1SMTPD(8) System Manager's Manual SMTPD(8)
2
6 smtpd - Postfix SMTP server
7
9 smtpd [generic Postfix daemon options]
10 sendmail -bs
12
14 The SMTP server accepts network connection requests and performs zero
15 or more SMTP transactions per connection. Each received message is
16 piped through the cleanup(8) daemon, and is placed into the incoming
17 queue as one single queue file. For this mode of operation, the pro‐
18 gram expects to be run from the master(8) process manager.
19 Alternatively, the SMTP server be can run in stand-alone mode; this is
21 traditionally obtained with "sendmail -bs". When the SMTP server runs
22 stand-alone with non $mail_owner privileges, it receives mail even
23 while the mail system is not running, deposits messages directly into
24 the maildrop queue, and disables the SMTP server's access policies. As
25 of Postfix version 2.3, the SMTP server refuses to receive mail from
26 the network when it runs with non $mail_owner privileges.
27 The SMTP server implements a variety of policies for connection
29 requests, and for parameters given to HELO, ETRN, MAIL FROM, VRFY and
30 RCPT TO commands. They are detailed below and in the main.cf configura‐
31 tion file.
32
34 The SMTP server is moderately security-sensitive. It talks to SMTP
35 clients and to DNS servers on the network. The SMTP server can be run
36 chrooted at fixed low privilege.
37
39 RFC 821 (SMTP protocol)
40 RFC 1123 (Host requirements)
41 RFC 1652 (8bit-MIME transport)
42 RFC 1869 (SMTP service extensions)
43 RFC 1870 (Message size declaration)
44 RFC 1985 (ETRN command)
45 RFC 2034 (SMTP enhanced status codes)
46 RFC 2554 (AUTH command)
47 RFC 2821 (SMTP protocol)
48 RFC 2920 (SMTP pipelining)
49 RFC 3207 (STARTTLS command)
50 RFC 3461 (SMTP DSN extension)
51 RFC 3463 (Enhanced status codes)
52 RFC 3848 (ESMTP transmission types)
53 RFC 4409 (Message submission)
54 RFC 4954 (AUTH command)
55 RFC 5321 (SMTP protocol)
56 RFC 6531 (Internationalized SMTP)
57 RFC 6533 (Internationalized Delivery Status Notifications)
58 RFC 7505 ("Null MX" No Service Resource Record)
59
61 Problems and transactions are logged to syslogd(8).
62 Depending on the setting of the notify_classes parameter, the postmas‐
64 ter is notified of bounces, protocol problems, policy violations, and
65 of other trouble.
66
68 Changes to main.cf are picked up automatically, as smtpd(8) processes
69 run for only a limited amount of time. Use the command "postfix reload"
70 to speed up a change.
71 The text below provides only a parameter summary. See postconf(5) for
73 more details including examples.
74
76 The following parameters work around implementation errors in other
77 software, and/or allow you to override standards in order to prevent
78 undesirable use.
79 broken_sasl_auth_clients (no)
81 Enable interoperability with remote SMTP clients that implement
82 an obsolete version of the AUTH command (RFC 4954).
83 disable_vrfy_command (no)
85 Disable the SMTP VRFY command.
86 smtpd_noop_commands (empty)
88 List of commands that the Postfix SMTP server replies to with
89 "250 Ok", without doing any syntax checks and without changing
90 state.
91 strict_rfc821_envelopes (no)
93 Require that addresses received in SMTP MAIL FROM and RCPT TO
94 commands are enclosed with <>, and that those addresses do not
95 contain RFC 822 style comments or phrases.
96 Available in Postfix version 2.1 and later:
98 smtpd_reject_unlisted_sender (no)
100 Request that the Postfix SMTP server rejects mail from unknown
101 sender addresses, even when no explicit reject_unlisted_sender
102 access restriction is specified.
103 smtpd_sasl_exceptions_networks (empty)
105 What remote SMTP clients the Postfix SMTP server will not offer
106 AUTH support to.
107 Available in Postfix version 2.2 and later:
109 smtpd_discard_ehlo_keyword_address_maps (empty)
111 Lookup tables, indexed by the remote SMTP client address, with
112 case insensitive lists of EHLO keywords (pipelining, starttls,
113 auth, etc.) that the Postfix SMTP server will not send in the
114 EHLO response to a remote SMTP client.
115 smtpd_discard_ehlo_keywords (empty)
117 A case insensitive list of EHLO keywords (pipelining, starttls,
118 auth, etc.) that the Postfix SMTP server will not send in the
119 EHLO response to a remote SMTP client.
120 smtpd_delay_open_until_valid_rcpt (yes)
122 Postpone the start of an SMTP mail transaction until a valid
123 RCPT TO command is received.
124 Available in Postfix version 2.3 and later:
126 smtpd_tls_always_issue_session_ids (yes)
128 Force the Postfix SMTP server to issue a TLS session id, even
129 when TLS session caching is turned off (smtpd_tls_ses‐
130 sion_cache_database is empty).
131 Available in Postfix version 2.6 and later:
133 tcp_windowsize (0)
135 An optional workaround for routers that break TCP window scal‐
136 ing.
137 Available in Postfix version 2.7 and later:
139 smtpd_command_filter (empty)
141 A mechanism to transform commands from remote SMTP clients.
142 Available in Postfix version 2.9 and later:
144 smtpd_per_record_deadline (normal: no, overload: yes)
146 Change the behavior of the smtpd_timeout and smtpd_start‐
147 tls_timeout time limits, from a time limit per read or write
148 system call, to a time limit to send or receive a complete
149 record (an SMTP command line, SMTP response line, SMTP message
150 content line, or TLS protocol message).
151 Available in Postfix version 3.0 and later:
153 smtpd_dns_reply_filter (empty)
155 Optional filter for Postfix SMTP server DNS lookup results.
156
158 See the ADDRESS_REWRITING_README document for a detailed discussion of
159 Postfix address rewriting.
160 receive_override_options (empty)
162 Enable or disable recipient validation, built-in content filter‐
163 ing, or address mapping.
164 Available in Postfix version 2.2 and later:
166 local_header_rewrite_clients (permit_inet_interfaces)
168 Rewrite message header addresses in mail from these clients and
169 update incomplete addresses with the domain name in $myorigin or
170 $mydomain; either don't rewrite message headers from other
171 clients at all, or rewrite message headers and update incomplete
172 addresses with the domain specified in the remote_header_re‐
173 write_domain parameter.
174
176 Available in Postfix version 2.10 and later:
177 smtpd_upstream_proxy_protocol (empty)
179 The name of the proxy protocol used by an optional before-smtpd
180 proxy agent.
181 smtpd_upstream_proxy_timeout (5s)
183 The time limit for the proxy protocol specified with the
184 smtpd_upstream_proxy_protocol parameter.
185
187 As of version 1.0, Postfix can be configured to send new mail to an
188 external content filter AFTER the mail is queued. This content filter
189 is expected to inject mail back into a (Postfix or other) MTA for fur‐
190 ther delivery. See the FILTER_README document for details.
191 content_filter (empty)
193 After the message is queued, send the entire message to the
194 specified transport:destination.
195
197 As of version 2.1, the Postfix SMTP server can be configured to send
198 incoming mail to a real-time SMTP-based content filter BEFORE mail is
199 queued. This content filter is expected to inject mail back into Post‐
200 fix. See the SMTPD_PROXY_README document for details on how to config‐
201 ure and operate this feature.
202 smtpd_proxy_filter (empty)
204 The hostname and TCP port of the mail filtering proxy server.
205 smtpd_proxy_ehlo ($myhostname)
207 How the Postfix SMTP server announces itself to the proxy fil‐
208 ter.
209 smtpd_proxy_options (empty)
211 List of options that control how the Postfix SMTP server commu‐
212 nicates with a before-queue content filter.
213 smtpd_proxy_timeout (100s)
215 The time limit for connecting to a proxy filter and for sending
216 or receiving information.
217
219 As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail
220 filter) protocol. These content filters run outside Postfix. They can
221 inspect the SMTP command stream and the message content, and can
222 request modifications before mail is queued. For details see the MIL‐
223 TER_README document.
224 smtpd_milters (empty)
226 A list of Milter (mail filter) applications for new mail that
227 arrives via the Postfix smtpd(8) server.
228 milter_protocol (6)
230 The mail filter protocol version and optional protocol exten‐
231 sions for communication with a Milter application; prior to
232 Postfix 2.6 the default protocol is 2.
233 milter_default_action (tempfail)
235 The default action when a Milter (mail filter) application is
236 unavailable or mis-configured.
237 milter_macro_daemon_name ($myhostname)
239 The {daemon_name} macro value for Milter (mail filter) applica‐
240 tions.
241 milter_macro_v ($mail_name $mail_version)
243 The {v} macro value for Milter (mail filter) applications.
244 milter_connect_timeout (30s)
246 The time limit for connecting to a Milter (mail filter) applica‐
247 tion, and for negotiating protocol options.
248 milter_command_timeout (30s)
250 The time limit for sending an SMTP command to a Milter (mail
251 filter) application, and for receiving the response.
252 milter_content_timeout (300s)
254 The time limit for sending message content to a Milter (mail
255 filter) application, and for receiving the response.
256 milter_connect_macros (see 'postconf -d' output)
258 The macros that are sent to Milter (mail filter) applications
259 after completion of an SMTP connection.
260 milter_helo_macros (see 'postconf -d' output)
262 The macros that are sent to Milter (mail filter) applications
263 after the SMTP HELO or EHLO command.
264 milter_mail_macros (see 'postconf -d' output)
266 The macros that are sent to Milter (mail filter) applications
267 after the SMTP MAIL FROM command.
268 milter_rcpt_macros (see 'postconf -d' output)
270 The macros that are sent to Milter (mail filter) applications
271 after the SMTP RCPT TO command.
272 milter_data_macros (see 'postconf -d' output)
274 The macros that are sent to version 4 or higher Milter (mail
275 filter) applications after the SMTP DATA command.
276 milter_unknown_command_macros (see 'postconf -d' output)
278 The macros that are sent to version 3 or higher Milter (mail
279 filter) applications after an unknown SMTP command.
280 milter_end_of_header_macros (see 'postconf -d' output)
282 The macros that are sent to Milter (mail filter) applications
283 after the end of the message header.
284 milter_end_of_data_macros (see 'postconf -d' output)
286 The macros that are sent to Milter (mail filter) applications
287 after the message end-of-data.
288 Available in Postfix version 3.1 and later:
290 milter_macro_defaults (empty)
292 Optional list of name=value pairs that specify default values
293 for arbitrary macros that Postfix may send to Milter applica‐
294 tions.
295 Available in Postfix version 3.2 and later:
297 smtpd_milter_maps (empty)
299 Lookup tables with Milter settings per remote SMTP client IP
300 address.
301
303 The following parameters are applicable for both built-in and external
304 content filters.
305 Available in Postfix version 2.1 and later:
307 receive_override_options (empty)
309 Enable or disable recipient validation, built-in content filter‐
310 ing, or address mapping.
311
313 The following parameters are applicable for both before-queue and
314 after-queue content filtering.
315 Available in Postfix version 2.1 and later:
317 smtpd_authorized_xforward_hosts (empty)
319 What remote SMTP clients are allowed to use the XFORWARD fea‐
320 ture.
321
323 Postfix SASL support (RFC 4954) can be used to authenticate remote SMTP
324 clients to the Postfix SMTP server, and to authenticate the Postfix
325 SMTP client to a remote SMTP server. See the SASL_README document for
326 details.
327 broken_sasl_auth_clients (no)
329 Enable interoperability with remote SMTP clients that implement
330 an obsolete version of the AUTH command (RFC 4954).
331 smtpd_sasl_auth_enable (no)
333 Enable SASL authentication in the Postfix SMTP server.
334 smtpd_sasl_local_domain (empty)
336 The name of the Postfix SMTP server's local SASL authentication
337 realm.
338 smtpd_sasl_security_options (noanonymous)
340 Postfix SMTP server SASL security options; as of Postfix 2.3 the
341 list of available features depends on the SASL server implemen‐
342 tation that is selected with smtpd_sasl_type.
343 smtpd_sender_login_maps (empty)
345 Optional lookup table with the SASL login names that own the
346 sender (MAIL FROM) addresses.
347 Available in Postfix version 2.1 and later:
349 smtpd_sasl_exceptions_networks (empty)
351 What remote SMTP clients the Postfix SMTP server will not offer
352 AUTH support to.
353 Available in Postfix version 2.1 and 2.2:
355 smtpd_sasl_application_name (smtpd)
357 The application name that the Postfix SMTP server uses for SASL
358 server initialization.
359 Available in Postfix version 2.3 and later:
361 smtpd_sasl_authenticated_header (no)
363 Report the SASL authenticated user name in the smtpd(8) Received
364 message header.
365 smtpd_sasl_path (smtpd)
367 Implementation-specific information that the Postfix SMTP server
368 passes through to the SASL plug-in implementation that is
369 selected with smtpd_sasl_type.
370 smtpd_sasl_type (cyrus)
372 The SASL plug-in type that the Postfix SMTP server should use
373 for authentication.
374 Available in Postfix version 2.5 and later:
376 cyrus_sasl_config_path (empty)
378 Search path for Cyrus SASL application configuration files, cur‐
379 rently used only to locate the $smtpd_sasl_path.conf file.
380 Available in Postfix version 2.11 and later:
382 smtpd_sasl_service (smtp)
384 The service name that is passed to the SASL plug-in that is
385 selected with smtpd_sasl_type and smtpd_sasl_path.
386
388 Detailed information about STARTTLS configuration may be found in the
389 TLS_README document.
390 smtpd_tls_security_level (empty)
392 The SMTP TLS security level for the Postfix SMTP server; when a
393 non-empty value is specified, this overrides the obsolete param‐
394 eters smtpd_use_tls and smtpd_enforce_tls.
395 smtpd_sasl_tls_security_options ($smtpd_sasl_security_options)
397 The SASL authentication security options that the Postfix SMTP
398 server uses for TLS encrypted SMTP sessions.
399 smtpd_starttls_timeout (see 'postconf -d' output)
401 The time limit for Postfix SMTP server write and read operations
402 during TLS startup and shutdown handshake procedures.
403 smtpd_tls_CAfile (empty)
405 A file containing (PEM format) CA certificates of root CAs
406 trusted to sign either remote SMTP client certificates or inter‐
407 mediate CA certificates.
408 smtpd_tls_CApath (empty)
410 A directory containing (PEM format) CA certificates of root CAs
411 trusted to sign either remote SMTP client certificates or inter‐
412 mediate CA certificates.
413 smtpd_tls_always_issue_session_ids (yes)
415 Force the Postfix SMTP server to issue a TLS session id, even
416 when TLS session caching is turned off (smtpd_tls_ses‐
417 sion_cache_database is empty).
418 smtpd_tls_ask_ccert (no)
420 Ask a remote SMTP client for a client certificate.
421 smtpd_tls_auth_only (no)
423 When TLS encryption is optional in the Postfix SMTP server, do
424 not announce or accept SASL authentication over unencrypted con‐
425 nections.
426 smtpd_tls_ccert_verifydepth (9)
428 The verification depth for remote SMTP client certificates.
429 smtpd_tls_cert_file (empty)
431 File with the Postfix SMTP server RSA certificate in PEM format.
432 smtpd_tls_exclude_ciphers (empty)
434 List of ciphers or cipher types to exclude from the SMTP server
435 cipher list at all TLS security levels.
436 smtpd_tls_dcert_file (empty)
438 File with the Postfix SMTP server DSA certificate in PEM format.
439 smtpd_tls_dh1024_param_file (empty)
441 File with DH parameters that the Postfix SMTP server should use
442 with non-export EDH ciphers.
443 smtpd_tls_dh512_param_file (empty)
445 File with DH parameters that the Postfix SMTP server should use
446 with export-grade EDH ciphers.
447 smtpd_tls_dkey_file ($smtpd_tls_dcert_file)
449 File with the Postfix SMTP server DSA private key in PEM format.
450 smtpd_tls_key_file ($smtpd_tls_cert_file)
452 File with the Postfix SMTP server RSA private key in PEM format.
453 smtpd_tls_loglevel (0)
455 Enable additional Postfix SMTP server logging of TLS activity.
456 smtpd_tls_mandatory_ciphers (medium)
458 The minimum TLS cipher grade that the Postfix SMTP server will
459 use with mandatory TLS encryption.
460 smtpd_tls_mandatory_exclude_ciphers (empty)
462 Additional list of ciphers or cipher types to exclude from the
463 Postfix SMTP server cipher list at mandatory TLS security lev‐
464 els.
465 smtpd_tls_mandatory_protocols (!SSLv2, !SSLv3)
467 The SSL/TLS protocols accepted by the Postfix SMTP server with
468 mandatory TLS encryption.
469 smtpd_tls_received_header (no)
471 Request that the Postfix SMTP server produces Received: message
472 headers that include information about the protocol and cipher
473 used, as well as the remote SMTP client CommonName and client
474 certificate issuer CommonName.
475 smtpd_tls_req_ccert (no)
477 With mandatory TLS encryption, require a trusted remote SMTP
478 client certificate in order to allow TLS connections to proceed.
479 smtpd_tls_wrappermode (no)
481 Run the Postfix SMTP server in the non-standard "wrapper" mode,
482 instead of using the STARTTLS command.
483 tls_daemon_random_bytes (32)
485 The number of pseudo-random bytes that an smtp(8) or smtpd(8)
486 process requests from the tlsmgr(8) server in order to seed its
487 internal pseudo random number generator (PRNG).
488 tls_high_cipherlist (see 'postconf -d' output)
490 The OpenSSL cipherlist for "high" grade ciphers.
491 tls_medium_cipherlist (see 'postconf -d' output)
493 The OpenSSL cipherlist for "medium" or higher grade ciphers.
494 tls_low_cipherlist (see 'postconf -d' output)
496 The OpenSSL cipherlist for "low" or higher grade ciphers.
497 tls_export_cipherlist (see 'postconf -d' output)
499 The OpenSSL cipherlist for "export" or higher grade ciphers.
500 tls_null_cipherlist (eNULL:!aNULL)
502 The OpenSSL cipherlist for "NULL" grade ciphers that provide
503 authentication without encryption.
504 Available in Postfix version 2.5 and later:
506 smtpd_tls_fingerprint_digest (md5)
508 The message digest algorithm to construct remote SMTP
509 client-certificate fingerprints or public key fingerprints
510 (Postfix 2.9 and later) for check_ccert_access and per‐
511 mit_tls_clientcerts.
512 Available in Postfix version 2.6 and later:
514 smtpd_tls_protocols (!SSLv2, !SSLv3)
516 List of TLS protocols that the Postfix SMTP server will exclude
517 or include with opportunistic TLS encryption.
518 smtpd_tls_ciphers (medium)
520 The minimum TLS cipher grade that the Postfix SMTP server will
521 use with opportunistic TLS encryption.
522 smtpd_tls_eccert_file (empty)
524 File with the Postfix SMTP server ECDSA certificate in PEM for‐
525 mat.
526 smtpd_tls_eckey_file ($smtpd_tls_eccert_file)
528 File with the Postfix SMTP server ECDSA private key in PEM for‐
529 mat.
530 smtpd_tls_eecdh_grade (see 'postconf -d' output)
532 The Postfix SMTP server security grade for ephemeral ellip‐
533 tic-curve Diffie-Hellman (EECDH) key exchange.
534 tls_eecdh_strong_curve (prime256v1)
536 The elliptic curve used by the Postfix SMTP server for sensibly
537 strong ephemeral ECDH key exchange.
538 tls_eecdh_ultra_curve (secp384r1)
540 The elliptic curve used by the Postfix SMTP server for maximally
541 strong ephemeral ECDH key exchange.
542 Available in Postfix version 2.8 and later:
544 tls_preempt_cipherlist (no)
546 With SSLv3 and later, use the Postfix SMTP server's cipher pref‐
547 erence order instead of the remote client's cipher preference
548 order.
549 tls_disable_workarounds (see 'postconf -d' output)
551 List or bit-mask of OpenSSL bug work-arounds to disable.
552 Available in Postfix version 2.11 and later:
554 tlsmgr_service_name (tlsmgr)
556 The name of the tlsmgr(8) service entry in master.cf.
557 Available in Postfix version 3.0 and later:
559 tls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0:
561 aes-128-cbc)
562 Algorithm used to encrypt RFC5077 TLS session tickets.
563 Available in Postfix version 3.2 and later:
565 tls_eecdh_auto_curves (see 'postconf -d' output)
567 The prioritized list of elliptic curves supported by the Postfix
568 SMTP client and server.
569
571 The following configuration parameters exist for compatibility with
572 Postfix versions before 2.3. Support for these will be removed in a
573 future release.
574 smtpd_use_tls (no)
576 Opportunistic TLS: announce STARTTLS support to remote SMTP
577 clients, but do not require that clients use TLS encryption.
578 smtpd_enforce_tls (no)
580 Mandatory TLS: announce STARTTLS support to remote SMTP clients,
581 and require that clients use TLS encryption.
582 smtpd_tls_cipherlist (empty)
584 Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
585 cipher list.
586
588 Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
589 smtputf8_enable (yes)
591 Enable preliminary SMTPUTF8 support for the protocols described
592 in RFC 6531..6533.
593 strict_smtputf8 (no)
595 Enable stricter enforcement of the SMTPUTF8 protocol.
596 smtputf8_autodetect_classes (sendmail, verify)
598 Detect that a message requires SMTPUTF8 support for the speci‐
599 fied mail origin classes.
600 Available in Postfix version 3.2 and later:
602 enable_idna2003_compatibility (no)
604 Enable 'transitional' compatibility between IDNA2003 and
605 IDNA2008, when converting UTF-8 domain names to/from the ASCII
606 form that is used for DNS lookups.
607
609 With VERP style delivery, each recipient of a message receives a cus‐
610 tomized copy of the message with his/her own recipient address encoded
611 in the envelope sender address. The VERP_README file describes config‐
612 uration and operation details of Postfix support for variable envelope
613 return path addresses. VERP style delivery is requested with the SMTP
614 XVERP command or with the "sendmail -V" command-line option and is
615 available in Postfix version 1.1 and later.
616 default_verp_delimiters (+=)
618 The two default VERP delimiter characters.
619 verp_delimiter_filter (-=+)
621 The characters Postfix accepts as VERP delimiter characters on
622 the Postfix sendmail(1) command line and in SMTP commands.
623 Available in Postfix version 1.1 and 2.0:
625 authorized_verp_clients ($mynetworks)
627 What remote SMTP clients are allowed to specify the XVERP com‐
628 mand.
629 Available in Postfix version 2.1 and later:
631 smtpd_authorized_verp_clients ($authorized_verp_clients)
633 What remote SMTP clients are allowed to specify the XVERP com‐
634 mand.
635
637 The DEBUG_README document describes how to debug parts of the Postfix
638 mail system. The methods vary from making the software log a lot of
639 detail, to running some daemon processes under control of a call tracer
640 or debugger.
641 debug_peer_level (2)
643 The increment in verbose logging level when a remote client or
644 server matches a pattern in the debug_peer_list parameter.
645 debug_peer_list (empty)
647 Optional list of remote client or server hostname or network
648 address patterns that cause the verbose logging level to
649 increase by the amount specified in $debug_peer_level.
650 error_notice_recipient (postmaster)
652 The recipient of postmaster notifications about mail delivery
653 problems that are caused by policy, resource, software or proto‐
654 col errors.
655 internal_mail_filter_classes (empty)
657 What categories of Postfix-generated mail are subject to
658 before-queue content inspection by non_smtpd_milters,
659 header_checks and body_checks.
660 notify_classes (resource, software)
662 The list of error classes that are reported to the postmaster.
663 smtpd_reject_footer (empty)
665 Optional information that is appended after each Postfix SMTP
666 server 4XX or 5XX response.
667 soft_bounce (no)
669 Safety net to keep mail queued that would otherwise be returned
670 to the sender.
671 Available in Postfix version 2.1 and later:
673 smtpd_authorized_xclient_hosts (empty)
675 What remote SMTP clients are allowed to use the XCLIENT feature.
676 Available in Postfix version 2.10 and later:
678 smtpd_log_access_permit_actions (empty)
680 Enable logging of the named "permit" actions in SMTP server
681 access lists (by default, the SMTP server logs "reject" actions
682 but not "permit" actions).
683
685 As of Postfix version 2.0, the SMTP server rejects mail for unknown
686 recipients. This prevents the mail queue from clogging up with undeliv‐
687 erable MAILER-DAEMON messages. Additional information on this topic is
688 in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README documents.
689 show_user_unknown_table_name (yes)
691 Display the name of the recipient table in the "User unknown"
692 responses.
693 canonical_maps (empty)
695 Optional address mapping lookup tables for message headers and
696 envelopes.
697 recipient_canonical_maps (empty)
699 Optional address mapping lookup tables for envelope and header
700 recipient addresses.
701 sender_canonical_maps (empty)
703 Optional address mapping lookup tables for envelope and header
704 sender addresses.
705 Parameters concerning known/unknown local recipients:
707 mydestination ($myhostname, localhost.$mydomain, localhost)
709 The list of domains that are delivered via the $local_transport
710 mail delivery transport.
711 inet_interfaces (all)
713 The network interface addresses that this mail system receives
714 mail on.
715 proxy_interfaces (empty)
717 The network interface addresses that this mail system receives
718 mail on by way of a proxy or network address translation unit.
719 inet_protocols (all)
721 The Internet protocols Postfix will attempt to use when making
722 or accepting connections.
723 local_recipient_maps (proxy:unix:passwd.byname $alias_maps)
725 Lookup tables with all names or addresses of local recipients: a
726 recipient address is local when its domain matches $mydestina‐
727 tion, $inet_interfaces or $proxy_interfaces.
728 unknown_local_recipient_reject_code (550)
730 The numerical Postfix SMTP server response code when a recipient
731 address is local, and $local_recipient_maps specifies a list of
732 lookup tables that does not match the recipient.
733 Parameters concerning known/unknown recipients of relay destinations:
735 relay_domains (Postfix >= 3.0: empty, Postfix < 3.0: $mydestination)
737 What destination domains (and subdomains thereof) this system
738 will relay mail to.
739 relay_recipient_maps (empty)
741 Optional lookup tables with all valid addresses in the domains
742 that match $relay_domains.
743 unknown_relay_recipient_reject_code (550)
745 The numerical Postfix SMTP server reply code when a recipient
746 address matches $relay_domains, and relay_recipient_maps speci‐
747 fies a list of lookup tables that does not match the recipient
748 address.
749 Parameters concerning known/unknown recipients in virtual alias
751 domains:
752 virtual_alias_domains ($virtual_alias_maps)
754 Postfix is final destination for the specified list of virtual
755 alias domains, that is, domains for which all addresses are
756 aliased to addresses in other local or remote domains.
757 virtual_alias_maps ($virtual_maps)
759 Optional lookup tables that alias specific mail addresses or
760 domains to other local or remote address.
761 unknown_virtual_alias_reject_code (550)
763 The Postfix SMTP server reply code when a recipient address
764 matches $virtual_alias_domains, and $virtual_alias_maps speci‐
765 fies a list of lookup tables that does not match the recipient
766 address.
767 Parameters concerning known/unknown recipients in virtual mailbox
769 domains:
770 virtual_mailbox_domains ($virtual_mailbox_maps)
772 Postfix is final destination for the specified list of domains;
773 mail is delivered via the $virtual_transport mail delivery
774 transport.
775 virtual_mailbox_maps (empty)
777 Optional lookup tables with all valid addresses in the domains
778 that match $virtual_mailbox_domains.
779 unknown_virtual_mailbox_reject_code (550)
781 The Postfix SMTP server reply code when a recipient address
782 matches $virtual_mailbox_domains, and $virtual_mailbox_maps
783 specifies a list of lookup tables that does not match the recip‐
784 ient address.
785
787 The following parameters limit resource usage by the SMTP server and/or
788 control client request rates.
789 line_length_limit (2048)
791 Upon input, long lines are chopped up into pieces of at most
792 this length; upon delivery, long lines are reconstructed.
793 queue_minfree (0)
795 The minimal amount of free space in bytes in the queue file sys‐
796 tem that is needed to receive mail.
797 message_size_limit (10240000)
799 The maximal size in bytes of a message, including envelope
800 information.
801 smtpd_recipient_limit (1000)
803 The maximal number of recipients that the Postfix SMTP server
804 accepts per message delivery request.
805 smtpd_timeout (normal: 300s, overload: 10s)
807 The time limit for sending a Postfix SMTP server response and
808 for receiving a remote SMTP client request.
809 smtpd_history_flush_threshold (100)
811 The maximal number of lines in the Postfix SMTP server command
812 history before it is flushed upon receipt of EHLO, RSET, or end
813 of DATA.
814 Available in Postfix version 2.3 and later:
816 smtpd_peername_lookup (yes)
818 Attempt to look up the remote SMTP client hostname, and verify
819 that the name matches the client IP address.
820 The per SMTP client connection count and request rate limits are imple‐
822 mented in co-operation with the anvil(8) service, and are available in
823 Postfix version 2.2 and later.
824 smtpd_client_connection_count_limit (50)
826 How many simultaneous connections any client is allowed to make
827 to this service.
828 smtpd_client_connection_rate_limit (0)
830 The maximal number of connection attempts any client is allowed
831 to make to this service per time unit.
832 smtpd_client_message_rate_limit (0)
834 The maximal number of message delivery requests that any client
835 is allowed to make to this service per time unit, regardless of
836 whether or not Postfix actually accepts those messages.
837 smtpd_client_recipient_rate_limit (0)
839 The maximal number of recipient addresses that any client is
840 allowed to send to this service per time unit, regardless of
841 whether or not Postfix actually accepts those recipients.
842 smtpd_client_event_limit_exceptions ($mynetworks)
844 Clients that are excluded from smtpd_client_*_count/rate_limit
845 restrictions.
846 Available in Postfix version 2.3 and later:
848 smtpd_client_new_tls_session_rate_limit (0)
850 The maximal number of new (i.e., uncached) TLS sessions that a
851 remote SMTP client is allowed to negotiate with this service per
852 time unit.
853 Available in Postfix version 2.9 and later:
855 smtpd_per_record_deadline (normal: no, overload: yes)
857 Change the behavior of the smtpd_timeout and smtpd_start‐
858 tls_timeout time limits, from a time limit per read or write
859 system call, to a time limit to send or receive a complete
860 record (an SMTP command line, SMTP response line, SMTP message
861 content line, or TLS protocol message).
862 Available in Postfix version 3.1 and later:
864 smtpd_client_auth_rate_limit (0)
866 The maximal number of AUTH commands that any client is allowed
867 to send to this service per time unit, regardless of whether or
868 not Postfix actually accepts those commands.
869
871 When a remote SMTP client makes errors, the Postfix SMTP server can
872 insert delays before responding. This can help to slow down run-away
873 software. The behavior is controlled by an error counter that counts
874 the number of errors within an SMTP session that a client makes without
875 delivering mail.
876 smtpd_error_sleep_time (1s)
878 With Postfix version 2.1 and later: the SMTP server response
879 delay after a client has made more than $smtpd_soft_error_limit
880 errors, and fewer than $smtpd_hard_error_limit errors, without
881 delivering mail.
882 smtpd_soft_error_limit (10)
884 The number of errors a remote SMTP client is allowed to make
885 without delivering mail before the Postfix SMTP server slows
886 down all its responses.
887 smtpd_hard_error_limit (normal: 20, overload: 1)
889 The maximal number of errors a remote SMTP client is allowed to
890 make without delivering mail.
891 smtpd_junk_command_limit (normal: 100, overload: 1)
893 The number of junk commands (NOOP, VRFY, ETRN or RSET) that a
894 remote SMTP client can send before the Postfix SMTP server
895 starts to increment the error counter with each junk command.
896 Available in Postfix version 2.1 and later:
898 smtpd_recipient_overshoot_limit (1000)
900 The number of recipients that a remote SMTP client can send in
901 excess of the limit specified with $smtpd_recipient_limit,
902 before the Postfix SMTP server increments the per-session error
903 count for each excess recipient.
904
906 As of version 2.1, Postfix can be configured to delegate access policy
907 decisions to an external server that runs outside Postfix. See the
908 file SMTPD_POLICY_README for more information.
909 smtpd_policy_service_max_idle (300s)
911 The time after which an idle SMTPD policy service connection is
912 closed.
913 smtpd_policy_service_max_ttl (1000s)
915 The time after which an active SMTPD policy service connection
916 is closed.
917 smtpd_policy_service_timeout (100s)
919 The time limit for connecting to, writing to, or receiving from
920 a delegated SMTPD policy server.
921 Available in Postfix version 3.0 and later:
923 smtpd_policy_service_default_action (451 4.3.5 Server configuration
925 problem)
926 The default action when an SMTPD policy service request fails.
927 smtpd_policy_service_request_limit (0)
929 The maximal number of requests per SMTPD policy service connec‐
930 tion, or zero (no limit).
931 smtpd_policy_service_try_limit (2)
933 The maximal number of attempts to send an SMTPD policy service
934 request before giving up.
935 smtpd_policy_service_retry_delay (1s)
937 The delay between attempts to resend a failed SMTPD policy ser‐
938 vice request.
939 Available in Postfix version 3.1 and later:
941 smtpd_policy_service_policy_context (empty)
943 Optional information that the Postfix SMTP server specifies in
944 the "policy_context" attribute of a policy service request
945 (originally, to share the same service endpoint among multiple
946 check_policy_service clients).
947
949 The SMTPD_ACCESS_README document gives an introduction to all the SMTP
950 server access control features.
951 smtpd_delay_reject (yes)
953 Wait until the RCPT TO command before evaluating
954 $smtpd_client_restrictions, $smtpd_helo_restrictions and
955 $smtpd_sender_restrictions, or wait until the ETRN command
956 before evaluating $smtpd_client_restrictions and
957 $smtpd_helo_restrictions.
958 parent_domain_matches_subdomains (see 'postconf -d' output)
960 A list of Postfix features where the pattern "example.com" also
961 matches subdomains of example.com, instead of requiring an
962 explicit ".example.com" pattern.
963 smtpd_client_restrictions (empty)
965 Optional restrictions that the Postfix SMTP server applies in
966 the context of a client connection request.
967 smtpd_helo_required (no)
969 Require that a remote SMTP client introduces itself with the
970 HELO or EHLO command before sending the MAIL command or other
971 commands that require EHLO negotiation.
972 smtpd_helo_restrictions (empty)
974 Optional restrictions that the Postfix SMTP server applies in
975 the context of a client HELO command.
976 smtpd_sender_restrictions (empty)
978 Optional restrictions that the Postfix SMTP server applies in
979 the context of a client MAIL FROM command.
980 smtpd_recipient_restrictions (see 'postconf -d' output)
982 Optional restrictions that the Postfix SMTP server applies in
983 the context of a client RCPT TO command, after
984 smtpd_relay_restrictions.
985 smtpd_etrn_restrictions (empty)
987 Optional restrictions that the Postfix SMTP server applies in
988 the context of a client ETRN command.
989 allow_untrusted_routing (no)
991 Forward mail with sender-specified routing
992 (user[@%!]remote[@%!]site) from untrusted clients to destina‐
993 tions matching $relay_domains.
994 smtpd_restriction_classes (empty)
996 User-defined aliases for groups of access restrictions.
997 smtpd_null_access_lookup_key (<>)
999 The lookup key to be used in SMTP access(5) tables instead of
1000 the null sender address.
1001 permit_mx_backup_networks (empty)
1003 Restrict the use of the permit_mx_backup SMTP access feature to
1004 only domains whose primary MX hosts match the listed networks.
1005 Available in Postfix version 2.0 and later:
1007 smtpd_data_restrictions (empty)
1009 Optional access restrictions that the Postfix SMTP server
1010 applies in the context of the SMTP DATA command.
1011 smtpd_expansion_filter (see 'postconf -d' output)
1013 What characters are allowed in $name expansions of RBL reply
1014 templates.
1015 Available in Postfix version 2.1 and later:
1017 smtpd_reject_unlisted_sender (no)
1019 Request that the Postfix SMTP server rejects mail from unknown
1020 sender addresses, even when no explicit reject_unlisted_sender
1021 access restriction is specified.
1022 smtpd_reject_unlisted_recipient (yes)
1024 Request that the Postfix SMTP server rejects mail for unknown
1025 recipient addresses, even when no explicit
1026 reject_unlisted_recipient access restriction is specified.
1027 Available in Postfix version 2.2 and later:
1029 smtpd_end_of_data_restrictions (empty)
1031 Optional access restrictions that the Postfix SMTP server
1032 applies in the context of the SMTP END-OF-DATA command.
1033 Available in Postfix version 2.10 and later:
1035 smtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated,
1037 defer_unauth_destination)
1038 Access restrictions for mail relay control that the Postfix SMTP
1039 server applies in the context of the RCPT TO command, before
1040 smtpd_recipient_restrictions.
1041
1043 Postfix version 2.1 introduces sender and recipient address verifica‐
1044 tion. This feature is implemented by sending probe email messages that
1045 are not actually delivered. This feature is requested via the
1046 reject_unverified_sender and reject_unverified_recipient access
1047 restrictions. The status of verification probes is maintained by the
1048 verify(8) server. See the file ADDRESS_VERIFICATION_README for infor‐
1049 mation about how to configure and operate the Postfix sender/recipient
1050 address verification service.
1051 address_verify_poll_count (normal: 3, overload: 1)
1053 How many times to query the verify(8) service for the completion
1054 of an address verification request in progress.
1055 address_verify_poll_delay (3s)
1057 The delay between queries for the completion of an address veri‐
1058 fication request in progress.
1059 address_verify_sender ($double_bounce_sender)
1061 The sender address to use in address verification probes; prior
1062 to Postfix 2.5 the default was "postmaster".
1063 unverified_sender_reject_code (450)
1065 The numerical Postfix SMTP server response code when a recipient
1066 address is rejected by the reject_unverified_sender restriction.
1067 unverified_recipient_reject_code (450)
1069 The numerical Postfix SMTP server response when a recipient
1070 address is rejected by the reject_unverified_recipient restric‐
1071 tion.
1072 Available in Postfix version 2.6 and later:
1074 unverified_sender_defer_code (450)
1076 The numerical Postfix SMTP server response code when a sender
1077 address probe fails due to a temporary error condition.
1078 unverified_recipient_defer_code (450)
1080 The numerical Postfix SMTP server response when a recipient
1081 address probe fails due to a temporary error condition.
1082 unverified_sender_reject_reason (empty)
1084 The Postfix SMTP server's reply when rejecting mail with
1085 reject_unverified_sender.
1086 unverified_recipient_reject_reason (empty)
1088 The Postfix SMTP server's reply when rejecting mail with
1089 reject_unverified_recipient.
1090 unverified_sender_tempfail_action ($reject_tempfail_action)
1092 The Postfix SMTP server's action when reject_unverified_sender
1093 fails due to a temporary error condition.
1094 unverified_recipient_tempfail_action ($reject_tempfail_action)
1096 The Postfix SMTP server's action when reject_unverified_recipi‐
1097 ent fails due to a temporary error condition.
1098 Available with Postfix 2.9 and later:
1100 address_verify_sender_ttl (0s)
1102 The time between changes in the time-dependent portion of
1103 address verification probe sender addresses.
1104
1106 The following parameters control numerical SMTP reply codes and/or text
1107 responses.
1108 access_map_reject_code (554)
1110 The numerical Postfix SMTP server response code for an access(5)
1111 map "reject" action.
1112 defer_code (450)
1114 The numerical Postfix SMTP server response code when a remote
1115 SMTP client request is rejected by the "defer" restriction.
1116 invalid_hostname_reject_code (501)
1118 The numerical Postfix SMTP server response code when the client
1119 HELO or EHLO command parameter is rejected by the
1120 reject_invalid_helo_hostname restriction.
1121 maps_rbl_reject_code (554)
1123 The numerical Postfix SMTP server response code when a remote
1124 SMTP client request is blocked by the reject_rbl_client,
1125 reject_rhsbl_client, reject_rhsbl_reverse_client,
1126 reject_rhsbl_sender or reject_rhsbl_recipient restriction.
1127 non_fqdn_reject_code (504)
1129 The numerical Postfix SMTP server reply code when a client
1130 request is rejected by the reject_non_fqdn_helo_hostname,
1131 reject_non_fqdn_sender or reject_non_fqdn_recipient restriction.
1132 plaintext_reject_code (450)
1134 The numerical Postfix SMTP server response code when a request
1135 is rejected by the reject_plaintext_session restriction.
1136 reject_code (554)
1138 The numerical Postfix SMTP server response code when a remote
1139 SMTP client request is rejected by the "reject" restriction.
1140 relay_domains_reject_code (554)
1142 The numerical Postfix SMTP server response code when a client
1143 request is rejected by the reject_unauth_destination recipient
1144 restriction.
1145 unknown_address_reject_code (450)
1147 The numerical response code when the Postfix SMTP server rejects
1148 a sender or recipient address because its domain is unknown.
1149 unknown_client_reject_code (450)
1151 The numerical Postfix SMTP server response code when a client
1152 without valid address <=> name mapping is rejected by the
1153 reject_unknown_client_hostname restriction.
1154 unknown_hostname_reject_code (450)
1156 The numerical Postfix SMTP server response code when the host‐
1157 name specified with the HELO or EHLO command is rejected by the
1158 reject_unknown_helo_hostname restriction.
1159 Available in Postfix version 2.0 and later:
1161 default_rbl_reply (see 'postconf -d' output)
1163 The default Postfix SMTP server response template for a request
1164 that is rejected by an RBL-based restriction.
1165 multi_recipient_bounce_reject_code (550)
1167 The numerical Postfix SMTP server response code when a remote
1168 SMTP client request is blocked by the reject_multi_recipi‐
1169 ent_bounce restriction.
1170 rbl_reply_maps (empty)
1172 Optional lookup tables with RBL response templates.
1173 Available in Postfix version 2.6 and later:
1175 access_map_defer_code (450)
1177 The numerical Postfix SMTP server response code for an access(5)
1178 map "defer" action, including "defer_if_permit" or
1179 "defer_if_reject".
1180 reject_tempfail_action (defer_if_permit)
1182 The Postfix SMTP server's action when a reject-type restriction
1183 fails due to a temporary error condition.
1184 unknown_helo_hostname_tempfail_action ($reject_tempfail_action)
1186 The Postfix SMTP server's action when reject_unknown_helo_host‐
1187 name fails due to an temporary error condition.
1188 unknown_address_tempfail_action ($reject_tempfail_action)
1190 The Postfix SMTP server's action when
1191 reject_unknown_sender_domain or reject_unknown_recipient_domain
1192 fail due to a temporary error condition.
1193
1195 config_directory (see 'postconf -d' output)
1196 The default location of the Postfix main.cf and master.cf con‐
1197 figuration files.
1198 daemon_timeout (18000s)
1200 How much time a Postfix daemon process may take to handle a
1201 request before it is terminated by a built-in watchdog timer.
1202 command_directory (see 'postconf -d' output)
1204 The location of all postfix administrative commands.
1205 double_bounce_sender (double-bounce)
1207 The sender address of postmaster notifications that are gener‐
1208 ated by the mail system.
1209 ipc_timeout (3600s)
1211 The time limit for sending or receiving information over an
1212 internal communication channel.
1213 mail_name (Postfix)
1215 The mail system name that is displayed in Received: headers, in
1216 the SMTP greeting banner, and in bounced mail.
1217 mail_owner (postfix)
1219 The UNIX system account that owns the Postfix queue and most
1220 Postfix daemon processes.
1221 max_idle (100s)
1223 The maximum amount of time that an idle Postfix daemon process
1224 waits for an incoming connection before terminating voluntarily.
1225 max_use (100)
1227 The maximal number of incoming connections that a Postfix daemon
1228 process will service before terminating voluntarily.
1229 myhostname (see 'postconf -d' output)
1231 The internet hostname of this mail system.
1232 mynetworks (see 'postconf -d' output)
1234 The list of "trusted" remote SMTP clients that have more privi‐
1235 leges than "strangers".
1236 myorigin ($myhostname)
1238 The domain name that locally-posted mail appears to come from,
1239 and that locally posted mail is delivered to.
1240 process_id (read-only)
1242 The process ID of a Postfix command or daemon process.
1243 process_name (read-only)
1245 The process name of a Postfix command or daemon process.
1246 queue_directory (see 'postconf -d' output)
1248 The location of the Postfix top-level queue directory.
1249 recipient_delimiter (empty)
1251 The set of characters that can separate a user name from its
1252 extension (example: user+foo), or a .forward file name from its
1253 extension (example: .forward+foo).
1254 smtpd_banner ($myhostname ESMTP $mail_name)
1256 The text that follows the 220 status code in the SMTP greeting
1257 banner.
1258 syslog_facility (mail)
1260 The syslog facility of Postfix logging.
1261 syslog_name (see 'postconf -d' output)
1263 A prefix that is prepended to the process name in syslog
1264 records, so that, for example, "smtpd" becomes "prefix/smtpd".
1265 Available in Postfix version 2.2 and later:
1267 smtpd_forbidden_commands (CONNECT, GET, POST)
1269 List of commands that cause the Postfix SMTP server to immedi‐
1270 ately terminate the session with a 221 code.
1271 Available in Postfix version 2.5 and later:
1273 smtpd_client_port_logging (no)
1275 Enable logging of the remote SMTP client port in addition to the
1276 hostname and IP address.
1277 Available in Postfix 3.3 and later:
1279 service_name (read-only)
1281 The master.cf service name of a Postfix daemon process.
1282
1284 anvil(8), connection/rate limiting
1285 cleanup(8), message canonicalization
1286 tlsmgr(8), TLS session and PRNG management
1287 trivial-rewrite(8), address resolver
1288 verify(8), address verification service
1289 postconf(5), configuration parameters
1290 master(5), generic daemon options
1291 master(8), process manager
1292 syslogd(8), system logging
1293
1295 Use "postconf readme_directory" or "postconf html_directory" to locate
1296 this information.
1297 ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
1298 ADDRESS_REWRITING_README Postfix address manipulation
1299 FILTER_README, external after-queue content filter
1300 LOCAL_RECIPIENT_README, blocking unknown local recipients
1301 MILTER_README, before-queue mail filter applications
1302 SMTPD_ACCESS_README, built-in access policies
1303 SMTPD_POLICY_README, external policy server
1304 SMTPD_PROXY_README, external before-queue content filter
1305 SASL_README, Postfix SASL howto
1306 TLS_README, Postfix STARTTLS howto
1307 VERP_README, Postfix XVERP extension
1308 XCLIENT_README, Postfix XCLIENT extension
1309 XFORWARD_README, Postfix XFORWARD extension
1310
1312 The Secure Mailer license must be distributed with this software.
1313
1315 Wietse Venema
1316 IBM T.J. Watson Research
1317 P.O. Box 704
1318 Yorktown Heights, NY 10598, USA
1319 Wietse Venema
1321 Google, Inc.
1322 111 8th Avenue
1323 New York, NY 10011, USA
1324 SASL support originally by:
1326 Till Franke
1327 SuSE Rhein/Main AG
1328 65760 Eschborn, Germany
1329 TLS support originally by:
1331 Lutz Jaenicke
1332 BTU Cottbus
1333 Allgemeine Elektrotechnik
1334 Universitaetsplatz 3-4
1335 D-03044 Cottbus, Germany
1336 Revised TLS support by:
1338 Victor Duchovni
1339 Morgan Stanley
1340 SMTPD(8)