (default: cyrus)

6147       The SASL plug-in type that the  Postfix  SMTP  client  should  use  for
6148       authentication.   The available types are listed with the "postconf -A"
6149       command.
6150
6151       This feature is available in Postfix 2.3 and later.
6152

smtp_send_dummy_mail_auth (default: no)

6154       Whether or not to append the "AUTH=<>" option to the MAIL FROM  command
6155       in  SASL-authenticated  SMTP sessions. The default is not to send this,
6156       to avoid problems with broken remote SMTP servers.  Before Postfix  2.9
6157       the behavior is as if "smtp_send_dummy_mail_auth = yes".
6158
6159       This feature is available in Postfix 2.9 and later.
6160

smtp_send_xforward_command (default: no)

6162       Send  the  non-standard  XFORWARD  command when the Postfix SMTP server
6163       EHLO response announces XFORWARD support.
6164
6165       This allows a Postfix SMTP delivery agent, used for injecting mail into
6166       a  content filter, to forward the name, address, protocol and HELO name
6167       of the original client to the content  filter  and  downstream  queuing
6168       SMTP   server.  This  can  produce  more  useful  logging  than  local‐
6169       host[127.0.0.1] etc.
6170
6171       This feature is available in Postfix 2.1 and later.
6172

smtp_sender_dependent_authentication (default: no)

6174       Enable sender-dependent authentication in the Postfix SMTP client; this
6175       is  available  only with SASL authentication, and disables SMTP connec‐
6176       tion caching to ensure that mail from different senders  will  use  the
6177       appropriate credentials.
6178
6179       This feature is available in Postfix 2.3 and later.
6180

smtp_skip_4xx_greeting (default: yes)

6182       Skip SMTP servers that greet with a 4XX status code (go away, try again
6183       later).
6184
6185       By default, the Postfix SMTP client moves on to the next mail exchanger.
6186       Specify  "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
6187       immediately.
6188
6189       This feature is available in Postfix 2.0 and  earlier.   Later  Postfix
6190       versions  always  skip remote SMTP servers that greet with a 4XX status
6191       code.
6192

smtp_skip_5xx_greeting (default: yes)

6194       Skip remote SMTP servers that greet with a 5XX status code (go away, do
6195       not try again later).
6196
6197       By default, the Postfix SMTP client moves on to the next mail exchanger.
6198       Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
6199       immediately.  The default setting is incorrect, but it is what a lot of
6200       people expect to happen.
6201

smtp_skip_quit_response (default: yes)

6203       Do not wait for the response to the SMTP QUIT command.
6204

smtp_starttls_timeout (default: 300s)

6206       Time limit for Postfix SMTP client write and read operations during TLS
6207       startup and shutdown handshake procedures.
6208
6209       This feature is available in Postfix 2.2 and later.
6210

smtp_tls_CAfile (default: empty)

6212       A  file  containing  CA certificates of root CAs trusted to sign either
6213       remote SMTP server certificates or intermediate CA certificates.  These
6214       are  loaded  into  memory  before  the smtp(8) client enters the chroot
6215       jail.  If  the  number  of  trusted  roots  is  large,  consider  using
6216       smtp_tls_CApath  instead,  but  note  that the latter directory must be
6217       present in the chroot jail if the smtp(8) client is chrooted. This file
6218       may  also be used to augment the client certificate trust chain, but it
6219       is  best  to  include  all  the  required  certificates   directly   in
6220       $smtp_tls_cert_file.
6221
6222       Specify  "smtp_tls_CAfile  =  /path/to/system_CA_file"  to use ONLY the
6223       system-supplied default certificate authority certificates.
6224
6225       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
6226       the system-supplied default CAs and trusting third-party certificates.
6227
6228       Example:
6229
6230       smtp_tls_CAfile = /etc/postfix/CAcert.pem
6231
6232       This feature is available in Postfix 2.2 and later.
6233

smtp_tls_CApath (default: empty)

6235       Directory  with  PEM format certificate authority certificates that the
6236       Postfix SMTP client uses to verify a remote  SMTP  server  certificate.
6237       Don't  forget  to  create the necessary "hash" links with, for example,
6238       "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
6239
6240       To use this option in chroot mode, this directory (or a copy)  must  be
6241       inside the chroot jail.
6242
6243       Specify  "smtp_tls_CApath  =  /path/to/system_CA_directory" to use ONLY
6244       the system-supplied default certificate authority certificates.
6245
6246       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
6247       the system-supplied default CAs and trusting third-party certificates.
6248
6249       Example:
6250
6251       smtp_tls_CApath = /etc/postfix/certs
6252
6253       This feature is available in Postfix 2.2 and later.
6254

smtp_tls_block_early_mail_reply (default: no)

6256       Try  to detect a mail hijacking attack based on a TLS protocol vulnera‐
6257       bility (CVE-2009-3555), where  an  attacker  prepends  malicious  HELO,
6258       MAIL,  RCPT,  DATA  commands to a Postfix SMTP client TLS session.  The
6259       attack would succeed with non-Postfix SMTP servers that  reply  to  the
6260       malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix
6261       SMTP client TLS session.
6262
6263       This feature is available in Postfix 2.7.
6264

smtp_tls_cert_file (default: empty)

6266       File with the Postfix SMTP client RSA certificate in PEM format.   This
6267       file  may  also  contain  the  Postfix SMTP client private RSA key, and
6268       these may be the same as the Postfix SMTP server  RSA  certificate  and
6269       key file.
6270
6271       Do not configure client certificates unless you must present client TLS
6272       certificates to one or more servers. Client certificates are  not  usu‐
6273       ally  needed,  and  can cause problems in configurations that work well
6274       without them. The recommended setting is to let the defaults stand:
6275
6276           smtp_tls_cert_file =
6277           smtp_tls_key_file =
6278           smtp_tls_dcert_file =
6279           smtp_tls_dkey_file =
6280           smtp_tls_eccert_file =
6281           smtp_tls_eckey_file =
6282
6283       The best way to use the default settings is to comment  out  the  above
6284       parameters in main.cf if present.
6285
6286       To  enable  remote  SMTP servers to verify the Postfix SMTP client cer‐
6287       tificate, the issuing CA certificates must be  made  available  to  the
6288       server. You should include the required certificates in the client cer‐
6289       tificate file, the client certificate first,  then  the  issuing  CA(s)
6290       (bottom-up order).
6291
6292       Example: the certificate for "client.example.com" was issued by "inter‐
6293       mediate CA" which itself has a certificate issued by "root CA".  Create
6294       the  client.pem  file  with  "cat  client_cert.pem  intermediate_CA.pem
6295       root_CA.pem > client.pem".
6296
6297       If you also want to verify remote SMTP server  certificates  issued  by
6298       these  CAs,  you can add the CA certificates to the smtp_tls_CAfile, in
6299       which case it is not necessary to have them in the  smtp_tls_cert_file,
6300       smtp_tls_dcert_file or smtp_tls_eccert_file.
6301
6302       A certificate supplied here must be usable as an SSL client certificate
6303       and hence pass the "openssl verify -purpose sslclient ..." test.
6304
6305       Example:
6306
6307       smtp_tls_cert_file = /etc/postfix/client.pem
6308
6309       This feature is available in Postfix 2.2 and later.
6310

smtp_tls_cipherlist (default: empty)

6312       Obsolete Postfix < 2.3 control for the Postfix SMTP client  TLS  cipher
6313       list. As this feature applies to all TLS security levels, it is easy to
6314       create inter-operability problems  by  choosing  a  non-default  cipher
6315       list.  Do  not  use a non-default TLS cipher list on hosts that deliver
6316       email to the public Internet: you will  be  unable  to  send  email  to
6317       servers  that  only support the ciphers you exclude. Using a restricted
6318       cipher list may be more appropriate for an internal MTA, where one  can
6319       exert  some  control  over  the  TLS  software and settings of the peer
6320       servers.
6321
6322       Note: do not use "" quotes around the parameter value.
6323
6324       This feature is available in Postfix version 2.2. It is not  used  with
6325       Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
6326

smtp_tls_ciphers (default: export)

6328       The minimum TLS cipher grade that the Postfix SMTP client will use with
6329       opportunistic    TLS    encryption.    Cipher    types    listed     in
6330       smtp_tls_exclude_ciphers  are  excluded from the base definition of the
6331       selected cipher grade.  The  default  value  "export"  ensures  maximum
6332       inter-operability.  Because  encryption  is optional, stronger controls
6333       are not appropriate, and this setting SHOULD NOT be changed unless  the
6334       change is essential.
6335
6336       When   TLS   is   mandatory   the   cipher  grade  is  chosen  via  the
6337       smtp_tls_mandatory_ciphers configuration parameter, see there for  syn‐
6338       tax details. See smtp_tls_policy_maps for information on how to config‐
6339       ure ciphers on a per-destination basis.
6340
6341       Example:
6342       smtp_tls_ciphers = export
6343
6344       This feature is available in Postfix 2.6 and later. With earlier  Post‐
6345       fix  releases  only  the smtp_tls_mandatory_ciphers parameter is imple‐
6346       mented, and opportunistic TLS always uses "export" or better (i.e. all)
6347       ciphers.
6348

smtp_tls_dcert_file (default: empty)

6350       File  with the Postfix SMTP client DSA certificate in PEM format.  This
6351       file may also contain the Postfix SMTP client private DSA key.
6352
6353       See the discussion under smtp_tls_cert_file for more details.
6354
6355       Example:
6356
6357       smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
6358
6359       This feature is available in Postfix 2.2 and later.
6360

smtp_tls_dkey_file (default: $smtp_tls_dcert_file)

6362       File with the Postfix SMTP client DSA private key in PEM format.   This
6363       file  may be combined with the Postfix SMTP client DSA certificate file
6364       specified with $smtp_tls_dcert_file.
6365
6366       The private key must be accessible without a pass-phrase, i.e. it  must
6367       not be encrypted. File permissions should grant read-only access to the
6368       system superuser account ("root"), and no access to anyone else.
6369
6370       This feature is available in Postfix 2.2 and later.
6371

smtp_tls_eccert_file (default: empty)

6373       File with the Postfix SMTP client  ECDSA  certificate  in  PEM  format.
6374       This file may also contain the Postfix SMTP client ECDSA private key.
6375
6376       See the discussion under smtp_tls_cert_file for more details.
6377
6378       Example:
6379
6380       smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
6381
6382       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
6383       compiled and linked with OpenSSL 1.0.0 or later.
6384

smtp_tls_eckey_file (default: $smtp_tls_eccert_file)

6386       File with the Postfix SMTP client ECDSA  private  key  in  PEM  format.
6387       This  file  may be combined with the Postfix SMTP client ECDSA certifi‐
6388       cate file specified with $smtp_tls_eccert_file.
6389
6390       The private key must be accessible without a pass-phrase, i.e. it  must
6391       not be encrypted. File permissions should grant read-only access to the
6392       system superuser account ("root"), and no access to anyone else.
6393
6394       This feature is available in Postfix 2.6 and  later,  when  Postfix  is
6395       compiled and linked with OpenSSL 1.0.0 or later.
6396

smtp_tls_enforce_peername (default: yes)

6398       With  mandatory  TLS  encryption,  require  that the remote SMTP server
6399       hostname matches the information in the remote SMTP server certificate.
6400       As  of  RFC 2487 the requirements for hostname checking for MTA clients
6401       are not specified.
6402
6403       This option can be set to "no" to disable strict  peer  name  checking.
6404       This  setting  has  no  effect  on sessions that are controlled via the
6405       smtp_tls_per_site table.
6406
6407       Disabling hostname verification can make sense in a closed  environment
6408       where special CAs are created.  If not used carefully, this option cre‐
6409       ates the risk of a "man-in-the-middle" attack (the CommonName  of  this
6410       attacker will be logged).
6411
6412       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
6413       and later use smtp_tls_security_level instead.
6414

smtp_tls_exclude_ciphers (default: empty)

6416       List of ciphers or cipher types to exclude from the Postfix SMTP client
6417       cipher  list  at  all  TLS  security  levels.  This  is  not an OpenSSL
6418       cipherlist, it is a simple list separated by whitespace and/or  commas.
6419       The  elements  are a single cipher, or one or more "+" separated cipher
6420       properties, in which case only ciphers matching all the properties  are
6421       excluded.
6422
6423       Examples (some of these will cause problems):
6424
6425           smtp_tls_exclude_ciphers = aNULL
6426           smtp_tls_exclude_ciphers = MD5, DES
6427           smtp_tls_exclude_ciphers = DES+MD5
6428           smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
6429           smtp_tls_exclude_ciphers = kEDH+aRSA
6430
6431       The first setting disables anonymous ciphers. The next setting disables
6432       ciphers that use the MD5 digest algorithm  or  the  (single)  DES
6433       encryption  algorithm.  The  next setting disables ciphers that use MD5
6434       and  DES  together.   The  next  setting  disables  the   two   ciphers
6435       "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
6436       use "EDH" key exchange with RSA authentication.
6437
6438       This feature is available in Postfix 2.3 and later.
6439

smtp_tls_fingerprint_cert_match (default: empty)

6441       List of acceptable remote SMTP server certificate fingerprints for  the
6442       "fingerprint"  TLS  security  level  (smtp_tls_security_level = finger‐
6443       print). At this security level, certificate authorities are  not  used,
6444       and  certificate expiration times are ignored. Instead, server certifi‐
6445       cates are verified directly via their certificate fingerprint or public
6446       key  fingerprint  (Postfix 2.9 and later). The fingerprint is a message
6447       digest of the server certificate (or public key). The digest  algorithm
6448       is selected via the smtp_tls_fingerprint_digest parameter.
6449
6450       When  an  smtp_tls_policy_maps  table entry specifies the "fingerprint"
6451       security level, any "match" attributes in that entry specify  the  list
6452       of  valid fingerprints for the corresponding destination. Multiple fin‐
6453       gerprints can be combined with  a  "|"  delimiter  in  a  single  match
6454       attribute, or multiple match attributes can be employed.
6455
6456       Example:  Certificate  fingerprint  verification with internal mailhub.
6457       Two matching fingerprints are listed. The  relayhost  may  be  multiple
6458       physical hosts behind a load-balancer, each with its own private/public
6459       key and self-signed certificate. Alternatively, a single relayhost  may
6460       be  in  the process of switching from one set of private/public keys to
6461       another, and both keys are trusted just prior to the transition.
6462
6463           relayhost = [mailhub.example.com]
6464           smtp_tls_security_level = fingerprint
6465           smtp_tls_fingerprint_digest = md5
6466           smtp_tls_fingerprint_cert_match =
6467               3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
6468               EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
6469
6470       Example: Certificate fingerprint verification  with  selected  destina‐
6471       tions.  As in the example above, we show two matching fingerprints:
6472
6473           /etc/postfix/main.cf:
6474               smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
6475               smtp_tls_fingerprint_digest = md5
6476
6477           /etc/postfix/tls_policy:
6478               example.com     fingerprint
6479                   match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
6480                   match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
6481
6482       This feature is available in Postfix 2.5 and later.
6483
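       The following Python check is an added example, not Postfix code: it
       computes a certificate fingerprint the way the text describes (a
       digest of the DER certificate), parses the "match" attributes of a
       tls_policy entry including the "|" form, and flags listed
       fingerprints whose length cannot fit smtp_tls_fingerprint_digest. The
       sample certificate is constructed placeholder bytes, and splitting
       attributes on whitespace or commas is an assumption of this sketch.

```python
import base64
import hashlib
import re

DIGEST_BYTES = {"md5": 16, "sha1": 20}  # the two algorithms the page lists

# Constructed stand-in for a DER certificate (not a real certificate); the
# fingerprint is a digest over whatever DER bytes the PEM block carries.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

# Right-hand side of the page's tls_policy entry for example.com.
PAGE_POLICY_RHS = """fingerprint
    match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35"""


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    found = re.search(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
        pem_text, re.S)
    if found is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(found.group(1).split()))


def cert_fingerprint(der, digest):
    """Digest of the DER certificate as colon-separated upper-case hex."""
    if digest not in DIGEST_BYTES:
        raise ValueError("unsupported digest: %s" % digest)
    raw = hashlib.new(digest, der).digest()
    return ":".join("%02X" % byte for byte in raw)


def parse_match_values(text):
    """Split a fingerprint list on whitespace, commas and '|'."""
    return [fp.upper() for fp in re.split(r"[\s,|]+", text) if fp]


def parse_policy_entry(rhs):
    """Return (security level, fingerprints) for a tls_policy right-hand side."""
    tokens = [tok for tok in re.split(r"[\s,]+", rhs.strip()) if tok]
    if not tokens:
        raise ValueError("empty policy entry")
    fingerprints = []
    for token in tokens[1:]:
        name, _, value = token.partition("=")
        if name == "match":
            fingerprints.extend(parse_match_values(value))
    return tokens[0], fingerprints


def wrong_length(fingerprints, digest):
    """Fingerprints that can never match because of their length."""
    return [fp for fp in fingerprints
            if len(fp.split(":")) != DIGEST_BYTES[digest]]


def cert_matches(pem_text, fingerprints, digest):
    """True if the certificate's fingerprint is in the accepted list."""
    actual = cert_fingerprint(pem_to_der(pem_text), digest)
    return actual in {fp.strip().upper() for fp in fingerprints}


if __name__ == "__main__":
    level, accepted = parse_policy_entry(PAGE_POLICY_RHS)
    print(level, accepted)
    print("sample matches:", cert_matches(SAMPLE_PEM, accepted, "md5"))
    print("unusable with sha1:", wrong_length(accepted, "sha1"))
```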

smtp_tls_fingerprint_digest (default: md5)

6485       The  message digest algorithm used to construct remote SMTP server cer‐
6486       tificate  fingerprints.  At  the  "fingerprint"  TLS   security   level
6487       (smtp_tls_security_level = fingerprint), the server certificate is ver‐
6488       ified by directly matching its certificate fingerprint  or  its  public
6489       key fingerprint (Postfix 2.9 and later). The fingerprint is the message
6490       digest of the server certificate (or its public key) using the selected
6491       algorithm.  With  a  digest  algorithm  resistant to "second pre-image"
6492       attacks, it is not feasible to create a new public key and  a  matching
6493       certificate (or public/private key-pair) that has the same fingerprint.
6494
6495       The  default  algorithm  is  md5; this is consistent with the backwards
6496       compatible setting of the digest used to verify client certificates  in
6497       the SMTP server.
6498
6499       The  best practice algorithm is now sha1. Recent advances in hash func‐
6500       tion cryptanalysis have led to md5 being deprecated in favor  of  sha1.
6501       However,  as  long  as  there  are  no known "second pre-image" attacks
6502       against md5, its use in this context can still be considered safe.
6503
6504       While additional digest algorithms are often available  with  OpenSSL's
6505       libcrypto, only those used by libssl in SSL cipher suites are available
6506       to Postfix. For now this means just md5 or sha1.
6507
6508       To find the fingerprint of a specific certificate file, with a specific
6509       digest algorithm, run:
6510
           $ openssl x509 -noout -fingerprint -digest -in certfile.pem
6512
6513       The  text  to  the  right  of "=" sign is the desired fingerprint.  For
6514       example:
6515
           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
6518
6519       To extract the public key fingerprint from an  X.509  certificate,  you
6520       need  to  extract  the  public key from the certificate and compute the
6521       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
6522       key"  option  of  the  "x509" command extracts the public key always in
6523       "PEM" format. We pipe the result to another OpenSSL command  that  con‐
6524       verts the key to DER and then to the "dgst" command to compute the fin‐
6525       gerprint.
6526
6527       The actual command to transform the key to DER format  depends  on  the
6528       version  of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
6529       mand supports all key types. With OpenSSL 0.9.8 and  earlier,  the  key
6530       type  is  always  RSA  (nobody uses DSA, and EC keys are not fully sup‐
6531       ported by 0.9.8), so the "rsa" command is used.
6532
           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
           $ openssl x509 -in cert.pem -noout -pubkey |
               openssl pkey -pubin -outform DER |
               openssl dgst -sha1 -c
           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58

           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
           $ openssl x509 -in cert.pem -noout -pubkey |
               openssl rsa -pubin -outform DER |
               openssl dgst -md5 -c
           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
6544
6545       The Postfix SMTP server and client log the peer (leaf) certificate fin‐
6546       gerprint  and  public  key  fingerprint  when  the TLS loglevel is 2 or
6547       higher.
6548
       Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint
       incorrectly.  To  use public-key fingerprints, upgrade to Postfix 2.9.6
       or later.
6552
6553       This feature is available in Postfix 2.5 and later.
6554

smtp_tls_key_file (default: $smtp_tls_cert_file)

6556       File with the Postfix SMTP client RSA private key in PEM format.   This
6557       file  may be combined with the Postfix SMTP client RSA certificate file
6558       specified with $smtp_tls_cert_file.
6559
6560       The private key must be accessible without a pass-phrase, i.e. it  must
6561       not be encrypted. File permissions should grant read-only access to the
6562       system superuser account ("root"), and no access to anyone else.
6563
6564       Example:
6565
       smtp_tls_key_file = $smtp_tls_cert_file
6567
6568       This feature is available in Postfix 2.2 and later.
6569

smtp_tls_loglevel (default: 0)

6571       Enable additional Postfix SMTP client logging of  TLS  activity.   Each
6572       logging  level  also includes the information that is logged at a lower
6573       logging level.
6574
              0 Log only a summary message on TLS handshake completion --
              no logging of remote SMTP server certificate trust-chain verifi‐
              cation  errors  if  server  certificate  verification   is   not
              required.   With Postfix 2.8 and earlier, disable logging of TLS
              activity.
6580
6581              1 Also log remote SMTP server  trust-chain  verification  errors
6582              and  peer  certificate summary information. With Postfix 2.8 and
6583              earlier, log TLS handshake and certificate information.
6584
6585              2 Also log levels during TLS negotiation.
6586
6587              3 Also  log  hexadecimal  and  ASCII  dump  of  TLS  negotiation
6588              process.
6589
6590              4  Also  log hexadecimal and ASCII dump of complete transmission
6591              after STARTTLS.
6592
6593       Do not use "smtp_tls_loglevel = 2" or higher except in  case  of  prob‐
6594       lems. Use of loglevel 4 is strongly discouraged.
6595
6596       This feature is available in Postfix 2.2 and later.
6597

smtp_tls_mandatory_ciphers (default: medium)

6599       The minimum TLS cipher grade that the Postfix SMTP client will use with
6600       mandatory TLS encryption.  The default value "medium" is  suitable  for
6601       most destinations with which you may want to enforce TLS, and is beyond
6602       the reach of today's cryptanalytic  methods.  See  smtp_tls_policy_maps
6603       for information on how to configure ciphers on a per-destination basis.
6604
6605       The following cipher grades are supported:
6606
6607       export Enable  "EXPORT"  grade  or better OpenSSL ciphers.  This is the
6608              default for opportunistic encryption. It is not recommended  for
6609              mandatory encryption unless you must enforce TLS with "crippled"
6610              peers.  The  underlying  cipherlist   is   specified   via   the
6611              tls_export_cipherlist  configuration  parameter,  which  you are
6612              strongly encouraged to not change.
6613
6614       low    Enable "LOW" grade or better OpenSSL ciphers.  This  setting  is
6615              only  appropriate  for  internal  mail  servers.  The underlying
6616              cipherlist is specified via the tls_low_cipherlist configuration
6617              parameter, which you are strongly encouraged to not change.
6618
6619       medium Enable "MEDIUM" grade or better OpenSSL ciphers.  The underlying
6620              cipherlist is specified via the tls_medium_cipherlist configura‐
6621              tion parameter, which you are strongly encouraged to not change.
6622
6623       high   Enable  only  "HIGH" grade OpenSSL ciphers.  This setting may be
6624              appropriate when all mandatory TLS destinations (e.g.  when  all
6625              mail is routed to a suitably capable relayhost) support at least
6626              one "HIGH" grade cipher. The underlying cipherlist is  specified
6627              via  the  tls_high_cipherlist configuration parameter, which you
6628              are strongly encouraged to not change.
6629
6630       null   Enable only the "NULL" OpenSSL ciphers, these provide  authenti‐
6631              cation  without encryption.  This setting is only appropriate in
6632              the rare case that all servers are prepared to use NULL  ciphers
6633              (not  normally  enabled in TLS servers). A plausible use-case is
6634              an LMTP server listening on a UNIX-domain socket that is config‐
6635              ured  to  support  "NULL"  ciphers. The underlying cipherlist is
6636              specified via the tls_null_cipherlist  configuration  parameter,
6637              which you are strongly encouraged to not change.
6638
6639       The  underlying cipherlists for grades other than "null" include anony‐
6640       mous ciphers, but these are automatically filtered out if  the  Postfix
6641       SMTP  client is configured to verify server certificates.  You are very
6642       unlikely to need to take any steps to exclude anonymous  ciphers,  they
6643       are excluded automatically as necessary.  If you must exclude anonymous
6644       ciphers at the "may" or "encrypt" security  levels,  when  the  Postfix
6645       SMTP   client   does   not   need   or   use   peer  certificates,  set
6646       "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous  ciphers  only
6647       when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
6648
6649       This feature is available in Postfix 2.3 and later.
6650

smtp_tls_mandatory_exclude_ciphers (default: empty)

6652       Additional  list of ciphers or cipher types to exclude from the Postfix
6653       SMTP client cipher list at mandatory TLS  security  levels.  This  list
6654       works     in     addition     to    the    exclusions    listed    with
6655       smtp_tls_exclude_ciphers (see there for syntax details).
6656
6657       Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
6658       ified   on  a  per-destination  basis  via  the  TLS  policy  "exclude"
6659       attribute. See smtp_tls_policy_maps for notes and examples.
6660
6661       This feature is available in Postfix 2.3 and later.
6662

smtp_tls_mandatory_protocols (default: !SSLv2)

       List of SSL/TLS protocols that the Postfix SMTP client  will  use  with
       mandatory  TLS  encryption.   In  main.cf  the  values are separated by
       whitespace, commas or colons. In the policy table "protocols" attribute
       (see  smtp_tls_policy_maps) the only valid separator is colon. An empty
       value means allow all protocols. The valid protocol names (see
       SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
6670
6671       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
6672       "TLSv1.2". If an older Postfix version is linked against OpenSSL  1.0.1
6673       or  later,  these, or any other new protocol versions, are uncondition‐
6674       ally enabled.
6675
6676       With Postfix >= 2.5 the parameter syntax is expanded to support  proto‐
6677       col  exclusions.  One  can  now  explicitly  exclude  SSLv2  by setting
6678       "smtp_tls_mandatory_protocols = !SSLv2".  To  exclude  both  SSLv2  and
6679       SSLv3  set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the
6680       protocols to include, rather than protocols to exclude,  is  supported,
6681       but not recommended. The exclusion form more closely matches the behav‐
6682       ior when the OpenSSL library is newer than Postfix.
6683
6684       Since SSL version 2 has known protocol weaknesses  and  is  now  depre‐
6685       cated,  the  default  setting  excludes  "SSLv2".   This  means that by
6686       default, SSL version 2 will not be used at the "encrypt" security level
6687       and higher.
6688
6689       See   the  documentation  of  the  smtp_tls_policy_maps  parameter  and
6690       TLS_README for more information about security levels.
6691
6692       Example:
6693
       # Preferred form with Postfix >= 2.5:
       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
       # Alternative form.
       smtp_tls_mandatory_protocols = TLSv1
6698
6699       This feature is available in Postfix 2.3 and later.
6700

smtp_tls_note_starttls_offer (default: no)

6702       Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
6703       is not already enabled for that server.
6704
6705       The logfile record looks like:
6706
       postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
6708
6709       This feature is available in Postfix 2.2 and later.
6710

smtp_tls_per_site (default: empty)

6712       Optional lookup tables with the Postfix SMTP client TLS usage policy by
6713       next-hop destination and by remote SMTP  server  hostname.   When  both
6714       lookups  succeed,  the  more specific per-site policy (NONE, MUST, etc)
6715       overrides the less specific one (MAY), and  the  more  secure  per-site
6716       policy  (MUST, etc) overrides the less secure one (NONE).  With Postfix
6717       2.3  and  later  smtp_tls_per_site   is   strongly   discouraged:   use
6718       smtp_tls_policy_maps instead.
6719
6720       Use  of  the bare hostname as the per-site table lookup key is discour‐
6721       aged. Always use the full destination nexthop (enclosed in  []  with  a
6722       possible  ":port"  suffix).  A recipient domain or MX-enabled transport
6723       next-hop with no port suffix may look like  a  bare  hostname,  but  is
6724       still a suitable destination.
6725
6726       Specify  a  next-hop  destination  or  server hostname on the left-hand
6727       side; no wildcards are allowed. The next-hop destination is either  the
6728       recipient  domain, or the destination specified with a transport(5) ta‐
6729       ble, the relayhost parameter, or the relay_transport parameter.  On the
6730       right hand side specify one of the following keywords:
6731
6732       NONE   Don't  use TLS at all. This overrides a less specific MAY lookup
6733              result from the alternate host or next-hop lookup key, and over‐
6734              rides    the    global   smtp_use_tls,   smtp_enforce_tls,   and
6735              smtp_tls_enforce_peername settings.
6736
6737       MAY    Try to use TLS if the server announces  support,  otherwise  use
6738              the unencrypted connection. This has less precedence than a more
6739              specific result (including NONE)  from  the  alternate  host  or
6740              next-hop  lookup key, and has less precedence than the more spe‐
6741              cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
6742              name = yes".
6743
6744       MUST_NOPEERMATCH
6745              Require  TLS encryption, but do not require that the remote SMTP
6746              server hostname matches  the  information  in  the  remote  SMTP
6747              server certificate, or that the server certificate was issued by
6748              a trusted CA. This overrides a less secure NONE or a  less  spe‐
6749              cific  MAY  lookup  result  from  the alternate host or next-hop
6750              lookup   key,   and   overrides   the    global    smtp_use_tls,
6751              smtp_enforce_tls and smtp_tls_enforce_peername settings.
6752
6753       MUST   Require  TLS  encryption,  require  that  the remote SMTP server
6754              hostname matches the information in the remote SMTP server  cer‐
6755              tificate,  and  require  that the remote SMTP server certificate
6756              was issued by a trusted CA. This overrides a  less  secure  NONE
6757              and  MUST_NOPEERMATCH  or a less specific MAY lookup result from
6758              the alternate host or next-hop lookup  key,  and  overrides  the
6759              global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
6760              name settings.
6761
6762       The above keywords correspond to the "none", "may", "encrypt" and "ver‐
6763       ify"  security  levels  for  the  new smtp_tls_security_level parameter
6764       introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
6765       of  how  the  policy  is  specified, the smtp_tls_mandatory_ciphers and
6766       smtp_tls_mandatory_protocols parameters apply when  TLS  encryption  is
6767       mandatory.  Connections  for  which  encryption  is  optional typically
6768       enable all "export" grade and better ciphers (see smtp_tls_ciphers  and
6769       smtp_tls_protocols).
6770
6771       As long as no secure DNS lookup mechanism is available, false hostnames
6772       in MX or CNAME responses can change the server  hostname  that  Postfix
6773       uses  for  TLS  policy lookup and server certificate verification. Even
6774       with a perfect match between the server hostname and  the  server  cer‐
6775       tificate,  there is no guarantee that Postfix is connected to the right
6776       server.  See TLS_README (Closing a DNS loophole with obsolete  per-site
6777       TLS policies) for a possible work-around.
6778
6779       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
6780       and later use smtp_tls_policy_maps instead.
6781

smtp_tls_policy_maps (default: empty)

6783       Optional lookup tables with the Postfix SMTP client TLS security policy
6784       by  next-hop  destination;  when  a  non-empty value is specified, this
6785       overrides the obsolete smtp_tls_per_site parameter.  See TLS_README for
6786       a more detailed discussion of TLS security levels.
6787
6788       The TLS policy table is indexed by the full next-hop destination, which
6789       is either the recipient domain, or the verbatim next-hop  specified  in
6790       the     transport    table,    $local_transport,    $virtual_transport,
6791       $relay_transport or $default_transport.  This  includes  any  enclosing
6792       square brackets and any non-default destination server port suffix. The
6793       LMTP socket type prefix (inet: or unix:) is not included in the  lookup
6794       key.
6795
6796       Only  the  next-hop  domain,  or $myhostname with LMTP over UNIX-domain
6797       sockets, is used as the nexthop name for certificate verification.  The
6798       port  and  any  enclosing  square brackets are used in the table lookup
6799       key, but are not used for server name verification.
6800
6801       When the lookup key is a domain name without enclosing square  brackets
6802       or  any  :port  suffix  (typically  the recipient domain), and the full
6803       domain is not found in the table, just as with the transport(5)  table,
6804       the  parent  domain starting with a leading "." is matched recursively.
6805       This allows one to specify a security policy for a recipient domain and
6806       all its sub-domains.
6807
6808       The  lookup result is a security level, followed by an optional list of
6809       whitespace and/or comma separated name=value attributes  that  override
6810       related  main.cf settings. The TLS security levels in order of increas‐
6811       ing security are:
6812
6813       none   No TLS. No additional attributes are supported at this level.
6814
6815       may    Opportunistic TLS. Since sending in  the  clear  is  acceptable,
6816              demanding  stronger  than  default  TLS  security merely reduces
6817              inter-operability. The optional "ciphers", "exclude" and "proto‐
6818              cols"  attributes  (available for opportunistic TLS with Postfix
6819              >=       2.6)       override       the       "smtp_tls_ciphers",
6820              "smtp_tls_exclude_ciphers"  and  "smtp_tls_protocols" configura‐
6821              tion parameters. When opportunistic TLS handshakes fail, Postfix
6822              retries  the  connection  with  TLS  disabled.  This allows mail
6823              delivery to sites with non-interoperable TLS implementations.
6824
6825       encrypt
6826              Mandatory TLS encryption. At this level and higher, the optional
6827              "protocols"  attribute  overrides  the  main.cf  smtp_tls_manda‐
6828              tory_protocols parameter, the optional "ciphers" attribute over‐
6829              rides  the main.cf smtp_tls_mandatory_ciphers parameter, and the
6830              optional "exclude" attribute  (Postfix  >=  2.6)  overrides  the
6831              main.cf  smtp_tls_mandatory_exclude_ciphers  parameter.  In  the
6832              policy table, multiple protocols or  excluded  ciphers  must  be
6833              separated  by colons, as attribute values may not contain white‐
6834              space or commas.
6835
6836       fingerprint
6837              Certificate fingerprint verification. Available with Postfix 2.5
6838              and later. At this security level, there are no trusted certifi‐
6839              cate authorities. The certificate trust chain, expiration  date,
6840              ...  are  not checked. Instead, the optional match attribute, or
6841              else  the  main.cf  smtp_tls_fingerprint_cert_match   parameter,
6842              lists the certificate fingerprints or the public key fingerprint
6843              (Postfix 2.9 and later) of the  valid  server  certificate.  The
6844              digest  algorithm  used to calculate the fingerprint is selected
6845              by the smtp_tls_fingerprint_digest parameter.  Multiple  finger‐
6846              prints  can  be  combined with a "|" delimiter in a single match
6847              attribute, or multiple match attributes can be employed. The ":"
6848              character  is  not used as a delimiter as it occurs between each
6849              pair of fingerprint (hexadecimal) digits.
6850
6851       verify Mandatory TLS verification.  At  this  security  level,  DNS  MX
6852              lookups  are  trusted to be secure enough, and the name verified
6853              in the server certificate is  usually  obtained  indirectly  via
6854              unauthenticated  DNS MX lookups.  The optional "match" attribute
6855              overrides the main.cf smtp_tls_verify_cert_match  parameter.  In
6856              the policy table, multiple match patterns and strategies must be
6857              separated by colons.  In practice explicit control over matching
6858              is more common with the "secure" policy, described below.
6859
       secure Secure-channel  TLS.  At  this  security  level, DNS MX lookups,
              though potentially used  to  determine  the  candidate  next-hop
              gateway  IP  addresses,  are not trusted to be secure enough for
              TLS peername verification. Instead, the default name verified in
              the  server  certificate is obtained directly from the next-hop,
              or is explicitly specified  via  the  optional  match  attribute
              which  overrides  the main.cf smtp_tls_secure_cert_match parame‐
              ter. In the policy table, multiple match patterns and strategies
              must be separated by colons.  The match attribute is most useful
              when multiple domains are supported by a common server: the
              policy entries for additional domains specify matching rules for
              the primary domain certificate. While transport table overrides
              routing  the secondary domains to the primary nexthop also allow
              secure verification, they risk delivery to the wrong destination
              when  domains  change  hands or are re-assigned to new gateways.
              With the "match" attribute approach, routing is  not  perturbed,
              and mail is deferred if verification of a new MX host fails.
6877
6878       Example:
6879
       /etc/postfix/main.cf:
           smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
           # Postfix 2.5 and later
           smtp_tls_fingerprint_digest = md5

       /etc/postfix/tls_policy:
           example.edu                 none
           example.mil                 may
           example.gov                 encrypt protocols=TLSv1
           example.com                 verify ciphers=high
           example.net                 secure
           .example.net                secure match=.example.net:example.net
           [mail.example.org]:587      secure match=nexthop
           # Postfix 2.5 and later
           [thumb.example.org]         fingerprint
               match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
               match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
6897
6898       Note:  The  hostname  strategy  if  listed  in a non-default setting of
6899       smtp_tls_secure_cert_match or in the match attribute in the policy  ta‐
6900       ble  can  render the secure level vulnerable to DNS forgery. Do not use
6901       the hostname strategy for secure-channel configurations in environments
6902       where DNS security is not assured.
6903
6904       This feature is available in Postfix 2.3 and later.
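
       The lookup and attribute rules above, as an added example (not part of
       the Postfix distribution): a small parser, next-hop lookup and lint pass
       for a tls_policy table. The function names and the legacy.example.com
       entry are hypothetical; the fingerprints are the ones printed on this page.

```python
"""Added example: parse, look up and lint a Postfix smtp_tls_policy_maps table."""
import re

LEVELS = ("none", "may", "encrypt", "fingerprint", "verify", "secure")
DIGEST_BYTES = {"md5": 16, "sha1": 20}   # the two digests this page lists

# Constructed sample table. legacy.example.com is a made-up entry that
# demonstrates the "hostname" caveat; the second thumb fingerprint is SHA-1.
SAMPLE_POLICY = """\
# next-hop              level and attributes
example.edu             none
example.mil             may
example.gov             encrypt protocols=TLSv1
.example.net            secure match=.example.net:example.net
[mail.example.org]:587  secure match=nexthop
legacy.example.com      secure match=hostname:nexthop
[thumb.example.org]     fingerprint
    match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    match=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
"""


def parse_policy(text):
    """Return {lookup_key: (level, [(attribute, value), ...])}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        parts = line.split(None, 1)
        # Attributes are separated by whitespace and/or commas.
        tokens = parts[1].replace(",", " ").split() if len(parts) > 1 else []
        level = tokens[0] if tokens else ""
        attrs = [t.partition("=")[::2] for t in tokens[1:]]
        table[parts[0].lower()] = (level, attrs)
    return table


def lookup(table, nexthop):
    """Find the entry for a next-hop: exact key first, then ".parent" keys."""
    key = nexthop.lower()
    if key in table:
        return key, table[key]
    if key.startswith("[") or ":" in key:
        return None             # bracketed or :port keys are matched verbatim
    name = key
    while "." in name[1:]:
        name = name[name.index(".", 1):]          # ".example.net", ".net"
        if name in table:
            return name, table[name]
    return None


def lint(table, digest="md5"):
    """Return [(key, message)] for settings this page warns about."""
    findings = []
    fp_re = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){%d}"
                       % (DIGEST_BYTES[digest] - 1))
    for key, (level, attrs) in table.items():
        if level not in LEVELS:
            findings.append((key, "unknown security level %r" % level))
            continue
        if level == "none" and attrs:
            findings.append((key, "attributes are not supported at level none"))
        for name, value in attrs:
            if name != "match":
                continue
            if level == "secure" and "hostname" in value.split(":"):
                findings.append((key, "hostname strategy makes the secure "
                                      "level depend on unauthenticated DNS"))
            if level == "fingerprint":
                for fp in value.split("|"):       # "|" joins fingerprints
                    if not fp_re.fullmatch(fp):
                        findings.append((key, "fingerprint %s is not a "
                                              "%s digest" % (fp, digest)))
    return findings


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for hop in ("mx.example.net", "example.net", "[mail.example.org]:587"):
        print(hop, "->", lookup(policy, hop))
    for key, message in lint(policy, digest="md5"):
        print("WARN", key, message)
```

       Note that ".example.net" covers sub-domains only; the bare domain
       needs its own "example.net" entry, as in the example table above.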
6905

smtp_tls_protocols (default: !SSLv2)

6907       List  of  TLS  protocols  that  the Postfix SMTP client will exclude or
6908       include with opportunistic TLS encryption. Starting with  Postfix  2.6,
6909       the Postfix SMTP client will by default not use the obsolete SSLv2 pro‐
6910       tocol.
6911
       In main.cf the values are separated by whitespace, commas or colons. In
       the policy table (see smtp_tls_policy_maps) the only valid separator is
       colon. An empty value means allow all  protocols.  The  valid  protocol
       names (see SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
6916
6917       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
6918       "TLSv1.2". If an older Postfix version is linked against OpenSSL  1.0.1
6919       or  later,  these, or any other new protocol versions, are uncondition‐
6920       ally enabled.
6921
       To include a protocol, list its name; to exclude it, prefix the name
       with  a  "!" character. To exclude SSLv2 even for opportunistic TLS set
       "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3"  set
       "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
       to include, rather than protocols to exclude,  is  supported,  but  not
       recommended.  The exclusion form more closely matches the behavior when
       the OpenSSL library is newer than Postfix.
6929
6930       Example:
       # TLSv1 only!
       smtp_tls_protocols = !SSLv2, !SSLv3
6934       This feature is available in Postfix 2.6 and later.
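
       An added model (not Postfix code) of the protocol-list rules described
       for smtp_tls_protocols and smtp_tls_mandatory_protocols. It assumes a
       Postfix that knows only the three names listed above; the function and
       constant names are hypothetical.

```python
"""Added example: which protocols stay enabled for a given protocol list."""
import re

POSTFIX_KNOWN = ("SSLv2", "SSLv3", "TLSv1")           # names this page lists
OPENSSL_0_9_8 = ("SSLv2", "SSLv3", "TLSv1")
OPENSSL_1_0_1 = OPENSSL_0_9_8 + ("TLSv1.1", "TLSv1.2")


def effective_protocols(spec, library, known=POSTFIX_KNOWN, policy_table=False):
    """Return the set of protocols left enabled by a protocol list.

    spec         -- parameter value, e.g. "!SSLv2, !SSLv3" or "TLSv1"
    library      -- protocols implemented by the linked OpenSSL library
    known        -- protocol names this Postfix version can parse
    policy_table -- True for the policy table "protocols" attribute,
                    where the only valid separator is a colon
    """
    sep = r":" if policy_table else r"[\s,:]+"
    tokens = [t for t in re.split(sep, spec.strip()) if t]
    include = {t for t in tokens if not t.startswith("!")}
    exclude = {t[1:] for t in tokens if t.startswith("!")}
    bad = sorted((include | exclude) - set(known))
    if bad:
        raise ValueError("unknown protocol name(s): %s" % ", ".join(bad))
    # An empty value (or a pure exclusion list) starts from all known names.
    selected = (include or set(known)) - exclude
    # Protocols the library offers but this Postfix cannot name are
    # unconditionally enabled, whatever the list says.
    unnamed = set(library) - set(known)
    return (selected & set(library)) | unnamed


if __name__ == "__main__":
    for value in ("TLSv1", "!SSLv2, !SSLv3", "!SSLv2", ""):
        print(repr(value), sorted(effective_protocols(value, OPENSSL_1_0_1)))
```

       With the newer library, "TLSv1" and "!SSLv2, !SSLv3" enable the same
       three protocols, so the inclusion form does not mean "TLSv1 only".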
6935

smtp_tls_scert_verifydepth (default: 9)

6937       The verification depth for remote SMTP server certificates. A depth  of
6938       1 is sufficient if the issuing CA is listed in a local CA file.
6939
6940       The  default verification depth is 9 (the OpenSSL default) for compati‐
6941       bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
6942       value  was  5, but the limit was not actually enforced. If you have set
6943       this to a lower  non-default  value,  certificates  with  longer  trust
6944       chains  may  now fail to verify. Certificate chains with 1 or 2 CAs are
6945       common, deeper chains are more rare and any  number  between  5  and  9
6946       should suffice in practice. You can choose a lower number if, for exam‐
6947       ple, you trust certificates directly signed by an issuing  CA  but  not
6948       any CAs it delegates to.
6949
6950       This feature is available in Postfix 2.2 and later.
6951

smtp_tls_secure_cert_match (default: nexthop, dot-nexthop)

6953       How  the  Postfix  SMTP client verifies the server certificate peername
6954       for the "secure" TLS security level. In a  "secure"  TLS  policy  table
6955       ($smtp_tls_policy_maps)  entry the optional "match" attribute overrides
6956       this main.cf setting.
6957
6958       This parameter specifies one or more patterns or  strategies  separated
6959       by  commas,  whitespace  or colons.  In the policy table the only valid
6960       separator is the colon character.
6961
6962       For  a  description  of  the  pattern  and  strategy  syntax  see   the
6963       smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
6964       avoided in this context, as in the absence  of  a  secure  global  DNS,
6965       using  the  results  of  MX  lookups in certificate verification is not
6966       immune to active (man-in-the-middle) attacks on DNS.
6967
6968       Sample main.cf setting:
6969
           smtp_tls_secure_cert_match = nexthop
6971
6972       Sample policy table override:
6973
           example.net     secure match=example.com:.example.com
           .example.net    secure match=example.com:.example.com
6976
6977       This feature is available in Postfix 2.3 and later.
6978

smtp_tls_security_level (default: empty)

6980       The default SMTP TLS security level for the Postfix SMTP client; when a
6981       non-empty  value  is  specified, this overrides the obsolete parameters
6982       smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
6983
6984       Specify one of the following security levels:
6985
6986       none   TLS will not be used unless enabled  for  specific  destinations
6987              via smtp_tls_policy_maps.
6988
6989       may    Opportunistic  TLS.  Use  TLS if this is supported by the remote
6990              SMTP server, otherwise use plaintext. Since sending in the clear
6991              is  acceptable,  demanding  stronger  than  default TLS security
6992              merely reduces inter-operability.   The  "smtp_tls_ciphers"  and
6993              "smtp_tls_protocols"  (Postfix  >= 2.6) configuration parameters
6994              provide control over the protocols and cipher  grade  used  with
6995              opportunistic  TLS.  With earlier releases the opportunistic TLS
6996              cipher grade is always "export" and no protocols  are  disabled.
6997              When  TLS  handshakes  fail,  the connection is retried with TLS
6998              disabled.  This allows mail delivery to sites with  non-interop‐
6999              erable TLS implementations.
7000
7001       encrypt
7002              Mandatory  TLS  encryption. Since a minimum level of security is
7003              intended, it is reasonable to  be  specific  about  sufficiently
7004              secure protocol versions and ciphers. At this security level and
7005              higher, the main.cf parameters smtp_tls_mandatory_protocols  and
7006              smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
              cipher grade which the administrator considers secure enough for
              mandatory encrypted sessions. This security level is not an
              appropriate default for systems delivering mail to the Internet.

       fingerprint
              Certificate fingerprint verification. Available with Postfix 2.5
              and later. At this security level, there are no trusted
              certificate authorities. The certificate trust chain, expiration
              date, ... are not checked. Instead, the
              smtp_tls_fingerprint_cert_match parameter lists the certificate
              fingerprint or public key fingerprint (Postfix 2.9 and later) of
              the valid server certificate. The digest algorithm used to
              calculate the fingerprint is selected by the
              smtp_tls_fingerprint_digest parameter.

       verify Mandatory TLS verification. At this security level, DNS MX
              lookups are trusted to be secure enough, and the name verified
              in the server certificate is usually obtained indirectly via
              unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match
              parameter controls how the server name is verified. In practice
              explicit control over matching is more common at the "secure"
              level, described below. This security level is not an
              appropriate default for systems delivering mail to the Internet.

       secure Secure-channel TLS. At this security level, DNS MX lookups,
              though potentially used to determine the candidate next-hop
              gateway IP addresses, are not trusted to be secure enough for
              TLS peername verification. Instead, the default name verified in
              the server certificate is obtained from the next-hop domain as
              specified in the smtp_tls_secure_cert_match configuration
              parameter. The default matching rule is that a server
              certificate matches when its name is equal to or is a sub-domain
              of the nexthop domain. This security level is not an appropriate
              default for systems delivering mail to the Internet.

       Examples:

       # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
       smtp_tls_security_level = none

       # Opportunistic TLS.
       smtp_tls_security_level = may
       # Postfix >= 2.6:
       # Do not tweak opportunistic ciphers or protocol unless it is essential
       # to do so (if a security vulnerability is found in the SSL library that
       # can be mitigated by disabling a particular protocol or raising the
       # cipher grade from "export" to "low" or "medium").
       smtp_tls_ciphers = export
       smtp_tls_protocols = !SSLv2

       # Mandatory (high-grade) TLS encryption.
       smtp_tls_security_level = encrypt
       smtp_tls_mandatory_ciphers = high

       # Mandatory TLS verification of hostname or nexthop domain.
       smtp_tls_security_level = verify
       smtp_tls_mandatory_ciphers = high
       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop

       # Secure channel TLS with exact nexthop name match.
       smtp_tls_security_level = secure
       smtp_tls_mandatory_protocols = TLSv1
       smtp_tls_mandatory_ciphers = high
       smtp_tls_secure_cert_match = nexthop

       # Certificate fingerprint verification (Postfix >= 2.5).
       # The CA-less "fingerprint" security level only scales to a limited
       # number of destinations. As a global default rather than a per-site
       # setting, this is practical when mail for all recipients is sent
       # to a central mail hub.
       relayhost = [mailhub.example.com]
       smtp_tls_security_level = fingerprint
       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
       smtp_tls_mandatory_ciphers = high
       smtp_tls_fingerprint_cert_match =
           3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
           EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35

       This feature is available in Postfix 2.3 and later.

smtp_tls_session_cache_database (default: empty)

       Name of the file containing the optional Postfix SMTP client TLS
       session cache. Specify a database type that supports enumeration, such
       as btree or sdbm; there is no need to support concurrent access. The
       file is created if it does not exist. The smtp(8) daemon does not use
       this parameter directly; rather, the cache is implemented indirectly in
       the tlsmgr(8) daemon. This means that per-smtp-instance master.cf
       overrides of this parameter are not effective. Note that each of the
       cache databases supported by the tlsmgr(8) daemon
       ($smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
       and, with Postfix 2.3 and later, $lmtp_tls_session_cache_database)
       needs to be stored separately. It is not at this time possible to store
       multiple caches in a single database.

       Note: dbm databases are not suitable. TLS session objects are too
       large.

       As of version 2.5, Postfix no longer uses root privileges when opening
       this file. The file should now be stored under the Postfix-owned
       data_directory. As a migration aid, an attempt to open the file under a
       non-Postfix directory is redirected to the Postfix-owned
       data_directory, and a warning is logged.

       Example:

       smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

       This feature is available in Postfix 2.2 and later.

smtp_tls_session_cache_timeout (default: 3600s)

       The expiration time of Postfix SMTP client TLS session cache
       information. A cache cleanup is performed periodically every
       $smtp_tls_session_cache_timeout seconds. As with
       $smtp_tls_session_cache_database, this parameter is implemented in the
       tlsmgr(8) daemon and therefore per-smtp-instance master.cf overrides
       are not possible.

       This feature is available in Postfix 2.2 and later.

smtp_tls_verify_cert_match (default: hostname)

       How the Postfix SMTP client verifies the server certificate peername
       for the "verify" TLS security level. In a "verify" TLS policy table
       ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
       this main.cf setting.

       This parameter specifies one or more patterns or strategies separated
       by commas, whitespace or colons. In the policy table the only valid
       separator is the colon character.

       Patterns specify domain names, or domain name suffixes:

       example.com
              Match the example.com domain, i.e. one of the names in the
              server certificate must be example.com. Upper and lower case
              distinctions are ignored.

       .example.com
              Match subdomains of the example.com domain, i.e. match a name in
              the server certificate that consists of a non-zero number of
              labels followed by a .example.com suffix. Case distinctions are
              ignored.

       Strategies specify a transformation from the next-hop domain to the
       expected name in the server certificate:

       nexthop
              Match against the next-hop domain, which is either the recipient
              domain, or the transport next-hop configured for the domain
              stripped of any optional socket type prefix, enclosing square
              brackets and trailing port. When MX lookups are not suppressed,
              this is the original nexthop domain prior to the MX lookup, not
              the result of the MX lookup. For LMTP delivery via UNIX-domain
              sockets, the verified next-hop name is $myhostname. This
              strategy is suitable for use with the "secure" policy. Case is
              ignored.

       dot-nexthop
              As above, but match server certificate names that are subdomains
              of the next-hop domain. Case is ignored.

       hostname
              Match against the hostname of the server, often obtained via an
              unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
              sockets, the verified name is $myhostname. This matches the
              verification strategy of the "MUST" keyword in the obsolete
              smtp_tls_per_site table, and is suitable for use with the
              "verify" security level. When the next-hop name is enclosed in
              square brackets to suppress MX lookups, the "hostname" strategy
              is the same as the "nexthop" strategy. Case is ignored.

       Sample main.cf setting:

       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop

       Sample policy table override:

       example.com     verify  match=hostname:nexthop
       .example.com    verify  match=example.com:.example.com:hostname

       This feature is available in Postfix 2.3 and later.
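
       The matching rules above, as an added Python example (not Postfix code
       and not part of the original manual page). Function names and sample
       host names are constructed, and wildcard certificate names are not
       modeled. It shows that "hostname" accepts whatever name an
       unauthenticated MX lookup returned, while "nexthop" and "dot-nexthop"
       stay tied to the next-hop domain.

```python
import re


def normalize_nexthop(nexthop):
    """Return (name, bracketed); name is None for a UNIX-domain socket.

    Strips the optional socket type prefix, enclosing square brackets and
    trailing port, as described for the "nexthop" strategy.
    """
    nh = nexthop.strip()
    lower = nh.lower()
    if lower.startswith("unix:"):
        return None, False
    if lower.startswith("inet:"):
        nh = nh[len("inet:"):]
    if nh.startswith("["):
        end = nh.index("]")  # ValueError on unbalanced brackets
        return nh[1:end].lower(), True
    host, sep, _port = nh.rpartition(":")
    return (host if sep else nh).lower(), False


def parse_match(value, policy_table=False):
    """Split a match value; the policy table accepts only ':' as separator."""
    separator = r":" if policy_table else r"[,\s:]+"
    return [tok for tok in re.split(separator, value.strip()) if tok]


def expected_names(tokens, nexthop, mx_hostname, myhostname):
    """Translate patterns and strategies into ("exact"|"suffix", name) rules."""
    name, bracketed = normalize_nexthop(nexthop)
    if name is None:
        # LMTP over a UNIX-domain socket: the verified name is $myhostname.
        name = mx_hostname = myhostname.lower()
    elif bracketed:
        # MX lookups suppressed: "hostname" is the same as "nexthop".
        mx_hostname = name
    rules = []
    for tok in tokens:
        tok = tok.lower()
        if tok == "nexthop":
            rules.append(("exact", name))
        elif tok == "dot-nexthop":
            rules.append(("suffix", "." + name))
        elif tok == "hostname":
            rules.append(("exact", mx_hostname.lower()))
        elif tok.startswith("."):
            rules.append(("suffix", tok))
        else:
            rules.append(("exact", tok))
    return rules


def name_matches(cert_name, rule):
    """Case-insensitive comparison of one certificate name with one rule."""
    kind, want = rule
    have = cert_name.lower()
    if kind == "exact":
        return have == want
    if not have.endswith(want):
        return False
    # A suffix rule needs a non-zero number of non-empty labels in front.
    prefix = have[:len(have) - len(want)]
    return all(prefix.split("."))


def verify(match_value, nexthop, mx_hostname, cert_names,
           myhostname="client.example.net", policy_table=False):
    """True when any certificate name satisfies any pattern or strategy."""
    tokens = parse_match(match_value, policy_table)
    rules = expected_names(tokens, nexthop, mx_hostname, myhostname)
    return any(name_matches(n, r) for n in cert_names for r in rules)


if __name__ == "__main__":
    # Constructed case: the MX lookup for example.com returned an unrelated
    # host that presents a certificate valid for its own name.
    cert = ["mx.other.test"]
    print(verify("hostname", "example.com", "mx.other.test", cert))
    print(verify("nexthop, dot-nexthop", "example.com", "mx.other.test", cert))
```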

smtp_use_tls (default: no)

       Opportunistic mode: use TLS when a remote SMTP server announces
       STARTTLS support, otherwise send the mail in the clear. Beware: some
       SMTP servers offer STARTTLS even if it is not configured. With Postfix
       < 2.3, if the TLS handshake fails, and no other server is available,
       delivery is deferred and mail stays in the queue. If this is a concern
       for you, use the smtp_tls_per_site feature instead.

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtp_tls_security_level instead.

smtp_xforward_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the XFORWARD command,
       and for receiving the remote SMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

smtpd_authorized_verp_clients (default: $authorized_verp_clients)

       What remote SMTP clients are allowed to specify the XVERP command.
       This command requests that mail be delivered one recipient at a time
       with a per recipient return address.

       By default, no clients are allowed to specify XVERP.

       This parameter was renamed with Postfix version 2.1. The default value
       is backwards compatible with Postfix version 2.0.

       Specify a list of network/netmask patterns, separated by commas and/or
       whitespace. The mask specifies the number of bits in the network part
       of a host address. You can also specify hostnames or .domain names (the
       initial dot causes the domain to match any name below it),
       "/file/name" or "type:table" patterns. A "/file/name" pattern is
       replaced by its contents; a "type:table" lookup table is matched when a
       table entry matches a lookup string (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude an address or network block from the list. The
       form "!/file/name" is supported only in Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside [] in
       the smtpd_authorized_verp_clients value, and in files specified with
       "/file/name". IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.

smtpd_authorized_xclient_hosts (default: empty)

       What remote SMTP clients are allowed to use the XCLIENT feature. This
       command overrides remote SMTP client information that is used for
       access control. Typical use is for SMTP-based content filters,
       fetchmail-like programs, or SMTP server access rule testing. See the
       XCLIENT_README document for details.

       This feature is available in Postfix 2.1 and later.

       By default, no clients are allowed to specify XCLIENT.

       Specify a list of network/netmask patterns, separated by commas and/or
       whitespace. The mask specifies the number of bits in the network part
       of a host address. You can also specify hostnames or .domain names (the
       initial dot causes the domain to match any name below it),
       "/file/name" or "type:table" patterns. A "/file/name" pattern is
       replaced by its contents; a "type:table" lookup table is matched when a
       table entry matches a lookup string (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude an address or network block from the list. The
       form "!/file/name" is supported only in Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside [] in
       the smtpd_authorized_xclient_hosts value, and in files specified with
       "/file/name". IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.

smtpd_authorized_xforward_hosts (default: empty)

       What remote SMTP clients are allowed to use the XFORWARD feature. This
       command forwards information that is used to improve logging after
       SMTP-based content filters. See the XFORWARD_README document for
       details.

       This feature is available in Postfix 2.1 and later.

       By default, no clients are allowed to specify XFORWARD.

       Specify a list of network/netmask patterns, separated by commas and/or
       whitespace. The mask specifies the number of bits in the network part
       of a host address. You can also specify hostnames or .domain names (the
       initial dot causes the domain to match any name below it),
       "/file/name" or "type:table" patterns. A "/file/name" pattern is
       replaced by its contents; a "type:table" lookup table is matched when a
       table entry matches a lookup string (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude an address or network block from the list. The
       form "!/file/name" is supported only in Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside [] in
       the smtpd_authorized_xforward_hosts value, and in files specified with
       "/file/name". IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.

smtpd_banner (default: $myhostname ESMTP $mail_name)

       The text that follows the 220 status code in the SMTP greeting banner.
       Some people like to see the mail version advertised. By default,
       Postfix shows no version.

       You MUST specify $myhostname at the start of the text. This is required
       by the SMTP protocol.

       Example:

       smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

smtpd_client_connection_count_limit (default: 50)

       How many simultaneous connections any client is allowed to make to this
       service. By default, the limit is set to half the default process
       limit value.

       To disable this feature, specify a limit of 0.

       WARNING: The purpose of this feature is to limit abuse. It must not be
       used to regulate legitimate mail traffic.

       This feature is available in Postfix 2.2 and later.

smtpd_client_connection_rate_limit (default: 0)

       The maximal number of connection attempts any client is allowed to make
       to this service per time unit. The time unit is specified with the
       anvil_rate_time_unit configuration parameter.

       By default, a client can make as many connections per time unit as
       Postfix can accept.

       To disable this feature, specify a limit of 0.

       WARNING: The purpose of this feature is to limit abuse. It must not be
       used to regulate legitimate mail traffic.

       This feature is available in Postfix 2.2 and later.

       Example:

       smtpd_client_connection_rate_limit = 1000

smtpd_client_event_limit_exceptions (default: $mynetworks)

       Clients that are excluded from smtpd_client_*_count/rate_limit
       restrictions. See the mynetworks parameter description for the
       parameter value syntax.

       By default, clients in trusted networks are excluded. Specify a list of
       network blocks, hostnames or .domain names (the initial dot causes the
       domain to match any name below it).

       Note: IP version 6 address information must be specified inside [] in
       the smtpd_client_event_limit_exceptions value, and in files specified
       with "/file/name". IP version 6 addresses contain the ":" character,
       and would otherwise be confused with a "type:table" pattern.

       This feature is available in Postfix 2.2 and later.

smtpd_client_message_rate_limit (default: 0)

       The maximal number of message delivery requests that any client is
       allowed to make to this service per time unit, regardless of whether or
       not Postfix actually accepts those messages. The time unit is
       specified with the anvil_rate_time_unit configuration parameter.

       By default, a client can send as many message delivery requests per
       time unit as Postfix can accept.

       To disable this feature, specify a limit of 0.

       WARNING: The purpose of this feature is to limit abuse. It must not be
       used to regulate legitimate mail traffic.

       This feature is available in Postfix 2.2 and later.

       Example:

       smtpd_client_message_rate_limit = 1000

smtpd_client_new_tls_session_rate_limit (default: 0)

       The maximal number of new (i.e., uncached) TLS sessions that a remote
       SMTP client is allowed to negotiate with this service per time unit.
       The time unit is specified with the anvil_rate_time_unit configuration
       parameter.

       By default, a remote SMTP client can negotiate as many new TLS sessions
       per time unit as Postfix can accept.

       To disable this feature, specify a limit of 0. Otherwise, specify a
       limit that is at least the per-client concurrent session limit, or else
       legitimate client sessions may be rejected.

       WARNING: The purpose of this feature is to limit abuse. It must not be
       used to regulate legitimate mail traffic.

       This feature is available in Postfix 2.3 and later.

       Example:

       smtpd_client_new_tls_session_rate_limit = 100

smtpd_client_port_logging (default: no)

       Enable logging of the remote SMTP client port in addition to the
       hostname and IP address. The logging format is "host[address]:port".

       This feature is available in Postfix 2.5 and later.

smtpd_client_recipient_rate_limit (default: 0)

       The maximal number of recipient addresses that any client is allowed to
       send to this service per time unit, regardless of whether or not
       Postfix actually accepts those recipients. The time unit is specified
       with the anvil_rate_time_unit configuration parameter.

       By default, a client can send as many recipient addresses per time unit
       as Postfix can accept.

       To disable this feature, specify a limit of 0.

       WARNING: The purpose of this feature is to limit abuse. It must not be
       used to regulate legitimate mail traffic.

       This feature is available in Postfix 2.2 and later.

       Example:

       smtpd_client_recipient_rate_limit = 1000

smtpd_client_restrictions (default: empty)

7414       Optional restrictions that the Postfix SMTP server applies in the  con‐
7415       text  of a client connection request.  See SMTPD_ACCESS_README, section
7416       "Delayed evaluation of SMTP access restriction lists" for a  discussion
7417       of evaluation context and time.
7418
7419       The default is to allow all connection requests.
7420
7421       Specify  a list of restrictions, separated by commas and/or whitespace.
7422       Continue  long  lines  by  starting  the  next  line  with  whitespace.
7423       Restrictions  are applied in the order as specified; the first restric‐
7424       tion that matches wins.
7425
7426       The following restrictions are specific to client  hostname  or  client
7427       network address information.
7428
7429       check_ccert_access type:table
7430              Use the remote SMTP client certificate fingerprint or the public
7431              key fingerprint (Postfix 2.9 and later) as lookup  key  for  the
7432              specified  access(5)  database;  with  Postfix version 2.2, also
7433              require that the remote SMTP client certificate is verified suc‐
7434              cessfully.  The fingerprint digest algorithm is configurable via
7435              the smtpd_tls_fingerprint_digest parameter  (hard-coded  as  md5
7436              prior  to  Postfix version 2.5).  This feature is available with
7437              Postfix version 2.2 and later.
7438
7439       check_client_access type:table
7440              Search the specified access database for  the  client  hostname,
7441              parent  domains,  client  IP  address,  or  networks obtained by
7442              stripping least significant octets.  See  the  access(5)  manual
7443              page for details.
7444
7445       check_client_mx_access type:table
7446              Search the specified access(5) database for the MX hosts for the
7447              client hostname, and execute the corresponding action.  Note:  a
7448              result  of  "OK" is not allowed for safety reasons. Instead, use
7449              DUNNO in order to exclude specific hosts from blacklists.   This
7450              feature is available in Postfix 2.7 and later.
7451
7452       check_client_ns_access type:table
7453              Search  the specified access(5) database for the DNS servers for
7454              the client  hostname,  and  execute  the  corresponding  action.
7455              Note:  a  result  of  "OK"  is  not  allowed for safety reasons.
7456              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
7457              blacklists.  This feature is available in Postfix 2.7 and later.
7458
7459       check_reverse_client_hostname_access type:table
7460              Search  the specified access database for the unverified reverse
7461              client hostname, parent domains, client IP address, or  networks
7462              obtained   by   stripping  least  significant  octets.  See  the
7463              access(5) manual page for details.  Note: a result  of  "OK"  is
7464              not  allowed for safety reasons.  Instead, use DUNNO in order to
7465              exclude specific hosts from blacklists.  This feature is  avail‐
7466              able in Postfix 2.6 and later.
7467
7468       check_reverse_client_hostname_mx_access type:table
7469              Search the specified access(5) database for the MX hosts for the
7470              unverified reverse client hostname, and execute the  correspond‐
7471              ing  action.   Note:  a result of "OK" is not allowed for safety
7472              reasons.  Instead, use DUNNO in order to exclude specific  hosts
7473              from  blacklists.   This feature is available in Postfix 2.7 and
7474              later.
7475
7476       check_reverse_client_hostname_ns_access type:table
7477              Search the specified access(5) database for the DNS servers  for
7478              the  unverified  reverse client hostname, and execute the corre‐
7479              sponding action.  Note: a result of  "OK"  is  not  allowed  for
7480              safety reasons.  Instead, use DUNNO in order to exclude specific
7481              hosts from blacklists.  This feature is available in Postfix 2.7
7482              and later.
7483
7484       permit_inet_interfaces
7485              Permit   the   request   when  the  client  IP  address  matches
7486              $inet_interfaces.
7487
7488       permit_mynetworks
7489              Permit the request when the client IP address matches  any  net‐
7490              work or network address listed in  $mynetworks.
7491
7492       permit_sasl_authenticated
7493              Permit the request when the client is successfully authenticated
7494              via the RFC 4954 (AUTH) protocol.
7495
7496       permit_tls_all_clientcerts
7497              Permit the request when the remote SMTP  client  certificate  is
7498              verified  successfully.  This option must be used only if a spe‐
7499              cial CA issues the certificates and only this CA  is  listed  as
7500              trusted  CA.  Otherwise,  clients with a third-party certificate
7501              would also be allowed to relay.  Specify  "tls_append_default_CA
7502              =  no" when the trusted CA is specified with smtpd_tls_CAfile or
7503              smtpd_tls_CApath, to prevent Postfix from appending the  system-
7504              supplied  default  CAs.   This feature is available with Postfix
7505              version 2.2.
7506
7507       permit_tls_clientcerts
7508              Permit the request when the remote SMTP client certificate  fin‐
7509              gerprint  or  public  key fingerprint (Postfix 2.9 and later) is
7510              listed in $relay_clientcerts.  The fingerprint digest  algorithm
7511              is  configurable  via the smtpd_tls_fingerprint_digest parameter
7512              (hard-coded as md5 prior to Postfix version 2.5).  This  feature
7513              is available with Postfix version 2.2.
7514
7515       reject_rbl_client rbl_domain=d.d.d.d
7516              Reject  the  request when the reversed client network address is
7517              listed with the A record  "d.d.d.d"  under  rbl_domain  (Postfix
7518              version 2.1 and later only).  Each "d" is a number, or a pattern
7519              inside "[]" that contains one or more ";"-separated  numbers  or
7520              number..number  ranges  (Postfix  version 2.8 and later).  If no
7521              "=d.d.d.d" is specified, reject the request  when  the  reversed
7522              client  network  address  is  listed  with  any  A  record under
7523              rbl_domain.
7524              The maps_rbl_reject_code parameter specifies the  response  code
7525              for  rejected  requests  (default:   554), the default_rbl_reply
7526              parameter  specifies  the  default   server   reply,   and   the
7527              rbl_reply_maps   parameter  specifies tables with server replies
7528              indexed by rbl_domain.  This feature is available in Postfix 2.0
7529              and later.
7530
7531       permit_dnswl_client dnswl_domain=d.d.d.d
7532              Accept  the  request when the reversed client network address is
7533              listed with the A record "d.d.d.d" under dnswl_domain.  Each "d"
7534              is  a number, or a pattern inside "[]" that contains one or more
7535              ";"-separated  numbers  or   number..number   ranges.    If   no
7536              "=d.d.d.d"  is  specified,  accept the request when the reversed
7537              client network  address  is  listed  with  any  A  record  under
7538              dnswl_domain.
7539              For  safety,  permit_dnswl_client  is  silently  ignored when it
7540              would  override  reject_unauth_destination.    The   result   is
7541              DEFER_IF_REJECT  when  whitelist  lookup fails.  This feature is
7542              available in Postfix 2.8 and later.
7543
7544       reject_rhsbl_client rbl_domain=d.d.d.d
7545              Reject the request when the client hostname is listed with the A
7546              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
7547              only).  Each "d" is a number, or a pattern inside "[]" that con‐
7548              tains one or more ";"-separated numbers or number..number ranges
7549              (Postfix version 2.8 and later).  If no "=d.d.d.d" is specified,
7550              reject the request when the client hostname is listed with any A
7551              record under rbl_domain. See the  reject_rbl_client  description
7552              above for additional RBL related configuration parameters.  This
7553              feature is available in Postfix 2.0 and later; with Postfix ver‐
7554              sion  2.8  and  later,  reject_rhsbl_reverse_client will usually
7555              produce better results.
7556
7557       permit_rhswl_client rhswl_domain=d.d.d.d
7558              Accept the request when the client hostname is listed with the A
7559              record "d.d.d.d" under rhswl_domain.  Each "d" is a number, or a
7560              pattern inside "[]" that contains one or more ";"-separated num‐
7561              bers  or  number..number  ranges. If no "=d.d.d.d" is specified,
7562              accept the request when the client hostname is listed with any A
7563              record under rhswl_domain.
7564              Caution:  client  name whitelisting is fragile, since the client
7565              name lookup can fail due  to  temporary  outages.   Client  name
7566              whitelisting  should  be  used only to reduce false positives in
7567              e.g.  DNS-based blocklists,  and  not  for  making  access  rule
7568              exceptions.
7569              For  safety,  permit_rhswl_client  is  silently  ignored when it
7570              would  override  reject_unauth_destination.    The   result   is
7571              DEFER_IF_REJECT  when  whitelist  lookup fails.  This feature is
7572              available in Postfix 2.8 and later.
7573
7574       reject_rhsbl_reverse_client rbl_domain=d.d.d.d
7575              Reject the request when the unverified reverse  client  hostname
7576              is  listed  with  the A record "d.d.d.d" under rbl_domain.  Each
7577              "d" is a number, or a pattern inside "[]" that contains  one  or
7578              more  ";"-separated  numbers  or  number..number  ranges.  If no
7579              "=d.d.d.d" is specified, reject the request when the  unverified
7580              reverse  client  hostname  is  listed  with  any  A record under
7581              rbl_domain. See  the  reject_rbl_client  description  above  for
7582              additional  RBL  related configuration parameters.  This feature
7583              is available in Postfix 2.8 and later.
7584
7585       reject_unknown_client_hostname      (with      Postfix      <      2.3:
7586       reject_unknown_client)
7587              Reject  the  request when 1) the client IP address->name mapping
7588              fails,  2)  the  name->address  mapping   fails,   or   3)   the
7589              name->address mapping does not match the client IP address.
7590              This      is     a     stronger     restriction     than     the
7591              reject_unknown_reverse_client_hostname feature,  which  triggers
7592              only under condition 1) above.
7593              The  unknown_client_reject_code parameter specifies the response
7594              code for rejected requests (default: 450). The reply  is  always
7595              450 in case the address->name or name->address lookup failed due
7596              to a temporary problem.
7597
7598       reject_unknown_reverse_client_hostname
7599              Reject  the  request  when  the  client  IP   address   has   no
7600              address->name mapping.
7601              This      is      a      weaker     restriction     than     the
7602              reject_unknown_client_hostname feature, which requires not  only
7603              that  the  address->name  and  name->address mappings exist, but
7604              also that the two mappings reproduce the client IP address.
7605              The unknown_client_reject_code parameter specifies the  response
7606              code  for rejected requests (default: 450).  The reply is always
7607              450 in case the address->name lookup failed due to  a  temporary
7608              problem.
7609              This feature is available in Postfix 2.3 and later.
7610
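The difference between the two restrictions above, as an added example (a model written for this page, not Postfix code). The resolver callbacks, state names and DNS data are constructed assumptions; the reply codes follow the text, with unknown_client_reject_code set to 550 so that temporary failures (always 450) are distinguishable.

```python
import ipaddress


class TempFail(Exception):
    """Temporary DNS problem (timeout, SERVFAIL)."""


def classify_client(ip, ptr_lookup, addr_lookup):
    """Classify a client IP by the three conditions listed in the text.

    ptr_lookup(ip) -> hostname or None; addr_lookup(name) -> list of IPs.
    Both are hypothetical resolver callbacks that raise TempFail on a
    temporary error.
    """
    try:
        name = ptr_lookup(ip)
    except TempFail:
        return "temp_ptr"
    if not name:
        return "no_ptr"            # condition 1: address->name mapping fails
    try:
        addrs = addr_lookup(name)
    except TempFail:
        return "temp_forward"
    if not addrs:
        return "no_forward"        # condition 2: name->address mapping fails
    client = ipaddress.ip_address(ip)   # normalises IPv6 spellings
    if client not in {ipaddress.ip_address(a) for a in addrs}:
        return "mismatch"          # condition 3: name resolves elsewhere
    return "verified"


def reply_unknown_client_hostname(state, unknown_client_reject_code=450):
    """Stronger check: any of conditions 1-3 rejects; temp errors give 450."""
    if state == "verified":
        return None
    if state.startswith("temp_"):
        return 450
    return unknown_client_reject_code


def reply_unknown_reverse_client_hostname(state, unknown_client_reject_code=450):
    """Weaker check: only the address->name lookup matters."""
    if state == "temp_ptr":
        return 450
    if state == "no_ptr":
        return unknown_client_reject_code
    return None


# Constructed DNS data (documentation address ranges), not real records.
PTR = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.20": "ghost.example.net",    # PTR exists, name does not resolve
    "192.0.2.30": "spoof.example.org",    # PTR exists, name resolves elsewhere
    "192.0.2.50": "flaky.example.com",    # forward lookup fails temporarily
    "2001:db8::25": "v6.example.com",
}
FORWARD = {
    "mail.example.com": ["192.0.2.10"],
    "spoof.example.org": ["198.51.100.7"],
    "v6.example.com": ["2001:0db8:0000:0000:0000:0000:0000:0025"],
}


def sample_ptr(ip):
    if ip == "192.0.2.40":
        raise TempFail(ip)
    return PTR.get(ip)


def sample_forward(name):
    if name == "flaky.example.com":
        raise TempFail(name)
    return FORWARD.get(name, [])


def evaluate(ip, code=550):
    """Return (state, reply of the stronger check, reply of the weaker check)."""
    state = classify_client(ip, sample_ptr, sample_forward)
    return (state,
            reply_unknown_client_hostname(state, code),
            reply_unknown_reverse_client_hostname(state, code))


if __name__ == "__main__":
    for ip in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40",
               "192.0.2.50", "192.0.2.99", "2001:db8::25"]:
        print(ip, evaluate(ip))
```
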
7611       In  addition,  you  can  use any of the following generic restrictions.
7612       These restrictions are applicable in any SMTP command context.
7613
7614       check_policy_service servername
7615              Query the specified policy server. See  the  SMTPD_POLICY_README
7616              document  for  details. This feature is available in Postfix 2.1
7617              and later.
7618
7619       defer  Defer the request. The client is told to try again  later.  This
7620              restriction  is useful at the end of a restriction list, to make
7621              the default policy explicit.
7622              The defer_code parameter specifies the SMTP  server  reply  code
7623              (default: 450).
7624
7625       defer_if_permit
7626              Defer  the  request if some later restriction would result in an
7627              explicit or implicit PERMIT  action.   This  is  useful  when  a
7628              blacklisting  feature  fails  due  to a temporary problem.  This
7629              feature is available in Postfix version 2.1 and later.
7630
7631       defer_if_reject
7632              Defer the request if some later restriction would  result  in  a
7633              REJECT action.  This is useful when a whitelisting feature fails
7634              due to a temporary problem.  This feature is available in  Post‐
7635              fix version 2.1 and later.
7636
7637       permit Permit  the  request. This restriction is useful at the end of a
7638              restriction list, to make the default policy explicit.
7639
7640       reject_multi_recipient_bounce
7641              Reject the request when the envelope sender is the null address,
7642              and the message has multiple envelope recipients. This usage has
7643              rare but  legitimate  applications:  under  certain  conditions,
7644              multi-recipient  mail  that  was  posted  with  the  DSN  option
7645              NOTIFY=NEVER may be forwarded with the null sender address.
7646              Note: this restriction can  only  work  reliably  when  used  in
7647              smtpd_data_restrictions    or    smtpd_end_of_data_restrictions,
7648              because the total number of recipients is not known at  an  ear‐
7649              lier stage of the SMTP conversation.  Use at the RCPT stage will
7650              only reject the second etc.  recipient.
7651              The multi_recipient_bounce_reject_code parameter  specifies  the
7652              response  code for rejected requests (default:  550).  This fea‐
7653              ture is available in Postfix 2.1 and later.
7654
7655       reject_plaintext_session
7656              Reject the request when the connection is  not  encrypted.  This
7657              restriction  should  not  be  used  before  the client has had a
7658              chance to negotiate encryption with the AUTH  or  STARTTLS  com‐
7659              mands.
7660              The  plaintext_reject_code parameter specifies the response code
7661              for rejected requests (default:  450).  This feature  is  avail‐
7662              able in Postfix 2.3 and later.
7663
7664       reject_unauth_pipelining
7665              Reject  the request when the client sends SMTP commands ahead of
7666              time where it is not allowed, or when the client sends SMTP com‐
7667              mands  ahead  of time without knowing that Postfix actually sup‐
7668              ports ESMTP command pipelining. This stops mail from  bulk  mail
7669              software  that improperly uses ESMTP command pipelining in order
7670              to speed up deliveries.
7671              With Postfix 2.6 and later, the SMTP server sets  a  per-session
7672              flag whenever it detects illegal pipelining, including pipelined
7673              EHLO or HELO commands. The reject_unauth_pipelining feature sim‐
7674              ply  tests  whether the flag was set at any point in time during
7675              the session.
7676              With older Postfix versions, reject_unauth_pipelining checks the
7677              current  status  of  the  input read queue, and its usage is not
7678              recommended in contexts other than smtpd_data_restrictions.
7679
7680       reject Reject the request. This restriction is useful at the end  of  a
7681              restriction  list,  to  make  the  default policy explicit.  The
7682              reject_code configuration parameter specifies the response  code
7683              for rejected requests (default: 554).
7684
7685       sleep seconds
7686              Pause  for  the specified number of seconds and proceed with the
7687              next restriction in the list, if any. This may stop zombie  mail
7688              when used as:
7689              /etc/postfix/main.cf:
7690                  smtpd_client_restrictions =
7691                      sleep 1, reject_unauth_pipelining
7692                  smtpd_delay_reject = no
7693              This feature is available in Postfix 2.3.
7694
7695       warn_if_reject
7696              A safety net for testing. When "warn_if_reject" is placed before
7697              a reject-type restriction, access  table  query,  or  check_pol‐
7698              icy_service  query, this logs a "reject_warning" message instead
7699              of rejecting a request (when a reject-type restriction fails due
7700              to  a  temporary error, this logs a "reject_warning" message for
7701              any implicit "defer_if_permit" actions that would normally  pre‐
7702              vent mail from being accepted by some later access restriction).
7703              This feature has no effect on defer_if_reject restrictions.
7704
7705       Other restrictions that are valid in this context:
7706
7707       ·      SMTP command specific restrictions that are described under  the
7708              smtpd_helo_restrictions,       smtpd_sender_restrictions      or
7709              smtpd_recipient_restrictions parameters. When  helo,  sender  or
7710              recipient  restrictions  are  listed under smtpd_client_restric‐
7711              tions, they have effect only with "smtpd_delay_reject = yes", so
7712              that  $smtpd_client_restrictions is evaluated at the time of the
7713              RCPT TO command.
7714
7715       Example:
7716
7717       smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
7718

smtpd_command_filter (default: empty)

7720       A mechanism to transform commands from remote SMTP clients.  This is  a
7721       last-resort  tool to work around client commands that break inter-oper‐
7722       ability with the Postfix SMTP server.  Other uses involve fault  injec‐
7723       tion to test Postfix's handling of invalid commands.
7724
7725       Specify  the  name of a "type:table" lookup table. The search string is
7726       the SMTP command as received from the remote SMTP client,  except  that
7727       initial  whitespace  and the trailing <CR><LF> are removed.  The result
7728       value is executed by the Postfix SMTP server.
7729
7730       There is no need to use smtpd_command_filter for the following cases:
7731
7732       ·      Use "resolve_numeric_domain = yes" to accept "user@ipaddress".
7733
7734       ·      Postfix already accepts the correct form "user@[ipaddress]". Use
7735              virtual_alias_maps  or  canonical_maps  to  translate these into
7736              domain names if necessary.
7737
7738       ·      Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
7739              <user@example.com>>".  Postfix  will ignore the "User Name" part
7740              and deliver to the <user@example.com> address.
7741
7742       Examples of problems that can be solved with  the  smtpd_command_filter
7743       feature:
7744
7745       /etc/postfix/main.cf:
7746           smtpd_command_filter = pcre:/etc/postfix/command_filter
7747
7748       /etc/postfix/command_filter:
7749           # Work around clients that send malformed HELO commands.
7750           /^HELO\s*$/ HELO domain.invalid
7751
7752           # Work around clients that send empty lines.
7753           /^\s*$/     NOOP
7754
7755           # Work around clients that send RCPT TO:<'user@domain'>.
7756           # WARNING: do not lose the parameters that follow the address.
7757           /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/     RCPT TO:<$1>$2
7758
7759           # Append XVERP to MAIL FROM commands to request VERP-style delivery.
7760           # See VERP_README for more information on how to use Postfix VERP.
7761           /^(MAIL FROM:<listname@example\.com>.*)/   $1 XVERP
7762
7763           # Bounce-never mail sink. Use notify_classes=bounce,resource,software
7764           # to send bounced mail to the postmaster (with message body removed).
7765           /^(RCPT\s+TO:<.*>.*)\s+NOTIFY=\S+(.*)/ $1 NOTIFY=NEVER$2
7766           /^(RCPT\s+TO:.*)/                    $1 NOTIFY=NEVER
7767
7768       This feature is available in Postfix 2.7.
7769
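A way to dry-run command_filter rules against sample commands before deploying them, as an added example (not part of Postfix). It models a pcre table as first-match-wins with case-insensitive matching, translates the page's `[^[:space:]]` to Python's `\S`, and flags rules that violate the WARNING above by dropping ESMTP parameters; the helper names, the lossy rule and the sample commands are constructed.

```python
import re


def compile_table(rules):
    """Compile (pattern, replacement) pairs in table order.

    Matching is case-insensitive, as pcre tables are by default.
    """
    return [(re.compile(p, re.IGNORECASE), r) for p, r in rules]


def expand(template, match):
    """Substitute $n and ${n} in a replacement with capture group n."""
    def repl(m):
        n = int(m.group(1) or m.group(2))
        return match.group(n) or ""
    return re.sub(r"\$(?:(\d+)|\{(\d+)\})", repl, template)


def filter_command(table, raw_line):
    """Return the command the server would execute for one received line."""
    # The search string has initial whitespace and the trailing CRLF removed.
    command = raw_line.rstrip("\r\n").lstrip()
    for pattern, template in table:
        m = pattern.search(command)
        if m:
            return expand(template, m)   # first matching rule wins
    return command                       # no rule matched: unchanged


def esmtp_params(command):
    """Parameters that follow the closing '>' of a MAIL FROM / RCPT TO path."""
    _, sep, tail = command.partition(">")
    return set(tail.split()) if sep else set()


def dropped_params(table, raw_line):
    """ESMTP parameters present in the received line but lost by the filter."""
    before = esmtp_params(raw_line.strip())
    after = esmtp_params(filter_command(table, raw_line))
    return before - after


# Rules taken from the example table above (POSIX class rewritten as \S).
PAGE_RULES = compile_table([
    (r"^HELO\s*$", "HELO domain.invalid"),
    (r"^\s*$", "NOOP"),
    (r"^RCPT\s+TO:\s*<'(\S+)'>(.*)", "RCPT TO:<$1>$2"),
])

# Constructed counter-example: same fix, but the trailing (.*) / $2 is missing.
LOSSY_RULES = compile_table([
    (r"^RCPT\s+TO:\s*<'(\S+)'>.*", "RCPT TO:<$1>"),
])

# Constructed sample commands as they would arrive on the wire.
QUOTED_RCPT = "RCPT TO:<'user@example.com'> NOTIFY=NEVER\r\n"

if __name__ == "__main__":
    for line in ["helo\r\n", "   \r\n", QUOTED_RCPT,
                 "MAIL FROM:<a@example.com>\r\n"]:
        print(repr(line), "->", repr(filter_command(PAGE_RULES, line)))
    print("lossy rule drops:", dropped_params(LOSSY_RULES, QUOTED_RCPT))
```
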

smtpd_data_restrictions (default: empty)

7771       Optional  access  restrictions  that the Postfix SMTP server applies in
7772       the context of the SMTP DATA command.  See SMTPD_ACCESS_README, section
7773       "Delayed  evaluation of SMTP access restriction lists" for a discussion
7774       of evaluation context and time.
7775
7776       This feature is available in Postfix 2.0 and later.
7777
7778       Specify a list of restrictions, separated by commas and/or  whitespace.
7779       Continue  long  lines  by  starting  the  next  line  with  whitespace.
7780       Restrictions are applied in the order as specified; the first  restric‐
7781       tion that matches wins.
7782
7783       The following restrictions are valid in this context:
7784
7785       ·      Generic  restrictions  that can be used in any SMTP command con‐
7786              text, described under smtpd_client_restrictions.
7787
7788       ·      SMTP   command    specific    restrictions    described    under
7789              smtpd_client_restrictions,              smtpd_helo_restrictions,
7790              smtpd_sender_restrictions or smtpd_recipient_restrictions.
7791
7792       ·      However, no recipient information is available in  the  case  of
7793              multi-recipient mail. Acting on only one recipient would be mis‐
7794              leading,  because  any  decision  will  affect  all   recipients
7795              equally.  Acting on all recipients would require a possibly very
7796              large amount of memory, and would also  be  misleading  for  the
7797              reasons mentioned before.
7798
7799       Examples:
7800
7801       smtpd_data_restrictions = reject_unauth_pipelining
7802       smtpd_data_restrictions = reject_multi_recipient_bounce
7803

smtpd_delay_open_until_valid_rcpt (default: yes)

7805       Postpone  the  start  of an SMTP mail transaction until a valid RCPT TO
7806       command is received. Specify "no" to create a mail transaction as  soon
7807       as the Postfix SMTP server receives a valid MAIL FROM command.
7808
7809       With  sites  that  reject lots of mail, the default setting reduces the
7810       use of disk, CPU and memory resources. The downside  is  that  rejected
7811       recipients  are  logged  with NOQUEUE instead of a mail transaction ID.
7812       This complicates the logfile analysis of multi-recipient mail.
7813
7814       This feature is available in Postfix 2.3 and later.
7815

smtpd_delay_reject (default: yes)

7817       Wait until the RCPT TO command before evaluating $smtpd_client_restric‐
7818       tions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
7819       until the ETRN command before evaluating $smtpd_client_restrictions and
7820       $smtpd_helo_restrictions.
7821
7822       This  feature  is  turned on by default because some clients apparently
7823       mis-behave when the Postfix SMTP server rejects  commands  before  RCPT
7824       TO.
7825
7826       The  default  setting  has  one major benefit: it allows Postfix to log
7827       recipient address information when rejecting a client  name/address  or
7828       sender  address, so that it is possible to find out whose mail is being
7829       rejected.
7830

smtpd_discard_ehlo_keyword_address_maps (default: empty)

7832       Lookup tables, indexed by the remote SMTP  client  address,  with  case
7833       insensitive  lists  of EHLO keywords (pipelining, starttls, auth, etc.)
7834       that the Postfix SMTP server will not send in the EHLO  response  to  a
7835       remote  SMTP  client. See smtpd_discard_ehlo_keywords for details.  The
7836       table is not searched by hostname for robustness reasons.
7837
7838       This feature is available in Postfix 2.2 and later.
7839

smtpd_discard_ehlo_keywords (default: empty)

7841       A case insensitive list of EHLO keywords (pipelining,  starttls,  auth,
7842       etc.)  that  the Postfix SMTP server will not send in the EHLO response
7843       to a remote SMTP client.
7844
7845       This feature is available in Postfix 2.2 and later.
7846
7847       Notes:
7848
7849       ·      Specify the silent-discard pseudo keyword to prevent this action
7850              from being logged.
7851
7852       ·      Use  the smtpd_discard_ehlo_keyword_address_maps feature to dis‐
7853              card EHLO keywords selectively.
7854

smtpd_end_of_data_restrictions (default: empty)

7856       Optional access restrictions that the Postfix SMTP  server  applies  in
7857       the  context of the SMTP END-OF-DATA command.  See SMTPD_ACCESS_README,
7858       section "Delayed evaluation of SMTP access  restriction  lists"  for  a
7859       discussion of evaluation context and time.
7860
7861       This feature is available in Postfix 2.2 and later.
7862
7863       See smtpd_data_restrictions for details and limitations.
7864

smtpd_enforce_tls (default: no)

7866       Mandatory  TLS:  announce  STARTTLS support to remote SMTP clients, and
7867       require that clients use TLS encryption.  According to  RFC  2487  this
7868       MUST NOT be applied in case of a publicly-referenced SMTP server.  This
7869       option is therefore off by default.
7870
7871       Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
7872
7873       Note 2: when invoked via  "sendmail  -bs",  Postfix  will  never  offer
7874       STARTTLS  due  to  insufficient privileges to access the server private
7875       key. This is intended behavior.
7876
7877       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
7878       and later use smtpd_tls_security_level instead.
7879

smtpd_error_sleep_time (default: 1s)

7881       With  Postfix  version  2.1  and  later: the SMTP server response delay
7882       after a client has made more than $smtpd_soft_error_limit  errors,  and
7883       fewer than $smtpd_hard_error_limit errors, without delivering mail.
7884
7885       With  Postfix  version  2.0  and  earlier: the SMTP server delay before
7886       sending a reject (4xx or 5xx) response, when the client has made  fewer
7887       than $smtpd_soft_error_limit errors without delivering mail.
7888

smtpd_etrn_restrictions (default: empty)

7890       Optional  restrictions that the Postfix SMTP server applies in the con‐
7891       text of  a  client  ETRN  command.   See  SMTPD_ACCESS_README,  section
7892       "Delayed  evaluation of SMTP access restriction lists" for a discussion
7893       of evaluation context and time.
7894
7895       The Postfix ETRN implementation accepts only destinations that are eli‐
7896       gible  for  the  Postfix "fast flush" service. See the ETRN_README file
7897       for details.
7898
7899       Specify a list of restrictions, separated by commas and/or  whitespace.
7900       Continue  long  lines  by  starting  the  next  line  with  whitespace.
7901       Restrictions are applied in the order as specified; the first  restric‐
7902       tion that matches wins.
7903
7904       The  following restrictions are specific to the domain name information
7905       received with the ETRN command.
7906
7907       check_etrn_access type:table
7908              Search the specified access database for the ETRN domain name or
7909              its parent domains. See the access(5) manual page for details.
7910
7911       Other restrictions that are valid in this context:
7912
7913       ·      Generic  restrictions  that can be used in any SMTP command con‐
7914              text, described under smtpd_client_restrictions.
7915
7916       ·      SMTP   command    specific    restrictions    described    under
7917              smtpd_client_restrictions and smtpd_helo_restrictions.
7918
7919       Example:
7920
7921       smtpd_etrn_restrictions = permit_mynetworks, reject
7922

smtpd_expansion_filter (default: see postconf -d output)

7924       What characters are allowed in $name expansions of RBL reply templates.
7925       Characters not in the allowed set are replaced  by  "_".   Use  C  like
7926       escapes to specify special characters such as whitespace.
7927
7928       This parameter is not subjected to $parameter expansion.
7929
7930       This feature is available in Postfix 2.0 and later.
7931

smtpd_forbidden_commands (default: CONNECT, GET, POST)

7933       List of commands that cause the Postfix SMTP server to immediately ter‐
7934       minate the session with a 221 code. This  can  be  used  to  disconnect
7935       clients  that obviously attempt to abuse the system. In addition to the
7936       commands listed in this parameter, commands that  follow  the  "Label:"
7937       format of message headers will also cause a disconnect.
7938
7939       This feature is available in Postfix 2.2 and later.
7940

smtpd_hard_error_limit (default: normal: 20, overload: 1)

7942       The  maximal  number  of errors a remote SMTP client is allowed to make
7943       without delivering mail. The Postfix SMTP server disconnects  when  the
7944       limit  is  exceeded.  Normally  the default limit is 20, but it changes
7945       under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
7946       always allows up to 20 errors by default.
7947

smtpd_helo_required (default: no)

7949       Require  that  a  remote SMTP client introduces itself with the HELO or
7950       EHLO command before sending the MAIL command  or  other  commands  that
7951       require EHLO negotiation.
7952
7953       Example:
7954
7955       smtpd_helo_required = yes
7956

smtpd_helo_restrictions (default: empty)

7958       Optional  restrictions that the Postfix SMTP server applies in the con‐
7959       text of  a  client  HELO  command.   See  SMTPD_ACCESS_README,  section
7960       "Delayed  evaluation of SMTP access restriction lists" for a discussion
7961       of evaluation context and time.
7962
7963       The default is to permit everything.
7964
7965       Note:  specify  "smtpd_helo_required  =  yes"  to  fully  enforce  this
7966       restriction  (without  "smtpd_helo_required = yes", a client can simply
7967       skip smtpd_helo_restrictions by not sending HELO or EHLO).
7968
7969       Specify a list of restrictions, separated by commas and/or  whitespace.
7970       Continue  long  lines  by  starting  the  next  line  with  whitespace.
7971       Restrictions are applied in the order as specified; the first  restric‐
7972       tion that matches wins.
7973
7974       The  following  restrictions  are  specific to the hostname information
7975       received with the HELO or EHLO command.
7976
7977       check_helo_access type:table
7978              Search the specified access(5) database for  the  HELO  or  EHLO
7979              hostname  or  parent  domains,  and  execute  the  corresponding
7980              action.  Note: specify  "smtpd_helo_required  =  yes"  to  fully
7981              enforce this restriction (without "smtpd_helo_required = yes", a
7982              client can simply skip check_helo_access by not sending HELO  or
7983              EHLO).
7984
7985       check_helo_mx_access type:table
7986              Search the specified access(5) database for the MX hosts for the
7987              HELO or EHLO hostname, and  execute  the  corresponding  action.
7988              Note  1:  a  result  of  "OK" is not allowed for safety reasons.
7989              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
7990              blacklists.   Note  2:  specify  "smtpd_helo_required  = yes" to
7991              fully enforce this restriction (without  "smtpd_helo_required  =
7992              yes", a client can simply skip check_helo_mx_access by not send‐
7993              ing HELO or EHLO).  This feature is available in Postfix 2.1 and
7994              later.
7995
7996       check_helo_ns_access type:table
7997              Search  the specified access(5) database for the DNS servers for
7998              the HELO or EHLO hostname, and execute the corresponding action.
7999              Note  1:  a  result  of  "OK" is not allowed for safety reasons.
8000              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
8001              blacklists.   Note  2:  specify  "smtpd_helo_required  = yes" to
8002              fully enforce this restriction (without  "smtpd_helo_required  =
8003              yes", a client can simply skip check_helo_ns_access by not send‐
8004              ing HELO or EHLO). This feature is available in Postfix 2.1  and
8005              later.
8006
8007       reject_invalid_helo_hostname  (with Postfix < 2.3: reject_invalid_host‐
8008       name)
8009              Reject the request when the HELO or EHLO hostname is  malformed.
8010              Note:  specify "smtpd_helo_required = yes" to fully enforce this
8011              restriction (without "smtpd_helo_required = yes", a  client  can
8012              simply  skip reject_invalid_helo_hostname by not sending HELO or
8013              EHLO).
8014              The invalid_hostname_reject_code  parameter  specifies  the  response
8015              code for rejected requests (default: 501).
8016
8017       reject_non_fqdn_helo_hostname       (with      Postfix      <      2.3:
8018       reject_non_fqdn_hostname)
8019              Reject the request when the HELO or  EHLO  hostname  is  not  in
8020              fully-qualified domain form, as required by the RFC. Note: spec‐
8021              ify "smtpd_helo_required = yes" to fully enforce  this  restric‐
8022              tion  (without  "smtpd_helo_required = yes", a client can simply
8023              skip reject_non_fqdn_helo_hostname by not sending HELO or EHLO).
8024              The non_fqdn_reject_code parameter specifies the  response  code
8025              for rejected requests (default: 504).
8026
8027       reject_rhsbl_helo rbl_domain=d.d.d.d
8028              Reject  the  request  when  the  HELO  or  EHLO  hostname  is
8029              listed with the A record  "d.d.d.d"  under  rbl_domain  (Postfix
8030              version 2.1 and later only).  Each "d" is a number, or a pattern
8031              inside "[]" that contains one or more ";"-separated  numbers  or
8032              number..number  ranges  (Postfix  version 2.8 and later).  If no
8033              "=d.d.d.d" is specified, reject the request  when  the  HELO  or
8034              EHLO  hostname is listed with any A record under rbl_domain. See
8035              the reject_rbl_client description  for  additional  RBL  related
8036              configuration  parameters.  Note: specify "smtpd_helo_required =
8037              yes"   to    fully    enforce    this    restriction    (without
8038              "smtpd_helo_required   =   yes",   a   client  can  simply  skip
8039              reject_rhsbl_helo by not sending HELO or EHLO). This feature  is
8040              available in Postfix 2.0 and later.
8041
8042       reject_unknown_helo_hostname  (with Postfix < 2.3: reject_unknown_host‐
8043       name)
8044              Reject the request when the HELO or EHLO hostname has no  DNS  A
8045              or MX record.
8046              The unknown_hostname_reject_code parameter specifies the numeri‐
8047              cal response code for rejected requests (default: 450).
8048              The  unknown_helo_hostname_tempfail_action  parameter  specifies
8049              the  action  after a temporary DNS error (default: defer_if_per‐
8050              mit). Note: specify "smtpd_helo_required = yes" to fully enforce
8051              this  restriction (without "smtpd_helo_required = yes", a client
8052              can simply skip reject_unknown_helo_hostname by not sending HELO
8053              or EHLO).
8054
8055       Other restrictions that are valid in this context:
8056
8057       ·      Generic  restrictions  that can be used in any SMTP command con‐
8058              text, described under smtpd_client_restrictions.
8059
8060       ·      Client  hostname  or  network  address   specific   restrictions
8061              described under smtpd_client_restrictions.
8062
8063       ·      SMTP    command    specific    restrictions    described   under
8064              smtpd_sender_restrictions or smtpd_recipient_restrictions.  When
8065              sender    or    recipient    restrictions   are   listed   under
8066              smtpd_helo_restrictions,   they   have    effect    only    with
8067              "smtpd_delay_reject  = yes", so that $smtpd_helo_restrictions is
8068              evaluated at the time of the RCPT TO command.
8069
8070       Examples:
8071
8072       smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
8073       smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
8074

smtpd_history_flush_threshold (default: 100)

8076       The maximal number of lines in the Postfix SMTP server command  history
8077       before it is flushed upon receipt of EHLO, RSET, or end of DATA.
8078

smtpd_junk_command_limit (default: normal: 100, overload: 1)

8080       The  number  of  junk commands (NOOP, VRFY, ETRN or RSET) that a remote
8081       SMTP client can send before the Postfix SMTP server starts to increment
8082       the  error  counter  with each junk command.  The junk command count is
8083       reset after mail is delivered.  See also the smtpd_error_sleep_time and
8084       smtpd_soft_error_limit  configuration parameters.  Normally the default
8085       limit is 100, but it changes under overload to just 1. With Postfix 2.5
8086       and  earlier,  the SMTP server always allows up to 100 junk commands by
8087       default.
8088

smtpd_log_access_permit_actions (default: empty)

8090       Enable logging of the named "permit"  actions  in  SMTP  server  access
8091       lists  (by default, the SMTP server logs "reject" actions but not "per‐
8092       mit" actions).  This feature does not affect conditional  actions  such
8093       as "defer_if_permit".
8094
8095       Specify  a  list of "permit" action names, "/file/name" or "type:table"
8096       patterns, separated by commas and/or whitespace. The  list  is  matched
8097       left  to right, and the search stops on the first match. A "/file/name"
8098       pattern is replaced by its contents; a  "type:table"  lookup  table  is
8099       matched  when  a  name  matches  a  lookup  key  (the  lookup result is
8100       ignored).  Continue long lines by starting the next  line  with  white‐
8101       space. Specify "!pattern" to exclude a name from the list.
8102
8103       Examples:
8104
8105       /etc/postfix/main.cf:
8106           # Log all "permit" actions.
8107           smtpd_log_access_permit_actions = static:all
8108
8109       /etc/postfix/main.cf:
8110           # Log "permit_dnswl_client" only.
8111           smtpd_log_access_permit_actions = permit_dnswl_client
8112
8113       This feature is available in Postfix 2.10 and later.
8114

smtpd_milters (default: empty)

8116       A  list  of Milter (mail filter) applications for new mail that arrives
8117       via the Postfix smtpd(8) server. Specify space or comma  as  separator.
8118       See the MILTER_README document for details.
8119
8120       This feature is available in Postfix 2.3 and later.
8121

smtpd_noop_commands (default: empty)

8123       List of commands that the Postfix SMTP server replies to with "250 Ok",
8124       without doing any syntax checks and without changing state.  This  list
8125       overrides any commands built into the Postfix SMTP server.
8126

smtpd_null_access_lookup_key (default: <>)

8128       The  lookup key to be used in SMTP access(5) tables instead of the null
8129       sender address.
8130

smtpd_peername_lookup (default: yes)

8132       Attempt to look up the remote SMTP client hostname, and verify that the
8133       name  matches  the client IP address. A client name is set to "unknown"
8134       when it cannot be looked up or verified, or when name  lookup  is  dis‐
8135       abled.   Turning  off  name lookup reduces delays due to DNS lookup and
8136       increases the maximal inbound delivery rate.
8137
8138       This feature is available in Postfix 2.3 and later.
8139

smtpd_per_record_deadline (default: normal: no, overload: yes)

8141       Change the behavior of the smtpd_timeout time limit, from a time  limit
8142       per  read  or  write  system call, to a time limit to send or receive a
8143       complete record (an SMTP command line, SMTP response line, SMTP message
8144       content  line,  or  TLS protocol message).  This limits the impact from
8145       hostile peers that trickle data one byte at a time.
8146
8147       Note: when per-record deadlines are enabled, a short timeout may  cause
8148       problems  with TLS over very slow network connections.  The reasons are
8149       that a TLS protocol message can be up to 16 kbytes long  (with  TLSv1),
8150       and that an entire TLS protocol message must be sent or received within
8151       the per-record deadline.
8152
8153       This feature is available in Postfix 2.9 and later. With older  Postfix
8154       releases, the behavior is as if this parameter is set to "no".
8155

smtpd_policy_service_max_idle (default: 300s)

8157       The time after which an idle SMTPD policy service connection is closed.
8158
8159       This feature is available in Postfix 2.1 and later.
8160

smtpd_policy_service_max_ttl (default: 1000s)

8162       The  time  after  which  an  active  SMTPD policy service connection is
8163       closed.
8164
8165       This feature is available in Postfix 2.1 and later.
8166

smtpd_policy_service_timeout (default: 100s)

8168       The time limit for connecting to, writing to or receiving from a  dele‐
8169       gated SMTPD policy server.
8170
8171       This feature is available in Postfix 2.1 and later.
8172

smtpd_proxy_ehlo (default: $myhostname)

8174       How  the  Postfix SMTP server announces itself to the proxy filter.  By
8175       default, the Postfix hostname is used.
8176
8177       This feature is available in Postfix 2.1 and later.
8178

smtpd_proxy_filter (default: empty)

8180       The hostname and TCP port of the  mail  filtering  proxy  server.   The
8181       proxy  receives  all mail from the Postfix SMTP server, and is supposed
8182       to give the result to another Postfix SMTP server process.
8183
8184       Specify  "host:port"  or  "inet:host:port"  for  a  TCP  endpoint,   or
8185       "unix:pathname"  for  a UNIX-domain endpoint. The host can be specified
8186       as an IP address or as a symbolic name; no MX lookups are  done.   When
8187       no  "host"  or  "host:"   are  specified, the local machine is assumed.
8188       Pathname interpretation is relative to the Postfix queue directory.
8189
8190       This feature is available in Postfix 2.1 and later.
8191
8192       The "inet:" and "unix:" prefixes  are  available  in  Postfix  2.3  and
8193       later.
8194

smtpd_proxy_options (default: empty)

8196       List  of  options that control how the Postfix SMTP server communicates
8197       with a before-queue content filter. Specify zero or more of the follow‐
8198       ing, separated by comma or whitespace.
8199
8200       speed_adjust
8201              Do  not connect to a before-queue content filter until an entire
8202              message has been received. This reduces the number of simultane‐
8203              ous before-queue content filter processes.
8204
8205       NOTE  1:  A  filter  must not selectively reject recipients of a multi-
8206       recipient message.  Rejecting all recipients is OK, as is accepting all
8207       recipients.
8208
8209       NOTE  2:  This feature increases the minimum amount of free queue space
8210       by $message_size_limit. The extra space is needed to save  the  message
8211       to a temporary file.
8212
8213       This feature is available in Postfix 2.7 and later.
8214

smtpd_proxy_timeout (default: 100s)

8216       The  time  limit  for  connecting  to a proxy filter and for sending or
8217       receiving information.  When a  connection  fails  the  client  gets  a
8218       generic  error message while more detailed information is logged to the
8219       maillog file.
8220
8221       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
8222       The default time unit is s (seconds).
8223
8224       This feature is available in Postfix 2.1 and later.
8225

smtpd_recipient_limit (default: 1000)

8227       The  maximal  number of recipients that the Postfix SMTP server accepts
8228       per message delivery request.
8229

smtpd_recipient_overshoot_limit (default: 1000)

8231       The number of recipients that a remote SMTP client can send  in  excess
8232       of  the limit specified with $smtpd_recipient_limit, before the Postfix
8233       SMTP server increments the per-session  error  count  for  each  excess
8234       recipient.
8235

smtpd_recipient_restrictions (default: see postconf -d output)

8237       Optional  restrictions that the Postfix SMTP server applies in the con‐
8238       text of a client RCPT TO command, after smtpd_relay_restrictions.   See
8239       SMTPD_ACCESS_README,   section   "Delayed  evaluation  of  SMTP  access
8240       restriction lists" for a discussion of evaluation context and time.
8241
8242       With Postfix versions before 2.10, the rules for relay  permission  and
8243       spam blocking were combined under smtpd_recipient_restrictions, result‐
8244       ing in error-prone configuration.  As of Postfix 2.10, relay permission
8245       rules are preferably implemented with smtpd_relay_restrictions, so that
8246       a permissive spam blocking  policy  under  smtpd_recipient_restrictions
8247       will no longer result in a permissive mail relay policy.
8248
8249       For  backwards  compatibility, sites that migrate from Postfix versions
8250       before 2.10 can set smtpd_relay_restrictions to the  empty  value,  and
8251       use smtpd_recipient_restrictions exactly as before.
8252
8253       IMPORTANT:  Either  the  smtpd_relay_restrictions  or the smtpd_recipi‐
8254       ent_restrictions parameter must specify at least one of  the  following
8255       restrictions. Otherwise Postfix will refuse to receive mail:
8256
8257           reject, reject_unauth_destination
8258
8259           defer, defer_if_permit, defer_unauth_destination
8260
8261       Specify  a list of restrictions, separated by commas and/or whitespace.
8262       Continue  long  lines  by  starting  the  next  line  with  whitespace.
8263       Restrictions  are applied in the order as specified; the first restric‐
8264       tion that matches wins.
8265
8266       The following restrictions are specific to the recipient  address  that
8267       is received with the RCPT TO command.
8268
8269       check_recipient_access type:table
8270              Search the specified access(5) database for the resolved RCPT TO
8271              address, domain, parent domains, or localpart@, and execute  the
8272              corresponding action.
8273
8274       check_recipient_mx_access type:table
8275              Search the specified access(5) database for the MX hosts for the
8276              RCPT TO domain, and execute the corresponding action.   Note:  a
8277              result  of  "OK" is not allowed for safety reasons. Instead, use
8278              DUNNO in order to exclude specific hosts from blacklists.   This
8279              feature is available in Postfix 2.1 and later.
8280
8281       check_recipient_ns_access type:table
8282              Search  the specified access(5) database for the DNS servers for
8283              the RCPT TO domain, and execute the corresponding action.  Note:
8284              a result of "OK" is not allowed for safety reasons. Instead, use
8285              DUNNO in order to exclude specific hosts from blacklists.   This
8286              feature is available in Postfix 2.1 and later.
8287
       permit_auth_destination
              Permit the request when one of the following is true:

              ·      Postfix is mail forwarder: the resolved RCPT TO domain
                     matches $relay_domains or a subdomain thereof, and the
                     address contains no sender-specified routing
                     (user@elsewhere@domain),

              ·      Postfix is the final destination: the resolved RCPT TO
                     domain matches $mydestination, $inet_interfaces,
                     $proxy_interfaces, $virtual_alias_domains, or
                     $virtual_mailbox_domains, and the address contains no
                     sender-specified routing (user@elsewhere@domain).
8300
       permit_mx_backup
              Permit the request when the local mail system is backup MX for
              the RCPT TO domain, or when the domain is an authorized
              destination (see permit_auth_destination for definition).

              ·      Safety: permit_mx_backup does not accept addresses that
                     have sender-specified routing information (example:
                     user@elsewhere@domain).

              ·      Safety: permit_mx_backup can be vulnerable to mis-use
                     when access is not restricted with
                     permit_mx_backup_networks.

              ·      Safety: as of Postfix version 2.3, permit_mx_backup no
                     longer accepts the address when the local mail system is
                     primary MX for the recipient domain.  Exception:
                     permit_mx_backup accepts the address when it specifies an
                     authorized destination (see permit_auth_destination for
                     definition).

              ·      Limitation: mail may be rejected in case of a temporary
                     DNS lookup problem with Postfix prior to version 2.0.
8321
8322       reject_non_fqdn_recipient
8323              Reject  the  request  when  the RCPT TO address is not in fully-
8324              qualified domain form, as required by the RFC.
8325              The non_fqdn_reject_code parameter specifies the  response  code
8326              for rejected requests (default: 504).
8327
8328       reject_rhsbl_recipient rbl_domain=d.d.d.d
8329              Reject  the request when the RCPT TO domain is listed with the A
8330              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
8331              only).  Each "d" is a number, or a pattern inside "[]" that con‐
8332              tains one or more ";"-separated numbers or number..number ranges
8333              (Postfix  version 2.8 and later). If no "=d.d.d.d" is specified,
8334              reject the request when the RCPT TO domain is listed with any  A
8335              record under rbl_domain.
8336              The  maps_rbl_reject_code  parameter specifies the response code
8337              for rejected  requests  (default:  554);  the  default_rbl_reply
8338              parameter   specifies   the   default   server  reply;  and  the
8339              rbl_reply_maps parameter specifies tables  with  server  replies
8340              indexed  by  rbl_domain.   This  feature is available in Postfix
8341              version 2.0 and later.
8342
       reject_unauth_destination
              Reject the request unless one of the following is true:

              ·      Postfix is mail forwarder: the resolved RCPT TO domain
                     matches $relay_domains or a subdomain thereof, and
                     contains no sender-specified routing
                     (user@elsewhere@domain),

              ·      Postfix is the final destination: the resolved RCPT TO
                     domain matches $mydestination, $inet_interfaces,
                     $proxy_interfaces, $virtual_alias_domains, or
                     $virtual_mailbox_domains, and contains no
                     sender-specified routing (user@elsewhere@domain).

              The relay_domains_reject_code parameter specifies the response
              code for rejected requests (default: 554).
8356
8357       defer_unauth_destination
8358              Reject the same requests as  reject_unauth_destination,  with  a
8359              non-permanent  error code.  This feature is available in Postfix
8360              2.10 and later.
8361
8362       reject_unknown_recipient_domain
8363              Reject the request when Postfix is not final destination for the
8364              recipient  domain,  and the RCPT TO domain has 1) no DNS A or MX
8365              record or 2) a malformed MX record such as a record with a zero-
8366              length MX hostname (Postfix version 2.3 and later).
8367              The  unknown_address_reject_code parameter specifies the numeri‐
8368              cal response code for rejected  requests  (default:  450).   The
8369              response is always 450 in case of a temporary DNS error.
8370              The   unknown_address_tempfail_action  parameter  specifies  the
8371              action after a temporary DNS error (default: defer_if_permit).
8372
       reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
8375              Reject the request when the RCPT TO address is not listed in the
8376              list  of  valid  recipients  for  its  domain  class.  See   the
8377              smtpd_reject_unlisted_recipient    parameter   description   for
8378              details.  This feature is available in Postfix 2.1 and later.
8379
       reject_unverified_recipient
              Reject the request when mail to the RCPT TO address is known to
              bounce, or when the recipient address destination is not
              reachable.  Address verification information is managed by the
              verify(8) server; see the ADDRESS_VERIFICATION_README file for
              details.
              The unverified_recipient_reject_code parameter specifies the
              numerical response code when an address is known to bounce
              (default: 450, change into 550 when you are confident that it is
              safe to do so).
              The unverified_recipient_defer_code parameter specifies the
              numerical response code when an address probe failed due to a
              temporary problem (default: 450).
              The unverified_recipient_tempfail_action parameter specifies the
              action after address probe failure due to a temporary problem
              (default: defer_if_permit).
              This feature is available in Postfix 2.1 and later.
8397
8398       Other restrictions that are valid in this context:
8399
8400       ·      Generic  restrictions  that can be used in any SMTP command con‐
8401              text, described under smtpd_client_restrictions.
8402
8403       ·      SMTP   command    specific    restrictions    described    under
8404              smtpd_client_restrictions,      smtpd_helo_restrictions      and
8405              smtpd_sender_restrictions.
8406
8407       Example:
8408
           # The Postfix before 2.10 default mail relay policy. Later Postfix
           # versions implement this preferably with smtpd_relay_restrictions.
           smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
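
       The "rbl_domain=d.d.d.d" reply filter described under
       reject_rhsbl_recipient (the same syntax is documented for
       reject_rhsbl_sender), as an added Python example that is not Postfix
       code. The function names, the rhsbl.example.net domain and the sample
       A records are constructed for illustration.

```python
import re

# One "d" field: a plain number, or a "[...]" pattern.
_FIELD = r"(\d+|\[[^\]]+\])"
_FILTER = re.compile(r"\.".join([_FIELD] * 4))


def parse_restriction_arg(arg):
    """Split "rbl_domain=d.d.d.d" into (rbl_domain, filter or None)."""
    domain, sep, reply_filter = arg.partition("=")
    if sep and not _FILTER.fullmatch(reply_filter):
        raise ValueError("malformed reply filter: %r" % reply_filter)
    return domain, (reply_filter if sep else None)


def _field_matches(field, octet):
    """Match one octet against a number or a "[n;n..m]" pattern."""
    if not field.startswith("["):
        return int(field) == octet
    for item in field[1:-1].split(";"):
        low, sep, high = item.partition("..")
        if sep:
            if int(low) <= octet <= int(high):
                return True
        elif int(low) == octet:
            return True
    return False


def reply_matches(reply_filter, a_record):
    """True when one A record satisfies the d.d.d.d filter."""
    fields = _FILTER.fullmatch(reply_filter).groups()
    octets = [int(part) for part in a_record.split(".")]
    return len(octets) == 4 and all(
        _field_matches(f, o) for f, o in zip(fields, octets))


def is_listed(arg, a_records):
    """Decide whether a DNS answer counts as a listing for this argument."""
    _, reply_filter = parse_restriction_arg(arg)
    if reply_filter is None:
        return bool(a_records)      # no "=d.d.d.d": any A record is a listing
    return any(reply_matches(reply_filter, rec) for rec in a_records)


if __name__ == "__main__":
    # Constructed sample: the filter accepts 127.0.0.2 and 127.0.0.4-11 only.
    arg = "rhsbl.example.net=127.0.0.[2;4..11]"
    for answer in (["127.0.0.5"], ["127.0.0.3"], []):
        print(arg, answer, "->", is_listed(arg, answer))
    # Without a filter, the unexpected 127.0.0.3 answer also rejects mail.
    print(is_listed("rhsbl.example.net", ["127.0.0.3"]))
```

       With an explicit filter, an A record outside the expected values does
       not cause a rejection; without one, every answer does.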

smtpd_reject_footer (default: empty)

       Optional information that is appended after each Postfix SMTP server
       4XX or 5XX response.
8416
8417       The following example uses "\c" at the start of the template (supported
8418       in Postfix 2.10 and later) to suppress the line break between the reply
8419       text  and  the  footer  text. With earlier Postfix versions, the footer
8420       text always begins on a new line, and the "\c" is output literally.
8421
       /etc/postfix/main.cf:
           smtpd_reject_footer = \c. For assistance, call 800-555-0101.
            Please provide the following information in your problem report:
            time ($localtime), client ($client_address) and server
            ($server_name).

       Server response:

           550-5.5.1 <user@example> Recipient address rejected: User
           unknown. For assistance, call 800-555-0101. Please provide the
           following information in your problem report: time (Jan 4 15:42:00),
           client (192.168.1.248) and server (mail1.example.com).
8434
8435       Note: the above text is meant to make it easier  to  find  the  Postfix
8436       logfile  records  for  a  failed  SMTP  session. The text itself is not
8437       logged to the Postfix SMTP server's maillog file.
8438
8439       Be sure to keep the text as short as possible. Long text may  be  trun‐
8440       cated  before it is logged to the remote SMTP client's maillog file, or
8441       before it is returned to the sender in a delivery status notification.
8442
8443       This feature supports a limited  number  of  $name  attributes  in  the
8444       footer  text.  These  are  replaced by their current value for the SMTP
8445       session:
8446
8447       client_address
8448              The Client IP address that is logged in the maillog file.
8449
8450       client_port
8451              The client TCP port that is logged in the maillog file.
8452
8453       localtime
8454              The server local time (Mmm dd hh:mm:ss) that is  logged  in  the
8455              maillog file.
8456
8457       server_name
8458              The server's myhostname value.  This attribute is made available
8459              for sites with multiple MTAs (perhaps behind  a  load-balancer),
8460              where  the  server  name  can  help  the  server support team to
8461              quickly find the right log files.
8462
8463       Notes:
8464
8465       ·      NOT SUPPORTED are other attributes such as sender, recipient, or
8466              main.cf parameters.
8467
8468       ·      For  safety  reasons,  text  that  does  not match $smtpd_expan‐
8469              sion_filter is censored.
8470
8471       This feature supports the two-character sequence \n as a request for  a
8472       line break in the footer text. Postfix automatically inserts after each
8473       line break the three-digit SMTP reply code (and optional enhanced  sta‐
8474       tus code) from the original Postfix reject message.
8475
8476       To work around mail software that mis-handles multi-line replies, spec‐
8477       ify the two-character sequence \c at the start of the  template.   This
8478       suppresses  the  line  break between the reply text and the footer text
8479       (Postfix 2.10 and later).
8480
8481       This feature is available in Postfix 2.8 and later.
8482

smtpd_reject_unlisted_recipient (default: yes)

8484       Request that the Postfix SMTP server rejects mail for unknown recipient
8485       addresses,  even  when  no  explicit  reject_unlisted_recipient  access
8486       restriction is specified. This prevents the Postfix queue from  filling
8487       up with undeliverable MAILER-DAEMON messages.
8488
       An address is always considered "known" when it matches a virtual(5)
       alias or a canonical(5) mapping.  Otherwise, the recipient address is
       unknown when one of the following is true:

8492       ·      The recipient domain matches $mydestination, $inet_interfaces or
8493              $proxy_interfaces,   but   the   recipient   is  not  listed  in
8494              $local_recipient_maps, and $local_recipient_maps is not null.
8495
8496       ·      The recipient  domain  matches  $virtual_alias_domains  but  the
8497              recipient is not listed in $virtual_alias_maps.
8498
8499       ·      The  recipient  domain  matches $virtual_mailbox_domains but the
8500              recipient is not  listed  in  $virtual_mailbox_maps,  and  $vir‐
8501              tual_mailbox_maps is not null.
8502
8503       ·      The recipient domain matches $relay_domains but the recipient is
8504              not listed in $relay_recipient_maps,  and  $relay_recipient_maps
8505              is not null.
8506
8507       This feature is available in Postfix 2.1 and later.
8508

smtpd_reject_unlisted_sender (default: no)

8510       Request  that  the Postfix SMTP server rejects mail from unknown sender
8511       addresses, even when no explicit reject_unlisted_sender access restric‐
8512       tion  is specified. This can slow down an explosion of forged mail from
8513       worms or viruses.
8514
       An address is always considered "known" when it matches a virtual(5)
       alias or a canonical(5) mapping.  Otherwise, the sender address is
       unknown when one of the following is true:

8518       ·      The  sender  domain  matches $mydestination, $inet_interfaces or
8519              $proxy_interfaces, but the sender is not listed in $local_recip‐
8520              ient_maps, and $local_recipient_maps is not null.
8521
8522       ·      The  sender domain matches $virtual_alias_domains but the sender
8523              is not listed in $virtual_alias_maps.
8524
8525       ·      The  sender  domain  matches  $virtual_mailbox_domains  but  the
8526              sender   is  not  listed  in  $virtual_mailbox_maps,  and  $vir‐
8527              tual_mailbox_maps is not null.
8528
8529       ·      The sender domain matches $relay_domains but the sender  is  not
8530              listed  in  $relay_recipient_maps,  and $relay_recipient_maps is
8531              not null.
8532
8533       This feature is available in Postfix 2.1 and later.
8534

smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)

8537       Access restrictions for mail relay control that the Postfix SMTP server
8538       applies in the context of the RCPT  TO  command,  before  smtpd_recipi‐
8539       ent_restrictions.  See SMTPD_ACCESS_README, section "Delayed evaluation
8540       of SMTP access restriction lists" for a discussion of  evaluation  con‐
8541       text and time.
8542
8543       With  Postfix  versions before 2.10, the rules for relay permission and
8544       spam blocking were combined under smtpd_recipient_restrictions, result‐
8545       ing in error-prone configuration.  As of Postfix 2.10, relay permission
8546       rules are preferably implemented with smtpd_relay_restrictions, so that
8547       a  permissive  spam  blocking policy under smtpd_recipient_restrictions
8548       will no longer result in a permissive mail relay policy.
8549
8550       For backwards compatibility, sites that migrate from  Postfix  versions
8551       before  2.10  can  set smtpd_relay_restrictions to the empty value, and
8552       use smtpd_recipient_restrictions exactly as before.
8553
8554       By default, the Postfix SMTP server accepts:
8555
8556       ·      Mail from clients whose IP address matches $mynetworks, or:
8557
8558       ·      Mail to remote destinations that  match  $relay_domains,  except
8559              for  addresses that contain sender-specified routing (user@else‐
8560              where@domain), or:
8561
8562       ·      Mail  to  local  destinations  that  match  $inet_interfaces  or
8563              $proxy_interfaces,  $mydestination,  $virtual_alias_domains,  or
8564              $virtual_mailbox_domains.
8565
8566       IMPORTANT: Either the  smtpd_relay_restrictions  or  the  smtpd_recipi‐
8567       ent_restrictions  parameter  must specify at least one of the following
8568       restrictions. Otherwise Postfix will refuse to receive mail:
8569
8570           reject, reject_unauth_destination
8571
8572           defer, defer_if_permit, defer_unauth_destination
8573
8574       Specify a list of restrictions, separated by commas and/or  whitespace.
8575       Continue  long  lines  by  starting the next line with whitespace.  The
8576       same restrictions  are  available  as  documented  under  smtpd_recipi‐
8577       ent_restrictions.
8578
       This feature is available in Postfix 2.10 and later.
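
       A check for the IMPORTANT rule above and for first-match-wins
       ordering across smtpd_relay_restrictions and
       smtpd_recipient_restrictions, as an added Python example that is not
       part of Postfix. Assumptions: smtpd_recipient_restrictions defaults to
       empty, only a bare "permit" and check_*_access tables are modelled as
       early permits, and the sample main.cf texts and table path are
       constructed.

```python
import re

# Restrictions of which at least one must appear in either list (per this page).
REQUIRED = {"reject", "reject_unauth_destination",
            "defer", "defer_if_permit", "defer_unauth_destination"}

# smtpd_relay_restrictions default as documented on this page (Postfix 2.10+).
# Assumption: smtpd_recipient_restrictions defaults to empty; the page only
# says "see postconf -d output".
DEFAULTS = {
    "smtpd_relay_restrictions":
        "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination",
    "smtpd_recipient_restrictions": "",
}
RANK = ["open", "table-dependent", "guarded"]


def parse_main_cf(text):
    """Return {parameter: value}; continuations joined, last definition wins."""
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                       # empty and comment lines are ignored
        if raw[0].isspace():
            if logical:
                logical[-1] += " " + stripped   # continues the logical line
        else:
            logical.append(stripped)
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def list_status(tokens):
    """Classify one restriction list under first-match-wins evaluation."""
    table_first = False
    for tok in tokens:
        if tok == "permit":
            return "open"                  # blanket permit before any guard
        if tok in REQUIRED:
            return "table-dependent" if table_first else "guarded"
        # check_*_access tables may return OK; the _mx_/_ns_ variants may not.
        if re.fullmatch(r"check_\w+_access", tok) and \
                not tok.endswith(("_mx_access", "_ns_access")):
            table_first = True
    return "open"                          # list ended without a guard


def audit_relay_policy(main_cf_text):
    params = {**DEFAULTS, **parse_main_cf(main_cf_text)}
    lists = {name: [t for t in re.split(r"[,\s]+", params[name]) if t]
             for name in DEFAULTS}
    status = {name: list_status(toks) for name, toks in lists.items()}
    return {
        "has_required": bool(REQUIRED & set().union(*lists.values())),
        "relay": status["smtpd_relay_restrictions"],
        "recipient": status["smtpd_recipient_restrictions"],
        # A request is refused as soon as either list refuses it.
        "overall": max(status.values(), key=RANK.index),
    }


# Constructed sample configurations.
LEGACY = """\
# pre-2.10 style: relay control lives in the recipient list
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""
SPLIT = """\
# relay list left at its default; recipient list is permissive
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/rcpt_access,
    permit
"""
TABLE_FIRST = """\
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    check_recipient_access hash:/etc/postfix/rcpt_access,
    reject_unauth_destination
"""
OPEN = """\
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
# a later definition replaces the earlier one
smtpd_recipient_restrictions = permit_mynetworks, permit
"""

if __name__ == "__main__":
    for name in ("LEGACY", "SPLIT", "TABLE_FIRST", "OPEN"):
        print(name, audit_relay_policy(globals()[name]))
```

       SPLIT shows the point made above: the permissive recipient list does
       not open the relay, because the default relay list still ends in
       defer_unauth_destination.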
8580

smtpd_restriction_classes (default: empty)

8582       User-defined aliases for groups of access restrictions. The aliases can
8583       be specified in smtpd_recipient_restrictions etc., and  on  the  right-
8584       hand side of a Postfix access(5) table.
8585
8586       One  major  application  is for implementing per-recipient UCE control.
8587       See the RESTRICTION_CLASS_README document for other examples.
8588

smtpd_sasl_application_name (default: smtpd)

8590       The application name that the Postfix SMTP server uses for SASL  server
8591       initialization.  This controls the name of the SASL configuration file.
8592       The default value is smtpd, corresponding to a SASL configuration  file
8593       named smtpd.conf.
8594
8595       This  feature  is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
8596       was renamed to smtpd_sasl_path.
8597

smtpd_sasl_auth_enable (default: no)

8599       Enable SASL authentication in the Postfix SMTP server. By default,  the
8600       Postfix SMTP server does not use authentication.
8601
8602       If a remote SMTP client is authenticated, the permit_sasl_authenticated
8603       access restriction can be used to permit relay access, like this:
8604
           # With Postfix 2.10 and later, the mail relay policy is
           # preferably specified under smtpd_relay_restrictions.
           smtpd_relay_restrictions =
               permit_mynetworks, permit_sasl_authenticated, ...

           # With Postfix before 2.10, the relay policy can be
           # specified only under smtpd_recipient_restrictions.
           smtpd_recipient_restrictions =
               permit_mynetworks, permit_sasl_authenticated, ...
8614
8615       To reject all SMTP connections from  unauthenticated  clients,  specify
8616       "smtpd_delay_reject = yes" (which is the default) and use:
8617
8618           smtpd_client_restrictions = permit_sasl_authenticated, reject
8619
8620       See the SASL_README file for SASL configuration and operation details.
8621

smtpd_sasl_authenticated_header (default: no)

8623       Report  the  SASL authenticated user name in the smtpd(8) Received mes‐
8624       sage header.
8625
8626       This feature is available in Postfix 2.3 and later.
8627

smtpd_sasl_exceptions_networks (default: empty)

8629       What remote SMTP clients the Postfix SMTP server will  not  offer  AUTH
8630       support to.
8631
8632       Some  clients  (Netscape  4  at  least)  have a bug that causes them to
8633       require a login and password whenever AUTH  is  offered,  whether  it's
8634       necessary  or  not.  To work around this, specify, for example, $mynet‐
8635       works to prevent Postfix from offering AUTH to local clients.
8636
       Specify a list of network/netmask patterns, separated by commas and/or
       whitespace. The mask specifies the number of bits in the network part
       of a host address. You can also specify "/file/name" or "type:table"
       patterns.  A "/file/name" pattern is replaced by its contents; a
       "type:table" lookup table is matched when a table entry matches a
       lookup string (the lookup result is ignored).  Continue long lines by
       starting the next line with whitespace. Specify "!pattern" to exclude
       an address or network block from the list.  The form "!/file/name" is
       supported only in Postfix version 2.4 and later.
8646
8647       Note: IP version 6 address information must be specified inside  []  in
8648       the  smtpd_sasl_exceptions_networks  value, and in files specified with
8649       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
8650       would otherwise be confused with a "type:table" pattern.
8651
8652       Example:
8653
           smtpd_sasl_exceptions_networks = $mynetworks
8655
8656       This feature is available in Postfix 2.1 and later.
8657

smtpd_sasl_local_domain (default: empty)

8659       The name of the Postfix SMTP server's local SASL authentication realm.
8660
8661       By default, the local authentication realm name is the null string.
8662
8663       Examples:
8664
           smtpd_sasl_local_domain = $mydomain
           smtpd_sasl_local_domain = $myhostname
8667

smtpd_sasl_path (default: smtpd)

8669       Implementation-specific information that the Postfix SMTP server passes
8670       through to the  SASL  plug-in  implementation  that  is  selected  with
8671       smtpd_sasl_type.   Typically this specifies the name of a configuration
8672       file or rendezvous point.
8673
8674       This feature is available in Postfix 2.3 and later. In earlier releases
8675       it was called smtpd_sasl_application_name.
8676

smtpd_sasl_security_options (default: noanonymous)

8678       Postfix  SMTP  server SASL security options; as of Postfix 2.3 the list
8679       of available features depends on the SASL server implementation that is
8680       selected with smtpd_sasl_type.
8681
8682       The  following  security features are defined for the cyrus server SASL
8683       implementation:
8684
8685       Restrict what authentication mechanisms the Postfix  SMTP  server  will
8686       offer  to  the client.  The list of available authentication mechanisms
8687       is system dependent.
8688
8689       Specify zero or more of the following:
8690
8691       noplaintext
8692              Disallow methods that use plaintext passwords.
8693
8694       noactive
8695              Disallow methods subject to active (non-dictionary) attack.
8696
8697       nodictionary
8698              Disallow methods subject to passive (dictionary) attack.
8699
8700       noanonymous
8701              Disallow methods that allow anonymous authentication.
8702
8703       forward_secrecy
8704              Only allow methods that support forward secrecy (Dovecot only).
8705
8706       mutual_auth
8707              Only allow  methods  that  provide  mutual  authentication  (not
8708              available with Cyrus SASL version 1).
8709
8710       By default, the Postfix SMTP server accepts plaintext passwords but not
8711       anonymous logins.
8712
8713       Warning: it appears that clients  try  authentication  methods  in  the
8714       order  as  advertised  by  the  server (e.g., PLAIN ANONYMOUS CRAM-MD5)
8715       which means that if you disable plaintext passwords, clients  will  log
8716       in  anonymously, even when they should be able to use CRAM-MD5.  So, if
8717       you disable plaintext logins, disable anonymous  logins  too.   Postfix
8718       treats anonymous login as no authentication.
8719
8720       Example:
8721
           smtpd_sasl_security_options = noanonymous, noplaintext
8723

smtpd_sasl_tls_security_options (default: $smtpd_sasl_security_options)

8725       The  SASL  authentication security options that the Postfix SMTP server
8726       uses for TLS encrypted SMTP sessions.
8727
8728       This feature is available in Postfix 2.2 and later.
8729

smtpd_sasl_type (default: cyrus)

8731       The SASL plug-in type that the  Postfix  SMTP  server  should  use  for
8732       authentication.  The  available types are listed with the "postconf -a"
8733       command.
8734
8735       This feature is available in Postfix 2.3 and later.
8736

smtpd_sender_login_maps (default: empty)

8738       Optional lookup table with the SASL login names that own  sender  (MAIL
8739       FROM) addresses.
8740
8741       Specify  zero  or  more  "type:table"  lookup tables. With lookups from
8742       indexed files such as DB or DBM, or from networked tables such as  NIS,
8743       LDAP  or  SQL,  the  following search operations are done with a sender
8744       address of user@domain:
8745
8746       1) user@domain
8747              This table lookup is always done and has the highest precedence.
8748
8749       2) user
8750              This table lookup is done only  when  the  domain  part  of  the
8751              sender  address  matches $myorigin, $mydestination, $inet_inter‐
8752              faces or $proxy_interfaces.
8753
8754       3) @domain
8755              This table lookup is done last and has the lowest precedence.
8756
8757       In all cases the result of table lookup must be either "not found" or a
8758       list of SASL login names separated by comma and/or whitespace.
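
       The three-step lookup order above, combined with the ownership test
       that reject_sender_login_mismatch and
       reject_authenticated_sender_login_mismatch (documented under
       smtpd_sender_restrictions) apply to its result, as an added Python
       example that is not Postfix code. Assumptions: the table is a plain
       dict, lookup keys are folded to lower case, local_domains stands in
       for the domains matched by $myorigin, $mydestination,
       $inet_interfaces and $proxy_interfaces, and all addresses and login
       names are constructed.

```python
import re


def lookup_owners(login_map, sender, local_domains):
    """Return the SASL logins that own `sender`, or None for "not found"."""
    user, at, domain = sender.lower().rpartition("@")
    if not at or not user or not domain:
        raise ValueError("expected an address of the form user@domain")
    keys = [user + "@" + domain]          # 1) always done, highest precedence
    if domain in local_domains:
        keys.append(user)                 # 2) only when the domain is local
    keys.append("@" + domain)             # 3) done last, lowest precedence
    for key in keys:
        if key in login_map:
            # The result is a list separated by comma and/or whitespace.
            return [n for n in re.split(r"[,\s]+", login_map[key]) if n]
    return None


def sender_login_mismatch(login_map, sender, sasl_login, local_domains):
    """True when reject_sender_login_mismatch would reject this MAIL FROM.

    sasl_login is None for a client that is not (SASL) logged in.
    """
    owners = lookup_owners(login_map, sender, local_domains)
    if owners is not None:
        # The address has an owner: the client must be logged in as one.
        return sasl_login not in owners
    # No owner listed: a logged-in client does not own the address.
    return sasl_login is not None


def authenticated_sender_login_mismatch(login_map, sender, sasl_login,
                                        local_domains):
    """Same check, enforced for authenticated clients only."""
    return sasl_login is not None and sender_login_mismatch(
        login_map, sender, sasl_login, local_domains)


# Constructed sample table and local domain set.
LOGIN_MAP = {
    "alice@example.com": "alice",
    "postmaster": "alice, bob",
    "@example.org": "relayuser",
}
LOCAL_DOMAINS = {"example.com"}

if __name__ == "__main__":
    for sender, login in [("alice@example.com", "bob"),
                          ("postmaster@example.com", "bob"),
                          ("postmaster@example.org", "bob"),
                          ("carol@example.net", None)]:
        print(sender, login, "reject" if sender_login_mismatch(
            LOGIN_MAP, sender, login, LOCAL_DOMAINS) else "pass")
```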
8759

smtpd_sender_restrictions (default: empty)

8761       Optional  restrictions that the Postfix SMTP server applies in the con‐
8762       text of a client MAIL FROM command.  See  SMTPD_ACCESS_README,  section
8763       "Delayed  evaluation of SMTP access restriction lists" for a discussion
8764       of evaluation context and time.
8765
8766       The default is to permit everything.
8767
8768       Specify a list of restrictions, separated by commas and/or  whitespace.
8769       Continue  long  lines  by  starting  the  next  line  with  whitespace.
8770       Restrictions are applied in the order as specified; the first  restric‐
8771       tion that matches wins.
8772
8773       The  following restrictions are specific to the sender address received
8774       with the MAIL FROM command.
8775
8776       check_sender_access type:table
8777              Search the  specified  access(5)  database  for  the  MAIL  FROM
8778              address,  domain, parent domains, or localpart@, and execute the
8779              corresponding action.
8780
8781       check_sender_mx_access type:table
8782              Search the specified access(5) database for the MX hosts for the
8783              MAIL  FROM address, and execute the corresponding action.  Note:
8784              a result of "OK" is not allowed for safety reasons. Instead, use
8785              DUNNO  in order to exclude specific hosts from blacklists.  This
8786              feature is available in Postfix 2.1 and later.
8787
8788       check_sender_ns_access type:table
8789              Search the specified access(5) database for the DNS servers  for
8790              the  MAIL  FROM  address,  and execute the corresponding action.
8791              Note: a result of  "OK"  is  not  allowed  for  safety  reasons.
8792              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
8793              blacklists.  This feature is available in Postfix 2.1 and later.
8794
8795       reject_authenticated_sender_login_mismatch
8796              Enforces  the   reject_sender_login_mismatch   restriction   for
8797              authenticated clients only. This feature is available in Postfix
8798              version 2.1 and later.
8799
8800       reject_non_fqdn_sender
8801              Reject the request when the MAIL FROM address is not  in  fully-
8802              qualified domain form, as required by the RFC.
8803              The  non_fqdn_reject_code  parameter specifies the response code
8804              for rejected requests (default: 504).
8805
8806       reject_rhsbl_sender rbl_domain=d.d.d.d
8807              Reject the request when the MAIL FROM domain is listed with  the
8808              A  record  "d.d.d.d"  under  rbl_domain (Postfix version 2.1 and
8809              later only).  Each "d" is a number, or  a  pattern  inside  "[]"
8810              that  contains one or more ";"-separated numbers or number..num‐
8811              ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d"  is
8812              specified,  reject  the  request  when  the  MAIL FROM domain is
8813              listed with any A record under rbl_domain.
8814              The maps_rbl_reject_code parameter specifies the  response  code
8815              for  rejected  requests  (default:   554); the default_rbl_reply
8816              parameter  specifies  the  default   server   reply;   and   the
8817              rbl_reply_maps  parameter  specifies  tables with server replies
8818              indexed by rbl_domain.  This feature is available in Postfix 2.0
8819              and later.
8820
8821       reject_sender_login_mismatch
8822              Reject  the  request  when $smtpd_sender_login_maps specifies an
8823              owner for the MAIL FROM address, but the client  is  not  (SASL)
8824              logged in as that MAIL FROM address owner; or when the client is
8825              (SASL) logged in, but the client login name doesn't own the MAIL
8826              FROM address according to $smtpd_sender_login_maps.
8827
8828       reject_unauthenticated_sender_login_mismatch
8829              Enforces  the reject_sender_login_mismatch restriction for unau‐
8830              thenticated clients only. This feature is available  in  Postfix
8831              version 2.1 and later.
8832
8833       reject_unknown_sender_domain
8834              Reject the request when Postfix is not final destination for the
8835              sender address, and the MAIL FROM domain has 1) no DNS A  or  MX
8836              record,  or  2)  a  malformed  MX record such as a record with a
8837              zero-length MX hostname (Postfix version 2.3 and later).
8838              The unknown_address_reject_code parameter specifies the  numeri‐
8839              cal  response  code  for  rejected requests (default: 450).  The
8840              response is always 450 in case of a temporary DNS error.
8841              The  unknown_address_tempfail_action  parameter  specifies   the
8842              action after a temporary DNS error (default: defer_if_permit).
8843
8844       reject_unlisted_sender
8845              Reject  the  request when the MAIL FROM address is not listed in
8846              the list of valid recipients  for  its  domain  class.  See  the
8847              smtpd_reject_unlisted_sender  parameter description for details.
8848              This feature is available in Postfix 2.1 and later.
8849
8850       reject_unverified_sender
8851              Reject the request when mail to the MAIL FROM address  is  known
8852              to  bounce, or when the sender address destination is not reach‐
8853              able.  Address verification information is managed by  the  ver‐
8854              ify(8)  server;  see  the  ADDRESS_VERIFICATION_README  file for
8855              details.
8856              The unverified_sender_reject_code parameter specifies the numer‐
8857              ical  response code when an address is known to bounce (default:
8858              450, change into 550 when you are confident that it is  safe  to
8859              do so).
8860              The   unverified_sender_defer_code   specifies   the   numerical
8861              response code when an address probe failed due to  a  temporary
8862              problem (default: 450).
8863              The  unverified_sender_tempfail_action  parameter  specifies the
8864              action after address probe failure due to  a  temporary  problem
8865              (default: defer_if_permit).
8866              This feature is available in Postfix 2.1 and later.
8867
8868       Other restrictions that are valid in this context:
8869
8870       ·      Generic  restrictions  that can be used in any SMTP command con‐
8871              text, described under smtpd_client_restrictions.
8872
8873       ·      SMTP   command    specific    restrictions    described    under
8874              smtpd_client_restrictions and smtpd_helo_restrictions.
8875
8876       ·      SMTP command specific restrictions described under smtpd_recipi‐
8877              ent_restrictions. When recipient restrictions are  listed  under
8878              smtpd_sender_restrictions,    they   have   effect   only   with
8879              "smtpd_delay_reject = yes", so  that  $smtpd_sender_restrictions
8880              is evaluated at the time of the RCPT TO command.
8881
8882       Examples:
8883
8884       smtpd_sender_restrictions = reject_unknown_sender_domain
8885       smtpd_sender_restrictions = reject_unknown_sender_domain,
8886           check_sender_access hash:/etc/postfix/access
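
The "d.d.d.d" reply filter described under reject_rhsbl_sender, as an added Python sketch (not Postfix source code). The function names, the list name "rhsbl.example.test" and the reply addresses are constructed for illustration, and treating a lookup as listed when any one returned A record passes the filter is an assumption of this sketch.

```python
import ipaddress


def split_fields(pattern):
    """Split "d.d.d.d" on dots, ignoring the ".." inside "[...]"."""
    fields, current, in_brackets = [], "", False
    for ch in pattern:
        if ch == "[":
            if in_brackets:
                raise ValueError("nested '[' in %r" % pattern)
            in_brackets = True
        elif ch == "]":
            if not in_brackets:
                raise ValueError("unmatched ']' in %r" % pattern)
            in_brackets = False
        if ch == "." and not in_brackets:
            fields.append(current)
            current = ""
        else:
            current += ch
    fields.append(current)
    if in_brackets or len(fields) != 4:
        raise ValueError("expected four fields in %r" % pattern)
    return fields


def parse_field(field):
    """Return inclusive (low, high) ranges for one "d" field."""
    if field.startswith("[") and field.endswith("]"):
        items = field[1:-1].split(";")      # ";"-separated alternatives
    else:
        items = [field]                     # a plain number
    ranges = []
    for item in items:
        low, sep, high = item.partition("..")
        if not sep:
            high = low                      # single number, not a range
        for text in (low, high):
            if not (text.isascii() and text.isdigit()):
                raise ValueError("bad number %r in %r" % (text, field))
        lo, hi = int(low), int(high)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad range %r in %r" % (item, field))
        ranges.append((lo, hi))
    return ranges


def reply_matches(pattern, address):
    """True when every octet of the A record fits its "d" field."""
    wanted = [parse_field(f) for f in split_fields(pattern)]
    octets = ipaddress.IPv4Address(address).packed
    return all(
        any(lo <= octet <= hi for lo, hi in ranges)
        for octet, ranges in zip(octets, wanted)
    )


def rhsbl_listed(restriction_arg, a_records):
    """Decide "listed" for an "rbl_domain[=d.d.d.d]" argument.

    a_records holds the A records returned for the sender domain under
    rbl_domain. Assumption: one passing record is enough.
    """
    _domain, has_filter, pattern = restriction_arg.partition("=")
    if not a_records:
        return False                        # not listed at all
    if not has_filter:
        return True                         # no filter: any A record counts
    return any(reply_matches(pattern, a) for a in a_records)


if __name__ == "__main__":
    # Constructed reply: a code outside the ones the operator acts on.
    reply = ["127.0.0.99"]
    print(rhsbl_listed("rhsbl.example.test", reply))
    print(rhsbl_listed("rhsbl.example.test=127.0.0.[2;4..10]", reply))
```

Without a filter, every reply code counts as a listing; with the filter, only the codes the operator chose lead to a rejection.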
8887

smtpd_service_name (default: smtpd)

8889       The  internal  service that postscreen(8) hands off allowed connections
8890       to. In a future version there may be different classes of SMTP service.
8891
8892       This feature is available in Postfix 2.8.
8893

smtpd_soft_error_limit (default: 10)

8895       The number of errors a remote SMTP client is allowed  to  make  without
8896       delivering  mail  before  the  Postfix  SMTP  server slows down all its
8897       responses.
8898
8899       ·      With Postfix version 2.1 and  later,  the  Postfix  SMTP  server
8900              delays all responses by $smtpd_error_sleep_time seconds.
8901
8902       ·      With  Postfix  versions 2.0 and earlier, the Postfix SMTP server
8903              delays all responses by (number of errors) seconds.
8904

smtpd_starttls_timeout (default: see postconf -d output)

8906       The time limit for Postfix SMTP server write and read operations during
8907       TLS  startup  and  shutdown  handshake  procedures. The current default
8908       value is stress-dependent. Before Postfix version 2.8, it was fixed  at
8909       300s.
8910
8911       This feature is available in Postfix 2.2 and later.
8912

smtpd_timeout (default: normal: 300s, overload: 10s)

8914       The  time  limit  for  sending  a  Postfix SMTP server response and for
8915       receiving a remote SMTP client request. Normally the default  limit  is
8916       300s,  but  it changes under overload to just 10s. With Postfix 2.5 and
8917       earlier, the SMTP server always uses a time limit of 300s by default.
8918
8919       Note: if you set SMTP time limits to very large values you may have  to
8920       update the global ipc_timeout parameter.
8921
8922       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
8923       The default time unit is s (seconds).
8924

smtpd_tls_CAfile (default: empty)

8926       A file containing (PEM format) CA certificates of root CAs  trusted  to
8927       sign either remote SMTP client certificates or intermediate CA certifi‐
8928       cates.  These are loaded into memory before the smtpd(8) server  enters
8929       the  chroot  jail.  If  the  number of trusted roots is large, consider
8930       using smtpd_tls_CApath instead, but note that the latter directory must
8931       be  present in the chroot jail if the smtpd(8) server is chrooted. This
8932       file may also be used to augment the server  certificate  trust  chain,
8933       but it is best to include all the required certificates directly in the
8934       server certificate file.
8935
8936       Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to  use  ONLY  the
8937       system-supplied default certificate authority certificates.
8938
8939       Specify  "tls_append_default_CA = no" to prevent Postfix from appending
8940       the system-supplied default CAs and trusting third-party certificates.
8941
8942       By default  (see  smtpd_tls_ask_ccert),  client  certificates  are  not
8943       requested, and smtpd_tls_CAfile should remain empty. If you do make use
8944       of client certificates, the distinguished names (DNs) of  the  certifi‐
8945       cate authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
8946       client in the client certificate request message.  MUAs  with  multiple
8947       client  certificates may use the list of preferred certificate authori‐
8948       ties to select the correct client certificate.  You  may  want  to  put
8949       your  "preferred" CA or CAs in this file, and install other trusted CAs
8950       in $smtpd_tls_CApath.
8951
8952       Example:
8953
8954       smtpd_tls_CAfile = /etc/postfix/CAcert.pem
8955
8956       This feature is available in Postfix 2.2 and later.
8957

smtpd_tls_CApath (default: empty)

8959       A directory containing (PEM format) CA certificates of root CAs trusted
8960       to  sign either remote SMTP client certificates or intermediate CA cer‐
8961       tificates. Do not forget to create the necessary "hash" links with, for
8962       example,   "$OPENSSL_HOME/bin/c_rehash   /etc/postfix/certs".   To  use
8963       smtpd_tls_CApath in chroot mode, this directory (or  a  copy)  must  be
8964       inside the chroot jail.
8965
8966       Specify  "smtpd_tls_CApath  = /path/to/system_CA_directory" to use ONLY
8967       the system-supplied default certificate authority certificates.
8968
8969       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
8970       the system-supplied default CAs and trusting third-party certificates.
8971
8972       By  default  (see  smtpd_tls_ask_ccert),  client  certificates  are not
8973       requested, and smtpd_tls_CApath should remain  empty.  In  contrast  to
8974       smtpd_tls_CAfile,   DNs   of   certificate   authorities  installed  in
8975       $smtpd_tls_CApath are not included in the  client  certificate  request
8976       message.  MUAs  with  multiple  client certificates may use the list of
8977       preferred certificate authorities to select the correct client certifi‐
8978       cate.    You   may   want   to  put  your  "preferred"  CA  or  CAs  in
8979       $smtpd_tls_CAfile,  and  install   the   remaining   trusted   CAs   in
8980       $smtpd_tls_CApath.
8981
8982       Example:
8983
8984       smtpd_tls_CApath = /etc/postfix/certs
8985
8986       This feature is available in Postfix 2.2 and later.
8987

smtpd_tls_always_issue_session_ids (default: yes)

8989       Force  the Postfix SMTP server to issue a TLS session id, even when TLS
8990       session caching  is  turned  off  (smtpd_tls_session_cache_database  is
8991       empty). This behavior is compatible with Postfix < 2.3.
8992
8993       With  Postfix 2.3 and later the Postfix SMTP server can disable session
8994       id generation when TLS session caching is turned off. This keeps remote
8995       SMTP  clients from caching sessions that almost certainly cannot be re-
8996       used.
8997
8998       By default, the Postfix SMTP server always generates TLS  session  ids.
8999       This works around a known defect in mail client applications such as MS
9000       Outlook, and may also prevent interoperability issues with other MTAs.
9001
9002       Example:
9003
9004       smtpd_tls_always_issue_session_ids = no
9005
9006       This feature is available in Postfix 2.3 and later.
9007

smtpd_tls_ask_ccert (default: no)

9009       Ask a remote SMTP client for a client certificate. This information  is
9010       needed  for certificate based mail relaying with, for example, the per‐
9011       mit_tls_clientcerts feature.
9012
9013       Some clients such as Netscape will either complain if no certificate is
9014       available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
9015       tiple client certificates to choose from. This may be annoying, so this
9016       option is "off" by default.
9017
9018       This feature is available in Postfix 2.2 and later.
9019

smtpd_tls_auth_only (default: no)

9021       When  TLS  encryption  is  optional  in the Postfix SMTP server, do not
9022       announce or accept SASL authentication over unencrypted connections.
9023
9024       This feature is available in Postfix 2.2 and later.
9025

smtpd_tls_ccert_verifydepth (default: 9)

9027       The verification depth for remote SMTP client certificates. A depth  of
9028       1 is sufficient if the issuing CA is listed in a local CA file.
9029
9030       The  default verification depth is 9 (the OpenSSL default) for compati‐
9031       bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
9032       value  was  5, but the limit was not actually enforced. If you have set
9033       this to a lower  non-default  value,  certificates  with  longer  trust
9034       chains  may  now fail to verify. Certificate chains with 1 or 2 CAs are
9035       common; deeper chains are rarer, and any number between 5 and 9
9036       should suffice in practice. You can choose a lower number if, for example,
9037       you trust certificates directly signed by an issuing  CA  but  not
9038       any CAs it delegates to.
9039
9040       This feature is available in Postfix 2.2 and later.
9041

smtpd_tls_cert_file (default: empty)

9043       File  with the Postfix SMTP server RSA certificate in PEM format.  This
9044       file may also contain the Postfix SMTP server private RSA key.
9045
9046       Public Internet MX hosts without certificates signed by  a  "reputable"
9047       CA  must  generate, and be prepared to present to most clients, a self-
9048       signed or private-CA signed certificate. The client will not be able to
9049       authenticate  the server, but unless it is running Postfix 2.3 or simi‐
9050       lar software, it will still insist on a server certificate.
9051
9052       For servers that are not public Internet MX hosts, Postfix 2.3 supports
9053       configurations  with  no certificates. This entails the use of just the
9054       anonymous TLS ciphers, which are not supported by typical SMTP clients.
9055       Since such clients will not, as a rule, fall back to plain text after a
9056       TLS handshake failure, the server will be unable to receive email  from
9057       TLS  enabled  clients.  To avoid accidental configurations with no cer‐
9058       tificates, Postfix 2.3 enables certificate-less operation only when the
9059       administrator   explicitly  sets  "smtpd_tls_cert_file  =  none".  This
9060       ensures that new Postfix configurations will not accidentally run  with
9061       no certificates.
9062
9063       Both  RSA  and  DSA  certificates  are  supported.  When both types are
9064       present, the cipher used determines which certificate will be presented
9065       to the client.  For Netscape and OpenSSL clients without special cipher
9066       choices the RSA certificate is preferred.
9067
9068       To enable a remote SMTP client to verify the Postfix SMTP  server  cer‐
9069       tificate,  the  issuing  CA  certificates must be made available to the
9070       client. You should include the required certificates in the server cer‐
9071       tificate  file,  the  server  certificate first, then the issuing CA(s)
9072       (bottom-up order).
9073
9074       Example: the certificate for "server.example.com" was issued by "inter‐
9075       mediate  CA"  which  itself has a certificate of "root CA".  Create the
9076       server.pem   file   with   "cat   server_cert.pem   intermediate_CA.pem
9077       root_CA.pem > server.pem".
9078
9079       If you also want to verify client certificates issued by these CAs, you
9080       can add the CA certificates to the smtpd_tls_CAfile, in which  case  it
9081       is   not   necessary   to  have  them  in  the  smtpd_tls_cert_file  or
9082       smtpd_tls_dcert_file.
9083
9084       A certificate supplied here must be usable as an SSL server certificate
9085       and hence pass the "openssl verify -purpose sslserver ..." test.
9086
9087       Example:
9088
9089       smtpd_tls_cert_file = /etc/postfix/server.pem
9090
9091       This feature is available in Postfix 2.2 and later.
9092

smtpd_tls_cipherlist (default: empty)

9094       Obsolete  Postfix  < 2.3 control for the Postfix SMTP server TLS cipher
9095       list. It is easy to create inter-operability  problems  by  choosing  a
9096       non-default cipher list. Do not use a non-default TLS cipherlist for MX
9097       hosts on the public Internet. Clients that begin the TLS handshake, but
9098       are  unable  to  agree  on a common cipher, may not be able to send any
9099       email to the SMTP server. Using a restricted cipher list  may  be  more
9100       appropriate  for  a dedicated MSA or an internal mailhub, where one can
9101       exert some control over the TLS software and settings of the connecting
9102       clients.
9103
9104       Note: do not use "" quotes around the parameter value.
9105
9106       This feature is available with Postfix version 2.2. It is not used with
9107       Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
9108

smtpd_tls_ciphers (default: export)

9110       The minimum TLS cipher grade that the Postfix SMTP server will use with
9111       opportunistic     TLS    encryption.    Cipher    types    listed    in
9112       smtpd_tls_exclude_ciphers are excluded from the base definition of  the
9113       selected  cipher  grade.  The  default  value  "export" ensures maximum
9114       inter-operability. Because encryption is  optional,  stronger  controls
9115       are  not appropriate, and this setting SHOULD NOT be changed unless the
9116       change is essential.
9117
9118       When  TLS  is  mandatory  the  cipher   grade   is   chosen   via   the
9119       smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
9120       tax details.
9121
9122       Example:
9123       smtpd_tls_ciphers = export
9124
9125       This feature is available in Postfix 2.6 and later. With earlier  Post‐
9126       fix  releases  only the smtpd_tls_mandatory_ciphers parameter is imple‐
9127       mented, and opportunistic TLS always uses "export" or better (i.e. all)
9128       ciphers.
9129

smtpd_tls_dcert_file (default: empty)

9131       File  with the Postfix SMTP server DSA certificate in PEM format.  This
9132       file may also contain the Postfix SMTP server private DSA key.
9133
9134       See the discussion under smtpd_tls_cert_file for more details.
9135
9136       Example:
9137
9138       smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
9139
9140       This feature is available in Postfix 2.2 and later.
9141

smtpd_tls_dh1024_param_file (default: empty)

9143       File with DH parameters that the Postfix SMTP server  should  use  with
9144       EDH ciphers.
9145
9146       Instead  of  using  the  exact  same parameter sets as distributed with
9147       other TLS packages, it is more secure  to  generate  your  own  set  of
9148       parameters with something like the following command:
9149
9150           openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
9151
9152       Your  actual source for entropy may differ. Some systems have /dev/random;
9153       on other systems you may consider using the "Entropy Gathering Daemon
9154       EGD", available at http://egd.sourceforge.net/
9155
9156       Example:
9157
9158       smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
9159
9160       This feature is available with Postfix version 2.2.
9161

smtpd_tls_dh512_param_file (default: empty)

9163       File  with  DH  parameters that the Postfix SMTP server should use with
9164       EDH ciphers.
9165
9166       See also the discussion under the smtpd_tls_dh1024_param_file  configu‐
9167       ration parameter.
9168
9169       Example:
9170
9171       smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
9172
9173       This feature is available with Postfix version 2.2.
9174

smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)

9176       File  with the Postfix SMTP server DSA private key in PEM format.  This
9177       file may be combined with the Postfix SMTP server DSA certificate  file
9178       specified with $smtpd_tls_dcert_file.
9179
9180       The  private key must be accessible without a pass-phrase, i.e. it must
9181       not be encrypted. File permissions should grant read-only access to the
9182       system superuser account ("root"), and no access to anyone else.
9183
9184       This feature is available in Postfix 2.2 and later.
9185

smtpd_tls_eccert_file (default: empty)

9187       File  with  the  Postfix  SMTP  server ECDSA certificate in PEM format.
9188       This file may also contain the Postfix SMTP server private ECDSA key.
9189
9190       See the discussion under smtpd_tls_cert_file for more details.
9191
9192       Example:
9193
9194       smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
9195
9196       This feature is available in Postfix 2.6 and  later,  when  Postfix  is
9197       compiled and linked with OpenSSL 1.0.0 or later.
9198

smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file)

9200       File  with  the  Postfix  SMTP  server ECDSA private key in PEM format.
9201       This file may be combined with the Postfix SMTP server  ECDSA  certifi‐
9202       cate file specified with $smtpd_tls_eccert_file.
9203
9204       The  private key must be accessible without a pass-phrase, i.e. it must
9205       not be encrypted. File permissions should grant read-only access to the
9206       system superuser account ("root"), and no access to anyone else.
9207
9208       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
9209       compiled and linked with OpenSSL 1.0.0 or later.
9210

smtpd_tls_eecdh_grade (default: see postconf -d output)

9212       The Postfix SMTP server security  grade  for  ephemeral  elliptic-curve
9213       Diffie-Hellman (EECDH) key exchange.
9214
9215       The available choices are:
9216
9217       none   Don't  use  EECDH.  Ciphers  based on EECDH key exchange will be
9218              disabled. This is the default in Postfix versions 2.6 and 2.7.
9219
9220       strong Use EECDH with approximately 128 bits of security at  a  reason‐
9221              able  computational  cost.  This  is  the  current best-practice
9222              trade-off between security and computational efficiency. This is
9223              the default in Postfix version 2.8 and later.
9224
9225       ultra  Use  EECDH  with  approximately 192 bits of security at computa‐
9226              tional cost that is approximately  twice  as  high  as  128  bit
9227              strength  ECC. Barring significant progress in attacks on ellip‐
9228              tic curve crypto-systems, the "strong" curve is  sufficient  for
9229              most users.
9230
9231       This feature is available in Postfix 2.6 and later, when it is compiled
9232       and linked with OpenSSL 1.0.0 or later.
9233

smtpd_tls_exclude_ciphers (default: empty)

9235       List of ciphers or cipher types to exclude from the SMTP server  cipher
9236       list  at  all  TLS  security levels. Excluding valid ciphers can create
9237       interoperability problems. DO NOT exclude ciphers unless it  is  essen‐
9238       tial  to  do so. This is not an OpenSSL cipherlist; it is a simple list
9239       separated by whitespace  and/or  commas.  The  elements  are  a  single
9240       cipher,  or  one or more "+" separated cipher properties, in which case
9241       only ciphers matching all the properties are excluded.
9242
9243       Examples (some of these will cause problems):
9244
9245           smtpd_tls_exclude_ciphers = aNULL
9246           smtpd_tls_exclude_ciphers = MD5, DES
9247           smtpd_tls_exclude_ciphers = DES+MD5
9248           smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
9249           smtpd_tls_exclude_ciphers = kEDH+aRSA
9250
9251       The first setting disables anonymous ciphers. The next setting disables
9252       ciphers  that  use the MD5 digest algorithm or the (single) DES encryp‐
9253       tion algorithm. The next setting disables ciphers that use MD5 and  DES
9254       together.   The  next setting disables the two ciphers "AES256-SHA" and
9255       "DES-CBC3-MD5". The last setting disables ciphers that  use  "EDH"  key
9256       exchange with RSA authentication.
9257
9258       This feature is available in Postfix 2.3 and later.
9259

smtpd_tls_fingerprint_digest (default: md5)

9261       The  message  digest algorithm to construct remote SMTP client-certifi‐
9262       cate fingerprints or public key fingerprints (Postfix  2.9  and  later)
9263       for  check_ccert_access  and  permit_tls_clientcerts. The default algo‐
9264       rithm is md5, for backwards compatibility with Postfix  releases  prior
9265       to 2.5.
9266
9267       Advances  in  hash  function cryptanalysis have led to md5 being depre‐
9268       cated in favor of sha1.  However, as long as there are no known "second
9269       pre-image"  attacks  against  md5, its use in this context can still be
9270       considered safe.
9271
9272       While additional digest algorithms are often available  with  OpenSSL's
9273       libcrypto, only those used by libssl in SSL cipher suites are available
9274       to Postfix.
9275
9276       To find the fingerprint of a specific certificate file, with a specific
9277       digest algorithm, run:
9278
9279           $ openssl x509 -noout -fingerprint -digest -in certfile.pem
9280
9281       The  text  to  the  right  of "=" sign is the desired fingerprint.  For
9282       example:
9283
9284           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
9285           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
9286
9287       To extract the public key fingerprint from an  X.509  certificate,  you
9288       need  to  extract  the  public key from the certificate and compute the
9289       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
9290       key"  option  of  the  "x509" command extracts the public key always in
9291       "PEM" format. We pipe the result to another OpenSSL command  that  con‐
9292       verts the key to DER and then to the "dgst" command to compute the fin‐
9293       gerprint.
9294
9295       The actual command to transform the key to DER format  depends  on  the
9296       version  of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
9297       mand supports all key types. With OpenSSL 0.9.8 and  earlier,  the  key
9298       type  is  always  RSA  (nobody uses DSA, and EC keys are not fully sup‐
9299       ported by 0.9.8), so the "rsa" command is used.
9300
9301           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
9302           $ openssl x509 -in cert.pem -noout -pubkey |
9303               openssl pkey -pubin -outform DER |
9304               openssl dgst -sha1 -c
9305           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
9306
9307           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
9308           $ openssl x509 -in cert.pem -noout -pubkey |
9309               openssl rsa -pubin -outform DER |
9310               openssl dgst -md5 -c
9311           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
9312
9313       The Postfix SMTP server and client log the peer (leaf) certificate fin‐
9314       gerprint  and  public  key  fingerprint  when  the TLS loglevel is 2 or
9315       higher.
9316
9317       Note: Postfix 2.9.0–2.9.5 computed  the  public  key  fingerprint
9318       incorrectly.  To  use public-key fingerprints, upgrade to Postfix 2.9.6
9319       or later.
9320
9321       Example: client-certificate access table, with sha1 fingerprints:
9322
9323           /etc/postfix/main.cf:
9324               smtpd_tls_fingerprint_digest = sha1
9325               smtpd_client_restrictions =
9326                   check_ccert_access hash:/etc/postfix/access,
9327                   reject
9328           /etc/postfix/access:
9329               # Action folded to next line...
9330               AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
9331                   OK
9332               85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
9333                   permit_auth_destination
9334
9335       This feature is available in Postfix 2.5 and later.
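
A fingerprint pasted from a different digest than smtpd_tls_fingerprint_digest has the wrong length and so can never equal a fingerprint computed with the configured digest. The following added Python check (not part of Postfix) reads an access(5) table with folded actions and flags such keys; the function names are hypothetical, and the sample table is constructed from the fingerprints shown on this page.

```python
import re

# Digest output sizes in bytes, for the two digests this page names.
DIGEST_BYTES = {"md5": 16, "sha1": 20}

# Colon-separated hex pairs, as printed by the openssl commands above.
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$")

# Constructed sample: two SHA-1 keys from the page's access table and
# the MD5 public-key fingerprint from the page's OpenSSL 0.9.8 example.
SAMPLE_TABLE = """\
# Action folded to next line...
AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
    OK
85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
    permit_auth_destination
f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 OK
"""


def logical_lines(text):
    """Join folded lines; drop blank lines and '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + stripped     # continuation of previous key
        else:
            lines.append(stripped)
    return lines


def audit_access_table(text, digest):
    """Return (key, problem) pairs for entries that cannot work as intended."""
    expected = DIGEST_BYTES[digest]
    findings = []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        key = parts[0]
        if not FINGERPRINT_RE.match(key):
            findings.append((key, "not a colon-separated hex fingerprint"))
            continue
        size = len(key.split(":"))
        if size != expected:
            findings.append(
                (key, "%d-byte fingerprint, but %s produces %d bytes"
                      % (size, digest, expected)))
        elif len(parts) < 2:
            findings.append((key, "no action given"))
    return findings


if __name__ == "__main__":
    for key, problem in audit_access_table(SAMPLE_TABLE, "sha1"):
        print("%s: %s" % (key, problem))
```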
9336

smtpd_tls_key_file (default: $smtpd_tls_cert_file)

9338       File with the Postfix SMTP server RSA private key in PEM format.   This
9339       file  may be combined with the Postfix SMTP server RSA certificate file
9340       specified with $smtpd_tls_cert_file.
9341
9342       The private key must be accessible without a pass-phrase, i.e. it  must
9343       not be encrypted. File permissions should grant read-only access to the
9344       system superuser account ("root"), and no access to anyone else.
9345

smtpd_tls_loglevel (default: 0)

9347       Enable additional Postfix SMTP server logging of  TLS  activity.   Each
9348       logging  level  also includes the information that is logged at a lower
9349       logging level.
9350
9351              0 Log only a summary message on TLS handshake completion --
9352              no logging of remote SMTP client certificate trust-chain verifi‐
9353              cation  errors  if  client  certificate  verification   is   not
9354              required.  With  Postfix 2.8 and earlier, disable logging of TLS
9355              activity.
9356
9357              1 Also log trust-chain verification errors and peer  certificate
9358              name and issuer. With Postfix 2.8 and earlier, log TLS handshake
9359              and certificate information.
9360
9361              2 Also log levels during TLS negotiation.
9362
9363              3 Also  log  hexadecimal  and  ASCII  dump  of  TLS  negotiation
9364              process.
9365
9366              4  Also  log hexadecimal and ASCII dump of complete transmission
9367              after STARTTLS.
9368
9369       Do not use "smtpd_tls_loglevel = 2" or higher except in case  of  prob‐
9370       lems. Use of loglevel 4 is strongly discouraged.
9371
9372       This feature is available in Postfix 2.2 and later.
9373

smtpd_tls_mandatory_ciphers (default: medium)

       The minimum TLS cipher grade that the Postfix SMTP server will use with
       mandatory TLS encryption. The default grade ("medium") is sufficiently
       strong that any benefit from globally restricting TLS sessions to a
       more stringent grade is likely negligible, especially given the fact
       that many implementations still do not offer any stronger ("high"
       grade) ciphers, while those that do, will always use "high" grade
       ciphers. So insisting on "high" grade ciphers is generally
       counter-productive. Allowing "export" or "low" ciphers is typically not
       a good idea, as systems limited to just these are limited to obsolete
       browsers. No known SMTP clients fail to support at least one "medium"
       or "high" grade cipher.

       The following cipher grades are supported:

       export Enable "EXPORT" grade or stronger OpenSSL ciphers. This is the
              most appropriate setting for public MX hosts, and is always used
              with opportunistic TLS encryption. The underlying cipherlist is
              specified via the tls_export_cipherlist configuration parameter,
              which you are strongly encouraged to not change.

       low    Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
              cipherlist is specified via the tls_low_cipherlist configuration
              parameter, which you are strongly encouraged to not change.

       medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
              128-bit or longer symmetric bulk-encryption keys. This is the
              default minimum strength for mandatory TLS encryption. The
              underlying cipherlist is specified via the tls_medium_cipherlist
              configuration parameter, which you are strongly encouraged to
              not change.

       high   Enable only "HIGH" grade OpenSSL ciphers. The underlying
              cipherlist is specified via the tls_high_cipherlist
              configuration parameter, which you are strongly encouraged to
              not change.

       null   Enable only the "NULL" OpenSSL ciphers; these provide
              authentication without encryption. This setting is only
              appropriate in the rare case that all clients are prepared to
              use NULL ciphers (not normally enabled in TLS clients). The
              underlying cipherlist is specified via the tls_null_cipherlist
              configuration parameter, which you are strongly encouraged to
              not change.

       Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
       smtpd_tls_exclude_ciphers are excluded from the base definition of the
       selected cipher grade. See smtpd_tls_ciphers for cipher controls that
       apply to opportunistic TLS.

       The underlying cipherlists for grades other than "null" include
       anonymous ciphers, but these are automatically filtered out if the
       server is configured to ask for remote SMTP client certificates. You
       are very unlikely to need to take any steps to exclude anonymous
       ciphers; they are excluded automatically as required. If you must
       exclude anonymous ciphers even when Postfix does not need or use peer
       certificates, set "smtpd_tls_exclude_ciphers = aNULL". To exclude
       anonymous ciphers only when TLS is enforced, set
       "smtpd_tls_mandatory_exclude_ciphers = aNULL".

       This feature is available in Postfix 2.3 and later.

smtpd_tls_mandatory_exclude_ciphers (default: empty)

       Additional list of ciphers or cipher types to exclude from the Postfix
       SMTP server cipher list at mandatory TLS security levels. This list
       works in addition to the exclusions listed with
       smtpd_tls_exclude_ciphers (see there for syntax details).

       This feature is available in Postfix 2.3 and later.

smtpd_tls_mandatory_protocols (default: !SSLv2)

       The SSL/TLS protocols accepted by the Postfix SMTP server with
       mandatory TLS encryption. If the list is empty, the server supports all
       available SSL/TLS protocol versions. A non-empty value is a list of
       protocol names separated by whitespace, commas or colons. The supported
       protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case
       sensitive.

       Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
       "TLSv1.2". If an older Postfix version is linked against OpenSSL 1.0.1
       or later, these, or any other new protocol versions, are
       unconditionally enabled.

       With Postfix >= 2.5 the parameter syntax is expanded to support
       protocol exclusions. One can now explicitly exclude SSLv2 by setting
       "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
       SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the
       protocols to include, rather than protocols to exclude, is supported,
       but not recommended. The exclusion form more closely matches the
       behavior when the OpenSSL library is newer than Postfix.

       Since SSL version 2 has known protocol weaknesses and is now
       deprecated, the default setting excludes "SSLv2". This means that by
       default, SSL version 2 will not be used at the "encrypt" security
       level.

       Example:

       smtpd_tls_mandatory_protocols = TLSv1
       # Alternative form with Postfix >= 2.5:
       smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

       This feature is available in Postfix 2.3 and later.

smtpd_tls_protocols (default: empty)

       List of TLS protocols that the Postfix SMTP server will exclude or
       include with opportunistic TLS encryption. This parameter SHOULD be
       left at its default empty value, allowing all protocols to be used with
       opportunistic TLS.

       In main.cf the values are separated by whitespace, commas or colons. An
       empty value means allow all protocols. The valid protocol names (see
       SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1". In
       smtp_tls_policy_maps table entries, "protocols" attribute values are
       separated by a colon.

       Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
       "TLSv1.2". If an older Postfix version is linked against OpenSSL 1.0.1
       or later, these, or any other new protocol versions, are
       unconditionally enabled.

       To include a protocol, list its name; to exclude it, prefix the name
       with a "!" character. To exclude SSLv2 even for opportunistic TLS set
       "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
       "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the
       protocols to include, rather than protocols to exclude, is supported,
       but not recommended. The exclusion form more closely matches the
       behavior when the OpenSSL library is newer than Postfix.

       Example:
       smtpd_tls_protocols = !SSLv2

       This feature is available in Postfix 2.6 and later.
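
       The include and exclude forms of smtpd_tls_mandatory_protocols and
       smtpd_tls_protocols compared, as an added example that is not part of
       the Postfix documentation or source. It assumes a simplified model: an
       include list switches off every known protocol that is not listed, and
       protocols the library offers but this Postfix has no name for stay
       enabled; the function names and the two library lists are constructed.

```python
import re

# Protocol names known to the Postfix release described above.
POSTFIX_KNOWN = ("SSLv2", "SSLv3", "TLSv1")

# Constructed inputs: what two generations of the linked library can negotiate.
OLD_OPENSSL = ["SSLv2", "SSLv3", "TLSv1"]
OPENSSL_1_0_1 = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_protocols(value):
    """Split a *_tls_protocols value into (include, exclude) sets."""
    canon = {name.lower(): name for name in POSTFIX_KNOWN}  # names are not case sensitive
    include, exclude = set(), set()
    # Names are separated by whitespace, commas or colons.
    for token in re.split(r"[\s,:]+", value.strip()):
        if not token:
            continue
        negate = token.startswith("!")
        name = canon.get((token[1:] if negate else token).lower())
        if name is None:
            raise ValueError("unknown protocol name: %r" % token)
        (exclude if negate else include).add(name)
    return include, exclude


def effective_protocols(value, library_protocols):
    """Protocols left enabled for a setting, given what the linked library offers.

    Assumed model (see lead-in): Postfix can only switch off protocols it has a
    name for, so anything newer in the library remains enabled.
    """
    include, exclude = parse_protocols(value)
    disabled = set(exclude)
    if include:
        disabled |= set(POSTFIX_KNOWN) - include
    return [p for p in library_protocols if p not in disabled]


def unlisted_but_enabled(value, library_protocols):
    """Protocols an include list did not name but which are enabled anyway."""
    include, _ = parse_protocols(value)
    if not include:
        return []
    return [p for p in effective_protocols(value, library_protocols) if p not in include]


if __name__ == "__main__":
    for setting in ("", "TLSv1", "!SSLv2, !SSLv3", "sslv3:tlsv1"):
        for label, library in (("old library", OLD_OPENSSL), ("OpenSSL 1.0.1", OPENSSL_1_0_1)):
            print("%-16r %-14s -> %s" % (setting, label, effective_protocols(setting, library)))
    print("surprise with 'TLSv1':", unlisted_but_enabled("TLSv1", OPENSSL_1_0_1))
```

       An include list reads as an exact allow-list but does not behave like
       one once the library is newer than Postfix, which is why the exclusion
       form is the recommended way to write the setting.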

smtpd_tls_received_header (default: no)

       Request that the Postfix SMTP server produces Received: message
       headers that include information about the protocol and cipher used, as
       well as the remote SMTP client CommonName and client certificate issuer
       CommonName. This is disabled by default, as the information may be
       modified in transit through other mail servers. Only information that
       was recorded by the final destination can be trusted.

       This feature is available in Postfix 2.2 and later.

smtpd_tls_req_ccert (default: no)

       With mandatory TLS encryption, require a trusted remote SMTP client
       certificate in order to allow TLS connections to proceed. This option
       implies "smtpd_tls_ask_ccert = yes".

       When TLS encryption is optional, this setting is ignored with a warning
       written to the mail log.

       This feature is available in Postfix 2.2 and later.

smtpd_tls_security_level (default: empty)

       The SMTP TLS security level for the Postfix SMTP server; when a
       non-empty value is specified, this overrides the obsolete parameters
       smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
       "smtpd_tls_wrappermode = yes".

       Specify one of the following security levels:

       none   TLS will not be used.

       may    Opportunistic TLS: announce STARTTLS support to remote SMTP
              clients, but do not require that clients use TLS encryption.

       encrypt
              Mandatory TLS encryption: announce STARTTLS support to remote
              SMTP clients, and require that clients use TLS encryption.
              According to RFC 2487 this MUST NOT be applied in case of a
              publicly-referenced SMTP server. Instead, this option should be
              used only on dedicated servers.

       Note 1: the "fingerprint", "verify" and "secure" levels are not
       supported here. The Postfix SMTP server logs a warning and uses
       "encrypt" instead. To verify remote SMTP client certificates, see
       TLS_README for a discussion of the smtpd_tls_ask_ccert,
       smtpd_tls_req_ccert, and permit_tls_clientcerts features.

       Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
       implies "smtpd_tls_auth_only = yes".

       Note 3: when invoked via "sendmail -bs", Postfix will never offer
       STARTTLS due to insufficient privileges to access the server private
       key. This is intended behavior.

       This feature is available in Postfix 2.3 and later.

smtpd_tls_session_cache_database (default: empty)

       Name of the file containing the optional Postfix SMTP server TLS
       session cache. Specify a database type that supports enumeration, such
       as btree or sdbm; there is no need to support concurrent access. The
       file is created if it does not exist. The smtpd(8) daemon does not use
       this parameter directly; rather, the cache is implemented indirectly in
       the tlsmgr(8) daemon. This means that per-smtpd-instance master.cf
       overrides of this parameter are not effective. Note that each of the
       cache databases supported by the tlsmgr(8) daemon
       ($smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
       and, with Postfix 2.3 and later, $lmtp_tls_session_cache_database)
       needs to be stored separately. It is not at this time possible to store
       multiple caches in a single database.

       Note: dbm databases are not suitable. TLS session objects are too
       large.

       As of version 2.5, Postfix no longer uses root privileges when opening
       this file. The file should now be stored under the Postfix-owned
       data_directory. As a migration aid, an attempt to open the file under a
       non-Postfix directory is redirected to the Postfix-owned
       data_directory, and a warning is logged.

       Example:

       smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

       This feature is available in Postfix 2.2 and later.

smtpd_tls_session_cache_timeout (default: 3600s)

       The expiration time of Postfix SMTP server TLS session cache
       information. A cache cleanup is performed periodically every
       $smtpd_tls_session_cache_timeout seconds. As with
       $smtpd_tls_session_cache_database, this parameter is implemented in the
       tlsmgr(8) daemon and therefore per-smtpd-instance master.cf overrides
       are not possible.

       This feature is available in Postfix 2.2 and later.

smtpd_tls_wrappermode (default: no)

       Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
       of using the STARTTLS command.

       If you want to support this service, enable a special port in
       master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
       server's command line. Port 465 (smtps) was once chosen for this
       purpose.

       This feature is available in Postfix 2.2 and later.

smtpd_upstream_proxy_protocol (default: empty)

       The name of the proxy protocol used by an optional before-smtpd proxy
       agent. When a proxy agent is used, this protocol conveys local and
       remote address and port information. Specify
       "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy
       protocol.

       NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
       with smtpd_authorized_xclient_hosts. This supports SASL authentication
       in the proxy agent (Postfix 2.9 and later).

       This feature is available in Postfix 2.10 and later.

smtpd_upstream_proxy_timeout (default: 5s)

       The time limit for the proxy protocol specified with the
       smtpd_upstream_proxy_protocol parameter.

       This feature is available in Postfix 2.10 and later.

smtpd_use_tls (default: no)

       Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
       but do not require that clients use TLS encryption.

       Note: when invoked via "sendmail -bs", Postfix will never offer
       STARTTLS due to insufficient privileges to access the server private
       key. This is intended behavior.

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtpd_tls_security_level instead.

soft_bounce (default: no)

       Safety net to keep mail queued that would otherwise be returned to the
       sender. This parameter disables locally-generated bounces, changes the
       handling of negative responses from remote servers, content filters or
       plugins, and prevents the Postfix SMTP server from rejecting mail
       permanently by changing 5xx reply codes into 4xx. However, soft_bounce
       is no cure for address rewriting mistakes or mail routing mistakes.

       Note: "soft_bounce = yes" is in some cases implemented by modifying
       server responses. Therefore, the response that Postfix logs may differ
       from the response that Postfix actually sends or receives.

       Example:

       soft_bounce = yes

stale_lock_time (default: 500s)

       The time after which a stale exclusive mailbox lockfile is removed.
       This is used for delivery to file or mailbox.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

stress (default: empty)

       This feature is documented in the STRESS_README document.

       This feature is available in Postfix 2.5 and later.

strict_7bit_headers (default: no)

       Reject mail with 8-bit text in message headers. This blocks mail from
       poorly written applications.

       This feature should not be enabled on a general purpose mail server,
       because it is likely to reject legitimate email.

       This feature is available in Postfix 2.0 and later.

strict_8bitmime (default: no)

       Enable both strict_7bit_headers and strict_8bitmime_body.

       This feature should not be enabled on a general purpose mail server,
       because it is likely to reject legitimate email.

       This feature is available in Postfix 2.0 and later.

strict_8bitmime_body (default: no)

       Reject 8-bit message body text without 8-bit MIME content encoding
       information. This blocks mail from poorly written applications.

       Unfortunately, this also rejects majordomo approval requests when the
       included request contains valid 8-bit MIME mail, and it rejects bounces
       from mailers that do not MIME encapsulate 8-bit content (for example,
       bounces from qmail or from old versions of Postfix).

       This feature should not be enabled on a general purpose mail server,
       because it is likely to reject legitimate email.

       This feature is available in Postfix 2.0 and later.

strict_mailbox_ownership (default: yes)

       Defer delivery when a mailbox file is not owned by its recipient. The
       default setting is not backwards compatible.

       This feature is available in Postfix 2.5.3 and later.

strict_mime_encoding_domain (default: no)

       Reject mail with invalid Content-Transfer-Encoding: information for the
       message/* or multipart/* MIME content types. This blocks mail from
       poorly written software.

       This feature should not be enabled on a general purpose mail server,
       because it will reject mail after a single violation.

       This feature is available in Postfix 2.0 and later.

strict_rfc821_envelopes (default: no)

       Require that addresses received in SMTP MAIL FROM and RCPT TO commands
       are enclosed with <>, and that those addresses do not contain RFC 822
       style comments or phrases. This stops mail from poorly written
       software.

       By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
       and RCPT TO addresses.

sun_mailtool_compatibility (default: no)

       Obsolete SUN mailtool compatibility feature. Instead, use
       "mailbox_delivery_lock = dotlock".

swap_bangpath (default: yes)

       Enable the rewriting of "site!user" into "user@site". This is
       necessary if your machine is connected to UUCP networks. It is enabled
       by default.

       Note: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Example:

       swap_bangpath = no

syslog_facility (default: mail)

       The syslog facility of Postfix logging. Specify a facility as defined
       in syslog.conf(5). The default facility is "mail".

       Warning: a non-default syslog_facility setting takes effect only after
       a Postfix process has completed initialization. Errors during process
       initialization will be logged with the default facility. Examples are
       errors while parsing the command line arguments, and errors while
       accessing the Postfix main.cf configuration file.

syslog_name (default: see postconf -d output)

       The mail system name that is prepended to the process name in syslog
       records, so that "smtpd" becomes, for example, "postfix/smtpd".

       Warning: a non-default syslog_name setting takes effect only after a
       Postfix process has completed initialization. Errors during process
       initialization will be logged with the default name. Examples are
       errors while parsing the command line arguments, and errors while
       accessing the Postfix main.cf configuration file.

tcp_windowsize (default: 0)

       An optional workaround for routers that break TCP window scaling.
       Specify a value > 0 and < 65536 to enable this feature. With Postfix
       TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
       Postfix master(8) daemon.

       To change this parameter without stopping Postfix, you need to first
       terminate all Postfix TCP servers:

           # postconf -e master_service_disable=inet
           # postfix reload

       This immediately terminates all processes that accept network
       connections. Next, you enable Postfix TCP servers with the updated
       tcp_windowsize setting:

           # postconf -e tcp_windowsize=65535 master_service_disable=
           # postfix reload

       If you skip these steps with a running Postfix system, then the
       tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
       lmtp(8)).

       This feature is available in Postfix 2.6 and later.

tls_append_default_CA (default: no)

       Append the system-supplied default certificate authority certificates
       to the ones specified with *_tls_CApath or *_tls_CAfile. The default
       is "no"; this prevents Postfix from trusting third-party certificates
       and giving them relay permission with permit_tls_all_clientcerts.

       This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
       later versions. Specify "tls_append_default_CA = yes" for backwards
       compatibility, to avoid breaking certificate verification with sites
       that don't use permit_tls_all_clientcerts.

tls_daemon_random_bytes (default: 32)

       The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
       requests from the tlsmgr(8) server in order to seed its internal
       pseudo-random number generator (PRNG). The default of 32 bytes
       (equivalent to 256 bits) is sufficient to generate a 128-bit (or
       168-bit) session key.

       This feature is available in Postfix 2.2 and later.

tls_disable_workarounds (default: see postconf -d output)

       List or bit-mask of OpenSSL bug work-arounds to disable.

       The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS
       implementations. Applications, such as Postfix, that want to maximize
       interoperability ask the OpenSSL library to enable the full set of
       recommended work-arounds.

       From time to time, it is discovered that a work-around creates a
       security issue, and should no longer be used. If upgrading OpenSSL to a
       fixed version is not an option or an upgrade is not available in a
       timely manner, or in closed environments where no buggy clients or
       servers exist, it may be appropriate to disable some or all of the
       OpenSSL interoperability work-arounds. This parameter specifies which
       bug work-arounds to disable.

       If the value of the parameter is a hexadecimal long integer starting
       with "0x", the bug work-arounds corresponding to the bits specified in
       its value are removed from the SSL_OP_ALL work-around bit-mask (see
       openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more bits
       than are present in SSL_OP_ALL; excess bits are ignored. Specifying
       0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
       also be sufficient on 64-bit systems, until OpenSSL abandons support
       for 32-bit systems and starts using the high 32 bits of a 64-bit
       bug-workaround mask.

       Otherwise, the parameter is a white-space or comma separated list of
       specific named bug work-arounds chosen from the list below. It is
       possible that your OpenSSL version includes new bug work-arounds added
       after your Postfix source code was last updated; in that case you can
       only disable one of these via the hexadecimal syntax above.

       MICROSOFT_SESS_ID_BUG
              See SSL_CTX_set_options(3)

       NETSCAPE_CHALLENGE_BUG
              See SSL_CTX_set_options(3)

       LEGACY_SERVER_CONNECT
              See SSL_CTX_set_options(3)

       NETSCAPE_REUSE_CIPHER_CHANGE_BUG
              also aliased as CVE-2010-4180. Postfix 2.8 disables this
              work-around by default with OpenSSL versions that may predate
              the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.

       SSLREF2_REUSE_CERT_TYPE_BUG
              See SSL_CTX_set_options(3)

       MICROSOFT_BIG_SSLV3_BUFFER
              See SSL_CTX_set_options(3)

       MSIE_SSLV2_RSA_PADDING
              also aliased as CVE-2005-2969. Postfix 2.8 disables this
              work-around by default with OpenSSL versions that may predate
              the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.

       SSLEAY_080_CLIENT_DH_BUG
              See SSL_CTX_set_options(3)

       TLS_D5_BUG
              See SSL_CTX_set_options(3)

       TLS_BLOCK_PADDING_BUG
              See SSL_CTX_set_options(3)

       TLS_ROLLBACK_BUG
              See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7
              and later. Nobody should still be using 0.9.6!

       DONT_INSERT_EMPTY_FRAGMENTS
              See SSL_CTX_set_options(3)

       CRYPTOPRO_TLSEXT_BUG
              New with GOST support in OpenSSL 1.0.0.

       This feature is available in Postfix 2.8 and later.

tls_eecdh_strong_curve (default: prime256v1)

       The elliptic curve used by the Postfix SMTP server for sensibly strong
       ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
       server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
       strong" means approximately 128-bit security based on best known
       attacks. The selected curve must be implemented by OpenSSL (as reported
       by ecparam(1) with the "-list_curves" option) and be one of the curves
       listed in Section 5.1.1 of RFC 4492. You should not generally change
       this setting.

       This default curve is specified in NSA "Suite B" Cryptography (see
       http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for information
       classified as SECRET.

       Note: elliptic curve names are poorly standardized; different standards
       groups are assigning different names to the same underlying curves.
       The curve with the X9.62 name "prime256v1" is also known under the SECG
       name "secp256r1", but OpenSSL does not recognize the latter name.

       This feature is available in Postfix 2.6 and later, when it is compiled
       and linked with OpenSSL 1.0.0 or later.

tls_eecdh_ultra_curve (default: secp384r1)

       The elliptic curve used by the Postfix SMTP server for maximally strong
       ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
       server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally
       strong" means approximately 192-bit security based on best known
       attacks. This additional strength comes at a significant computational
       cost; most users should instead set "smtpd_tls_eecdh_grade = strong".
       The selected curve must be implemented by OpenSSL (as reported by
       ecparam(1) with the "-list_curves" option) and be one of the curves
       listed in Section 5.1.1 of RFC 4492. You should not generally change
       this setting.

       This default "ultra" curve is specified in NSA "Suite B" Cryptography
       (see http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for information
       classified as TOP SECRET.

       This feature is available in Postfix 2.6 and later, when it is compiled
       and linked with OpenSSL 1.0.0 or later.

tls_export_cipherlist (default: ALL:+RC4:@STRENGTH)

       The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
       defines the meaning of the "export" setting in
       smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
       lmtp_tls_mandatory_ciphers. This is the cipherlist for the
       opportunistic ("may") TLS client security level and is the default
       cipherlist for the SMTP server. You are strongly encouraged to not
       change this setting. With OpenSSL 1.0.0 and later the cipherlist may
       start with an "aNULL:" prefix, which restores the 0.9.8-compatible
       ordering of the aNULL ciphers to the top of the list when they are
       enabled. This prefix is not needed with previous OpenSSL releases.

       This feature is available in Postfix 2.3 and later.

tls_high_cipherlist (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)

       The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the
       meaning of the "high" setting in smtpd_tls_mandatory_ciphers,
       smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
       strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
       later the cipherlist may start with an "aNULL:" prefix, which restores
       the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
       list when they are enabled. This prefix is not needed with previous
       OpenSSL releases.

       This feature is available in Postfix 2.3 and later.

tls_legacy_public_key_fingerprints (default: no)

       A temporary migration aid for sites that use certificate public-key
       fingerprints with Postfix 2.9.0..2.9.5, which use an incorrect
       algorithm. This parameter has no effect on the certificate fingerprint
       support that is available since Postfix 2.2.

       Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
       a migration from configuration files with incorrect Postfix
       2.9.0..2.9.5 certificate public-key fingerprints, to the correct
       fingerprints used by Postfix 2.9.6 and later. To compute the correct
       certificate public-key fingerprints, see TLS_README.

       This feature is available in Postfix 2.9.6 and later.

tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH)

       The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
       the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
       smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
       strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
       later the cipherlist may start with an "aNULL:" prefix, which restores
       the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
       list when they are enabled. This prefix is not needed with previous
       OpenSSL releases.

       This feature is available in Postfix 2.3 and later.

tls_medium_cipherlist (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH)

       The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
       defines the meaning of the "medium" setting in
       smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
       lmtp_tls_mandatory_ciphers. This is the default cipherlist for
       mandatory TLS encryption in the TLS client (with anonymous ciphers
       disabled when verifying server certificates). You are strongly
       encouraged to not change this setting. With OpenSSL 1.0.0 and later the
       cipherlist may start with an "aNULL:" prefix, which restores the
       0.9.8-compatible ordering of the aNULL ciphers to the top of the list
       when they are enabled. This prefix is not needed with previous OpenSSL
       releases.

       This feature is available in Postfix 2.3 and later.

tls_null_cipherlist (default: eNULL:!aNULL)

       The OpenSSL cipherlist for "NULL" grade ciphers that provide
       authentication without encryption. This defines the meaning of the
       "null" setting in smtpd_tls_mandatory_ciphers,
       smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
       strongly encouraged to not change this setting.

       This feature is available in Postfix 2.3 and later.

tls_preempt_cipherlist (default: no)

       With SSLv3 and later, use the Postfix SMTP server's cipher preference
       order instead of the remote client's cipher preference order.

       By default, the OpenSSL server selects the client's most preferred
       cipher that the server supports. With SSLv3 and later, the server may
       choose its own most preferred cipher that is supported (offered) by the
       client. Setting "tls_preempt_cipherlist = yes" enables server cipher
       preferences.

       While server cipher selection may in some cases lead to a more secure
       or performant cipher choice, there is some risk of interoperability
       issues. In the past, some SSL clients have listed lower priority
       ciphers that they did not implement correctly. If the server chooses a
       cipher that the client prefers less, it may select a cipher whose
       client implementation is flawed.

       This feature is available in Postfix 2.8 and later, in combination with
       OpenSSL 0.9.7 and later.

tls_random_bytes (default: 32)

       The number of bytes that tlsmgr(8) reads from $tls_random_source when
       (re)seeding the in-memory pseudo random number generator (PRNG) pool.
       The default of 32 bytes (256 bits) is good enough for 128-bit symmetric
       keys. If using EGD or a device file, a maximum of 255 bytes is read.

       This feature is available in Postfix 2.2 and later.

tls_random_exchange_name (default: see postconf -d output)

       Name of the pseudo random number generator (PRNG) state file that is
       maintained by tlsmgr(8). The file is created when it does not exist,
       and its length is fixed at 1024 bytes.

       As of version 2.5, Postfix no longer uses root privileges when opening
       this file, and the default file location was changed from
       ${config_directory}/prng_exch to ${data_directory}/prng_exch. As a
       migration aid, an attempt to open the file under a non-Postfix
       directory is redirected to the Postfix-owned data_directory, and a
       warning is logged.

       This feature is available in Postfix 2.2 and later.

tls_random_prng_update_period (default: 3600s)

       The time between attempts by tlsmgr(8) to save the state of the pseudo
       random number generator (PRNG) to the file specified with
       $tls_random_exchange_name.

       This feature is available in Postfix 2.2 and later.

tls_random_reseed_period (default: 3600s)

       The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
       pseudo random number generator (PRNG) pool from external sources. The
       actual time between re-seeding attempts is calculated using the PRNG,
       and is between 0 and the time specified.

       This feature is available in Postfix 2.2 and later.

tls_random_source (default: see postconf -d output)

       The external entropy source for the in-memory tlsmgr(8) pseudo random
       number generator (PRNG) pool. Be sure to specify a non-blocking source.
       If this source is not a regular file, the entropy source type must be
       prepended: egd:/path/to/egd_socket for a source with EGD compatible
       socket interface, or dev:/path/to/device for a device file.

       Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives
       timeout errors.

       This feature is available in Postfix 2.2 and later.

tlsproxy_enforce_tls (default: $smtpd_enforce_tls)

       Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
       require that clients use TLS encryption. See smtpd_enforce_tls for
       further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_service_name (default: tlsproxy)

       The name of the tlsproxy(8) service entry in master.cf. This service
       performs plaintext <=> TLS ciphertext conversion.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_CAfile (default: $smtpd_tls_CAfile)

       A file containing (PEM format) CA certificates of root CAs trusted to
       sign either remote SMTP client certificates or intermediate CA
       certificates. See smtpd_tls_CAfile for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_CApath (default: $smtpd_tls_CApath)

       A directory containing (PEM format) CA certificates of root CAs trusted
       to sign either remote SMTP client certificates or intermediate CA
       certificates. See smtpd_tls_CApath for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_always_issue_session_ids (default: $smtpd_tls_always_issue_session_ids)

       Force the Postfix tlsproxy(8) server to issue a TLS session id, even
       when TLS session caching is turned off. See
       smtpd_tls_always_issue_session_ids for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_ask_ccert (default: $smtpd_tls_ask_ccert)

       Ask a remote SMTP client for a client certificate. See
       smtpd_tls_ask_ccert for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_ccert_verifydepth (default: $smtpd_tls_ccert_verifydepth)

       The verification depth for remote SMTP client certificates. A depth of
       1 is sufficient if the issuing CA is listed in a local CA file. See
       smtpd_tls_ccert_verifydepth for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_cert_file (default: $smtpd_tls_cert_file)

       File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
       This file may also contain the Postfix tlsproxy(8) server private RSA
       key. See smtpd_tls_cert_file for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_ciphers (default: $smtpd_tls_ciphers)

       The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
       use with opportunistic TLS encryption. See smtpd_tls_ciphers for
       further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_dcert_file (default: $smtpd_tls_dcert_file)

       File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
       This file may also contain the Postfix tlsproxy(8) server private DSA
       key. See smtpd_tls_dcert_file for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_dh1024_param_file (default: $smtpd_tls_dh1024_param_file)

       File with DH parameters that the Postfix tlsproxy(8) server should use
       with EDH ciphers. See smtpd_tls_dh1024_param_file for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_dh512_param_file (default: $smtpd_tls_dh512_param_file)

       File with DH parameters that the Postfix tlsproxy(8) server should use
       with EDH ciphers. See smtpd_tls_dh512_param_file for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_dkey_file (default: $smtpd_tls_dkey_file)

       File with the Postfix tlsproxy(8) server DSA private key in PEM format.
       This file may be combined with the Postfix tlsproxy(8) server DSA
       certificate file specified with $smtpd_tls_dcert_file. See
       smtpd_tls_dkey_file for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_eccert_file (default: $smtpd_tls_eccert_file)

       File with the Postfix tlsproxy(8) server ECDSA certificate in PEM
       format. This file may also contain the Postfix tlsproxy(8) server
       private ECDSA key. See smtpd_tls_eccert_file for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_eckey_file (default: $smtpd_tls_eckey_file)

       File with the Postfix tlsproxy(8) server ECDSA private key in PEM
       format. This file may be combined with the Postfix tlsproxy(8) server
       ECDSA certificate file specified with $smtpd_tls_eccert_file. See
       smtpd_tls_eckey_file for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_eecdh_grade (default: $smtpd_tls_eecdh_grade)

       The Postfix tlsproxy(8) server security grade for ephemeral
       elliptic-curve Diffie-Hellman (EECDH) key exchange. See
       smtpd_tls_eecdh_grade for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_exclude_ciphers (default: $smtpd_tls_exclude_ciphers)

       List of ciphers or cipher types to exclude from the tlsproxy(8) server
       cipher list at all TLS security levels. See smtpd_tls_exclude_ciphers
       for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_fingerprint_digest (default: $smtpd_tls_fingerprint_digest)

       The message digest algorithm to construct remote SMTP
       client-certificate fingerprints. See smtpd_tls_fingerprint_digest for
       further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_key_file (default: $smtpd_tls_key_file)

       File with the Postfix tlsproxy(8) server RSA private key in PEM format.
       This file may be combined with the Postfix tlsproxy(8) server RSA
       certificate file specified with $smtpd_tls_cert_file. See
       smtpd_tls_key_file for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_loglevel (default: $smtpd_tls_loglevel)

       Enable additional Postfix tlsproxy(8) server logging of TLS activity.
       Each logging level also includes the information that is logged at a
       lower logging level. See smtpd_tls_loglevel for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_mandatory_ciphers (default: $smtpd_tls_mandatory_ciphers)

       The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
       use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for
       further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_mandatory_exclude_ciphers (default: $smtpd_tls_mandatory_exclude_ciphers)

       Additional list of ciphers or cipher types to exclude from the
       tlsproxy(8) server cipher list at mandatory TLS security levels. See
       smtpd_tls_mandatory_exclude_ciphers for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_mandatory_protocols (default: $smtpd_tls_mandatory_protocols)

       The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with
       mandatory TLS encryption. If the list is empty, the server supports all
       available SSL/TLS protocol versions. See smtpd_tls_mandatory_protocols
       for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_protocols (default: $smtpd_tls_protocols)

       List of TLS protocols that the Postfix tlsproxy(8) server will exclude
       or include with opportunistic TLS encryption. See smtpd_tls_protocols
       for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_req_ccert (default: $smtpd_tls_req_ccert)

       With mandatory TLS encryption, require a trusted remote SMTP client
       certificate in order to allow TLS connections to proceed. See
       smtpd_tls_req_ccert for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_security_level (default: $smtpd_tls_security_level)

       The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
       non-empty value is specified, this overrides the obsolete parameters
       smtpd_use_tls and smtpd_enforce_tls. See smtpd_tls_security_level for
       further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_session_cache_timeout (default: $smtpd_tls_session_cache_timeout)

       The expiration time of Postfix tlsproxy(8) server TLS session cache
       information. A cache cleanup is performed periodically every
       $smtpd_tls_session_cache_timeout seconds. See
       smtpd_tls_session_cache_timeout for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_use_tls (default: $smtpd_use_tls)

       Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
       but do not require that clients use TLS encryption. See smtpd_use_tls
       for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_watchdog_timeout (default: 10s)

       How much time a tlsproxy(8) process may take to process local or remote
       I/O before it is terminated by a built-in watchdog timer. This is a
       safety mechanism that prevents tlsproxy(8) from becoming non-responsive
       due to a bug in Postfix itself or in system software. To avoid false
       alarms and unnecessary cache corruption this limit cannot be set under
       10s.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.
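
       The tls_legacy_public_key_fingerprints, tls_*_cipherlist and
       tlsproxy_* entries above lend themselves to a mechanical check of
       main.cf. The Python sketch below is an added example, not part of
       Postfix or of this manual; the sample main.cf text, the function names
       and the finding labels are constructed for illustration, and a time
       value without a suffix is assumed to mean seconds.

```python
import re

# Defaults as documented in this manual section.
CIPHERLIST_DEFAULTS = {
    "tls_low_cipherlist": "ALL:!EXPORT:+RC4:@STRENGTH",
    "tls_medium_cipherlist": "ALL:!EXPORT:!LOW:+RC4:@STRENGTH",
    "tls_null_cipherlist": "eNULL:!aNULL",
}

# Constructed sample input, not a real configuration.
SAMPLE_MAIN_CF = """\
# constructed sample
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ALL:+RC4:@STRENGTH
tls_low_cipherlist = aNULL:ALL:!EXPORT:+RC4:@STRENGTH
tls_legacy_public_key_fingerprints = yes
tlsproxy_tls_security_level = may
tlsproxy_tls_mandatory_ciphers =
    $smtpd_tls_mandatory_ciphers
tlsproxy_watchdog_timeout = 2m
tlsproxy_watchdog_timeout = 5s
"""


def parse_main_cf(text):
    """Parse main.cf text: comments and blank lines are skipped, a line that
    starts with whitespace continues the logical line, last definition wins."""
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + stripped
        else:
            logical.append(stripped)
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


_REF = re.compile(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))")


def expand(value, params, depth=0):
    """Expand $name, ${name} and $(name) recursively. The conditional
    ${name?value} and ${name:value} forms and "$$" are not handled here."""
    if depth > 10:
        return value

    def repl(match):
        name = match.group(1) or match.group(2) or match.group(3)
        return expand(params.get(name, ""), params, depth + 1)

    return _REF.sub(repl, value)


_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(value):
    """Convert '90', '10s', '2m', ... to seconds; None if not a time value."""
    match = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not match:
        return None
    return int(match.group(1)) * _UNITS[match.group(2) or "s"]


def audit(params):
    """Return (parameter, finding) pairs for settings worth a second look."""
    findings = []
    legacy = params.get("tls_legacy_public_key_fingerprints", "no")
    if legacy.strip().lower() == "yes":
        findings.append(("tls_legacy_public_key_fingerprints",
                         "legacy-migration-aid-enabled"))
    for name, default in CIPHERLIST_DEFAULTS.items():
        if name not in params:
            continue
        allowed = {default}
        if name != "tls_null_cipherlist":
            allowed.add("aNULL:" + default)  # prefix documented for low/medium
        if expand(params[name], params) not in allowed:
            findings.append((name, "cipherlist-changed"))
    for name in sorted(params):
        if not (name.startswith("tlsproxy_tls_")
                or name in ("tlsproxy_use_tls", "tlsproxy_enforce_tls")):
            continue
        twin = "smtpd_" + name[len("tlsproxy_"):]
        if twin not in params:
            findings.append((name, "set-but-smtpd-twin-unset"))
        elif expand(params[name], params) != expand(params[twin], params):
            findings.append((name, "differs-from-smtpd"))
    watchdog = params.get("tlsproxy_watchdog_timeout")
    if watchdog is not None:
        seconds = to_seconds(expand(watchdog, params))
        if seconds is None or seconds < 10:
            findings.append(("tlsproxy_watchdog_timeout",
                             "invalid-or-below-10s"))
    return findings
```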

trace_service_name (default: trace)

       The name of the trace service. This service is implemented by the
       bounce(8) daemon and maintains a record of mail deliveries and produces
       a mail delivery report when verbose delivery is requested with
       "sendmail -v".

       This feature is available in Postfix 2.1 and later.

transport_delivery_slot_cost (default: $default_delivery_slot_cost)

       A transport-specific override for the default_delivery_slot_cost
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_cost parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_cost").

transport_delivery_slot_discount (default: $default_delivery_slot_discount)

       A transport-specific override for the default_delivery_slot_discount
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_discount parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_discount").

transport_delivery_slot_loan (default: $default_delivery_slot_loan)

       A transport-specific override for the default_delivery_slot_loan
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_loan parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_loan").

transport_destination_concurrency_failed_cohort_limit (default: $default_destination_concurrency_failed_cohort_limit)

       A transport-specific override for the
       default_destination_concurrency_failed_cohort_limit parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_failed_cohort_limit
       parameters will not show up in "postconf" command output before Postfix
       version 2.9. This limitation applies to many parameters whose name is a
       combination of a master.cf service name and a built-in suffix (in this
       case: "_destination_concurrency_failed_cohort_limit").

       This feature is available in Postfix 2.5 and later.

transport_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       A transport-specific override for the
       default_destination_concurrency_limit parameter value, where transport
       is the master.cf name of the message delivery transport.

       Note: some transport_destination_concurrency_limit parameters will not
       show up in "postconf" command output before Postfix version 2.9. This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_concurrency_limit").

transport_destination_concurrency_negative_feedback (default: $default_destination_concurrency_negative_feedback)

       A transport-specific override for the
       default_destination_concurrency_negative_feedback parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_negative_feedback
       parameters will not show up in "postconf" command output before Postfix
       version 2.9. This limitation applies to many parameters whose name is a
       combination of a master.cf service name and a built-in suffix (in this
       case: "_destination_concurrency_negative_feedback").

       This feature is available in Postfix 2.5 and later.

transport_destination_concurrency_positive_feedback (default: $default_destination_concurrency_positive_feedback)

       A transport-specific override for the
       default_destination_concurrency_positive_feedback parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_positive_feedback
       parameters will not show up in "postconf" command output before Postfix
       version 2.9. This limitation applies to many parameters whose name is a
       combination of a master.cf service name and a built-in suffix (in this
       case: "_destination_concurrency_positive_feedback").

       This feature is available in Postfix 2.5 and later.

transport_destination_rate_delay (default: $default_destination_rate_delay)

       A transport-specific override for the default_destination_rate_delay
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: some transport_destination_rate_delay parameters will not show up
       in "postconf" command output before Postfix version 2.9. This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_rate_delay").

       This feature is available in Postfix 2.5 and later.

transport_destination_recipient_limit (default: $default_destination_recipient_limit)

       A transport-specific override for the
       default_destination_recipient_limit parameter value, where transport is
       the master.cf name of the message delivery transport.

       Note: some transport_destination_recipient_limit parameters will not
       show up in "postconf" command output before Postfix version 2.9. This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_recipient_limit").

transport_extra_recipient_limit (default: $default_extra_recipient_limit)

       A transport-specific override for the default_extra_recipient_limit
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_extra_recipient_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_extra_recipient_limit").

transport_initial_destination_concurrency (default: $initial_destination_concurrency)

       A transport-specific override for the initial_destination_concurrency
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: some transport_initial_destination_concurrency parameters will
       not show up in "postconf" command output before Postfix version 2.9.
       This limitation applies to many parameters whose name is a combination
       of a master.cf service name and a built-in suffix (in this case:
       "_initial_destination_concurrency").

       This feature is available in Postfix 2.5 and later.

transport_maps (default: empty)

       Optional lookup tables with mappings from recipient address to (message
       delivery transport, next-hop destination). See transport(5) for
       details.

       Specify zero or more "type:table" lookup tables. If you use this
       feature with local files, run "postmap /etc/postfix/transport" after
       making a change.

       For safety reasons, as of Postfix 2.3 this feature does not allow
       $number substitutions in regular expression maps.

       Examples:

       transport_maps = dbm:/etc/postfix/transport
       transport_maps = hash:/etc/postfix/transport

transport_minimum_delivery_slots (default: $default_minimum_delivery_slots)

       A transport-specific override for the default_minimum_delivery_slots
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_minimum_delivery_slots parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_minimum_delivery_slots").

transport_recipient_limit (default: $default_recipient_limit)

       A transport-specific override for the default_recipient_limit parameter
       value, where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_recipient_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case: "_recipient_limit").

transport_recipient_refill_delay (default: $default_recipient_refill_delay)

       A transport-specific override for the default_recipient_refill_delay
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_recipient_refill_delay parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_recipient_refill_delay").

       This feature is available in Postfix 2.4 and later.

transport_recipient_refill_limit (default: $default_recipient_refill_limit)

       A transport-specific override for the default_recipient_refill_limit
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_recipient_refill_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_recipient_refill_limit").

       This feature is available in Postfix 2.4 and later.

transport_retry_time (default: 60s)

       The time between attempts by the Postfix queue manager to contact a
       malfunctioning message delivery transport.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

transport_time_limit (default: $command_time_limit)

       A transport-specific override for the command_time_limit parameter
       value, where transport is the master.cf name of the message delivery
       transport.

       Note: transport_time_limit parameters will not show up in "postconf"
       command output before Postfix version 2.9. This limitation applies to
       many parameters whose name is a combination of a master.cf service name
       and a built-in suffix (in this case: "_time_limit").
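
       The transport_* entries above all follow one naming rule: a master.cf
       service name plus a built-in suffix, falling back to the parameter
       named in "(default: ...)". The Python sketch below is an added example,
       not Postfix code; the suffix table is taken from the entries above,
       while the service names, the sample values and the function names are
       constructed for illustration.

```python
# Built-in suffix -> parameter that supplies the value when no
# transport-specific override is set (from the "(default: $...)" headings).
SUFFIX_FALLBACK = {
    "_delivery_slot_cost": "default_delivery_slot_cost",
    "_delivery_slot_discount": "default_delivery_slot_discount",
    "_delivery_slot_loan": "default_delivery_slot_loan",
    "_destination_concurrency_failed_cohort_limit":
        "default_destination_concurrency_failed_cohort_limit",
    "_destination_concurrency_limit": "default_destination_concurrency_limit",
    "_destination_concurrency_negative_feedback":
        "default_destination_concurrency_negative_feedback",
    "_destination_concurrency_positive_feedback":
        "default_destination_concurrency_positive_feedback",
    "_destination_rate_delay": "default_destination_rate_delay",
    "_destination_recipient_limit": "default_destination_recipient_limit",
    "_extra_recipient_limit": "default_extra_recipient_limit",
    "_initial_destination_concurrency": "initial_destination_concurrency",
    "_minimum_delivery_slots": "default_minimum_delivery_slots",
    "_recipient_limit": "default_recipient_limit",
    "_recipient_refill_delay": "default_recipient_refill_delay",
    "_recipient_refill_limit": "default_recipient_refill_limit",
    "_time_limit": "command_time_limit",
}

# Constructed sample data: master.cf service names and main.cf settings.
SAMPLE_SERVICES = {"smtp", "relay", "slow"}
SAMPLE_PARAMS = {
    "default_destination_concurrency_limit": "20",
    "slow_destination_concurrency_limit": "2",
    "slow_destination_recipient_limit": "5",
    "command_time_limit": "1000s",
    "transport_maps": "hash:/etc/postfix/transport",
}


def split_override(name, services):
    """Split a parameter name into (service, suffix) if it is a
    transport-specific override for one of the given services, else None.

    Suffixes overlap ("_recipient_limit" also ends
    "_destination_recipient_limit"), so a split only counts when the
    remaining prefix is a known service; longer suffixes are tried first.
    """
    for suffix in sorted(SUFFIX_FALLBACK, key=len, reverse=True):
        if name.endswith(suffix) and name[:-len(suffix)] in services:
            return name[:-len(suffix)], suffix
    return None


def effective(params, service, suffix):
    """Return (value, source parameter) for one service and suffix.

    A value of None means neither the override nor the fallback is set in
    params, so the built-in default shown by "postconf -d" applies.
    """
    override = service + suffix
    if override in params:
        return params[override], override
    fallback = SUFFIX_FALLBACK[suffix]
    return params.get(fallback), fallback


def overrides_in(params, services):
    """List (parameter, service, suffix) for every override set in params."""
    found = []
    for name in sorted(params):
        split = split_override(name, services)
        if split is not None:
            found.append((name,) + split)
    return found
```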

trigger_timeout (default: 10s)

       The time limit for sending a trigger to a Postfix daemon (for example,
       the pickup(8) or qmgr(8) daemon). This time limit prevents programs
       from getting stuck when the mail system is under heavy load.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

undisclosed_recipients_header (default: see postconf -d output)

       Message header that the Postfix cleanup(8) server inserts when a
       message contains no To: or Cc: message header. With Postfix 2.8 and
       later, the default value is empty. With Postfix 2.4-2.7, specify an
       empty value to disable this feature.

       Example:

       # Default value before Postfix 2.8.
       # Note: the ":" and ";" are both required.
       undisclosed_recipients_header = To: undisclosed-recipients:;

unknown_address_reject_code (default: 450)

       The numerical Postfix SMTP server response code when a sender or
       recipient address is rejected by the reject_unknown_sender_domain or
       reject_unknown_recipient_domain restriction. The response is always
       450 in case of a temporary DNS error.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_address_tempfail_action (default: $reject_tempfail_action)

       The Postfix SMTP server's action when reject_unknown_sender_domain or
       reject_unknown_recipient_domain fail due to a temporary error
       condition. Specify "defer" to defer the remote SMTP client request
       immediately. With the default "defer_if_permit" action, the Postfix
       SMTP server continues to look for opportunities to reject mail, and
       defers the client request only if it would otherwise be accepted.

       This feature is available in Postfix 2.6 and later.

unknown_client_reject_code (default: 450)

       The numerical Postfix SMTP server response code when a client without
       valid address <=> name mapping is rejected by the
       reject_unknown_client_hostname restriction. The SMTP server always
       replies with 450 when the mapping failed due to a temporary error
       condition.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_helo_hostname_tempfail_action (default: $reject_tempfail_action)

       The Postfix SMTP server's action when reject_unknown_helo_hostname
       fails due to a temporary error condition. Specify "defer" to defer the
       remote SMTP client request immediately. With the default
       "defer_if_permit" action, the Postfix SMTP server continues to look for
       opportunities to reject mail, and defers the client request only if it
       would otherwise be accepted.

       This feature is available in Postfix 2.6 and later.

unknown_hostname_reject_code (default: 450)

       The numerical Postfix SMTP server response code when the hostname
       specified with the HELO or EHLO command is rejected by the
       reject_unknown_helo_hostname restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_local_recipient_reject_code (default: 550)

10587       The numerical Postfix  SMTP  server  response  code  when  a  recipient
10588       address  is local, and $local_recipient_maps specifies a list of lookup
10589       tables that does not match the recipient.  A recipient address is local
10590       when   its   domain   matches   $mydestination,   $proxy_interfaces  or
10591       $inet_interfaces.
10592
10593       The default setting is 550 (reject mail) but it is safer  to  initially
10594       use  450  (try  again  later)  so  you  have  time  to find out if your
10595       local_recipient_maps settings are OK.
10596
10597       Example:
10598
10599       unknown_local_recipient_reject_code = 450
10600
10601       This feature is available in Postfix 2.0 and later.
10602

unknown_relay_recipient_reject_code (default: 550)

10604       The numerical Postfix SMTP server reply code when a  recipient  address
10605       matches  $relay_domains,  and  relay_recipient_maps specifies a list of
10606       lookup tables that does not match the recipient address.
10607
10608       This feature is available in Postfix 2.0 and later.
10609

unknown_virtual_alias_reject_code (default: 550)

10611       The Postfix SMTP server reply code when  a  recipient  address  matches
10612       $virtual_alias_domains,  and  $virtual_alias_maps  specifies  a list of
10613       lookup tables that does not match the recipient address.
10614
10615       This feature is available in Postfix 2.0 and later.
10616

unknown_virtual_mailbox_reject_code (default: 550)

10618       The Postfix SMTP server reply code when  a  recipient  address  matches
10619       $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
10620       lookup tables that does not match the recipient address.
10621
10622       This feature is available in Postfix 2.0 and later.
10623

unverified_recipient_defer_code (default: 450)

10625       The numerical Postfix SMTP server response  when  a  recipient  address
10626       probe fails due to a temporary error condition.
10627
10628       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
10629       address anyway.
10630
10631       Do not change this unless you have  a  complete  understanding  of  RFC
10632       5321.
10633
10634       This feature is available in Postfix 2.6 and later.
10635

unverified_recipient_reject_code (default: 450)

10637       The  numerical Postfix SMTP server response when a recipient address is
10638       rejected by the reject_unverified_recipient restriction.
10639
10640       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
10641       address anyway.
10642
10643       Do  not  change  this  unless  you have a complete understanding of RFC
10644       5321.
10645
10646       This feature is available in Postfix 2.1 and later.
10647

unverified_recipient_reject_reason (default: empty)

10649       The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
10650       fied_recipient.  Do  not  include  the  numeric  SMTP reply code or the
10651       enhanced status code. By default, the response includes actual  address
10652       verification details.
10653
10654       Example:
10655
10656       unverified_recipient_reject_reason = Recipient address lookup failed
10657
10658       This feature is available in Postfix 2.6 and later.
10659

unverified_recipient_tempfail_action (default: $reject_tempfail_action)

10661       The Postfix SMTP server's action when reject_unverified_recipient fails
10662       due to a temporary error condition. Specify "defer" to defer the remote
10663       SMTP  client  request  immediately.  With the default "defer_if_permit"
10664       action, the Postfix SMTP server continues to look for opportunities  to
10665       reject  mail,  and defers the client request only if it would otherwise
10666       be accepted.
10667
10668       This feature is available in Postfix 2.6 and later.
10669

unverified_sender_defer_code (default: 450)

10671       The numerical Postfix SMTP server response code when a  sender  address
10672       probe fails due to a temporary error condition.
10673
10674       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
10675       address anyway.
10676
10677       Do not change this unless you have  a  complete  understanding  of  RFC
10678       5321.
10679
10680       This feature is available in Postfix 2.6 and later.
10681

unverified_sender_reject_code (default: 450)

10683       The  numerical  Postfix  SMTP  server  response  code  when a recipient
10684       address is rejected by the reject_unverified_sender restriction.
10685
10686       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
10687       address anyway.
10688
10689       Do  not  change  this  unless  you have a complete understanding of RFC
10690       5321.
10691
10692       This feature is available in Postfix 2.1 and later.
10693

unverified_sender_reject_reason (default: empty)

10695       The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
10696       fied_sender. Do not include the numeric SMTP reply code or the enhanced
10697       status code. By default, the response includes actual address verifica‐
10698       tion details.
10699
10700       Example:
10701
10702       unverified_sender_reject_reason = Sender address lookup failed
10703
10704       This feature is available in Postfix 2.6 and later.
10705

unverified_sender_tempfail_action (default: $reject_tempfail_action)

10707       The  Postfix  SMTP  server's action when reject_unverified_sender fails
10708       due to a temporary error condition. Specify "defer" to defer the remote
10709       SMTP  client  request  immediately.  With the default "defer_if_permit"
10710       action, the Postfix SMTP server continues to look for opportunities  to
10711       reject  mail,  and defers the client request only if it would otherwise
10712       be accepted.
10713
10714       This feature is available in Postfix 2.6 and later.
10715
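       The difference between "defer" and "defer_if_permit" in the four
       *_tempfail_action parameters above, as an added Python model (not
       Postfix code). The function names, the outcome labels and the single
       restriction list are assumptions of this example.

```python
"""Added model of the *_tempfail_action parameters; not Postfix source code."""

# Parameter that governs a temporary failure of each restriction (per this page).
TEMPFAIL_PARAM = {
    "reject_unknown_sender_domain": "unknown_address_tempfail_action",
    "reject_unknown_recipient_domain": "unknown_address_tempfail_action",
    "reject_unknown_helo_hostname": "unknown_helo_hostname_tempfail_action",
    "reject_unverified_recipient": "unverified_recipient_tempfail_action",
    "reject_unverified_sender": "unverified_sender_tempfail_action",
}


def tempfail_action(restriction, main_cf):
    """Resolve the action, following the $reject_tempfail_action default."""
    default = main_cf.get("reject_tempfail_action", "defer_if_permit")
    value = main_cf.get(TEMPFAIL_PARAM[restriction], "$reject_tempfail_action")
    return default if value == "$reject_tempfail_action" else value


def evaluate(checks, main_cf):
    """Return (decision, restriction) for one SMTP client request.

    checks: (restriction, outcome) pairs in evaluation order, where outcome
    is "ok", "reject" or "tempfail" (labels invented for this example).
    """
    pending = None  # first restriction that asked for defer_if_permit
    for restriction, outcome in checks:
        if outcome == "reject":
            # A later reject still wins over a remembered temporary failure.
            return ("reject", restriction)
        if outcome == "tempfail":
            if tempfail_action(restriction, main_cf) == "defer":
                return ("defer", restriction)  # defer immediately
            pending = pending or restriction   # keep looking for a reject
    # Nothing rejected: defer only because the mail would otherwise be accepted.
    return ("defer", pending) if pending else ("accept", None)


# Constructed sample: DNS lookup for the sender domain fails temporarily and
# a later restriction would reject the same request.
SAMPLE = [
    ("reject_unknown_sender_domain", "tempfail"),
    ("reject_unauth_destination", "reject"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, {}))
    print(evaluate(SAMPLE, {"unknown_address_tempfail_action": "defer"}))
```

       With the default, the sample request gets the permanent reject from the
       later restriction; with "defer" the client gets a temporary error and
       will retry.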

verp_delimiter_filter (default: -=+)

10717       The characters Postfix accepts as  VERP  delimiter  characters  on  the
10718       Postfix sendmail(1) command line and in SMTP commands.
10719
10720       This feature is available in Postfix 1.1 and later.
10721

virtual_alias_domains (default: $virtual_alias_maps)

10723       Postfix  is  final  destination for the specified list of virtual alias
10724       domains, that is, domains  for  which  all  addresses  are  aliased  to
10725       addresses  in  other local or remote domains. The SMTP server validates
10726       recipient addresses with $virtual_alias_maps and  rejects  non-existent
10727       recipients.   See   also   the   virtual  alias  domain  class  in  the
10728       ADDRESS_CLASS_README file.
10729
10730       This feature is available in Postfix 2.0 and later. The  default  value
10731       is backwards compatible with Postfix version 1.1.
10732
10733       The  default  value  is  $virtual_alias_maps  so  that you can keep all
10734       information about virtual alias domains in one place.  If you have many
10735       users,  it  is  better  to  separate information that changes more fre‐
10736       quently (virtual address ->  local  or  remote  address  mapping)  from
10737       information  that  changes  less frequently (the list of virtual domain
10738       names).
10739
10740       Specify a list of host or domain names,  "/file/name"  or  "type:table"
10741       patterns, separated by commas and/or whitespace. A "/file/name" pattern
10742       is replaced by its contents; a "type:table"  lookup  table  is  matched
10743       when  a  table  entry  matches  a  lookup  string (the lookup result is
10744       ignored).  Continue long lines by starting the next  line  with  white‐
10745       space.  Specify  "!pattern"  to  exclude a host or domain name from the
10746       list. The form "!/file/name" is supported only in Postfix  version  2.4
10747       and later.
10748
10749       See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
10750       ther information.
10751
10752       Example:
10753
10754       virtual_alias_domains = virtual1.tld virtual2.tld
10755

virtual_alias_expansion_limit (default: 1000)

10757       The maximal number of addresses that virtual alias  expansion  produces
10758       from each original recipient.
10759
10760       This feature is available in Postfix 2.1 and later.
10761

virtual_alias_maps (default: $virtual_maps)

10763       Optional lookup tables that alias specific mail addresses or domains to
10764       other local or remote addresses.  The table format and lookups are docu‐
10765       mented  in virtual(5). For an overview of Postfix address manipulations
10766       see the ADDRESS_REWRITING_README document.
10767
10768       This feature is available in Postfix 2.0 and later. The  default  value
10769       is backwards compatible with Postfix version 1.1.
10770
10771       If  you  use  this  feature with indexed files, run "postmap /etc/post‐
10772       fix/virtual" after changing the file.
10773
10774       Examples:
10775
10776       virtual_alias_maps = dbm:/etc/postfix/virtual
10777       virtual_alias_maps = hash:/etc/postfix/virtual
10778

virtual_alias_recursion_limit (default: 1000)

10780       The maximal nesting depth of virtual alias  expansion.   Currently  the
10781       recursion  limit  is  applied  only to the left branch of the expansion
10782       graph, so the depth of the tree can in the worst case reach the sum  of
10783       the expansion and recursion limits.  This may change in the future.
10784
10785       This feature is available in Postfix 2.1 and later.
10786

virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)

10789       The maximal number of parallel deliveries to the same  destination  via
10790       the  virtual  message delivery transport. This limit is enforced by the
10791       queue manager. The message delivery transport name is the  first  field
10792       in the entry in the master.cf file.
10793

virtual_destination_recipient_limit (default: $default_destination_recipient_limit)

10796       The maximal number of recipients per message for  the  virtual  message
10797       delivery  transport.  This  limit is enforced by the queue manager. The
10798       message delivery transport name is the first field in the entry in  the
10799       master.cf file.
10800
10801       Setting  this  parameter  to  a  value of 1 changes the meaning of vir‐
10802       tual_destination_concurrency_limit from  concurrency  per  domain  into
10803       concurrency per recipient.
10804

virtual_gid_maps (default: empty)

10806       Lookup  tables  with  the per-recipient group ID for virtual(8) mailbox
10807       delivery.
10808
10809       This parameter is specific to the virtual(8) delivery agent.   It  does
10810       not  apply  when  mail is delivered with a different mail delivery pro‐
10811       gram.
10812
10813       In a lookup table, specify a left-hand side of "@domain.tld"  to  match
10814       any  user  in  the  specified  domain  that  does  not  have a specific
10815       "user@domain.tld" entry.
10816
10817       When  a  recipient  address   has   an   optional   address   extension
10818       (user+foo@domain.tld),  the virtual(8) delivery agent looks up the full
10819       address first, and when the lookup fails, it looks  up  the  unextended
10820       address (user@domain.tld).
10821
10822       Note  1:  for security reasons, the virtual(8) delivery agent disallows
10823       regular expression substitution of $1 etc. in regular expression lookup
10824       tables, because that would open a security hole.
10825
10826       Note  2:  for  security  reasons,  the  virtual(8)  delivery agent will
10827       silently ignore requests to use the proxymap(8) server. Instead it will
10828       open  the  table  directly.  Before Postfix version 2.2, the virtual(8)
10829       delivery agent will terminate with a fatal error.
10830

virtual_mailbox_base (default: empty)

10832       A prefix that the virtual(8) delivery agent prepends  to  all  pathname
10833       results  from  $virtual_mailbox_maps  table  lookups.  This is a safety
10834       measure to ensure that an out of control map doesn't  litter  the  file
10835       system with mailboxes.  While virtual_mailbox_base could be set to "/",
10836       this setting isn't recommended.
10837
10838       This parameter is specific to the virtual(8) delivery agent.   It  does
10839       not  apply  when  mail is delivered with a different mail delivery pro‐
10840       gram.
10841
10842       Example:
10843
10844       virtual_mailbox_base = /var/mail
10845

virtual_mailbox_domains (default: $virtual_mailbox_maps)

10847       Postfix is final destination for the specified list of domains; mail is
10848       delivered  via  the  $virtual_transport  mail  delivery  transport.  By
10849       default this is the Postfix virtual(8) delivery agent.  The SMTP server
10850       validates  recipient  addresses  with $virtual_mailbox_maps and rejects
10851       mail for non-existent recipients.  See also the virtual mailbox  domain
10852       class in the ADDRESS_CLASS_README file.
10853
10854       This  parameter expects the same syntax as the mydestination configura‐
10855       tion parameter.
10856
10857       This feature is available in Postfix 2.0 and later. The  default  value
10858       is backwards compatible with Postfix version 1.1.
10859

virtual_mailbox_limit (default: 51200000)

10861       The  maximal  size  in  bytes  of  an  individual virtual(8) mailbox or
10862       maildir file, or zero (no limit).
10863
10864       This parameter is specific to the virtual(8) delivery agent.   It  does
10865       not  apply  when  mail is delivered with a different mail delivery pro‐
10866       gram.
10867

virtual_mailbox_lock (default: see postconf -d output)

10869       How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
10870       For  a  list  of  available file locking methods, use the "postconf -l"
10871       command.
10872
10873       This parameter is specific to the virtual(8) delivery agent.   It  does
10874       not  apply  when  mail is delivered with a different mail delivery pro‐
10875       gram.
10876
10877       This setting is ignored  with  maildir  style  delivery,  because  such
10878       deliveries are safe without application-level locks.
10879
10880       Note  1:  the dotlock method requires that the recipient UID or GID has
10881       write access to the parent directory of the recipient's mailbox file.
10882
10883       Note 2: the default setting of this parameter is system dependent.
10884

virtual_mailbox_maps (default: empty)

10886       Optional lookup tables with all valid addresses  in  the  domains  that
10887       match $virtual_mailbox_domains.
10888
10889       In  a  lookup table, specify a left-hand side of "@domain.tld" to match
10890       any user in  the  specified  domain  that  does  not  have  a  specific
10891       "user@domain.tld" entry.
10892
10893       The  remainder  of  this  text  is  specific to the virtual(8) delivery
10894       agent.  It does not apply when mail is delivered with a different  mail
10895       delivery program.
10896
10897       The virtual(8) delivery agent uses this table to look up the per-recip‐
10898       ient mailbox or maildir pathname.  If the lookup result ends in a slash
10899       ("/"),  maildir-style  delivery  is  carried out, otherwise the path is
10900       assumed to specify a UNIX-style mailbox file.  Note that $virtual_mail‐
10901       box_base is unconditionally prepended to this path.
10902
10903       When   a   recipient   address   has   an  optional  address  extension
10904       (user+foo@domain.tld), the virtual(8) delivery agent looks up the  full
10905       address  first,  and  when the lookup fails, it looks up the unextended
10906       address (user@domain.tld).
10907
10908       Note 1: for security reasons, the virtual(8) delivery  agent  disallows
10909       regular expression substitution of $1 etc. in regular expression lookup
10910       tables, because that would open a security hole.
10911
10912       Note 2: for  security  reasons,  the  virtual(8)  delivery  agent  will
10913       silently ignore requests to use the proxymap(8) server. Instead it will
10914       open the table directly. Before Postfix  version  2.2,  the  virtual(8)
10915       delivery agent will terminate with a fatal error.
10916

virtual_maps (default: empty)

10918       Optional lookup tables with a) names of domains for which all addresses
10919       are aliased to addresses in other  local  or  remote  domains,  and  b)
10920       addresses  that  are  aliased  to  addresses  in  other local or remote
10921       domains.  Available before Postfix version 2.0.  With  Postfix  version
10922       2.0   and   later,   this   is  replaced  by  separate  controls:  vir‐
10923       tual_alias_domains and virtual_alias_maps.
10924

virtual_minimum_uid (default: 100)

10926       The minimum user ID value that the virtual(8) delivery agent accepts as
10927       a  result  from  $virtual_uid_maps  table lookup.  Returned values less
10928       than this will be rejected, and the message will be deferred.
10929
10930       This parameter is specific to the virtual(8) delivery agent.   It  does
10931       not  apply  when  mail is delivered with a different mail delivery pro‐
10932       gram.
10933

virtual_transport (default: virtual)

10935       The default mail delivery transport and next-hop destination for  final
10936       delivery  to domains listed with $virtual_mailbox_domains.  This infor‐
10937       mation can be overruled with the transport(5) table.
10938
10939       Specify a string of the form transport:nexthop, where transport is  the
10940       name  of  a mail delivery transport defined in master.cf.  The :nexthop
10941       destination is optional; its syntax is documented in the manual page of
10942       the corresponding delivery agent.
10943
10944       This feature is available in Postfix 2.0 and later.
10945

virtual_uid_maps (default: empty)

10947       Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
10948       ery agent uses while writing to the recipient's mailbox.
10949
10950       This parameter is specific to the virtual(8) delivery agent.   It  does
10951       not  apply  when  mail is delivered with a different mail delivery pro‐
10952       gram.
10953
10954       In a lookup table, specify a left-hand side of "@domain.tld"  to  match
10955       any  user  in  the  specified  domain  that  does  not  have a specific
10956       "user@domain.tld" entry.
10957
10958       When  a  recipient  address   has   an   optional   address   extension
10959       (user+foo@domain.tld),  the virtual(8) delivery agent looks up the full
10960       address first, and when the lookup fails, it looks  up  the  unextended
10961       address (user@domain.tld).
10962
10963       Note  1:  for security reasons, the virtual(8) delivery agent disallows
10964       regular expression substitution of $1 etc. in regular expression lookup
10965       tables, because that would open a security hole.
10966
10967       Note  2:  for  security  reasons,  the  virtual(8)  delivery agent will
10968       silently ignore requests to use the proxymap(8) server. Instead it will
10969       open  the  table  directly.  Before Postfix version 2.2, the virtual(8)
10970       delivery agent will terminate with a fatal error.
10971
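       How the virtual_mailbox_maps, virtual_mailbox_base, virtual_uid_maps,
       virtual_gid_maps and virtual_minimum_uid rules above combine for one
       recipient, as an added Python model (not Postfix code). The tables are
       constructed sample data; trying the "@domain.tld" entry last, the "/"
       separator after the base, and deferring on a missing UID/GID are
       assumptions of this example.

```python
"""Added model of the virtual(8) lookups on this page; not Postfix source code."""
from dataclasses import dataclass

CFG = {  # constructed sample configuration and lookup tables
    "virtual_mailbox_base": "/var/mail",
    "virtual_minimum_uid": 100,
    "unknown_virtual_mailbox_reject_code": 550,
    "virtual_mailbox_maps": {
        "alice@example.com": "example.com/alice/",
        "alice+lists@example.com": "example.com/alice-lists/",
        "@example.com": "example.com/catchall",
        "root@example.org": "example.org/root/",
    },
    "virtual_uid_maps": {"@example.com": "5000", "root@example.org": "0"},
    "virtual_gid_maps": {"@example.com": "5000", "root@example.org": "0"},
}


def lookup(table, address, delimiter="+"):
    """Full address first, then the unextended address, then "@domain.tld"."""
    local, _, domain = address.rpartition("@")
    keys = [address]
    unextended = local.split(delimiter, 1)[0]
    if unextended != local:
        keys.append(f"{unextended}@{domain}")
    keys.append(f"@{domain}")  # assumption: the catch-all is tried last
    for key in keys:
        if key in table:
            return table[key]
    return None


@dataclass
class Delivery:
    action: str          # "deliver", "defer" or "reject"
    path: str = ""
    style: str = ""      # "maildir" or "mailbox"
    uid: int = -1
    gid: int = -1
    reason: str = ""


def resolve(recipient, cfg=CFG):
    """Return the decision this page describes for one recipient address."""
    result = lookup(cfg["virtual_mailbox_maps"], recipient)
    if result is None:
        # The SMTP server rejects recipients the mailbox maps do not list.
        code = cfg["unknown_virtual_mailbox_reject_code"]
        return Delivery("reject", reason=f"{code} unknown virtual mailbox")
    uid = lookup(cfg["virtual_uid_maps"], recipient)
    gid = lookup(cfg["virtual_gid_maps"], recipient)
    if uid is None or gid is None:
        # Assumption of this example: a missing owner defers the message.
        return Delivery("defer", reason="no uid/gid for recipient")
    if int(uid) < cfg["virtual_minimum_uid"]:
        # Values below virtual_minimum_uid are rejected and the mail deferred.
        return Delivery("defer", reason=f"uid {uid} below virtual_minimum_uid")
    # virtual_mailbox_base is prepended unconditionally ("/" separator assumed).
    path = cfg["virtual_mailbox_base"].rstrip("/") + "/" + result
    style = "maildir" if result.endswith("/") else "mailbox"
    return Delivery("deliver", path, style, int(uid), int(gid))


if __name__ == "__main__":
    for rcpt in ("alice+lists@example.com", "alice+news@example.com",
                 "bob@example.com", "root@example.org", "carol@example.net"):
        print(rcpt, resolve(rcpt))
```

       The root@example.org entry shows why virtual_minimum_uid matters: a map
       that returns UID 0 produces a deferral instead of a delivery as root.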

SEE ALSO

10973       postconf(1), Postfix configuration parameter maintenance
10974       master(5), Postfix daemon configuration maintenance
10975

LICENSE

10977       The Secure Mailer license must be distributed with this software.
10978

AUTHOR(S)

10980       Wietse Venema
10981       IBM T.J. Watson Research
10982       P.O. Box 704
10983       Yorktown Heights, NY 10598, USA
10984
10985
10986
10987                                                                   POSTCONF(5)