1POSTCONF(5)                   File Formats Manual                  POSTCONF(5)
2
3
4

NAME

6       postconf - Postfix configuration parameters
7

SYNOPSIS

9       postconf parameter ...
10
11       postconf -e "parameter=value" ...
12

DESCRIPTION

14       The  Postfix  main.cf configuration file specifies parameters that con‐
15       trol the operation of the Postfix mail system. Typically the file  con‐
16       tains  only  a small subset of all parameters; parameters not specified
17       are left at their default values.
18
19       The general format of the main.cf file is as follows:
20
21       ·      Each logical line has the form "parameter = value".   Whitespace
22              around the "=" is ignored, as is whitespace at the end of a log‐
23              ical line.
24
25       ·      Empty lines and whitespace-only lines are ignored, as are  lines
26              whose first non-whitespace character is a `#'.
27
28       ·      A  logical  line  starts  with  non-whitespace text. A line that
29              starts with whitespace continues a logical line.
30
31       ·      A parameter value may refer to other parameters.
32
33              ·      The expressions "$name"  and  "${name}"  are  recursively
34                     replaced  with  the  value  of  the  named parameter. The
35                     parameter name must contain only characters from the  set
36                     [a-zA-Z0-9_].  An  undefined  parameter value is replaced
37                     with the empty value.
38
39              ·      The expressions "${name?value}" and "${name?{value}}" are
40                     replaced  with  "value"  when  "$name"  is non-empty. The
41                     parameter name must contain only characters from the  set
42                     [a-zA-Z0-9_]. These forms are supported with Postfix ver‐
43                     sions >= 2.2 and >= 3.0, respectively.
44
45              ·      The expressions "${name:value}" and "${name:{value}}" are
46                     replaced  with "value" when "$name" is empty. The parame‐
47                     ter name must contain only characters from the set [a-zA-
48                     Z0-9_].  These  forms are supported with Postfix versions
49                     >= 2.2 and >= 3.0, respectively.
50
51              ·      The expression  "${name?{value1}:{value2}}"  is  replaced
52                     with   "value1"  when  "$name"  is  non-empty,  and  with
53                     "value2" when "$name" is empty.  The "{}" is required for
54                     "value1",  optional for "value2". The parameter name must
55                     contain only characters from the set [a-zA-Z0-9_].   This
56                     form is supported with Postfix versions >= 3.0.
57
58              ·      The  first  item  inside  "${...}"  may  be  a relational
59                     expression of the form: "{value3} ==  {value4}".  Besides
60                     the   "=="  (equality)  operator  Postfix  supports  "!="
61                     (inequality), "<", "<=", ">=", and ">". The comparison is
62                     numerical  when  both  operands are all digits, otherwise
63                     the comparison is lexicographical. These forms  are  sup‐
64                     ported with Postfix versions >= 3.0.
65
66              ·      Each  "value" is subject to recursive named parameter and
67                     relational expression evaluation, except where noted.
68
69              ·      Whitespace before or after each "{value}" is ignored.
70
71              ·      Specify "$$" to produce a single "$" character.
72
73              ·      The legacy form "$(...)" is equivalent to  the  preferred
74                     form "${...}".
75
76       ·      When the same parameter is defined multiple times, only the last
77              instance is remembered.
78
79       ·      Otherwise, the order of main.cf parameter definitions  does  not
80              matter.
81
82       The remainder of this document is a description of all Postfix configu‐
83       ration parameters. Default values are shown after the parameter name in
84       parentheses, and can be looked up with the "postconf -d" command.
85
86       Note:  this  is not an invitation to make changes to Postfix configura‐
87       tion parameters. Unnecessary changes can impair the  operation  of  the
88       mail system.
89

2bounce_notice_recipient (default: postmaster)

91       The  recipient  of  undeliverable  mail  that cannot be returned to the
92       sender.  This feature is enabled with the notify_classes parameter.
93

access_map_defer_code (default: 450)

95       The numerical Postfix SMTP server response code for  an  access(5)  map
96       "defer" action, including "defer_if_permit" or "defer_if_reject". Prior
97       to Postfix 2.6, the response is hard-coded as "450".
98
99       Do not change this unless you have  a  complete  understanding  of  RFC
100       5321.
101
102       This feature is available in Postfix 2.6 and later.
103

access_map_reject_code (default: 554)

105       The  numerical  Postfix  SMTP server response code for an access(5) map
106       "reject" action.
107
108       Do not change this unless you have  a  complete  understanding  of  RFC
109       5321.
110

address_verify_cache_cleanup_interval (default: 12h)

112       The  amount  of  time  between  verify(8) address verification database
113       cleanup runs. This feature requires  that  the  database  supports  the
114       "delete"  and "sequence" operators.  Specify a zero interval to disable
115       database cleanup.
116
117       After each database cleanup run, the verify(8) daemon logs  the  number
118       of  entries  that were retained and dropped. A cleanup run is logged as
119       "partial" when the daemon  terminates  early  after  "postfix  reload",
120       "postfix stop", or no requests for $max_idle seconds.
121
122       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
123
124       This feature is available in Postfix 2.7.
125

address_verify_default_transport (default: $default_transport)

127       Overrides the default_transport parameter setting for address verifica‐
128       tion probes.
129
130       This feature is available in Postfix 2.1 and later.
131

address_verify_local_transport (default: $local_transport)

133       Overrides the local_transport parameter setting for  address  verifica‐
134       tion probes.
135
136       This feature is available in Postfix 2.1 and later.
137

address_verify_map (default: see postconf -d output)

139       Lookup  table  for persistent address verification status storage.  The
140       table is maintained by the verify(8) service, and is opened before  the
141       process releases privileges.
142
143       The  lookup  table  is  persistent  by default (Postfix 2.7 and later).
144       Specify an empty table name to keep the information in volatile  memory
145       which  is  lost  after  "postfix reload" or "postfix stop". This is the
146       default with Postfix version 2.6 and earlier.
147
148       Specify a location in a file system that will not fill up. If the data‐
149       base  becomes  corrupted,  the world comes to an end. To recover delete
150       (NOT: truncate) the file and do "postfix reload".
151
152       Postfix daemon processes do not use root privileges when  opening  this
153       file  (Postfix 2.5 and later).  The file must therefore be stored under
154       a Postfix-owned directory such as the data_directory.  As  a  migration
155       aid, an attempt to open the file under a non-Postfix directory is redi‐
156       rected to the Postfix-owned data_directory, and a warning is logged.
157
158       Examples:
159
160       address_verify_map = hash:/var/lib/postfix/verify
161       address_verify_map = btree:/var/lib/postfix/verify
162
163       This feature is available in Postfix 2.1 and later.
164

address_verify_negative_cache (default: yes)

166       Enable caching of failed address verification probe results.  When this
167       feature  is  enabled, the cache may pollute quickly with garbage.  When
168       this feature is disabled, Postfix will generate an  address  probe  for
169       every lookup.
170
171       This feature is available in Postfix 2.1 and later.
172

address_verify_negative_expire_time (default: 3d)

174       The  time after which a failed probe expires from the address verifica‐
175       tion cache.
176
177       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
178
179       This feature is available in Postfix 2.1 and later.
180

address_verify_negative_refresh_time (default: 3h)

182       The time after which a failed address verification probe  needs  to  be
183       refreshed.
184
185       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
186
187       This feature is available in Postfix 2.1 and later.
188

address_verify_pending_request_limit (default: see postconf -d output)

190       A  safety  limit that prevents address verification requests from over‐
191       whelming the Postfix queue. By default, the number of pending  requests
192       is  limited  to  1/4  of  the  active  queue  maximum  size  (qmgr_mes‐
193       sage_active_limit). The queue manager enforces the limit by tempfailing
194       requests that exceed the limit. This affects only unknown addresses and
195       inactive addresses that have  expired,  because  the  verify(8)  daemon
196       automatically refreshes an active address before it expires.
197
198       This feature is available in Postfix 3.1 and later.
199

address_verify_poll_count (default: normal: 3, overload: 1)

201       How  many times to query the verify(8) service for the completion of an
202       address verification request in progress.
203
204       By default, the Postfix SMTP server polls the verify(8) service  up  to
205       three  times  under  non-overload  conditions, and only once when under
206       overload.  With Postfix version 2.5 and earlier, the SMTP server always
207       polls the verify(8) service up to three times by default.
208
209       Specify  1  to  implement  a crude form of greylisting, that is, always
210       defer the first delivery request for a new address.
211
212       Examples:
213
214       # Postfix <= 2.6 default
215       address_verify_poll_count = 3
216       # Poor man's greylisting
217       address_verify_poll_count = 1
218
219       This feature is available in Postfix 2.1 and later.
220

address_verify_poll_delay (default: 3s)

222       The delay between queries for the completion of an address verification
223       request in progress.
224
225       The default polling delay is 3 seconds.
226
227       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
228
229       This feature is available in Postfix 2.1 and later.
230

address_verify_positive_expire_time (default: 31d)

232       The  time after which a successful probe expires from the address veri‐
233       fication cache.
234
235       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
236
237       This feature is available in Postfix 2.1 and later.
238

address_verify_positive_refresh_time (default: 7d)

240       The time after which a successful address verification probe  needs  to
241       be  refreshed.  The address verification status is not updated when the
242       probe fails (optimistic caching).
243
244       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
245
246       This feature is available in Postfix 2.1 and later.
247

address_verify_relay_transport (default: $relay_transport)

249       Overrides the relay_transport parameter setting for  address  verifica‐
250       tion probes.
251
252       This feature is available in Postfix 2.1 and later.
253

address_verify_relayhost (default: $relayhost)

255       Overrides  the  relayhost  parameter  setting  for address verification
256       probes. This information can be overruled with the transport(5) table.
257
258       This feature is available in Postfix 2.1 and later.
259

address_verify_sender (default: $double_bounce_sender)

261       The sender address to use in  address  verification  probes;  prior  to
262       Postfix  2.5  the  default  was  "postmaster".  To  avoid problems with
263       address probes that are sent in response to address probes, the Postfix
264       SMTP  server  excludes  the  probe sender address from all SMTPD access
265       blocks.
266
267       Specify an empty value (address_verify_sender =) or <> if you  want  to
268       use  the  null  sender address. Beware, some sites reject mail from <>,
269       even though RFCs require that such addresses be accepted.
270
271       Examples:
272
273       address_verify_sender = <>
274       address_verify_sender = postmaster@my.domain
275
276       This feature is available in Postfix 2.1 and later.
277

address_verify_sender_dependent_default_transport_maps (default:

279       $sender_dependent_default_transport_maps)
280       Overrides the sender_dependent_default_transport_maps parameter setting
281       for address verification probes.
282
283       This feature is available in Postfix 2.7 and later.
284

address_verify_sender_dependent_relayhost_maps (default: $sender_depen‐

286       dent_relayhost_maps)
287       Overrides  the  sender_dependent_relayhost_maps  parameter  setting for
288       address verification probes.
289
290       This feature is available in Postfix 2.3 and later.
291

address_verify_sender_ttl (default: 0s)

293       The time between changes in the time-dependent portion of address veri‐
294       fication probe sender addresses. The time-dependent portion is appended
295       to the  localpart  of  the  address  specified  with  the  address_ver‐
296       ify_sender  parameter.  This  feature  is ignored when the probe sender
297       addresses is the null sender, i.e. the address_verify_sender  value  is
298       empty or <>.
299
300       Historically,  the probe sender address was fixed. This has caused such
301       addresses to end up on spammer  mailing  lists,  and  has  resulted  in
302       wasted network and processing resources.
303
304       To  enable  time-dependent  probe  sender addresses, specify a non-zero
305       time value (an integral value plus an optional one-letter  suffix  that
306       specifies  the  time unit).  Specify a value of at least several hours,
307       to avoid problems with senders that use greylisting.   Avoid  nice  TTL
308       values,  to  make the result less predictable.  Time units are: s (sec‐
309       onds), m (minutes), h (hours), d (days), w (weeks).
310
311       This feature is available in Postfix 2.9 and later.
312

address_verify_service_name (default: verify)

314       The name of the verify(8) address verification  service.  This  service
315       maintains  the  status  of sender and/or recipient address verification
316       probes, and generates probes on request by other Postfix processes.
317

address_verify_transport_maps (default: $transport_maps)

319       Overrides the transport_maps parameter setting for address verification
320       probes.
321
322       This feature is available in Postfix 2.1 and later.
323

address_verify_virtual_transport (default: $virtual_transport)

325       Overrides the virtual_transport parameter setting for address verifica‐
326       tion probes.
327
328       This feature is available in Postfix 2.1 and later.
329

alias_database (default: see postconf -d output)

331       The alias  databases  for  local(8)  delivery  that  are  updated  with
332       "newaliases" or with "sendmail -bi".
333
334       This  is  a separate configuration parameter because not all the tables
335       specified with $alias_maps have to be local files.
336
337       Examples:
338
339       alias_database = hash:/etc/aliases
340       alias_database = hash:/etc/mail/aliases
341

alias_maps (default: see postconf -d output)

343       The alias databases that are used for local(8) delivery. See aliases(5)
344       for  syntax  details.   Specify zero or more "type:name" lookup tables,
345       separated by whitespace or comma. Tables will be searched in the speci‐
346       fied order until a match is found.  Note: these lookups are recursive.
347
348       The default list is system dependent.  On systems with NIS, the default
349       is to search the local alias database, then the NIS alias database.
350
351       If you change the alias  database,  run  "postalias  /etc/aliases"  (or
352       wherever  your  system  stores  the  mail  alias  file),  or simply run
353       "newaliases" to build the necessary DBM or DB file.
354
355       The local(8) delivery agent disallows regular  expression  substitution
356       of $1 etc. in alias_maps, because that would open a security hole.
357
358       The  local(8)  delivery  agent will silently ignore requests to use the
359       proxymap(8) server within alias_maps. Instead it will  open  the  table
360       directly.  Before Postfix version 2.2, the local(8) delivery agent will
361       terminate with a fatal error.
362
363       Examples:
364
365       alias_maps = hash:/etc/aliases, nis:mail.aliases
366       alias_maps = hash:/etc/aliases
367

allow_mail_to_commands (default: alias, forward)

369       Restrict local(8) mail delivery to external commands.  The  default  is
370       to  disallow delivery to "|command" in :include:  files (see aliases(5)
371       for the text that defines this terminology).
372
373       Specify zero or more of: alias, forward or include, in order  to  allow
374       commands  in aliases(5), .forward files or in :include:  files, respec‐
375       tively.
376
377       Example:
378
379       allow_mail_to_commands = alias,forward,include
380

allow_mail_to_files (default: alias, forward)

382       Restrict local(8) mail delivery to external files. The  default  is  to
383       disallow  "/file/name" destinations in :include:  files (see aliases(5)
384       for the text that defines this terminology).
385
386       Specify zero or more of: alias, forward or include, in order  to  allow
387       "/file/name"   destinations   in  aliases(5),  .forward  files  and  in
388       :include:  files, respectively.
389
390       Example:
391
392       allow_mail_to_files = alias,forward,include
393

allow_min_user (default: no)

395       Allow a sender or recipient address to have `-' as the first character.
396       By  default, this is not allowed, to avoid accidents with software that
397       passes email addresses via the command line. Such software would not be
398       able  to  distinguish a malicious address from a bona fide command-line
399       option. Although this can be prevented by inserting a "--" option  ter‐
400       minator  into  the  command  line, this is difficult to enforce consis‐
401       tently and globally.
402
403       As of Postfix version 2.5, this feature is implemented  by  trivial-re‐
404       write(8).   With  earlier  versions  this  feature  was  implemented by
405       qmgr(8) and was limited to recipient addresses only.
406

allow_percent_hack (default: yes)

408       Enable the rewriting of the form "user%domain" to "user@domain".   This
409       is enabled by default.
410
411       Note:  as of Postfix version 2.2, message header address rewriting hap‐
412       pens only when one of the following conditions is true:
413
414       ·      The message is received with the Postfix sendmail(1) command,
415
416       ·      The message is received  from  a  network  client  that  matches
417              $local_header_rewrite_clients,
418
419       ·      The   message   is   received   from   the   network,   and  the
420              remote_header_rewrite_domain  parameter  specifies  a  non-empty
421              value.
422
423       To   get   the   behavior   before   Postfix   version   2.2,   specify
424       "local_header_rewrite_clients = static:all".
425
426       Example:
427
428       allow_percent_hack = no
429

allow_untrusted_routing (default: no)

431       Forward mail with sender-specified  routing  (user[@%!]remote[@%!]site)
432       from untrusted clients to destinations matching $relay_domains.
433
434       By default, this feature is turned off.  This closes a nasty open relay
435       loophole where a backup MX host can be  tricked  into  forwarding  junk
436       mail to a primary MX host which then spams it out to the world.
437
438       This  parameter also controls if non-local addresses with sender-speci‐
439       fied  routing  can  match  Postfix  access  tables.  By  default,  such
440       addresses  cannot  match  Postfix access tables, because the address is
441       ambiguous.
442

alternate_config_directories (default: empty)

444       A list of non-default Postfix configuration  directories  that  may  be
445       specified  with  "-c config_directory" on the command line (in the case
446       of sendmail(1), with the "-C" option), or via the MAIL_CONFIG  environ‐
447       ment parameter.
448
449       This  list  must  be specified in the default Postfix main.cf file, and
450       will be used by set-gid Postfix commands such as postqueue(1) and post‐
451       drop(1).
452
453       Specify  absolute  pathnames,  separated by comma or space. Note: $name
454       expansion is not supported.
455

always_add_missing_headers (default: no)

457       Always add (Resent-) From:, To:, Date: or Message-ID: headers when  not
458       present.   Postfix  2.6  and  later add these headers only when clients
459       match  the  local_header_rewrite_clients  parameter  setting.   Earlier
460       Postfix  versions  always add these headers; this may break DKIM signa‐
461       tures  that  cover  non-existent  headers.    The   undisclosed_recipi‐
462       ents_header  parameter  setting determines whether a To: header will be
463       added.
464

always_bcc (default: empty)

466       Optional address that receives a "blind carbon copy"  of  each  message
467       that is received by the Postfix mail system.
468
469       Note:  with Postfix 2.3 and later the BCC address is added as if it was
470       specified with NOTIFY=NONE. The sender will not be  notified  when  the
471       BCC  address  is  undeliverable,  as  long  as all down-stream software
472       implements RFC 3461.
473
474       Note: with Postfix 2.2 and earlier the sender will be notified when the
475       BCC address is undeliverable.
476
477       Note:  automatic  BCC  recipients  are  produced only for new mail.  To
478       avoid mailer loops, automatic BCC recipients are  not  generated  after
479       Postfix  forwards  mail  internally,  or  after  Postfix generates mail
480       itself.
481

anvil_rate_time_unit (default: 60s)

483       The time unit over which client connection rates and  other  rates  are
484       calculated.
485
486       This  feature is implemented by the anvil(8) service which is available
487       in Postfix version 2.2 and later.
488
489       The default interval is relatively short. Because of the high frequency
490       of updates, the anvil(8) server uses volatile memory only. Thus, infor‐
491       mation is lost whenever the process terminates.
492
493       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
494       The default time unit is s (seconds).
495

anvil_status_update_time (default: 600s)

497       How  frequently  the  anvil(8) connection and rate limiting server logs
498       peak usage information.
499
500       This feature is available in Postfix 2.2 and later.
501
502       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
503       The default time unit is s (seconds).
504

append_at_myorigin (default: yes)

506       With  locally  submitted  mail,  append the string "@$myorigin" to mail
507       addresses without domain information.  With  remotely  submitted  mail,
508       append the string "@$remote_header_rewrite_domain" instead.
509
510       Note  1: this feature is enabled by default and must not be turned off.
511       Postfix does not support domain-less addresses.
512
513       Note 2: with Postfix version 2.2, message header address rewriting hap‐
514       pens only when one of the following conditions is true:
515
516       ·      The message is received with the Postfix sendmail(1) command,
517
518       ·      The  message  is  received  from  a  network client that matches
519              $local_header_rewrite_clients,
520
521       ·      The  message   is   received   from   the   network,   and   the
522              remote_header_rewrite_domain  parameter  specifies  a  non-empty
523              value.
524
525       To   get   the   behavior   before   Postfix   version   2.2,   specify
526       "local_header_rewrite_clients = static:all".
527

append_dot_mydomain (default: Postfix >= 3.0: no, Postfix < 3.0: yes)

529       With   locally  submitted  mail,  append  the  string  ".$mydomain"  to
530       addresses that have no ".domain" information. With  remotely  submitted
531       mail, append the string ".$remote_header_rewrite_domain" instead.
532
533       Note 1: this feature is enabled by default. If disabled, users will not
534       be able to send mail to "user@partialdomainname" but will have to spec‐
535       ify full domain names instead.
536
537       Note 2: with Postfix version 2.2, message header address rewriting hap‐
538       pens only when one of the following conditions is true:
539
540       ·      The message is received with the Postfix sendmail(1) command,
541
542       ·      The message is received  from  a  network  client  that  matches
543              $local_header_rewrite_clients,
544
545       ·      The   message   is   received   from   the   network,   and  the
546              remote_header_rewrite_domain  parameter  specifies  a  non-empty
547              value.
548
549       To   get   the   behavior   before   Postfix   version   2.2,   specify
550       "local_header_rewrite_clients = static:all".
551

application_event_drain_time (default: 100s)

553       How long the postkick(1) command waits for a request to enter the Post‐
554       fix daemon process input buffer before giving up.
555
556       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
557       The default time unit is s (seconds).
558
559       This feature is available in Postfix 2.1 and later.
560

authorized_flush_users (default: static:anyone)

562       List of users who are authorized to flush the queue.
563
564       By default, all users are allowed to flush the queue.  Access is always
565       granted if the invoking user is the super-user or the $mail_owner user.
566       Otherwise, the real UID of the process is looked up in the system pass‐
567       word  file,  and access is granted only if the corresponding login name
568       is on the access list.  The username "unknown" is  used  for  processes
569       whose real UID is not found in the password file.
570
571       Specify  a  list  of user names, "/file/name" or "type:table" patterns,
572       separated by commas and/or whitespace. The  list  is  matched  left  to
573       right,  and the search stops on the first match. A "/file/name" pattern
574       is replaced by its contents; a "type:table"  lookup  table  is  matched
575       when  a name matches a lookup key (the lookup result is ignored).  Con‐
576       tinue long lines by starting the next  line  with  whitespace.  Specify
577       "!pattern"  to  exclude a name from the list. The form "!/file/name" is
578       supported only in Postfix version 2.4 and later.
579
580       This feature is available in Postfix 2.2 and later.
581

authorized_mailq_users (default: static:anyone)

583       List of users who are authorized to view the queue.
584
585       By default, all users are allowed to view the queue.  Access is  always
586       granted if the invoking user is the super-user or the $mail_owner user.
587       Otherwise, the real UID of the process is looked up in the system pass‐
588       word  file,  and access is granted only if the corresponding login name
589       is on the access list.  The username "unknown" is  used  for  processes
590       whose real UID is not found in the password file.
591
592       Specify  a  list  of user names, "/file/name" or "type:table" patterns,
593       separated by commas and/or whitespace. The  list  is  matched  left  to
594       right,  and the search stops on the first match. A "/file/name" pattern
595       is replaced by its contents; a "type:table"  lookup  table  is  matched
596       when  a name matches a lookup key (the lookup result is ignored).  Con‐
597       tinue long lines by starting the next  line  with  whitespace.  Specify
598       "!pattern" to exclude a user name from the list. The form "!/file/name"
599       is supported only in Postfix version 2.4 and later.
600
601       This feature is available in Postfix 2.2 and later.
602

authorized_submit_users (default: static:anyone)

604       List of users who are authorized to submit mail  with  the  sendmail(1)
605       command (and with the privileged postdrop(1) helper command).
606
607       By  default, all users are allowed to submit mail.  Otherwise, the real
608       UID of the process is looked up in the system password file, and access
609       is  granted only if the corresponding login name is on the access list.
610       The username "unknown" is used for processes  whose  real  UID  is  not
611       found in the password file. To deny mail submission access to all users
612       specify an empty list.
613
614       Specify a list of user names, "/file/name"  or  "type:table"  patterns,
615       separated  by  commas  and/or  whitespace.  The list is matched left to
616       right, and the search stops on the first match. A "/file/name"  pattern
617       is  replaced  by  its  contents; a "type:table" lookup table is matched
618       when a name matches a lookup key (the lookup result is ignored).   Con‐
619       tinue  long  lines  by  starting the next line with whitespace. Specify
620       "!pattern" to exclude a user name from the list. The form "!/file/name"
621       is supported only in Postfix version 2.4 and later.
622
623       Example:
624
625       authorized_submit_users = !www, static:all
626
627       This feature is available in Postfix 2.2 and later.
628

authorized_verp_clients (default: $mynetworks)

630       What  remote  SMTP  clients  are  allowed to specify the XVERP command.
631       This command requests that mail be delivered one recipient  at  a  time
632       with a per recipient return address.
633
634       By default, only trusted clients are allowed to specify XVERP.
635
636       This  parameter  was introduced with Postfix version 1.1.  Postfix ver‐
637       sion 2.1 renamed this parameter  to  smtpd_authorized_verp_clients  and
638       changed the default to none.
639
640       Specify  a list of network/netmask patterns, separated by commas and/or
641       whitespace. The mask specifies the number of bits in the  network  part
642       of a host address. You can also specify hostnames or .domain names (the
643       initial  dot  causes  the  domain  to  match  any   name   below   it),
644       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
645       replaced by its contents; a "type:table" lookup table is matched when a
646       table  entry  matches  a  lookup string (the lookup result is ignored).
647       Continue long lines by starting the next line with whitespace.  Specify
648       "!pattern"  to  exclude  an address or network block from the list. The
649       form "!/file/name" is supported only in Postfix version 2.4 and later.
650
651       Note: IP version 6 address information must be specified inside  []  in
652       the   authorized_verp_clients   value,  and  in  files  specified  with
653       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
654       would otherwise be confused with a "type:table" pattern.
655

backwards_bounce_logfile_compatibility (default: yes)

657       Produce  additional bounce(8) logfile records that can be read by Post‐
658       fix versions before 2.0. The current and more extensible "name = value"
659       format  is  needed in order to implement more sophisticated functional‐
660       ity.
661
662       This feature is available in Postfix 2.1 and later.
663

berkeley_db_create_buffer_size (default: 16777216)

665       The per-table I/O buffer size for programs that create Berkeley DB hash
666       or btree tables.  Specify a byte count.
667
668       This feature is available in Postfix 2.0 and later.
669

berkeley_db_read_buffer_size (default: 131072)

671       The  per-table  I/O buffer size for programs that read Berkeley DB hash
672       or btree tables.  Specify a byte count.
673
674       This feature is available in Postfix 2.0 and later.
675

best_mx_transport (default: empty)

677       Where the Postfix SMTP client should deliver mail  when  it  detects  a
678       "mail  loops  back  to  myself"  error condition. This happens when the
679       local MTA is the best SMTP mail exchanger for a destination not  listed
680       in    $mydestination,    $inet_interfaces,   $proxy_interfaces,   $vir‐
681       tual_alias_domains, or $virtual_mailbox_domains.  By default, the Post‐
682       fix SMTP client returns such mail as undeliverable.
683
684       Specify, for example, "best_mx_transport = local" to pass the mail from
685       the Postfix SMTP client to the local(8) delivery agent. You can specify
686       any message delivery "transport" or "transport:nexthop" that is defined
687       in the master.cf file. See the transport(5) manual page for the  syntax
688       and meaning of "transport" or "transport:nexthop".
689
690       However,  this  feature  is expensive because it ties up a Postfix SMTP
691       client process while the local(8) delivery agent is doing its work.  It
692       is  more  efficient (for Postfix) to list all hosted domains in a table
693       or database.
694

biff (default: yes)

696       Whether or not to use the local biff service.  This service sends  "new
697       mail"  notifications  to users who have requested new mail notification
698       with the UNIX command "biff y".
699
700       For compatibility reasons this feature is on by  default.   On  systems
701       with  lots  of interactive users, the biff service can be a performance
702       drain.  Specify "biff = no" in main.cf to disable.
703

body_checks (default: empty)

705       Optional lookup tables for  content  inspection  as  specified  in  the
706       body_checks(5) manual page.
707
708       Note: with Postfix versions before 2.0, these rules inspect all content
709       after the primary message headers.
710

body_checks_size_limit (default: 51200)

712       How much text in a message body segment (or attachment, if  you  prefer
713       to  use  that term) is subjected to body_checks inspection.  The amount
714       of text is limited to avoid scanning huge attachments.
715
716       This feature is available in Postfix 2.0 and later.
717

bounce_notice_recipient (default: postmaster)

719       The recipient of postmaster notifications with the message  headers  of
720       mail  that Postfix did not deliver and of SMTP conversation transcripts
721       of mail that Postfix did not receive.  This feature is enabled with the
722       notify_classes parameter.
723

bounce_queue_lifetime (default: 5d)

725       Consider  a bounce message as undeliverable, when delivery fails with a
726       temporary  error,  and  the  time  in  the  queue   has   reached   the
727       bounce_queue_lifetime limit.  By default, this limit is the same as for
728       regular mail.
729
730       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
731       The default time unit is d (days).
732
733       Specify 0 when mail delivery should be tried only once.
734
735       This feature is available in Postfix 2.1 and later.
736

bounce_service_name (default: bounce)

738       The  name  of the bounce(8) service. This service maintains a record of
739       failed delivery attempts and generates non-delivery notifications.
740
741       This feature is available in Postfix 2.0 and later.
742

bounce_size_limit (default: 50000)

744       The maximal  amount  of  original  message  text  that  is  sent  in  a
745       non-delivery notification. Specify a byte count.  A message is returned
746       as   either   message/rfc822   (the   complete    original)    or    as
747       text/rfc822-headers  (the  headers only).  With Postfix version 2.4 and
748       earlier, a message is always returned as message/rfc822  and  is  trun‐
749       cated when it exceeds the size limit.
750
751       Notes:
752
753       ·      If  you  increase  this  limit,  then  you  should  increase the
754              mime_nesting_limit value proportionally.
755
756       ·      Be careful when making changes.  Excessively large  values  will
757              result  in the loss of non-delivery notifications, when a bounce
758              message size exceeds a local or remote MTA's message size limit.
759

bounce_template_file (default: empty)

761       Pathname of a configuration file with bounce message templates.   These
762       override  the  built-in templates of delivery status notification (DSN)
763       messages for undeliverable mail, for delayed mail, successful delivery,
764       or  delivery  verification.  The bounce(5) manual page describes how to
765       edit and test template files.
766
767       Template message body text may contain $name references to Postfix con‐
768       figuration  parameters.  The result of $name expansion can be previewed
769       with "postconf -b file_name" before the file is placed into the Postfix
770       configuration directory.
771
772       This feature is available in Postfix 2.3 and later.
773

broken_sasl_auth_clients (default: no)

775       Enable  interoperability  with  remote  SMTP  clients that implement an
776       obsolete version of the AUTH  command  (RFC  4954).  Examples  of  such
777       clients  are MicroSoft Outlook Express version 4 and MicroSoft Exchange
778       version 5.0.
779
780       Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
781       support in a non-standard way.
782

canonical_classes (default: envelope_sender, envelope_recipient,

784       header_sender, header_recipient)
785       What addresses are  subject  to  canonical_maps  address  mapping.   By
786       default,  canonical_maps  address mapping is applied to envelope sender
787       and recipient addresses, and to  header  sender  and  header  recipient
788       addresses.
789
790       Specify   one   or   more   of:   envelope_sender,  envelope_recipient,
791       header_sender, header_recipient
792
793       This feature is available in Postfix 2.2 and later.
794

canonical_maps (default: empty)

796       Optional  address  mapping  lookup  tables  for  message  headers   and
797       envelopes.  The  mapping  is  applied  to  both  sender  and  recipient
798       addresses, in both envelopes and in headers,  as  controlled  with  the
799       canonical_classes  parameter.  This is typically used to clean up dirty
800       addresses from legacy mail systems, or to replace login names by First‐
801       name.Lastname.   The table format and lookups are documented in canoni‐
802       cal(5). For an  overview  of  Postfix  address  manipulations  see  the
803       ADDRESS_REWRITING_README document.
804
805       Specify zero or more "type:name" lookup tables, separated by whitespace
806       or comma. Tables will be searched in the specified order until a  match
807       is found.  Note: these lookups are recursive.
808
809       If  you use this feature, run "postmap /etc/postfix/canonical" to build
810       the necessary DBM or DB file  after  every  change.  The  changes  will
811       become visible after a minute or so.  Use "postfix reload" to eliminate
812       the delay.
813
814       Note: with Postfix version 2.2, message header address mapping  happens
815       only when message header address rewriting is enabled:
816
817       ·      The message is received with the Postfix sendmail(1) command,
818
819       ·      The  message  is  received  from  a  network client that matches
820              $local_header_rewrite_clients,
821
822       ·      The  message   is   received   from   the   network,   and   the
823              remote_header_rewrite_domain  parameter  specifies  a  non-empty
824              value.
825
826       To   get   the   behavior   before   Postfix   version   2.2,   specify
827       "local_header_rewrite_clients = static:all".
828
829       Examples:
830
831       canonical_maps = dbm:/etc/postfix/canonical
832       canonical_maps = hash:/etc/postfix/canonical
833

cleanup_service_name (default: cleanup)

835       The  name  of  the  cleanup(8) service. This service rewrites addresses
836       into the standard form, and performs canonical(5) address  mapping  and
837       virtual(5) aliasing.
838
839       This feature is available in Postfix 2.0 and later.
840

command_directory (default: see postconf -d output)

842       The location of all postfix administrative commands.
843

command_execution_directory (default: empty)

845       The  local(8) delivery agent working directory for delivery to external
846       command.  Failure  to  change  directory  causes  the  delivery  to  be
847       deferred.
848
849       The  following $name expansions are done on command_execution_directory
850       before the directory is changed. Expansion happens in  the  context  of
851       the  delivery  request.  The result of $name expansion is filtered with
852       the character set that is specified with the execution_directory_expan‐
853       sion_filter parameter.
854
855       $user  The recipient's username.
856
857       $shell The recipient's login shell pathname.
858
859       $home  The recipient's home directory.
860
861       $recipient
862              The full recipient address.
863
864       $extension
865              The optional recipient address extension.
866
867       $domain
868              The recipient domain.
869
870       $local The entire recipient localpart.
871
872       $recipient_delimiter
873              The  address extension delimiter that was found in the recipient
874              address (Postfix 2.11 and later), or the  system-wide  recipient
875              address extension delimiter (Postfix 2.10 and earlier).
876
877       ${name?value}
878              Expands to value when $name is non-empty.
879
880       ${name:value}
881              Expands to value when $name is empty.
882
883       Instead of $name you can also specify ${name} or $(name).
884
885       This feature is available in Postfix 2.2 and later.
886

command_expansion_filter (default: see postconf -d output)

888       Restrict  the  characters  that  the  local(8) delivery agent allows in
889       $name expansions of $mailbox_command and  $command_execution_directory.
890       Characters outside the allowed set are replaced by underscores.
891

command_time_limit (default: 1000s)

893       Time limit for delivery to external commands. This limit is used by the
894       local(8) delivery agent, and is the default time limit for delivery  by
895       the pipe(8) delivery agent.
896
897       Note:  if  you set this time limit to a large value you must update the
898       global ipc_timeout parameter as well.
899

compatibility_level (default: 0)

901       A safety net that  causes  Postfix  to  run  with  backwards-compatible
902       default settings after an upgrade to a newer Postfix version.
903
904       With backwards compatibility turned on (the main.cf compatibility_level
905       value is less than the Postfix built-in value), Postfix looks for  set‐
906       tings that are left at their implicit default value, and logs a message
907       when a backwards-compatible default setting is required.
908
909           using backwards-compatible default setting name=value
910               to [accept a specific client request]
911
912           using backwards-compatible default setting name=value
913               to [enable specific Postfix behavior]
914
915       See COMPATIBILITY_README for specific message details. If such  a  mes‐
916       sage  is  logged  in  the  context  of a legitimate request, the system
917       administrator should make the backwards-compatible setting permanent in
918       main.cf or master.cf, for example:
919
920           # postconf name=value
921           # postfix reload
922
923       When  no  more backwards-compatible settings need to be made permanent,
924       the administrator should turn off backwards compatibility  by  updating
925       the compatibility_level setting in main.cf:
926
927           # postconf compatibility_level=N
928           # postfix reload
929
930       For N specify the number that is logged in your postfix(1) warning mes‐
931       sage:
932
933           warning: To disable backwards compatibility use "postconf
934               compatibility_level=N" and "postfix reload"
935
936       This feature is available in Postfix 3.0 and later.
937

config_directory (default: see postconf -d output)

939       The default location of the Postfix main.cf and master.cf configuration
940       files. This can be overruled via the following mechanisms:
941
942       ·      The  MAIL_CONFIG environment variable (daemon processes and com‐
943              mands).
944
945       ·      The "-c" command-line option (commands only).
946
947       With Postfix command that run with set-gid privileges, a  config_direc‐
948       tory  override requires either root privileges, or it requires that the
949       directory is listed with the alternate_config_directories parameter  in
950       the default main.cf file.
951

confirm_delay_cleared (default: no)

953       After  sending  a  "your  message  is delayed" notification, inform the
954       sender when the delay clears up. This can result in a sudden  burst  of
955       notifications  at  the end of a prolonged network outage, and is there‐
956       fore disabled by default.
957
958       See also: delay_warning_time.
959
960       This feature is available in Postfix 3.0 and later.
961

connection_cache_protocol_timeout (default: 5s)

963       Time limit for connection cache connect, send  or  receive  operations.
964       The time limit is enforced in the client.
965
966       This feature is available in Postfix 2.3 and later.
967

connection_cache_service_name (default: scache)

969       The name of the scache(8) connection cache service.  This service main‐
970       tains a limited pool of cached sessions.
971
972       This feature is available in Postfix 2.2 and later.
973

connection_cache_status_update_time (default: 600s)

975       How frequently the scache(8) server logs usage statistics with  connec‐
976       tion cache hit and miss rates for logical destinations and for physical
977       endpoints.
978

connection_cache_ttl_limit (default: 2s)

980       The maximal time-to-live value  that  the  scache(8)  connection  cache
981       server  allows.  Requests that specify a larger TTL will be stored with
982       the maximum allowed TTL. The purpose of this additional control  is  to
983       protect  the  infrastructure  against careless people. The cache TTL is
984       already bounded by $max_idle.
985

content_filter (default: empty)

987       After the message is queued, send the entire message to  the  specified
988       transport:destination.  The transport name specifies the first field of
989       a mail delivery agent  definition  in  master.cf;  the  syntax  of  the
990       next-hop destination is described in the manual page of the correspond‐
991       ing delivery agent.  More information about external content filters is
992       in the Postfix FILTER_README file.
993
994       Notes:
995
996       ·      This  setting  has lower precedence than a FILTER action that is
997              specified in an access(5),  header_checks(5)  or  body_checks(5)
998              table.
999
1000       ·      The  meaning  of an empty next-hop filter destination is version
1001              dependent.  Postfix 2.7 and later will use the recipient domain;
1002              earlier  versions  will  use $myhostname.  Specify "default_fil‐
1003              ter_nexthop = $myhostname" for compatibility with Postfix 2.6 or
1004              earlier,  or  specify  a  content_filter  value with an explicit
1005              next-hop destination.
1006

cyrus_sasl_config_path (default: empty)

1008       Search path for Cyrus SASL application configuration  files,  currently
1009       used  only  to  locate the $smtpd_sasl_path.conf file.  Specify zero or
1010       more directories separated by a colon character, or an empty  value  to
1011       use Cyrus SASL's built-in search path.
1012
1013       This  feature  is available in Postfix 2.5 and later when compiled with
1014       Cyrus SASL 2.1.22 or later.
1015

daemon_directory (default: see postconf -d output)

1017       The directory with Postfix support programs and daemon programs.  These
1018       should  not  be invoked directly by humans. The directory must be owned
1019       by root.
1020

daemon_table_open_error_is_fatal (default: no)

1022       How a Postfix  daemon  process  handles  errors  while  opening  lookup
1023       tables: gradual degradation or immediate termination.
1024
1025        no  (default)
1026              Gradual  degradation:  a  daemon  process logs a message of type
1027              "error" and continues execution with reduced functionality. Fea‐
1028              tures that do not depend on the unavailable table will work nor‐
1029              mally, while features that depend on the table will result in  a
1030              type "warning" message.
1031              When  the  notify_classes  parameter  value  contains the "data"
1032              class, the Postfix SMTP server  and  client  will  report  tran‐
1033              scripts  of  sessions  with an error because a table is unavail‐
1034              able.
1035
1036        yes  (historical behavior)
1037              Immediate termination: a daemon process logs a type "fatal" mes‐
1038              sage and terminates immediately.  This option reduces the number
1039              of possible code paths through Postfix,  and  may  therefore  be
1040              slightly more secure than the default.
1041
1042       For  the sake of sanity, the number of type "error" messages is limited
1043       to 13 over the lifetime of a daemon process.
1044
1045       This feature is available in Postfix 2.9 and later.
1046

daemon_timeout (default: 18000s)

1048       How much time a Postfix daemon process may take  to  handle  a  request
1049       before it is terminated by a built-in watchdog timer.
1050
1051       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1052       The default time unit is s (seconds).
1053

data_directory (default: see postconf -d output)

1055       The directory with Postfix-writable data files  (for  example:  caches,
1056       pseudo-random numbers).  This directory must be owned by the mail_owner
1057       account, and must not be shared with non-Postfix software.
1058
1059       This feature is available in Postfix 2.5 and later.
1060

debug_peer_level (default: 2)

1062       The increment in verbose logging level when a remote client  or  server
1063       matches a pattern in the debug_peer_list parameter.
1064

debug_peer_list (default: empty)

1066       Optional  list  of  remote client or server hostname or network address
1067       patterns that cause the verbose logging level to increase by the amount
1068       specified in $debug_peer_level.
1069
1070       Specify  domain  names, network/netmask patterns, "/file/name" patterns
1071       or  "type:table"  lookup  tables.  The  right-hand  side  result   from
1072       "type:table" lookups is ignored.
1073
1074       Pattern  matching  of  domain  names  is  controlled by the presence or
1075       absence of "debug_peer_list"  in  the  parent_domain_matches_subdomains
1076       parameter value.
1077
1078       Examples:
1079
1080       debug_peer_list = 127.0.0.1
1081       debug_peer_list = example.com
1082

debugger_command (default: empty)

1084       The  external  command  to  execute  when  a  Postfix daemon program is
1085       invoked with the -D option.
1086
1087       Use "command .. & sleep 5" so that the debugger can attach  before  the
1088       process  marches  on. If you use an X-based debugger, be sure to set up
1089       your XAUTHORITY environment variable before starting Postfix.
1090
1091       Note: the command is subject to $name expansion, before it is passed to
1092       the  default  command interpreter. Specify "$$" to produce a single "$"
1093       character.
1094
1095       Example:
1096
1097       debugger_command =
1098           PATH=/usr/bin:/usr/X11R6/bin
1099           ddd $daemon_directory/$process_name $process_id & sleep 5
1100

default_database_type (default: see postconf -d output)

1102       The default database type for use in  newaliases(1),  postalias(1)  and
1103       postmap(1)  commands.  On  many UNIX systems the default type is either
1104       dbm or hash. The default setting is frozen when the Postfix  system  is
1105       built.
1106
1107       Examples:
1108
1109       default_database_type = hash
1110       default_database_type = dbm
1111

default_delivery_slot_cost (default: 5)

1113       How  often  the Postfix queue manager's scheduler is allowed to preempt
1114       delivery of one message with another.
1115
1116       Each transport maintains a so-called "available delivery slot  counter"
1117       for  each message. One message can be preempted by another one when the
1118       other message can be delivered using  no  more  delivery  slots  (i.e.,
1119       invocations  of  delivery  agents) than the current message counter has
1120       accumulated (or will eventually  accumulate  -  see  about  slot  loans
1121       below).  This parameter controls how often is the counter incremented -
1122       it happens after each default_delivery_slot_cost recipients  have  been
1123       delivered.
1124
1125       The  cost of 0 is used to disable the preempting scheduling completely.
1126       The minimum value the scheduling algorithm can use is 2 - use it if you
1127       want to maximize the message throughput rate. Although there is no max‐
1128       imum, it doesn't make much sense to use values above say 50.
1129
1130       The only reason why the value of 2 is not the default is the  way  this
1131       parameter affects the delivery of mailing-list mail. In the worst case,
1132       their  delivery  can   take   somewhere   between   (cost+1/cost)   and
1133       (cost/cost-1) times more than if the preemptive scheduler was disabled.
1134       The default value of 5 turns out to provide reasonable message response
1135       times while making sure the mailing-list deliveries are not extended by
1136       more than 20-25 percent even in the worst case.
1137
1138       Use transport_delivery_slot_cost to specify a transport-specific  over‐
1139       ride,  where  transport  is  the master.cf name of the message delivery
1140       transport.
1141
1142       Examples:
1143
1144       default_delivery_slot_cost = 0
1145       default_delivery_slot_cost = 2
1146

default_delivery_slot_discount (default: 50)

1148       The default value for transport-specific  _delivery_slot_discount  set‐
1149       tings.
1150
1151       This  parameter speeds up the moment when a message preemption can hap‐
1152       pen. Instead of  waiting  until  the  full  amount  of  delivery  slots
1153       required  is available, the preemption can happen when transport_deliv‐
1154       ery_slot_discount percent of the required amount plus  transport_deliv‐
1155       ery_slot_loan  still  remains  to  be  accumulated.  Note that the full
1156       amount will still have to be accumulated before another preemption  can
1157       take place later.
1158
1159       Use  transport_delivery_slot_discount  to  specify a transport-specific
1160       override, where transport is the master.cf name of the message delivery
1161       transport.
1162

default_delivery_slot_loan (default: 3)

1164       The default value for transport-specific _delivery_slot_loan settings.
1165
1166       This  parameter speeds up the moment when a message preemption can hap‐
1167       pen. Instead of  waiting  until  the  full  amount  of  delivery  slots
1168       required  is available, the preemption can happen when transport_deliv‐
1169       ery_slot_discount percent of the required amount plus  transport_deliv‐
1170       ery_slot_loan  still  remains  to  be  accumulated.  Note that the full
1171       amount will still have to be accumulated before another preemption  can
1172       take place later.
1173
1174       Use  transport_delivery_slot_loan to specify a transport-specific over‐
1175       ride, where transport is the master.cf name  of  the  message  delivery
1176       transport.
1177

default_delivery_status_filter (default: empty)

1179       Optional filter to replace the delivery status code or explanatory text
1180       of successful or unsuccessful deliveries.   This  does  not  allow  the
1181       replacement  of  a  successful status code (2.X.X) with an unsuccessful
1182       status code (4.X.X or 5.X.X) or vice versa.
1183
1184       Note: the (smtp|lmtp)_delivery_status_filter is applied only  once  per
1185       recipient:  when delivery is successful, when delivery is rejected with
1186       5XX, or when there are no more alternate  MX  or  A  destinations.  Use
1187       smtp_reply_filter  or  lmtp_reply_filter  to  inspect responses for all
1188       delivery attempts.
1189
1190       The following parameters can be used to implement a filter for specific
1191       delivery   agents:   lmtp_delivery_status_filter,   local_delivery_sta‐
1192       tus_filter, pipe_delivery_status_filter, smtp_delivery_status_filter or
1193       virtual_delivery_status_filter.  These parameters support the same fil‐
1194       ter syntax as described here.
1195
1196       Specify zero or more "type:table"  lookup  table  names,  separated  by
1197       comma  or whitespace. For each successful or unsuccessful delivery to a
1198       recipient, the tables are queried in the specified order with one  line
1199       of text that is structured as follows:
1200
1201           enhanced-status-code SPACE explanatory-text
1202
1203       The first table match wins. The lookup result must have the same struc‐
1204       ture as the query, a successful status code (2.X.X)  must  be  replaced
1205       with  a  successful  status code, an unsuccessful status code (4.X.X or
1206       5.X.X) must be replaced with  an  unsuccessful  status  code,  and  the
1207       explanatory  text field must be non-empty. Other results will result in
1208       a warning.
1209
1210       Example 1: convert specific soft TLS errors into hard errors, by  over‐
1211       riding the first number in the enhanced status code.
1212
1213           /etc/postfix/main.cf:
1214               smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
1215
1216           /etc/postfix/smtp_dsn_filter:
1217               /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
1218                   5$1
1219               /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
1220                   5$1
1221               # Do not change the following into hard bounces. They may
1222               # result from a local configuration problem.
1223               # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
1224               # 4.\d+.\d+ TLS is required, but unavailable
1225               # 4.\d+.\d+ Cannot start TLS: handshake failure
1226
1227       Example  2:  censor  the  per-recipient delivery status text so that it
1228       does not reveal the destination  command  or  filename  when  a  remote
1229       sender requests confirmation of successful delivery.
1230
1231           /etc/postfix/main.cf:
1232               local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
1233
1234           /etc/postfix/local_dsn_filter:
1235               /^(2\S+ delivered to file).+/    $1
1236               /^(2\S+ delivered to command).+/ $1
1237
1238       Notes:
1239
1240       ·      This feature will NOT override the soft_bounce safety net.
1241
1242       ·      This  feature will change the enhanced status code and text that
1243              is logged to the maillog file,  and  that  is  reported  to  the
1244              sender in delivery confirmation or non-delivery notifications.
1245
1246       This feature is available in Postfix 3.0 and later.
1247

default_destination_concurrency_failed_cohort_limit (default: 1)

1249       How  many  pseudo-cohorts  must  suffer connection or handshake failure
1250       before a specific destination is considered  unavailable  (and  further
1251       delivery  is suspended). Specify zero to disable this feature. A desti‐
1252       nation's pseudo-cohort failure count is reset each time a delivery com‐
1253       pletes without connection or handshake failure for that specific desti‐
1254       nation.
1255
1256       A pseudo-cohort is the number of deliveries equal  to  a  destination's
1257       delivery concurrency.
1258
1259       Use  transport_destination_concurrency_failed_cohort_limit to specify a
1260       transport-specific override, where transport is the master.cf  name  of
1261       the message delivery transport.
1262
1263       This  feature  is available in Postfix 2.5. The default setting is com‐
1264       patible with earlier Postfix versions.
1265

default_destination_concurrency_limit (default: 20)

1267       The default maximal number of parallel deliveries to the same  destina‐
1268       tion.  This is the default limit for delivery via the lmtp(8), pipe(8),
1269       smtp(8) and virtual(8) delivery agents.  With per-destination recipient
1270       limit > 1, a destination is a domain, otherwise it is a recipient.
1271
1272       Use transport_destination_concurrency_limit to specify a transport-spe‐
1273       cific override, where transport is the master.cf name  of  the  message
1274       delivery transport.
1275

default_destination_concurrency_negative_feedback (default: 1)

1277       The  per-destination  amount of delivery concurrency negative feedback,
1278       after a delivery completes with  a  connection  or  handshake  failure.
1279       Feedback  values  are  in the range 0..1 inclusive. With negative feed‐
1280       back, concurrency is decremented at the  beginning  of  a  sequence  of
1281       length  1/feedback. This is unlike positive feedback, where concurrency
1282       is incremented at the end of a sequence of length 1/feedback.
1283
1284       As of Postfix version 2.5, negative  feedback  cannot  reduce  delivery
1285       concurrency  to  zero.   Instead, a destination is marked dead (further
1286       delivery  suspended)  after  the  failed  pseudo-cohort  count  reaches
1287       $default_destination_concurrency_failed_cohort_limit     (or    $trans‐
1288       port_destination_concurrency_failed_cohort_limit).  To make the  sched‐
1289       uler  completely  immune to connection or handshake failures, specify a
1290       zero feedback value and a zero failed pseudo-cohort limit.
1291
1292       Specify one of the following forms:
1293
1294       number
1295
1296       number / number
1297              Constant feedback. The value must be in the  range  0..1  inclu‐
1298              sive.   The  default  setting  of "1" is compatible with Postfix
1299              versions before 2.5, where a destination's delivery  concurrency
1300              is throttled down to zero (and further delivery suspended) after
1301              a single failed pseudo-cohort.
1302
1303       number / concurrency
1304              Variable feedback of "number  /  (delivery  concurrency)".   The
1305              number must be in the range 0..1 inclusive. With number equal to
1306              "1", a destination's delivery concurrency is  decremented  by  1
1307              after each failed pseudo-cohort.
1308
1309       A  pseudo-cohort  is  the number of deliveries equal to a destination's
1310       delivery concurrency.
1311
1312       Use transport_destination_concurrency_negative_feedback  to  specify  a
1313       transport-specific  override,  where transport is the master.cf name of
1314       the message delivery transport.
1315
1316       This feature is available in Postfix 2.5. The default setting  is  com‐
1317       patible with earlier Postfix versions.
1318

default_destination_concurrency_positive_feedback (default: 1)

1320       The  per-destination  amount of delivery concurrency positive feedback,
1321       after a delivery completes without  connection  or  handshake  failure.
1322       Feedback  values  are  in  the  range  0..1 inclusive.  The concurrency
1323       increases until it  reaches  the  per-destination  maximal  concurrency
1324       limit. With positive feedback, concurrency is incremented at the end of
1325       a sequence with length 1/feedback. This is  unlike  negative  feedback,
1326       where  concurrency  is decremented at the start of a sequence of length
1327       1/feedback.
1328
1329       Specify one of the following forms:
1330
1331       number
1332
1333       number / number
1334              Constant feedback.  The value must be in the range  0..1  inclu‐
1335              sive. The default setting of "1" is compatible with Postfix ver‐
1336              sions before 2.5, where  a  destination's  delivery  concurrency
1337              doubles after each successful pseudo-cohort.
1338
1339       number / concurrency
1340              Variable  feedback  of  "number  / (delivery concurrency)".  The
1341              number must be in the range 0..1 inclusive. With number equal to
1342              "1",  a  destination's  delivery concurrency is incremented by 1
1343              after each successful pseudo-cohort.
1344
1345       A pseudo-cohort is the number of deliveries equal  to  a  destination's
1346       delivery concurrency.
1347
1348       Use  transport_destination_concurrency_positive_feedback  to  specify a
1349       transport-specific override, where transport is the master.cf  name  of
1350       the message delivery transport.
1351
1352       This feature is available in Postfix 2.5 and later.
1353

default_destination_rate_delay (default: 0s)

1355       The  default amount of delay that is inserted between individual deliv‐
1356       eries to the same destination; the resulting behavior  depends  on  the
1357       value of the corresponding per-destination recipient limit.
1358
1359       ·      With  a  corresponding  per-destination recipient limit > 1, the
1360              rate delay specifies the time between  deliveries  to  the  same
1361              domain.  Different domains are delivered in parallel, subject to
1362              the process limits specified in master.cf.
1363
1364       ·      With a corresponding per-destination recipient limit equal to 1,
1365              the rate delay specifies the time between deliveries to the same
1366              recipient. Different recipients are delivered in parallel,  sub‐
1367              ject to the process limits specified in master.cf.
1368
1369       To  enable  the delay, specify a non-zero time value (an integral value
1370       plus an optional one-letter suffix that specifies the time unit).
1371
1372       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
1373       The default time unit is s (seconds).
1374
1375       NOTE: the delay is enforced by the queue manager. The delay timer state
1376       does not survive "postfix reload" or "postfix stop".
1377
1378       Use transport_destination_rate_delay to  specify  a  transport-specific
1379       override, where transport is the master.cf name of the message delivery
1380       transport.
1381
1382       NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1383       tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1384       fix from deferring all mail for the same  destination  after  only  one
1385       connection or handshake error.
1386
1387       This feature is available in Postfix 2.5 and later.
1388

default_destination_recipient_limit (default: 50)

1390       The default maximal number of recipients per message delivery.  This is
1391       the default limit for delivery via the lmtp(8),  pipe(8),  smtp(8)  and
1392       virtual(8) delivery agents.
1393
1394       Setting this parameter to a value of 1 affects email deliveries as fol‐
1395       lows:
1396
1397       ·      It changes the meaning of the corresponding per-destination con‐
1398              currency  limit,  from  concurrency  of  deliveries  to the same
1399              domain into concurrency of deliveries  to  the  same  recipient.
1400              Different  recipients  are delivered in parallel, subject to the
1401              process limits specified in master.cf.
1402
1403       ·      It changes the meaning of the corresponding per-destination rate
1404              delay, from the delay between deliveries to the same domain into
1405              the delay between deliveries to the same recipient.  Again, dif‐
1406              ferent  recipients  are  delivered  in  parallel, subject to the
1407              process limits specified in master.cf.
1408
1409       ·      It changes the meaning of  other  corresponding  per-destination
1410              settings  in a similar manner, from settings for delivery to the
1411              same domain into settings for delivery to the same recipient.
1412
1413       Use transport_destination_recipient_limit to specify  a  transport-spe‐
1414       cific  override,  where  transport is the master.cf name of the message
1415       delivery transport.
1416

default_extra_recipient_limit (default: 1000)

1418       The default value for the extra per-transport limit imposed on the num‐
1419       ber  of  in-memory  recipients.  This extra recipient space is reserved
1420       for the cases when the Postfix queue manager's scheduler  preempts  one
1421       message with another and suddenly needs some extra recipients slots for
1422       the chosen message in order to avoid performance degradation.
1423
1424       Use transport_extra_recipient_limit  to  specify  a  transport-specific
1425       override, where transport is the master.cf name of the message delivery
1426       transport.
1427

default_filter_nexthop (default: empty)

1429       When a content_filter or FILTER request specifies no explicit  next-hop
1430       destination,  use  $default_filter_nexthop  instead; when that value is
1431       empty, use the domain in the recipient address.  Specify  "default_fil‐
1432       ter_nexthop  =  $myhostname" for compatibility with Postfix version 2.6
1433       and earlier, or specify an explicit next-hop destination with each con‐
1434       tent_filter value or FILTER action.
1435
1436       This feature is available in Postfix 2.7 and later.
1437

default_minimum_delivery_slots (default: 3)

1439       How  many recipients a message must have in order to invoke the Postfix
1440       queue manager's scheduling algorithm  at  all.   Messages  which  would
1441       never  accumulate  at  least  this many delivery slots (subject to slot
1442       cost parameter as well) are never preempted.
1443
1444       Use transport_minimum_delivery_slots to  specify  a  transport-specific
1445       override, where transport is the master.cf name of the message delivery
1446       transport.
1447

default_privs (default: nobody)

1449       The default rights used by the local(8) delivery agent for delivery  to
1450       external  file  or  command.   These  rights  are used when delivery is
1451       requested from an aliases(5) file that is owned by root, or when deliv‐
1452       ery  is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE
1453       POSTFIX OWNER.
1454

default_process_limit (default: 100)

1456       The default maximal number of Postfix child processes  that  provide  a
1457       given service. This limit can be overruled for specific services in the
1458       master.cf file.
1459

default_rbl_reply (default: see postconf -d output)

1461       The default Postfix SMTP server response template for a request that is
1462       rejected by an RBL-based restriction. This template can be overruled by
1463       specific entries in the optional rbl_reply_maps lookup table.
1464
1465       This feature is available in Postfix 2.0 and later.
1466
1467       The template is subject to exactly one level of $name substitution:
1468
1469       $client
1470              The client hostname and IP address, formatted as name[address].
1471
1472       $client_address
1473              The client IP address.
1474
1475       $client_name
1476              The      client      hostname      or       "unknown".       See
1477              reject_unknown_client_hostname for more details.
1478
1479       $reverse_client_name
1480              The  client  hostname  from  address->name lookup, or "unknown".
1481              See reject_unknown_reverse_client_hostname for more details.
1482
1483       $helo_name
1484              The hostname given in HELO or EHLO command or empty string.
1485
1486       $rbl_class
1487              The blacklisted entity type: Client host, Helo  command,  Sender
1488              address, or Recipient address.
1489
1490       $rbl_code
1491              The   numerical  SMTP  response  code,  as  specified  with  the
1492              maps_rbl_reject_code configuration parameter. Note: The  numeri‐
1493              cal SMTP response code is required, and must appear at the start
1494              of the reply. With Postfix version 2.3 and later  this  informa‐
1495              tion may be followed by an RFC 3463 enhanced status code.
1496
1497       $rbl_domain
1498              The RBL domain where $rbl_what is blacklisted.
1499
1500       $rbl_reason
1501              The reason why $rbl_what is blacklisted, or an empty string.
1502
1503       $rbl_what
1504              The  entity  that  is  blacklisted (an IP address, a hostname, a
1505              domain name, or an email address whose domain was blacklisted).
1506
1507       $recipient
1508              The recipient address or <> in case of the null address.
1509
1510       $recipient_domain
1511              The recipient domain or empty string.
1512
1513       $recipient_name
1514              The recipient address localpart or <> in case of null address.
1515
1516       $sender
1517              The sender address or <> in case of the null address.
1518
1519       $sender_domain
1520              The sender domain or empty string.
1521
1522       $sender_name
1523              The sender address localpart or <> in case of the null address.
1524
1525       ${name?text}
1526              Expands to `text' if $name is not empty.
1527
1528       ${name:text}
1529              Expands to `text' if $name is empty.
1530
1531       Instead of $name you can also specify ${name} or $(name).
1532
1533       Note: when an enhanced status code is specified in an  RBL  reply  tem‐
1534       plate,  it  is  subject to modification.  The following transformations
1535       are needed when the same RBL reply template is used for  client,  helo,
1536       sender, or recipient access restrictions.
1537
1538       ·      When  rejecting  a  sender address, the Postfix SMTP server will
1539              transform a recipient DSN status (e.g.,  4.1.1-4.1.6)  into  the
1540              corresponding sender DSN status, and vice versa.
1541
1542       ·      When rejecting non-address information (such as the HELO command
1543              argument or  the  client  hostname/address),  the  Postfix  SMTP
1544              server  will  transform  a sender or recipient DSN status into a
1545              generic non-address DSN status (e.g., 4.0.0).
1546

default_recipient_limit (default: 20000)

1548       The default per-transport upper limit on the number of in-memory recip‐
1549       ients.  These limits take priority over the global qmgr_message_recipi‐
1550       ent_limit after the message has been assigned to the respective  trans‐
1551       ports.  See also default_extra_recipient_limit and qmgr_message_recipi‐
1552       ent_minimum.
1553
1554       Use transport_recipient_limit to specify a transport-specific override,
1555       where  transport  is  the master.cf name of the message delivery trans‐
1556       port.
1557

default_recipient_refill_delay (default: 5s)

1559       The default per-transport maximum  delay  between  recipients  refills.
1560       When not all message recipients fit into the memory at once, keep load‐
1561       ing more of them at least once every this many seconds.  This  is  used
1562       to  make  sure  the  recipients are refilled in timely manner even when
1563       $default_recipient_refill_limit is too high for too slow deliveries.
1564
1565       Use transport_recipient_refill_delay to  specify  a  transport-specific
1566       override, where transport is the master.cf name of the message delivery
1567       transport.
1568
1569       This feature is available in Postfix 2.4 and later.
1570

default_recipient_refill_limit (default: 100)

1572       The default per-transport limit on the number of recipients refilled at
1573       once.   When  not  all  message recipients fit into the memory at once,
1574       keep loading more of them in batches of at least this many at  a  time.
1575       See also $default_recipient_refill_delay, which may result in recipient
1576       batches lower than this when this limit is too high for too slow deliv‐
1577       eries.
1578
1579       Use  transport_recipient_refill_limit  to  specify a transport-specific
1580       override, where transport is the master.cf name of the message delivery
1581       transport.
1582
1583       This feature is available in Postfix 2.4 and later.
1584

default_transport (default: smtp)

1586       The default mail delivery transport and next-hop destination for desti‐
1587       nations   that   do   not   match   $mydestination,   $inet_interfaces,
1588       $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
1589       $relay_domains.   This  information   can   be   overruled   with   the
1590       sender_dependent_default_transport_maps  parameter  and with the trans‐
1591       port(5) table.
1592
1593       In order of decreasing precedence, the  nexthop  destination  is  taken
1594       from    $sender_dependent_default_transport_maps,   $default_transport,
1595       $sender_dependent_relayhost_maps, $relayhost,  or  from  the  recipient
1596       domain.
1597
1598       Specify  a string of the form transport:nexthop, where transport is the
1599       name of a mail delivery transport defined in master.cf.   The  :nexthop
1600       destination is optional; its syntax is documented in the manual page of
1601       the corresponding delivery agent.
1602
1603       Example:
1604
1605       default_transport = uucp:relayhostname
1606

default_transport_rate_delay (default: 0s)

1608       The default amount of delay that is inserted between individual  deliv‐
1609       eries  over the same message delivery transport, regardless of destina‐
1610       tion. If non-zero, all deliveries over the same message delivery trans‐
1611       port will happen one at a time.
1612
1613       Use  transport_transport_rate_delay  to  specify  a  transport-specific
1614       override, where the initial transport is the master.cf name of the mes‐
1615       sage delivery transport.
1616
1617       Example:  throttle  outbound  SMTP  mail  to  at  most 3 deliveries per
1618       minute.
1619
1620       /etc/postfix/main.cf:
1621           smtp_transport_rate_delay = 20s
1622
1623       To enable the delay, specify a non-zero time value (an  integral  value
1624       plus an optional one-letter suffix that specifies the time unit).
1625
1626       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1627       The default time unit is s (seconds).
1628
1629       NOTE: the delay is enforced by the queue manager.
1630
1631       This feature is available in Postfix 3.1 and later.
1632

default_verp_delimiters (default: +=)

1634       The two default VERP delimiter  characters.  These  are  used  when  no
1635       explicit  delimiters  are specified with the SMTP XVERP command or with
1636       the "sendmail -V" command-line  option.  Specify  characters  that  are
1637       allowed by the verp_delimiter_filter setting.
1638
1639       This feature is available in Postfix 1.1 and later.
1640

defer_code (default: 450)

1642       The  numerical  Postfix  SMTP  server  response code when a remote SMTP
1643       client request is rejected by the "defer" restriction.
1644
1645       Do not change this unless you have  a  complete  understanding  of  RFC
1646       5321.
1647

defer_service_name (default: defer)

1649       The  name  of  the  defer  service.  This service is implemented by the
1650       bounce(8) daemon and maintains a record of failed delivery attempts and
1651       generates non-delivery notifications.
1652
1653       This feature is available in Postfix 2.0 and later.
1654

defer_transports (default: empty)

1656       The  names  of message delivery transports that should not deliver mail
1657       unless someone issues "sendmail -q" or equivalent. Specify zero or more
1658       names  of mail delivery transports names that appear in the first field
1659       of master.cf.
1660
1661       Example:
1662
1663       defer_transports = smtp
1664

delay_logging_resolution_limit (default: 2)

1666       The maximal number of digits  after  the  decimal  point  when  logging
1667       sub-second delay values.  Specify a number in the range 0..6.
1668
1669       Large delay values are rounded off to an integral number seconds; delay
1670       values below the delay_logging_resolution_limit are logged as "0",  and
1671       delay values under 100s are logged with at most two-digit precision.
1672
1673       The format of the "delays=a/b/c/d" logging is as follows:
1674
1675       ·      a = time from message arrival to last active queue entry
1676
1677       ·      b = time from last active queue entry to connection setup
1678
1679       ·      c = time in connection setup, including DNS, EHLO and STARTTLS
1680
1681       ·      d = time in message transmission
1682
1683       This feature is available in Postfix 2.3 and later.
1684

delay_notice_recipient (default: postmaster)

1686       The  recipient  of postmaster notifications with the message headers of
1687       mail that cannot be delivered within $delay_warning_time time units.
1688
1689       See also: delay_warning_time, notify_classes.
1690

delay_warning_time (default: 0h)

1692       The time after which the sender receives a copy of the message  headers
1693       of  mail that is still queued. The confirm_delay_cleared parameter con‐
1694       trols sender notification when the delay clears up.
1695
1696       To enable this feature, specify a  non-zero  time  value  (an  integral
1697       value plus an optional one-letter suffix that specifies the time unit).
1698
1699       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1700       The default time unit is h (hours).
1701
1702       See     also:     delay_notice_recipient,     notify_classes,      con‐
1703       firm_delay_cleared.
1704

deliver_lock_attempts (default: 20)

1706       The  maximal number of attempts to acquire an exclusive lock on a mail‐
1707       box file or bounce(8) logfile.
1708

deliver_lock_delay (default: 1s)

1710       The time between attempts to acquire an exclusive  lock  on  a  mailbox
1711       file or bounce(8) logfile.
1712
1713       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1714       The default time unit is s (seconds).
1715

destination_concurrency_feedback_debug (default: no)

1717       Make the queue manager's feedback  algorithm  verbose  for  performance
1718       analysis purposes.
1719
1720       This feature is available in Postfix 2.5 and later.
1721

detect_8bit_encoding_header (default: yes)

1723       Automatically detect 8BITMIME body content by looking at Content-Trans‐
1724       fer-Encoding:  message  headers;  historically,   this   behavior   was
1725       hard-coded to be "always on".
1726
1727       This feature is available in Postfix 2.5 and later.
1728

disable_dns_lookups (default: no)

1730       Disable  DNS  lookups  in  the Postfix SMTP and LMTP clients. When dis‐
1731       abled, hosts are looked up with the getaddrinfo() system  library  rou‐
1732       tine which normally also looks in /etc/hosts.  As of Postfix 2.11, this
1733       parameter is deprecated; use smtp_dns_support_level instead.
1734
1735       DNS lookups are enabled by default.
1736

disable_mime_input_processing (default: no)

1738       Turn off MIME processing while receiving mail. This means that no  spe‐
1739       cial  treatment is given to Content-Type: message headers, and that all
1740       text after the initial message headers is considered to be part of  the
1741       message body.
1742
1743       This feature is available in Postfix 2.0 and later.
1744
1745       Mime  input processing is enabled by default, and is needed in order to
1746       recognize MIME headers in message content.
1747

disable_mime_output_conversion (default: no)

1749       Disable the conversion of 8BITMIME format to 7BIT format.  Mime  output
1750       conversion  is  needed when the destination does not advertise 8BITMIME
1751       support.
1752
1753       This feature is available in Postfix 2.0 and later.
1754

disable_verp_bounces (default: no)

1756       Disable sending one bounce report per recipient.
1757
1758       The default, one per recipient, is what ezmlm needs.
1759
1760       This feature is available in Postfix 1.1 and later.
1761

disable_vrfy_command (default: no)

1763       Disable the SMTP VRFY command. This stops some techniques used to  har‐
1764       vest email addresses.
1765
1766       Example:
1767
1768       disable_vrfy_command = no
1769

dns_ncache_ttl_fix_enable (default: no)

1771       Enable a workaround for future libc incompatibility. The Postfix imple‐
1772       mentation of RFC 2308 negative reply caching relies on the promise that
1773       res_query()  and  res_search()  invoke  res_send(),  which  returns the
1774       server response in an application buffer even if the  requested  record
1775       does  not  exist.  If this promise is broken, specify "yes" to enable a
1776       workaround for DNS reputation lookups.
1777
1778       This feature is available in Postfix 3.1 and later.
1779

dnsblog_reply_delay (default: 0s)

1781       A debugging aid to artificially delay DNS responses.
1782
1783       This feature is available in Postfix 2.8.
1784

dnsblog_service_name (default: dnsblog)

1786       The name of the dnsblog(8) service entry  in  master.cf.  This  service
1787       performs DNS white/blacklist lookups.
1788
1789       This feature is available in Postfix 2.8 and later.
1790

dont_remove (default: 0)

1792       Don't remove queue files and save them to the "saved" mail queue.  This
1793       is a debugging aid.  To inspect the envelope information and content of
1794       a Postfix queue file, use the postcat(1) command.
1795

double_bounce_sender (default: double-bounce)

1797       The  sender  address  of postmaster notifications that are generated by
1798       the mail system. All mail to this address  is  silently  discarded,  in
1799       order to terminate mail bounce loops.
1800

duplicate_filter_limit (default: 1000)

1802       The  maximal  number  of  addresses remembered by the address duplicate
1803       filter for aliases(5) or virtual(5) alias expansion,  or  for  showq(8)
1804       queue displays.
1805

empty_address_default_transport_maps_lookup_key (default: <>)

1807       The  sender_dependent_default_transport_maps search string that will be
1808       used instead of the null sender address.
1809
1810       This feature is available in Postfix 2.7 and later.
1811

empty_address_recipient (default: MAILER-DAEMON)

1813       The recipient of mail addressed to the null address.  Postfix does  not
1814       accept  such  addresses in SMTP commands, but they may still be created
1815       locally as the result of configuration or software error.
1816

empty_address_relayhost_maps_lookup_key (default: <>)

1818       The sender_dependent_relayhost_maps search string  that  will  be  used
1819       instead of the null sender address.
1820
1821       This  feature  is available in Postfix 2.5 and later. With earlier ver‐
1822       sions, sender_dependent_relayhost_maps lookups  were  skipped  for  the
1823       null sender address.
1824

enable_errors_to (default: no)

1826       Report mail delivery errors to the address specified with the non-stan‐
1827       dard Errors-To: message header, instead of the envelope sender  address
1828       (this  feature  is  removed  with Postfix version 2.2, is turned off by
1829       default with Postfix version 2.1, and is always turned  on  with  older
1830       Postfix versions).
1831

enable_idna2003_compatibility (default: no)

1833       Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when
1834       converting UTF-8 domain names to/from the ASCII form that is  used  for
1835       DNS  lookups.  Specify "yes" for compatibility with Postfix <= 3.1 (not
1836       recommended). This affects the conversion of domain names that  contain
1837       for  example  the  German  sz  and  the  Greek  zeta.   See http://uni
1838       code.org/cldr/utility/idna.jsp for more examples.
1839
1840       This feature is available in Postfix 3.2 and later.
1841

enable_long_queue_ids (default: no)

1843       Enable long, non-repeating, queue IDs (queue file names).  The  benefit
1844       of  non-repeating  names  is  simpler logfile analysis and easier queue
1845       migration (there is no need to run "postsuper"  to  change  queue  file
1846       names that don't match their message file inode number).
1847
1848       Note:  see below for how to convert long queue file names to Postfix <=
1849       2.8.
1850
1851       Changing the parameter value to "yes" has the following effects:
1852
1853       ·      Existing queue file names are not affected.
1854
1855       ·      New queue files are created with names such as  3Pt2mN2VXxznjll.
1856              These  are encoded in a 52-character alphabet that contains dig‐
1857              its (0-9),  upper-case  letters  (B-Z)  and  lower-case  letters
1858              (b-z).  For  safety reasons the vowels (AEIOUaeiou) are excluded
1859              from the alphabet.  The name format is: 6 or more characters for
1860              the  time in seconds, 4 characters for the time in microseconds,
1861              the 'z'; the remainder is the file inode number encoded  in  the
1862              first 51 characters of the 52-character alphabet.
1863
1864       ·      New messages have a Message-ID header with queueID@myhostname.
1865
1866       ·      The  mailq  (postqueue  -p)  output has a wider Queue ID column.
1867              The number of whitespace-separated fields is not changed.
1868
1869       ·      The hash_queue_depth algorithm uses the first characters of  the
1870              queue  file creation time in microseconds, after conversion into
1871              hexadecimal representation. This produces the same queue hashing
1872              behavior   as   if   the   queue  file  name  was  created  with
1873              "enable_long_queue_ids = no".
1874
1875       Changing the parameter value to "no" has the following effects:
1876
1877       ·      Existing long queue file names are renamed  to  the  short  form
1878              (while running "postfix reload" or "postsuper").
1879
1880       ·      New  queue files are created with names such as C3CD21F3E90 from
1881              a hexadecimal alphabet that contains digits (0-9) and upper-case
1882              letters  (A-F). The name format is: 5 characters for the time in
1883              microseconds; the remainder is the file inode number.
1884
1885       ·      New  messages  have  a  Message-ID   header   with   YYYYMMDDHH‐
1886              MMSS.queueid@myhostname,  where  YYYYMMDDHHMMSS  are  the  year,
1887              month, day, hour, minute and second.
1888
1889       ·      The mailq (postqueue -p) output has  the  same  format  as  with
1890              Postfix <= 2.8.
1891
1892       ·      The  hash_queue_depth algorithm uses the first characters of the
1893              queue file name, with the hexadecimal representation of the file
1894              creation time in microseconds.
1895
1896       Before migration to Postfix <= 2.8, the following commands are required
1897       to convert long queue file names into short names:
1898
1899       # postfix stop
1900       # postconf enable_long_queue_ids=no
1901       # postsuper
1902
1903       Repeat the postsuper command until it reports no more queue  file  name
1904       changes.
1905
1906       This feature is available in Postfix 2.9 and later.
1907

enable_original_recipient (default: yes)

1909       Enable  support  for the original recipient address after an address is
1910       rewritten to a different address (for example  with  aliasing  or  with
1911       canonical mapping).
1912
1913       The original recipient address is used as follows:
1914
1915       Final delivery
1916              With  "enable_original_recipient  = yes", the original recipient
1917              address is stored in  the  X-Original-To  message  header.  This
1918              header  may  be used to distinguish between different recipients
1919              that share the same mailbox.
1920
1921       Recipient deduplication
1922              With "enable_original_recipient = yes",  the  cleanup(8)  daemon
1923              performs duplicate recipient elimination based on the content of
1924              (original recipient, maybe-rewritten recipient)  pairs.   Other‐
1925              wise,  the cleanup(8) daemon performs duplicate recipient elimi‐
1926              nation based only on the maybe-rewritten recipient address.
1927
1928       Note: with Postfix <= 3.2 the "setting enable_original_recipient =  no"
1929       breaks address verification for addresses that are aliased or otherwise
1930       rewritten (Postfix is unable to store the address  verification  result
1931       under the original probe destination address; instead, it can store the
1932       result only under the rewritten address).
1933
1934       This feature is available in Postfix 2.1 and later. Postfix version 2.0
1935       behaves  as  if  this parameter is always set to yes.  Postfix versions
1936       before 2.0 have no support for the original recipient address.
1937

error_notice_recipient (default: postmaster)

1939       The recipient of postmaster notifications about mail delivery  problems
1940       that  are  caused  by  policy,  resource,  software or protocol errors.
1941       These notifications are enabled with the notify_classes parameter.
1942

error_service_name (default: error)

1944       The name of the error(8) pseudo delivery  agent.  This  service  always
1945       returns mail as undeliverable.
1946
1947       This feature is available in Postfix 2.0 and later.
1948

execution_directory_expansion_filter (default: see postconf -d output)

1950       Restrict  the  characters  that  the  local(8) delivery agent allows in
1951       $name expansions of $command_execution_directory.   Characters  outside
1952       the allowed set are replaced by underscores.
1953
1954       This feature is available in Postfix 2.2 and later.
1955

expand_owner_alias (default: no)

1957       When  delivering  to an alias "aliasname" that has an "owner-aliasname"
1958       companion alias, set the envelope sender address to  the  expansion  of
1959       the  "owner-aliasname"  alias.   Normally,  Postfix  sets  the envelope
1960       sender address to the name of the "owner-aliasname" alias.
1961

export_environment (default: see postconf -d output)

1963       The list of environment variables that a Postfix process will export to
1964       non-Postfix  processes. The TZ variable is needed for sane time keeping
1965       on System-V-ish systems.
1966
1967       Specify a list of names and/or name=value pairs,  separated  by  white‐
1968       space or comma. Specify "{ name=value }" to protect whitespace or comma
1969       in parameter values (whitespace after "{" and before "}"  is  ignored).
1970       The  form  name=value  is supported with Postfix version 2.1 and later;
1971       the use of {} is supported with Postfix 3.0 and later.
1972
1973       Example:
1974
1975       export_environment = TZ PATH=/bin:/usr/bin
1976

extract_recipient_limit (default: 10240)

1978       The maximal number of recipient addresses  that  Postfix  will  extract
1979       from message headers when mail is submitted with "sendmail -t".
1980
1981       This feature was removed in Postfix version 2.1.
1982

fallback_relay (default: empty)

1984       Optional  list of relay hosts for SMTP destinations that can't be found
1985       or that are unreachable. With Postfix 2.3 this parameter is renamed  to
1986       smtp_fallback_relay.
1987
1988       By  default,  mail  is returned to the sender when a destination is not
1989       found, and delivery is deferred when a destination is unreachable.
1990
1991       The fallback relays must be SMTP destinations. Specify a domain,  host,
1992       host:port,  [host]:port,  [address]  or [address]:port; the form [host]
1993       turns off MX lookups.  If you specify multiple SMTP destinations, Post‐
1994       fix will try them in the specified order.
1995
1996       Note:  before  Postfix  2.2, do not use the fallback_relay feature when
1997       relaying mail for a backup  or  primary  MX  domain.  Mail  would  loop
1998       between  the Postfix MX host and the fallback_relay host when the final
1999       destination is unavailable.
2000
2001       ·      In main.cf specify "relay_transport = relay",
2002
2003       ·      In master.cf specify "-o fallback_relay =" (i.e., empty) at  the
2004              end of the relay entry.
2005
2006       ·      In transport maps, specify "relay:nexthop..."  as the right-hand
2007              side for backup or primary MX domain entries.
2008
2009       Postfix version 2.2 and later will not use the  fallback_relay  feature
2010       for destinations that it is MX host for.
2011

fallback_transport (default: empty)

2013       Optional  message  delivery  transport that the local(8) delivery agent
2014       should use for names that are not found in the aliases(5) or UNIX pass‐
2015       word database.
2016
2017       The  precedence  of  local(8)  delivery  features  from high to low is:
2018       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2019       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
2020       tory, fallback_transport_maps, fallback_transport and luser_relay.
2021

fallback_transport_maps (default: empty)

2023       Optional lookup tables with per-recipient message  delivery  transports
2024       for  recipients  that the local(8) delivery agent could not find in the
2025       aliases(5) or UNIX password database.
2026
2027       The precedence of local(8) delivery  features  from  high  to  low  is:
2028       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2029       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
2030       tory, fallback_transport_maps, fallback_transport and luser_relay.
2031
2032       For  safety  reasons, this feature does not allow $number substitutions
2033       in regular expression maps.
2034
2035       This feature is available in Postfix 2.3 and later.
2036

fast_flush_domains (default: $relay_domains)

2038       Optional list of destinations that  are  eligible  for  per-destination
2039       logfiles with mail that is queued to those destinations.
2040
2041       By  default,  Postfix maintains "fast flush" logfiles only for destina‐
2042       tions that the Postfix SMTP server is willing to  relay  to  (i.e.  the
2043       default    is:   "fast_flush_domains   =   $relay_domains";   see   the
2044       relay_domains parameter in the postconf(5) manual).
2045
2046       Specify a list of hosts or domains, "/file/name" patterns or  "type:ta‐
2047       ble"  lookup  tables,  separated by commas and/or whitespace.  Continue
2048       long lines by starting the next line with  whitespace.  A  "/file/name"
2049       pattern  is  replaced  by  its contents; a "type:table" lookup table is
2050       matched when the domain or its parent domain appears as lookup key.
2051
2052       Pattern matching of domain names  is  controlled  by  the  presence  or
2053       absence of "fast_flush_domains" in the parent_domain_matches_subdomains
2054       parameter value.
2055
2056       Specify "fast_flush_domains =" (i.e., empty)  to  disable  the  feature
2057       altogether.
2058

fast_flush_purge_time (default: 7d)

2060       The  time  after which an empty per-destination "fast flush" logfile is
2061       deleted.
2062
2063       You can specify the time as a number, or as a number followed by a let‐
2064       ter  that  indicates  the  time  unit:  s=seconds,  m=minutes, h=hours,
2065       d=days, w=weeks.  The default time unit is days.
2066

fast_flush_refresh_time (default: 12h)

2068       The time after which  a  non-empty  but  unread  per-destination  "fast
2069       flush"  logfile  needs  to be refreshed.  The contents of a logfile are
2070       refreshed by requesting delivery of all messages listed in the logfile.
2071
2072       You can specify the time as a number, or as a number followed by a let‐
2073       ter  that  indicates  the  time  unit:  s=seconds,  m=minutes, h=hours,
2074       d=days, w=weeks.  The default time unit is hours.
2075

fault_injection_code (default: 0)

2077       Force specific internal tests to fail, to test the handling  of  errors
2078       that are difficult to reproduce otherwise.
2079

flush_service_name (default: flush)

2081       The  name  of the flush(8) service. This service maintains per-destina‐
2082       tion logfiles with the queue file names of  mail  that  is  queued  for
2083       those destinations.
2084
2085       This feature is available in Postfix 2.0 and later.
2086

fork_attempts (default: 5)

2088       The maximal number of attempts to fork() a child process.
2089

fork_delay (default: 1s)

2091       The delay between attempts to fork() a child process.
2092
2093       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2094       The default time unit is s (seconds).
2095

forward_expansion_filter (default: see postconf -d output)

2097       Restrict the characters that the  local(8)  delivery  agent  allows  in
2098       $name  expansions of $forward_path.  Characters outside the allowed set
2099       are replaced by underscores.
2100

forward_path (default: see postconf -d output)

2102       The local(8) delivery agent search list for  finding  a  .forward  file
2103       with  user-specified  delivery methods. The first file that is found is
2104       used.
2105
2106       The following $name expansions are  done  on  forward_path  before  the
2107       search actually happens. The result of $name expansion is filtered with
2108       the character set that is specified with  the  forward_expansion_filter
2109       parameter.
2110
2111       $user  The recipient's username.
2112
2113       $shell The recipient's login shell pathname.
2114
2115       $home  The recipient's home directory.
2116
2117       $recipient
2118              The full recipient address.
2119
2120       $extension
2121              The optional recipient address extension.
2122
2123       $domain
2124              The recipient domain.
2125
2126       $local The entire recipient localpart.
2127
2128       $recipient_delimiter
2129              The  address extension delimiter that was found in the recipient
2130              address (Postfix 2.11 and later), or the  system-wide  recipient
2131              address extension delimiter (Postfix 2.10 and earlier).
2132
2133       ${name?value}
2134              Expands to value when $name is non-empty.
2135
2136       ${name:value}
2137              Expands to value when $name is empty.
2138
2139       Instead of $name you can also specify ${name} or $(name).
2140
2141       Examples:
2142
2143       forward_path = /var/forward/$user
2144       forward_path =
2145           /var/forward/$user/.forward$recipient_delimiter$extension,
2146           /var/forward/$user/.forward
2147

frozen_delivered_to (default: yes)

2149       Update  the local(8) delivery agent's idea of the Delivered-To: address
2150       (see prepend_delivered_header) only once, at the start  of  a  delivery
2151       attempt;  do  not  update  the  Delivered-To:  address  while expanding
2152       aliases or .forward files.
2153
2154       This feature is available in Postfix 2.3 and later. With older  Postfix
2155       releases,  the behavior is as if this parameter is set to "no". The old
2156       setting can be expensive with deeply nested aliases or .forward  files.
2157       When  an  alias  or .forward file changes the Delivered-To: address, it
2158       ties up one queue file and one cleanup process instance while  mail  is
2159       being forwarded.
2160

hash_queue_depth (default: 1)

2162       The number of subdirectory levels for queue directories listed with the
2163       hash_queue_names parameter. Queue hashing is  implemented  by  creating
2164       one  or  more  levels  of directories with one-character names.  Origi‐
2165       nally, these directory names were equal to the first characters of  the
2166       queue  file  name, with the hexadecimal representation of the file cre‐
2167       ation time in microseconds.
2168
2169       With long queue file names, queue hashing produces the same results  as
2170       with  short  names. The file creation time in microseconds is converted
2171       into hexadecimal form before the result is used for queue hashing.  The
2172       base  16 encoding gives finer control over the number of subdirectories
2173       than is possible with the base 52 encoding of long queue file names.
2174
2175       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2176       cute the command "postfix reload".
2177

hash_queue_names (default: deferred, defer)

2179       The names of queue directories that are split across multiple subdirec‐
2180       tory levels.
2181
2182       Before Postfix version 2.2, the default list of hashed queues was  sig‐
2183       nificantly  larger. Claims about improvements in file system technology
2184       suggest that hashing of the incoming and active  queues  is  no  longer
2185       needed.  Fewer  hashed  directories speed up the time needed to restart
2186       Postfix.
2187
2188       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2189       cute the command "postfix reload".
2190

header_address_token_limit (default: 10240)

2192       The  maximal number of address tokens are allowed in an address message
2193       header. Information that exceeds the limit is discarded.  The limit  is
2194       enforced by the cleanup(8) server.
2195

header_checks (default: empty)

2197       Optional  lookup tables for content inspection of primary non-MIME mes‐
2198       sage headers, as specified in the header_checks(5) manual page.
2199

header_from_format (default: standard)

2201       The format of the Postfix-generated From: header. This setting  affects
2202       the  appearance of 'full name' information when a local program such as
2203       /bin/mail submits a message without From: header  through  the  Postfix
2204       sendmail(1) command.
2205
2206       Specify one of the following:
2207
2208       standard (default)
2209              Produce  a  header formatted as "From: name <address>".  This is
2210              the default as of Postfix 3.3.
2211
2212       obsolete
2213              Produce a header formatted as "From: address  (name)".  This  is
2214              the behavior prior to Postfix 3.3.
2215
2216       Notes:
2217
2218       ·      Postfix  generates the format "From: address" when name informa‐
2219              tion is unavailable or the envelope  sender  address  is  empty.
2220              This is the same behavior as prior to Postfix 3.3.
2221
2222       ·      In  the  standard  form,  the name will be quoted if it contains
2223              specials as defined in RFC 5322, or the "!%" address operators.
2224
2225       ·      The Postfix sendmail(1) command gets name information  from  the
2226              -F  command-line  option, from the NAME environment variable, or
2227              from the UNIX password file.
2228
2229       This feature is available in Postfix 3.3 and later.
2230

header_size_limit (default: 102400)

2232       The maximal amount of memory in bytes for storing a message header.  If
2233       a  header is larger, the excess is discarded.  The limit is enforced by
2234       the cleanup(8) server.
2235

helpful_warnings (default: yes)

2237       Log warnings about  problematic  configuration  settings,  and  provide
2238       helpful suggestions.
2239
2240       This feature is available in Postfix 2.0 and later.
2241

home_mailbox (default: empty)

2243       Optional  pathname of a mailbox file relative to a local(8) user's home
2244       directory.
2245
2246       Specify a pathname ending in "/" for qmail-style delivery.
2247
2248       The precedence of local(8) delivery  features  from  high  to  low  is:
2249       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2250       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
2251       tory, fallback_transport_maps, fallback_transport and luser_relay.
2252
2253       Examples:
2254
2255       home_mailbox = Mailbox
2256       home_mailbox = Maildir/
2257

hopcount_limit (default: 50)

2259       The maximal number of Received:  message headers that is allowed in the
2260       primary message headers. A message that exceeds the limit  is  bounced,
2261       in order to stop a mailer loop.
2262

html_directory (default: see postconf -d output)

2264       The  location of Postfix HTML files that describe how to build, config‐
2265       ure or operate a specific Postfix subsystem or feature.
2266

ignore_mx_lookup_error (default: no)

2268       Ignore DNS MX lookups that produce no response.  By default, the  Post‐
2269       fix SMTP client defers delivery and tries again after some delay.  This
2270       behavior is required by the SMTP standard.
2271
2272       Specify "ignore_mx_lookup_error = yes" to force a DNS A  record  lookup
2273       instead. This violates the SMTP standard and can result in mis-delivery
2274       of mail.
2275

import_environment (default: see postconf -d output)

2277       The list of environment parameters that a  privileged  Postfix  process
2278       will  import  from a non-Postfix parent process, or name=value environ‐
2279       ment overrides.  Unprivileged utilities  will  enforce  the  name=value
2280       overrides,  but  otherwise  will  not change their process environment.
2281       Examples of relevant parameters:
2282
2283       TZ     May be needed for sane time keeping on  most  System-V-ish  sys‐
2284              tems.
2285
2286       DISPLAY
2287              Needed for debugging Postfix daemons with an X-windows debugger.
2288
2289       XAUTHORITY
2290              Needed for debugging Postfix daemons with an X-windows debugger.
2291
2292       MAIL_CONFIG
2293              Needed to make "postfix -c" work.
2294
2295       Specify  a  list  of names and/or name=value pairs, separated by white‐
2296       space or comma. Specify "{ name=value }" to protect whitespace or comma
2297       in  parameter  values (whitespace after "{" and before "}" is ignored).
2298       The form name=value is supported with Postfix version  2.1  and  later;
2299       the use of {} is supported with Postfix 3.0 and later.
2300

in_flow_delay (default: 1s)

2302       Time  to pause before accepting a new message, when the message arrival
2303       rate exceeds the message delivery rate. This feature is  turned  on  by
2304       default (it's disabled on SCO UNIX due to an SCO bug).
2305
2306       With  the default 100 Postfix SMTP server process limit, "in_flow_delay
2307       = 1s" limits the mail inflow to 100 messages per second above the  num‐
2308       ber of messages delivered per second.
2309
2310       Specify 0 to disable the feature. Valid delays are 0..10.
2311

inet_interfaces (default: all)

2313       The network interface addresses that this mail system receives mail on.
2314       Specify "all" to receive mail on all network interfaces (default),  and
2315       "loopback-only"  to  receive  mail  on loopback network interfaces only
2316       (Postfix version 2.2 and later).  The parameter also controls  delivery
2317       of mail to user@[ip.address].
2318
2319       Note 1: you need to stop and start Postfix when this parameter changes.
2320
2321       Note 2: address information may be enclosed inside [], but this form is
2322       not required here.
2323
2324       When inet_interfaces specifies just one IPv4 and/or IPv6  address  that
2325       is  not  a  loopback  address,  the  Postfix  SMTP client will use this
2326       address as the IP source address for outbound mail. Support for IPv6 is
2327       available in Postfix version 2.2 and later.
2328
2329       On  a multi-homed firewall with separate Postfix instances listening on
2330       the "inside" and "outside" interfaces, this can prevent  each  instance
2331       from being able to reach remote SMTP servers on the "other side" of the
2332       firewall. Setting smtp_bind_address to  0.0.0.0  avoids  the  potential
2333       problem for IPv4, and setting smtp_bind_address6 to :: solves the prob‐
2334       lem for IPv6.
2335
2336       A better solution for multi-homed firewalls is to leave inet_interfaces
2337       at  the default value and instead use explicit IP addresses in the mas‐
2338       ter.cf SMTP  server  definitions.   This  preserves  the  Postfix  SMTP
2339       client's  loop  detection,  by  ensuring that each side of the firewall
2340       knows that the other  IP  address  is  still  the  same  host.  Setting
2341       $inet_interfaces to a single IPv4 and/or IPV6 address is primarily use‐
2342       ful with virtual hosting of domains on  secondary  IP  addresses,  when
2343       each IP address serves a different domain (and has a different $myhost‐
2344       name setting).
2345
2346       See also the proxy_interfaces parameter, for network addresses that are
2347       forwarded to Postfix by way of a proxy or address translator.
2348
2349       Examples:
2350
2351       inet_interfaces = all (DEFAULT)
2352       inet_interfaces = loopback-only (Postfix version 2.2 and later)
2353       inet_interfaces = 127.0.0.1
2354       inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2355       inet_interfaces = 192.168.1.2, 127.0.0.1
2356

inet_protocols (default: all)

2358       The  Internet  protocols  Postfix  will  attempt  to use when making or
2359       accepting connections. Specify one or more of "ipv4" or  "ipv6",  sepa‐
2360       rated  by  whitespace or commas. The form "all" is equivalent to "ipv4,
2361       ipv6" or "ipv4", depending on whether the operating  system  implements
2362       IPv6.
2363
2364       With  Postfix 2.8 and earlier the default is "ipv4". For backwards com‐
2365       patibility with these releases, the Postfix 2.9 and later upgrade  pro‐
2366       cedure  appends  an explicit "inet_protocols = ipv4" setting to main.cf
2367       when no explicit setting is present. This compatibility workaround will
2368       be phased out as IPv6 deployment becomes more common.
2369
2370       This feature is available in Postfix 2.2 and later.
2371
2372       Note: you MUST stop and start Postfix after changing this parameter.
2373
2374       On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
2375       will also accept IPv4 connections, even when IPv4 is  turned  off  with
2376       the  inet_protocols  parameter.   On  systems with IPV6_V6ONLY support,
2377       Postfix will use separate server sockets for IPv6 and  IPv4,  and  each
2378       will accept only connections for the corresponding protocol.
2379
2380       When  IPv4 support is enabled via the inet_protocols parameter, Postfix
2381       will look up DNS type A records, and will convert  IPv4-in-IPv6  client
2382       IP  addresses  (::ffff:1.2.3.4)  to their original IPv4 form (1.2.3.4).
2383       The latter is needed on hosts that pre-date  IPV6_V6ONLY  support  (RFC
2384       3493).
2385
2386       When  IPv6 support is enabled via the inet_protocols parameter, Postfix
2387       will do DNS type AAAA record lookups.
2388
2389       When both IPv4 and IPv6 support are enabled, the  Postfix  SMTP  client
2390       will  choose the protocol as specified with the smtp_address_preference
2391       parameter. Postfix versions before 2.8  attempt  to  connect  via  IPv6
2392       before attempting to use IPv4.
2393
2394       Examples:
2395
2396       inet_protocols = ipv4
2397       inet_protocols = all (DEFAULT)
2398       inet_protocols = ipv6
2399       inet_protocols = ipv4, ipv6
2400

initial_destination_concurrency (default: 5)

2402       The  initial per-destination concurrency level for parallel delivery to
2403       the same destination.  With per-destination recipient limit > 1, a des‐
2404       tination is a domain, otherwise it is a recipient.
2405
2406       Use   transport_initial_destination_concurrency  to  specify  a  trans‐
2407       port-specific override, where transport is the master.cf  name  of  the
2408       message delivery transport (Postfix 2.5 and later).
2409
2410       Warning:  with concurrency of 1, one bad message can be enough to block
2411       all mail to a site.
2412

internal_mail_filter_classes (default: empty)

2414       What categories of Postfix-generated mail are subject  to  before-queue
2415       content inspection by non_smtpd_milters, header_checks and body_checks.
2416       Specify zero or more of  the  following,  separated  by  whitespace  or
2417       comma.
2418
2419       bounce Inspect the content of delivery status notifications.
2420
2421       notify Inspect  the  content of postmaster notifications by the smtp(8)
2422              and smtpd(8) processes.
2423
2424       NOTE: It's generally not safe to enable  content  inspection  of  Post‐
2425       fix-generated email messages. The user is warned.
2426
2427       This feature is available in Postfix 2.3 and later.
2428

invalid_hostname_reject_code (default: 501)

2430       The numerical Postfix SMTP server response code when the client HELO or
2431       EHLO command parameter is rejected by the  reject_invalid_helo_hostname
2432       restriction.
2433
2434       Do  not  change  this  unless  you have a complete understanding of RFC
2435       5321.
2436

ipc_idle (default: version dependent)

2438       The time after which a client closes  an  idle  internal  communication
2439       channel.  The purpose is to allow Postfix daemon processes to terminate
2440       voluntarily after they become idle. This is used, for example,  by  the
2441       Postfix address resolving and rewriting clients.
2442
2443       With Postfix 2.4 the default value was reduced from 100s to 5s.
2444
2445       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2446       The default time unit is s (seconds).
2447

ipc_timeout (default: 3600s)

2449       The time limit for sending or receiving information  over  an  internal
2450       communication  channel.  The purpose is to break out of deadlock situa‐
2451       tions. If the time limit is exceeded the software aborts with  a  fatal
2452       error.
2453
2454       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2455       The default time unit is s (seconds).
2456

ipc_ttl (default: 1000s)

2458       The time after which a client closes an active  internal  communication
2459       channel.  The purpose is to allow Postfix daemon processes to terminate
2460       voluntarily after reaching their client limit.  This is used, for exam‐
2461       ple, by the Postfix address resolving and rewriting clients.
2462
2463       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2464       The default time unit is s (seconds).
2465
2466       This feature is available in Postfix 2.1 and later.
2467

line_length_limit (default: 2048)

2469       Upon input, long lines are chopped up  into  pieces  of  at  most  this
2470       length; upon delivery, long lines are reconstructed.
2471

lmdb_map_size (default: 16777216)

2473       The  initial  OpenLDAP  LMDB database size limit in bytes.  Each time a
2474       database becomes full, its size limit is doubled.
2475
2476       This feature is available in Postfix 2.11 and later.
2477

lmtp_address_preference (default: ipv6)

2479       The LMTP-specific version of the smtp_address_preference  configuration
2480       parameter.  See there for details.
2481
2482       This feature is available in Postfix 2.8 and later.
2483

lmtp_address_verify_target (default: rcpt)

2485       The  LMTP-specific version of the smtp_address_verify_target configura‐
2486       tion parameter.  See there for details.
2487
2488       This feature is available in Postfix 3.0 and later.
2489

lmtp_assume_final (default: no)

2491       When a remote LMTP server announces no DSN  support,  assume  that  the
2492       server  performs  final  delivery, and send "delivered" delivery status
2493       notifications instead of "relayed". The default  setting  is  backwards
2494       compatible  to avoid the infinitesimal possibility of breaking existing
2495       LMTP-based content filters.
2496

lmtp_balance_inet_protocols (default: yes)

2498       The LMTP-specific version of the smtp_balance_inet_protocols configura‐
2499       tion parameter. See there for details.
2500
2501       This feature is available in Postfix 3.3 and later.
2502

lmtp_bind_address (default: empty)

2504       The LMTP-specific version of the smtp_bind_address configuration param‐
2505       eter.  See there for details.
2506
2507       This feature is available in Postfix 2.3 and later.
2508

lmtp_bind_address6 (default: empty)

2510       The  LMTP-specific  version  of  the  smtp_bind_address6  configuration
2511       parameter.  See there for details.
2512
2513       This feature is available in Postfix 2.3 and later.
2514

lmtp_body_checks (default: empty)

2516       The LMTP-specific version of the smtp_body_checks configuration parame‐
2517       ter. See there for details.
2518
2519       This feature is available in Postfix 2.5 and later.
2520

lmtp_cache_connection (default: yes)

2522       Keep Postfix LMTP client connections open for up to $max_idle  seconds.
2523       When  the  LMTP  client  receives a request for the same connection the
2524       connection is reused.
2525
2526       This parameter is available in Postfix version 2.2 and  earlier.   With
2527       Postfix  version  2.3  and  later, see lmtp_connection_cache_on_demand,
2528       lmtp_connection_cache_destinations,       or        lmtp_connection_re‐
2529       use_time_limit.
2530
2531       The  effectiveness of cached connections will be determined by the num‐
2532       ber of remote LMTP servers in use, and the concurrency limit  specified
2533       for the Postfix LMTP client. Cached connections are closed under any of
2534       the following conditions:
2535
2536       ·      The Postfix LMTP client idle time limit is reached.  This  limit
2537              is specified with the Postfix max_idle configuration parameter.
2538
2539       ·      A  delivery  request  specifies a different destination than the
2540              one currently cached.
2541
2542       ·      The per-process limit on the  number  of  delivery  requests  is
2543              reached.   This limit is specified with the Postfix max_use con‐
2544              figuration parameter.
2545
2546       ·      Upon the onset of another  delivery  request,  the  remote  LMTP
2547              server  associated  with the current session does not respond to
2548              the RSET command.
2549
2550       Most of these limitations have been with the Postfix a connection cache
2551       that is shared among multiple LMTP client programs.
2552

lmtp_cname_overrides_servername (default: yes)

2554       The  LMTP-specific  version of the smtp_cname_overrides_servername con‐
2555       figuration parameter.  See there for details.
2556
2557       This feature is available in Postfix 2.3 and later.
2558

lmtp_connect_timeout (default: 0s)

2560       The Postfix LMTP client time limit for completing a TCP connection,  or
2561       zero  (use  the operating system built-in time limit).  When no connec‐
2562       tion can be made within the deadline, the LMTP client  tries  the  next
2563       address on the mail exchanger list.
2564
2565       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2566       The default time unit is s (seconds).
2567
2568       Example:
2569
2570       lmtp_connect_timeout = 30s
2571

lmtp_connection_cache_destinations (default: empty)

2573       The LMTP-specific  version  of  the  smtp_connection_cache_destinations
2574       configuration parameter.  See there for details.
2575
2576       This feature is available in Postfix 2.3 and later.
2577

lmtp_connection_cache_on_demand (default: yes)

2579       The  LMTP-specific  version of the smtp_connection_cache_on_demand con‐
2580       figuration parameter.  See there for details.
2581
2582       This feature is available in Postfix 2.3 and later.
2583

lmtp_connection_cache_time_limit (default: 2s)

2585       The LMTP-specific version of the smtp_connection_cache_time_limit  con‐
2586       figuration parameter.  See there for details.
2587
2588       This feature is available in Postfix 2.3 and later.
2589

lmtp_connection_reuse_count_limit (default: 0)

2591       The LMTP-specific version of the smtp_connection_reuse_count_limit con‐
2592       figuration parameter.  See there for details.
2593
2594       This feature is available in Postfix 2.11 and later.
2595

lmtp_connection_reuse_time_limit (default: 300s)

2597       The LMTP-specific version of the smtp_connection_reuse_time_limit  con‐
2598       figuration parameter.  See there for details.
2599
2600       This feature is available in Postfix 2.3 and later.
2601

lmtp_data_done_timeout (default: 600s)

2603       The  Postfix  LMTP  client time limit for sending the LMTP ".", and for
2604       receiving the  remote  LMTP  server  response.   When  no  response  is
2605       received  within the deadline, a warning is logged that the mail may be
2606       delivered multiple times.
2607
2608       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2609       The default time unit is s (seconds).
2610

lmtp_data_init_timeout (default: 120s)

2612       The  Postfix  LMTP client time limit for sending the LMTP DATA command,
2613       and for receiving the remote LMTP server response.
2614
2615       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2616       The default time unit is s (seconds).
2617

lmtp_data_xfer_timeout (default: 180s)

2619       The  Postfix  LMTP  client time limit for sending the LMTP message con‐
2620       tent.  When the connection stalls for more than $lmtp_data_xfer_timeout
2621       the LMTP client terminates the transfer.
2622
2623       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2624       The default time unit is s (seconds).
2625

lmtp_defer_if_no_mx_address_found (default: no)

2627       The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2628       figuration parameter.  See there for details.
2629
2630       This feature is available in Postfix 2.3 and later.
2631

lmtp_delivery_status_filter (default: empty)

2633       The LMTP-specific version of the smtp_delivery_status_filter configura‐
2634       tion parameter.  See there for details.
2635
2636       This feature is available in Postfix 3.0 and later.
2637

lmtp_destination_concurrency_limit (default: $default_destination_concur‐

2639       rency_limit)
2640       The  maximal  number of parallel deliveries to the same destination via
2641       the lmtp message delivery transport. This  limit  is  enforced  by  the
2642       queue  manager.  The message delivery transport name is the first field
2643       in the entry in the master.cf file.
2644

lmtp_destination_recipient_limit (default: $default_destination_recipi‐

2646       ent_limit)
2647       The  maximal  number  of  recipients  per  message for the lmtp message
2648       delivery transport. This limit is enforced by the  queue  manager.  The
2649       message  delivery transport name is the first field in the entry in the
2650       master.cf file.
2651
2652       Setting this parameter to a value of 1 changes the meaning of lmtp_des‐
2653       tination_concurrency_limit from concurrency per domain into concurrency
2654       per recipient.
2655

lmtp_discard_lhlo_keyword_address_maps (default: empty)

2657       Lookup tables, indexed by the remote LMTP  server  address,  with  case
2658       insensitive  lists  of LHLO keywords (pipelining, starttls, auth, etc.)
2659       that the Postfix LMTP client will ignore in the LHLO  response  from  a
2660       remote LMTP server. See lmtp_discard_lhlo_keywords for details. The ta‐
2661       ble  is  not  indexed  by  hostname  for  consistency  with  smtpd_dis‐
2662       card_ehlo_keyword_address_maps.
2663
2664       This feature is available in Postfix 2.3 and later.
2665

lmtp_discard_lhlo_keywords (default: empty)

2667       A  case  insensitive list of LHLO keywords (pipelining, starttls, auth,
2668       etc.) that the Postfix LMTP client will ignore  in  the  LHLO  response
2669       from a remote LMTP server.
2670
2671       This feature is available in Postfix 2.3 and later.
2672
2673       Notes:
2674
2675       ·      Specify the silent-discard pseudo keyword to prevent this action
2676              from being logged.
2677
2678       ·      Use the lmtp_discard_lhlo_keyword_address_maps feature  to  dis‐
2679              card LHLO keywords selectively.
2680

lmtp_dns_reply_filter (default: empty)

2682       Optional  filter  for  Postfix  LMTP  client  DNS  lookup results.  See
2683       smtp_dns_reply_filter for details including an example.
2684
2685       This feature is available in Postfix 3.0 and later.
2686

lmtp_dns_resolver_options (default: empty)

2688       The LMTP-specific version of the  smtp_dns_resolver_options  configura‐
2689       tion parameter.  See there for details.
2690
2691       This feature is available in Postfix 2.8 and later.
2692

lmtp_dns_support_level (default: empty)

2694       The  LMTP-specific  version of the smtp_dns_support_level configuration
2695       parameter.  See there for details.
2696
2697       This feature is available in Postfix 2.11 and later.
2698

lmtp_enforce_tls (default: no)

2700       The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2701       ter.  See there for details.
2702
2703       This feature is available in Postfix 2.3 and later.
2704

lmtp_fallback_relay (default: empty)

2706       Optional  list of relay hosts for LMTP destinations that can't be found
2707       or that are unreachable.  In main.cf elements are separated  by  white‐
2708       space or commas.
2709
2710       By  default,  mail  is returned to the sender when a destination is not
2711       found, and delivery is deferred when a destination is unreachable.
2712
2713       The fallback relays must be TCP destinations, specified without a lead‐
2714       ing  "inet:" prefix.  Specify a host or host:port.  Since MX lookups do
2715       not apply  with  LMTP,  there  is  no  need  to  use  the  "[host]"  or
2716       "[host]:port"  forms.  If you specify multiple LMTP destinations, Post‐
2717       fix will try them in the specified order.
2718
2719       This feature is available in Postfix 3.1 and later.
2720

lmtp_generic_maps (default: empty)

2722       The LMTP-specific version of the smtp_generic_maps configuration param‐
2723       eter.  See there for details.
2724
2725       This feature is available in Postfix 2.3 and later.
2726

lmtp_header_checks (default: empty)

2728       The  LMTP-specific  version  of  the  smtp_header_checks  configuration
2729       parameter. See there for details.
2730
2731       This feature is available in Postfix 2.5 and later.
2732

lmtp_host_lookup (default: dns)

2734       The LMTP-specific version of the smtp_host_lookup configuration parame‐
2735       ter.  See there for details.
2736
2737       This feature is available in Postfix 2.3 and later.
2738

lmtp_lhlo_name (default: $myhostname)

2740       The hostname to send in the LMTP LHLO command.
2741
2742       The  default  value  is  the  machine  hostname.  Specify a hostname or
2743       [ip.add.re.ss].
2744
2745       This information can be specified in the  main.cf  file  for  all  LMTP
2746       clients,  or  it  can be specified in the master.cf file for a specific
2747       client, for example:
2748
2749           /etc/postfix/master.cf:
2750               mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2751
2752       This feature is available in Postfix 2.3 and later.
2753

lmtp_lhlo_timeout (default: 300s)

2755       The Postfix LMTP client time limit for sending the  LHLO  command,  and
2756       for receiving the initial remote LMTP server response.
2757
2758       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2759       The default time unit is s (seconds).
2760

lmtp_line_length_limit (default: 990)

2762       The LMTP-specific version of the  smtp_line_length_limit  configuration
2763       parameter.  See there for details.
2764
2765       This feature is available in Postfix 2.3 and later.
2766

lmtp_mail_timeout (default: 300s)

2768       The  Postfix  LMTP client time limit for sending the MAIL FROM command,
2769       and for receiving the remote LMTP server response.
2770
2771       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2772       The default time unit is s (seconds).
2773

lmtp_mime_header_checks (default: empty)

2775       The  LMTP-specific version of the smtp_mime_header_checks configuration
2776       parameter. See there for details.
2777
2778       This feature is available in Postfix 2.5 and later.
2779

lmtp_mx_address_limit (default: 5)

2781       The LMTP-specific version of  the  smtp_mx_address_limit  configuration
2782       parameter.  See there for details.
2783
2784       This feature is available in Postfix 2.3 and later.
2785

lmtp_mx_session_limit (default: 2)

2787       The  LMTP-specific  version  of the smtp_mx_session_limit configuration
2788       parameter.  See there for details.
2789
2790       This feature is available in Postfix 2.3 and later.
2791

lmtp_nested_header_checks (default: empty)

2793       The LMTP-specific version of the  smtp_nested_header_checks  configura‐
2794       tion parameter. See there for details.
2795
2796       This feature is available in Postfix 2.5 and later.
2797

lmtp_per_record_deadline (default: no)

2799       The LMTP-specific version of the smtp_per_record_deadline configuration
2800       parameter.  See there for details.
2801
2802       This feature is available in Postfix 2.9 and later.
2803

lmtp_pix_workaround_delay_time (default: 10s)

2805       The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
2806       uration parameter.  See there for details.
2807
2808       This feature is available in Postfix 2.3 and later.
2809

lmtp_pix_workaround_maps (default: empty)

2811       The LMTP-specific version of the smtp_pix_workaround_maps configuration
2812       parameter.  See there for details.
2813
2814       This feature is available in Postfix 2.4 and later.
2815

lmtp_pix_workaround_threshold_time (default: 500s)

2817       The LMTP-specific  version  of  the  smtp_pix_workaround_threshold_time
2818       configuration parameter.  See there for details.
2819
2820       This feature is available in Postfix 2.3 and later.
2821

lmtp_pix_workarounds (default: empty)

2823       The  LMTP-specific  version  of  the  smtp_pix_workaround configuration
2824       parameter.  See there for details.
2825
2826       This feature is available in Postfix 2.4 and later.
2827

lmtp_quit_timeout (default: 300s)

2829       The Postfix LMTP client time limit for sending the  QUIT  command,  and
2830       for receiving the remote LMTP server response.
2831
2832       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2833       The default time unit is s (seconds).
2834

lmtp_quote_rfc821_envelope (default: yes)

2836       The LMTP-specific version of the smtp_quote_rfc821_envelope  configura‐
2837       tion parameter.  See there for details.
2838
2839       This feature is available in Postfix 2.3 and later.
2840

lmtp_randomize_addresses (default: yes)

2842       The LMTP-specific version of the smtp_randomize_addresses configuration
2843       parameter.  See there for details.
2844
2845       This feature is available in Postfix 2.3 and later.
2846

lmtp_rcpt_timeout (default: 300s)

2848       The Postfix LMTP client time limit for sending the RCPT TO command, and
2849       for receiving the remote LMTP server response.
2850
2851       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2852       The default time unit is s (seconds).
2853

lmtp_reply_filter (default: empty)

2855       The LMTP-specific version of the smtp_reply_filter configuration param‐
2856       eter.  See there for details.
2857
2858       This feature is available in Postfix 2.7 and later.
2859

lmtp_rset_timeout (default: 20s)

2861       The  Postfix  LMTP  client time limit for sending the RSET command, and
2862       for receiving the remote LMTP server response. The  LMTP  client  sends
2863       RSET  in order to finish a recipient address probe, or to verify that a
2864       cached connection is still alive.
2865
2866       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2867       The default time unit is s (seconds).
2868

lmtp_sasl_auth_cache_name (default: empty)

2870       The  LMTP-specific  version of the smtp_sasl_auth_cache_name configura‐
2871       tion parameter.  See there for details.
2872
2873       This feature is available in Postfix 2.5 and later.
2874

lmtp_sasl_auth_cache_time (default: 90d)

2876       The LMTP-specific version of the  smtp_sasl_auth_cache_time  configura‐
2877       tion parameter.  See there for details.
2878
2879       This feature is available in Postfix 2.5 and later.
2880

lmtp_sasl_auth_enable (default: no)

2882       Enable SASL authentication in the Postfix LMTP client.
2883

lmtp_sasl_auth_soft_bounce (default: yes)

2885       The  LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
2886       tion parameter.  See there for details.
2887
2888       This feature is available in Postfix 2.5 and later.
2889

lmtp_sasl_mechanism_filter (default: empty)

2891       The LMTP-specific version of the smtp_sasl_mechanism_filter  configura‐
2892       tion parameter.  See there for details.
2893
2894       This feature is available in Postfix 2.3 and later.
2895

lmtp_sasl_password_maps (default: empty)

2897       Optional  Postfix  LMTP client lookup tables with one username:password
2898       entry per host or domain.  If a remote host  or  domain  has  no  user‐
2899       name:password  entry,  then the Postfix LMTP client will not attempt to
2900       authenticate to the remote host.
2901

lmtp_sasl_path (default: empty)

2903       Implementation-specific information that is passed through to the  SASL
2904       plug-in implementation that is selected with lmtp_sasl_type.  Typically
2905       this specifies the name of a configuration file or rendezvous point.
2906
2907       This feature is available in Postfix 2.3 and later.
2908

lmtp_sasl_security_options (default: noplaintext, noanonymous)

2910       SASL security options; as of Postfix 2.3 the list of available features
2911       depends  on  the  SASL  client  implementation  that  is  selected with
2912       lmtp_sasl_type.
2913
2914       The following security features are defined for the cyrus  client  SASL
2915       implementation:
2916
2917       noplaintext
2918              Disallow authentication methods that use plaintext passwords.
2919
2920       noactive
2921              Disallow  authentication methods that are vulnerable to non-dic‐
2922              tionary active attacks.
2923
2924       nodictionary
2925              Disallow authentication methods that are vulnerable  to  passive
2926              dictionary attack.
2927
2928       noanonymous
2929              Disallow anonymous logins.
2930
2931       Example:
2932
2933       lmtp_sasl_security_options = noplaintext
2934

lmtp_sasl_tls_security_options (default: $lmtp_sasl_security_options)

2936       The LMTP-specific version of the smtp_sasl_tls_security_options config‐
2937       uration parameter.  See there for details.
2938
2939       This feature is available in Postfix 2.3 and later.
2940

lmtp_sasl_tls_verified_security_options (default: $lmtp_sasl_tls_secu‐

2942       rity_options)
2943       The   LMTP-specific   version   of   the   smtp_sasl_tls_verified_secu‐
2944       rity_options configuration parameter.  See there for details.
2945
2946       This feature is available in Postfix 2.3 and later.
2947

lmtp_sasl_type (default: cyrus)

2949       The SASL plug-in type that the  Postfix  LMTP  client  should  use  for
2950       authentication.   The available types are listed with the "postconf -A"
2951       command.
2952
2953       This feature is available in Postfix 2.3 and later.
2954

lmtp_send_dummy_mail_auth (default: no)

2956       The LMTP-specific version of the  smtp_send_dummy_mail_auth  configura‐
2957       tion parameter.  See there for details.
2958
2959       This feature is available in Postfix 2.9 and later.
2960

lmtp_send_xforward_command (default: no)

2962       Send  an  XFORWARD command to the remote LMTP server when the LMTP LHLO
2963       server response announces XFORWARD support.   This  allows  an  lmtp(8)
2964       delivery  agent,  used for content filter message injection, to forward
2965       the name, address, protocol and HELO name of the original client to the
2966       content  filter  and downstream queuing LMTP server.  Before you change
2967       the value to yes, it is best to make sure that your content filter sup‐
2968       ports this command.
2969
2970       This feature is available in Postfix 2.1 and later.
2971

lmtp_sender_dependent_authentication (default: no)

2973       The  LMTP-specific  version of the smtp_sender_dependent_authentication
2974       configuration parameter.  See there for details.
2975
2976       This feature is available in Postfix 2.3 and later.
2977

lmtp_skip_5xx_greeting (default: yes)

2979       The LMTP-specific version of the  smtp_skip_5xx_greeting  configuration
2980       parameter.  See there for details.
2981
2982       This feature is available in Postfix 2.3 and later.
2983

lmtp_skip_quit_response (default: no)

2985       Wait for the response to the LMTP QUIT command.
2986

lmtp_starttls_timeout (default: 300s)

2988       The  LMTP-specific  version  of the smtp_starttls_timeout configuration
2989       parameter.  See there for details.
2990
2991       This feature is available in Postfix 2.3 and later.
2992

lmtp_tcp_port (default: 24)

2994       The default TCP port that the Postfix LMTP client connects to.  Specify
2995       a symbolic name (see services(5)) or a numeric port.
2996

lmtp_tls_CAfile (default: empty)

2998       The  LMTP-specific version of the smtp_tls_CAfile configuration parame‐
2999       ter.  See there for details.
3000
3001       This feature is available in Postfix 2.3 and later.
3002

lmtp_tls_CApath (default: empty)

3004       The LMTP-specific version of the smtp_tls_CApath configuration  parame‐
3005       ter.  See there for details.
3006
3007       This feature is available in Postfix 2.3 and later.
3008

lmtp_tls_block_early_mail_reply (default: empty)

3010       The  LMTP-specific  version of the smtp_tls_block_early_mail_reply con‐
3011       figuration parameter.  See there for details.
3012
3013       This feature is available in Postfix 2.7 and later.
3014

lmtp_tls_cert_file (default: empty)

3016       The  LMTP-specific  version  of  the  smtp_tls_cert_file  configuration
3017       parameter.  See there for details.
3018
3019       This feature is available in Postfix 2.3 and later.
3020

lmtp_tls_ciphers (default: medium)

3022       The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
3023       ter. See there for details.
3024
3025       This feature is available in Postfix 2.6 and later.
3026

lmtp_tls_dcert_file (default: empty)

3028       The LMTP-specific  version  of  the  smtp_tls_dcert_file  configuration
3029       parameter.  See there for details.
3030
3031       This feature is available in Postfix 2.3 and later.
3032

lmtp_tls_dkey_file (default: $lmtp_tls_dcert_file)

3034       The  LMTP-specific  version  of  the  smtp_tls_dkey_file  configuration
3035       parameter.  See there for details.
3036
3037       This feature is available in Postfix 2.3 and later.
3038

lmtp_tls_eccert_file (default: empty)

3040       The LMTP-specific version  of  the  smtp_tls_eccert_file  configuration
3041       parameter.  See there for details.
3042
3043       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
3044       compiled and linked with OpenSSL 1.0.0 or later.
3045

lmtp_tls_eckey_file (default: empty)

3047       The LMTP-specific  version  of  the  smtp_tls_eckey_file  configuration
3048       parameter.  See there for details.
3049
3050       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
3051       compiled and linked with OpenSSL 1.0.0 or later.
3052

lmtp_tls_enforce_peername (default: yes)

3054       The LMTP-specific version of the  smtp_tls_enforce_peername  configura‐
3055       tion parameter.  See there for details.
3056
3057       This feature is available in Postfix 2.3 and later.
3058

lmtp_tls_exclude_ciphers (default: empty)

3060       The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
3061       parameter.  See there for details.
3062
3063       This feature is available in Postfix 2.3 and later.
3064

lmtp_tls_fingerprint_cert_match (default: empty)

3066       The LMTP-specific version of the  smtp_tls_fingerprint_cert_match  con‐
3067       figuration parameter.  See there for details.
3068
3069       This feature is available in Postfix 2.5 and later.
3070

lmtp_tls_fingerprint_digest (default: md5)

3072       The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
3073       tion parameter.  See there for details.
3074
3075       This feature is available in Postfix 2.5 and later.
3076

lmtp_tls_force_insecure_host_tlsa_lookup (default: no)

3078       The    LMTP-specific    version     of     the     smtp_tls_force_inse‐
3079       cure_host_tlsa_lookup configuration parameter.  See there for details.
3080
3081       This feature is available in Postfix 2.11 and later.
3082

lmtp_tls_key_file (default: $lmtp_tls_cert_file)

3084       The LMTP-specific version of the smtp_tls_key_file configuration param‐
3085       eter.  See there for details.
3086
3087       This feature is available in Postfix 2.3 and later.
3088

lmtp_tls_loglevel (default: 0)

3090       The LMTP-specific version of the smtp_tls_loglevel configuration param‐
3091       eter.  See there for details.
3092
3093       This feature is available in Postfix 2.3 and later.
3094

lmtp_tls_mandatory_ciphers (default: medium)

3096       The  LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
3097       tion parameter.  See there for details.
3098
3099       This feature is available in Postfix 2.3 and later.
3100

lmtp_tls_mandatory_exclude_ciphers (default: empty)

3102       The LMTP-specific  version  of  the  smtp_tls_mandatory_exclude_ciphers
3103       configuration parameter.  See there for details.
3104
3105       This feature is available in Postfix 2.3 and later.
3106

lmtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

3108       The  LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
3109       ration parameter. See there for details.
3110
3111       This feature is available in Postfix 2.3 and later.
3112

lmtp_tls_note_starttls_offer (default: no)

3114       The LMTP-specific version of the smtp_tls_note_starttls_offer  configu‐
3115       ration parameter.  See there for details.
3116
3117       This feature is available in Postfix 2.3 and later.
3118

lmtp_tls_per_site (default: empty)

3120       The LMTP-specific version of the smtp_tls_per_site configuration param‐
3121       eter.  See there for details.
3122
3123       This feature is available in Postfix 2.3 and later.
3124

lmtp_tls_policy_maps (default: empty)

3126       The LMTP-specific version  of  the  smtp_tls_policy_maps  configuration
3127       parameter. See there for details.
3128
3129       This feature is available in Postfix 2.3 and later.
3130

lmtp_tls_protocols (default: !SSLv2, !SSLv3)

3132       The  LMTP-specific  version  of  the  smtp_tls_protocols  configuration
3133       parameter. See there for details.
3134
3135       This feature is available in Postfix 2.6 and later.
3136

lmtp_tls_scert_verifydepth (default: 9)

3138       The LMTP-specific version of the smtp_tls_scert_verifydepth  configura‐
3139       tion parameter.  See there for details.
3140
3141       This feature is available in Postfix 2.3 and later.
3142

lmtp_tls_secure_cert_match (default: nexthop)

3144       The  LMTP-specific version of the smtp_tls_secure_cert_match configura‐
3145       tion parameter. See there for details.
3146
3147       This feature is available in Postfix 2.3 and later.
3148

lmtp_tls_security_level (default: empty)

3150       The LMTP-specific version of the smtp_tls_security_level  configuration
3151       parameter.  See there for details.
3152
3153       This feature is available in Postfix 2.3 and later.
3154

lmtp_tls_session_cache_database (default: empty)

3156       The  LMTP-specific  version of the smtp_tls_session_cache_database con‐
3157       figuration parameter. See there for details.
3158
3159       This feature is available in Postfix 2.3 and later.
3160

lmtp_tls_session_cache_timeout (default: 3600s)

3162       The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
3163       uration parameter.  See there for details.
3164
3165       This feature is available in Postfix 2.3 and later.
3166

lmtp_tls_trust_anchor_file (default: empty)

3168       The  LMTP-specific version of the smtp_tls_trust_anchor_file configura‐
3169       tion parameter.  See there for details.
3170
3171       This feature is available in Postfix 2.11 and later.
3172

lmtp_tls_verify_cert_match (default: hostname)

3174       The LMTP-specific version of the smtp_tls_verify_cert_match  configura‐
3175       tion parameter. See there for details.
3176
3177       This feature is available in Postfix 2.3 and later.
3178

lmtp_use_tls (default: no)

3180       The  LMTP-specific version of the smtp_use_tls configuration parameter.
3181       See there for details.
3182
3183       This feature is available in Postfix 2.3 and later.
3184

lmtp_xforward_timeout (default: 300s)

3186       The Postfix LMTP client time limit for sending  the  XFORWARD  command,
3187       and for receiving the remote LMTP server response.
3188
3189       In  case  of  problems  the client does NOT try the next address on the
3190       mail exchanger list.
3191
3192       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3193       The default time unit is s (seconds).
3194
3195       This feature is available in Postfix 2.1 and later.
3196

local_command_shell (default: empty)

3198       Optional  shell  program  for local(8) delivery to non-Postfix command.
3199       By default, non-Postfix commands are executed  directly;  commands  are
3200       given to given to the default shell (typically, /bin/sh) only when they
3201       contain shell meta characters or shell built-in commands.
3202
3203       "sendmail's restricted shell" (smrsh) is what most people will  use  in
3204       order  to  restrict  what  programs can be run from e.g. .forward files
3205       (smrsh is part of the Sendmail distribution).
3206
3207       Note: when a shell program is specified, it is invoked  even  when  the
3208       command contains no shell built-in commands or meta characters.
3209
3210       Example:
3211
3212       local_command_shell = /some/where/smrsh -c
3213       local_command_shell = /bin/bash -c
3214

local_delivery_status_filter (default: $default_delivery_status_filter)

3216       Optional  filter  for  the local(8) delivery agent to change the status
3217       code or explanatory text of successful or unsuccessful deliveries.  See
3218       default_delivery_status_filter for details.
3219
3220       This feature is available in Postfix 3.0 and later.
3221

local_destination_concurrency_limit (default: 2)

3223       The  maximal  number of parallel deliveries via the local mail delivery
3224       transport  to  the  same  recipient  (when   "local_destination_recipi‐
3225       ent_limit  =  1")  or  the maximal number of parallel deliveries to the
3226       same local domain (when "local_destination_recipient_limit > 1").  This
3227       limit  is enforced by the queue manager. The message delivery transport
3228       name is the first field in the entry in the master.cf file.
3229
3230       A low limit of 2 is recommended, just in case someone has an  expensive
3231       shell  command  in a .forward file or in an alias (e.g., a mailing list
3232       manager).  You don't want to run lots of those at the same time.
3233

local_destination_recipient_limit (default: 1)

3235       The maximal number of recipients per message  delivery  via  the  local
3236       mail  delivery  transport. This limit is enforced by the queue manager.
3237       The message delivery transport name is the first field in the entry  in
3238       the master.cf file.
3239
3240       Setting this parameter to a value > 1 changes the meaning of local_des‐
3241       tination_concurrency_limit from concurrency per recipient into  concur‐
3242       rency per domain.
3243

local_header_rewrite_clients (default: permit_inet_interfaces)

3245       Rewrite  message header addresses in mail from these clients and update
3246       incomplete addresses with the domain name in  $myorigin  or  $mydomain;
3247       either  don't rewrite message headers from other clients at all, or re‐
3248       write message headers and update incomplete addresses with  the  domain
3249       specified in the remote_header_rewrite_domain parameter.
3250
3251       See  the  append_at_myorigin  and  append_dot_mydomain  parameters  for
3252       details of how domain names are appended to incomplete addresses.
3253
3254       Specify a list of zero or more of the following:
3255
3256       permit_inet_interfaces
3257              Append the domain name in $myorigin or $mydomain when the client
3258              IP address matches $inet_interfaces. This is enabled by default.
3259
3260       permit_mynetworks
3261              Append the domain name in $myorigin or $mydomain when the client
3262              IP address matches any network  or  network  address  listed  in
3263              $mynetworks.  This  setting  will not prevent remote mail header
3264              address rewriting when mail from a remote client is forwarded by
3265              a neighboring system.
3266
3267       permit_sasl_authenticated
3268              Append the domain name in $myorigin or $mydomain when the client
3269              is successfully authenticated via the RFC 4954 (AUTH) protocol.
3270
3271       permit_tls_clientcerts
3272              Append the domain name in $myorigin or $mydomain when the remote
3273              SMTP  client  TLS  certificate fingerprint or public key finger‐
3274              print (Postfix 2.9 and later) is listed  in  $relay_clientcerts.
3275              The   fingerprint  digest  algorithm  is  configurable  via  the
3276              smtpd_tls_fingerprint_digest parameter (hard-coded as md5  prior
3277              to Postfix version 2.5).
3278
3279       permit_tls_all_clientcerts
3280              Append the domain name in $myorigin or $mydomain when the remote
3281              SMTP client TLS certificate is successfully verified, regardless
3282              of  whether  it  is  listed on the server, and regardless of the
3283              certifying authority.
3284
3285       check_address_map type:table
3286
3287       type:table
3288              Append the domain name in $myorigin or $mydomain when the client
3289              IP  address  matches  the  specified  lookup  table.  The lookup
3290              result is ignored, and no subnet lookup is done. This  is  suit‐
3291              able for, e.g., pop-before-smtp lookup tables.
3292
3293       Examples:
3294
3295       The  Postfix < 2.2 backwards compatible setting: always rewrite message
3296       headers,  and  always  append  my  own  domain  to  incomplete   header
3297       addresses.
3298
3299           local_header_rewrite_clients = static:all
3300
3301       The  purist  (and  default)  setting: rewrite headers only in mail from
3302       Postfix sendmail and in SMTP mail from this machine.
3303
3304           local_header_rewrite_clients = permit_inet_interfaces
3305
3306       The intermediate setting: rewrite header addresses and append $myorigin
3307       or  $mydomain  information  only  with mail from Postfix sendmail, from
3308       local clients, or from authorized SMTP clients.
3309
3310       Note: this setting will not prevent remote mail header address  rewrit‐
3311       ing  when  mail from a remote client is forwarded by a neighboring sys‐
3312       tem.
3313
3314           local_header_rewrite_clients = permit_mynetworks,
3315               permit_sasl_authenticated permit_tls_clientcerts
3316               check_address_map hash:/etc/postfix/pop-before-smtp
3317

local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)

3319       Lookup tables with all names or addresses of local recipients: a recip‐
3320       ient   address   is  local  when  its  domain  matches  $mydestination,
3321       $inet_interfaces or $proxy_interfaces.  Specify @domain as a  wild-card
3322       for  domains  that  do  not  have a valid recipient list.  Technically,
3323       tables listed with $local_recipient_maps are  used  as  lists:  Postfix
3324       needs  to know only if a lookup string is found or not, but it does not
3325       use the result from table lookup.
3326
3327       Specify zero or more "type:name" lookup tables, separated by whitespace
3328       or  comma. Tables will be searched in the specified order until a match
3329       is found.
3330
3331       If this parameter is non-empty (the default),  then  the  Postfix  SMTP
3332       server will reject mail for unknown local users.
3333
3334       To  turn off local recipient checking in the Postfix SMTP server, spec‐
3335       ify "local_recipient_maps =" (i.e. empty).
3336
3337       The default setting assumes that you  use  the  default  Postfix  local
3338       delivery agent for local delivery. You need to update the local_recipi‐
3339       ent_maps setting if:
3340
3341       ·      You redefine the local delivery agent in master.cf.
3342
3343       ·      You redefine the "local_transport" setting in main.cf.
3344
3345       ·      You  use  the  "luser_relay",  "mailbox_transport",  or   "fall‐
3346              back_transport" feature of the Postfix local(8) delivery agent.
3347
3348       Details are described in the LOCAL_RECIPIENT_README file.
3349
3350       Beware:  if  the  Postfix SMTP server runs chrooted, you need to access
3351       the passwd file via the  proxymap(8)  service,  in  order  to  overcome
3352       chroot  access restrictions. The alternative, maintaining a copy of the
3353       system password file in the chroot jail is not practical.
3354
3355       Examples:
3356
3357       local_recipient_maps =
3358

local_transport (default: local:$myhostname)

3360       The default mail delivery transport and next-hop destination for  final
3361       delivery to domains listed with mydestination, and for [ipaddress] des‐
3362       tinations  that  match  $inet_interfaces  or  $proxy_interfaces.   This
3363       information can be overruled with the transport(5) table.
3364
3365       By  default,  local  mail is delivered to the transport called "local",
3366       which is just the name of a service that is defined the master.cf file.
3367
3368       Specify a string of the form transport:nexthop, where transport is  the
3369       name  of  a mail delivery transport defined in master.cf.  The :nexthop
3370       destination is optional; its syntax is documented in the manual page of
3371       the corresponding delivery agent.
3372
3373       Beware:  if you override the default local delivery agent then you need
3374       to review  the  LOCAL_RECIPIENT_README  document,  otherwise  the  SMTP
3375       server may reject mail for local recipients.
3376

luser_relay (default: empty)

3378       Optional  catch-all  destination  for  unknown local(8) recipients.  By
3379       default, mail for unknown recipients in domains that match  $mydestina‐
3380       tion,  $inet_interfaces  or $proxy_interfaces is returned as undeliver‐
3381       able.
3382
3383       The following $name expansions are done on luser_relay:
3384
3385       $domain
3386              The recipient domain.
3387
3388       $extension
3389              The recipient address extension.
3390
3391       $home  The recipient's home directory.
3392
3393       $local The entire recipient address localpart.
3394
3395       $recipient
3396              The full recipient address.
3397
3398       $recipient_delimiter
3399              The address extension delimiter that was found in the  recipient
3400              address  (Postfix  2.11 and later), or the system-wide recipient
3401              address extension delimiter (Postfix 2.10 and earlier).
3402
3403       $shell The recipient's login shell.
3404
3405       $user  The recipient username.
3406
3407       ${name?value}
3408              Expands to value when $name has a non-empty value.
3409
3410       ${name:value}
3411              Expands to value when $name has an empty value.
3412
3413       Instead of $name you can also specify ${name} or $(name).
3414
3415       Note: luser_relay works only for the Postfix local(8) delivery agent.
3416
3417       Note: if you use this feature for accounts not  in  the  UNIX  password
3418       file,  then  you  must specify "local_recipient_maps =" (i.e. empty) in
3419       the main.cf file, otherwise the Postfix SMTP server  will  reject  mail
3420       for non-UNIX accounts with "User unknown in local recipient table".
3421
3422       Examples:
3423
3424       luser_relay = $user@other.host
3425       luser_relay = $local@other.host
3426       luser_relay = admin+$local
3427

mail_name (default: Postfix)

3429       The  mail  system  name  that is displayed in Received: headers, in the
3430       SMTP greeting banner, and in bounced mail.
3431

mail_owner (default: postfix)

3433       The UNIX system account that owns the Postfix queue  and  most  Postfix
3434       daemon  processes.   Specify  the  name of an unprivileged user account
3435       that does not share a user or group ID with other  accounts,  and  that
3436       owns  no  other files or processes on the system.  In particular, don't
3437       specify nobody or daemon.  PLEASE USE A DEDICATED USER ID AND GROUP ID.
3438
3439       When this parameter value  is  changed  you  need  to  re-run  "postfix
3440       set-permissions"  (with  Postfix  version  2.0 and earlier: "/etc/post‐
3441       fix/post-install set-permissions".
3442

mail_release_date (default: see postconf -d output)

3444       The Postfix release date, in "YYYYMMDD" format.
3445

mail_spool_directory (default: see postconf -d output)

3447       The directory where local(8) UNIX-style mailboxes are kept. The default
3448       setting  depends  on  the  system  type. Specify a name ending in / for
3449       maildir-style delivery.
3450
3451       Note: maildir delivery is done with the privileges  of  the  recipient.
3452       If you use the mail_spool_directory setting for maildir style delivery,
3453       then you must create the top-level maildir directory in advance.  Post‐
3454       fix will not create it.
3455
3456       Examples:
3457
3458       mail_spool_directory = /var/mail
3459       mail_spool_directory = /var/spool/mail
3460

mail_version (default: see postconf -d output)

3462       The   version   of   the   mail   system.  Stable  releases  are  named
3463       major.minor.patchlevel. Experimental releases also include the  release
3464       date. The version string can be used in, for example, the SMTP greeting
3465       banner.
3466

mailbox_command (default: empty)

3468       Optional external command that the local(8) delivery agent  should  use
3469       for mailbox delivery.  The command is run with the user ID and the pri‐
3470       mary group ID privileges of the recipient.  Exception: command delivery
3471       for  root executes with $default_privs privileges.  This is not a prob‐
3472       lem, because 1) mail for root should always be aliased to a  real  user
3473       and 2) don't log in as root, use "su" instead.
3474
3475       The following environment variables are exported to the command:
3476
3477       CLIENT_ADDRESS
3478              Remote  client network address. Available in Postfix version 2.2
3479              and later.
3480
3481       CLIENT_HELO
3482              Remote client EHLO command parameter. Available in Postfix  ver‐
3483              sion 2.2 and later.
3484
3485       CLIENT_HOSTNAME
3486              Remote  client  hostname.  Available  in Postfix version 2.2 and
3487              later.
3488
3489       CLIENT_PROTOCOL
3490              Remote client protocol. Available in  Postfix  version  2.2  and
3491              later.
3492
3493       DOMAIN The domain part of the recipient address.
3494
3495       EXTENSION
3496              The optional address extension.
3497
3498       HOME   The recipient home directory.
3499
3500       LOCAL  The recipient address localpart.
3501
3502       LOGNAME
3503              The recipient's username.
3504
3505       ORIGINAL_RECIPIENT
3506              The  entire  recipient  address, before any address rewriting or
3507              aliasing.
3508
3509       RECIPIENT
3510              The full recipient address.
3511
3512       SASL_METHOD
3513              SASL authentication method specified in the remote  client  AUTH
3514              command. Available in Postfix version 2.2 and later.
3515
3516       SASL_SENDER
3517              SASL  sender  address  specified  in the remote client MAIL FROM
3518              command. Available in Postfix version 2.2 and later.
3519
3520       SASL_USER
3521              SASL username specified  in  the  remote  client  AUTH  command.
3522              Available in Postfix version 2.2 and later.
3523
3524       SENDER The full sender address.
3525
3526       SHELL  The recipient's login shell.
3527
3528       USER   The recipient username.
3529
3530       Unlike  other  Postfix  configuration  parameters,  the mailbox_command
3531       parameter is not subjected to $name substitutions. This is to  make  it
3532       easier to specify shell syntax (see example below).
3533
3534       If you can, avoid shell meta characters because they will force Postfix
3535       to run an expensive shell process. If you're  delivering  via  Procmail
3536       then  running  a  shell won't make a noticeable difference in the total
3537       cost.
3538
3539       Note: if you use the  mailbox_command  feature  to  deliver  mail  sys‐
3540       tem-wide,  you  must  set  up an alias that forwards mail for root to a
3541       real user.
3542
3543       The precedence of local(8) delivery  features  from  high  to  low  is:
3544       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3545       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
3546       tory, fallback_transport_maps, fallback_transport and luser_relay.
3547
3548       Examples:
3549
3550       mailbox_command = /some/where/procmail
3551       mailbox_command = /some/where/procmail -a "$EXTENSION"
3552       mailbox_command = /some/where/maildrop -d "$USER"
3553               -f "$SENDER" "$EXTENSION"
3554

mailbox_command_maps (default: empty)

3556       Optional  lookup tables with per-recipient external commands to use for
3557       local(8) mailbox delivery.  Behavior is as with mailbox_command.
3558
3559       The precedence of local(8) delivery  features  from  high  to  low  is:
3560       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3561       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
3562       tory, fallback_transport_maps, fallback_transport and luser_relay.
3563
3564       Specify zero or more "type:name" lookup tables, separated by whitespace
3565       or comma. Tables will be searched in the specified order until a  match
3566       is found.
3567

mailbox_delivery_lock (default: see postconf -d output)

3569       How  to  lock a UNIX-style local(8) mailbox before attempting delivery.
3570       For a list of available file locking methods,  use  the  "postconf  -l"
3571       command.
3572
3573       This  setting  is  ignored  with  maildir  style delivery, because such
3574       deliveries are safe without explicit locks.
3575
3576       Note: The dotlock method requires that the recipient  UID  or  GID  has
3577       write access to the parent directory of the mailbox file.
3578
3579       Note: the default setting of this parameter is system dependent.
3580

mailbox_size_limit (default: 51200000)

3582       The maximal size of any local(8) individual mailbox or maildir file, or
3583       zero (no limit).  In fact, this limits the size of  any  file  that  is
3584       written  to  upon  local  delivery, including files written by external
3585       commands that are executed by the local(8) delivery agent.
3586
3587       This limit must not be smaller than the message size limit.
3588

mailbox_transport (default: empty)

3590       Optional message delivery transport that the  local(8)  delivery  agent
3591       should use for mailbox delivery to all local recipients, whether or not
3592       they are found in the UNIX passwd database.
3593
3594       The precedence of local(8) delivery  features  from  high  to  low  is:
3595       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3596       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
3597       tory, fallback_transport_maps, fallback_transport and luser_relay.
3598

mailbox_transport_maps (default: empty)

3600       Optional  lookup  tables with per-recipient message delivery transports
3601       to use for local(8) mailbox delivery, whether or not the recipients are
3602       found in the UNIX passwd database.
3603
3604       The  precedence  of  local(8)  delivery  features  from high to low is:
3605       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3606       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
3607       tory, fallback_transport_maps, fallback_transport and luser_relay.
3608
3609       Specify zero or more "type:name" lookup tables, separated by whitespace
3610       or  comma. Tables will be searched in the specified order until a match
3611       is found.
3612
3613       For safety reasons, this feature does not allow  $number  substitutions
3614       in regular expression maps.
3615
3616       This feature is available in Postfix 2.3 and later.
3617

mailq_path (default: see postconf -d output)

3619       Sendmail   compatibility  feature  that  specifies  where  the  Postfix
3620       mailq(1) command is installed. This command can be  used  to  list  the
3621       Postfix mail queue.
3622

manpage_directory (default: see postconf -d output)

3624       Where the Postfix manual pages are installed.
3625

maps_rbl_domains (default: empty)

3627       Obsolete feature: use the reject_rbl_client feature instead.
3628

maps_rbl_reject_code (default: 554)

3630       The  numerical  Postfix  SMTP  server  response code when a remote SMTP
3631       client    request    is    blocked    by     the     reject_rbl_client,
3632       reject_rhsbl_client,  reject_rhsbl_reverse_client,  reject_rhsbl_sender
3633       or reject_rhsbl_recipient restriction.
3634
3635       Do not change this unless you have  a  complete  understanding  of  RFC
3636       5321.
3637

masquerade_classes (default: envelope_sender, header_sender, header_recipient)

3639
3640       What addresses are subject to address masquerading.
3641
3642       By  default,  address  masquerading  is  limited  to  envelope   sender
3643       addresses,  and  to header sender and header recipient addresses.  This
3644       allows you to use address masquerading on a mail  gateway  while  still
3645       being able to forward mail to users on individual machines.
3646
3647       Specify   zero   or   more   of:  envelope_sender,  envelope_recipient,
3648       header_sender, header_recipient
3649

masquerade_domains (default: empty)

3651       Optional list of domains whose subdomain structure will be stripped off
3652       in email addresses.
3653
3654       The  list is processed left to right, and processing stops at the first
3655       match.  Thus,
3656
3657           masquerade_domains = foo.example.com example.com
3658
3659       strips "user@any.thing.foo.example.com" to "user@foo.example.com",  but
3660       strips "user@any.thing.else.example.com" to "user@example.com".
3661
3662       A  domain  name  prefixed with ! means do not masquerade this domain or
3663       its subdomains. Thus,
3664
3665           masquerade_domains = !foo.example.com example.com
3666
3667       does not  change  "user@any.thing.foo.example.com"  or  "user@foo.exam‐
3668       ple.com",  but  strips "user@any.thing.else.example.com" to "user@exam‐
3669       ple.com".
3670
3671       Note: with Postfix version 2.2,  message  header  address  masquerading
3672       happens only when message header address rewriting is enabled:
3673
3674       ·      The message is received with the Postfix sendmail(1) command,
3675
3676       ·      The  message  is  received  from  a  network client that matches
3677              $local_header_rewrite_clients,
3678
3679       ·      The  message   is   received   from   the   network,   and   the
3680              remote_header_rewrite_domain  parameter  specifies  a  non-empty
3681              value.
3682
3683       To   get   the   behavior   before   Postfix   version   2.2,   specify
3684       "local_header_rewrite_clients = static:all".
3685
3686       Example:
3687
3688       masquerade_domains = $mydomain
3689

masquerade_exceptions (default: empty)

3691       Optional  list  of  user  names  that are not subjected to address mas‐
3692       querading, even when their address matches $masquerade_domains.
3693
3694       By default, address masquerading makes no exceptions.
3695
3696       Specify a list of user names, "/file/name"  or  "type:table"  patterns,
3697       separated  by  commas  and/or  whitespace.  The list is matched left to
3698       right, and the search stops on the first match. A "/file/name"  pattern
3699       is  replaced  by  its  contents; a "type:table" lookup table is matched
3700       when a name matches a lookup key (the lookup result is ignored).   Con‐
3701       tinue  long  lines  by  starting the next line with whitespace. Specify
3702       "!pattern" to exclude a name from the list. The form  "!/file/name"  is
3703       supported only in Postfix version 2.4 and later.
3704
3705       Examples:
3706
3707       masquerade_exceptions = root, mailer-daemon
3708       masquerade_exceptions = root
3709

master_service_disable (default: empty)

3711       Selectively disable master(8) listener ports by service type or by ser‐
3712       vice name and type.  Specify a list of service types  ("inet",  "unix",
3713       "fifo",  or  "pass")  or  "name/type" tuples, where "name" is the first
3714       field of a master.cf entry and "type" is a service type. As with  other
3715       Postfix  matchlists, a search stops at the first match.  Specify "!pat‐
3716       tern" to exclude a service from the list.  By  default,  all  master(8)
3717       listener ports are enabled.
3718
3719       Note:  this  feature does not support "/file/name" or "type:table" pat‐
3720       terns, nor does it support wildcards such as  "*"  or  "all".  This  is
3721       intentional.
3722
3723       Examples:
3724
3725       # With Postfix 2.6..2.10 use '.' instead of '/'.
3726       # Turn on all master(8) listener ports (the default).
3727       master_service_disable =
3728       # Turn off only the main SMTP listener port.
3729       master_service_disable = smtp/inet
3730       # Turn off all TCP/IP listener ports.
3731       master_service_disable = inet
3732       # Turn off all TCP/IP listener ports except "foo".
3733       master_service_disable = !foo/inet, inet
3734
3735       This feature is available in Postfix 2.6 and later.
3736

max_idle (default: 100s)

3738       The  maximum  amount  of time that an idle Postfix daemon process waits
3739       for an incoming connection before terminating voluntarily.  This param‐
3740       eter  is  ignored  by the Postfix queue manager and by other long-lived
3741       Postfix daemon processes.
3742
3743       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3744       The default time unit is s (seconds).
3745

max_use (default: 100)

3747       The  maximal  number  of  incoming  connections  that  a Postfix daemon
3748       process will service before terminating voluntarily.  This parameter is
3749       ignored  by  the  Postfix queue manager and by other long-lived Postfix
3750       daemon processes.
3751

maximal_backoff_time (default: 4000s)

3753       The maximal time between attempts to deliver a deferred message.
3754
3755       This parameter should be set to a value greater than or equal to $mini‐
3756       mal_backoff_time. See also $queue_run_delay.
3757
3758       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3759       The default time unit is s (seconds).
3760

maximal_queue_lifetime (default: 5d)

3762       Consider a message as undeliverable, when delivery fails with a  tempo‐
3763       rary   error,  and  the  time  in  the  queue  has  reached  the  maxi‐
3764       mal_queue_lifetime limit.
3765
3766       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3767       The default time unit is d (days).
3768
3769       Specify 0 when mail delivery should be tried only once.
3770

message_drop_headers (default: bcc, content-length, resent-bcc, return-path)

3772       Names  of  message headers that the cleanup(8) daemon will remove after
3773       applying header_checks(5) and before invoking Milter applications.  The
3774       default setting is compatible with Postfix < 3.0.
3775
3776       Specify a list of header names, separated by comma or space.  Names are
3777       matched in a case-insensitive manner.  The  list  of  supported  header
3778       names is limited only by available memory.
3779
3780       This feature is available in Postfix 3.0 and later.
3781

message_reject_characters (default: empty)

3783       The set of characters that Postfix will reject in message content.  The
3784       usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3785       (up to three octal digits) and \\.
3786
3787       Note  1: this feature does not recognize text that requires MIME decod‐
3788       ing. It inspects raw  message  content,  just  like  header_checks  and
3789       body_checks.
3790
3791       Note  2:  this  feature  is  disabled  with "receive_override_options =
3792       no_header_body_checks".
3793
3794       Example:
3795
3796       message_reject_characters = \0
3797
3798       This feature is available in Postfix 2.3 and later.
3799

message_size_limit (default: 10240000)

3801       The maximal size in bytes of a message, including envelope information.
3802
3803       Note: be careful when making changes.  Excessively  small  values  will
3804       result in the loss of non-delivery notifications, when a bounce message
3805       size exceeds the local or remote MTA's message size limit.
3806

message_strip_characters (default: empty)

3808       The set of characters that Postfix will remove  from  message  content.
3809       The  usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
3810       \ddd (up to three octal digits) and \\.
3811
3812       Note 1: this feature does not recognize text that requires MIME  decod‐
3813       ing.  It  inspects  raw  message  content,  just like header_checks and
3814       body_checks.
3815
3816       Note 2: this  feature  is  disabled  with  "receive_override_options  =
3817       no_header_body_checks".
3818
3819       Example:
3820
3821       message_strip_characters = \0
3822
3823       This feature is available in Postfix 2.3 and later.
3824

meta_directory (default: see 'postconf -d' output)

3826       The  location  of  non-executable  files that are shared among multiple
3827       Postfix instances,  such  as  postfix-files,  dynamicmaps.cf,  and  the
3828       multi-instance  template files main.cf.proto and master.cf.proto.  This
3829       directory should contain only Postfix-related  files.   Typically,  the
3830       meta_directory  parameter  has the same default as the config_directory
3831       parameter (/etc/postfix or /usr/local/etc/postfix).
3832
3833       For backwards compatibility with Postfix  versions  2.6..2.11,  specify
3834       "meta_directory  =  $daemon_directory"  in main.cf before installing or
3835       upgrading Postfix, or specify  "meta_directory  =  /path/name"  on  the
3836       "make makefiles", "make install" or "make upgrade" command line.
3837
3838       This feature is available in Postfix 3.0 and later.
3839

milter_command_timeout (default: 30s)

3841       The  time  limit  for sending an SMTP command to a Milter (mail filter)
3842       application, and for receiving the response.
3843
3844       Specify a non-zero time value  (an  integral  value  plus  an  optional
3845       one-letter suffix that specifies the time unit).
3846
3847       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3848       The default time unit is s (seconds).
3849
3850       This feature is available in Postfix 2.3 and later.
3851

milter_connect_macros (default: see postconf -d output)

3853       The macros that are sent to Milter  (mail  filter)  applications  after
3854       completion  of  an  SMTP  connection.  See  MILTER_README for a list of
3855       available macro names and their meanings.
3856
3857       This feature is available in Postfix 2.3 and later.
3858

milter_connect_timeout (default: 30s)

3860       The time limit for connecting to a Milter  (mail  filter)  application,
3861       and for negotiating protocol options.
3862
3863       Specify  a  non-zero  time  value  (an  integral value plus an optional
3864       one-letter suffix that specifies the time unit).
3865
3866       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3867       The default time unit is s (seconds).
3868
3869       This feature is available in Postfix 2.3 and later.
3870

milter_content_timeout (default: 300s)

3872       The  time  limit  for sending message content to a Milter (mail filter)
3873       application, and for receiving the response.
3874
3875       Specify a non-zero time value  (an  integral  value  plus  an  optional
3876       one-letter suffix that specifies the time unit).
3877
3878       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3879       The default time unit is s (seconds).
3880
3881       This feature is available in Postfix 2.3 and later.
3882

milter_data_macros (default: see postconf -d output)

3884       The macros that are sent to version 4 or higher  Milter  (mail  filter)
3885       applications  after the SMTP DATA command. See MILTER_README for a list
3886       of available macro names and their meanings.
3887
3888       This feature is available in Postfix 2.3 and later.
3889

milter_default_action (default: tempfail)

3891       The default action when a Milter (mail filter) application is  unavail‐
3892       able or mis-configured. Specify one of the following:
3893
3894       accept Proceed as if the mail filter was not present.
3895
3896       reject Reject  all  further  commands  in this session with a permanent
3897              status code.
3898
3899       tempfail
3900              Reject all further commands in this  session  with  a  temporary
3901              status code.
3902
3903       quarantine
3904              Like  "accept",  but  freeze  the  message  in the "hold" queue.
3905              Available with Postfix 2.6 and later.
3906
3907       This feature is available in Postfix 2.3 and later.
3908

milter_end_of_data_macros (default: see postconf -d output)

3910       The macros that are sent to Milter (mail filter) applications after the
3911       message  end-of-data.  See  MILTER_README for a list of available macro
3912       names and their meanings.
3913
3914       This feature is available in Postfix 2.3 and later.
3915

milter_end_of_header_macros (default: see postconf -d output)

3917       The macros that are sent to Milter (mail filter) applications after the
3918       end  of  the  message header. See MILTER_README for a list of available
3919       macro names and their meanings.
3920
3921       This feature is available in Postfix 2.5 and later.
3922

milter_header_checks (default: empty)

3924       Optional lookup tables for content inspection of message  headers  that
3925       are  produced  by Milter applications.  See the header_checks(5) manual
3926       page available actions. Currently, PREPEND is not implemented.
3927
3928       The following example sends all mail that is marked as SPAM to  a  spam
3929       handling machine. Note that matches are case-insensitive by default.
3930
3931       /etc/postfix/main.cf:
3932           milter_header_checks = pcre:/etc/postfix/milter_header_checks
3933
3934       /etc/postfix/milter_header_checks:
3935           /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
3936
3937       The milter_header_checks mechanism could also be used for whitelisting.
3938       For example it could be used  to  skip  heavy  content  inspection  for
3939       DKIM-signed mail from known friendly domains.
3940
3941       This  feature is available in Postfix 2.7, and as an optional patch for
3942       Postfix 2.6.
3943

milter_helo_macros (default: see postconf -d output)

3945       The macros that are sent to Milter (mail filter) applications after the
3946       SMTP  HELO  or  EHLO command. See MILTER_README for a list of available
3947       macro names and their meanings.
3948
3949       This feature is available in Postfix 2.3 and later.
3950

milter_macro_daemon_name (default: $myhostname)

3952       The {daemon_name} macro value for Milter  (mail  filter)  applications.
3953       See  MILTER_README  for a list of available macro names and their mean‐
3954       ings.
3955
3956       This feature is available in Postfix 2.3 and later.
3957

milter_macro_defaults (default: empty)

3959       Optional list of name=value pairs that specify default values for arbi‐
3960       trary  macros  that  Postfix  may  send  to Milter applications.  These
3961       defaults are used when there is no corresponding information  from  the
3962       message delivery context.
3963
3964       Specify  name=value  or {name}=value pairs separated by comma or white‐
3965       space.  Enclose a pair in "{}" when a value contains  comma  or  white‐
3966       space (this form ignores whitespace after the enclosing "{", around the
3967       "=", and before the enclosing "}").
3968
3969       This feature is available in Postfix 3.1 and later.
3970

milter_macro_v (default: $mail_name $mail_version)

3972       The {v} macro value for Milter (mail filter)  applications.   See  MIL‐
3973       TER_README for a list of available macro names and their meanings.
3974
3975       This feature is available in Postfix 2.3 and later.
3976

milter_mail_macros (default: see postconf -d output)

3978       The macros that are sent to Milter (mail filter) applications after the
3979       SMTP MAIL FROM command. See MILTER_README for a list of available macro
3980       names and their meanings.
3981
3982       This feature is available in Postfix 2.3 and later.
3983

milter_protocol (default: 6)

3985       The  mail  filter protocol version and optional protocol extensions for
3986       communication with a Milter  application;  prior  to  Postfix  2.6  the
3987       default  protocol  is  2.  Postfix sends this version number during the
3988       initial protocol handshake.  It should match the version number that is
3989       expected by the mail filter application (or by its Milter library).
3990
3991       Protocol versions:
3992
3993       2      Use  Sendmail  8  mail  filter  protocol version 2 (default with
3994              Sendmail version 8.11 .. 8.13 and Postfix version 2.3 ..  2.5).
3995
3996       3      Use Sendmail 8 mail filter protocol version 3.
3997
3998       4      Use Sendmail 8 mail filter protocol version 4.
3999
4000       6      Use Sendmail 8 mail filter  protocol  version  6  (default  with
4001              Sendmail version 8.14 and Postfix version 2.6).
4002
4003       Protocol extensions:
4004
4005       no_header_reply
4006              Specify this when the Milter application will not reply for each
4007              individual message header.
4008
4009       This feature is available in Postfix 2.3 and later.
4010

milter_rcpt_macros (default: see postconf -d output)

4012       The macros that are sent to Milter (mail filter) applications after the
4013       SMTP  RCPT  TO command. See MILTER_README for a list of available macro
4014       names and their meanings.
4015
4016       This feature is available in Postfix 2.3 and later.
4017

milter_unknown_command_macros (default: see postconf -d output)

4019       The macros that are sent to version 3 or higher  Milter  (mail  filter)
4020       applications  after  an  unknown SMTP command.  See MILTER_README for a
4021       list of available macro names and their meanings.
4022
4023       This feature is available in Postfix 2.3 and later.
4024

mime_boundary_length_limit (default: 2048)

4026       The maximal length of MIME multipart boundary strings. The MIME proces‐
4027       sor  is unable to distinguish between boundary strings that do not dif‐
4028       fer in the first $mime_boundary_length_limit characters.
4029
4030       This feature is available in Postfix 2.0 and later.
4031

mime_header_checks (default: $header_checks)

4033       Optional lookup tables for content inspection of MIME  related  message
4034       headers, as described in the header_checks(5) manual page.
4035
4036       This feature is available in Postfix 2.0 and later.
4037

mime_nesting_limit (default: 100)

4039       The maximal recursion level that the MIME processor will handle.  Post‐
4040       fix refuses mail that is nested deeper than the specified limit.
4041
4042       This feature is available in Postfix 2.0 and later.
4043

minimal_backoff_time (default: 300s)

4045       The minimal time between attempts to deliver a deferred message;  prior
4046       to Postfix 2.4 the default value was 1000s.
4047
4048       This  parameter also limits the time an unreachable destination is kept
4049       in the short-term, in-memory, destination status cache.
4050
4051       This parameter should be set greater than or equal to $queue_run_delay.
4052       See also $maximal_backoff_time.
4053
4054       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
4055       The default time unit is s (seconds).
4056

multi_instance_directories (default: empty)

4058       An optional list  of  non-default  Postfix  configuration  directories;
4059       these directories belong to additional Postfix instances that share the
4060       Postfix executable files and documentation  with  the  default  Postfix
4061       instance,  and  that  are  started,  stopped,  etc.,  together with the
4062       default Postfix instance.  Specify a list  of  pathnames  separated  by
4063       comma or whitespace.
4064
4065       When  $multi_instance_directories is empty, the postfix(1) command runs
4066       in single-instance mode and operates on a single Postfix instance only.
4067       Otherwise,  the  postfix(1)  command  runs  in  multi-instance mode and
4068       invokes    the    multi-instance    manager    specified    with    the
4069       multi_instance_wrapper  parameter.  The  multi-instance manager in turn
4070       executes postfix(1) commands for the default instance and for all Post‐
4071       fix instances in $multi_instance_directories.
4072
4073       Currently,  this  parameter  setting  is ignored except for the default
4074       main.cf file.
4075
4076       This feature is available in Postfix 2.6 and later.
4077

multi_instance_enable (default: no)

4079       Allow this  Postfix  instance  to  be  started,  stopped,  etc.,  by  a
4080       multi-instance  manager.   By  default,  new instances are created in a
4081       safe state that prevents them from being started  inadvertently.   This
4082       parameter is reserved for the multi-instance manager.
4083
4084       This feature is available in Postfix 2.6 and later.
4085

multi_instance_group (default: empty)

4087       The  optional  instance  group  name  of this Postfix instance. A group
4088       identifies closely-related Postfix instances  that  the  multi-instance
4089       manager  can  start, stop, etc., as a unit.  This parameter is reserved
4090       for the multi-instance manager.
4091
4092       This feature is available in Postfix 2.6 and later.
4093

multi_instance_name (default: empty)

4095       The optional instance name of this Postfix instance. This name  becomes
4096       also the default value for the syslog_name parameter.
4097
4098       This feature is available in Postfix 2.6 and later.
4099

multi_instance_wrapper (default: empty)

4101       The  pathname  of  a multi-instance manager command that the postfix(1)
4102       command invokes when the multi_instance_directories parameter value  is
4103       non-empty.  The  pathname  may be followed by initial command arguments
4104       separated by whitespace; shell metacharacters such as  quotes  are  not
4105       supported in this context.
4106
4107       The  postfix(1) command invokes the manager command with the postfix(1)
4108       non-option command arguments on the manager command line, and with  all
4109       installation configuration parameters exported into the manager command
4110       process environment. The manager command in turn invokes the postfix(1)
4111       command  for  individual Postfix instances as "postfix -c config_direc‐
4112       tory command".
4113
4114       This feature is available in Postfix 2.6 and later.
4115

multi_recipient_bounce_reject_code (default: 550)

4117       The numerical Postfix SMTP server response  code  when  a  remote  SMTP
4118       client request is blocked by the reject_multi_recipient_bounce restric‐
4119       tion.
4120
4121       Do not change this unless you have  a  complete  understanding  of  RFC
4122       5321.
4123
4124       This feature is available in Postfix 2.1 and later.
4125

mydestination (default: $myhostname, localhost.$mydomain, localhost)

4127       The  list  of  domains that are delivered via the $local_transport mail
4128       delivery transport. By default this is the  Postfix  local(8)  delivery
4129       agent  which  looks  up all recipients in /etc/passwd and /etc/aliases.
4130       The SMTP  server  validates  recipient  addresses  with  $local_recipi‐
4131       ent_maps and rejects non-existent recipients. See also the local domain
4132       class in the ADDRESS_CLASS_README file.
4133
4134       The default mydestination value specifies names for the  local  machine
4135       only.  On a mail domain gateway, you should also include $mydomain.
4136
4137       The   $local_transport  delivery  method  is  also  selected  for  mail
4138       addressed to user@[the.net.work.address] of the  mail  system  (the  IP
4139       addresses  specified  with  the  inet_interfaces  and  proxy_interfaces
4140       parameters).
4141
4142       Warnings:
4143
4144       ·      Do not specify the names of virtual domains - those domains  are
4145              specified elsewhere. See VIRTUAL_README for more information.
4146
4147       ·      Do  not specify the names of domains that this machine is backup
4148              MX host for. See STANDARD_CONFIGURATION_README for how to set up
4149              backup MX hosts.
4150
4151       ·      By  default, the Postfix SMTP server rejects mail for recipients
4152              not listed with the  local_recipient_maps  parameter.   See  the
4153              postconf(5) manual for a description of the local_recipient_maps
4154              and unknown_local_recipient_reject_code parameters.
4155
4156       Specify a list of host or domain names,  "/file/name"  or  "type:table"
4157       patterns, separated by commas and/or whitespace. A "/file/name" pattern
4158       is replaced by its contents; a "type:table"  lookup  table  is  matched
4159       when  a name matches a lookup key (the lookup result is ignored).  Con‐
4160       tinue long lines by starting the next line with whitespace.
4161
4162       Examples:
4163
4164       mydestination = $myhostname, localhost.$mydomain $mydomain
4165       mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
4166

mydomain (default: see postconf -d output)

4168       The internet domain name of this mail system.  The default  is  to  use
4169       $myhostname  minus  the  first component, or "localdomain" (Postfix 2.3
4170       and later).  $mydomain is used as a default value for many  other  con‐
4171       figuration parameters.
4172
4173       Example:
4174
4175       mydomain = domain.tld
4176

myhostname (default: see postconf -d output)

4178       The  internet  hostname  of this mail system. The default is to use the
4179       fully-qualified domain name (FQDN) from gethostname(), or  to  use  the
4180       non-FQDN  result  from gethostname() and append ".$mydomain".  $myhost‐
4181       name is used as a default value for many  other  configuration  parame‐
4182       ters.
4183
4184       Example:
4185
4186       myhostname = host.example.com
4187

mynetworks (default: see postconf -d output)

4189       The  list  of  "trusted"  remote SMTP clients that have more privileges
4190       than "strangers".
4191
4192       In particular, "trusted" SMTP clients are allowed to relay mail through
4193       Postfix.  See the smtpd_relay_restrictions parameter description in the
4194       postconf(5) manual.
4195
4196       You can specify the list of "trusted" network addresses by hand or  you
4197       can let Postfix do it for you (which is the default).  See the descrip‐
4198       tion of the mynetworks_style parameter for more information.
4199
4200       If you specify the mynetworks list by hand, Postfix ignores the  mynet‐
4201       works_style setting.
4202
4203       Specify  a list of network addresses or network/netmask patterns, sepa‐
4204       rated by commas and/or whitespace. Continue long lines by starting  the
4205       next line with whitespace.
4206
4207       The  netmask specifies the number of bits in the network part of a host
4208       address.  You can also specify "/file/name" or  "type:table"  patterns.
4209       A  "/file/name"  pattern  is  replaced  by its contents; a "type:table"
4210       lookup table is matched when a table entry matches a lookup string (the
4211       lookup result is ignored).
4212
4213       The  list  is  matched left to right, and the search stops on the first
4214       match.  Specify "!pattern" to exclude an address or network block  from
4215       the  list.  The form "!/file/name" is supported only in Postfix version
4216       2.4 and later.
4217
4218       Note 1: Pattern matching of  domain  names  is  controlled  by  the  or
4219       absence of "mynetworks" in the parent_domain_matches_subdomains parame‐
4220       ter value.
4221
4222       Note 2: IP version 6 address information must be specified inside [] in
4223       the  mynetworks  value,  and  in files specified with "/file/name".  IP
4224       version 6 addresses contain the ":" character, and would  otherwise  be
4225       confused with a "type:table" pattern.
4226
4227       Examples:
4228
4229       mynetworks = 127.0.0.0/8 168.100.189.0/28
4230       mynetworks = !192.168.0.1, 192.168.0.0/28
4231       mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
4232       mynetworks = $config_directory/mynetworks
4233       mynetworks = hash:/etc/postfix/network_table
4234

mynetworks_style (default: Postfix >= 3.0: host, Postfix < 3.0: subnet)

4236       The  method to generate the default value for the mynetworks parameter.
4237       This is the list of trusted networks for relay access control etc.
4238
4239       ·      Specify "mynetworks_style = host" when  Postfix  should  "trust"
4240              only the local machine.
4241
4242       ·      Specify  "mynetworks_style = subnet" when Postfix should "trust"
4243              remote SMTP clients in the same  IP  subnetworks  as  the  local
4244              machine.   On  Linux,  this works correctly only with interfaces
4245              specified with the "ifconfig" command.
4246
4247       ·      Specify "mynetworks_style = class" when Postfix  should  "trust"
4248              remote  SMTP  clients in the same IP class A/B/C networks as the
4249              local machine.  Caution: this may cause Postfix to "trust"  your
4250              entire  provider's network.  Instead, specify an explicit mynet‐
4251              works list by hand, as described with the mynetworks  configura‐
4252              tion parameter.
4253

myorigin (default: $myhostname)

4255       The domain name that locally-posted mail appears to come from, and that
4256       locally posted mail is delivered to. The default, $myhostname, is  ade‐
4257       quate for small sites.  If you run a domain with multiple machines, you
4258       should (1) change this to $mydomain and (2) set up a domain-wide  alias
4259       database that aliases each user to user@that.users.mailhost.
4260
4261       Example:
4262
4263       myorigin = $mydomain
4264

nested_header_checks (default: $header_checks)

4266       Optional lookup tables for content inspection of non-MIME message head‐
4267       ers in attached messages, as described in the  header_checks(5)  manual
4268       page.
4269
4270       This feature is available in Postfix 2.0 and later.
4271

newaliases_path (default: see postconf -d output)

4273       Sendmail  compatibility  feature  that  specifies  the  location of the
4274       newaliases(1) command. This command can be used to rebuild the local(8)
4275       aliases(5) database.
4276

non_fqdn_reject_code (default: 504)

4278       The  numerical  Postfix SMTP server reply code when a client request is
4279       rejected by the  reject_non_fqdn_helo_hostname,  reject_non_fqdn_sender
4280       or reject_non_fqdn_recipient restriction.
4281

non_smtpd_milters (default: empty)

4283       A  list of Milter (mail filter) applications for new mail that does not
4284       arrive via the Postfix smtpd(8) server. This includes local  submission
4285       via the sendmail(1) command line, new mail that arrives via the Postfix
4286       qmqpd(8) server, and old mail that is re-injected into the  queue  with
4287       "postsuper  -r".   Specify  space  or  comma as separator. See the MIL‐
4288       TER_README document for details.
4289
4290       This feature is available in Postfix 2.3 and later.
4291

notify_classes (default: resource, software)

4293       The list of error classes that are  reported  to  the  postmaster.  The
4294       default  is  to report only the most serious problems. The paranoid may
4295       wish to turn on the policy (UCE and mail relaying) and  protocol  error
4296       (broken mail software) reports.
4297
4298       NOTE:  postmaster  notifications  may  contain confidential information
4299       such as SASL passwords or message content.  It is the  system  adminis‐
4300       trator's responsibility to treat such information with care.
4301
4302       The error classes are:
4303
4304       bounce (also implies 2bounce)
4305              Send  the  postmaster copies of the headers of bounced mail, and
4306              send transcripts of SMTP sessions when Postfix rejects mail. The
4307              notification   is   sent  to  the  address  specified  with  the
4308              bounce_notice_recipient configuration parameter (default:  post‐
4309              master).
4310
4311       2bounce
4312              Send undeliverable bounced mail to the postmaster. The notifica‐
4313              tion   is   sent   to   the   address   specified    with    the
4314              2bounce_notice_recipient configuration parameter (default: post‐
4315              master).
4316
4317       data   Send the postmaster a transcript of the  SMTP  session  with  an
4318              error  because a critical data file was unavailable. The notifi‐
4319              cation   is   sent   to   the   address   specified   with   the
4320              error_notice_recipient  configuration  parameter (default: post‐
4321              master).
4322              This feature is available in Postfix 2.9 and later.
4323
4324       delay  Send the postmaster copies of the headers of delayed  mail  (see
4325              delay_warning_time).  The  notification  is  sent to the address
4326              specified with the delay_notice_recipient configuration  parame‐
4327              ter (default: postmaster).
4328
4329       policy Send  the  postmaster  a  transcript  of the SMTP session when a
4330              client request was rejected because of (UCE) policy. The notifi‐
4331              cation   is   sent   to   the   address   specified   with   the
4332              error_notice_recipient configuration parameter  (default:  post‐
4333              master).
4334
4335       protocol
4336              Send  the postmaster a transcript of the SMTP session in case of
4337              client or server protocol errors. The notification  is  sent  to
4338              the address specified with the error_notice_recipient configura‐
4339              tion parameter (default: postmaster).
4340
4341       resource
4342              Inform the postmaster of mail  not  delivered  due  to  resource
4343              problems.   The  notification  is  sent to the address specified
4344              with   the   error_notice_recipient   configuration    parameter
4345              (default: postmaster).
4346
4347       software
4348              Inform  the  postmaster  of  mail  not delivered due to software
4349              problems.  The notification is sent  to  the  address  specified
4350              with    the   error_notice_recipient   configuration   parameter
4351              (default: postmaster).
4352
4353       Examples:
4354
4355       notify_classes = bounce, delay, policy, protocol, resource, software
4356       notify_classes = 2bounce, resource, software
4357

nullmx_reject_code (default: 556)

4359       The numerical reply code when the Postfix SMTP server rejects a  sender
4360       or  recipient address because its domain has a nullmx DNS record (an MX
4361       record with an empty hostname). This is one  of  the  possible  replies
4362       from      the     restrictions     reject_unknown_sender_domain     and
4363       reject_unknown_recipient_domain.
4364
4365       This feature is available in Postfix 3.0 and later.
4366

openssl_path (default: openssl)

4368       The location of the OpenSSL command line program openssl(1).   This  is
4369       used  by  the "postfix tls" command to create private keys, certificate
4370       signing requests, self-signed certificates, and to compute  public  key
4371       digests  for  DANE  TLSA records.  In multi-instance environments, this
4372       parameter is always determined from the configuration  of  the  default
4373       Postfix instance.
4374
4375       Example:
4376
4377           /etc/postfix/main.cf:
4378               # NetBSD pkgsrc:
4379               openssl_path = /usr/pkg/bin/openssl
4380               # Local build:
4381               openssl_path = /usr/local/bin/openssl
4382
4383       This feature is available in Postfix 3.1 and later.
4384

owner_request_special (default: yes)

4386       Enable  special  treatment for owner-listname entries in the aliases(5)
4387       file, and  don't  split  owner-listname  and  listname-request  address
4388       localparts when the recipient_delimiter is set to "-".  This feature is
4389       useful for mailing lists.
4390

parent_domain_matches_subdomains (default: see postconf -d output)

4392       A list of Postfix features where the pattern "example.com" also matches
4393       subdomains  of  example.com,  instead  of requiring an explicit ".exam‐
4394       ple.com" pattern.  This is planned  backwards  compatibility:   eventu‐
4395       ally,  all  Postfix  features  are expected to require explicit ".exam‐
4396       ple.com" style patterns when you really want to match subdomains.
4397
4398       The following Postfix feature names are supported.
4399
4400       Postfix version 1.0 and later
4401              debug_peer_list,    fast_flush_domains,     mynetworks,     per‐
4402              mit_mx_backup_networks, relay_domains, transport_maps
4403
4404       Postfix version 1.1 and later
4405              qmqpd_authorized_clients, smtpd_access_maps,
4406
4407       Postfix version 2.8 and later
4408              postscreen_access_list
4409
4410       Postfix version 3.0 and later
4411              smtpd_client_event_limit_exceptions
4412

permit_mx_backup_networks (default: empty)

4414       Restrict  the  use  of the permit_mx_backup SMTP access feature to only
4415       domains whose primary MX hosts match the listed networks.  The  parame‐
4416       ter  value  syntax  is the same as with the mynetworks parameter; note,
4417       however, that the default value is empty.
4418
4419       Pattern matching of domain names  is  controlled  by  the  presence  or
4420       absence      of     "permit_mx_backup_networks"     in     the     par‐
4421       ent_domain_matches_subdomains parameter value.
4422

pickup_service_name (default: pickup)

4424       The name of the pickup(8) service. This service  picks  up  local  mail
4425       submissions from the Postfix maildrop queue.
4426
4427       This feature is available in Postfix 2.0 and later.
4428

pipe_delivery_status_filter (default: $default_delivery_status_filter)

4430       Optional  filter  for the pipe(8) delivery agent to change the delivery
4431       status code or explanatory text of successful or unsuccessful  deliver‐
4432       ies.  See default_delivery_status_filter for details.
4433
4434       This feature is available in Postfix 3.0 and later.
4435

plaintext_reject_code (default: 450)

4437       The  numerical  Postfix  SMTP  server  response  code when a request is
4438       rejected by the reject_plaintext_session restriction.
4439
4440       This feature is available in Postfix 2.3 and later.
4441

postmulti_control_commands (default: reload flush)

4443       The postfix(1) commands that the postmulti(1) instance  manager  treats
4444       as  "control"  commands,  that  operate on running instances. For these
4445       commands, disabled instances are skipped.
4446
4447       This feature is available in Postfix 2.6 and later.
4448

postmulti_start_commands (default: start)

4450       The postfix(1) commands that the postmulti(1) instance  manager  treats
4451       as  "start"  commands.  For  these  commands,  disabled  instances  are
4452       "checked" rather than  "started",  and  failure  to  "start"  a  member
4453       instance  of  an  instance  group  will  abort  the  start-up  of later
4454       instances.
4455
4456       This feature is available in Postfix 2.6 and later.
4457

postmulti_stop_commands (default: see postconf -d output)

4459       The postfix(1) commands that the postmulti(1) instance  manager  treats
4460       as "stop" commands. For these commands, disabled instances are skipped,
4461       and enabled instances are processed in reverse order.
4462
4463       This feature is available in Postfix 2.6 and later.
4464

postscreen_access_list (default: permit_mynetworks)

4466       Permanent  white/blacklist  for  remote  SMTP  client   IP   addresses.
4467       postscreen(8) searches this list immediately after a remote SMTP client
4468       connects.  Specify a comma- or whitespace-separated  list  of  commands
4469       (in  upper  or  lower case) or lookup tables. The search stops upon the
4470       first command that fires for the client IP address.
4471
4472        permit_mynetworks
4473              Whitelist the client and terminate the search if the  client  IP
4474              address  matches  $mynetworks.  Do not subject the client to any
4475              before/after 220 greeting tests.  Pass  the  connection  immedi‐
4476              ately to a Postfix SMTP server process.
4477              Pattern  matching  of domain names is controlled by the presence
4478              or   absence   of   "postscreen_access_list"   in    the    par‐
4479              ent_domain_matches_subdomains parameter value.
4480
4481        type:table
4482              Query the specified lookup table. Each table lookup result is an
4483              access list, except that access  lists  inside  a  table  cannot
4484              specify type:table entries.
4485              To  discourage  the use of hash, btree, etc. tables, there is no
4486              support for substring matching like smtpd(8).  Use  CIDR  tables
4487              instead.
4488
4489        permit
4490              Whitelist  the  client  and terminate the search. Do not subject
4491              the client to any before/after 220 greeting tests. Pass the con‐
4492              nection immediately to a Postfix SMTP server process.
4493
4494        reject
4495              Blacklist  the  client  and  terminate  the  search. Subject the
4496              client to  the  action  configured  with  the  postscreen_black‐
4497              list_action configuration parameter.
4498
4499        dunno All  postscreen(8)  access lists implicitly have this command at
4500              the end.
4501              When  dunno is executed inside a lookup table, return  from  the
4502              lookup table and evaluate the next command.
4503              When   dunno   is executed outside a lookup table, terminate the
4504              search, and subject the client to  the  configured  before/after
4505              220 greeting tests.
4506
4507       Example:
4508
4509       /etc/postfix/main.cf:
4510           postscreen_access_list = permit_mynetworks,
4511                       cidr:/etc/postfix/postscreen_access.cidr
4512           postscreen_blacklist_action = enforce
4513
4514       /etc/postfix/postscreen_access.cidr:
4515           # Rules are evaluated in the order as specified.
4516           # Blacklist 192.168.* except 192.168.0.1.
4517           192.168.0.1         dunno
4518           192.168.0.0/16      reject
4519
4520       This feature is available in Postfix 2.8.
4521

postscreen_bare_newline_action (default: ignore)

4523       The  action  that postscreen(8) takes when a remote SMTP client sends a
4524       bare newline character, that is, a newline  not  preceded  by  carriage
4525       return.  Specify one of the following:
4526
4527       ignore Ignore  the failure of this test. Allow other tests to complete.
4528              Do not repeat this test before some the result from  some  other
4529              test  expires.  This option is useful for testing and collecting
4530              statistics without blocking mail permanently.
4531
4532       enforce
4533              Allow other tests to complete. Reject attempts to  deliver  mail
4534              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
4535              mation.  Repeat this test the next time the client connects.
4536
4537       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
4538              this test the next time the client connects.
4539
4540       This feature is available in Postfix 2.8.
4541

postscreen_bare_newline_enable (default: no)

4543       Enable  "bare newline" SMTP protocol tests in the postscreen(8) server.
4544       These tests are expensive: a remote SMTP client must  disconnect  after
4545       it passes the test, before it can talk to a real Postfix SMTP server.
4546
4547       This feature is available in Postfix 2.8.
4548

postscreen_bare_newline_ttl (default: 30d)

4550       The  amount  of time that postscreen(8) will use the result from a suc‐
4551       cessful "bare newline" SMTP protocol test. During this time, the client
4552       IP  address  is  excluded from this test. The default is long because a
4553       remote SMTP client must disconnect after it passes the test, before  it
4554       can talk to a real Postfix SMTP server.
4555
4556       Specify  a  non-zero  time  value  (an  integral value plus an optional
4557       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4558       onds), m (minutes), h (hours), d (days), w (weeks).
4559
4560       This feature is available in Postfix 2.8.
4561

postscreen_blacklist_action (default: ignore)

4563       The action that postscreen(8) takes when a remote SMTP client is perma‐
4564       nently blacklisted with the postscreen_access_list parameter.   Specify
4565       one of the following:
4566
4567       ignore (default)
4568              Ignore  this result. Allow other tests to complete.  Repeat this
4569              test the next time the client connects.  This option  is  useful
4570              for testing and collecting statistics without blocking mail.
4571
4572       enforce
4573              Allow  other  tests to complete. Reject attempts to deliver mail
4574              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4575              mation.  Repeat this test the next time the client connects.
4576
4577       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4578              this test the next time the client connects.
4579
4580       This feature is available in Postfix 2.8.
4581

postscreen_cache_cleanup_interval (default: 12h)

4583       The amount of time between postscreen(8)  cache  cleanup  runs.   Cache
4584       cleanup  increases  the load on the cache database and should therefore
4585       not be run frequently. This feature requires that  the  cache  database
4586       supports  the "delete" and "sequence" operators.  Specify a zero inter‐
4587       val to disable cache cleanup.
4588
4589       After each cache cleanup run, the postscreen(8) daemon logs the  number
4590       of  entries  that were retained and dropped. A cleanup run is logged as
4591       "partial" when the daemon  terminates  early  after  "postfix  reload",
4592       "postfix stop", or no requests for $max_idle seconds.
4593
4594       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4595
4596       This feature is available in Postfix 2.8.
4597

postscreen_cache_map (default: btree:$data_directory/postscreen_cache)

4599       Persistent storage for the postscreen(8) server decisions.
4600
4601       To   share   a   postscreen(8)  cache  between  multiple  postscreen(8)
4602       instances,  use  "postscreen_cache_map  =   proxy:btree:/path/to/file".
4603       This  requires Postfix version 2.9 or later; earlier proxymap(8) imple‐
4604       mentations don't support cache cleanup. For an alternative approach see
4605       the memcache_table(5) manpage.
4606
4607       This feature is available in Postfix 2.8.
4608

postscreen_cache_retention_time (default: 7d)

4610       The  amount  of time that postscreen(8) will cache an expired temporary
4611       whitelist entry before it is removed. This prevents clients from  being
4612       logged  as "NEW" just because their cache entry expired an hour ago. It
4613       also prevents the cache from filling up with clients that  passed  some
4614       deep protocol test once and never came back.
4615
4616       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4617
4618       This feature is available in Postfix 2.8.
4619

postscreen_client_connection_count_limit (default: $smtpd_client_connec‐

4621       tion_count_limit)
4622       How many simultaneous connections any remote SMTP client is allowed  to
4623       have  with the postscreen(8) daemon. By default, this limit is the same
4624       as with the Postfix SMTP server. Note that the triage process can  take
4625       several  seconds,  with  the time spent in postscreen_greet_wait delay,
4626       and with the time spent talking to  the  postscreen(8)  built-in  dummy
4627       SMTP protocol engine.
4628
4629       This feature is available in Postfix 2.8.
4630

postscreen_command_count_limit (default: 20)

4632       The  limit  on  the  total  number  of  commands  per  SMTP session for
4633       postscreen(8)'s built-in SMTP protocol engine.  This SMTP engine defers
4634       or  rejects all attempts to deliver mail, therefore there is no need to
4635       enforce separate limits on the number of junk commands and  error  com‐
4636       mands.
4637
4638       This feature is available in Postfix 2.8.
4639

postscreen_command_filter (default: $smtpd_command_filter)

4641       A  mechanism  to  transform  commands  from  remote  SMTP clients.  See
4642       smtpd_command_filter for further details.
4643
4644       This feature is available in Postfix 2.8 and later.
4645

postscreen_command_time_limit (default: normal: 300s, overload: 10s)

4647       The time limit to read an  entire  command  line  with  postscreen(8)'s
4648       built-in SMTP protocol engine.
4649
4650       This feature is available in Postfix 2.8.
4651

postscreen_disable_vrfy_command (default: $disable_vrfy_command)

4653       Disable  the  SMTP  VRFY command in the postscreen(8) daemon.  See dis‐
4654       able_vrfy_command for details.
4655
4656       This feature is available in Postfix 2.8.
4657

postscreen_discard_ehlo_keyword_address_maps (default: $smtpd_dis‐

4659       card_ehlo_keyword_address_maps)
4660       Lookup  tables,  indexed  by  the remote SMTP client address, with case
4661       insensitive lists of EHLO keywords (pipelining, starttls,  auth,  etc.)
4662       that  the  postscreen(8) server will not send in the EHLO response to a
4663       remote SMTP client. See smtpd_discard_ehlo_keywords for  details.   The
4664       table is not searched by hostname for robustness reasons.
4665
4666       This feature is available in Postfix 2.8 and later.
4667

postscreen_discard_ehlo_keywords (default: $smtpd_discard_ehlo_keywords)

4669       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
4670       etc.) that the postscreen(8) server will not send in the EHLO  response
4671       to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
4672
4673       This feature is available in Postfix 2.8 and later.
4674

postscreen_dnsbl_action (default: ignore)

4676       The  action  that  postscreen(8) takes when a remote SMTP client's com‐
4677       bined DNSBL score is equal to or greater than a threshold  (as  defined
4678       with  the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
4679       ters).  Specify one of the following:
4680
4681       ignore (default)
4682              Ignore the failure of this test. Allow other tests to  complete.
4683              Repeat this test the next time the client connects.  This option
4684              is useful for testing and collecting statistics without blocking
4685              mail.
4686
4687       enforce
4688              Allow  other  tests to complete. Reject attempts to deliver mail
4689              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4690              mation.  Repeat this test the next time the client connects.
4691
4692       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4693              this test the next time the client connects.
4694
4695       This feature is available in Postfix 2.8.
4696

postscreen_dnsbl_max_ttl (default:

4698       ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
4699       The  maximum amount of time that postscreen(8) will use the result from
4700       a successful DNS-based reputation test before a client  IP  address  is
4701       required  to pass that test again. If the DNS reply specifies a shorter
4702       TTL value, that value will be used unless  it  would  be  smaller  than
4703       postscreen_dnsbl_min_ttl.
4704
4705       Specify  a  non-zero  time  value  (an  integral value plus an optional
4706       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4707       onds), m (minutes), h (hours), d (days), w (weeks).
4708
4709       This  feature is available in Postfix 3.1. The default setting is back‐
4710       wards-compatible with older Postfix versions.
4711

postscreen_dnsbl_min_ttl (default: 60s)

4713       The minimum amount of time that postscreen(8) will use the result  from
4714       a  successful  DNS-based  reputation test before a client IP address is
4715       required to pass that test again. If the DNS reply specifies  a  larger
4716       TTL  value,  that  value  will  be  used unless it would be larger than
4717       postscreen_dnsbl_max_ttl.
4718
4719       Specify a non-zero time value  (an  integral  value  plus  an  optional
4720       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4721       onds), m (minutes), h (hours), d (days), w (weeks).
4722
4723       This feature is available in Postfix 3.1.
4724

postscreen_dnsbl_reply_map (default: empty)

4726       A mapping from actual DNSBL domain name which includes a  secret  pass‐
4727       word,  to the DNSBL domain name that postscreen will reply with when it
4728       rejects mail.  When no mapping is found, the actual DNSBL  domain  will
4729       be used.
4730
4731       For maximal stability it is best to use a file that is read into memory
4732       such as pcre:, regexp: or texthash: (texthash:  is  similar  to  hash:,
4733       except  a)  there  is  no need to run postmap(1) before the file can be
4734       used, and b) texthash: does not detect changes after the file is read).
4735
4736       Example:
4737
4738       /etc/postfix/main.cf:
4739           postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
4740
4741       /etc/postfix/dnsbl_reply:
4742          secret.zen.spamhaus.org      zen.spamhaus.org
4743
4744       This feature is available in Postfix 2.8.
4745

postscreen_dnsbl_sites (default: empty)

4747       Optional list of DNS white/blacklist domains, filters and  weight  fac‐
4748       tors.  When  the  list  is  non-empty, the dnsblog(8) daemon will query
4749       these domains with  the  IP  addresses  of  remote  SMTP  clients,  and
4750       postscreen(8)  will  update  an  SMTP  client's  DNSBL  score with each
4751       non-error reply.
4752
4753       Caution: when postscreen rejects mail, it replies with the DNSBL domain
4754       name.  Use  the  postscreen_dnsbl_reply_map  feature to hide "password"
4755       information in DNSBL domain names.
4756
4757       When a client's score is equal to or greater than the threshold  speci‐
4758       fied  with  postscreen_dnsbl_threshold, postscreen(8) can drop the con‐
4759       nection with the remote SMTP client.
4760
4761       Specify a list of domain=filter*weight entries, separated by  comma  or
4762       whitespace.
4763
4764       ·      When  no  "=filter"  is  specified,  postscreen(8)  will use any
4765              non-error DNSBL reply.  Otherwise, postscreen(8) uses only DNSBL
4766              replies  that match the filter. The filter has the form d.d.d.d,
4767              where each d is a number, or a pattern inside []  that  contains
4768              one or more ";"-separated numbers or number..number ranges.
4769
4770       ·      When  no  "*weight"  is  specified, postscreen(8) increments the
4771              remote SMTP client's DNSBL score by 1.   Otherwise,  the  weight
4772              must be an integral number, and postscreen(8) adds the specified
4773              weight to the remote SMTP client's DNSBL score.  Specify a nega‐
4774              tive number for whitelisting.
4775
4776       ·      When  one  postscreen_dnsbl_sites  entry produces multiple DNSBL
4777              responses, postscreen(8) applies the weight at most once.
4778
4779       Examples:
4780
4781       To use example.com as a high-confidence blocklist, and  to  block  mail
4782       with example.net and example.org only when both agree:
4783
4784       postscreen_dnsbl_threshold = 2
4785       postscreen_dnsbl_sites = example.com*2, example.net, example.org
4786
4787       To filter only DNSBL replies containing 127.0.0.4:
4788
4789       postscreen_dnsbl_sites = example.com=127.0.0.4
4790
4791       This feature is available in Postfix 2.8.
4792

postscreen_dnsbl_threshold (default: 1)

4794       The  inclusive  lower bound for blocking a remote SMTP client, based on
4795       its combined DNSBL score as  defined  with  the  postscreen_dnsbl_sites
4796       parameter.
4797
4798       This feature is available in Postfix 2.8.
4799

postscreen_dnsbl_timeout (default: 10s)

4801       The  time  limit  for DNSBL or DNSWL lookups. This is separate from the
4802       timeouts  in  the  dnsblog(8)  daemon  which  are  defined  by   system
4803       resolver(3) routines.
4804
4805       This feature is available in Postfix 3.0.
4806

postscreen_dnsbl_ttl (default: 1h)

4808       The  amount  of time that postscreen(8) will use the result from a suc‐
4809       cessful DNS-based  reputation  test  before  a  client  IP  address  is
4810       required to pass that test again.
4811
4812       Specify  a  non-zero  time  value  (an  integral value plus an optional
4813       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4814       onds), m (minutes), h (hours), d (days), w (weeks).
4815
4816       This  feature  is  available  in  Postfix  2.8-3.0.  It was replaced by
4817       postscreen_dnsbl_max_ttl in Postfix 3.1.
4818

postscreen_dnsbl_whitelist_threshold (default: 0)

4820       Allow a remote SMTP client to skip "before" and  "after  220  greeting"
4821       protocol  tests,  based on its combined DNSBL score as defined with the
4822       postscreen_dnsbl_sites parameter.
4823
4824       Specify a negative value to enable this feature. When a  client  passes
4825       the  postscreen_dnsbl_whitelist_threshold  without  having failed other
4826       tests, all pending or disabled tests are flagged as  completed  with  a
4827       time-to-live  value  equal  to  postscreen_dnsbl_ttl.   When a test was
4828       already completed, its time-to-live value is updated  if  it  was  less
4829       than postscreen_dnsbl_ttl.
4830
4831       This feature is available in Postfix 2.11.
4832

postscreen_enforce_tls (default: $smtpd_enforce_tls)

4834       Mandatory  TLS:  announce  STARTTLS support to remote SMTP clients, and
4835       require     that     clients     use     TLS      encryption.       See
4836       smtpd_postscreen_enforce_tls for details.
4837
4838       This  feature  is  available in Postfix 2.8 and later.  Preferably, use
4839       postscreen_tls_security_level instead.
4840

postscreen_expansion_filter (default: see postconf -d output)

4842       List of  characters  that  are  permitted  in  postscreen_reject_footer
4843       attribute expansions.  See smtpd_expansion_filter for further details.
4844
4845       This feature is available in Postfix 2.8 and later.
4846

postscreen_forbidden_commands (default: $smtpd_forbidden_commands)

4848       List  of  commands that the postscreen(8) server considers in violation
4849       of the SMTP protocol.  See  smtpd_forbidden_commands  for  syntax,  and
4850       postscreen_non_smtp_command_action for possible actions.
4851
4852       This feature is available in Postfix 2.8.
4853

postscreen_greet_action (default: ignore)

4855       The  action  that  postscreen(8) takes when a remote SMTP client speaks
4856       before   its   turn   within    the    time    specified    with    the
4857       postscreen_greet_wait parameter.  Specify one of the following:
4858
4859       ignore (default)
4860              Ignore  the failure of this test. Allow other tests to complete.
4861              Repeat this test the next time the client connects.  This option
4862              is useful for testing and collecting statistics without blocking
4863              mail.
4864
4865       enforce
4866              Allow other tests to complete. Reject attempts to  deliver  mail
4867              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
4868              mation.  Repeat this test the next time the client connects.
4869
4870       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
4871              this test the next time the client connects.
4872
4873       In either case, postscreen(8) will not whitelist the remote SMTP client
4874       IP address.
4875
4876       This feature is available in Postfix 2.8.
4877

postscreen_greet_banner (default: $smtpd_banner)

4879       The  text  in  the  optional   "220-text..."   server   response   that
4880       postscreen(8)  sends  ahead  of  the  real  Postfix  SMTP server's "220
4881       text..." response, in an attempt to confuse bad SMTP  clients  so  that
4882       they  speak  before  their turn (pre-greet).  Specify an empty value to
4883       disable this feature.
4884
4885       This feature is available in Postfix 2.8.
4886

postscreen_greet_ttl (default: 1d)

4888       The amount of time that postscreen(8) will use the result from  a  suc‐
4889       cessful  PREGREET  test.  During  this  time,  the client IP address is
4890       excluded from this test. The default is  relatively  short,  because  a
4891       good client can immediately talk to a real Postfix SMTP server.
4892
4893       Specify  a  non-zero  time  value  (an  integral value plus an optional
4894       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4895       onds), m (minutes), h (hours), d (days), w (weeks).
4896
4897       This feature is available in Postfix 2.8.
4898

postscreen_greet_wait (default: normal: 6s, overload: 2s)

4900       The  amount  of time that postscreen(8) will wait for an SMTP client to
4901       send a command before its turn, and for DNS blocklist lookup results to
4902       arrive  (default:  up to 2 seconds under stress, up to 6 seconds other‐
4903       wise).
4904
4905       Specify a non-zero time value  (an  integral  value  plus  an  optional
4906       one-letter suffix that specifies the time unit).
4907
4908       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4909
4910       This feature is available in Postfix 2.8.
4911

postscreen_helo_required (default: $smtpd_helo_required)

4913       Require  that a remote SMTP client sends HELO or EHLO before commencing
4914       a MAIL transaction.
4915
4916       This feature is available in Postfix 2.8.
4917

postscreen_non_smtp_command_action (default: drop)

4919       The action that postscreen(8) takes when a  remote  SMTP  client  sends
4920       non-SMTP  commands  as specified with the postscreen_forbidden_commands
4921       parameter.  Specify one of the following:
4922
4923       ignore Ignore the failure of this test. Allow other tests to  complete.
4924              Do  not  repeat this test before some the result from some other
4925              test expires.  This option is useful for testing and  collecting
4926              statistics without blocking mail permanently.
4927
4928       enforce
4929              Allow  other  tests to complete. Reject attempts to deliver mail
4930              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4931              mation.  Repeat this test the next time the client connects.
4932
4933       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4934              this test the next time the client connects. This action is  the
4935              same  as with the Postfix SMTP server's smtpd_forbidden_commands
4936              feature.
4937
4938       This feature is available in Postfix 2.8.
4939

postscreen_non_smtp_command_enable (default: no)

4941       Enable "non-SMTP command" tests  in  the  postscreen(8)  server.  These
4942       tests are expensive: a client must disconnect after it passes the test,
4943       before it can talk to a real Postfix SMTP server.
4944
4945       This feature is available in Postfix 2.8.
4946

postscreen_non_smtp_command_ttl (default: 30d)

4948       The amount of time that postscreen(8) will use the result from  a  suc‐
4949       cessful  "non_smtp_command"  SMTP  protocol test. During this time, the
4950       client IP address is excluded from  this  test.  The  default  is  long
4951       because  a  client  must disconnect after it passes the test, before it
4952       can talk to a real Postfix SMTP server.
4953
4954       Specify a non-zero time value  (an  integral  value  plus  an  optional
4955       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4956       onds), m (minutes), h (hours), d (days), w (weeks).
4957
4958       This feature is available in Postfix 2.8.
4959

postscreen_pipelining_action (default: enforce)

4961       The action that postscreen(8) takes when a  remote  SMTP  client  sends
4962       multiple  commands  instead  of sending one command and waiting for the
4963       server to respond.  Specify one of the following:
4964
4965       ignore Ignore the failure of this test. Allow other tests to  complete.
4966              Do  not  repeat this test before some the result from some other
4967              test expires.  This option is useful for testing and  collecting
4968              statistics without blocking mail permanently.
4969
4970       enforce
4971              Allow  other  tests to complete. Reject attempts to deliver mail
4972              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4973              mation.  Repeat this test the next time the client connects.
4974
4975       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4976              this test the next time the client connects.
4977
4978       This feature is available in Postfix 2.8.
4979

postscreen_pipelining_enable (default: no)

4981       Enable "pipelining" SMTP protocol tests in  the  postscreen(8)  server.
4982       These  tests  are  expensive:  a  good  client must disconnect after it
4983       passes the test, before it can talk to a real Postfix SMTP server.
4984
4985       This feature is available in Postfix 2.8.
4986

postscreen_pipelining_ttl (default: 30d)

4988       The amount of time that postscreen(8) will use the result from  a  suc‐
4989       cessful  "pipelining"  SMTP protocol test. During this time, the client
4990       IP address is excluded from this test. The default is  long  because  a
4991       good  client  must  disconnect  after it passes the test, before it can
4992       talk to a real Postfix SMTP server.
4993
4994       Specify a non-zero time value  (an  integral  value  plus  an  optional
4995       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4996       onds), m (minutes), h (hours), d (days), w (weeks).
4997
4998       This feature is available in Postfix 2.8.
4999

postscreen_post_queue_limit (default: $default_process_limit)

5001       The number of clients that can be waiting for service from a real Post‐
5002       fix  SMTP  server  process.  When  this queue is full, all clients will
5003       receive a 421 response.
5004
5005       This feature is available in Postfix 2.8.
5006

postscreen_pre_queue_limit (default: $default_process_limit)

5008       The number of non-whitelisted clients that can be waiting for  a  deci‐
5009       sion  whether they will receive service from a real Postfix SMTP server
5010       process. When this queue is  full,  all  non-whitelisted  clients  will
5011       receive a 421 response.
5012
5013       This feature is available in Postfix 2.8.
5014
5016       Optional  information that is appended after a 4XX or 5XX postscreen(8)
5017       server response. See smtpd_reject_footer for further details.
5018
5019       This feature is available in Postfix 2.8 and later.
5020

postscreen_tls_security_level (default: $smtpd_tls_security_level)

5022       The SMTP TLS security  level  for  the  postscreen(8)  server;  when  a
5023       non-empty  value  is  specified, this overrides the obsolete parameters
5024       postscreen_use_tls  and  postscreen_enforce_tls.  See   smtpd_tls_secu‐
5025       rity_level for details.
5026
5027       This feature is available in Postfix 2.8 and later.
5028

postscreen_upstream_proxy_protocol (default: empty)

5030       The  name  of  the proxy protocol used by an optional before-postscreen
5031       proxy agent. When a proxy agent is used, this  protocol  conveys  local
5032       and     remote     address     and     port     information.    Specify
5033       "postscreen_upstream_proxy_protocol = haproxy" to  enable  the  haproxy
5034       protocol.
5035
5036       This feature is available in Postfix 2.10 and later.
5037

postscreen_upstream_proxy_timeout (default: 5s)

5039       The   time   limit   for   the   proxy   protocol  specified  with  the
5040       postscreen_upstream_proxy_protocol parameter.
5041
5042       This feature is available in Postfix 2.10 and later.
5043

postscreen_use_tls (default: $smtpd_use_tls)

5045       Opportunistic TLS: announce STARTTLS support to  remote  SMTP  clients,
5046       but do not require that clients use TLS encryption.
5047
5048       This  feature  is  available in Postfix 2.8 and later.  Preferably, use
5049       postscreen_tls_security_level instead.
5050

postscreen_watchdog_timeout (default: 10s)

5052       How much time a postscreen(8) process may take to respond to  a  remote
5053       SMTP client command or to perform a cache operation before it is termi‐
5054       nated by a built-in watchdog timer.  This is a  safety  mechanism  that
5055       prevents  postscreen(8)  from  becoming  non-responsive due to a bug in
5056       Postfix itself or in system software.  To avoid false alarms and unnec‐
5057       essary cache corruption this limit cannot be set under 10s.
5058
5059       Specify  a  non-zero  time  value  (an  integral value plus an optional
5060       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5061       onds), m (minutes), h (hours), d (days), w (weeks).
5062
5063       This feature is available in Postfix 2.8.
5064

postscreen_whitelist_interfaces (default: static:all)

5066       A   list   of   local   postscreen(8)   server  IP  addresses  where  a
5067       non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
5068       whitelist status. This status is required before the client can talk to
5069       a Postfix SMTP  server  process.   By  default,  a  client  can  obtain
5070       postscreen(8)'s  whitelist  status on any local postscreen(8) server IP
5071       address.
5072
5073       When postscreen(8) listens on both primary and backup MX addresses, the
5074       postscreen_whitelist_interfaces parameter can be configured to give the
5075       temporary whitelist status only when a client connects to a primary  MX
5076       address.  Once  a  client  is whitelisted it can talk to a Postfix SMTP
5077       server on any address. Thus, clients that connect  only  to  backup  MX
5078       addresses  will  never become whitelisted, and will never be allowed to
5079       talk to a Postfix SMTP server process.
5080
5081       Specify a list of network addresses or network/netmask patterns,  sepa‐
5082       rated  by commas and/or whitespace. The netmask specifies the number of
5083       bits in the network part of a host  address.  Continue  long  lines  by
5084       starting the next line with whitespace.
5085
5086       You   can  also  specify  "/file/name"  or  "type:table"  patterns.   A
5087       "/file/name" pattern is replaced by its contents; a "type:table" lookup
5088       table is matched when a table entry matches a lookup string (the lookup
5089       result is ignored).
5090
5091       The list is matched left to right, and the search stops  on  the  first
5092       match.  Specify  "!pattern" to exclude an address or network block from
5093       the list.
5094
5095       Note: IP version 6 address information must be specified inside  []  in
5096       the  postscreen_whitelist_interfaces value, and in files specified with
5097       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
5098       would otherwise be confused with a "type:table" pattern.
5099
5100       Example:
5101
5102       /etc/postfix/main.cf:
5103           # Don't whitelist connections to the backup IP address.
5104           postscreen_whitelist_interfaces = !168.100.189.8, static:all
5105
5106       This feature is available in Postfix 2.9 and later.
5107

prepend_delivered_header (default: command, file, forward)

5109       The message delivery contexts where the Postfix local(8) delivery agent
5110       prepends a Delivered-To:  message header with the address that the mail
5111       was  delivered  to.  This  information  is  used for mail delivery loop
5112       detection.
5113
5114       By default, the Postfix local delivery agent prepends  a  Delivered-To:
5115       header  when  forwarding mail and when delivering to file (mailbox) and
5116       command. Turning off the Delivered-To: header when forwarding  mail  is
5117       not recommended.
5118
5119       Specify zero or more of forward, file, or command.
5120
5121       Example:
5122
5123       prepend_delivered_header = forward
5124

process_id (read-only)

5126       The process ID of a Postfix command or daemon process.
5127

process_id_directory (default: pid)

5129       The  location  of Postfix PID files relative to $queue_directory.  This
5130       is a read-only parameter.
5131

process_name (read-only)

5133       The process name of a Postfix command or daemon process.
5134

propagate_unmatched_extensions (default: canonical, virtual)

5136       What address lookup tables copy an address extension  from  the  lookup
5137       key to the lookup result.
5138
5139       For   example,   with  a  virtual(5)  mapping  of  "joe@example.com  =>
5140       joe.user@example.net", the address "joe+foo@example.com" would  rewrite
5141       to "joe.user+foo@example.net".
5142
5143       Specify  zero or more of canonical, virtual, alias, forward, include or
5144       generic. These cause address extension propagation  with  canonical(5),
5145       virtual(5),  and  aliases(5) maps, with local(8) .forward and :include:
5146       file lookups, and with smtp(8) generic maps, respectively.
5147
5148       Note: enabling this feature for types other than canonical and  virtual
5149       is  likely  to  cause  problems  when mail is forwarded to other sites,
5150       especially with mail that is sent to a mailing list exploder address.
5151
5152       Examples:
5153
5154       propagate_unmatched_extensions = canonical, virtual, alias,
5155               forward, include
5156       propagate_unmatched_extensions = canonical, virtual
5157

proxy_interfaces (default: empty)

5159       The network interface addresses that this mail system receives mail  on
5160       by way of a proxy or network address translation unit.
5161
5162       This feature is available in Postfix 2.0 and later.
5163
5164       You must specify your "outside" proxy/NAT addresses when your system is
5165       a backup MX host for other domains, otherwise mail delivery loops  will
5166       happen when the primary MX host is down.
5167
5168       Example:
5169
5170       proxy_interfaces = 1.2.3.4
5171

proxy_read_maps (default: see postconf -d output)

5173       The  lookup tables that the proxymap(8) server is allowed to access for
5174       the read-only service.
5175
5176       Specify zero or more "type:name" lookup tables, separated by whitespace
5177       or comma.  Table references that don't begin with proxy: are ignored.
5178
5179       This feature is available in Postfix 2.0 and later.
5180

proxy_write_maps (default: see postconf -d output)

5182       The  lookup tables that the proxymap(8) server is allowed to access for
5183       the read-write service. Postfix-owned local database  files  should  be
5184       stored  under  the Postfix-owned data_directory.  Table references that
5185       don't begin with proxy: are ignored.
5186
5187       This feature is available in Postfix 2.5 and later.
5188

proxymap_service_name (default: proxymap)

5190       The name of the proxymap read-only table lookup service.  This  service
5191       is normally implemented by the proxymap(8) daemon.
5192
5193       This feature is available in Postfix 2.6 and later.
5194

proxywrite_service_name (default: proxywrite)

5196       The  name of the proxywrite read-write table lookup service.  This ser‐
5197       vice is normally implemented by the proxymap(8) daemon.
5198
5199       This feature is available in Postfix 2.6 and later.
5200

qmgr_clog_warn_time (default: 300s)

5202       The minimal delay between warnings that a specific destination is clog‐
5203       ging up the Postfix active queue. Specify 0 to disable.
5204
5205       This feature is enabled with the helpful_warnings parameter.
5206
5207       This feature is available in Postfix 2.0 and later.
5208

qmgr_daemon_timeout (default: 1000s)

5210       How  much  time  a  Postfix  queue manager process may take to handle a
5211       request before it is terminated by a built-in watchdog timer.
5212
5213       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5214       The default time unit is s (seconds).
5215
5216       This feature is available in Postfix 2.8 and later.
5217

qmgr_fudge_factor (default: 100)

5219       Obsolete feature: the percentage of delivery resources that a busy mail
5220       system will use up for delivery of a large mailing  list message.
5221
5222       This feature exists only in the oqmgr(8) old queue manager. The current
5223       queue manager solves the problem in a better way.
5224

qmgr_ipc_timeout (default: 60s)

5226       The  time  limit  for  the queue manager to send or receive information
5227       over an internal communication channel.  The purpose is to break out of
5228       deadlock  situations. If the time limit is exceeded the software either
5229       retries or aborts the operation.
5230
5231       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5232       The default time unit is s (seconds).
5233
5234       This feature is available in Postfix 2.8 and later.
5235

qmgr_message_active_limit (default: 20000)

5237       The maximal number of messages in the active queue.
5238

qmgr_message_recipient_limit (default: 20000)

5240       The  maximal  number  of recipients held in memory by the Postfix queue
5241       manager, and the maximal size of the short-term, in-memory "dead"  des‐
5242       tination status cache.
5243

qmgr_message_recipient_minimum (default: 10)

5245       The  minimal number of in-memory recipients for any message. This takes
5246       priority over any other in-memory recipient limits  (i.e.,  the  global
5247       qmgr_message_recipient_limit and the per transport _recipient_limit) if
5248       necessary. The minimum value allowed for this parameter is 1.
5249

qmqpd_authorized_clients (default: empty)

5251       What remote QMQP clients are allowed to connect  to  the  Postfix  QMQP
5252       server port.
5253
5254       By  default,  no  client is allowed to use the service. This is because
5255       the QMQP server will relay mail to any destination.
5256
5257       Specify a list of client patterns. A  list  pattern  specifies  a  host
5258       name,  a  domain  name, an internet address, or a network/mask pattern,
5259       where the mask specifies the number of bits in the network part.   When
5260       a  pattern  specifies a file name, its contents are substituted for the
5261       file name; when a pattern is a "type:table" table specification,  table
5262       lookup is used instead.
5263
5264       Patterns are separated by whitespace and/or commas. In order to reverse
5265       the result, precede a pattern with an exclamation point (!).  The  form
5266       "!/file/name" is supported only in Postfix version 2.4 and later.
5267
5268       Pattern  matching  of  domain  names  is  controlled by the presence or
5269       absence of "qmqpd_authorized_clients" in the parent_domain_matches_sub‐
5270       domains parameter value.
5271
5272       Example:
5273
5274       qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
5275

qmqpd_client_port_logging (default: no)

5277       Enable  logging of the remote QMQP client port in addition to the host‐
5278       name and IP address. The logging format is "host[address]:port".
5279
5280       This feature is available in Postfix 2.5 and later.
5281

qmqpd_error_delay (default: 1s)

5283       How long the Postfix QMQP server will pause before sending  a  negative
5284       reply  to  the remote QMQP client. The purpose is to slow down confused
5285       or malicious clients.
5286
5287       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5288       The default time unit is s (seconds).
5289

qmqpd_timeout (default: 300s)

5291       The  time  limit for sending or receiving information over the network.
5292       If a read or write operation blocks for more than  $qmqpd_timeout  sec‐
5293       onds the Postfix QMQP server gives up and disconnects.
5294
5295       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
5296       The default time unit is s (seconds).
5297

queue_directory (default: see postconf -d output)

5299       The location of the Postfix top-level queue directory. This is the root
5300       directory of Postfix daemon processes that run chrooted.
5301

queue_file_attribute_count_limit (default: 100)

5303       The  maximal  number of (name=value) attributes that may be stored in a
5304       Postfix queue file. The limit is enforced by the cleanup(8) server.
5305
5306       This feature is available in Postfix 2.0 and later.
5307

queue_minfree (default: 0)

5309       The minimal amount of free space in bytes in the queue file system that
5310       is  needed to receive mail.  This is currently used by the Postfix SMTP
5311       server to decide if it will accept any mail at all.
5312
5313       By default, the Postfix SMTP server rejects MAIL FROM commands when the
5314       amount of free space is less than 1.5*$message_size_limit (Postfix ver‐
5315       sion 2.1 and later).  To specify a higher  minimum  free  space  limit,
5316       specify a queue_minfree value that is at least 1.5*$message_size_limit.
5317
5318       With  Postfix  versions  2.0 and earlier, a queue_minfree value of zero
5319       means there is no minimum required amount of free space.
5320

queue_run_delay (default: 300s)

5322       The time between deferred queue scans by the queue  manager;  prior  to
5323       Postfix 2.4 the default value was 1000s.
5324
5325       This  parameter  should  be  set  less  than or equal to $minimal_back‐
5326       off_time. See also $maximal_backoff_time.
5327
5328       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5329       The default time unit is s (seconds).
5330

queue_service_name (default: qmgr)

5332       The name of the qmgr(8) service. This service manages the Postfix queue
5333       and schedules delivery requests.
5334
5335       This feature is available in Postfix 2.0 and later.
5336

rbl_reply_maps (default: empty)

5338       Optional lookup tables with RBL  response  templates.  The  tables  are
5339       indexed  by  the  RBL domain name. By default, Postfix uses the default
5340       template as specified with the default_rbl_reply configuration  parame‐
5341       ter. See there for a discussion of the syntax of RBL reply templates.
5342
5343       This feature is available in Postfix 2.0 and later.
5344

readme_directory (default: see postconf -d output)

5346       The  location  of Postfix README files that describe how to build, con‐
5347       figure or operate a specific Postfix subsystem or feature.
5348

receive_override_options (default: empty)

5350       Enable or disable recipient validation, built-in content filtering,  or
5351       address  mapping.  Typically,  these are specified in master.cf as com‐
5352       mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
5353
5354       Specify zero or more of the following options.   The  options  override
5355       main.cf  settings  and are either implemented by smtpd(8), qmqpd(8), or
5356       pickup(8) themselves, or they are forwarded to the cleanup server.
5357
5358       no_unknown_recipient_checks
5359              Do not try to reject  unknown  recipients  (SMTP  server  only).
5360              This is typically specified AFTER an external content filter.
5361
5362       no_address_mappings
5363              Disable  canonical address mapping, virtual alias map expansion,
5364              address masquerading,  and  automatic  BCC  (blind  carbon-copy)
5365              recipients.  This is typically specified BEFORE an external con‐
5366              tent filter.
5367
5368       no_header_body_checks
5369              Disable header/body_checks. This is typically specified AFTER an
5370              external content filter.
5371
5372       no_milters
5373              Disable  Milter  (mail  filter)  applications. This is typically
5374              specified AFTER an external content filter.
5375
5376       Note: when the "BEFORE content filter" receive_override_options setting
5377       is  specified  in  the main.cf file, specify the "AFTER content filter"
5378       receive_override_options setting in master.cf (and vice versa).
5379
5380       Examples:
5381
5382       receive_override_options =
5383           no_unknown_recipient_checks, no_header_body_checks
5384       receive_override_options = no_address_mappings
5385
5386       This feature is available in Postfix 2.1 and later.
5387

recipient_bcc_maps (default: empty)

5389       Optional BCC (blind carbon-copy)  address  lookup  tables,  indexed  by
5390       recipient  address.   The  BCC  address  (multiple results are not sup‐
5391       ported) is added when mail enters from outside of Postfix.
5392
5393       Specify zero or more "type:name" lookup tables, separated by whitespace
5394       or  comma. Tables will be searched in the specified order until a match
5395       is found.
5396
5397       The table search order is as follows:
5398
5399       ·      Look up the "user+extension@domain.tld"  address  including  the
5400              optional address extension.
5401
5402       ·      Look  up  the  "user@domain.tld"  address  without  the optional
5403              address extension.
5404
5405       ·      Look up the "user+extension" address local part when the recipi‐
5406              ent domain equals $myorigin, $mydestination, $inet_interfaces or
5407              $proxy_interfaces.
5408
5409       ·      Look up the "user" address local part when the recipient  domain
5410              equals    $myorigin,    $mydestination,    $inet_interfaces   or
5411              $proxy_interfaces.
5412
5413       ·      Look up the "@domain.tld" part.
5414
5415       Note: with Postfix 2.3 and later the BCC address is added as if it  was
5416       specified  with  NOTIFY=NONE.  The sender will not be notified when the
5417       BCC address is undeliverable,  as  long  as  all  down-stream  software
5418       implements RFC 3461.
5419
5420       Note:  with  Postfix 2.2 and earlier the sender will unconditionally be
5421       notified when the BCC address is undeliverable.
5422
5423       Note: automatic BCC recipients are produced  only  for  new  mail.   To
5424       avoid  mailer  loops,  automatic BCC recipients are not generated after
5425       Postfix forwards mail  internally,  or  after  Postfix  generates  mail
5426       itself.
5427
5428       Example:
5429
5430       recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
5431
5432       After a change, run "postmap /etc/postfix/recipient_bcc".
5433
5434       This feature is available in Postfix 2.1 and later.
5435

recipient_canonical_classes (default: envelope_recipient, header_recipient)

5437       What addresses are subject to recipient_canonical_maps address mapping.
5438       By default, recipient_canonical_maps  address  mapping  is  applied  to
5439       envelope recipient addresses, and to header recipient addresses.
5440
5441       Specify one or more of: envelope_recipient, header_recipient
5442
5443       This feature is available in Postfix 2.2 and later.
5444

recipient_canonical_maps (default: empty)

5446       Optional  address mapping lookup tables for envelope and header recipi‐
5447       ent addresses.  The table format and lookups are documented in  canoni‐
5448       cal(5).
5449
5450       Note: $recipient_canonical_maps is processed before $canonical_maps.
5451
5452       Example:
5453
5454       recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
5455

recipient_delimiter (default: empty)

5457       The  set of characters that can separate a user name from its extension
5458       (example: user+foo), or a .forward file name from its extension  (exam‐
5459       ple:  .forward+foo).   Basically, the software tries user+foo and .for‐
5460       ward+foo before trying user and .forward.  This  implementation  recog‐
5461       nizes  one  delimiter  character and one extension per email address or
5462       .forward file name.
5463
5464       When the recipient_delimiter set contains multiple characters  (Postfix
5465       2.11  and  later),  a user name or .forward file name is separated from
5466       its extension by the first character that matches the  recipient_delim‐
5467       iter set.
5468
5469       See canonical(5), local(8), relocated(5) and virtual(5) for the effects
5470       of recipient_delimiter on lookups in aliases, canonical,  virtual,  and
5471       relocated  maps,  and  see the propagate_unmatched_extensions parameter
5472       for propagating an extension from one email address to another.
5473
5474       When used in command_execution_directory, forward_path, or luser_relay,
5475       ${recipient_delimiter}  is replaced with the actual recipient delimiter
5476       that was found in the recipient email address (Postfix 2.11 and later),
5477       or  it is replaced with the main.cf recipient_delimiter parameter value
5478       (Postfix 2.10 and earlier).
5479
5480       The recipient_delimiter is not applied to  the  mailer-daemon  address,
5481       the  postmaster address, or the double-bounce address. With the default
5482       "owner_request_special = yes" setting, the recipient_delimiter is  also
5483       not  applied  to addresses with the special "owner-" prefix or the spe‐
5484       cial "-request" suffix.
5485
5486       Examples:
5487
5488       # Handle Postfix-style extensions.
5489       recipient_delimiter = +
5490
5491       # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
5492       recipient_delimiter = +-
5493
5494       # Use .forward for mail without address extension, and for mail with
5495       # an unrecognized address extension.
5496       forward_path = $home/.forward${recipient_delimiter}${extension},
5497           $home/.forward
5498

reject_code (default: 554)

5500       The numerical Postfix SMTP server response  code  when  a  remote  SMTP
5501       client request is rejected by the "reject" restriction.
5502
5503       Do  not  change  this  unless  you have a complete understanding of RFC
5504       5321.
5505

reject_tempfail_action (default: defer_if_permit)

5507       The Postfix SMTP server's action when a reject-type  restriction  fails
5508       due to a temporary error condition. Specify "defer" to defer the remote
5509       SMTP client request immediately.  With  the  default  "defer_if_permit"
5510       action,  the Postfix SMTP server continues to look for opportunities to
5511       reject mail, and defers the client request only if it  would  otherwise
5512       be accepted.
5513
5514       For  finer  control, see: unverified_recipient_tempfail_action, unveri‐
5515       fied_sender_tempfail_action,    unknown_address_tempfail_action,    and
5516       unknown_helo_hostname_tempfail_action.
5517
5518       This feature is available in Postfix 2.6 and later.
5519

relay_clientcerts (default: empty)

5521       List of tables with remote SMTP client-certificate fingerprints or pub‐
5522       lic key fingerprints (Postfix 2.9 and later) for which the Postfix SMTP
5523       server  will allow access with the permit_tls_clientcerts feature.  The
5524       fingerprint digest algorithm is configurable via the  smtpd_tls_finger‐
5525       print_digest  parameter  (hard-coded  as  md5  prior to Postfix version
5526       2.5).
5527
5528       Postfix lookup tables are in the form of (key, value) pairs.  Since  we
5529       only  need  the  key, the value can be chosen freely, e.g.  the name of
5530       the  user  or   host:   D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80
5531       lutzpc.at.home
5532
5533       Example:
5534
5535       relay_clientcerts = hash:/etc/postfix/relay_clientcerts
5536
5537       For  more  fine-grained  control,  use  check_ccert_access to select an
5538       appropriate  access(5)  policy   for   each   client.    See   RESTRIC‐
5539       TION_CLASS_README.
5540
5541       Note:  Postfix  2.9.0-2.9.5  computed the public key fingerprint incor‐
5542       rectly. To use public-key fingerprints, upgrade  to  Postfix  2.9.6  or
5543       later.
5544
5545       This feature is available with Postfix version 2.2.
5546

relay_destination_concurrency_limit (default: $default_destination_concur‐

5548       rency_limit)
5549       The maximal number of parallel deliveries to the same  destination  via
5550       the  relay  message  delivery  transport. This limit is enforced by the
5551       queue manager. The message delivery transport name is the  first  field
5552       in the entry in the master.cf file.
5553
5554       This feature is available in Postfix 2.0 and later.
5555

relay_destination_recipient_limit (default: $default_destination_recipi‐

5557       ent_limit)
5558       The maximal number of recipients per  message  for  the  relay  message
5559       delivery  transport.  This  limit is enforced by the queue manager. The
5560       message delivery transport name is the first field in the entry in  the
5561       master.cf file.
5562
5563       Setting  this  parameter  to  a  value  of  1  changes  the  meaning of
5564       relay_destination_concurrency_limit from concurrency  per  domain  into
5565       concurrency per recipient.
5566
5567       This feature is available in Postfix 2.0 and later.
5568

relay_domains (default: Postfix >= 3.0: empty, Postfix < 3.0: $mydestination)

5570       What  destination  domains  (and  subdomains  thereof) this system will
5571       relay mail to. For details about how the relay_domains value  is  used,
5572       see    the    description    of    the    permit_auth_destination   and
5573       reject_unauth_destination SMTP recipient restrictions.
5574
5575       Domains that match $relay_domains are delivered with the  $relay_trans‐
5576       port  mail  delivery  transport.  The  SMTP  server validates recipient
5577       addresses with $relay_recipient_maps and rejects  non-existent  recipi‐
5578       ents.   See   also   the   relay   domains   address   class   in   the
5579       ADDRESS_CLASS_README file.
5580
5581       Note: Postfix will not automatically forward mail for domains that list
5582       this  system  as  their  primary  or  backup  MX  host.  See  the  per‐
5583       mit_mx_backup restriction in the postconf(5) manual page.
5584
5585       Specify a list of  host  or  domain  names,  "/file/name"  patterns  or
5586       "type:table"  lookup  tables,  separated  by  commas and/or whitespace.
5587       Continue long lines by  starting  the  next  line  with  whitespace.  A
5588       "/file/name" pattern is replaced by its contents; a "type:table" lookup
5589       table is matched when a (parent) domain appears as lookup key.  Specify
5590       "!pattern" to exclude a domain from the list. The form "!/file/name" is
5591       supported only in Postfix version 2.4 and later.
5592
5593       Pattern matching of domain names  is  controlled  by  the  presence  or
5594       absence  of  "relay_domains"  in  the  parent_domain_matches_subdomains
5595       parameter value.
5596

relay_domains_reject_code (default: 554)

5598       The numerical Postfix SMTP server response code when a  client  request
5599       is rejected by the reject_unauth_destination recipient restriction.
5600
5601       Do  not  change  this  unless  you have a complete understanding of RFC
5602       5321.
5603

relay_recipient_maps (default: empty)

5605       Optional lookup tables with all valid addresses  in  the  domains  that
5606       match  $relay_domains.  Specify @domain as a wild-card for domains that
5607       have no valid recipient list, and become a source of backscatter  mail:
5608       Postfix  accepts spam for non-existent recipients and then floods inno‐
5609       cent people with undeliverable mail.  Technically, tables  listed  with
5610       $relay_recipient_maps  are used as lists: Postfix needs to know only if
5611       a lookup string is found or not, but it does not use  the  result  from
5612       table lookup.
5613
5614       Specify zero or more "type:name" lookup tables, separated by whitespace
5615       or comma. Tables will be searched in the specified order until a  match
5616       is found.
5617
5618       If  this  parameter  is  non-empty,  then  the Postfix SMTP server will
5619       reject mail to unknown relay users. This feature is off by default.
5620
5621       See also the relay domains address class  in  the  ADDRESS_CLASS_README
5622       file.
5623
5624       Example:
5625
5626       relay_recipient_maps = hash:/etc/postfix/relay_recipients
5627
5628       This feature is available in Postfix 2.0 and later.
5629

relay_transport (default: relay)

5631       The default mail delivery transport and next-hop destination for remote
5632       delivery to domains listed with $relay_domains. In order of  decreasing
5633       precedence,  the  nexthop  destination  is taken from $relay_transport,
5634       $sender_dependent_relayhost_maps, $relayhost,  or  from  the  recipient
5635       domain. This information can be overruled with the transport(5) table.
5636
5637       Specify  a string of the form transport:nexthop, where transport is the
5638       name of a mail delivery transport defined in master.cf.   The  :nexthop
5639       destination is optional; its syntax is documented in the manual page of
5640       the corresponding delivery agent.
5641
5642       See also the relay domains address class  in  the  ADDRESS_CLASS_README
5643       file.
5644
5645       This feature is available in Postfix 2.0 and later.
5646

relayhost (default: empty)

5648       The next-hop destination of non-local mail; overrides non-local domains
5649       in recipient addresses. This information is overruled with relay_trans‐
5650       port,    sender_dependent_default_transport_maps,    default_transport,
5651       sender_dependent_relayhost_maps and with the transport(5) table.
5652
5653       On an intranet, specify the organizational domain name. If your  inter‐
5654       nal  DNS  uses  no MX records, specify the name of the intranet gateway
5655       host instead.
5656
5657       In the case of SMTP, specify a domain  name,  hostname,  hostname:port,
5658       [hostname]:port,  [hostaddress]  or [hostaddress]:port. The form [host‐
5659       name] turns off MX lookups.
5660
5661       If you're connected via UUCP,  see  the  UUCP_README  file  for  useful
5662       information.
5663
5664       Examples:
5665
5666       relayhost = $mydomain
5667       relayhost = [gateway.example.com]
5668       relayhost = uucphost
5669       relayhost = [an.ip.add.ress]
5670

relocated_maps (default: empty)

5672       Optional  lookup  tables  with  new  contact  information  for users or
5673       domains that no longer exist.  The table format and lookups  are  docu‐
5674       mented in relocated(5).
5675
5676       Specify zero or more "type:name" lookup tables, separated by whitespace
5677       or comma. Tables will be searched in the specified order until a  match
5678       is found.
5679
5680       If  you use this feature, run "postmap /etc/postfix/relocated" to build
5681       the necessary DBM or DB file after change,  then  "postfix  reload"  to
5682       make the changes visible.
5683
5684       Examples:
5685
5686       relocated_maps = dbm:/etc/postfix/relocated
5687       relocated_maps = hash:/etc/postfix/relocated
5688

remote_header_rewrite_domain (default: empty)

5690       Don't  rewrite  message  headers  from  remote clients at all when this
5691       parameter is empty; otherwise, rewrite message headers and  append  the
5692       specified  domain  name  to incomplete addresses.  The local_header_re‐
5693       write_clients parameter controls what clients Postfix considers local.
5694
5695       Examples:
5696
5697       The  safe  setting:  append  "domain.invalid"  to   incomplete   header
5698       addresses  from  remote SMTP clients, so that those addresses cannot be
5699       confused with local addresses.
5700
5701           remote_header_rewrite_domain = domain.invalid
5702
5703       The default, purist, setting: don't rewrite headers from remote clients
5704       at all.
5705
5706           remote_header_rewrite_domain =
5707

require_home_directory (default: no)

5709       Require  that  a local(8) recipient's home directory exists before mail
5710       delivery is attempted. By default this test is  disabled.   It  can  be
5711       useful for environments that import home directories to the mail server
5712       (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
5713

reset_owner_alias (default: no)

5715       Reset the local(8) delivery agent's idea of the owner-alias  attribute,
5716       when  delivering mail to a child alias that does not have its own owner
5717       alias.
5718
5719       This feature is available in Postfix 2.8 and later. With older  Postfix
5720       releases, the behavior is as if this parameter is set to "yes".
5721
5722       As  documented  in aliases(5), when an alias name has a companion alias
5723       named owner-name, this will replace the  envelope  sender  address,  so
5724       that delivery errors will be reported to the owner alias instead of the
5725       sender. This configuration is recommended for mailing lists.
5726
5727       A less known property of the owner alias is that  it  also  forces  the
5728       local(8)  delivery agent to write local and remote addresses from alias
5729       expansion to a new queue file, instead of attempting to deliver mail to
5730       local addresses as soon as they come out of alias expansion.
5731
5732       Writing local addresses from alias expansion to a new queue file allows
5733       for robust handling of temporary delivery errors: errors with one local
5734       member  have  no effect on deliveries to other members of the list.  On
5735       the other hand, delivery to local addresses as soon as they come out of
5736       alias  expansion  is  fragile: a temporary error with one local address
5737       from alias expansion will cause the entire alias to be expanded repeat‐
5738       edly  until  the  error  goes away, or until the message expires in the
5739       queue.  In that case, a problem with one list member results in  multi‐
5740       ple message deliveries to other list members.
5741
5742       The  default  behavior  of  Postfix  2.8  and  later  is  to  keep  the
5743       owner-alias attribute of the parent alias, when delivering  mail  to  a
5744       child  alias  that  does  not  have  its  own  owner alias. Then, local
5745       addresses from that child alias will be written to a  new  queue  file,
5746       and  a  temporary error with one local address will not affect delivery
5747       to other mailing list members.
5748
5749       Unfortunately, older Postfix releases reset the  owner-alias  attribute
5750       when  delivering mail to a child alias that does not have its own owner
5751       alias. To be precise, this resets only the decision  to  create  a  new
5752       queue  file,  not the decision to override the envelope sender address.
5753       The local(8) delivery agent then attempts to deliver local addresses as
5754       soon  as  they  come  out of child alias expansion.  If delivery to any
5755       address from child alias expansion fails with a temporary error  condi‐
5756       tion, the entire mailing list may be expanded repeatedly until the mail
5757       expires in the queue, resulting in multiple deliveries of the same mes‐
5758       sage to mailing list members.
5759

resolve_dequoted_address (default: yes)

5761       Resolve  a  recipient  address  safely instead of correctly, by looking
5762       inside quotes.
5763
5764       By default, the Postfix address resolver does  not  quote  the  address
5765       localpart  as  per  RFC  822, so that additional @ or % or !  operators
5766       remain visible. This behavior is safe but it is also technically incor‐
5767       rect.
5768
5769       If  you  specify  "resolve_dequoted_address  =  no",  then  the Postfix
5770       resolver will not know about additional @ etc. operators in the address
5771       localpart. This opens opportunities for obscure mail relay attacks with
5772       user@domain@domain addresses when Postfix provides  backup  MX  service
5773       for Sendmail systems.
5774

resolve_null_domain (default: no)

5776       Resolve  an  address  that  ends in the "@" null domain as if the local
5777       hostname were specified, instead of rejecting the address as invalid.
5778
5779       This feature is available in Postfix 2.1 and later.   Earlier  versions
5780       always resolve the null domain as the local hostname.
5781
5782       The  Postfix  SMTP  server  uses this feature to reject mail from or to
5783       addresses that end in the "@" null domain, and from addresses that  re‐
5784       write into a form that ends in the "@" null domain.
5785

resolve_numeric_domain (default: no)

5787       Resolve  "user@ipaddress"  as  "user@[ipaddress]", instead of rejecting
5788       the address as invalid.
5789
5790       This feature is available in Postfix 2.3 and later.
5791

rewrite_service_name (default: rewrite)

5793       The name of  the  address  rewriting  service.  This  service  rewrites
5794       addresses  to  standard  form  and resolves them to a (delivery method,
5795       next-hop host, recipient) triple.
5796
5797       This feature is available in Postfix 2.0 and later.
5798

sample_directory (default: /etc/postfix)

5800       The name of the directory with  example  Postfix  configuration  files.
5801       Starting  with  Postfix  2.1,  these  files have been replaced with the
5802       postconf(5) manual page.
5803

send_cyrus_sasl_authzid (default: no)

5805       When authenticating to a remote SMTP or LMTP server  with  the  default
5806       setting  "no",  send  no SASL authoriZation ID (authzid); send only the
5807       SASL authentiCation ID (authcid) plus the authcid's password.
5808
5809       The non-default setting "yes" enables the  behavior  of  older  Postfix
5810       versions.   These  always send a SASL authzid that is equal to the SASL
5811       authcid, but this  causes  interoperability  problems  with  some  SMTP
5812       servers.
5813
5814       This feature is available in Postfix 2.4.4 and later.
5815

sender_based_routing (default: no)

5817       This  parameter  should  not  be used. It was replaced by sender_depen‐
5818       dent_relayhost_maps in Postfix version 2.3.
5819

sender_bcc_maps (default: empty)

5821       Optional BCC (blind carbon-copy)  address  lookup  tables,  indexed  by
5822       sender  address.   The BCC address (multiple results are not supported)
5823       is added when mail enters from outside of Postfix.
5824
5825       Specify zero or more "type:name" lookup tables, separated by whitespace
5826       or  comma. Tables will be searched in the specified order until a match
5827       is found.
5828
5829       The table search order is as follows:
5830
5831       ·      Look up the "user+extension@domain.tld"  address  including  the
5832              optional address extension.
5833
5834       ·      Look  up  the  "user@domain.tld"  address  without  the optional
5835              address extension.
5836
5837       ·      Look up the "user+extension" address local part when the  sender
5838              domain  equals  $myorigin,  $mydestination,  $inet_interfaces or
5839              $proxy_interfaces.
5840
5841       ·      Look up the "user" address local part  when  the  sender  domain
5842              equals    $myorigin,    $mydestination,    $inet_interfaces   or
5843              $proxy_interfaces.
5844
5845       ·      Look up the "@domain.tld" part.
5846
5847       Note: with Postfix 2.3 and later the BCC address is added as if it  was
5848       specified  with  NOTIFY=NONE.  The sender will not be notified when the
5849       BCC address is undeliverable,  as  long  as  all  down-stream  software
5850       implements RFC 3461.
5851
5852       Note: with Postfix 2.2 and earlier the sender will be notified when the
5853       BCC address is undeliverable.
5854
5855       Note: automatic BCC recipients are produced  only  for  new  mail.   To
5856       avoid  mailer  loops,  automatic BCC recipients are not generated after
5857       Postfix forwards mail  internally,  or  after  Postfix  generates  mail
5858       itself.
5859
5860       Example:
5861
5862       sender_bcc_maps = hash:/etc/postfix/sender_bcc
5863
5864       After a change, run "postmap /etc/postfix/sender_bcc".
5865
5866       This feature is available in Postfix 2.1 and later.
5867

sender_canonical_classes (default: envelope_sender, header_sender)

5869       What  addresses  are  subject to sender_canonical_maps address mapping.
5870       By default, sender_canonical_maps address mapping is applied  to  enve‐
5871       lope sender addresses, and to header sender addresses.
5872
5873       Specify one or more of: envelope_sender, header_sender
5874
5875       This feature is available in Postfix 2.2 and later.
5876

sender_canonical_maps (default: empty)

5878       Optional  address  mapping lookup tables for envelope and header sender
5879       addresses.  The table format and  lookups  are  documented  in  canoni‐
5880       cal(5).
5881
5882       Example:  you  want to rewrite the SENDER address "user@ugly.domain" to
5883       "user@pretty.domain", while still being able to send mail to the RECIP‐
5884       IENT address "user@ugly.domain".
5885
5886       Note: $sender_canonical_maps is processed before $canonical_maps.
5887
5888       Example:
5889
5890       sender_canonical_maps = hash:/etc/postfix/sender_canonical
5891

sender_dependent_default_transport_maps (default: empty)

5893       A  sender-dependent override for the global default_transport parameter
5894       setting. The tables are searched by the  envelope  sender  address  and
5895       @domain.  A  lookup result of DUNNO terminates the search without over‐
5896       riding the global default_transport parameter setting.   This  informa‐
5897       tion is overruled with the transport(5) table.
5898
5899       Specify zero or more "type:name" lookup tables, separated by whitespace
5900       or comma. Tables will be searched in the specified order until a  match
5901       is found.
5902
5903       Note:  this overrides default_transport, not transport_maps, and there‐
5904       fore the expected syntax is that of default_transport, not  the  syntax
5905       of  transport_maps.   Specifically,  this  does  not support the trans‐
5906       port_maps syntax for  null  transport,  null  nexthop,  or  null  email
5907       addresses.
5908
5909       For  safety  reasons, this feature does not allow $number substitutions
5910       in regular expression maps.
5911
5912       This feature is available in Postfix 2.7 and later.
5913

sender_dependent_relayhost_maps (default: empty)

5915       A sender-dependent override for the global relayhost parameter setting.
5916       The  tables  are searched by the envelope sender address and @domain. A
5917       lookup result of DUNNO terminates the  search  without  overriding  the
5918       global relayhost parameter setting (Postfix 2.6 and later). This infor‐
5919       mation    is    overruled    with    relay_transport,     sender_depen‐
5920       dent_default_transport_maps,  default_transport  and  with  the  trans‐
5921       port(5) table.
5922
5923       Specify zero or more "type:name" lookup tables, separated by whitespace
5924       or  comma. Tables will be searched in the specified order until a match
5925       is found.
5926
5927       For safety reasons, this feature does not allow  $number  substitutions
5928       in regular expression maps.
5929
5930       This feature is available in Postfix 2.3 and later.
5931

sendmail_fix_line_endings (default: always)

5933       Controls  how  the Postfix sendmail command converts email message line
5934       endings from <CR><LF> into UNIX format (<LF>).
5935
5936       always Always convert message lines ending in <CR><LF>. This setting is
5937              the default with Postfix 2.9 and later.
5938
5939       strict Convert message lines ending in <CR><LF> only if the first input
5940              line ends in <CR><LF>. This setting is backwards-compatible with
5941              Postfix 2.8 and earlier.
5942
5943       never  Never  convert  message  lines  ending in <CR><LF>. This setting
5944              exists for completeness only.
5945
5946       This feature is available in Postfix 2.9 and later.
5947

sendmail_path (default: see postconf -d output)

5949       A Sendmail compatibility feature that specifies  the  location  of  the
5950       Postfix  sendmail(1)  command.  This command can be used to submit mail
5951       into the Postfix queue.
5952

service_name (read-only)

5954       The master.cf service name of a Postfix daemon  process.  This  can  be
5955       used  to  distinguish  the logging from different services that use the
5956       same program name.
5957
5958       Example master.cf entries:
5959
5960       # Distinguish inbound MTA logging from submission and smtps logging.
5961       smtp      inet  n       -       n       -       -       smtpd
5962       submission inet n       -       n       -       -       smtpd
5963           -o syslog_name=postfix/$service_name
5964       smtps     inet  n       -       n       -       -       smtpd
5965           -o syslog_name=postfix/$service_name
5966
5967       # Distinguish outbound MTA logging from inbound relay logging.
5968       smtp      unix  -       -       n       -       -       smtp
5969       relay     unix  -       -       n       -       -       smtp
5970           -o syslog_name=postfix/$service_name
5971

service_throttle_time (default: 60s)

5973       How long the Postfix master(8)  waits  before  forking  a  server  that
5974       appears to be malfunctioning.
5975
5976       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
5977       The default time unit is s (seconds).
5978

setgid_group (default: postdrop)

5980       The group ownership of set-gid Postfix commands and  of  group-writable
5981       Postfix  directories.  When this parameter value is changed you need to
5982       re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
5983       "/etc/postfix/post-install set-permissions".
5984

shlib_directory (default: see 'postconf -d' output)

5986       The location of Postfix dynamically-linked libraries (libpostfix-*.so),
5987       and the default location of  Postfix  database  plugins  (postfix-*.so)
5988       that  have  a  relative  pathname  in  the  dynamicmaps.cf  file.   The
5989       shlib_directory  parameter  defaults  to  "no"  when  Postfix   dynami‐
5990       cally-linked  libraries  and  database  plugins are disabled at compile
5991       time,  otherwise  it  typically   defaults   to   /usr/lib/postfix   or
5992       /usr/local/lib/postfix.
5993
5994       Notes:
5995
5996       ·      The directory specified with shlib_directory should contain only
5997              Postfix-related files. Postfix dynamically-linked libraries  and
5998              database  plugins  should  not be installed in a "public" system
5999              directory such as /usr/lib or  /usr/local/lib.  Linking  Postfix
6000              dynamically-linked   library  files  or  database  plugins  into
6001              non-Postfix  programs  is  not   supported.    Postfix   dynami‐
6002              cally-linked  libraries  and  database plugins implement a Post‐
6003              fix-internal API that changes without maintaining compatibility.
6004
6005       ·      You can change the shlib_directory value after Postfix is built.
6006              However,  you  may have to run ldconfig or equivalent to prevent
6007              Postfix programs from failing because the libpostfix-*.so  files
6008              are  not  found.   No ldconfig command is needed if you keep the
6009              libpostfix-*.so files in the compiled-in  default  $shlib_direc‐
6010              tory location.
6011
6012       This feature is available in Postfix 3.0 and later.
6013

show_user_unknown_table_name (default: yes)

6015       Display  the  name  of  the  recipient  table  in  the  "User  unknown"
6016       responses.  The extra detail makes trouble  shooting  easier  but  also
6017       reveals information that is nobody elses business.
6018
6019       This feature is available in Postfix 2.0 and later.
6020

showq_service_name (default: showq)

6022       The name of the showq(8) service. This service produces mail queue sta‐
6023       tus reports.
6024
6025       This feature is available in Postfix 2.0 and later.
6026

smtp_address_preference (default: any)

6028       The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6029       will  try  first,  when  a destination has IPv6 and IPv4 addresses with
6030       equal MX preference. This feature has no effect unless the  inet_proto‐
6031       cols setting enables both IPv4 and IPv6.
6032
6033       Postfix  SMTP  client  address preference has evolved. With Postfix 2.8
6034       the default is "ipv6"; earlier implementations are hard-coded to prefer
6035       IPv6 over IPv4.
6036
6037       Notes for mail delivery between sites that have both IPv4 and IPv6 con‐
6038       nectivity:
6039
6040       ·      The setting "smtp_address_preference = ipv6" is unsafe.  It  can
6041              fail  to deliver mail when there is an outage that affects IPv6,
6042              while the destination is still reachable over IPv4.
6043
6044       ·      The setting "smtp_address_preference = any" is safe. With  this,
6045              mail  will  eventually  be  delivered even if there is an outage
6046              that affects IPv6 or IPv4, as long as it does not affect both.
6047
6048       This feature is available in Postfix 2.8 and later.
6049

smtp_address_verify_target (default: rcpt)

6051       In the context of email address verification, the SMTP  protocol  stage
6052       that  determines  whether an email address is deliverable.  Specify one
6053       of "rcpt" or "data".  The latter is needed  with  remote  SMTP  servers
6054       that  reject  recipients  after the DATA command. Use transport_maps to
6055       apply this feature selectively:
6056
6057           /etc/postfix/main.cf:
6058               transport_maps = hash:/etc/postfix/transport
6059
6060           /etc/postfix/transport:
6061               smtp-domain-that-verifies-after-data    smtp-data-target:
6062               lmtp-domain-that-verifies-after-data    lmtp-data-target:
6063
6064           /etc/postfix/master.cf:
6065               smtp-data-target    unix    -    -    n    -    -    smtp
6066                   -o smtp_address_verify_target=data
6067               lmtp-data-target    unix    -    -    n    -    -    lmtp
6068                   -o lmtp_address_verify_target=data
6069
6070       Unselective use of the "data" target does no harm, but will  result  in
6071       unnecessary  "lost  connection  after  DATA" events at remote SMTP/LMTP
6072       servers.
6073
6074       This feature is available in Postfix 3.0 and later.
6075

smtp_always_send_ehlo (default: yes)

6077       Always send EHLO at the start of an SMTP session.
6078
6079       With "smtp_always_send_ehlo = no", the Postfix SMTP client  sends  EHLO
6080       only when the word "ESMTP" appears in the server greeting banner (exam‐
6081       ple: 220 spike.porcupine.org ESMTP Postfix).
6082

smtp_balance_inet_protocols (default: yes)

6084       When a remote destination resolves to a combination of  IPv4  and  IPv6
6085       addresses,  ensure  that  the  Postfix SMTP client can try both address
6086       types before it runs into the smtp_mx_address_limit.
6087
6088       This avoids an interoperability problem when a destination resolves  to
6089       primarily  IPv6  addresses,  the  smtp_address_limit feature eliminates
6090       most or all IPv4 addresses, and the destination is not  reachable  over
6091       IPv6.
6092
6093       This feature is available in Postfix 3.3 and later.
6094

smtp_bind_address (default: empty)

6096       An  optional  numerical  network  address  that the Postfix SMTP client
6097       should bind to when making an IPv4 connection.
6098
6099       This can be specified in the main.cf file for all SMTP clients,  or  it
6100       can be specified in the master.cf file for a specific client, for exam‐
6101       ple:
6102
6103           /etc/postfix/master.cf:
6104               smtp ... smtp -o smtp_bind_address=11.22.33.44
6105
6106       Note 1: when inet_interfaces specifies no more than one  IPv4  address,
6107       and that address is a non-loopback address, it is automatically used as
6108       the smtp_bind_address.  This supports virtual IP hosting, but can be  a
6109       problem on multi-homed firewalls. See the inet_interfaces documentation
6110       for more detail.
6111
6112       Note 2: address information may be enclosed inside [], but this form is
6113       not required here.
6114

smtp_bind_address6 (default: empty)

6116       An  optional  numerical  network  address  that the Postfix SMTP client
6117       should bind to when making an IPv6 connection.
6118
6119       This feature is available in Postfix 2.2 and later.
6120
6121       This can be specified in the main.cf file for all SMTP clients,  or  it
6122       can be specified in the master.cf file for a specific client, for exam‐
6123       ple:
6124
6125           /etc/postfix/master.cf:
6126               smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6127
6128       Note 1: when inet_interfaces specifies no more than one  IPv6  address,
6129       and that address is a non-loopback address, it is automatically used as
6130       the smtp_bind_address6.  This supports virtual IP hosting, but can be a
6131       problem on multi-homed firewalls. See the inet_interfaces documentation
6132       for more detail.
6133
6134       Note 2: address information may be enclosed inside [], but this form is
6135       not recommended here.
6136

smtp_body_checks (default: empty)

6138       Restricted  body_checks(5)  tables  for the Postfix SMTP client.  These
6139       tables are searched while mail is being delivered.  Actions that change
6140       the delivery time or destination are not available.
6141
6142       This feature is available in Postfix 2.5 and later.
6143

smtp_cname_overrides_servername (default: version dependent)

6145       When  the remote SMTP servername is a DNS CNAME, replace the servername
6146       with the result from CNAME expansion for the purpose of  logging,  SASL
6147       password lookup, TLS policy decisions, or TLS certificate verification.
6148       The value "no" hardens Postfix smtp_tls_per_site  hostname-based  poli‐
6149       cies against false hostname information in DNS CNAME records, and makes
6150       SASL password file lookups more predictable. This is the  default  set‐
6151       ting as of Postfix 2.3.
6152
6153       When   DNS   CNAME  records  are  validated  with  secure  DNS  lookups
6154       (smtp_dns_support_level = dnssec), they are always allowed to  override
6155       the above servername (Postfix 2.11 and later).
6156
6157       This feature is available in Postfix 2.2.9 and later.
6158

smtp_connect_timeout (default: 30s)

6160       The  Postfix SMTP client time limit for completing a TCP connection, or
6161       zero (use the operating system built-in time limit).
6162
6163       When no connection can be made within the deadline,  the  Postfix  SMTP
6164       client  tries the next address on the mail exchanger list. Specify 0 to
6165       disable the time limit (i.e. use whatever timeout is implemented by the
6166       operating system).
6167
6168       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6169       The default time unit is s (seconds).
6170

smtp_connection_cache_destinations (default: empty)

6172       Permanently enable SMTP connection caching for the  specified  destina‐
6173       tions.   With SMTP connection caching, a connection is not closed imme‐
6174       diately after completion of a mail transaction.  Instead,  the  connec‐
6175       tion  is kept open for up to $smtp_connection_cache_time_limit seconds.
6176       This allows connections to be reused  for  other  deliveries,  and  can
6177       improve mail delivery performance.
6178
6179       Specify  a  comma  or  white  space  separated  list of destinations or
6180       pseudo-destinations:
6181
6182       ·      if mail is sent  without  a  relay  host:  a  domain  name  (the
6183              right-hand  side  of  an  email address, without the [] around a
6184              numeric IP address),
6185
6186       ·      if mail is sent via a relay host: a relay host name (without  []
6187              or  non-default  TCP  port),  as  specified in main.cf or in the
6188              transport map,
6189
6190       ·      if mail is sent via a UNIX-domain socket:  a  pathname  (without
6191              the unix: prefix),
6192
6193       ·      a  /file/name  with  domain  names  and/or  relay  host names as
6194              defined above,
6195
6196       ·      a "type:table" with domain names and/or relay host names on  the
6197              left-hand  side.   The  right-hand side result from "type:table"
6198              lookups is ignored.
6199
6200       This feature is available in Postfix 2.2 and later.
6201

smtp_connection_cache_on_demand (default: yes)

6203       Temporarily enable SMTP connection caching while a  destination  has  a
6204       high volume of mail in the active queue.  With SMTP connection caching,
6205       a connection is not closed  immediately  after  completion  of  a  mail
6206       transaction.  Instead, the connection is kept open for up to $smtp_con‐
6207       nection_cache_time_limit seconds.  This allows connections to be reused
6208       for other deliveries, and can improve mail delivery performance.
6209
6210       This feature is available in Postfix 2.2 and later.
6211

smtp_connection_cache_time_limit (default: 2s)

6213       When  SMTP  connection  caching  is enabled, the amount of time that an
6214       unused SMTP client socket is kept open before it  is  closed.   Do  not
6215       specify larger values without permission from the remote sites.
6216
6217       This feature is available in Postfix 2.2 and later.
6218

smtp_connection_reuse_count_limit (default: 0)

6220       When  SMTP  connection  caching is enabled, the number of times that an
6221       SMTP session may be reused before it is closed,  or  zero  (no  limit).
6222       With a reuse count limit of N, a connection is used up to N+1 times.
6223
6224       NOTE: This feature is unsafe. When a high-volume destination has multi‐
6225       ple inbound MTAs, then the slowest inbound MTA will  attract  the  most
6226       connections  to  that destination.  This limitation does not exist with
6227       the smtp_connection_reuse_time_limit feature.
6228
6229       This feature is available in Postfix 2.11.
6230

smtp_connection_reuse_time_limit (default: 300s)

6232       The amount of time during which Postfix will  use  an  SMTP  connection
6233       repeatedly.  The timer starts when the connection is initiated (i.e. it
6234       includes the connect, greeting and helo latency,  in  addition  to  the
6235       latencies of subsequent mail delivery transactions).
6236
6237       This feature addresses a performance stability problem with remote SMTP
6238       servers. This problem is not specific to Postfix: it  can  happen  when
6239       any  MTA  sends large amounts of SMTP email to a site that has multiple
6240       MX hosts.
6241
6242       The problem starts when one of a set of MX hosts  becomes  slower  than
6243       the  rest.   Even though SMTP clients connect to fast and slow MX hosts
6244       with equal probability, the slow MX host ends up with more simultaneous
6245       inbound  connections than the faster MX hosts, because the slow MX host
6246       needs more time to serve each client request.
6247
6248       The slow MX host becomes  a  connection  attractor.   If  one  MX  host
6249       becomes  N  times  slower  than  the  rest,  it dominates mail delivery
6250       latency unless there are more than N  fast  MX  hosts  to  counter  the
6251       effect.  And  if  the  number  of  MX hosts is smaller than N, the mail
6252       delivery latency becomes  effectively  that  of  the  slowest  MX  host
6253       divided by the total number of MX hosts.
6254
6255       The solution uses connection caching in a way that differs from Postfix
6256       version 2.2.  By limiting the amount of time during which a  connection
6257       can  be  used  repeatedly (instead of limiting the number of deliveries
6258       over that connection), Postfix not only restores fairness in  the  dis‐
6259       tribution of simultaneous connections across a set of MX hosts, it also
6260       favors deliveries over connections that perform well, which is  exactly
6261       what we want.
6262
6263       The  default  reuse time limit, 300s, is comparable to the various smtp
6264       transaction timeouts which are fair estimates of maximum excess latency
6265       for  a slow delivery.  Note that hosts may accept thousands of messages
6266       over a single connection  within  the  default  connection  reuse  time
6267       limit.  This number is much larger than the default Postfix version 2.2
6268       limit of 10 messages per cached connection. It may prove  necessary  to
6269       lower the limit to avoid interoperability issues with MTAs that exhibit
6270       bugs when many messages are delivered via a single connection.  A lower
6271       reuse  time limit risks losing the benefit of connection reuse when the
6272       average connection and mail delivery latency  exceeds  the  reuse  time
6273       limit.
6274
6275       This feature is available in Postfix 2.3 and later.
6276

smtp_data_done_timeout (default: 600s)

6278       The  Postfix  SMTP  client time limit for sending the SMTP ".", and for
6279       receiving the remote SMTP server response.
6280
6281       When no response is received within the deadline, a warning  is  logged
6282       that the mail may be delivered multiple times.
6283
6284       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6285       The default time unit is s (seconds).
6286

smtp_data_init_timeout (default: 120s)

6288       The Postfix SMTP client time limit for sending the SMTP  DATA  command,
6289       and for receiving the remote SMTP server response.
6290
6291       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6292       The default time unit is s (seconds).
6293

smtp_data_xfer_timeout (default: 180s)

6295       The Postfix SMTP client time limit for sending the  SMTP  message  con‐
6296       tent.    When   the   connection   makes  no  progress  for  more  than
6297       $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates  the
6298       transfer.
6299
6300       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6301       The default time unit is s (seconds).
6302

smtp_defer_if_no_mx_address_found (default: no)

6304       Defer mail delivery when no MX record resolves to an IP address.
6305
6306       The default (no) is to return the mail  as  undeliverable.  With  older
6307       Postfix  versions  the  default  was to keep trying to deliver the mail
6308       until someone fixed the MX record or until the mail was too old.
6309
6310       Note: the Postfix SMTP client always ignores MX records with  equal  or
6311       worse preference than the local MTA itself.
6312
6313       This feature is available in Postfix 2.1 and later.
6314

smtp_delivery_status_filter (default: $default_delivery_status_filter)

6316       Optional  filter  for the smtp(8) delivery agent to change the delivery
6317       status code or explanatory text of successful or unsuccessful  deliver‐
6318       ies.  See default_delivery_status_filter for details.
6319
6320       NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6321       sages that may or may not be derived from remote SMTP server responses.
6322       In  contrast, the smtp_reply_filter feature modifies remote SMTP server
6323       responses only.
6324

smtp_destination_concurrency_limit (default: $default_destination_concur‐

6326       rency_limit)
6327       The  maximal  number of parallel deliveries to the same destination via
6328       the smtp message delivery transport. This  limit  is  enforced  by  the
6329       queue  manager.  The message delivery transport name is the first field
6330       in the entry in the master.cf file.
6331

smtp_destination_recipient_limit (default: $default_destination_recipi‐

6333       ent_limit)
6334       The  maximal  number  of  recipients  per  message for the smtp message
6335       delivery transport. This limit is enforced by the  queue  manager.  The
6336       message  delivery transport name is the first field in the entry in the
6337       master.cf file.
6338
6339       Setting this parameter to a value of 1 changes the meaning of smtp_des‐
6340       tination_concurrency_limit from concurrency per domain into concurrency
6341       per recipient.
6342

smtp_discard_ehlo_keyword_address_maps (default: empty)

6344       Lookup tables, indexed by the remote SMTP  server  address,  with  case
6345       insensitive  lists  of EHLO keywords (pipelining, starttls, auth, etc.)
6346       that the Postfix SMTP client will ignore in the EHLO  response  from  a
6347       remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6348       ble  is  not  indexed  by  hostname  for  consistency  with  smtpd_dis‐
6349       card_ehlo_keyword_address_maps.
6350
6351       Specify zero or more "type:name" lookup tables, separated by whitespace
6352       or comma. Tables will be searched in the specified order until a  match
6353       is found.
6354
6355       This feature is available in Postfix 2.2 and later.
6356

smtp_discard_ehlo_keywords (default: empty)

6358       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
6359       etc.) that the Postfix SMTP client will ignore  in  the  EHLO  response
6360       from a remote SMTP server.
6361
6362       This feature is available in Postfix 2.2 and later.
6363
6364       Notes:
6365
6366       ·      Specify the silent-discard pseudo keyword to prevent this action
6367              from being logged.
6368
6369       ·      Use the smtp_discard_ehlo_keyword_address_maps feature  to  dis‐
6370              card EHLO keywords selectively.
6371

smtp_dns_reply_filter (default: empty)

6373       Optional  filter  for  Postfix SMTP client DNS lookup results.  Specify
6374       zero or more lookup tables.  The lookup  tables  are  searched  in  the
6375       given  order  for  a match with the DNS lookup result, converted to the
6376       following form:
6377
6378           name ttl class type preference value
6379
6380       The class field is always "IN", the preference field exists only for MX
6381       records, the names of hosts, domains, etc.  end in ".", and those names
6382       are in ASCII form (xn--mumble form in the case of UTF8 names).
6383
6384       When a match is found, the table lookup result specifies an action.  By
6385       default,  the  table  query  and  the action name are case-insensitive.
6386       Currently, only the IGNORE action is implemented.
6387
6388       Notes:
6389
6390       ·      Postfix DNS reply filters have no effect on implicit DNS lookups
6391              through nsswitch.conf or equivalent mechanisms.
6392
6393       ·      The  Postfix  SMTP/LMTP  client  uses  smtp_dns_reply_filter and
6394              lmtp_dns_reply_filter only to discover a  remote  SMTP  or  LMTP
6395              service  (record  types  MX, A, AAAAA, and TLSA).  These lookups
6396              are also made to implement the features reject_unverified_sender
6397              and reject_unverified_recipient.
6398
6399       ·      The  Postfix SMTP/LMTP client defers mail delivery when a filter
6400              removes all lookup results from a successful query.
6401
6402       ·      Postfix SMTP server uses smtpd_dns_reply_filter only to look  up
6403              MX,  A,  AAAAA,  and  TXT  records  to  implement  the  features
6404              reject_unknown_helo_hostname,      reject_unknown_sender_domain,
6405              reject_unknown_recipient_domain,        reject_rbl_*,        and
6406              reject_rhsbl_*.
6407
6408       ·      The Postfix SMTP server logs a warning or defers  mail  delivery
6409              when  a  filter  removes  all  lookup  results from a successful
6410              query.
6411
6412       Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
6413       because Google sometimes hard-rejects mail from IPv6 clients with valid
6414       PTR etc. records.
6415
6416       /etc/postfix/main.cf:
6417           smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
6418
6419       /etc/postfix/smtp_dns_reply_filter:
6420           # /domain ttl IN AAAA address/ action, all case-insensitive.
6421           # Note: the domain name ends in ".".
6422           /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
6423
6424       This feature is available in Postfix 3.0 and later.
6425

smtp_dns_resolver_options (default: empty)

6427       DNS Resolver options for the Postfix SMTP client.  Specify zero or more
6428       of  the  following  options,  separated by comma or whitespace.  Option
6429       names are case-sensitive. Some options refer to domain names  that  are
6430       specified in the file /etc/resolv.conf or equivalent.
6431
6432       res_defnames
6433              Append  the current domain name to single-component names (those
6434              that do not contain a "." character). This can produce incorrect
6435              results, and is the hard-coded behavior prior to Postfix 2.8.
6436
6437       res_dnsrch
6438              Search  for  host  names  in  the  current  domain and in parent
6439              domains. This can produce incorrect results and is therefore not
6440              recommended.
6441
6442       This feature is available in Postfix 2.8 and later.
6443

smtp_dns_support_level (default: empty)

6445       Level  of  DNS support in the Postfix SMTP client.  With "smtp_dns_sup‐
6446       port_level"  left  at  its  empty  default  value,  the  legacy   "dis‐
6447       able_dns_lookups"  parameter  controls  whether  DNS  is enabled in the
6448       Postfix SMTP client, otherwise the legacy parameter is ignored.
6449
6450       Specify one of the following:
6451
6452       disabled
6453              Disable DNS lookups.  No MX lookups are performed  and  hostname
6454              to  address  lookups are unconditionally "native".  This setting
6455              is not appropriate for hosts that deliver  mail  to  the  public
6456              Internet.   Some  obsolete  how-to documents recommend disabling
6457              DNS lookups in some configurations with  content_filters.   This
6458              is no longer required and strongly discouraged.
6459
6460       enabled
6461              Enable DNS lookups.  Nexthop destination domains not enclosed in
6462              "[]" will be subject to MX lookups.  If "dns" and  "native"  are
6463              included  in the "smtp_host_lookup" parameter value, DNS will be
6464              queried first to resolve MX-host A records, followed by "native"
6465              lookups if no answer is found in DNS.
6466
6467       dnssec Enable  DNSSEC  lookups.   The "dnssec" setting differs from the
6468              "enabled" setting above in the following ways:
6469
6470       ·      Any MX lookups will  set  RES_USE_DNSSEC  and  RES_USE_EDNS0  to
6471              request  DNSSEC-validated  responses.  If  the  MX  response  is
6472              DNSSEC-validated the corresponding hostnames are considered val‐
6473              idated.
6474
6475       ·      The  address  lookups of validated hostnames are also validated,
6476              (provided  of  course  "smtp_host_lookup"  includes  "dns",  see
6477              below).
6478
6479       ·      Temporary failures in DNSSEC-enabled hostname-to-address resolu‐
6480              tion block any "native" lookups.   Additional  "native"  lookups
6481              only happen when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).
6482
6483       The  Postfix  SMTP  client  considers  non-MX  "[nexthop]"  and  "[nex‐
6484       thop]:port" destinations equivalent to statically-validated MX  records
6485       of the form "nexthop.  IN MX 0 nexthop."  Therefore, with "dnssec" sup‐
6486       port turned on, validated hostname-to-address lookups apply to the nex‐
6487       thop  domain  of any "[nexthop]" or "[nexthop]:port" destination.  This
6488       is also true for LMTP "inet:host" and "inet:host:port" destinations, as
6489       LMTP hostnames are never subject to MX lookups.
6490
6491       The "dnssec" setting is recommended only if you plan to use the dane or
6492       dane-only TLS security level,  otherwise  enabling  DNSSEC  support  in
6493       Postfix  offers  no additional security.  Postfix DNSSEC support relies
6494       on an upstream recursive nameserver that validates  DNSSEC  signatures.
6495       Such  a  DNS  server  will always filter out forged DNS responses, even
6496       when Postfix itself is not configured to use DNSSEC.
6497
6498       When using Postfix DANE support the "smtp_host_lookup" parameter should
6499       include "dns", as DANE is not applicable to hosts resolved via "native"
6500       lookups.
6501
6502       As mentioned above, Postfix is  not  a  validating  stub  resolver;  it
6503       relies  on  the  system's  configured DNSSEC-validating recursive name‐
6504       server to perform  all  DNSSEC  validation.   Since  this  nameserver's
6505       DNSSEC-validated responses will be fully trusted, it is strongly recom‐
6506       mended that the MTA  host  have  a  local  DNSSEC-validating  recursive
6507       caching  nameserver  listening on a loopback address, and be configured
6508       to use only this nameserver for all lookups.   Otherwise,  Postfix  may
6509       remain  subject  to man-in-the-middle attacks that forge responses from
6510       the recursive nameserver
6511
6512       DNSSEC support requires a version of Postfix compiled against a reason‐
6513       ably-modern  DNS resolver(3) library that implements the RES_USE_DNSSEC
6514       and RES_USE_EDNS0 resolver options.
6515
6516       This feature is available in Postfix 2.11 and later.
6517

smtp_enforce_tls (default: no)

6519       Enforcement mode: require that remote SMTP servers use TLS  encryption,
6520       and  never  send mail in the clear.  This also requires that the remote
6521       SMTP server hostname matches the information in the remote server  cer‐
6522       tificate,  and  that the remote SMTP server certificate was issued by a
6523       CA that is trusted by the  Postfix  SMTP  client.  If  the  certificate
6524       doesn't  verify or the hostname doesn't match, delivery is deferred and
6525       mail stays in the queue.
6526
6527       The server hostname is matched against all names provided  as  dNSNames
6528       in  the SubjectAlternativeName.  If no dNSNames are specified, the Com‐
6529       monName  is  checked.   The  behavior   may   be   changed   with   the
6530       smtp_tls_enforce_peername option.
6531
6532       This  option  is  useful  only if you are definitely sure that you will
6533       only connect to servers that support RFC 2487 _and_ that provide  valid
6534       server  certificates.   Typical  use is for clients that send all their
6535       email to a dedicated mailhub.
6536
6537       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
6538       and later use smtp_tls_security_level instead.
6539

smtp_fallback_relay (default: $fallback_relay)

6541       Optional  list of relay hosts for SMTP destinations that can't be found
6542       or that are unreachable. With Postfix 2.2 and earlier this parameter is
6543       called fallback_relay.
6544
6545       By  default,  mail  is returned to the sender when a destination is not
6546       found, and delivery is deferred when a destination is unreachable.
6547
6548       With bulk email deliveries, it can be beneficial to  run  the  fallback
6549       relay MTA on the same host, so that it can reuse the sender IP address.
6550       This speeds up deliveries that are delayed by IP-based reputation  sys‐
6551       tems (greylist, etc.).
6552
6553       The  fallback relays must be SMTP destinations. Specify a domain, host,
6554       host:port, [host]:port, [address] or [address]:port;  the  form  [host]
6555       turns off MX lookups.  If you specify multiple SMTP destinations, Post‐
6556       fix will try them in the specified order.
6557
6558       To prevent mailer loops between MX hosts and fall-back  hosts,  Postfix
6559       version 2.2 and later will not use the fallback relays for destinations
6560       that it is MX host for (assuming DNS lookup is turned on).
6561

smtp_generic_maps (default: empty)

6563       Optional lookup tables that perform address rewriting  in  the  Postfix
6564       SMTP  client,  typically  to  transform  a locally valid address into a
6565       globally valid address when sending mail across the Internet.  This  is
6566       needed  when  the  local  machine does not have its own Internet domain
6567       name, but uses something like localdomain.local instead.
6568
6569       Specify zero or more "type:name" lookup tables, separated by whitespace
6570       or  comma. Tables will be searched in the specified order until a match
6571       is found.
6572
6573       The table format and lookups are documented in generic(5); examples are
6574       shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
6575       documents.
6576
6577       This feature is available in Postfix 2.2 and later.
6578

smtp_header_checks (default: empty)

6580       Restricted header_checks(5) tables for the Postfix SMTP client.   These
6581       tables are searched while mail is being delivered.  Actions that change
6582       the delivery time or destination are not available.
6583
6584       This feature is available in Postfix 2.5 and later.
6585

smtp_helo_name (default: $myhostname)

6587       The hostname to send in the SMTP HELO or EHLO command.
6588
6589       The default value is the  machine  hostname.   Specify  a  hostname  or
6590       [ip.add.re.ss].
6591
6592       This  information  can  be  specified  in the main.cf file for all SMTP
6593       clients, or it can be specified in the master.cf file  for  a  specific
6594       client, for example:
6595
6596           /etc/postfix/master.cf:
6597               mysmtp ... smtp -o smtp_helo_name=foo.bar.com
6598
6599       This feature is available in Postfix 2.0 and later.
6600

smtp_helo_timeout (default: 300s)

6602       The  Postfix  SMTP  client time limit for sending the HELO or EHLO com‐
6603       mand, and for receiving the initial remote SMTP server response.
6604
6605       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
6606       The default time unit is s (seconds).
6607

smtp_host_lookup (default: dns)

6609       What  mechanisms  the  Postfix  SMTP client uses to look up a host's IP
6610       address.  This parameter is ignored when DNS lookups are disabled (see:
6611       disable_dns_lookups  and  smtp_dns_support_level).  The "dns" mechanism
6612       is always tried before "native" if both are listed.
6613
6614       Specify one of the following:
6615
6616       dns    Hosts can be found in the DNS (preferred).
6617
6618       native Use the native naming service only (nsswitch.conf, or equivalent
6619              mechanism).
6620
6621       dns, native
6622              Use the native service for hosts not found in the DNS.
6623
6624       This feature is available in Postfix 2.1 and later.
6625

smtp_line_length_limit (default: 998)

6627       The  maximal  length of message header and body lines that Postfix will
6628       send via SMTP. This limit does not include the <CR><LF> at the  end  of
6629       each  line.  Longer lines are broken by inserting "<CR><LF><SPACE>", to
6630       minimize the damage to MIME formatted mail.
6631
6632       The Postfix limit of 998 characters not including <CR><LF>  is  consis‐
6633       tent  with  the  SMTP limit of 1000 characters including <CR><LF>.  The
6634       Postfix limit was 990 with Postfix 2.8 and earlier.
6635

smtp_mail_timeout (default: 300s)

6637       The Postfix SMTP client time limit for sending the MAIL  FROM  command,
6638       and for receiving the remote SMTP server response.
6639
6640       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6641       The default time unit is s (seconds).
6642

smtp_mime_header_checks (default: empty)

6644       Restricted mime_header_checks(5) tables for the  Postfix  SMTP  client.
6645       These  tables are searched while mail is being delivered.  Actions that
6646       change the delivery time or destination are not available.
6647
6648       This feature is available in Postfix 2.5 and later.
6649

smtp_mx_address_limit (default: 5)

6651       The maximal number of MX (mail exchanger) IP addresses that can  result
6652       from  Postfix  SMTP  client mail exchanger lookups, or zero (no limit).
6653       Prior to Postfix version 2.3, this limit was disabled by default.
6654
6655       This feature is available in Postfix 2.1 and later.
6656

smtp_mx_session_limit (default: 2)

6658       The maximal number of SMTP sessions per  delivery  request  before  the
6659       Postfix  SMTP client gives up or delivers to a fall-back relay host, or
6660       zero (no limit). This restriction ignores sessions that  fail  to  com‐
6661       plete  the  SMTP initial handshake (Postfix version 2.2 and earlier) or
6662       that fail to complete the EHLO and TLS handshake (Postfix  version  2.3
6663       and later).
6664
6665       This feature is available in Postfix 2.1 and later.
6666

smtp_nested_header_checks (default: empty)

6668       Restricted  nested_header_checks(5) tables for the Postfix SMTP client.
6669       These tables are searched while mail is being delivered.  Actions  that
6670       change the delivery time or destination are not available.
6671
6672       This feature is available in Postfix 2.5 and later.
6673

smtp_never_send_ehlo (default: no)

6675       Never  send  EHLO  at  the  start  of  an  SMTP  session.  See also the
6676       smtp_always_send_ehlo parameter.
6677

smtp_per_record_deadline (default: no)

6679       Change the behavior of the smtp_*_timeout  time  limits,  from  a  time
6680       limit per read or write system call, to a time limit to send or receive
6681       a complete record (an SMTP command line, SMTP response line, SMTP  mes‐
6682       sage  content  line,  or TLS protocol message).  This limits the impact
6683       from hostile peers that trickle data one byte at a time.
6684
6685       Note: when per-record deadlines are enabled, a short timeout may  cause
6686       problems  with TLS over very slow network connections.  The reasons are
6687       that a TLS protocol message can be up to 16 kbytes long  (with  TLSv1),
6688       and that an entire TLS protocol message must be sent or received within
6689       the per-record deadline.
6690
6691       This feature is available in Postfix 2.9 and later. With older  Postfix
6692       releases, the behavior is as if this parameter is set to "no".
6693

smtp_pix_workaround_delay_time (default: 10s)

6695       How  long  the Postfix SMTP client pauses before sending ".<CR><LF>" in
6696       order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
6697
6698       Choosing a too short time makes this workaround ineffective when  send‐
6699       ing large messages over slow network connections.
6700

smtp_pix_workaround_maps (default: empty)

6702       Lookup tables, indexed by the remote SMTP server address, with per-des‐
6703       tination workarounds for CISCO PIX firewall bugs.   The  table  is  not
6704       indexed   by   hostname  for  consistency  with  smtp_discard_ehlo_key‐
6705       word_address_maps.
6706
6707       Specify zero or more "type:name" lookup tables, separated by whitespace
6708       or  comma. Tables will be searched in the specified order until a match
6709       is found.
6710
6711       This feature is available in Postfix 2.4 and later.
6712

smtp_pix_workaround_threshold_time (default: 500s)

6714       How long a message must be queued before the Postfix SMTP client  turns
6715       on  the  PIX  firewall  "<CR><LF>.<CR><LF>" bug workaround for delivery
6716       through firewalls with "smtp fixup" mode turned on.
6717
6718       By default, the workaround is turned off for mail that  is  queued  for
6719       less  than  500  seconds.  In  other  words, the workaround is normally
6720       turned off for the first delivery attempt.
6721
6722       Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
6723       upon the first delivery attempt.
6724

smtp_pix_workarounds (default: disable_esmtp, delay_dotcrlf)

6726       A  list  that specifies zero or more workarounds for CISCO PIX firewall
6727       bugs. These workarounds are implemented by  the  Postfix  SMTP  client.
6728       Workaround names are separated by comma or space, and are case insensi‐
6729       tive.  This parameter setting can  be  overruled  with  per-destination
6730       smtp_pix_workaround_maps settings.
6731
6732       delay_dotcrlf
6733              Insert  a  delay before sending ".<CR><LF>" after the end of the
6734              message content.  The delay is  subject  to  the  smtp_pix_work‐
6735              around_delay_time and smtp_pix_workaround_threshold_time parame‐
6736              ter settings.
6737
6738       disable_esmtp
6739              Disable all extended SMTP commands: send HELO instead of EHLO.
6740
6741       This feature is available in Postfix 2.4 and later.  The  default  set‐
6742       tings are backwards compatible with earlier Postfix versions.
6743

smtp_quit_timeout (default: 300s)

6745       The  Postfix  SMTP  client time limit for sending the QUIT command, and
6746       for receiving the remote SMTP server response.
6747
6748       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
6749       The default time unit is s (seconds).
6750

smtp_quote_rfc821_envelope (default: yes)

6752       Quote  addresses  in Postfix SMTP client MAIL FROM and RCPT TO commands
6753       as required by RFC 5321. This includes putting quotes around an address
6754       localpart that ends in ".".
6755
6756       The  default  is to comply with RFC 5321. If you have to send mail to a
6757       broken SMTP server, configure a special SMTP client in master.cf:
6758
6759           /etc/postfix/master.cf:
6760               broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
6761
6762       and route mail for the destination in  question  to  the  "broken-smtp"
6763       message delivery with a transport(5) table.
6764
6765       This feature is available in Postfix 2.1 and later.
6766

smtp_randomize_addresses (default: yes)

6768       Randomize  the  order of equal-preference MX host addresses.  This is a
6769       performance feature of the Postfix SMTP client.
6770

smtp_rcpt_timeout (default: 300s)

6772       The Postfix SMTP client time limit for sending the SMTP  RCPT  TO  com‐
6773       mand, and for receiving the remote SMTP server response.
6774
6775       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6776       The default time unit is s (seconds).
6777

smtp_reply_filter (default: empty)

6779       A mechanism to transform replies from remote SMTP servers one line at a
6780       time.   This  is  a last-resort tool to work around server replies that
6781       break interoperability  with  the  Postfix  SMTP  client.   Other  uses
6782       involve   fault   injection  to  test  Postfix's  handling  of  invalid
6783       responses.
6784
6785       Notes:
6786
6787       ·      In the case of a multi-line reply, the Postfix SMTP client  uses
6788              the  final  reply  line's numerical SMTP reply code and enhanced
6789              status code.
6790
6791       ·      The numerical SMTP reply code (XYZ) takes  precedence  over  the
6792              enhanced  status  code  (X.Y.Z).   When the enhanced status code
6793              initial digit differs from the SMTP reply code initial digit, or
6794              when no enhanced status code is present, the Postfix SMTP client
6795              uses a generic enhanced status code (X.0.0) instead.
6796
6797       Specify the name of a "type:table" lookup table. The search string is a
6798       single  SMTP reply line as received from the remote SMTP server, except
6799       that the trailing <CR><LF> are removed.  When the lookup succeeds,  the
6800       result replaces the single SMTP reply line.
6801
6802       Examples:
6803
6804       /etc/postfix/main.cf:
6805           smtp_reply_filter = pcre:/etc/postfix/reply_filter
6806
6807       /etc/postfix/reply_filter:
6808           # Transform garbage into "250-filler..." so that it looks like
6809           # one line from a multi-line reply. It does not matter what we
6810           # substitute here as long it has the right syntax.  The Postfix
6811           # SMTP client will use the final line's numerical SMTP reply
6812           # code and enhanced status code.
6813           !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
6814
6815       This feature is available in Postfix 2.7.
6816

smtp_rset_timeout (default: 20s)

6818       The  Postfix  SMTP  client time limit for sending the RSET command, and
6819       for receiving the remote SMTP server response. The  SMTP  client  sends
6820       RSET  in order to finish a recipient address probe, or to verify that a
6821       cached session is still usable.
6822
6823       This feature is available in Postfix 2.1 and later.
6824

smtp_sasl_auth_cache_name (default: empty)

6826       An optional table to prevent repeated SASL authentication failures with
6827       the same remote SMTP server hostname, username and password. Each table
6828       (key, value) pair contains a server name, a username and password,  and
6829       the full server response. This information is stored when a remote SMTP
6830       server rejects an authentication attempt with a  535  reply  code.   As
6831       long  as the smtp_sasl_password_maps information does no change, and as
6832       long as the smtp_sasl_auth_cache_name information does not expire  (see
6833       smtp_sasl_auth_cache_time)  the Postfix SMTP client avoids SASL authen‐
6834       tication attempts with the same  server,  username  and  password,  and
6835       instead    bounces    or   defers   mail   as   controlled   with   the
6836       smtp_sasl_auth_soft_bounce configuration parameter.
6837
6838       Use  a  per-destination  delivery  concurrency  of  1   (for   example,
6839       "smtp_destination_concurrency_limit  =  1",  "relay_destination_concur‐
6840       rency_limit = 1", etc.), otherwise multiple delivery agents may experi‐
6841       ence a login failure at the same time.
6842
6843       The  table  must  be  accessed via the proxywrite service, i.e. the map
6844       name must start with "proxy:". The table should  be  stored  under  the
6845       directory specified with the data_directory parameter.
6846
6847       This  feature  uses  cryptographic  hashing to protect plain-text pass‐
6848       words, and requires that Postfix is compiled with TLS support.
6849
6850       Example:
6851
6852       smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
6853
6854       This feature is available in Postfix 2.5 and later.
6855

smtp_sasl_auth_cache_time (default: 90d)

6857       The maximal age of an  smtp_sasl_auth_cache_name  entry  before  it  is
6858       removed.
6859
6860       This feature is available in Postfix 2.5 and later.
6861

smtp_sasl_auth_enable (default: no)

6863       Enable SASL authentication in the Postfix SMTP client.  By default, the
6864       Postfix SMTP client uses no authentication.
6865
6866       Example:
6867
6868       smtp_sasl_auth_enable = yes
6869

smtp_sasl_auth_soft_bounce (default: yes)

6871       When a remote SMTP server rejects a SASL authentication request with  a
6872       535  reply code, defer mail delivery instead of returning mail as unde‐
6873       liverable. The latter behavior was hard-coded prior to Postfix  version
6874       2.5.
6875
6876       Note: the setting "yes" overrides the global soft_bounce parameter, but
6877       the setting "no" does not.
6878
6879       Example:
6880
6881       # Default as of Postfix 2.5
6882       smtp_sasl_auth_soft_bounce = yes
6883       # The old hard-coded default
6884       smtp_sasl_auth_soft_bounce = no
6885
6886       This feature is available in Postfix 2.5 and later.
6887

smtp_sasl_mechanism_filter (default: empty)

6889       If non-empty, a Postfix SMTP client filter for the remote SMTP server's
6890       list of offered SASL mechanisms.  Different client and server implemen‐
6891       tations may support different mechanism lists; by default, the  Postfix
6892       SMTP  client  will  use  the  intersection of the two. smtp_sasl_mecha‐
6893       nism_filter specifies an optional third  mechanism  list  to  intersect
6894       with.
6895
6896       Specify  mechanism  names, "/file/name" patterns or "type:table" lookup
6897       tables.  The  right-hand  side  result  from  "type:table"  lookups  is
6898       ignored.  Specify "!pattern" to exclude a mechanism name from the list.
6899       The form "!/file/name" is supported only in  Postfix  version  2.4  and
6900       later.
6901
6902       This feature is available in Postfix 2.2 and later.
6903
6904       Examples:
6905
6906       smtp_sasl_mechanism_filter = plain, login
6907       smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
6908       smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
6909

smtp_sasl_password_maps (default: empty)

6911       Optional  Postfix  SMTP client lookup tables with one username:password
6912       entry per sender, remote hostname or next-hop domain. Per-sender lookup
6913       is  done  only  when sender-dependent authentication is enabled.  If no
6914       username:password entry is found, then the Postfix SMTP client will not
6915       attempt to authenticate to the remote host.
6916
6917       The  Postfix  SMTP client opens the lookup table before going to chroot
6918       jail, so you can leave the password file in /etc/postfix.
6919
6920       Specify zero or more "type:name" lookup tables, separated by whitespace
6921       or  comma. Tables will be searched in the specified order until a match
6922       is found.
6923

smtp_sasl_path (default: empty)

6925       Implementation-specific information that the Postfix SMTP client passes
6926       through  to  the  SASL  plug-in  implementation  that  is selected with
6927       smtp_sasl_type.  Typically this specifies the name of  a  configuration
6928       file or rendezvous point.
6929
6930       This feature is available in Postfix 2.3 and later.
6931

smtp_sasl_security_options (default: noplaintext, noanonymous)

6933       Postfix  SMTP  client SASL security options; as of Postfix 2.3 the list
6934       of available features depends on the SASL client implementation that is
6935       selected with smtp_sasl_type.
6936
6937       The  following  security features are defined for the cyrus client SASL
6938       implementation:
6939
6940       Specify zero or more of the following:
6941
6942       noplaintext
6943              Disallow methods that use plaintext passwords.
6944
6945       noactive
6946              Disallow methods subject to active (non-dictionary) attack.
6947
6948       nodictionary
6949              Disallow methods subject to passive (dictionary) attack.
6950
6951       noanonymous
6952              Disallow methods that allow anonymous authentication.
6953
6954       mutual_auth
6955              Only allow  methods  that  provide  mutual  authentication  (not
6956              available with SASL version 1).
6957
6958       Example:
6959
6960       smtp_sasl_security_options = noplaintext
6961

smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)

6963       The  SASL  authentication security options that the Postfix SMTP client
6964       uses for TLS encrypted SMTP sessions.
6965
6966       This feature is available in Postfix 2.2 and later.
6967

smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_secu‐

6969       rity_options)
6970       The  SASL  authentication security options that the Postfix SMTP client
6971       uses for TLS encrypted SMTP sessions with a  verified  server  certifi‐
6972       cate.
6973
6974       When  mail  is  sent  to the public MX host for the recipient's domain,
6975       server certificates are by default optional, and delivery proceeds even
6976       if  certificate  verification fails. For delivery via a submission ser‐
6977       vice that requires SASL authentication, it may be appropriate  to  send
6978       plaintext  passwords only when the connection to the server is strongly
6979       encrypted and the server identity is verified.
6980
6981       The smtp_sasl_tls_verified_security_options parameter makes it possible
6982       to  only  enable  plaintext  mechanisms when a secure connection to the
6983       server is available. Submission servers subject  to  this  policy  must
6984       either  have  verifiable  certificates  or offer suitable non-plaintext
6985       SASL mechanisms.
6986
6987       This feature is available in Postfix 2.6 and later.
6988

smtp_sasl_type (default: cyrus)

6990       The SASL plug-in type that the  Postfix  SMTP  client  should  use  for
6991       authentication.   The available types are listed with the "postconf -A"
6992       command.
6993
6994       This feature is available in Postfix 2.3 and later.
6995

smtp_send_dummy_mail_auth (default: no)

6997       Whether or not to append the "AUTH=<>" option to the MAIL FROM  command
6998       in  SASL-authenticated  SMTP sessions. The default is not to send this,
6999       to avoid problems with broken remote SMTP servers.  Before Postfix  2.9
7000       the behavior is as if "smtp_send_dummy_mail_auth = yes".
7001
7002       This feature is available in Postfix 2.9 and later.
7003

smtp_send_xforward_command (default: no)

7005       Send  the  non-standard  XFORWARD  command when the Postfix SMTP server
7006       EHLO response announces XFORWARD support.
7007
7008       This allows a Postfix SMTP delivery agent, used for injecting mail into
7009       a  content filter, to forward the name, address, protocol and HELO name
7010       of the original client to the content  filter  and  downstream  queuing
7011       SMTP   server.  This  can  produce  more  useful  logging  than  local‐
7012       host[127.0.0.1] etc.
7013
7014       This feature is available in Postfix 2.1 and later.
7015

smtp_sender_dependent_authentication (default: no)

7017       Enable sender-dependent authentication in the Postfix SMTP client; this
7018       is  available  only with SASL authentication, and disables SMTP connec‐
7019       tion caching to ensure that mail from different senders  will  use  the
7020       appropriate credentials.
7021
7022       This feature is available in Postfix 2.3 and later.
7023

smtp_skip_4xx_greeting (default: yes)

7025       Skip SMTP servers that greet with a 4XX status code (go away, try again
7026       later).
7027
7028       By default, the Postfix SMTP client moves on the next  mail  exchanger.
7029       Specify  "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
7030       immediately.
7031
7032       This feature is available in Postfix 2.0 and  earlier.   Later  Postfix
7033       versions  always  skip remote SMTP servers that greet with a 4XX status
7034       code.
7035

smtp_skip_5xx_greeting (default: yes)

7037       Skip remote SMTP servers that greet with a 5XX status code.
7038
7039       By default, the Postfix SMTP client moves on the next  mail  exchanger.
7040       Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
7041       immediately. Caution: the latter behavior  appears  to  contradict  RFC
7042       2821.
7043

smtp_skip_quit_response (default: yes)

7045       Do not wait for the response to the SMTP QUIT command.
7046

smtp_starttls_timeout (default: 300s)

7048       Time limit for Postfix SMTP client write and read operations during TLS
7049       startup and shutdown handshake procedures.
7050
7051       This feature is available in Postfix 2.2 and later.
7052

smtp_tcp_port (default: smtp)

7054       The default TCP port that the Postfix SMTP client connects to.  Specify
7055       a symbolic name (see services(5)) or a numeric port.
7056

smtp_tls_CAfile (default: empty)

7058       A  file  containing  CA certificates of root CAs trusted to sign either
7059       remote SMTP server certificates or intermediate CA certificates.  These
7060       are  loaded  into  memory  before  the smtp(8) client enters the chroot
7061       jail.  If  the  number  of  trusted  roots  is  large,  consider  using
7062       smtp_tls_CApath  instead,  but  note  that the latter directory must be
7063       present in the chroot jail if the smtp(8) client is chrooted. This file
7064       may  also be used to augment the client certificate trust chain, but it
7065       is  best  to  include  all  the  required  certificates   directly   in
7066       $smtp_tls_cert_file.
7067
7068       Specify  "smtp_tls_CAfile  =  /path/to/system_CA_file"  to use ONLY the
7069       system-supplied default Certification Authority certificates.
7070
7071       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
7072       the system-supplied default CAs and trusting third-party certificates.
7073
7074       Example:
7075
7076       smtp_tls_CAfile = /etc/postfix/CAcert.pem
7077
7078       This feature is available in Postfix 2.2 and later.
7079

smtp_tls_CApath (default: empty)

7081       Directory with PEM format Certification Authority certificates that the
7082       Postfix SMTP client uses to verify a remote  SMTP  server  certificate.
7083       Don't  forget  to  create the necessary "hash" links with, for example,
7084       "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
7085
7086       To use this option in chroot mode, this directory (or a copy)  must  be
7087       inside the chroot jail.
7088
7089       Specify  "smtp_tls_CApath  =  /path/to/system_CA_directory" to use ONLY
7090       the system-supplied default Certification Authority certificates.
7091
7092       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
7093       the system-supplied default CAs and trusting third-party certificates.
7094
7095       Example:
7096
7097       smtp_tls_CApath = /etc/postfix/certs
7098
7099       This feature is available in Postfix 2.2 and later.
7100

smtp_tls_block_early_mail_reply (default: no)

7102       Try  to detect a mail hijacking attack based on a TLS protocol vulnera‐
7103       bility (CVE-2009-3555), where  an  attacker  prepends  malicious  HELO,
7104       MAIL,  RCPT,  DATA  commands to a Postfix SMTP client TLS session.  The
7105       attack would succeed with non-Postfix SMTP servers that  reply  to  the
7106       malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix
7107       SMTP client TLS session.
7108
7109       This feature is available in Postfix 2.7.
7110

smtp_tls_cert_file (default: empty)

7112       File with the Postfix SMTP client RSA certificate in PEM format.   This
7113       file  may  also  contain  the  Postfix SMTP client private RSA key, and
7114       these may be the same as the Postfix SMTP server  RSA  certificate  and
7115       key file.
7116
7117       Do not configure client certificates unless you must present client TLS
7118       certificates to one or more servers. Client certificates are  not  usu‐
7119       ally  needed,  and  can cause problems in configurations that work well
7120       without them. The recommended setting is to let the defaults stand:
7121
7122           smtp_tls_cert_file =
7123           smtp_tls_key_file =
7124           smtp_tls_dcert_file =
7125           smtp_tls_dkey_file =
7126           smtp_tls_eccert_file =
7127           smtp_tls_eckey_file =
7128
7129       The best way to use the default settings is to comment  out  the  above
7130       parameters in main.cf if present.
7131
7132       To  enable  remote  SMTP servers to verify the Postfix SMTP client cer‐
7133       tificate, the issuing CA certificates must be  made  available  to  the
7134       server. You should include the required certificates in the client cer‐
7135       tificate file, the client certificate first,  then  the  issuing  CA(s)
7136       (bottom-up order).
7137
7138       Example: the certificate for "client.example.com" was issued by "inter‐
7139       mediate CA" which itself has a certificate issued by "root CA".  Create
7140       the  client.pem  file  with  "cat  client_cert.pem  intermediate_CA.pem
7141       root_CA.pem > client.pem".
7142
7143       If you also want to verify remote SMTP server  certificates  issued  by
7144       these  CAs,  you can add the CA certificates to the smtp_tls_CAfile, in
7145       which case it is not necessary to have them in the  smtp_tls_cert_file,
7146       smtp_tls_dcert_file or smtp_tls_eccert_file.
7147
7148       A certificate supplied here must be usable as an SSL client certificate
7149       and hence pass the "openssl verify -purpose sslclient ..." test.
7150
7151       Example:
7152
7153       smtp_tls_cert_file = /etc/postfix/client.pem
7154
7155       This feature is available in Postfix 2.2 and later.
7156

smtp_tls_cipherlist (default: empty)

7158       Obsolete Postfix < 2.3 control for the Postfix SMTP client  TLS  cipher
7159       list. As this feature applies to all TLS security levels, it is easy to
7160       create interoperability problems by choosing a non-default cipher list.
7161       Do not use a non-default TLS cipher list on hosts that deliver email to
7162       the public Internet: you will be unable to send email to  servers  that
7163       only  support  the  ciphers you exclude. Using a restricted cipher list
7164       may be more appropriate for an internal MTA, where one can  exert  some
7165       control over the TLS software and settings of the peer servers.
7166
7167       Note: do not use "" quotes around the parameter value.
7168
7169       This  feature  is available in Postfix version 2.2. It is not used with
7170       Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
7171

smtp_tls_ciphers (default: medium)

7173       The minimum TLS cipher grade that the Postfix SMTP client will use with
7174       opportunistic     TLS    encryption.    Cipher    types    listed    in
7175       smtp_tls_exclude_ciphers are excluded from the base definition  of  the
7176       selected  cipher  grade.    The  default  value is "medium" for Postfix
7177       releases after the middle of 2015, "export" for older releases.
7178
7179       When  TLS  is  mandatory  the  cipher   grade   is   chosen   via   the
7180       smtp_tls_mandatory_ciphers  configuration parameter, see there for syn‐
7181       tax details. See smtp_tls_policy_maps for information on how to config‐
7182       ure ciphers on a per-destination basis.
7183
7184       This  feature is available in Postfix 2.6 and later. With earlier Post‐
7185       fix releases only the smtp_tls_mandatory_ciphers  parameter  is  imple‐
7186       mented, and opportunistic TLS always uses "export" or better (i.e. all)
7187       ciphers.
7188

smtp_tls_dane_insecure_mx_policy (default: dane)

7190       The TLS policy for MX hosts with "secure" TLSA records when the nexthop
7191       destination  security level is dane, but the MX record was found via an
7192       "insecure" MX lookup.  The choices are:
7193
7194       may    The TLSA records will be ignored and TLS will be  optional.   If
7195              the MX host does not appear to support STARTTLS, or the STARTTLS
7196              handshake fails, mail may be sent in the clear.
7197
7198       encrypt
7199              The TLSA records will signal a requirement to  use  TLS.   While
7200              TLS encryption will be required, authentication will not be per‐
7201              formed.
7202
7203       dane (default)
7204              The TLSA records will be used just as with "secure" MX  records.
7205              TLS  encryption  will  be  required, and, if at least one of the
7206              TLSA records is "usable", authentication will be required.  When
7207              authentication  succeeds,  it  will be logged only as "Trusted",
7208              not "Verified", because the MX host name could have been forged.
7209              Though with "insecure" MX records an active attacker can compro‐
7210              mise  SMTP  transport  security  by returning forged MX records,
7211              such attacks are "tamper-evident" since any forged MX  hostnames
7212              will  be  recorded in the mail logs.  Attackers who place a high
7213              value staying hidden may be deterred from forging MX records.
7214
7215       This feature is available in Postfix 3.1 and later. The may  policy  is
7216       backwards-compatible with earlier Postfix versions.
7217

smtp_tls_dcert_file (default: empty)

7219       File  with the Postfix SMTP client DSA certificate in PEM format.  This
7220       file may also contain the Postfix SMTP client private DSA key.
7221
7222       See the discussion under smtp_tls_cert_file for more details.
7223
7224       Example:
7225
7226       smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
7227
7228       This feature is available in Postfix 2.2 and later.
7229

smtp_tls_dkey_file (default: $smtp_tls_dcert_file)

7231       File with the Postfix SMTP client DSA private key in PEM format.   This
7232       file  may be combined with the Postfix SMTP client DSA certificate file
7233       specified with $smtp_tls_dcert_file.
7234
7235       The private key must be accessible without a pass-phrase, i.e. it  must
7236       not be encrypted. File permissions should grant read-only access to the
7237       system superuser account ("root"), and no access to anyone else.
7238
7239       This feature is available in Postfix 2.2 and later.
7240

smtp_tls_eccert_file (default: empty)

7242       File with the Postfix SMTP client  ECDSA  certificate  in  PEM  format.
7243       This file may also contain the Postfix SMTP client ECDSA private key.
7244
7245       See the discussion under smtp_tls_cert_file for more details.
7246
7247       Example:
7248
7249       smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
7250
7251       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
7252       compiled and linked with OpenSSL 1.0.0 or later.
7253

smtp_tls_eckey_file (default: $smtp_tls_eccert_file)

7255       File with the Postfix SMTP client ECDSA  private  key  in  PEM  format.
7256       This  file  may be combined with the Postfix SMTP client ECDSA certifi‐
7257       cate file specified with $smtp_tls_eccert_file.
7258
7259       The private key must be accessible without a pass-phrase, i.e. it  must
7260       not be encrypted. File permissions should grant read-only access to the
7261       system superuser account ("root"), and no access to anyone else.
7262
7263       This feature is available in Postfix 2.6 and  later,  when  Postfix  is
7264       compiled and linked with OpenSSL 1.0.0 or later.
7265

smtp_tls_enforce_peername (default: yes)

7267       With  mandatory  TLS  encryption,  require  that the remote SMTP server
7268       hostname matches the information in the remote SMTP server certificate.
7269       As  of  RFC 2487 the requirements for hostname checking for MTA clients
7270       are not specified.
7271
7272       This option can be set to "no" to disable strict  peer  name  checking.
7273       This  setting  has  no  effect  on sessions that are controlled via the
7274       smtp_tls_per_site table.
7275
7276       Disabling the hostname verification can make sense in  closed  environ‐
7277       ment where special CAs are created.  If not used carefully, this option
7278       opens the danger of a "man-in-the-middle"  attack  (the  CommonName  of
7279       this attacker will be logged).
7280
7281       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
7282       and later use smtp_tls_security_level instead.
7283

smtp_tls_exclude_ciphers (default: empty)

7285       List of ciphers or cipher types to exclude from the Postfix SMTP client
7286       cipher  list  at  all  TLS  security  levels.  This  is  not an OpenSSL
7287       cipherlist, it is a simple list separated by whitespace and/or  commas.
7288       The  elements  are a single cipher, or one or more "+" separated cipher
7289       properties, in which case only ciphers matching all the properties  are
7290       excluded.
7291
7292       Examples (some of these will cause problems):
7293
7294           smtp_tls_exclude_ciphers = aNULL
7295           smtp_tls_exclude_ciphers = MD5, DES
7296           smtp_tls_exclude_ciphers = DES+MD5
7297           smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
7298           smtp_tls_exclude_ciphers = kEDH+aRSA
7299
7300       The  first  setting,  disables anonymous ciphers. The next setting dis‐
7301       ables ciphers that use the MD5 digest algorithm  or  the  (single)  DES
7302       encryption  algorithm.  The  next setting disables ciphers that use MD5
7303       and  DES  together.   The  next  setting  disables  the   two   ciphers
7304       "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
7305       use "EDH" key exchange with RSA authentication.
7306
7307       This feature is available in Postfix 2.3 and later.
7308

smtp_tls_fingerprint_cert_match (default: empty)

7310       List of acceptable remote SMTP server certificate fingerprints for  the
7311       "fingerprint"  TLS  security  level  (smtp_tls_security_level = finger‐
7312       print). At this security level, Certification Authorities are not used,
7313       and  certificate expiration times are ignored. Instead, server certifi‐
7314       cates are verified directly via their certificate fingerprint or public
7315       key  fingerprint  (Postfix 2.9 and later). The fingerprint is a message
7316       digest of the server certificate (or public key). The digest  algorithm
7317       is selected via the smtp_tls_fingerprint_digest parameter.
7318
7319       When  an  smtp_tls_policy_maps  table entry specifies the "fingerprint"
7320       security level, any "match" attributes in that entry specify  the  list
7321       of  valid fingerprints for the corresponding destination. Multiple fin‐
7322       gerprints can be combined with  a  "|"  delimiter  in  a  single  match
7323       attribute, or multiple match attributes can be employed.
7324
7325       Example:  Certificate  fingerprint  verification with internal mailhub.
7326       Two matching fingerprints are listed. The  relayhost  may  be  multiple
7327       physical hosts behind a load-balancer, each with its own private/public
7328       key and self-signed certificate. Alternatively, a single relayhost  may
7329       be  in  the process of switching from one set of private/public keys to
7330       another, and both keys are trusted just prior to the transition.
7331
7332           relayhost = [mailhub.example.com]
7333           smtp_tls_security_level = fingerprint
7334           smtp_tls_fingerprint_digest = md5
7335           smtp_tls_fingerprint_cert_match =
7336               3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7337               EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7338
7339       Example: Certificate fingerprint verification  with  selected  destina‐
7340       tions.  As in the example above, we show two matching fingerprints:
7341
7342           /etc/postfix/main.cf:
7343               smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7344               smtp_tls_fingerprint_digest = md5
7345
7346           /etc/postfix/tls_policy:
7347               example.com fingerprint
7348                   match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7349                   match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7350
7351       This feature is available in Postfix 2.5 and later.
7352

smtp_tls_fingerprint_digest (default: md5)

7354       The  message digest algorithm used to construct remote SMTP server cer‐
7355       tificate  fingerprints.  At  the  "fingerprint"  TLS   security   level
7356       (smtp_tls_security_level = fingerprint), the server certificate is ver‐
7357       ified by directly matching its certificate fingerprint  or  its  public
7358       key fingerprint (Postfix 2.9 and later). The fingerprint is the message
7359       digest of the server certificate (or its public key) using the selected
7360       algorithm.  With  a  digest  algorithm  resistant to "second pre-image"
7361       attacks, it is not feasible to create a new public key and  a  matching
7362       certificate (or public/private key-pair) that has the same fingerprint.
7363
7364       The  default  algorithm  is  md5; this is consistent with the backwards
7365       compatible setting of the digest used to verify client certificates  in
7366       the SMTP server.
7367
7368       The  best practice algorithm is now sha1. Recent advances in hash func‐
7369       tion cryptanalysis have led to md5 being deprecated in favor  of  sha1.
7370       However,  as  long  as  there  are  no known "second pre-image" attacks
7371       against md5, its use in this context can still be considered safe.
7372
7373       While additional digest algorithms are often available  with  OpenSSL's
7374       libcrypto, only those used by libssl in SSL cipher suites are available
7375       to Postfix. For now this means just md5 or sha1.
7376
7377       To find the fingerprint of a specific certificate file, with a specific
7378       digest algorithm, run:
7379
7380           $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7381
7382       The  text  to  the  right  of "=" sign is the desired fingerprint.  For
7383       example:
7384
7385           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7386           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7387
7388       To extract the public key fingerprint from an  X.509  certificate,  you
7389       need  to  extract  the  public key from the certificate and compute the
7390       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
7391       key"  option  of  the  "x509" command extracts the public key always in
7392       "PEM" format. We pipe the result to another OpenSSL command  that  con‐
7393       verts the key to DER and then to the "dgst" command to compute the fin‐
7394       gerprint.
7395
7396       The actual command to transform the key to DER format  depends  on  the
7397       version  of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
7398       mand supports all key types. With OpenSSL 0.9.8 and  earlier,  the  key
7399       type  is  always  RSA  (nobody uses DSA, and EC keys are not fully sup‐
7400       ported by 0.9.8), so the "rsa" command is used.
7401
7402           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
7403           $ openssl x509 -in cert.pem -noout -pubkey |
7404               openssl pkey -pubin -outform DER |
7405               openssl dgst -sha1 -c
7406           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
7407
7408           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
7409           $ openssl x509 -in cert.pem -noout -pubkey |
7410               openssl rsa -pubin -outform DER |
7411               openssl dgst -md5 -c
7412           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
7413
7414       The Postfix SMTP server and client log the peer (leaf) certificate fin‐
7415       gerprint  and  public  key  fingerprint  when  the TLS loglevel is 2 or
7416       higher.
7417
7418       Note: Postfix 2.9.0-2.9.5 computed the public  key  fingerprint  incor‐
7419       rectly.  To  use  public-key  fingerprints, upgrade to Postfix 2.9.6 or
7420       later.
7421
7422       This feature is available in Postfix 2.5 and later.
7423

smtp_tls_force_insecure_host_tlsa_lookup (default: no)

7425       Lookup the associated DANE TLSA RRset even when a hostname  is  not  an
7426       alias  and  its  address  records  lie  in  an  unsigned zone.  This is
7427       unlikely to ever yield DNSSEC validated results, since child  zones  of
7428       unsigned  zones are also unsigned in the absence of DLV or locally con‐
7429       figured non-root trust-anchors.  We  anticipate  that  such  mechanisms
7430       will  not be used for just the "_tcp" subdomain of a host.  Suppressing
7431       the TLSA RRset lookup reduces latency and avoids  potential  interoper‐
7432       ability  problems with nameservers for unsigned zones that are not pre‐
7433       pared to handle the new TLSA RRset.
7434
7435       This feature is available in Postfix 2.11.
7436

smtp_tls_key_file (default: $smtp_tls_cert_file)

7438       File with the Postfix SMTP client RSA private key in PEM format.   This
7439       file  may be combined with the Postfix SMTP client RSA certificate file
7440       specified with $smtp_tls_cert_file.
7441
7442       The private key must be accessible without a pass-phrase, i.e. it  must
7443       not be encrypted. File permissions should grant read-only access to the
7444       system superuser account ("root"), and no access to anyone else.
7445
7446       Example:
7447
7448       smtp_tls_key_file = $smtp_tls_cert_file
7449
7450       This feature is available in Postfix 2.2 and later.
7451

smtp_tls_loglevel (default: 0)

7453       Enable additional Postfix SMTP client logging of  TLS  activity.   Each
7454       logging  level  also includes the information that is logged at a lower
7455       logging level.
7456
7457              0 Disable logging of TLS activity.
7458
7459              1 Log only a summary message on TLS handshake  completion  -  no
7460              logging  of remote SMTP server certificate trust-chain verifica‐
7461              tion errors if server certificate verification is not  required.
7462              With Postfix 2.8 and earlier, log the summary message and uncon‐
7463              ditionally log trust-chain verification errors.
7464
7465              2 Also log levels during TLS negotiation.
7466
7467              3 Also  log  hexadecimal  and  ASCII  dump  of  TLS  negotiation
7468              process.
7469
7470              4  Also  log hexadecimal and ASCII dump of complete transmission
7471              after STARTTLS.
7472
7473       Do not use "smtp_tls_loglevel = 2" or higher except in  case  of  prob‐
7474       lems. Use of loglevel 4 is strongly discouraged.
7475
7476       This feature is available in Postfix 2.2 and later.
7477

smtp_tls_mandatory_ciphers (default: medium)

7479       The minimum TLS cipher grade that the Postfix SMTP client will use with
7480       mandatory TLS encryption.  The default value "medium" is  suitable  for
7481       most destinations with which you may want to enforce TLS, and is beyond
7482       the reach of today's cryptanalytic  methods.  See  smtp_tls_policy_maps
7483       for information on how to configure ciphers on a per-destination basis.
7484
7485       The following cipher grades are supported:
7486
7487       export Enable "EXPORT" grade or better OpenSSL ciphers.  The underlying
7488              cipherlist is specified via the tls_export_cipherlist configura‐
7489              tion parameter, which you are strongly encouraged to not change.
7490              This choice is insecure and SHOULD NOT be used.
7491
7492       low    Enable "LOW" grade or better OpenSSL  ciphers.   The  underlying
7493              cipherlist is specified via the tls_low_cipherlist configuration
7494              parameter, which you are  strongly  encouraged  to  not  change.
7495              This choice is insecure and SHOULD NOT be used.
7496
7497       medium Enable "MEDIUM" grade or better OpenSSL ciphers.  The underlying
7498              cipherlist is specified via the tls_medium_cipherlist configura‐
7499              tion parameter, which you are strongly encouraged to not change.
7500
7501       high   Enable  only  "HIGH" grade OpenSSL ciphers.  This setting may be
7502              appropriate when all mandatory TLS destinations (e.g.  when  all
7503              mail is routed to a suitably capable relayhost) support at least
7504              one "HIGH" grade cipher. The underlying cipherlist is  specified
7505              via  the  tls_high_cipherlist configuration parameter, which you
7506              are strongly encouraged to not change.
7507
7508       null   Enable only the "NULL" OpenSSL ciphers, these provide  authenti‐
7509              cation  without encryption.  This setting is only appropriate in
7510              the rare case that all servers are prepared to use NULL  ciphers
7511              (not  normally  enabled in TLS servers). A plausible use-case is
7512              an LMTP server listening on a UNIX-domain socket that is config‐
7513              ured  to  support  "NULL"  ciphers. The underlying cipherlist is
7514              specified via the tls_null_cipherlist  configuration  parameter,
7515              which you are strongly encouraged to not change.
7516
7517       The  underlying cipherlists for grades other than "null" include anony‐
7518       mous ciphers, but these are automatically filtered out if  the  Postfix
7519       SMTP  client is configured to verify server certificates.  You are very
7520       unlikely to need to take any steps to exclude anonymous  ciphers,  they
7521       are excluded automatically as necessary.  If you must exclude anonymous
7522       ciphers at the "may" or "encrypt" security  levels,  when  the  Postfix
7523       SMTP   client   does   not   need   or   use   peer  certificates,  set
7524       "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous  ciphers  only
7525       when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
7526
7527       This feature is available in Postfix 2.3 and later.
7528

smtp_tls_mandatory_exclude_ciphers (default: empty)

7530       Additional  list of ciphers or cipher types to exclude from the Postfix
7531       SMTP client cipher list at mandatory TLS  security  levels.  This  list
7532       works     in     addition     to    the    exclusions    listed    with
7533       smtp_tls_exclude_ciphers (see there for syntax details).
7534
7535       Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
7536       ified   on  a  per-destination  basis  via  the  TLS  policy  "exclude"
7537       attribute. See smtp_tls_policy_maps for notes and examples.
7538
7539       This feature is available in Postfix 2.3 and later.
7540

smtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

7542       List of SSL/TLS protocols that the Postfix SMTP client  will  use  with
7543       mandatory  TLS  encryption.   In  main.cf  the  values are separated by
7544       whitespace, commas or colons. In the policy table "protocols" attribute
7545       (see  smtp_tls_policy_maps) the only valid separator is colon. An empty
7546       value means allow all protocols. The valid protocol names, (see  \fBfB‐
7547       SSL_get_version(3)),  are  "SSLv2",  "SSLv3"  and  "TLSv1". The default
7548       value is "!SSLv2, !SSLv3" for Postfix  releases  after  the  middle  of
7549       2015, "!SSLv2" for older releases.
7550
7551       With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
7552       col  exclusions.  One  can  explicitly  exclude  "SSLv2"   by   setting
7553       "smtp_tls_mandatory_protocols  =  !SSLv2".  To exclude both "SSLv2" and
7554       "SSLv3" set "smtp_tls_mandatory_protocols =  !SSLv2,  !SSLv3".  Listing
7555       the  protocols  to  include,  rather than protocols to exclude, is sup‐
7556       ported, but not recommended. The exclusion form  more  closely  matches
7557       the underlying OpenSSL interface semantics.
7558
7559       The range of protocols advertised by an SSL/TLS client must be contigu‐
7560       ous.  When a protocol version is enabled, disabling any higher  version
7561       implicitly  disables all versions above that higher version.  Thus, for
7562       example:
7563
7564           smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7565       also disables any protocols version  higher  than  TLSv1  leaving  only
7566       "SSLv3" enabled.
7567
7568       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7569       "TLSv1.2". When Postfix <= 2.5  is  linked  against  OpenSSL  1.0.1  or
7570       later,  these,  or  any other new protocol versions, cannot be disabled
7571       except by also disabling "TLSv1" (typically leaving just "SSLv3").  The
7572       latest  patch  levels of Postfix >= 2.6, and all versions of Postfix >=
7573       2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
7574
7575       At the dane and dane-only security levels, when usable TLSA records are
7576       obtained  for  the remote SMTP server, the Postfix SMTP client is obli‐
7577       gated to include the SNI TLS extension in its SSL client hello message.
7578       This  may help the remote SMTP server live up to its promise to provide
7579       a certificate that matches its  TLSA  records.   Since  TLS  extensions
7580       require  TLS 1.0 or later, the Postfix SMTP client must disable "SSLv2"
7581       and "SSLv3" when SNI is required.  If you use "dane" or "dane-only"  do
7582       not disable TLSv1, except perhaps via the policy table for destinations
7583       which you are sure will support "TLSv1.1" or "TLSv1.2".
7584
7585       See  the  documentation  of  the  smtp_tls_policy_maps  parameter   and
7586       TLS_README for more information about security levels.
7587
7588       Example:
7589
7590       # Preferred syntax with Postfix >= 2.5:
7591       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7592       # Legacy syntax:
7593       smtp_tls_mandatory_protocols = TLSv1
7594
7595       This feature is available in Postfix 2.3 and later.
7596

smtp_tls_note_starttls_offer (default: no)

7598       Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
7599       is not already enabled for that server.
7600
7601       The logfile record looks like:
7602
7603       postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
7604
7605       This feature is available in Postfix 2.2 and later.
7606

smtp_tls_per_site (default: empty)

7608       Optional lookup tables with the Postfix SMTP client TLS usage policy by
7609       next-hop  destination  and  by  remote SMTP server hostname.  When both
7610       lookups succeed, the more specific per-site policy  (NONE,  MUST,  etc)
7611       overrides  the  less  specific  one (MAY), and the more secure per-site
7612       policy (MUST, etc) overrides the less secure one (NONE).  With  Postfix
7613       2.3   and   later   smtp_tls_per_site   is  strongly  discouraged:  use
7614       smtp_tls_policy_maps instead.
7615
7616       Use of the bare hostname as the per-site table lookup key  is  discour‐
7617       aged.  Always  use  the full destination nexthop (enclosed in [] with a
7618       possible ":port" suffix). A recipient domain  or  MX-enabled  transport
7619       next-hop  with  no  port  suffix  may look like a bare hostname, but is
7620       still a suitable destination.
7621
7622       Specify a next-hop destination or  server  hostname  on  the  left-hand
7623       side;  no wildcards are allowed. The next-hop destination is either the
7624       recipient domain, or the destination specified with a transport(5)  ta‐
7625       ble, the relayhost parameter, or the relay_transport parameter.  On the
7626       right hand side specify one of the following keywords:
7627
7628       NONE   Don't use TLS at all. This overrides a less specific MAY  lookup
7629              result from the alternate host or next-hop lookup key, and over‐
7630              rides   the   global   smtp_use_tls,    smtp_enforce_tls,    and
7631              smtp_tls_enforce_peername settings.
7632
7633       MAY    Try  to  use  TLS if the server announces support, otherwise use
7634              the unencrypted connection. This has less precedence than a more
7635              specific  result  (including  NONE)  from  the alternate host or
7636              next-hop lookup key, and has less precedence than the more  spe‐
7637              cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
7638              name = yes".
7639
7640       MUST_NOPEERMATCH
7641              Require TLS encryption, but do not require that the remote  SMTP
7642              server  hostname  matches  the  information  in  the remote SMTP
7643              server certificate, or that the server certificate was issued by
7644              a  trusted  CA. This overrides a less secure NONE or a less spe‐
7645              cific MAY lookup result from  the  alternate  host  or  next-hop
7646              lookup    key,    and   overrides   the   global   smtp_use_tls,
7647              smtp_enforce_tls and smtp_tls_enforce_peername settings.
7648
7649       MUST   Require TLS encryption, require  that  the  remote  SMTP  server
7650              hostname  matches the information in the remote SMTP server cer‐
7651              tificate, and require that the remote  SMTP  server  certificate
7652              was  issued  by  a trusted CA. This overrides a less secure NONE
7653              and MUST_NOPEERMATCH or a less specific MAY lookup  result  from
7654              the  alternate  host  or  next-hop lookup key, and overrides the
7655              global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
7656              name settings.
7657
7658       The above keywords correspond to the "none", "may", "encrypt" and "ver‐
7659       ify" security levels  for  the  new  smtp_tls_security_level  parameter
7660       introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
7661       of how the policy  is  specified,  the  smtp_tls_mandatory_ciphers  and
7662       smtp_tls_mandatory_protocols  parameters  apply  when TLS encryption is
7663       mandatory. Connections  for  which  encryption  is  optional  typically
7664       enable  all "export" grade and better ciphers (see smtp_tls_ciphers and
7665       smtp_tls_protocols).
7666
7667       As long as no secure DNS lookup mechanism is available, false hostnames
7668       in  MX  or  CNAME responses can change the server hostname that Postfix
7669       uses for TLS policy lookup and server  certificate  verification.  Even
7670       with  a  perfect  match between the server hostname and the server cer‐
7671       tificate, there is no guarantee that Postfix is connected to the  right
7672       server.   See TLS_README (Closing a DNS loophole with obsolete per-site
7673       TLS policies) for a possible work-around.
7674
7675       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
7676       and later use smtp_tls_policy_maps instead.
7677

smtp_tls_policy_maps (default: empty)

7679       Optional lookup tables with the Postfix SMTP client TLS security policy
7680       by next-hop destination; when a  non-empty  value  is  specified,  this
7681       overrides the obsolete smtp_tls_per_site parameter.  See TLS_README for
7682       a more detailed discussion of TLS security levels.
7683
7684       Specify zero or more "type:name" lookup tables, separated by whitespace
7685       or  comma. Tables will be searched in the specified order until a match
7686       is found.
7687
7688       The TLS policy table is indexed by the full next-hop destination, which
7689       is  either  the recipient domain, or the verbatim next-hop specified in
7690       the    transport    table,    $local_transport,     $virtual_transport,
7691       $relay_transport  or  $default_transport.  This  includes any enclosing
7692       square brackets and any non-default destination server port suffix. The
7693       LMTP  socket type prefix (inet: or unix:) is not included in the lookup
7694       key.
7695
7696       Only the next-hop domain, or $myhostname  with  LMTP  over  UNIX-domain
7697       sockets,  is used as the nexthop name for certificate verification. The
7698       port and any enclosing square brackets are used  in  the  table  lookup
7699       key, but are not used for server name verification.
7700
7701       When  the lookup key is a domain name without enclosing square brackets
7702       or any :port suffix (typically the  recipient  domain),  and  the  full
7703       domain  is not found in the table, just as with the transport(5) table,
7704       the parent domain starting with a leading "." is  matched  recursively.
7705       This allows one to specify a security policy for a recipient domain and
7706       all its sub-domains.
7707
7708       The lookup result is a security level, followed by an optional list  of
7709       whitespace  and/or  comma separated name=value attributes that override
7710       related main.cf settings. The TLS security levels in order of  increas‐
7711       ing security are:
7712
7713       none   No TLS. No additional attributes are supported at this level.
7714
7715       may    Opportunistic  TLS.  Since  sending  in the clear is acceptable,
7716              demanding stronger than  default  TLS  security  merely  reduces
7717              interoperability.  The optional "ciphers", "exclude" and "proto‐
7718              cols" attributes (available for opportunistic TLS  with  Postfix
7719              >=       2.6)       override       the       "smtp_tls_ciphers",
7720              "smtp_tls_exclude_ciphers" and  "smtp_tls_protocols"  configura‐
7721              tion parameters. When opportunistic TLS handshakes fail, Postfix
7722              retries the connection with  TLS  disabled.   This  allows  mail
7723              delivery to sites with non-interoperable TLS implementations.
7724
7725       encrypt
7726              Mandatory TLS encryption. At this level and higher, the optional
7727              "protocols"  attribute  overrides  the  main.cf  smtp_tls_manda‐
7728              tory_protocols parameter, the optional "ciphers" attribute over‐
7729              rides the main.cf smtp_tls_mandatory_ciphers parameter, and  the
7730              optional  "exclude"  attribute  (Postfix  >=  2.6) overrides the
7731              main.cf  smtp_tls_mandatory_exclude_ciphers  parameter.  In  the
7732              policy  table,  multiple  protocols  or excluded ciphers must be
7733              separated by colons, as attribute values may not contain  white‐
7734              space or commas.
7735
7736       dane   Opportunistic  DANE  TLS.  The TLS policy for the destination is
7737              obtained via TLSA records in DNSSEC.  If  no  TLSA  records  are
7738              found,  the  effective  security  level  used  is  may.  If TLSA
7739              records are found, but none are usable, the  effective  security
7740              level is encrypt.  When usable TLSA records are obtained for the
7741              remote SMTP server, the server certificate must match  the  TLSA
7742              records.   RFC 7672 (DANE) TLS authentication and DNSSEC support
7743              is available with Postfix 2.11 and later.
7744
7745       dane-only
7746              Mandatory DANE TLS.  The  TLS  policy  for  the  destination  is
7747              obtained  via  TLSA  records  in DNSSEC.  If no TLSA records are
7748              found, or none are usable, no connection is made to the  server.
7749              When  usable  TLSA  records  are  obtained  for  the remote SMTP
7750              server, the server certificate must match the TLSA records.  RFC
7751              7672  (DANE)  TLS authentication and DNSSEC support is available
7752              with Postfix 2.11 and later.
7753
7754       fingerprint
7755              Certificate fingerprint verification. Available with Postfix 2.5
7756              and later. At this security level, there are no trusted Certifi‐
7757              cation Authorities.  The  certificate  trust  chain,  expiration
7758              date,   ...   are  not  checked.  Instead,  the  optional  match
7759              attribute, or else the  main.cf  smtp_tls_fingerprint_cert_match
7760              parameter,  lists the certificate fingerprints or the public key
7761              fingerprint (Postfix 2.9 and later) of the valid server certifi‐
7762              cate.  The digest algorithm used to calculate the fingerprint is
7763              selected by the smtp_tls_fingerprint_digest parameter.  Multiple
7764              fingerprints  can  be  combined with a "|" delimiter in a single
7765              match attribute, or multiple match attributes can  be  employed.
7766              The  ":"  character  is  not  used  as  a delimiter as it occurs
7767              between each pair of fingerprint (hexadecimal) digits.
7768
7769       verify Mandatory TLS verification.  At  this  security  level,  DNS  MX
7770              lookups  are  trusted to be secure enough, and the name verified
7771              in the server certificate is  usually  obtained  indirectly  via
7772              unauthenticated  DNS MX lookups.  The optional "match" attribute
7773              overrides the main.cf smtp_tls_verify_cert_match  parameter.  In
7774              the policy table, multiple match patterns and strategies must be
7775              separated by colons.  In practice explicit control over matching
7776              is more common with the "secure" policy, described below.
7777
7778       secure Secure-channel  TLS.  At  this  security  level, DNS MX lookups,
7779              though potentially used  to  determine  the  candidate  next-hop
7780              gateway  IP  addresses,  are not trusted to be secure enough for
7781              TLS peername verification. Instead, the default name verified in
7782              the  server  certificate is obtained directly from the next-hop,
7783              or is explicitly specified  via  the  optional  match  attribute
7784              which  overrides  the main.cf smtp_tls_secure_cert_match parame‐
7785              ter. In the policy table, multiple match patterns and strategies
7786              must be separated by colons.  The match attribute is most useful
7787              when multiple domains are supported by common server, the policy
7788              entries  for  additional  domains specify matching rules for the
7789              primary domain  certificate.  While  transport  table  overrides
7790              routing  the secondary domains to the primary nexthop also allow
7791              secure verification, they risk delivery to the wrong destination
7792              when  domains  change  hands or are re-assigned to new gateways.
7793              With the "match" attribute approach, routing is  not  perturbed,
7794              and mail is deferred if verification of a new MX host fails.
7795
7796       Example:
7797
7798       /etc/postfix/main.cf:
7799           smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7800           # Postfix 2.5 and later
7801           smtp_tls_fingerprint_digest = md5
7802
7803       /etc/postfix/tls_policy:
7804           example.edu                 none
7805           example.mil                 may
7806           example.gov                 encrypt protocols=TLSv1
7807           example.com                 verify ciphers=high
7808           example.net                 secure
7809           .example.net                secure match=.example.net:example.net
7810           [mail.example.org]:587      secure match=nexthop
7811           # Postfix 2.5 and later
7812           [thumb.example.org]          fingerprint
7813               match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7814               match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7815
7816       Note:  The  hostname  strategy  if  listed  in a non-default setting of
7817       smtp_tls_secure_cert_match or in the match attribute in the policy  ta‐
7818       ble  can  render the secure level vulnerable to DNS forgery. Do not use
7819       the hostname strategy for secure-channel configurations in environments
7820       where DNS security is not assured.
7821
7822       This feature is available in Postfix 2.3 and later.
7823

smtp_tls_protocols (default: !SSLv2, !SSLv3)

7825       List  of  TLS  protocols  that  the Postfix SMTP client will exclude or
7826       include  with  opportunistic  TLS  encryption.  The  default  value  is
7827       "!SSLv2,  !SSLv3"  for  Postfix  releases  after  the  middle  of 2015,
7828       "!SSLv2" for older releases.  Before  Postfix  2.6,  the  Postfix  SMTP
7829       client would use all protocols with opportunistic TLS.
7830
7831       In main.cf the values are separated by whitespace, commas or colons. In
7832       the policy table (see smtp_tls_policy_maps) the only valid separator is
7833       colon.  An  empty  value  means allow all protocols. The valid protocol
7834       names, (see \fBfBSSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".
7835
7836       The range of protocols advertised by an SSL/TLS client must be contigu‐
7837       ous.   When a protocol version is enabled, disabling any higher version
7838       implicitly disables all versions above that higher version.  Thus,  for
7839       example:
7840
7841           smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7842       also  disables  any  protocols  version  higher than TLSv1 leaving only
7843       "SSLv3" enabled.
7844
7845       Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"  and
7846       "TLSv1.2".  The latest patch levels of Postfix >= 2.6, and all versions
7847       of Postfix >= 2.10 can explicitly  disable  support  for  "TLSv1.1"  or
7848       "TLSv1.2"
7849
7850       To  include  a  protocol  list its name, to exclude it, prefix the name
7851       with a "!" character.  To  exclude  SSLv2  for  opportunistic  TLS  set
7852       "smtp_tls_protocols  = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
7853       "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
7854       to  include,  rather  than  protocols to exclude, is supported, but not
7855       recommended.  The exclusion form more closely  matches  the  underlying
7856       OpenSSL interface semantics.
7857
7858       Example:
7859       # TLSv1 or better:
7860       smtp_tls_protocols = !SSLv2, !SSLv3
7861
7862       This feature is available in Postfix 2.6 and later.
7863

smtp_tls_scert_verifydepth (default: 9)

7865       The  verification depth for remote SMTP server certificates. A depth of
7866       1 is sufficient if the issuing CA is listed in a local CA file.
7867
7868       The default verification depth is 9 (the OpenSSL default) for  compati‐
7869       bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
7870       value was 5, but the limit was not actually enforced. If you  have  set
7871       this  to  a  lower  non-default  value,  certificates with longer trust
7872       chains may now fail to verify. Certificate chains with 1 or 2  CAs  are
7873       common,  deeper  chains  are  more  rare and any number between 5 and 9
7874       should suffice in practice. You can choose a lower number if, for exam‐
7875       ple,  you  trust  certificates directly signed by an issuing CA but not
7876       any CAs it delegates to.
7877
7878       This feature is available in Postfix 2.2 and later.
7879

smtp_tls_secure_cert_match (default: nexthop, dot-nexthop)

7881       How the Postfix SMTP client verifies the  server  certificate  peername
7882       for  the  "secure"  TLS  security level. In a "secure" TLS policy table
7883       ($smtp_tls_policy_maps) entry the optional "match" attribute  overrides
7884       this main.cf setting.
7885
7886       This  parameter  specifies one or more patterns or strategies separated
7887       by commas, whitespace or colons.  In the policy table  the  only  valid
7888       separator is the colon character.
7889
7890       For   a  description  of  the  pattern  and  strategy  syntax  see  the
7891       smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
7892       avoided  in  this  context,  as  in the absence of a secure global DNS,
7893       using the results of MX lookups  in  certificate  verification  is  not
7894       immune to active (man-in-the-middle) attacks on DNS.
7895
7896       Sample main.cf setting:
7897
7898           smtp_tls_secure_cert_match = nexthop
7899
7900       Sample policy table override:
7901
7902           example.net     secure match=example.com:.example.com
7903           .example.net    secure match=example.com:.example.com
7904
7905       This feature is available in Postfix 2.3 and later.
7906

smtp_tls_security_level (default: empty)

7908       The default SMTP TLS security level for the Postfix SMTP client; when a
7909       non-empty value is specified, this overrides  the  obsolete  parameters
7910       smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
7911
7912       Specify one of the following security levels:
7913
7914       none   No  TLS. TLS will not be used unless enabled for specific desti‐
7915              nations via smtp_tls_policy_maps.
7916
7917       may    Opportunistic TLS. Use TLS if this is supported  by  the  remote
7918              SMTP server, otherwise use plaintext. Since sending in the clear
7919              is acceptable, demanding  stronger  than  default  TLS  security
7920              merely  reduces  interoperability.   The  "smtp_tls_ciphers" and
7921              "smtp_tls_protocols" (Postfix >= 2.6)  configuration  parameters
7922              provide  control  over  the protocols and cipher grade used with
7923              opportunistic TLS.  With earlier releases the opportunistic  TLS
7924              cipher  grade  is always "export" and no protocols are disabled.
7925              When TLS handshakes fail, the connection  is  retried  with  TLS
7926              disabled.   This allows mail delivery to sites with non-interop‐
7927              erable TLS implementations.
7928
7929       encrypt
7930              Mandatory TLS encryption. Since a minimum level of  security  is
7931              intended,  it  is  reasonable  to be specific about sufficiently
7932              secure protocol versions and ciphers. At this security level and
7933              higher,  the main.cf parameters smtp_tls_mandatory_protocols and
7934              smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
7935              cipher grade which the administrator considers secure enough for
7936              mandatory encrypted sessions. This  security  level  is  not  an
7937              appropriate default for systems delivering mail to the Internet.
7938
7939       dane   Opportunistic  DANE TLS.  At this security level, the TLS policy
7940              for the destination is obtained via DNSSEC.  For TLSA policy  to
7941              be  in effect, the destination domain's containing DNS zone must
7942              be signed and the Postfix SMTP client's operating system must be
7943              configured to send its DNS queries to a recursive DNS nameserver
7944              that is able to validate the signed records.  Each MX host's DNS
7945              zone  should  also  be signed, and should publish DANE TLSA (RFC
7946              7672) records that specify how that MX host's TLS certificate is
7947              to  be verified.  TLSA records do not preempt the normal SMTP MX
7948              host selection algorithm, if some MX hosts support TLSA and oth‐
7949              ers  do  not,  TLS security will vary from delivery to delivery.
7950              It is up to the domain owner to configure  their  MX  hosts  and
7951              their  DNS  sensibly.   To configure the Postfix SMTP client for
7952              DNSSEC lookups  see  the  documentation  for  the  smtp_dns_sup‐
7953              port_level   main.cf   parameter.   When  DNSSEC-validated  TLSA
7954              records are not found the effective tls security level is "may".
7955              When  TLSA records are found, but are all unusable the effective
7956              security level is  "encrypt".   For  purposes  of  protocol  and
7957              cipher  selection,  the  "dane" security level is treated like a
7958              "mandatory" TLS security level, and weak ciphers  and  protocols
7959              are  disabled.  Since DANE authenticates server certificates the
7960              "aNULL" cipher-suites are transparently excluded at this  level,
7961              no need to configure this manually.  RFC 7672 (DANE) TLS authen‐
7962              tication is available with Postfix 2.11 and later.
7963
7964       dane-only
7965              Mandatory DANE TLS.  This is just like "dane"  above,  but  DANE
7966              TLSA  authentication is required.  There is no fallback to "may"
7967              or "encrypt" when TLSA records are  missing  or  unusable.   RFC
7968              7672  (DANE)  TLS  authentication is available with Postfix 2.11
7969              and later.
7970
7971       fingerprint
7972              Certificate fingerprint verification.  At this  security  level,
7973              there are no trusted Certification Authorities.  The certificate
7974              trust chain, expiration date, etc., are  not  checked.  Instead,
7975              the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
7976              cate fingerprint or public  key  fingerprint  (Postfix  2.9  and
7977              later)  of  the  valid  server certificate. The digest algorithm
7978              used  to  calculate  the  fingerprint   is   selected   by   the
7979              smtp_tls_fingerprint_digest  parameter.  Available  with Postfix
7980              2.5 and later.
7981
7982       verify Mandatory TLS verification.  At  this  security  level,  DNS  MX
7983              lookups  are  trusted to be secure enough, and the name verified
7984              in the server certificate is  usually  obtained  indirectly  via
7985              unauthenticated  DNS  MX lookups. The smtp_tls_verify_cert_match
7986              parameter controls how the server name is verified. In  practice
7987              explicit  control  over  matching is more common at the "secure"
7988              level, described below. This security level is not an  appropri‐
7989              ate default for systems delivering mail to the Internet.
7990
7991       secure Secure-channel  TLS.   At  this  security level, DNS MX lookups,
7992              though potentially used  to  determine  the  candidate  next-hop
7993              gateway  IP  addresses,  are not trusted to be secure enough for
7994              TLS peername verification. Instead, the default name verified in
7995              the  server  certificate is obtained from the next-hop domain as
7996              specified in the smtp_tls_secure_cert_match configuration param‐
7997              eter.  The  default  matching  rule is that a server certificate
7998              matches when its name is equal to or is a sub-domain of the nex‐
7999              thop  domain.  This security level is not an appropriate default
8000              for systems delivering mail to the Internet.
8001
8002       Examples:
8003
8004       # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8005       smtp_tls_security_level = none
8006
8007       # Opportunistic TLS.
8008       smtp_tls_security_level = may
8009       # Postfix >= 2.6:
8010       # Do not tweak opportunistic ciphers or protocol unless it is essential
8011       # to do so (if a security vulnerability is found in the SSL library that
8012       # can be mitigated by disabling a particular protocol or raising the
8013       # cipher grade from "export" to "low" or "medium").
8014       smtp_tls_ciphers = export
8015       smtp_tls_protocols = !SSLv2, !SSLv3
8016
8017       # Mandatory (high-grade) TLS encryption.
8018       smtp_tls_security_level = encrypt
8019       smtp_tls_mandatory_ciphers = high
8020
8021       # Mandatory TLS verification of hostname or nexthop domain.
8022       smtp_tls_security_level = verify
8023       smtp_tls_mandatory_ciphers = high
8024       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8025
8026       # Secure channel TLS with exact nexthop name match.
8027       smtp_tls_security_level = secure
8028       smtp_tls_mandatory_protocols = TLSv1
8029       smtp_tls_mandatory_ciphers = high
8030       smtp_tls_secure_cert_match = nexthop
8031
8032       # Certificate fingerprint verification (Postfix >= 2.5).
8033       # The CA-less "fingerprint" security level only scales to a limited
8034       # number of destinations. As a global default rather than a per-site
8035       # setting, this is practical when mail for all recipients is sent
8036       # to a central mail hub.
8037       relayhost = [mailhub.example.com]
8038       smtp_tls_security_level = fingerprint
8039       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8040       smtp_tls_mandatory_ciphers = high
8041       smtp_tls_fingerprint_cert_match =
8042           3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8043           EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8044
8045       This feature is available in Postfix 2.3 and later.
8046

smtp_tls_session_cache_database (default: empty)

8048       Name of the file containing the optional Postfix SMTP client  TLS  ses‐
8049       sion  cache. Specify a database type that supports enumeration, such as
8050       btree or sdbm; there is no need to support concurrent access.  The file
8051       is  created  if it does not exist. The smtp(8) daemon does not use this
8052       parameter directly, rather the cache is implemented indirectly  in  the
8053       tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8054       of this parameter are not effective.  Note,  that  each  of  the  cache
8055       databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
8056       base, $smtp_tls_session_cache_database (and with Postfix 2.3 and  later
8057       $lmtp_tls_session_cache_database), needs to be stored separately. It is
8058       not at this time possible to store multiple caches in  a  single  data‐
8059       base.
8060
8061       Note:  dbm  databases  are  not  suitable.  TLS session objects are too
8062       large.
8063
8064       As of version 2.5, Postfix no longer uses root privileges when  opening
8065       this  file.  The  file  should  now  be  stored under the Postfix-owned
8066       data_directory. As a migration aid, an attempt to open the file under a
8067       non-Postfix  directory  is  redirected to the Postfix-owned data_direc‐
8068       tory, and a warning is logged.
8069
8070       Example:
8071
8072       smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8073
8074       This feature is available in Postfix 2.2 and later.
8075

smtp_tls_session_cache_timeout (default: 3600s)

8077       The expiration time of Postfix SMTP client TLS session  cache  informa‐
8078       tion.   A  cache cleanup is performed periodically every $smtp_tls_ses‐
8079       sion_cache_timeout seconds. As  with  $smtp_tls_session_cache_database,
8080       this  parameter  is  implemented  in the tlsmgr(8) daemon and therefore
8081       per-smtp-instance master.cf overrides are not possible.
8082
8083       As of Postfix 2.11 this setting cannot exceed 100 days.  If set  <=  0,
8084       session  caching  is  disabled.  If set to a positive value less than 2
8085       minutes, the minimum value of 2 minutes is used instead.
8086
8087       This feature is available in Postfix 2.2 and later.
8088

smtp_tls_trust_anchor_file (default: empty)

8090       Zero or more PEM-format files  with  trust-anchor  certificates  and/or
8091       public  keys.  If the parameter is not empty the root CAs in CAfile and
8092       CApath are no longer trusted.  Rather, the  Postfix  SMTP  client  will
8093       only  trust  certificate-chains signed by one of the trust-anchors con‐
8094       tained in the chosen files.  The  specified  trust-anchor  certificates
8095       and  public  keys  are  not  subject  to  expiration,  and  need not be
8096       (self-signed) root CAs.  They may, if desired, be intermediate certifi‐
8097       cates.  Therefore, these certificates also may be found "in the middle"
8098       of the trust chain  presented  by  the  remote  SMTP  server,  and  any
8099       untrusted  issuing parent certificates will be ignored.  Specify a list
8100       of pathnames separated by comma or whitespace.
8101
8102       Whether specified in  main.cf,  or  on  a  per-destination  basis,  the
8103       trust-anchor  PEM file must be accessible to the Postfix SMTP client in
8104       the chroot jail if applicable.  The trust-anchor  file  should  contain
8105       only certificates and public keys, no private key material, and must be
8106       readable by the non-privileged $mail_owner user.  This allows  destina‐
8107       tions  to  be  bound  to  a  set of specific CAs or public keys without
8108       trusting the same CAs for all destinations.
8109
8110       The main.cf parameter  supports  single-purpose  Postfix  installations
8111       that  send  mail  to  a  fixed  set  of  SMTP peers.  At most sites, if
8112       trust-anchor files are used  at  all,  they  will  be  specified  on  a
8113       per-destination  basis  via  the "tafile" attribute of the "verify" and
8114       "secure" levels in smtp_tls_policy_maps.
8115
8116       The underlying mechanism is in support of RFC 7672 (DANE  TLSA),  which
8117       defines  mechanisms for an SMTP client MTA to securely determine server
8118       TLS certificates via DNS.
8119
8120       If you want your trust anchors to be public keys, with OpenSSL you  can
8121       extract a single PEM public key from a PEM X.509 file containing a sin‐
8122       gle certificate, as follows:
8123
8124           $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8125
8126       This feature is available in Postfix 2.11 and later.
8127

smtp_tls_verify_cert_match (default: hostname)

8129       How the Postfix SMTP client verifies the  server  certificate  peername
8130       for  the  "verify"  TLS  security level. In a "verify" TLS policy table
8131       ($smtp_tls_policy_maps) entry the optional "match" attribute  overrides
8132       this main.cf setting.
8133
8134       This  parameter  specifies one or more patterns or strategies separated
8135       by commas, whitespace or colons.  In the policy table  the  only  valid
8136       separator is the colon character.
8137
8138       Patterns specify domain names, or domain name suffixes:
8139
8140       example.com
8141              Match  the  example.com domain, i.e. one of the names the server
8142              certificate must be example.com, upper and lower  case  distinc‐
8143              tions are ignored.
8144
8145       .example.com
8146              Match subdomains of the example.com domain, i.e. match a name in
8147              the server certificate that consists of  a  non-zero  number  of
8148              labels  followed by a .example.com suffix. Case distinctions are
8149              ignored.
8150
8151       Strategies specify a transformation from the  next-hop  domain  to  the
8152       expected name in the server certificate:
8153
8154       nexthop
8155              Match against the next-hop domain, which is either the recipient
8156              domain, or the transport  next-hop  configured  for  the  domain
8157              stripped  of  any  optional socket type prefix, enclosing square
8158              brackets and trailing port. When MX lookups are not  suppressed,
8159              this  is the original nexthop domain prior to the MX lookup, not
8160              the result of the MX lookup. For LMTP delivery  via  UNIX-domain
8161              sockets, the verified next-hop name is $myhostname.  This strat‐
8162              egy is suitable for  use  with  the  "secure"  policy.  Case  is
8163              ignored.
8164
8165       dot-nexthop
8166              As above, but match server certificate names that are subdomains
8167              of the next-hop domain. Case is ignored.
8168
8169       hostname
8170              Match against the hostname of the server, often obtained via  an
8171              unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
8172              sockets, the verified name is $myhostname. This matches the ver‐
8173              ification  strategy  of  the  "MUST"  keyword  in  the  obsolete
8174              smtp_tls_per_site table, and is suitable for use with the  "ver‐
8175              ify"  security  level.  When  the  next-hop  name is enclosed in
8176              square brackets to suppress MX lookups, the "hostname"  strategy
8177              is the same as the "nexthop" strategy. Case is ignored.
8178
8179       Sample main.cf setting:
8180
8181       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8182
8183       Sample policy table override:
8184
8185       example.com     verify  match=hostname:nexthop
8186       .example.com    verify  match=example.com:.example.com:hostname
8187
8188       This feature is available in Postfix 2.3 and later.
8189

smtp_tls_wrappermode (default: no)

8191       Request  that  the  Postfix SMTP client connects using the legacy SMTPS
8192       protocol instead of using the STARTTLS command.
8193
8194       This mode requires "smtp_tls_security_level = encrypt" or stronger.
8195
8196       Example: deliver all remote mail via a  provider's  server  "mail.exam‐
8197       ple.com".
8198
8199       /etc/postfix/main.cf:
8200           # Client-side SMTPS requires "encrypt" or stronger.
8201           smtp_tls_security_level = encrypt
8202           smtp_tls_wrappermode = yes
8203           # The [] suppress MX lookups.
8204           relayhost = [mail.example.com]:465
8205
8206       More  examples  are in TLS_README, including examples for older Postfix
8207       versions.
8208
8209       This feature is available in Postfix 3.0 and later.
8210

smtp_use_tls (default: no)

8212       Opportunistic mode: use TLS when a remote SMTP server announces  START‐
8213       TLS  support,  otherwise  send the mail in the clear. Beware: some SMTP
8214       servers offer STARTTLS even if it is not configured.   With  Postfix  <
8215       2.3,  if  the  TLS  handshake  fails, and no other server is available,
8216       delivery is deferred and mail stays in the queue. If this is a  concern
8217       for you, use the smtp_tls_per_site feature instead.
8218
8219       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
8220       and later use smtp_tls_security_level instead.
8221

smtp_xforward_timeout (default: 300s)

8223       The Postfix SMTP client time limit for sending  the  XFORWARD  command,
8224       and for receiving the remote SMTP server response.
8225
8226       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
8227       The default time unit is s (seconds).
8228
8229       This feature is available in Postfix 2.1 and later.
8230

smtpd_authorized_verp_clients (default: $authorized_verp_clients)

8232       What remote SMTP clients are allowed  to  specify  the  XVERP  command.
8233       This  command  requests  that mail be delivered one recipient at a time
8234       with a per recipient return address.
8235
8236       By default, no clients are allowed to specify XVERP.
8237
8238       This parameter was renamed with Postfix version 2.1. The default  value
8239       is backwards compatible with Postfix version 2.0.
8240
8241       Specify  a list of network/netmask patterns, separated by commas and/or
8242       whitespace. The mask specifies the number of bits in the  network  part
8243       of a host address. You can also specify hostnames or .domain names (the
8244       initial  dot  causes  the  domain  to  match  any   name   below   it),
8245       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
8246       replaced by its contents; a "type:table" lookup table is matched when a
8247       table  entry  matches  a  lookup string (the lookup result is ignored).
8248       Continue long lines by starting the next line with whitespace.  Specify
8249       "!pattern"  to  exclude  an address or network block from the list. The
8250       form "!/file/name" is supported only in Postfix version 2.4 and later.
8251
8252       Note: IP version 6 address information must be specified inside  []  in
8253       the  smtpd_authorized_verp_clients  value,  and in files specified with
8254       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
8255       would otherwise be confused with a "type:table" pattern.
8256

smtpd_authorized_xclient_hosts (default: empty)

8258       What  remote SMTP clients are allowed to use the XCLIENT feature.  This
8259       command overrides remote SMTP  client  information  that  is  used  for
8260       access  control.  Typical use is for SMTP-based content filters, fetch‐
8261       mail-like programs,  or  SMTP  server  access  rule  testing.  See  the
8262       XCLIENT_README document for details.
8263
8264       This feature is available in Postfix 2.1 and later.
8265
8266       By default, no clients are allowed to specify XCLIENT.
8267
8268       Specify  a list of network/netmask patterns, separated by commas and/or
8269       whitespace. The mask specifies the number of bits in the  network  part
8270       of a host address. You can also specify hostnames or .domain names (the
8271       initial  dot  causes  the  domain  to  match  any   name   below   it),
8272       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
8273       replaced by its contents; a "type:table" lookup table is matched when a
8274       table  entry  matches  a  lookup string (the lookup result is ignored).
8275       Continue long lines by starting the next line with whitespace.  Specify
8276       "!pattern"  to  exclude  an address or network block from the list. The
8277       form "!/file/name" is supported only in Postfix version 2.4 and later.
8278
8279       Note: IP version 6 address information must be specified inside  []  in
8280       the  smtpd_authorized_xclient_hosts  value, and in files specified with
8281       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
8282       would otherwise be confused with a "type:table" pattern.
8283

smtpd_authorized_xforward_hosts (default: empty)

8285       What remote SMTP clients are allowed to use the XFORWARD feature.  This
8286       command forwards information that is  used  to  improve  logging  after
8287       SMTP-based  content  filters.  See  the  XFORWARD_README  document  for
8288       details.
8289
8290       This feature is available in Postfix 2.1 and later.
8291
8292       By default, no clients are allowed to specify XFORWARD.
8293
8294       Specify a list of network/netmask patterns, separated by commas  and/or
8295       whitespace.  The  mask specifies the number of bits in the network part
8296       of a host address. You can also specify hostnames or .domain names (the
8297       initial   dot   causes   the  domain  to  match  any  name  below  it),
8298       "/file/name" or  "type:table"  patterns.   A  "/file/name"  pattern  is
8299       replaced by its contents; a "type:table" lookup table is matched when a
8300       table entry matches a lookup string (the  lookup  result  is  ignored).
8301       Continue  long lines by starting the next line with whitespace. Specify
8302       "!pattern" to exclude an address or network block from  the  list.  The
8303       form "!/file/name" is supported only in Postfix version 2.4 and later.
8304
8305       Note:  IP  version 6 address information must be specified inside [] in
8306       the smtpd_authorized_xforward_hosts value, and in files specified  with
8307       "/file/name".   IP  version  6 addresses contain the ":" character, and
8308       would otherwise be confused with a "type:table" pattern.
8309

smtpd_banner (default: $myhostname ESMTP $mail_name)

8311       The text that follows the 220 status code in the SMTP greeting  banner.
8312       Some  people like to see the mail version advertised. By default, Post‐
8313       fix shows no version.
8314
8315       You MUST specify $myhostname at the start of the text. This is required
8316       by the SMTP protocol.
8317
8318       Example:
8319
8320       smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
8321

smtpd_client_auth_rate_limit (default: 0)

8323       The  maximal number of AUTH commands that any client is allowed to send
8324       to this service per time unit, regardless of  whether  or  not  Postfix
8325       actually  accepts  those commands.  The time unit is specified with the
8326       anvil_rate_time_unit configuration parameter.
8327
8328       By default, there is no limit on the number AUTH commands that a client
8329       may send.
8330
8331       To disable this feature, specify a limit of 0.
8332
8333       WARNING:  The purpose of this feature is to limit abuse. It must not be
8334       used to regulate legitimate mail traffic.
8335
8336       This feature is available in Postfix 3.1 and later.
8337

smtpd_client_connection_count_limit (default: 50)

8339       How many simultaneous connections any client is allowed to make to this
8340       service.   By  default,  the  limit  is set to half the default process
8341       limit value.
8342
8343       To disable this feature, specify a limit of 0.
8344
8345       WARNING: The purpose of this feature is to limit abuse. It must not  be
8346       used to regulate legitimate mail traffic.
8347
8348       This feature is available in Postfix 2.2 and later.
8349

smtpd_client_connection_rate_limit (default: 0)

8351       The maximal number of connection attempts any client is allowed to make
8352       to this service per time unit.  The time unit  is  specified  with  the
8353       anvil_rate_time_unit configuration parameter.
8354
8355       By  default,  a  client  can  make as many connections per time unit as
8356       Postfix can accept.
8357
8358       To disable this feature, specify a limit of 0.
8359
8360       WARNING: The purpose of this feature is to limit abuse. It must not  be
8361       used to regulate legitimate mail traffic.
8362
8363       This feature is available in Postfix 2.2 and later.
8364
8365       Example:
8366
8367       smtpd_client_connection_rate_limit = 1000
8368

smtpd_client_event_limit_exceptions (default: $mynetworks)

8370       Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
8371       tions. See the mynetworks parameter description for the parameter value
8372       syntax.
8373
8374       By default, clients in trusted networks are excluded. Specify a list of
8375       network blocks, hostnames or .domain names (the initial dot causes  the
8376       domain to match any name below it).
8377
8378       Note:  IP  version 6 address information must be specified inside [] in
8379       the smtpd_client_event_limit_exceptions value, and in  files  specified
8380       with  "/file/name".   IP version 6 addresses contain the ":" character,
8381       and would otherwise be confused with a "type:table" pattern.
8382
8383       Pattern matching of domain names  is  controlled  by  the  presence  or
8384       absence    of   "smtpd_client_event_limit_exceptions"   in   the   par‐
8385       ent_domain_matches_subdomains parameter value (postfix 3.0 and later).
8386
8387       This feature is available in Postfix 2.2 and later.
8388

smtpd_client_message_rate_limit (default: 0)

8390       The maximal number of message delivery  requests  that  any  client  is
8391       allowed to make to this service per time unit, regardless of whether or
8392       not Postfix actually accepts those messages.  The time unit  is  speci‐
8393       fied with the anvil_rate_time_unit configuration parameter.
8394
8395       By  default,  a  client  can send as many message delivery requests per
8396       time unit as Postfix can accept.
8397
8398       To disable this feature, specify a limit of 0.
8399
8400       WARNING: The purpose of this feature is to limit abuse. It must not  be
8401       used to regulate legitimate mail traffic.
8402
8403       This feature is available in Postfix 2.2 and later.
8404
8405       Example:
8406
8407       smtpd_client_message_rate_limit = 1000
8408

smtpd_client_new_tls_session_rate_limit (default: 0)

8410       The  maximal  number of new (i.e., uncached) TLS sessions that a remote
8411       SMTP client is allowed to negotiate with this service  per  time  unit.
8412       The  time unit is specified with the anvil_rate_time_unit configuration
8413       parameter.
8414
8415       By default, a remote SMTP client can negotiate as many new TLS sessions
8416       per time unit as Postfix can accept.
8417
8418       To  disable  this  feature,  specify a limit of 0. Otherwise, specify a
8419       limit that is at least the per-client concurrent session limit, or else
8420       legitimate client sessions may be rejected.
8421
8422       WARNING:  The purpose of this feature is to limit abuse. It must not be
8423       used to regulate legitimate mail traffic.
8424
8425       This feature is available in Postfix 2.3 and later.
8426
8427       Example:
8428
8429       smtpd_client_new_tls_session_rate_limit = 100
8430

smtpd_client_port_logging (default: no)

8432       Enable logging of the remote SMTP client port in addition to the  host‐
8433       name and IP address. The logging format is "host[address]:port".
8434
8435       This feature is available in Postfix 2.5 and later.
8436

smtpd_client_recipient_rate_limit (default: 0)

8438       The maximal number of recipient addresses that any client is allowed to
8439       send to this service per time unit, regardless of whether or not  Post‐
8440       fix actually accepts those recipients.  The time unit is specified with
8441       the anvil_rate_time_unit configuration parameter.
8442
8443       By default, a client can send as many recipient addresses per time unit
8444       as Postfix can accept.
8445
8446       To disable this feature, specify a limit of 0.
8447
8448       WARNING:  The purpose of this feature is to limit abuse. It must not be
8449       used to regulate legitimate mail traffic.
8450
8451       This feature is available in Postfix 2.2 and later.
8452
8453       Example:
8454
8455       smtpd_client_recipient_rate_limit = 1000
8456

smtpd_client_restrictions (default: empty)

8458       Optional restrictions that the Postfix SMTP server applies in the  con‐
8459       text  of a client connection request.  See SMTPD_ACCESS_README, section
8460       "Delayed evaluation of SMTP access restriction lists" for a  discussion
8461       of evaluation context and time.
8462
8463       The default is to allow all connection requests.
8464
8465       Specify  a list of restrictions, separated by commas and/or whitespace.
8466       Continue  long  lines  by  starting  the  next  line  with  whitespace.
8467       Restrictions  are applied in the order as specified; the first restric‐
8468       tion that matches wins.
8469
8470       The following restrictions are specific to client  hostname  or  client
8471       network address information.
8472
8473       check_ccert_access type:table
8474              Use the remote SMTP client certificate fingerprint or the public
8475              key fingerprint (Postfix 2.9 and later) as lookup  key  for  the
8476              specified  access(5)  database;  with  Postfix version 2.2, also
8477              require that the remote SMTP client certificate is verified suc‐
8478              cessfully.  The fingerprint digest algorithm is configurable via
8479              the smtpd_tls_fingerprint_digest parameter  (hard-coded  as  md5
8480              prior  to  Postfix version 2.5).  This feature is available with
8481              Postfix version 2.2 and later.
8482
8483       check_client_access type:table
8484              Search the specified access database for  the  client  hostname,
8485              parent  domains,  client  IP  address,  or  networks obtained by
8486              stripping least significant octets.  See  the  access(5)  manual
8487              page for details.
8488
8489       check_client_a_access type:table
8490              Search the specified access(5) database for the IP addresses for
8491              the client  hostname,  and  execute  the  corresponding  action.
8492              Note:  a  result  of  "OK"  is  not  allowed for safety reasons.
8493              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
8494              blacklists.  This feature is available in Postfix 3.0 and later.
8495
8496       check_client_mx_access type:table
8497              Search the specified access(5) database for the MX hosts for the
8498              client hostname, and execute the corresponding action.  Note:  a
8499              result  of  "OK" is not allowed for safety reasons. Instead, use
8500              DUNNO in order to exclude specific hosts from blacklists.   This
8501              feature is available in Postfix 2.7 and later.
8502
8503       check_client_ns_access type:table
8504              Search  the specified access(5) database for the DNS servers for
8505              the client  hostname,  and  execute  the  corresponding  action.
8506              Note:  a  result  of  "OK"  is  not  allowed for safety reasons.
8507              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
8508              blacklists.  This feature is available in Postfix 2.7 and later.
8509
8510       check_reverse_client_hostname_access type:table
8511              Search  the specified access database for the unverified reverse
8512              client hostname, parent domains, client IP address, or  networks
8513              obtained   by   stripping  least  significant  octets.  See  the
8514              access(5) manual page for details.  Note: a result  of  "OK"  is
8515              not  allowed for safety reasons.  Instead, use DUNNO in order to
8516              exclude specific hosts from blacklists.  This feature is  avail‐
8517              able in Postfix 2.6 and later.
8518
8519       check_reverse_client_hostname_a_access type:table
8520              Search the specified access(5) database for the IP addresses for
8521              the unverified reverse client hostname, and execute  the  corre‐
8522              sponding  action.   Note:  a  result  of "OK" is not allowed for
8523              safety reasons.  Instead, use DUNNO in order to exclude specific
8524              hosts from blacklists.  This feature is available in Postfix 3.0
8525              and later.
8526
8527       check_reverse_client_hostname_mx_access type:table
8528              Search the specified access(5) database for the MX hosts for the
8529              unverified  reverse client hostname, and execute the correspond‐
8530              ing action.  Note: a result of "OK" is not  allowed  for  safety
8531              reasons.   Instead, use DUNNO in order to exclude specific hosts
8532              from blacklists.  This feature is available in Postfix  2.7  and
8533              later.
8534
8535       check_reverse_client_hostname_ns_access type:table
8536              Search  the specified access(5) database for the DNS servers for
8537              the unverified reverse client hostname, and execute  the  corre‐
8538              sponding  action.   Note:  a  result  of "OK" is not allowed for
8539              safety reasons.  Instead, use DUNNO in order to exclude specific
8540              hosts from blacklists.  This feature is available in Postfix 2.7
8541              and later.
8542
8543       check_sasl_access type:table
8544              Use the remote SMTP client SASL user name as lookup key for  the
8545              specified access(5) database. The lookup key has the form "user‐
8546              name@domainname"  when  the  smtpd_sasl_local_domain   parameter
8547              value  is  non-empty.   Unlike  the check_client_access feature,
8548              check_sasl_access does not perform matches of parent domains  or
8549              IP  subnet  ranges.  This feature is available with Postfix ver‐
8550              sion 2.11 and later.
8551
8552       permit_inet_interfaces
8553              Permit  the  request  when  the  client   IP   address   matches
8554              $inet_interfaces.
8555
8556       permit_mynetworks
8557              Permit  the  request when the client IP address matches any net‐
8558              work or network address listed in  $mynetworks.
8559
8560       permit_sasl_authenticated
8561              Permit the request when the client is successfully authenticated
8562              via the RFC 4954 (AUTH) protocol.
8563
8564       permit_tls_all_clientcerts
8565              Permit  the  request  when the remote SMTP client certificate is
8566              verified successfully.  This option must be used only if a  spe‐
8567              cial  CA  issues  the certificates and only this CA is listed as
8568              trusted CA. Otherwise, clients with  a  third-party  certificate
8569              would  also be allowed to relay.  Specify "tls_append_default_CA
8570              = no" when the trusted CA is specified with smtpd_tls_CAfile  or
8571              smtpd_tls_CApath,  to  prevent  Postfix  from appending the sys‐
8572              tem-supplied default CAs.  This feature is available with  Post‐
8573              fix version 2.2.
8574
8575       permit_tls_clientcerts
8576              Permit  the request when the remote SMTP client certificate fin‐
8577              gerprint or public key fingerprint (Postfix 2.9  and  later)  is
8578              listed  in $relay_clientcerts.  The fingerprint digest algorithm
8579              is configurable via the  smtpd_tls_fingerprint_digest  parameter
8580              (hard-coded  as md5 prior to Postfix version 2.5).  This feature
8581              is available with Postfix version 2.2.
8582
8583       reject_rbl_client rbl_domain=d.d.d.d
8584              Reject the request when the reversed client network  address  is
8585              listed  with  the  A  record "d.d.d.d" under rbl_domain (Postfix
8586              version 2.1 and later only).  Each "d" is a number, or a pattern
8587              inside  "[]"  that contains one or more ";"-separated numbers or
8588              number..number ranges (Postfix version 2.8 and  later).   If  no
8589              "=d.d.d.d"  is  specified,  reject the request when the reversed
8590              client network  address  is  listed  with  any  A  record  under
8591              rbl_domain.
8592              The  maps_rbl_reject_code  parameter specifies the response code
8593              for rejected requests  (default:   554),  the  default_rbl_reply
8594              parameter   specifies   the   default   server  reply,  and  the
8595              rbl_reply_maps  parameter specifies tables with  server  replies
8596              indexed by rbl_domain.  This feature is available in Postfix 2.0
8597              and later.
8598
8599       permit_dnswl_client dnswl_domain=d.d.d.d
8600              Accept the request when the reversed client network  address  is
8601              listed with the A record "d.d.d.d" under dnswl_domain.  Each "d"
8602              is a number, or a pattern inside "[]" that contains one or  more
8603              ";"-separated   numbers   or   number..number   ranges.   If  no
8604              "=d.d.d.d" is specified, accept the request  when  the  reversed
8605              client  network  address  is  listed  with  any  A  record under
8606              dnswl_domain.
8607              For safety, permit_dnswl_client  is  silently  ignored  when  it
8608              would   override   reject_unauth_destination.    The  result  is
8609              DEFER_IF_REJECT when whitelist lookup fails.   This  feature  is
8610              available in Postfix 2.8 and later.
8611
8612       reject_rhsbl_client rbl_domain=d.d.d.d
8613              Reject the request when the client hostname is listed with the A
8614              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
8615              only).  Each "d" is a number, or a pattern inside "[]" that con‐
8616              tains one or more ";"-separated numbers or number..number ranges
8617              (Postfix version 2.8 and later).  If no "=d.d.d.d" is specified,
8618              reject the request when the client hostname is listed with any A
8619              record  under  rbl_domain. See the reject_rbl_client description
8620              above for additional RBL related configuration parameters.  This
8621              feature is available in Postfix 2.0 and later; with Postfix ver‐
8622              sion 2.8 and  later,  reject_rhsbl_reverse_client  will  usually
8623              produce better results.
8624
8625       permit_rhswl_client rhswl_domain=d.d.d.d
8626              Accept the request when the client hostname is listed with the A
8627              record "d.d.d.d" under rhswl_domain.  Each "d" is a number, or a
8628              pattern inside "[]" that contains one or more ";"-separated num‐
8629              bers or number..number ranges. If no  "=d.d.d.d"  is  specified,
8630              accept the request when the client hostname is listed with any A
8631              record under rhswl_domain.
8632              Caution: client name whitelisting is fragile, since  the  client
8633              name  lookup  can  fail  due  to temporary outages.  Client name
8634              whitelisting should be used only to reduce  false  positives  in
8635              e.g.   DNS-based  blocklists,  and  not  for  making access rule
8636              exceptions.
8637              For safety, permit_rhswl_client  is  silently  ignored  when  it
8638              would   override   reject_unauth_destination.    The  result  is
8639              DEFER_IF_REJECT when whitelist lookup fails.   This  feature  is
8640              available in Postfix 2.8 and later.
8641
8642       reject_rhsbl_reverse_client rbl_domain=d.d.d.d
8643              Reject  the  request when the unverified reverse client hostname
8644              is listed with the A record "d.d.d.d"  under  rbl_domain.   Each
8645              "d"  is  a number, or a pattern inside "[]" that contains one or
8646              more ";"-separated numbers  or  number..number  ranges.   If  no
8647              "=d.d.d.d"  is specified, reject the request when the unverified
8648              reverse client hostname  is  listed  with  any  A  record  under
8649              rbl_domain.  See  the  reject_rbl_client  description  above for
8650              additional RBL related configuration parameters.   This  feature
8651              is available in Postfix 2.8 and later.
8652
8653       reject_unknown_client_hostname      (with      Postfix      <      2.3:
8654       reject_unknown_client)
8655              Reject the request when 1) the client IP  address->name  mapping
8656              fails,   2)   the   name->address   mapping  fails,  or  3)  the
8657              name->address mapping does not match the client IP address.
8658              This     is     a     stronger     restriction     than      the
8659              reject_unknown_reverse_client_hostname  feature,  which triggers
8660              only under condition 1) above.
8661              The unknown_client_reject_code parameter specifies the  response
8662              code  for  rejected requests (default: 450). The reply is always
8663              450 in case the address->name or name->address lookup failed due
8664              to a temporary problem.
8665
8666       reject_unknown_reverse_client_hostname
8667              Reject   the   request   when  the  client  IP  address  has  no
8668              address->name mapping.
8669              This     is     a     weaker      restriction      than      the
8670              reject_unknown_client_hostname  feature, which requires not only
8671              that the address->name and  name->address  mappings  exist,  but
8672              also that the two mappings reproduce the client IP address.
8673              The  unknown_client_reject_code parameter specifies the response
8674              code for rejected requests (default: 450).  The reply is  always
8675              450  in  case the address->name lookup failed due to a temporary
8676              problem.
8677              This feature is available in Postfix 2.3 and later.
8678
8679       In addition, you can use any of  the  following  generic  restrictions.
8680       These restrictions are applicable in any SMTP command context.
8681
8682       check_policy_service servername
8683              Query  the  specified policy server. See the SMTPD_POLICY_README
8684              document for details. This feature is available in  Postfix  2.1
8685              and later.
8686
8687       defer  Defer  the  request. The client is told to try again later. This
8688              restriction is useful at the end of a restriction list, to  make
8689              the default policy explicit.
8690              The  defer_code  parameter  specifies the SMTP server reply code
8691              (default: 450).
8692
8693       defer_if_permit
8694              Defer the request if some later restriction would result  in  an
8695              explicit  or  implicit  PERMIT  action.   This  is useful when a
8696              blacklisting feature fails due to  a  temporary  problem.   This
8697              feature is available in Postfix version 2.1 and later.
8698
8699       defer_if_reject
8700              Defer  the  request  if some later restriction would result in a
8701              REJECT action.  This is useful when a whitelisting feature fails
8702              due  to a temporary problem.  This feature is available in Post‐
8703              fix version 2.1 and later.
8704
8705       permit Permit the request. This restriction is useful at the end  of  a
8706              restriction list, to make the default policy explicit.
8707
8708       reject_multi_recipient_bounce
8709              Reject the request when the envelope sender is the null address,
8710              and the message has multiple envelope recipients. This usage has
8711              rare  but  legitimate  applications:  under  certain conditions,
8712              multi-recipient  mail  that  was  posted  with  the  DSN  option
8713              NOTIFY=NEVER may be forwarded with the null sender address.
8714              Note:  this  restriction  can  only  work  reliably when used in
8715              smtpd_data_restrictions    or    smtpd_end_of_data_restrictions,
8716              because  the  total number of recipients is not known at an ear‐
8717              lier stage of the SMTP conversation.  Use at the RCPT stage will
8718              only reject the second etc.  recipient.
8719              The  multi_recipient_bounce_reject_code  parameter specifies the
8720              response code for rejected requests (default:  550).  This  fea‐
8721              ture is available in Postfix 2.1 and later.
8722
8723       reject_plaintext_session
8724              Reject  the  request  when the connection is not encrypted. This
8725              restriction should not be used  before  the  client  has  had  a
8726              chance  to  negotiate  encryption with the AUTH or STARTTLS com‐
8727              mands.
8728              The plaintext_reject_code parameter specifies the response  code
8729              for  rejected  requests (default:  450).  This feature is avail‐
8730              able in Postfix 2.3 and later.
8731
8732       reject_unauth_pipelining
8733              Reject the request when the client sends SMTP commands ahead  of
8734              time where it is not allowed, or when the client sends SMTP com‐
8735              mands ahead of time without knowing that Postfix  actually  sup‐
8736              ports  ESMTP  command pipelining. This stops mail from bulk mail
8737              software that improperly uses ESMTP command pipelining in  order
8738              to speed up deliveries.
8739              With  Postfix  2.6 and later, the SMTP server sets a per-session
8740              flag whenever it detects illegal pipelining, including pipelined
8741              HELO or EHLO commands. The reject_unauth_pipelining feature sim‐
8742              ply tests whether the flag was set at any point in  time  during
8743              the session.
8744              With older Postfix versions, reject_unauth_pipelining checks the
8745              current status of the input read queue, and  its  usage  is  not
8746              recommended in contexts other than smtpd_data_restrictions.
8747
8748       reject Reject  the  request. This restriction is useful at the end of a
8749              restriction list, to make  the  default  policy  explicit.   The
8750              reject_code  configuration parameter specifies the response code
8751              for rejected requests (default: 554).
8752
8753       sleep seconds
8754              Pause for the specified number of seconds and proceed  with  the
8755              next  restriction in the list, if any. This may stop zombie mail
8756              when used as:
8757              /etc/postfix/main.cf:
8758                  smtpd_client_restrictions =
8759                      sleep 1, reject_unauth_pipelining
8760                  smtpd_delay_reject = no
8761              This feature is available in Postfix 2.3.
8762
8763       warn_if_reject
8764              A safety net for testing. When "warn_if_reject" is placed before
8765              a  reject-type  restriction,  access  table query, or check_pol‐
8766              icy_service query, this logs a "reject_warning" message  instead
8767              of rejecting a request (when a reject-type restriction fails due
8768              to a temporary error, this logs a "reject_warning"  message  for
8769              any  implicit "defer_if_permit" actions that would normally pre‐
8770              vent mail from being accepted by some later access restriction).
8771              This feature has no effect on defer_if_reject restrictions.
8772
8773       Other restrictions that are valid in this context:
8774
8775       ·      SMTP  command specific restrictions that are described under the
8776              smtpd_helo_restrictions,      smtpd_sender_restrictions       or
8777              smtpd_recipient_restrictions  parameters.  When  helo, sender or
8778              recipient restrictions are  listed  under  smtpd_client_restric‐
8779              tions, they have effect only with "smtpd_delay_reject = yes", so
8780              that $smtpd_client_restrictions is evaluated at the time of  the
8781              RCPT TO command.
8782
8783       Example:
8784
8785       smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
8786

smtpd_command_filter (default: empty)

8788       A  mechanism to transform commands from remote SMTP clients.  This is a
8789       last-resort tool to work around client commands that  break  interoper‐
8790       ability  with the Postfix SMTP server.  Other uses involve fault injec‐
8791       tion to test Postfix's handling of invalid commands.
8792
8793       Specify the name of a "type:table" lookup table. The search  string  is
8794       the  SMTP  command as received from the remote SMTP client, except that
8795       initial whitespace and the trailing <CR><LF> are removed.   The  result
8796       value is executed by the Postfix SMTP server.
8797
8798       There is no need to use smtpd_command_filter for the following cases:
8799
8800       ·      Use "resolve_numeric_domain = yes" to accept "user@ipaddress".
8801
8802       ·      Postfix already accepts the correct form "user@[ipaddress]". Use
8803              virtual_alias_maps or canonical_maps  to  translate  these  into
8804              domain names if necessary.
8805
8806       ·      Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
8807              <user@example.com>>". Postfix will ignore the "User  Name"  part
8808              and deliver to the <user@example.com> address.
8809
8810       Examples  of  problems that can be solved with the smtpd_command_filter
8811       feature:
8812
8813       /etc/postfix/main.cf:
8814           smtpd_command_filter = pcre:/etc/postfix/command_filter
8815
8816       /etc/postfix/command_filter:
8817           # Work around clients that send malformed HELO commands.
8818           /^HELO\s*$/ HELO domain.invalid
8819
8820           # Work around clients that send empty lines.
8821           /^\s*$/     NOOP
8822
8823           # Work around clients that send RCPT TO:<'user@domain'>.
8824           # WARNING: do not lose the parameters that follow the address.
8825           /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/     $1$2$3
8826
8827           # Append XVERP to MAIL FROM commands to request VERP-style delivery.
8828           # See VERP_README for more information on how to use Postfix VERP.
8829           /^(MAIL FROM:\s*<listname@example\.com>.*)/   $1 XVERP
8830
8831           # Bounce-never mail sink. Use notify_classes=bounce,resource,software
8832           # to send bounced mail to the postmaster (with message body removed).
8833           /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/     $1 NOTIFY=NEVER$2
8834           /^(RCPT\s+TO:.*)/                             $1 NOTIFY=NEVER
8835
8836       This feature is available in Postfix 2.7.
8837

smtpd_data_restrictions (default: empty)

8839       Optional access restrictions that the Postfix SMTP  server  applies  in
8840       the context of the SMTP DATA command.  See SMTPD_ACCESS_README, section
8841       "Delayed evaluation of SMTP access restriction lists" for a  discussion
8842       of evaluation context and time.
8843
8844       This feature is available in Postfix 2.0 and later.
8845
8846       Specify  a list of restrictions, separated by commas and/or whitespace.
8847       Continue  long  lines  by  starting  the  next  line  with  whitespace.
8848       Restrictions  are applied in the order as specified; the first restric‐
8849       tion that matches wins.
8850
8851       The following restrictions are valid in this context:
8852
8853       ·      Generic restrictions that can be used in any SMTP  command  con‐
8854              text, described under smtpd_client_restrictions.
8855
8856       ·      SMTP    command    specific    restrictions    described   under
8857              smtpd_client_restrictions,              smtpd_helo_restrictions,
8858              smtpd_sender_restrictions or smtpd_recipient_restrictions.
8859
8860       ·      However,  no  recipient  information is available in the case of
8861              multi-recipient mail. Acting on only one recipient would be mis‐
8862              leading,   because  any  decision  will  affect  all  recipients
8863              equally. Acting on all recipients would require a possibly  very
8864              large  amount  of  memory,  and would also be misleading for the
8865              reasons mentioned before.
8866
8867       Examples:
8868
8869       smtpd_data_restrictions = reject_unauth_pipelining
8870       smtpd_data_restrictions = reject_multi_recipient_bounce
8871

smtpd_delay_open_until_valid_rcpt (default: yes)

8873       Postpone the start of an SMTP mail transaction until a  valid  RCPT  TO
8874       command  is received. Specify "no" to create a mail transaction as soon
8875       as the Postfix SMTP server receives a valid MAIL FROM command.
8876
8877       With sites that reject lots of mail, the default  setting  reduces  the
8878       use  of  disk,  CPU and memory resources. The downside is that rejected
8879       recipients are logged with NOQUEUE instead of a  mail  transaction  ID.
8880       This complicates the logfile analysis of multi-recipient mail.
8881
8882       This feature is available in Postfix 2.3 and later.
8883

smtpd_delay_reject (default: yes)

8885       Wait until the RCPT TO command before evaluating $smtpd_client_restric‐
8886       tions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
8887       until the ETRN command before evaluating $smtpd_client_restrictions and
8888       $smtpd_helo_restrictions.
8889
8890       This feature is turned on by default because  some  clients  apparently
8891       mis-behave  when  the  Postfix SMTP server rejects commands before RCPT
8892       TO.
8893
8894       The default setting has one major benefit: it  allows  Postfix  to  log
8895       recipient  address  information when rejecting a client name/address or
8896       sender address, so that it is possible to find out whose mail is  being
8897       rejected.
8898

smtpd_discard_ehlo_keyword_address_maps (default: empty)

8900       Lookup  tables,  indexed  by  the remote SMTP client address, with case
8901       insensitive lists of EHLO keywords (pipelining, starttls,  auth,  etc.)
8902       that  the  Postfix  SMTP server will not send in the EHLO response to a
8903       remote SMTP client. See smtpd_discard_ehlo_keywords for  details.   The
8904       tables are not searched by hostname for robustness reasons.
8905
8906       Specify zero or more "type:name" lookup tables, separated by whitespace
8907       or comma. Tables will be searched in the specified order until a  match
8908       is found.
8909
8910       This feature is available in Postfix 2.2 and later.
8911

smtpd_discard_ehlo_keywords (default: empty)

8913       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
8914       etc.) that the Postfix SMTP server will not send in the  EHLO  response
8915       to a remote SMTP client.
8916
8917       This feature is available in Postfix 2.2 and later.
8918
8919       Notes:
8920
8921       ·      Specify the silent-discard pseudo keyword to prevent this action
8922              from being logged.
8923
8924       ·      Use the smtpd_discard_ehlo_keyword_address_maps feature to  dis‐
8925              card EHLO keywords selectively.
8926

smtpd_dns_reply_filter (default: empty)

8928       Optional  filter  for  Postfix  SMTP  server  DNS  lookup results.  See
8929       smtp_dns_reply_filter for details including an example.
8930
8931       This feature is available in Postfix 3.0 and later.
8932

smtpd_end_of_data_restrictions (default: empty)

8934       Optional access restrictions that the Postfix SMTP  server  applies  in
8935       the  context of the SMTP END-OF-DATA command.  See SMTPD_ACCESS_README,
8936       section "Delayed evaluation of SMTP access  restriction  lists"  for  a
8937       discussion of evaluation context and time.
8938
8939       This feature is available in Postfix 2.2 and later.
8940
8941       See smtpd_data_restrictions for details and limitations.
8942

smtpd_enforce_tls (default: no)

8944       Mandatory  TLS:  announce  STARTTLS support to remote SMTP clients, and
8945       require that clients use TLS encryption.  According to  RFC  2487  this
8946       MUST NOT be applied in case of a publicly-referenced SMTP server.  This
8947       option is therefore off by default.
8948
8949       Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
8950
8951       Note 2: when invoked via  "sendmail  -bs",  Postfix  will  never  offer
8952       STARTTLS  due  to  insufficient privileges to access the server private
8953       key. This is intended behavior.
8954
8955       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
8956       and later use smtpd_tls_security_level instead.
8957

smtpd_error_sleep_time (default: 1s)

8959       With  Postfix  version  2.1  and  later: the SMTP server response delay
8960       after a client has made more than $smtpd_soft_error_limit  errors,  and
8961       fewer than $smtpd_hard_error_limit errors, without delivering mail.
8962
8963       With  Postfix  version  2.0  and  earlier: the SMTP server delay before
8964       sending a reject (4xx or 5xx) response, when the client has made  fewer
8965       than $smtpd_soft_error_limit errors without delivering mail.
8966

smtpd_etrn_restrictions (default: empty)

8968       Optional  restrictions that the Postfix SMTP server applies in the con‐
8969       text of  a  client  ETRN  command.   See  SMTPD_ACCESS_README,  section
8970       "Delayed  evaluation of SMTP access restriction lists" for a discussion
8971       of evaluation context and time.
8972
8973       The Postfix ETRN implementation accepts only destinations that are eli‐
8974       gible  for  the  Postfix "fast flush" service. See the ETRN_README file
8975       for details.
8976
8977       Specify a list of restrictions, separated by commas and/or  whitespace.
8978       Continue  long  lines  by  starting  the  next  line  with  whitespace.
8979       Restrictions are applied in the order as specified; the first  restric‐
8980       tion that matches wins.
8981
8982       The  following restrictions are specific to the domain name information
8983       received with the ETRN command.
8984
8985       check_etrn_access type:table
8986              Search the specified access database for the ETRN domain name or
8987              its parent domains. See the access(5) manual page for details.
8988
8989       Other restrictions that are valid in this context:
8990
8991       ·      Generic  restrictions  that can be used in any SMTP command con‐
8992              text, described under smtpd_client_restrictions.
8993
8994       ·      SMTP   command    specific    restrictions    described    under
8995              smtpd_client_restrictions and smtpd_helo_restrictions.
8996
8997       Example:
8998
8999       smtpd_etrn_restrictions = permit_mynetworks, reject
9000

smtpd_expansion_filter (default: see postconf -d output)

9002       What characters are allowed in $name expansions of RBL reply templates.
9003       Characters not in the allowed set are replaced  by  "_".   Use  C  like
9004       escapes to specify special characters such as whitespace.
9005
9006       This parameter is not subjected to $parameter expansion.
9007
9008       This feature is available in Postfix 2.0 and later.
9009

smtpd_forbidden_commands (default: CONNECT, GET, POST)

9011       List of commands that cause the Postfix SMTP server to immediately ter‐
9012       minate the session with a 221 code. This  can  be  used  to  disconnect
9013       clients  that obviously attempt to abuse the system. In addition to the
9014       commands listed in this parameter, commands that  follow  the  "Label:"
9015       format of message headers will also cause a disconnect.
9016
9017       This feature is available in Postfix 2.2 and later.
9018

smtpd_hard_error_limit (default: normal: 20, overload: 1)

9020       The  maximal  number  of errors a remote SMTP client is allowed to make
9021       without delivering mail. The Postfix SMTP server disconnects  when  the
9022       limit  is  exceeded.  Normally  the default limit is 20, but it changes
9023       under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
9024       always allows up to 20 errors by default.
9025

smtpd_helo_required (default: no)

9027       Require  that  a  remote SMTP client introduces itself with the HELO or
9028       EHLO command before sending the MAIL command  or  other  commands  that
9029       require EHLO negotiation.
9030
9031       Example:
9032
9033       smtpd_helo_required = yes
9034

smtpd_helo_restrictions (default: empty)

9036       Optional  restrictions that the Postfix SMTP server applies in the con‐
9037       text of  a  client  HELO  command.   See  SMTPD_ACCESS_README,  section
9038       "Delayed  evaluation of SMTP access restriction lists" for a discussion
9039       of evaluation context and time.
9040
9041       The default is to permit everything.
9042
9043       Note:  specify  "smtpd_helo_required  =  yes"  to  fully  enforce  this
9044       restriction  (without  "smtpd_helo_required = yes", a client can simply
9045       skip smtpd_helo_restrictions by not sending HELO or EHLO).
9046
9047       Specify a list of restrictions, separated by commas and/or  whitespace.
9048       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9049       Restrictions are applied in the order as specified; the first  restric‐
9050       tion that matches wins.
9051
9052       The  following  restrictions  are  specific to the hostname information
9053       received with the HELO or EHLO command.
9054
9055       check_helo_access type:table
9056              Search the specified access(5) database for  the  HELO  or  EHLO
9057              hostname  or  parent  domains,  and  execute  the  corresponding
9058              action.  Note: specify  "smtpd_helo_required  =  yes"  to  fully
9059              enforce this restriction (without "smtpd_helo_required = yes", a
9060              client can simply skip check_helo_access by not sending HELO  or
9061              EHLO).
9062
9063       check_helo_a_access type:table
9064              Search the specified access(5) database for the IP addresses for
9065              the HELO or EHLO hostname, and execute the corresponding action.
9066              Note  1:  a  result  of  "OK" is not allowed for safety reasons.
9067              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
9068              blacklists.   Note  2:  specify  "smtpd_helo_required  = yes" to
9069              fully enforce this restriction (without  "smtpd_helo_required  =
9070              yes",  a client can simply skip check_helo_a_access by not send‐
9071              ing HELO or EHLO).  This feature is available in Postfix 3.0 and
9072              later.
9073
9074       check_helo_mx_access type:table
9075              Search the specified access(5) database for the MX hosts for the
9076              HELO or EHLO hostname, and  execute  the  corresponding  action.
9077              Note  1:  a  result  of  "OK" is not allowed for safety reasons.
9078              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
9079              blacklists.   Note  2:  specify  "smtpd_helo_required  = yes" to
9080              fully enforce this restriction (without  "smtpd_helo_required  =
9081              yes", a client can simply skip check_helo_mx_access by not send‐
9082              ing HELO or EHLO).  This feature is available in Postfix 2.1 and
9083              later.
9084
9085       check_helo_ns_access type:table
9086              Search  the specified access(5) database for the DNS servers for
9087              the HELO or EHLO hostname, and execute the corresponding action.
9088              Note  1:  a  result  of  "OK" is not allowed for safety reasons.
9089              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
9090              blacklists.   Note  2:  specify  "smtpd_helo_required  = yes" to
9091              fully enforce this restriction (without  "smtpd_helo_required  =
9092              yes", a client can simply skip check_helo_ns_access by not send‐
9093              ing HELO or EHLO). This feature is available in Postfix 2.1  and
9094              later.
9095
9096       reject_invalid_helo_hostname  (with Postfix < 2.3: reject_invalid_host‐
9097       name)
9098              Reject the request when the HELO or EHLO hostname is  malformed.
9099              Note:  specify "smtpd_helo_required = yes" to fully enforce this
9100              restriction (without "smtpd_helo_required = yes", a  client  can
9101              simply  skip reject_invalid_helo_hostname by not sending HELO or
9102              EHLO).
9103              The invalid_hostname_reject_code specifies the response code for
9104              rejected requests (default: 501).
9105
9106       reject_non_fqdn_helo_hostname       (with      Postfix      <      2.3:
9107       reject_non_fqdn_hostname)
9108              Reject the request when the HELO or  EHLO  hostname  is  not  in
9109              fully-qualified  domain  or address literal form, as required by
9110              the RFC. Note: specify  "smtpd_helo_required  =  yes"  to  fully
9111              enforce this restriction (without "smtpd_helo_required = yes", a
9112              client can  simply  skip  reject_non_fqdn_helo_hostname  by  not
9113              sending HELO or EHLO).
9114              The  non_fqdn_reject_code  parameter specifies the response code
9115              for rejected requests (default: 504).
9116
9117       reject_rhsbl_helo rbl_domain=d.d.d.d
9118              Reject the request when the HELO or EHLO hostname is listed with
9119              the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
9120              later only).  Each "d" is a number, or  a  pattern  inside  "[]"
9121              that  contains one or more ";"-separated numbers or number..num‐
9122              ber ranges (Postfix version 2.8 and later).  If no "=d.d.d.d" is
9123              specified,  reject the request when the HELO or EHLO hostname is
9124              listed  with  any   A   record   under   rbl_domain.   See   the
9125              reject_rbl_client description for additional RBL related config‐
9126              uration parameters.  Note: specify "smtpd_helo_required  =  yes"
9127              to  fully enforce this restriction (without "smtpd_helo_required
9128              = yes", a client can simply skip reject_rhsbl_helo by not  send‐
9129              ing  HELO or EHLO). This feature is available in Postfix 2.0 and
9130              later.
9131
9132       reject_unknown_helo_hostname (with Postfix < 2.3:  reject_unknown_host‐
9133       name)
9134              Reject  the  request when the HELO or EHLO hostname has no DNS A
9135              or MX record.
9136              The reply is  specified  with  the  unknown_hostname_reject_code
9137              parameter    (default:   450)   or   unknown_helo_hostname_temp‐
9138              fail_action  (default:  defer_if_permit).   See  the  respective
9139              parameter descriptions for details.
9140              Note:  specify "smtpd_helo_required = yes" to fully enforce this
9141              restriction (without "smtpd_helo_required = yes", a  client  can
9142              simply  skip reject_unknown_helo_hostname by not sending HELO or
9143              EHLO).
9144
9145       Other restrictions that are valid in this context:
9146
9147       ·      Generic restrictions that can be used in any SMTP  command  con‐
9148              text, described under smtpd_client_restrictions.
9149
9150       ·      Client   hostname   or  network  address  specific  restrictions
9151              described under smtpd_client_restrictions.
9152
9153       ·      SMTP   command    specific    restrictions    described    under
9154              smtpd_sender_restrictions or smtpd_recipient_restrictions.  When
9155              sender   or   recipient   restrictions    are    listed    under
9156              smtpd_helo_restrictions,    they    have    effect   only   with
9157              "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions  is
9158              evaluated at the time of the RCPT TO command.
9159
9160       Examples:
9161
9162       smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
9163       smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
9164

smtpd_history_flush_threshold (default: 100)

9166       The  maximal number of lines in the Postfix SMTP server command history
9167       before it is flushed upon receipt of EHLO, RSET, or end of DATA.
9168

smtpd_junk_command_limit (default: normal: 100, overload: 1)

9170       The number of junk commands (NOOP, VRFY, ETRN or RSET)  that  a  remote
9171       SMTP client can send before the Postfix SMTP server starts to increment
9172       the error counter with each junk command.  The junk  command  count  is
9173       reset after mail is delivered.  See also the smtpd_error_sleep_time and
9174       smtpd_soft_error_limit configuration parameters.  Normally the  default
9175       limit is 100, but it changes under overload to just 1. With Postfix 2.5
9176       and earlier, the SMTP server always allows up to 100 junk  commands  by
9177       default.
9178

smtpd_log_access_permit_actions (default: empty)

9180       Enable  logging  of  the  named  "permit" actions in SMTP server access
9181       lists (by default, the SMTP server logs "reject" actions but not  "per‐
9182       mit"  actions).   This feature does not affect conditional actions such
9183       as "defer_if_permit".
9184
9185       Specify a list of "permit" action names, "/file/name"  or  "type:table"
9186       patterns,  separated  by  commas and/or whitespace. The list is matched
9187       left to right, and the search stops on the first match. A  "/file/name"
9188       pattern  is  replaced  by  its contents; a "type:table" lookup table is
9189       matched when a  name  matches  a  lookup  key  (the  lookup  result  is
9190       ignored).   Continue  long  lines by starting the next line with white‐
9191       space. Specify "!pattern" to exclude a name from the list.
9192
9193       Examples:
9194
9195       /etc/postfix/main.cf:
9196           # Log all "permit" actions.
9197           smtpd_log_access_permit_actions = static:all
9198
9199       /etc/postfix/main.cf:
9200           # Log "permit_dnswl_client" only.
9201           smtpd_log_access_permit_actions = permit_dnswl_client
9202
9203       This feature is available in Postfix 2.10 and later.
9204

smtpd_milter_maps (default: empty)

9206       Lookup tables with Milter settings per remote SMTP client  IP  address.
9207       The lookup result overrides the smtpd_milters setting, and has the same
9208       syntax.
9209
9210       Note: lookup tables cannot return empty  responses.  Specify  a  lookup
9211       result  of  DISABLE (case does not matter) to indicate that Milter sup‐
9212       port should be disabled.
9213
9214       Example to disable Milters for local clients:
9215
9216       /etc/postfix/main.cf:
9217           smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
9218           smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
9219
9220       /etc/postfix/smtpd_milter_map:
9221           # Disable Milters for local clients.
9222           127.0.0.0/8    DISABLE
9223           192.168.0.0/16 DISABLE
9224           ::/64          DISABLE
9225           2001:db8::/32  DISABLE
9226
9227       This feature is available in Postfix 3.2 and later.
9228

smtpd_milters (default: empty)

9230       A list of Milter (mail filter) applications for new mail  that  arrives
9231       via  the  Postfix smtpd(8) server. Specify space or comma as separator.
9232       See the MILTER_README document for details.
9233
9234       This feature is available in Postfix 2.3 and later.
9235

smtpd_noop_commands (default: empty)

9237       List of commands that the Postfix SMTP server replies to with "250 Ok",
9238       without  doing any syntax checks and without changing state.  This list
9239       overrides any commands built into the Postfix SMTP server.
9240

smtpd_null_access_lookup_key (default: <>)

9242       The lookup key to be used in SMTP access(5) tables instead of the  null
9243       sender address.
9244

smtpd_peername_lookup (default: yes)

9246       Attempt to look up the remote SMTP client hostname, and verify that the
9247       name matches the client IP address. A client name is set  to  "unknown"
9248       when  it  cannot  be looked up or verified, or when name lookup is dis‐
9249       abled.  Turning off name lookup reduces delays due to  DNS  lookup  and
9250       increases the maximal inbound delivery rate.
9251
9252       This feature is available in Postfix 2.3 and later.
9253

smtpd_per_record_deadline (default: normal: no, overload: yes)

9255       Change  the  behavior  of  the smtpd_timeout and smtpd_starttls_timeout
9256       time limits, from a time limit per read or write system call, to a time
9257       limit  to send or receive a complete record (an SMTP command line, SMTP
9258       response line, SMTP message content line,  or  TLS  protocol  message).
9259       This limits the impact from hostile peers that trickle data one byte at
9260       a time.
9261
9262       Note: when per-record deadlines are enabled, a short timeout may  cause
9263       problems  with TLS over very slow network connections.  The reasons are
9264       that a TLS protocol message can be up to 16 kbytes long  (with  TLSv1),
9265       and that an entire TLS protocol message must be sent or received within
9266       the per-record deadline.
9267
9268       This feature is available in Postfix 2.9 and later. With older  Postfix
9269       releases, the behavior is as if this parameter is set to "no".
9270

smtpd_policy_service_default_action (default: 451 4.3.5 Server configuration

9272       problem)
9273       The default action when an SMTPD policy service request fails.  Specify
9274       "DUNNO"  to  behave  as if the failed  SMTPD policy service request was
9275       not sent, and to continue processing other access restrictions, if any.
9276
9277       Limitations:
9278
9279       ·      This parameter may specify any value that would be a valid SMTPD
9280              policy  server  response  (or  access(5) map lookup result).  An
9281              access(5) map or policy server in this parameter value may  need
9282              to be declared in advance with a restriction_class setting.
9283
9284       ·      If  the  specified  action  invokes another check_policy_service
9285              request, that request will have the built-in default action.
9286
9287       This feature is available in Postfix 3.0 and later.
9288

smtpd_policy_service_max_idle (default: 300s)

9290       The time after which an idle SMTPD policy service connection is closed.
9291
9292       This feature is available in Postfix 2.1 and later.
9293

smtpd_policy_service_max_ttl (default: 1000s)

9295       The time after which an  active  SMTPD  policy  service  connection  is
9296       closed.
9297
9298       This feature is available in Postfix 2.1 and later.
9299

smtpd_policy_service_policy_context (default: empty)

9301       Optional  information  that  the  Postfix  SMTP server specifies in the
9302       "policy_context" attribute of a policy service request (originally,  to
9303       share  the  same  service  endpoint among multiple check_policy_service
9304       clients).
9305
9306       This feature is available in Postfix 3.1 and later.
9307

smtpd_policy_service_request_limit (default: 0)

9309       The maximal number of requests per SMTPD policy service connection,  or
9310       zero  (no  limit). Once a connection reaches this limit, the connection
9311       is closed and the next request will be sent over a new connection. This
9312       is a workaround to avoid error-recovery delays with policy servers that
9313       cannot maintain a persistent connection.
9314
9315       This feature is available in Postfix 3.0 and later.
9316

smtpd_policy_service_retry_delay (default: 1s)

9318       The delay between attempts to resend  a  failed  SMTPD  policy  service
9319       request. Specify a value greater than zero.
9320
9321       This feature is available in Postfix 3.0 and later.
9322

smtpd_policy_service_timeout (default: 100s)

9324       The time limit for connecting to, writing to, or receiving from a dele‐
9325       gated SMTPD policy server.
9326
9327       This feature is available in Postfix 2.1 and later.
9328

smtpd_policy_service_try_limit (default: 2)

9330       The maximal number of attempts to send an SMTPD policy service  request
9331       before giving up. Specify a value greater than zero.
9332
9333       This feature is available in Postfix 3.0 and later.
9334

smtpd_proxy_ehlo (default: $myhostname)

9336       How  the  Postfix SMTP server announces itself to the proxy filter.  By
9337       default, the Postfix hostname is used.
9338
9339       This feature is available in Postfix 2.1 and later.
9340

smtpd_proxy_filter (default: empty)

9342       The hostname and TCP port of the  mail  filtering  proxy  server.   The
9343       proxy  receives  all mail from the Postfix SMTP server, and is supposed
9344       to give the result to another Postfix SMTP server process.
9345
9346       Specify  "host:port"  or  "inet:host:port"  for  a  TCP  endpoint,   or
9347       "unix:pathname"  for  a UNIX-domain endpoint. The host can be specified
9348       as an IP address or as a symbolic name; no MX lookups are  done.   When
9349       no  "host"  or  "host:"   are  specified, the local machine is assumed.
9350       Pathname interpretation is relative to the Postfix queue directory.
9351
9352       This feature is available in Postfix 2.1 and later.
9353
9354       The "inet:" and "unix:" prefixes  are  available  in  Postfix  2.3  and
9355       later.
9356

smtpd_proxy_options (default: empty)

9358       List  of  options that control how the Postfix SMTP server communicates
9359       with a before-queue content filter. Specify zero or more of the follow‐
9360       ing, separated by comma or whitespace.
9361
9362       speed_adjust
9363              Do  not connect to a before-queue content filter until an entire
9364              message has been received. This reduces the number of simultane‐
9365              ous before-queue content filter processes.
9366
9367       NOTE   1:  A  filter  must  not  selectively  reject  recipients  of  a
9368       multi-recipient message.  Rejecting all recipients is OK, as is accept‐
9369       ing all recipients.
9370
9371       NOTE  2:  This feature increases the minimum amount of free queue space
9372       by $message_size_limit. The extra space is needed to save  the  message
9373       to a temporary file.
9374
9375       This feature is available in Postfix 2.7 and later.
9376

smtpd_proxy_timeout (default: 100s)

9378       The  time  limit  for  connecting  to a proxy filter and for sending or
9379       receiving information.  When a  connection  fails  the  client  gets  a
9380       generic  error message while more detailed information is logged to the
9381       maillog file.
9382
9383       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
9384       The default time unit is s (seconds).
9385
9386       This feature is available in Postfix 2.1 and later.
9387

smtpd_recipient_limit (default: 1000)

9389       The  maximal  number of recipients that the Postfix SMTP server accepts
9390       per message delivery request.
9391

smtpd_recipient_overshoot_limit (default: 1000)

9393       The number of recipients that a remote SMTP client can send  in  excess
9394       of  the limit specified with $smtpd_recipient_limit, before the Postfix
9395       SMTP server increments the per-session  error  count  for  each  excess
9396       recipient.
9397

smtpd_recipient_restrictions (default: see postconf -d output)

9399       Optional  restrictions that the Postfix SMTP server applies in the con‐
9400       text of a client RCPT TO command, after smtpd_relay_restrictions.   See
9401       SMTPD_ACCESS_README,   section   "Delayed  evaluation  of  SMTP  access
9402       restriction lists" for a discussion of evaluation context and time.
9403
9404       With Postfix versions before 2.10, the rules for relay  permission  and
9405       spam blocking were combined under smtpd_recipient_restrictions, result‐
9406       ing in error-prone configuration.  As of Postfix 2.10, relay permission
9407       rules are preferably implemented with smtpd_relay_restrictions, so that
9408       a permissive spam blocking  policy  under  smtpd_recipient_restrictions
9409       will no longer result in a permissive mail relay policy.
9410
9411       For  backwards  compatibility, sites that migrate from Postfix versions
9412       before 2.10 can set smtpd_relay_restrictions to the  empty  value,  and
9413       use smtpd_recipient_restrictions exactly as before.
9414
9415       IMPORTANT:  Either  the  smtpd_relay_restrictions  or the smtpd_recipi‐
9416       ent_restrictions parameter must specify at least one of  the  following
9417       restrictions. Otherwise Postfix will refuse to receive mail:
9418
9419           reject, reject_unauth_destination
9420
9421           defer, defer_if_permit, defer_unauth_destination
9422
9423       Specify  a list of restrictions, separated by commas and/or whitespace.
9424       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9425       Restrictions  are applied in the order as specified; the first restric‐
9426       tion that matches wins.
9427
9428       The following restrictions are specific to the recipient  address  that
9429       is received with the RCPT TO command.
9430
9431       check_recipient_access type:table
9432              Search the specified access(5) database for the resolved RCPT TO
9433              address, domain, parent domains, or localpart@, and execute  the
9434              corresponding action.
9435
9436       check_recipient_a_access type:table
9437              Search the specified access(5) database for the IP addresses for
9438              the RCPT TO domain, and execute the corresponding action.  Note:
9439              a result of "OK" is not allowed for safety reasons. Instead, use
9440              DUNNO in order to exclude specific hosts from blacklists.   This
9441              feature is available in Postfix 3.0 and later.
9442
9443       check_recipient_mx_access type:table
9444              Search the specified access(5) database for the MX hosts for the
9445              RCPT TO domain, and execute the corresponding action.   Note:  a
9446              result  of  "OK" is not allowed for safety reasons. Instead, use
9447              DUNNO in order to exclude specific hosts from blacklists.   This
9448              feature is available in Postfix 2.1 and later.
9449
9450       check_recipient_ns_access type:table
9451              Search  the specified access(5) database for the DNS servers for
9452              the RCPT TO domain, and execute the corresponding action.  Note:
9453              a result of "OK" is not allowed for safety reasons. Instead, use
9454              DUNNO in order to exclude specific hosts from blacklists.   This
9455              feature is available in Postfix 2.1 and later.
9456
9457       permit_auth_destination
9458              Permit the request when one of the following is true:
9459
9460       ·      Postfix  is  mail forwarder: the resolved RCPT TO domain matches
9461              $relay_domains or a subdomain thereof, and the address  contains
9462              no sender-specified routing (user@elsewhere@domain),
9463
9464       ·      Postfix  is  the  final destination: the resolved RCPT TO domain
9465              matches  $mydestination,  $inet_interfaces,   $proxy_interfaces,
9466              $virtual_alias_domains,  or  $virtual_mailbox_domains,  and  the
9467              address  contains  no   sender-specified   routing   (user@else‐
9468              where@domain).
9469
9470       permit_mx_backup
9471              Permit  the  request when the local mail system is backup MX for
9472              the RCPT TO domain, or when the domain is an authorized destina‐
9473              tion (see permit_auth_destination for definition).
9474
9475       ·      Safety:  permit_mx_backup  does  not  accept addresses that have
9476              sender-specified  routing   information   (example:   user@else‐
9477              where@domain).
9478
9479       ·      Safety:  permit_mx_backup  can  be  vulnerable  to  mis-use when
9480              access is not restricted with permit_mx_backup_networks.
9481
9482       ·      Safety: as of Postfix version 2.3,  permit_mx_backup  no  longer
9483              accepts the address when the local mail system is primary MX for
9484              the recipient domain.  Exception: permit_mx_backup  accepts  the
9485              address  when  it  specifies an authorized destination (see per‐
9486              mit_auth_destination for definition).
9487
9488       ·      Limitation: mail may be rejected in  case  of  a  temporary  DNS
9489              lookup problem with Postfix prior to version 2.0.
9490
9491       reject_non_fqdn_recipient
9492              Reject  the  request when the RCPT TO address specifies a domain
9493              that is not in fully-qualified domain form, as required  by  the
9494              RFC.
9495              The  non_fqdn_reject_code  parameter specifies the response code
9496              for rejected requests (default: 504).
9497
9498       reject_rhsbl_recipient rbl_domain=d.d.d.d
9499              Reject the request when the RCPT TO domain is listed with the  A
9500              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
9501              only).  Each "d" is a number, or a pattern inside "[]" that con‐
9502              tains one or more ";"-separated numbers or number..number ranges
9503              (Postfix version 2.8 and later). If no "=d.d.d.d" is  specified,
9504              reject  the request when the RCPT TO domain is listed with any A
9505              record under rbl_domain.
9506              The maps_rbl_reject_code parameter specifies the  response  code
9507              for  rejected  requests  (default:  554);  the default_rbl_reply
9508              parameter  specifies  the  default   server   reply;   and   the
9509              rbl_reply_maps  parameter  specifies  tables with server replies
9510              indexed by rbl_domain.  This feature  is  available  in  Postfix
9511              version 2.0 and later.
9512
9513       reject_unauth_destination
9514              Reject the request unless one of the following is true:
9515
9516       ·      Postfix  is  mail forwarder: the resolved RCPT TO domain matches
9517              $relay_domains  or  a  subdomain  thereof,   and   contains   no
9518              sender-specified routing (user@elsewhere@domain),
9519
9520       ·      Postfix  is  the  final destination: the resolved RCPT TO domain
9521              matches  $mydestination,  $inet_interfaces,   $proxy_interfaces,
9522              $virtual_alias_domains,  or  $virtual_mailbox_domains,  and con‐
9523              tains no sender-specified routing (user@elsewhere@domain).
9524              The relay_domains_reject_code parameter specifies  the  response
9525              code for rejected requests (default: 554).
9526
9527       defer_unauth_destination
9528              Reject  the  same  requests as reject_unauth_destination, with a
9529              non-permanent error code.  This feature is available in  Postfix
9530              2.10 and later.
9531
9532       reject_unknown_recipient_domain
9533              Reject the request when Postfix is not final destination for the
9534              recipient domain, and the RCPT TO domain has 1) no DNS MX and no
9535              DNS A record or 2) a malformed MX record such as a record with a
9536              zero-length MX hostname (Postfix version 2.3 and later).
9537              The reply  is  specified  with  the  unknown_address_reject_code
9538              parameter    (default:   450),   unknown_address_tempfail_action
9539              (default: defer_if_permit), or  556  (nullmx,  Postfix  3.0  and
9540              later). See the respective parameter descriptions for details.
9541
9542       reject_unlisted_recipient  (with  Postfix  version  2.0:  check_recipi‐
9543       ent_maps)
9544              Reject the request when the RCPT TO address is not listed in the
9545              list   of  valid  recipients  for  its  domain  class.  See  the
9546              smtpd_reject_unlisted_recipient   parameter   description    for
9547              details.  This feature is available in Postfix 2.1 and later.
9548
9549       reject_unverified_recipient
9550              Reject  the request when mail to the RCPT TO address is known to
9551              bounce, or when the recipient address destination is not  reach‐
9552              able.   Address  verification information is managed by the ver‐
9553              ify(8) server;  see  the  ADDRESS_VERIFICATION_README  file  for
9554              details.
9555              The  unverified_recipient_reject_code  parameter  specifies  the
9556              numerical response code when  an  address  is  known  to  bounce
9557              (default: 450, change into 550 when you are confident that it is
9558              safe to do so).
9559              The  unverified_recipient_defer_code  parameter  specifies   the
9560              numerical  response  code  when an address probe failed due to a
9561              temporary problem (default: 450).
9562              The unverified_recipient_tempfail_action parameter specifies the
9563              action  after  address  probe failure due to a temporary problem
9564              (default: defer_if_permit).
9565              This feature breaks for aliased  addresses  with  "enable_origi‐
9566              nal_recipient = no" (Postfix <= 3.2).
9567              This feature is available in Postfix 2.1 and later.
9568
9569       Other restrictions that are valid in this context:
9570
9571       ·      Generic  restrictions  that can be used in any SMTP command con‐
9572              text, described under smtpd_client_restrictions.
9573
9574       ·      SMTP   command    specific    restrictions    described    under
9575              smtpd_client_restrictions,      smtpd_helo_restrictions      and
9576              smtpd_sender_restrictions.
9577
9578       Example:
9579
9580       # The Postfix before 2.10 default mail relay policy. Later Postfix
9581       # versions implement this preferably with smtpd_relay_restrictions.
9582       smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
9583
9585       Optional information that is appended after each  Postfix  SMTP  server
9586       4XX or 5XX response.
9587
9588       The following example uses "\c" at the start of the template (supported
9589       in Postfix 2.10 and later) to suppress the line break between the reply
9590       text  and  the  footer  text. With earlier Postfix versions, the footer
9591       text always begins on a new line, and the "\c" is output literally.
9592
9593       /etc/postfix/main.cf:
9594           smtpd_reject_footer = \c. For assistance, call 800-555-0101.
9595            Please provide the following information in your problem report:
9596            time ($localtime), client ($client_address) and server
9597            ($server_name).
9598
9599       Server response:
9600
9601           550-5.5.1 <user@example> Recipient address rejected: User
9602           unknown. For assistance, call 800-555-0101. Please provide the
9603           following information in your problem report: time (Jan 4 15:42:00),
9604           client (192.168.1.248) and server (mail1.example.com).
9605
9606       Note: the above text is meant to make it easier  to  find  the  Postfix
9607       logfile  records  for  a  failed  SMTP  session. The text itself is not
9608       logged to the Postfix SMTP server's maillog file.
9609
9610       Be sure to keep the text as short as possible. Long text may  be  trun‐
9611       cated  before it is logged to the remote SMTP client's maillog file, or
9612       before it is returned to the sender in a delivery status notification.
9613
9614       This feature supports a limited  number  of  $name  attributes  in  the
9615       footer  text.  These  are  replaced by their current value for the SMTP
9616       session:
9617
9618       client_address
9619              The Client IP address that is logged in the maillog file.
9620
9621       client_port
9622              The client TCP port that is logged in the maillog file.
9623
9624       localtime
9625              The server local time (Mmm dd hh:mm:ss) that is  logged  in  the
9626              maillog file.
9627
9628       server_name
9629              The server's myhostname value.  This attribute is made available
9630              for sites with multiple MTAs (perhaps behind  a  load-balancer),
9631              where  the  server  name  can  help  the  server support team to
9632              quickly find the right log files.
9633
9634       Notes:
9635
9636       ·      NOT SUPPORTED are other attributes such as sender, recipient, or
9637              main.cf parameters.
9638
9639       ·      For  safety  reasons,  text  that  does  not match $smtpd_expan‐
9640              sion_filter is censored.
9641
9642       This feature supports the two-character sequence \n as a request for  a
9643       line break in the footer text. Postfix automatically inserts after each
9644       line break the three-digit SMTP reply code (and optional enhanced  sta‐
9645       tus code) from the original Postfix reject message.
9646
9647       To work around mail software that mis-handles multi-line replies, spec‐
9648       ify the two-character sequence \c at the start of the  template.   This
9649       suppresses  the  line  break between the reply text and the footer text
9650       (Postfix 2.10 and later).
9651
9652       This feature is available in Postfix 2.8 and later.
9653

smtpd_reject_unlisted_recipient (default: yes)

9655       Request that the Postfix SMTP server rejects mail for unknown recipient
9656       addresses,  even  when  no  explicit  reject_unlisted_recipient  access
9657       restriction is specified. This prevents the Postfix queue from  filling
9658       up with undeliverable MAILER-DAEMON messages.
9659
9660       An  address  is  always considered "known" when it matches a virtual(5)
9661       alias or a canonical(5) mapping.
9662
9663       ·      The recipient domain matches $mydestination, $inet_interfaces or
9664              $proxy_interfaces,   but   the   recipient   is  not  listed  in
9665              $local_recipient_maps, and $local_recipient_maps is not null.
9666
9667       ·      The recipient  domain  matches  $virtual_alias_domains  but  the
9668              recipient is not listed in $virtual_alias_maps.
9669
9670       ·      The  recipient  domain  matches $virtual_mailbox_domains but the
9671              recipient is not  listed  in  $virtual_mailbox_maps,  and  $vir‐
9672              tual_mailbox_maps is not null.
9673
9674       ·      The recipient domain matches $relay_domains but the recipient is
9675              not listed in $relay_recipient_maps,  and  $relay_recipient_maps
9676              is not null.
9677
9678       This feature is available in Postfix 2.1 and later.
9679

smtpd_reject_unlisted_sender (default: no)

9681       Request  that  the Postfix SMTP server rejects mail from unknown sender
9682       addresses, even when no explicit reject_unlisted_sender access restric‐
9683       tion  is specified. This can slow down an explosion of forged mail from
9684       worms or viruses.
9685
9686       An address is always considered "known" when it  matches  a  virtual(5)
9687       alias or a canonical(5) mapping.
9688
9689       ·      The  sender  domain  matches $mydestination, $inet_interfaces or
9690              $proxy_interfaces, but the sender is not listed in $local_recip‐
9691              ient_maps, and $local_recipient_maps is not null.
9692
9693       ·      The  sender domain matches $virtual_alias_domains but the sender
9694              is not listed in $virtual_alias_maps.
9695
9696       ·      The  sender  domain  matches  $virtual_mailbox_domains  but  the
9697              sender   is  not  listed  in  $virtual_mailbox_maps,  and  $vir‐
9698              tual_mailbox_maps is not null.
9699
9700       ·      The sender domain matches $relay_domains but the sender  is  not
9701              listed  in  $relay_recipient_maps,  and $relay_recipient_maps is
9702              not null.
9703
9704       This feature is available in Postfix 2.1 and later.
9705

smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenti‐

9707       cated, defer_unauth_destination)
9708       Access restrictions for mail relay control that the Postfix SMTP server
9709       applies in the context of the RCPT  TO  command,  before  smtpd_recipi‐
9710       ent_restrictions.  See SMTPD_ACCESS_README, section "Delayed evaluation
9711       of SMTP access restriction lists" for a discussion of  evaluation  con‐
9712       text and time.
9713
9714       With  Postfix  versions before 2.10, the rules for relay permission and
9715       spam blocking were combined under smtpd_recipient_restrictions, result‐
9716       ing in error-prone configuration.  As of Postfix 2.10, relay permission
9717       rules are preferably implemented with smtpd_relay_restrictions, so that
9718       a  permissive  spam  blocking policy under smtpd_recipient_restrictions
9719       will no longer result in a permissive mail relay policy.
9720
9721       For backwards compatibility, sites that migrate from  Postfix  versions
9722       before  2.10  can  set smtpd_relay_restrictions to the empty value, and
9723       use smtpd_recipient_restrictions exactly as before.
9724
9725       By default, the Postfix SMTP server accepts:
9726
9727       ·      Mail from clients whose IP address matches $mynetworks, or:
9728
9729       ·      Mail to remote destinations that  match  $relay_domains,  except
9730              for  addresses that contain sender-specified routing (user@else‐
9731              where@domain), or:
9732
9733       ·      Mail  to  local  destinations  that  match  $inet_interfaces  or
9734              $proxy_interfaces,  $mydestination,  $virtual_alias_domains,  or
9735              $virtual_mailbox_domains.
9736
9737       IMPORTANT: Either the  smtpd_relay_restrictions  or  the  smtpd_recipi‐
9738       ent_restrictions  parameter  must specify at least one of the following
9739       restrictions. Otherwise Postfix will refuse to receive mail:
9740
9741           reject, reject_unauth_destination
9742
9743           defer, defer_if_permit, defer_unauth_destination
9744
9745       Specify a list of restrictions, separated by commas and/or  whitespace.
9746       Continue  long  lines  by  starting the next line with whitespace.  The
9747       same restrictions  are  available  as  documented  under  smtpd_recipi‐
9748       ent_restrictions.
9749
9750       This feature is available in Postix 2.10 and later.
9751

smtpd_restriction_classes (default: empty)

9753       User-defined aliases for groups of access restrictions. The aliases can
9754       be  specified  in  smtpd_recipient_restrictions  etc.,   and   on   the
9755       right-hand side of a Postfix access(5) table.
9756
9757       One  major  application  is for implementing per-recipient UCE control.
9758       See the RESTRICTION_CLASS_README document for other examples.
9759

smtpd_sasl_application_name (default: smtpd)

9761       The application name that the Postfix SMTP server uses for SASL  server
9762       initialization.  This controls the name of the SASL configuration file.
9763       The default value is smtpd, corresponding to a SASL configuration  file
9764       named smtpd.conf.
9765
9766       This  feature  is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
9767       was renamed to smtpd_sasl_path.
9768

smtpd_sasl_auth_enable (default: no)

9770       Enable SASL authentication in the Postfix SMTP server. By default,  the
9771       Postfix SMTP server does not use authentication.
9772
9773       If a remote SMTP client is authenticated, the permit_sasl_authenticated
9774       access restriction can be used to permit relay access, like this:
9775
9776           # With Postfix 2.10 and later, the mail relay policy is
9777           # preferably specified under smtpd_relay_restrictions.
9778           smtpd_relay_restrictions =
9779               permit_mynetworks, permit_sasl_authenticated, ...
9780
9781       # With Postfix before 2.10, the relay policy can be
9782       # specified only under smtpd_recipient_restrictions.
9783       smtpd_recipient_restrictions =
9784           permit_mynetworks, permit_sasl_authenticated, ...
9785
9786       To reject all SMTP connections from  unauthenticated  clients,  specify
9787       "smtpd_delay_reject = yes" (which is the default) and use:
9788
9789           smtpd_client_restrictions = permit_sasl_authenticated, reject
9790
9791       See the SASL_README file for SASL configuration and operation details.
9792

smtpd_sasl_authenticated_header (default: no)

9794       Report  the  SASL authenticated user name in the smtpd(8) Received mes‐
9795       sage header.
9796
9797       This feature is available in Postfix 2.3 and later.
9798

smtpd_sasl_exceptions_networks (default: empty)

9800       What remote SMTP clients the Postfix SMTP server will  not  offer  AUTH
9801       support to.
9802
9803       Some  clients  (Netscape  4  at  least)  have a bug that causes them to
9804       require a login and password whenever AUTH  is  offered,  whether  it's
9805       necessary  or  not.  To work around this, specify, for example, $mynet‐
9806       works to prevent Postfix from offering AUTH to local clients.
9807
9808       Specify a list of network/netmask patterns, separated by commas  and/or
9809       whitespace.  The  mask specifies the number of bits in the network part
9810       of a host address. You can also "/file/name" or "type:table"  patterns.
9811       A  "/file/name"  pattern  is  replaced  by its contents; a "type:table"
9812       lookup table is matched when a table entry matches a lookup string (the
9813       lookup  result  is  ignored).  Continue long lines by starting the next
9814       line with whitespace. Specify "!pattern" to exclude an address or  net‐
9815       work  block from the list.  The form "!/file/name" is supported only in
9816       Postfix version 2.4 and later.
9817
9818       Note: IP version 6 address information must be specified inside  []  in
9819       the  smtpd_sasl_exceptions_networks  value, and in files specified with
9820       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
9821       would otherwise be confused with a "type:table" pattern.
9822
9823       Example:
9824
9825       smtpd_sasl_exceptions_networks = $mynetworks
9826
9827       This feature is available in Postfix 2.1 and later.
9828

smtpd_sasl_local_domain (default: empty)

9830       The name of the Postfix SMTP server's local SASL authentication realm.
9831
9832       By default, the local authentication realm name is the null string.
9833
9834       Examples:
9835
9836       smtpd_sasl_local_domain = $mydomain
9837       smtpd_sasl_local_domain = $myhostname
9838

smtpd_sasl_path (default: smtpd)

9840       Implementation-specific information that the Postfix SMTP server passes
9841       through to the  SASL  plug-in  implementation  that  is  selected  with
9842       smtpd_sasl_type.   Typically this specifies the name of a configuration
9843       file or rendezvous point.
9844
9845       This feature is available in Postfix 2.3 and later. In earlier releases
9846       it was called smtpd_sasl_application_name.
9847

smtpd_sasl_security_options (default: noanonymous)

9849       Postfix  SMTP  server SASL security options; as of Postfix 2.3 the list
9850       of available features depends on the SASL server implementation that is
9851       selected with smtpd_sasl_type.
9852
9853       The  following  security features are defined for the cyrus server SASL
9854       implementation:
9855
9856       Restrict what authentication mechanisms the Postfix  SMTP  server  will
9857       offer  to  the client.  The list of available authentication mechanisms
9858       is system dependent.
9859
9860       Specify zero or more of the following:
9861
9862       noplaintext
9863              Disallow methods that use plaintext passwords.
9864
9865       noactive
9866              Disallow methods subject to active (non-dictionary) attack.
9867
9868       nodictionary
9869              Disallow methods subject to passive (dictionary) attack.
9870
9871       noanonymous
9872              Disallow methods that allow anonymous authentication.
9873
9874       forward_secrecy
9875              Only allow methods that support forward secrecy (Dovecot only).
9876
9877       mutual_auth
9878              Only allow  methods  that  provide  mutual  authentication  (not
9879              available with Cyrus SASL version 1).
9880
9881       By default, the Postfix SMTP server accepts plaintext passwords but not
9882       anonymous logins.
9883
9884       Warning: it appears that clients  try  authentication  methods  in  the
9885       order  as  advertised  by  the  server (e.g., PLAIN ANONYMOUS CRAM-MD5)
9886       which means that if you disable plaintext passwords, clients  will  log
9887       in  anonymously, even when they should be able to use CRAM-MD5.  So, if
9888       you disable plaintext logins, disable anonymous  logins  too.   Postfix
9889       treats anonymous login as no authentication.
9890
9891       Example:
9892
9893       smtpd_sasl_security_options = noanonymous, noplaintext
9894

smtpd_sasl_service (default: smtp)

9896       The  service  name  that is passed to the SASL plug-in that is selected
9897       with smtpd_sasl_type and smtpd_sasl_path.
9898
9899       This feature is available in Postfix 2.11  and  later.  Prior  versions
9900       behave as if "smtp" is specified.
9901

smtpd_sasl_tls_security_options (default: $smtpd_sasl_security_options)

9903       The  SASL  authentication security options that the Postfix SMTP server
9904       uses for TLS encrypted SMTP sessions.
9905
9906       This feature is available in Postfix 2.2 and later.
9907

smtpd_sasl_type (default: cyrus)

9909       The SASL plug-in type that the  Postfix  SMTP  server  should  use  for
9910       authentication.  The  available types are listed with the "postconf -a"
9911       command.
9912
9913       This feature is available in Postfix 2.3 and later.
9914

smtpd_sender_login_maps (default: empty)

9916       Optional lookup table with the SASL login names  that  own  the  sender
9917       (MAIL FROM) addresses.
9918
9919       Specify zero or more "type:name" lookup tables, separated by whitespace
9920       or comma. Tables will be searched in the specified order until a  match
9921       is  found.   With lookups from indexed files such as DB or DBM, or from
9922       networked tables such as NIS, LDAP or SQL, the following search  opera‐
9923       tions are done with a sender address of user@domain:
9924
9925       1) user@domain
9926              This table lookup is always done and has the highest precedence.
9927
9928       2) user
9929              This  table  lookup  is  done  only  when the domain part of the
9930              sender address matches $myorigin,  $mydestination,  $inet_inter‐
9931              faces or $proxy_interfaces.
9932
9933       3) @domain
9934              This table lookup is done last and has the lowest precedence.
9935
9936       In all cases the result of table lookup must be either "not found" or a
9937       list of SASL login names separated by comma and/or whitespace.
9938

smtpd_sender_restrictions (default: empty)

9940       Optional restrictions that the Postfix SMTP server applies in the  con‐
9941       text  of  a client MAIL FROM command.  See SMTPD_ACCESS_README, section
9942       "Delayed evaluation of SMTP access restriction lists" for a  discussion
9943       of evaluation context and time.
9944
9945       The default is to permit everything.
9946
9947       Specify  a list of restrictions, separated by commas and/or whitespace.
9948       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9949       Restrictions  are applied in the order as specified; the first restric‐
9950       tion that matches wins.
9951
9952       The following restrictions are specific to the sender address  received
9953       with the MAIL FROM command.
9954
9955       check_sender_access type:table
9956              Search  the  specified  access(5)  database  for  the  MAIL FROM
9957              address, domain, parent domains, or localpart@, and execute  the
9958              corresponding action.
9959
9960       check_sender_a_access type:table
9961              Search the specified access(5) database for the IP addresses for
9962              the MAIL FROM domain,  and  execute  the  corresponding  action.
9963              Note:  a  result  of  "OK"  is  not  allowed for safety reasons.
9964              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
9965              blacklists.  This feature is available in Postfix 3.0 and later.
9966
9967       check_sender_mx_access type:table
9968              Search the specified access(5) database for the MX hosts for the
9969              MAIL FROM domain, and execute the corresponding action.  Note: a
9970              result  of  "OK" is not allowed for safety reasons. Instead, use
9971              DUNNO in order to exclude specific hosts from blacklists.   This
9972              feature is available in Postfix 2.1 and later.
9973
9974       check_sender_ns_access type:table
9975              Search  the specified access(5) database for the DNS servers for
9976              the MAIL FROM domain,  and  execute  the  corresponding  action.
9977              Note:  a  result  of  "OK"  is  not  allowed for safety reasons.
9978              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
9979              blacklists.  This feature is available in Postfix 2.1 and later.
9980
9981       reject_authenticated_sender_login_mismatch
9982              Enforces   the   reject_sender_login_mismatch   restriction  for
9983              authenticated clients only. This feature is available in Postfix
9984              version 2.1 and later.
9985
9986       reject_known_sender_login_mismatch
9987              Apply  the reject_sender_login_mismatch restriction only to MAIL
9988              FROM addresses that are known in $smtpd_sender_login_maps.  This
9989              feature is available in Postfix version 2.11 and later.
9990
9991       reject_non_fqdn_sender
9992              Reject the request when the MAIL FROM address specifies a domain
9993              that is not in fully-qualified domain form as  required  by  the
9994              RFC.
9995              The  non_fqdn_reject_code  parameter specifies the response code
9996              for rejected requests (default: 504).
9997
9998       reject_rhsbl_sender rbl_domain=d.d.d.d
9999              Reject the request when the MAIL FROM domain is listed with  the
10000              A  record  "d.d.d.d"  under  rbl_domain (Postfix version 2.1 and
10001              later only).  Each "d" is a number, or  a  pattern  inside  "[]"
10002              that  contains one or more ";"-separated numbers or number..num‐
10003              ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d"  is
10004              specified,  reject  the  request  when  the  MAIL FROM domain is
10005              listed with any A record under rbl_domain.
10006              The maps_rbl_reject_code parameter specifies the  response  code
10007              for  rejected  requests  (default:   554); the default_rbl_reply
10008              parameter  specifies  the  default   server   reply;   and   the
10009              rbl_reply_maps  parameter  specifies  tables with server replies
10010              indexed by rbl_domain.  This feature is available in Postfix 2.0
10011              and later.
10012
10013       reject_sender_login_mismatch
10014              Reject  the  request  when $smtpd_sender_login_maps specifies an
10015              owner for the MAIL FROM address, but the client  is  not  (SASL)
10016              logged in as that MAIL FROM address owner; or when the client is
10017              (SASL) logged in, but the client login name doesn't own the MAIL
10018              FROM address according to $smtpd_sender_login_maps.
10019
10020       reject_unauthenticated_sender_login_mismatch
10021              Enforces  the reject_sender_login_mismatch restriction for unau‐
10022              thenticated clients only. This feature is available  in  Postfix
10023              version 2.1 and later.
10024
10025       reject_unknown_sender_domain
10026              Reject the request when Postfix is not final destination for the
10027              sender address, and the MAIL FROM domain has 1) no DNS MX and no
10028              DNS  A record, or 2) a malformed MX record such as a record with
10029              a zero-length MX hostname (Postfix version 2.3 and later).
10030              The reply  is  specified  with  the  unknown_address_reject_code
10031              parameter    (default:   450),   unknown_address_tempfail_action
10032              (default: defer_if_permit), or  550  (nullmx,  Postfix  3.0  and
10033              later). See the respective parameter descriptions for details.
10034
10035       reject_unlisted_sender
10036              Reject  the  request when the MAIL FROM address is not listed in
10037              the list of valid recipients  for  its  domain  class.  See  the
10038              smtpd_reject_unlisted_sender  parameter description for details.
10039              This feature is available in Postfix 2.1 and later.
10040
10041       reject_unverified_sender
10042              Reject the request when mail to the MAIL FROM address  is  known
10043              to  bounce, or when the sender address destination is not reach‐
10044              able.  Address verification information is managed by  the  ver‐
10045              ify(8)  server;  see  the  ADDRESS_VERIFICATION_README  file for
10046              details.
10047              The unverified_sender_reject_code parameter specifies the numer‐
10048              ical  response code when an address is known to bounce (default:
10049              450, change into 550 when you are confident that it is  safe  to
10050              do so).
10051              The   unverified_sender_defer_code   specifies   the   numerical
10052              response code when an address probe failed due  to  a  temporary
10053              problem (default: 450).
10054              The  unverified_sender_tempfail_action  parameter  specifies the
10055              action after address probe failure due to  a  temporary  problem
10056              (default: defer_if_permit).
10057              This  feature  breaks  for aliased addresses with "enable_origi‐
10058              nal_recipient = no" (Postfix <= 3.2).
10059              This feature is available in Postfix 2.1 and later.
10060
10061       Other restrictions that are valid in this context:
10062
10063       ·      Generic restrictions that can be used in any SMTP  command  con‐
10064              text, described under smtpd_client_restrictions.
10065
10066       ·      SMTP    command    specific    restrictions    described   under
10067              smtpd_client_restrictions and smtpd_helo_restrictions.
10068
10069       ·      SMTP command specific restrictions described under smtpd_recipi‐
10070              ent_restrictions.  When  recipient restrictions are listed under
10071              smtpd_sender_restrictions,   they   have   effect   only    with
10072              "smtpd_delay_reject  =  yes", so that $smtpd_sender_restrictions
10073              is evaluated at the time of the RCPT TO command.
10074
10075       Examples:
10076
10077       smtpd_sender_restrictions = reject_unknown_sender_domain
10078       smtpd_sender_restrictions = reject_unknown_sender_domain,
10079           check_sender_access hash:/etc/postfix/access
10080

smtpd_service_name (default: smtpd)

10082       The internal service that postscreen(8) hands off  allowed  connections
10083       to. In a future version there may be different classes of SMTP service.
10084
10085       This feature is available in Postfix 2.8.
10086

smtpd_soft_error_limit (default: 10)

10088       The  number  of  errors a remote SMTP client is allowed to make without
10089       delivering mail before the Postfix  SMTP  server  slows  down  all  its
10090       responses.
10091
10092       ·      With  Postfix  version  2.1  and  later, the Postfix SMTP server
10093              delays all responses by $smtpd_error_sleep_time seconds.
10094
10095       ·      With Postfix versions 2.0 and earlier, the Postfix  SMTP  server
10096              delays all responses by (number of errors) seconds.
10097

smtpd_starttls_timeout (default: see postconf -d output)

10099       The time limit for Postfix SMTP server write and read operations during
10100       TLS startup and shutdown  handshake  procedures.  The  current  default
10101       value  is stress-dependent. Before Postfix version 2.8, it was fixed at
10102       300s.
10103
10104       This feature is available in Postfix 2.2 and later.
10105

smtpd_timeout (default: normal: 300s, overload: 10s)

10107       The time limit for sending a  Postfix  SMTP  server  response  and  for
10108       receiving  a  remote SMTP client request. Normally the default limit is
10109       300s, but it changes under overload to just 10s. With Postfix  2.5  and
10110       earlier, the SMTP server always uses a time limit of 300s by default.
10111
10112       Note:  if you set SMTP time limits to very large values you may have to
10113       update the global ipc_timeout parameter.
10114
10115       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
10116       The default time unit is s (seconds).
10117

smtpd_tls_CAfile (default: empty)

10119       A  file  containing (PEM format) CA certificates of root CAs trusted to
10120       sign either remote SMTP client certificates or intermediate CA certifi‐
10121       cates.   These are loaded into memory before the smtpd(8) server enters
10122       the chroot jail. If the number of  trusted  roots  is  large,  consider
10123       using smtpd_tls_CApath instead, but note that the latter directory must
10124       be present in the chroot jail if the smtpd(8) server is chrooted.  This
10125       file  may  also  be used to augment the server certificate trust chain,
10126       but it is best to include all the required certificates directly in the
10127       server certificate file.
10128
10129       Specify  "smtpd_tls_CAfile  =  /path/to/system_CA_file" to use ONLY the
10130       system-supplied default Certification Authority certificates.
10131
10132       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
10133       the system-supplied default CAs and trusting third-party certificates.
10134
10135       By  default  (see  smtpd_tls_ask_ccert),  client  certificates  are not
10136       requested, and smtpd_tls_CAfile should remain empty. If you do make use
10137       of client certificates, the distinguished names (DNs) of the Certifica‐
10138       tion Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
10139       client  in  the  client certificate request message. MUAs with multiple
10140       client certificates may use the list of preferred Certification Author‐
10141       ities  to  select  the correct client certificate.  You may want to put
10142       your "preferred" CA or CAs in this file, and install other trusted  CAs
10143       in $smtpd_tls_CApath.
10144
10145       Example:
10146
10147       smtpd_tls_CAfile = /etc/postfix/CAcert.pem
10148
10149       This feature is available in Postfix 2.2 and later.
10150

smtpd_tls_CApath (default: empty)

10152       A directory containing (PEM format) CA certificates of root CAs trusted
10153       to sign either remote SMTP client certificates or intermediate CA  cer‐
10154       tificates. Do not forget to create the necessary "hash" links with, for
10155       example,  "$OPENSSL_HOME/bin/c_rehash   /etc/postfix/certs".   To   use
10156       smtpd_tls_CApath  in  chroot  mode,  this directory (or a copy) must be
10157       inside the chroot jail.
10158
10159       Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to  use  ONLY
10160       the system-supplied default Certification Authority certificates.
10161
10162       Specify  "tls_append_default_CA = no" to prevent Postfix from appending
10163       the system-supplied default CAs and trusting third-party certificates.
10164
10165       By default  (see  smtpd_tls_ask_ccert),  client  certificates  are  not
10166       requested,  and  smtpd_tls_CApath  should  remain empty. In contrast to
10167       smtpd_tls_CAfile,  DNs  of  Certification  Authorities   installed   in
10168       $smtpd_tls_CApath  are  not  included in the client certificate request
10169       message. MUAs with multiple client certificates may  use  the  list  of
10170       preferred  Certification  Authorities to select the correct client cer‐
10171       tificate.   You  may  want  to  put  your  "preferred"  CA  or  CAs  in
10172       $smtpd_tls_CAfile,   and   install   the   remaining   trusted  CAs  in
10173       $smtpd_tls_CApath.
10174
10175       Example:
10176
10177       smtpd_tls_CApath = /etc/postfix/certs
10178
10179       This feature is available in Postfix 2.2 and later.
10180

smtpd_tls_always_issue_session_ids (default: yes)

10182       Force the Postfix SMTP server to issue a TLS session id, even when  TLS
10183       session  caching  is  turned  off  (smtpd_tls_session_cache_database is
10184       empty). This behavior is compatible with Postfix < 2.3.
10185
10186       With Postfix 2.3 and later the Postfix SMTP server can disable  session
10187       id generation when TLS session caching is turned off. This keeps remote
10188       SMTP clients from caching sessions  that  almost  certainly  cannot  be
10189       re-used.
10190
10191       By  default,  the Postfix SMTP server always generates TLS session ids.
10192       This works around a known defect in mail client applications such as MS
10193       Outlook, and may also prevent interoperability issues with other MTAs.
10194
10195       Example:
10196
10197       smtpd_tls_always_issue_session_ids = no
10198
10199       This feature is available in Postfix 2.3 and later.
10200

smtpd_tls_ask_ccert (default: no)

10202       Ask  a remote SMTP client for a client certificate. This information is
10203       needed for certificate based mail relaying with, for example, the  per‐
10204       mit_tls_clientcerts feature.
10205
10206       Some clients such as Netscape will either complain if no certificate is
10207       available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
10208       tiple client certificates to choose from. This may be annoying, so this
10209       option is "off" by default.
10210
10211       This feature is available in Postfix 2.2 and later.
10212

smtpd_tls_auth_only (default: no)

10214       When TLS encryption is optional in the  Postfix  SMTP  server,  do  not
10215       announce or accept SASL authentication over unencrypted connections.
10216
10217       This feature is available in Postfix 2.2 and later.
10218

smtpd_tls_ccert_verifydepth (default: 9)

10220       The  verification depth for remote SMTP client certificates. A depth of
10221       1 is sufficient if the issuing CA is listed in a local CA file.
10222
10223       The default verification depth is 9 (the OpenSSL default) for  compati‐
10224       bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
10225       value was 5, but the limit was not actually enforced. If you  have  set
10226       this  to  a  lower  non-default  value,  certificates with longer trust
10227       chains may now fail to verify. Certificate chains with 1 or 2  CAs  are
10228       common,  deeper  chains  are  more  rare and any number between 5 and 9
10229       should suffice in practice. You can choose a lower number if, for exam‐
10230       ple,  you  trust  certificates directly signed by an issuing CA but not
10231       any CAs it delegates to.
10232
10233       This feature is available in Postfix 2.2 and later.
10234

smtpd_tls_cert_file (default: empty)

10236       File with the Postfix SMTP server RSA certificate in PEM format.   This
10237       file may also contain the Postfix SMTP server private RSA key.
10238
10239       Public  Internet  MX hosts without certificates signed by a "reputable"
10240       CA must generate, and  be  prepared  to  present  to  most  clients,  a
10241       self-signed  or  private-CA  signed certificate. The client will not be
10242       able to authenticate the server, but unless it is running  Postfix  2.3
10243       or similar software, it will still insist on a server certificate.
10244
10245       For servers that are not public Internet MX hosts, Postfix 2.3 supports
10246       configurations with no certificates. This entails the use of  just  the
10247       anonymous TLS ciphers, which are not supported by typical SMTP clients.
10248       Since such clients will not, as a rule, fall back to plain text after a
10249       TLS  handshake failure, the server will be unable to receive email from
10250       TLS enabled clients. To avoid accidental configurations  with  no  cer‐
10251       tificates, Postfix 2.3 enables certificate-less operation only when the
10252       administrator  explicitly  sets  "smtpd_tls_cert_file  =  none".   This
10253       ensures  that new Postfix configurations will not accidentally run with
10254       no certificates.
10255
10256       Both RSA and DSA certificates  are  supported.   When  both  types  are
10257       present, the cipher used determines which certificate will be presented
10258       to the client.  For Netscape and OpenSSL clients without special cipher
10259       choices the RSA certificate is preferred.
10260
10261       To  enable  a remote SMTP client to verify the Postfix SMTP server cer‐
10262       tificate, the issuing CA certificates must be  made  available  to  the
10263       client. You should include the required certificates in the server cer‐
10264       tificate file, the server certificate first,  then  the  issuing  CA(s)
10265       (bottom-up order).
10266
10267       Example: the certificate for "server.example.com" was issued by "inter‐
10268       mediate CA" which itself has a certificate of "root  CA".   Create  the
10269       server.pem   file   with   "cat   server_cert.pem   intermediate_CA.pem
10270       root_CA.pem > server.pem".
10271
10272       If you also want to verify client certificates issued by these CAs, you
10273       can  add  the CA certificates to the smtpd_tls_CAfile, in which case it
10274       is  not  necessary  to  have  them  in   the   smtpd_tls_cert_file   or
10275       smtpd_tls_dcert_file.
10276
10277       A certificate supplied here must be usable as an SSL server certificate
10278       and hence pass the "openssl verify -purpose sslserver ..." test.
10279
10280       Example:
10281
10282       smtpd_tls_cert_file = /etc/postfix/server.pem
10283
10284       This feature is available in Postfix 2.2 and later.
10285

smtpd_tls_cipherlist (default: empty)

10287       Obsolete Postfix < 2.3 control for the Postfix SMTP server  TLS  cipher
10288       list.  It  is  easy  to  create interoperability problems by choosing a
10289       non-default cipher list. Do not use a non-default TLS cipherlist for MX
10290       hosts on the public Internet. Clients that begin the TLS handshake, but
10291       are unable to agree on a common cipher, may not be  able  to  send  any
10292       email  to  the  SMTP server. Using a restricted cipher list may be more
10293       appropriate for a dedicated MSA or an internal mailhub, where  one  can
10294       exert some control over the TLS software and settings of the connecting
10295       clients.
10296
10297       Note: do not use "" quotes around the parameter value.
10298
10299       This feature is available with Postfix version 2.2. It is not used with
10300       Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
10301

smtpd_tls_ciphers (default: medium)

10303       The minimum TLS cipher grade that the Postfix SMTP server will use with
10304       opportunistic    TLS    encryption.    Cipher    types    listed     in
10305       smtpd_tls_exclude_ciphers  are excluded from the base definition of the
10306       selected cipher grade.  The  default  value  is  "medium"  for  Postfix
10307       releases after the middle of 2015, "export" for older releases.
10308
10309       When   TLS   is   mandatory   the   cipher  grade  is  chosen  via  the
10310       smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
10311       tax details.
10312
10313       This  feature is available in Postfix 2.6 and later. With earlier Post‐
10314       fix releases only the smtpd_tls_mandatory_ciphers parameter  is  imple‐
10315       mented, and opportunistic TLS always uses "export" or better (i.e. all)
10316       ciphers.
10317

smtpd_tls_dcert_file (default: empty)

10319       File with the Postfix SMTP server DSA certificate in PEM format.   This
10320       file may also contain the Postfix SMTP server private DSA key.
10321
10322       See the discussion under smtpd_tls_cert_file for more details.
10323
10324       Example:
10325
10326       smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
10327
10328       This feature is available in Postfix 2.2 and later.
10329

smtpd_tls_dh1024_param_file (default: empty)

10331       File  with  DH  parameters that the Postfix SMTP server should use with
10332       non-export EDH ciphers.
10333
10334       Instead of using the exact same  parameter  sets  as  distributed  with
10335       other  TLS  packages,  it  is  more  secure to generate your own set of
10336       parameters with something like the following commands:
10337
10338           openssl dhparam -out /etc/postfix/dh512.pem 512
10339           openssl dhparam -out /etc/postfix/dh1024.pem 1024
10340           openssl dhparam -out /etc/postfix/dh2048.pem 2048
10341
10342       It is safe to share the same DH  parameters  between  multiple  Postfix
10343       instances.   If  you  prefer,  you can generate separate parameters for
10344       each instance.
10345
10346       If you want to take maximal advantage of  ciphers  that  offer  forward
10347       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
10348       full document conveniently presents all information about Postfix "per‐
10349       fect"  forward  secrecy  support in one place: what forward secrecy is,
10350       how to tweak settings, and what you can expect to see when Postfix uses
10351       ciphers with forward secrecy.
10352
10353       Example:
10354
10355       smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
10356
10357       This feature is available with Postfix version 2.2.
10358

smtpd_tls_dh512_param_file (default: empty)

10360       File  with  DH  parameters that the Postfix SMTP server should use with
10361       export-grade EDH ciphers.  The default  SMTP  server  cipher  grade  is
10362       "medium"  with  Postfix  releases  after  the  middle of 2015, and as a
10363       result export-grade cipher suites are by default not used.
10364
10365       See also the discussion under the smtpd_tls_dh1024_param_file  configu‐
10366       ration parameter.
10367
10368       Example:
10369
10370       smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
10371
10372       This feature is available with Postfix version 2.2.
10373

smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)

10375       File  with the Postfix SMTP server DSA private key in PEM format.  This
10376       file may be combined with the Postfix SMTP server DSA certificate  file
10377       specified with $smtpd_tls_dcert_file.
10378
10379       The  private key must be accessible without a pass-phrase, i.e. it must
10380       not be encrypted. File permissions should grant read-only access to the
10381       system superuser account ("root"), and no access to anyone else.
10382
10383       This feature is available in Postfix 2.2 and later.
10384

smtpd_tls_eccert_file (default: empty)

10386       File  with  the  Postfix  SMTP  server ECDSA certificate in PEM format.
10387       This file may also contain the Postfix SMTP server private ECDSA key.
10388
10389       See the discussion under smtpd_tls_cert_file for more details.
10390
10391       Example:
10392
10393       smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
10394
10395       This feature is available in Postfix 2.6 and  later,  when  Postfix  is
10396       compiled and linked with OpenSSL 1.0.0 or later.
10397

smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file)

10399       File  with  the  Postfix  SMTP  server ECDSA private key in PEM format.
10400       This file may be combined with the Postfix SMTP server  ECDSA  certifi‐
10401       cate file specified with $smtpd_tls_eccert_file.
10402
10403       The  private key must be accessible without a pass-phrase, i.e. it must
10404       not be encrypted. File permissions should grant read-only access to the
10405       system superuser account ("root"), and no access to anyone else.
10406
10407       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
10408       compiled and linked with OpenSSL 1.0.0 or later.
10409

smtpd_tls_eecdh_grade (default: see postconf -d output)

10411       The Postfix SMTP server security  grade  for  ephemeral  elliptic-curve
10412       Diffie-Hellman (EECDH) key exchange.
10413
10414       The available choices are:
10415
10416       none   Don't  use  EECDH.  Ciphers  based on EECDH key exchange will be
10417              disabled. This is the default in Postfix versions 2.6 and 2.7.
10418
10419       strong Use EECDH with approximately 128 bits of security at  a  reason‐
10420              able  computational  cost.  This  is  the  current best-practice
10421              trade-off between security and computational efficiency. This is
10422              the default in Postfix version 2.8 and later.
10423
10424       ultra  Use  EECDH  with  approximately 192 bits of security at computa‐
10425              tional cost that is approximately  twice  as  high  as  128  bit
10426              strength  ECC. Barring significant progress in attacks on ellip‐
10427              tic curve crypto-systems, the "strong" curve is  sufficient  for
10428              most users.
10429
10430       auto   Use  the  most  preferred  curve  that  is supported by both the
10431              client and the server.  This setting  requires  Postfix  >=  3.2
10432              compiled  and linked with OpenSSL >= 1.0.2.  This is the default
10433              setting under the above conditions.
10434
10435       If you want to take maximal advantage of  ciphers  that  offer  forward
10436       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
10437       full document conveniently presents all information about Postfix "per‐
10438       fect"  forward  secrecy  support in one place: what forward secrecy is,
10439       how to tweak settings, and what you can expect to see when Postfix uses
10440       ciphers with forward secrecy.
10441
10442       This feature is available in Postfix 2.6 and later, when it is compiled
10443       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
10444       have not been disabled by the vendor.
10445

smtpd_tls_exclude_ciphers (default: empty)

10447       List  of ciphers or cipher types to exclude from the SMTP server cipher
10448       list at all TLS security levels. Excluding  valid  ciphers  can  create
10449       interoperability  problems.  DO NOT exclude ciphers unless it is essen‐
10450       tial to do so. This is not an OpenSSL cipherlist; it is a  simple  list
10451       separated  by  whitespace  and/or  commas.  The  elements  are a single
10452       cipher, or one or more "+" separated cipher properties, in  which  case
10453       only ciphers matching all the properties are excluded.
10454
10455       Examples (some of these will cause problems):
10456
10457           smtpd_tls_exclude_ciphers = aNULL
10458           smtpd_tls_exclude_ciphers = MD5, DES
10459           smtpd_tls_exclude_ciphers = DES+MD5
10460           smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
10461           smtpd_tls_exclude_ciphers = kEDH+aRSA
10462
10463       The first setting disables anonymous ciphers. The next setting disables
10464       ciphers that use the MD5 digest algorithm or the (single)  DES  encryp‐
10465       tion  algorithm. The next setting disables ciphers that use MD5 and DES
10466       together.  The next setting disables the two ciphers  "AES256-SHA"  and
10467       "DES-CBC3-MD5".  The  last  setting disables ciphers that use "EDH" key
10468       exchange with RSA authentication.
10469
10470       This feature is available in Postfix 2.3 and later.
10471

smtpd_tls_fingerprint_digest (default: md5)

10473       The message digest algorithm to construct remote  SMTP  client-certifi‐
10474       cate  fingerprints  or  public key fingerprints (Postfix 2.9 and later)
10475       for check_ccert_access and permit_tls_clientcerts.  The  default  algo‐
10476       rithm  is  md5, for backwards compatibility with Postfix releases prior
10477       to 2.5.
10478
10479       Advances in hash function cryptanalysis have led to  md5  being  depre‐
10480       cated in favor of sha1.  However, as long as there are no known "second
10481       pre-image" attacks against md5, its use in this context  can  still  be
10482       considered safe.
10483
10484       While  additional  digest algorithms are often available with OpenSSL's
10485       libcrypto, only those used by libssl in SSL cipher suites are available
10486       to Postfix.
10487
10488       To find the fingerprint of a specific certificate file, with a specific
10489       digest algorithm, run:
10490
10491           $ openssl x509 -noout -fingerprint -digest -in certfile.pem
10492
10493       The text to the right of "=" sign  is  the  desired  fingerprint.   For
10494       example:
10495
10496           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
10497           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
10498
10499       To  extract  the  public key fingerprint from an X.509 certificate, you
10500       need to extract the public key from the  certificate  and  compute  the
10501       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
10502       key" option of the "x509" command extracts the  public  key  always  in
10503       "PEM"  format.  We pipe the result to another OpenSSL command that con‐
10504       verts the key to DER and then to the "dgst" command to compute the fin‐
10505       gerprint.
10506
10507       The  actual  command  to transform the key to DER format depends on the
10508       version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey"  com‐
10509       mand  supports  all  key types. With OpenSSL 0.9.8 and earlier, the key
10510       type is always RSA (nobody uses DSA, and EC keys  are  not  fully  sup‐
10511       ported by 0.9.8), so the "rsa" command is used.
10512
10513           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
10514           $ openssl x509 -in cert.pem -noout -pubkey |
10515               openssl pkey -pubin -outform DER |
10516               openssl dgst -sha1 -c
10517           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
10518
10519           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
10520           $ openssl x509 -in cert.pem -noout -pubkey |
10521               openssl rsa -pubin -outform DER |
10522               openssl dgst -md5 -c
10523           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
10524
10525       The Postfix SMTP server and client log the peer (leaf) certificate fin‐
10526       gerprint and public key fingerprint when  the  TLS  loglevel  is  2  or
10527       higher.
10528
10529       Note:  Postfix  2.9.0-2.9.5  computed the public key fingerprint incor‐
10530       rectly. To use public-key fingerprints, upgrade  to  Postfix  2.9.6  or
10531       later.
10532
10533       Example: client-certificate access table, with sha1 fingerprints:
10534
10535           /etc/postfix/main.cf:
10536               smtpd_tls_fingerprint_digest = sha1
10537               smtpd_client_restrictions =
10538                   check_ccert_access hash:/etc/postfix/access,
10539                   reject
10540           /etc/postfix/access:
10541               # Action folded to next line...
10542               AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
10543                   OK
10544               85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
10545                   permit_auth_destination
10546
10547       This feature is available in Postfix 2.5 and later.
10548

smtpd_tls_key_file (default: $smtpd_tls_cert_file)

10550       File  with the Postfix SMTP server RSA private key in PEM format.  This
10551       file may be combined with the Postfix SMTP server RSA certificate  file
10552       specified with $smtpd_tls_cert_file.
10553
10554       The  private key must be accessible without a pass-phrase, i.e. it must
10555       not be encrypted. File permissions should grant read-only access to the
10556       system superuser account ("root"), and no access to anyone else.
10557

smtpd_tls_loglevel (default: 0)

10559       Enable  additional  Postfix  SMTP server logging of TLS activity.  Each
10560       logging level also includes the information that is logged at  a  lower
10561       logging level.
10562
10563              0 Disable logging of TLS activity.
10564
10565              1  Log  only  a summary message on TLS handshake completion - no
10566              logging of client certificate trust-chain verification errors if
10567              client  certificate  verification is not required.  With Postfix
10568              2.8 and earlier, log the summary message, peer certificate  sum‐
10569              mary  information  and unconditionally log trust-chain verifica‐
10570              tion errors.
10571
10572              2 Also log levels during TLS negotiation.
10573
10574              3 Also  log  hexadecimal  and  ASCII  dump  of  TLS  negotiation
10575              process.
10576
10577              4  Also  log hexadecimal and ASCII dump of complete transmission
10578              after STARTTLS.
10579
10580       Do not use "smtpd_tls_loglevel = 2" or higher except in case  of  prob‐
10581       lems. Use of loglevel 4 is strongly discouraged.
10582
10583       This feature is available in Postfix 2.2 and later.
10584

smtpd_tls_mandatory_ciphers (default: medium)

10586       The minimum TLS cipher grade that the Postfix SMTP server will use with
10587       mandatory TLS encryption. The default grade ("medium") is  sufficiently
10588       strong  that  any  benefit  from globally restricting TLS sessions to a
10589       more stringent grade is likely negligible, especially  given  the  fact
10590       that  many  implementations  still  do  not  offer any stronger ("high"
10591       grade) ciphers, while those that  do,  will  always  use  "high"  grade
10592       ciphers. So insisting on "high" grade ciphers is generally counter-pro‐
10593       ductive. Allowing "export" or "low" ciphers is  typically  not  a  good
10594       idea,  as  systems  limited  to  just  these  are  limited  to obsolete
10595       browsers. No known SMTP clients fail to support at least  one  "medium"
10596       or "high" grade cipher.
10597
10598       The following cipher grades are supported:
10599
10600       export Enable "EXPORT" grade or stronger OpenSSL ciphers.  The underly‐
10601              ing cipherlist is specified via the  tls_export_cipherlist  con‐
10602              figuration  parameter,  which you are strongly encouraged to not
10603              change.  This choice is insecure and SHOULD NOT be used.
10604
10605       low    Enable "LOW" grade or stronger OpenSSL ciphers.  The  underlying
10606              cipherlist is specified via the tls_low_cipherlist configuration
10607              parameter, which you are  strongly  encouraged  to  not  change.
10608              This choice is insecure and SHOULD NOT be used.
10609
10610       medium Enable  "MEDIUM"  grade  or  stronger OpenSSL ciphers. These use
10611              128-bit or longer symmetric bulk-encryption keys.  This  is  the
10612              default  minimum  strength  for  mandatory  TLS  encryption. The
10613              underlying cipherlist is specified via the tls_medium_cipherlist
10614              configuration  parameter,  which  you are strongly encouraged to
10615              not change.
10616
10617       high   Enable  only  "HIGH"  grade  OpenSSL  ciphers.  The   underlying
10618              cipherlist  is  specified via the tls_high_cipherlist configura‐
10619              tion parameter, which you are strongly encouraged to not change.
10620
10621       null   Enable only the "NULL" OpenSSL ciphers, these provide  authenti‐
10622              cation  without encryption.  This setting is only appropriate in
10623              the rare case that all clients are prepared to use NULL  ciphers
10624              (not normally enabled in TLS clients). The underlying cipherlist
10625              is specified via the tls_null_cipherlist  configuration  parame‐
10626              ter, which you are strongly encouraged to not change.
10627
10628       Cipher   types   listed   in   smtpd_tls_mandatory_exclude_ciphers   or
10629       smtpd_tls_exclude_ciphers are excluded from the base definition of  the
10630       selected  cipher  grade. See smtpd_tls_ciphers for cipher controls that
10631       apply to opportunistic TLS.
10632
10633       The underlying cipherlists for grades other than "null" include  anony‐
10634       mous ciphers, but these are automatically filtered out if the server is
10635       configured to ask for remote SMTP client certificates.   You  are  very
10636       unlikely  to  need to take any steps to exclude anonymous ciphers, they
10637       are excluded automatically as required.  If you must exclude  anonymous
10638       ciphers  even  when Postfix does not need or use peer certificates, set
10639       "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers  only
10640       when   TLS  is  enforced,  set  "smtpd_tls_mandatory_exclude_ciphers  =
10641       aNULL".
10642
10643       This feature is available in Postfix 2.3 and later.
10644

smtpd_tls_mandatory_exclude_ciphers (default: empty)

10646       Additional list of ciphers or cipher types to exclude from the  Postfix
10647       SMTP  server  cipher  list at mandatory TLS security levels.  This list
10648       works    in    addition    to    the     exclusions     listed     with
10649       smtpd_tls_exclude_ciphers (see there for syntax details).
10650
10651       This feature is available in Postfix 2.3 and later.
10652

smtpd_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

10654       The  SSL/TLS  protocols accepted by the Postfix SMTP server with manda‐
10655       tory TLS encryption. If the list is  empty,  the  server  supports  all
10656       available  SSL/TLS  protocol  versions.  A non-empty value is a list of
10657       protocol names separated by whitespace, commas  or  colons.   The  sup‐
10658       ported  protocol  names  are  "SSLv2", "SSLv3" and "TLSv1", and are not
10659       case sensitive. The default  value  is  "!SSLv2,  !SSLv3"  for  Postfix
10660       releases after the middle of 2015, "!SSLv2" for older releases.
10661
10662       With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
10663       col  exclusions.  One  can  explicitly  exclude  "SSLv2"   by   setting
10664       "smtpd_tls_mandatory_protocols  =  !SSLv2". To exclude both "SSLv2" and
10665       "SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2,  !SSLv3".  Listing
10666       the  protocols  to  include,  rather than protocols to exclude, is sup‐
10667       ported, but not recommended. The exclusion form  more  closely  matches
10668       the underlying OpenSSL interface semantics.
10669
10670       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
10671       "TLSv1.2". When Postfix <= 2.5  is  linked  against  OpenSSL  1.0.1  or
10672       later,  these,  or any other new protocol versions, cannot be disabled.
10673       The latest patch levels of Postfix >= 2.6, and all versions of  Postfix
10674       >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
10675
10676       Example:
10677
10678       # Preferred syntax with Postfix >= 2.5:
10679       smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
10680       # Legacy syntax:
10681       smtpd_tls_mandatory_protocols = TLSv1
10682
10683       This feature is available in Postfix 2.3 and later.
10684

smtpd_tls_protocols (default: !SSLv2, !SSLv3)

10686       List  of  TLS  protocols  that  the Postfix SMTP server will exclude or
10687       include  with  opportunistic  TLS  encryption.  The  default  value  is
10688       "!SSLv2,  !SSLv3"  for Postfix releases after the middle of 2015, empty
10689       for older releases allowing all protocols to be used with opportunistic
10690       TLS.  A non-empty value is a list of protocol names separated by white‐
10691       space, commas or colons.  The supported  protocol  names  are  "SSLv2",
10692       "SSLv3" and "TLSv1", and are not case sensitive.
10693
10694       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
10695       "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all  versions
10696       of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
10697
10698       To  include  a  protocol  list its name, to exclude it, prefix the name
10699       with a "!" character.  To  exclude  SSLv2  for  opportunistic  TLS  set
10700       "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
10701       "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing  the  proto‐
10702       cols  to  include,  rather than protocols to exclude, is supported, but
10703       not recommended.  The exclusion form more closely matches the  underly‐
10704       ing OpenSSL interface semantics.
10705
10706       Example:
10707       smtpd_tls_protocols = !SSLv2, !SSLv3
10708
10709       This feature is available in Postfix 2.6 and later.
10710

smtpd_tls_received_header (default: no)

10712       Request  that the Postfix SMTP server produces Received:  message head‐
10713       ers that include information about the protocol  and  cipher  used,  as
10714       well as the remote SMTP client CommonName and client certificate issuer
10715       CommonName.  This is disabled by default, as  the  information  may  be
10716       modified  in transit through other mail servers.  Only information that
10717       was recorded by the final destination can be trusted.
10718
10719       This feature is available in Postfix 2.2 and later.
10720

smtpd_tls_req_ccert (default: no)

10722       With mandatory TLS encryption, require a  trusted  remote  SMTP  client
10723       certificate  in order to allow TLS connections to proceed.  This option
10724       implies "smtpd_tls_ask_ccert = yes".
10725
10726       When TLS encryption is optional, this setting is ignored with a warning
10727       written to the mail log.
10728
10729       This feature is available in Postfix 2.2 and later.
10730

smtpd_tls_security_level (default: empty)

10732       The  SMTP  TLS  security  level  for  the  Postfix  SMTP server; when a
10733       non-empty value is specified, this overrides  the  obsolete  parameters
10734       smtpd_use_tls  and  smtpd_enforce_tls.  This  parameter is ignored with
10735       "smtpd_tls_wrappermode = yes".
10736
10737       Specify one of the following security levels:
10738
10739       none   TLS will not be used.
10740
10741       may    Opportunistic TLS: announce  STARTTLS  support  to  remote  SMTP
10742              clients, but do not require that clients use TLS encryption.
10743
10744       encrypt
10745              Mandatory  TLS  encryption:  announce STARTTLS support to remote
10746              SMTP clients, and  require  that  clients  use  TLS  encryption.
10747              According to RFC 2487 this MUST NOT be applied in case of a pub‐
10748              licly-referenced SMTP server. Instead,  this  option  should  be
10749              used only on dedicated servers.
10750
10751       Note  1:  the  "fingerprint", "verify" and "secure" levels are not sup‐
10752       ported here.  The Postfix SMTP server logs a warning and uses "encrypt"
10753       instead.  To verify remote SMTP client certificates, see TLS_README for
10754       a discussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and  per‐
10755       mit_tls_clientcerts features.
10756
10757       Note  2:  The  parameter  setting  "smtpd_tls_security_level = encrypt"
10758       implies "smtpd_tls_auth_only = yes".
10759
10760       Note 3: when invoked via  "sendmail  -bs",  Postfix  will  never  offer
10761       STARTTLS  due  to  insufficient privileges to access the server private
10762       key. This is intended behavior.
10763
10764       This feature is available in Postfix 2.3 and later.
10765

smtpd_tls_session_cache_database (default: empty)

10767       Name of the file containing the optional Postfix SMTP server  TLS  ses‐
10768       sion  cache. Specify a database type that supports enumeration, such as
10769       btree or sdbm; there is no need to support concurrent access.  The file
10770       is  created if it does not exist. The smtpd(8) daemon does not use this
10771       parameter directly, rather the cache is implemented indirectly  in  the
10772       tlsmgr(8)  daemon.  This  means that per-smtpd-instance master.cf over‐
10773       rides of this parameter are not effective. Note, that each of the cache
10774       databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
10775       base, $smtp_tls_session_cache_database (and with Postfix 2.3 and  later
10776       $lmtp_tls_session_cache_database), needs to be stored separately. It is
10777       not at this time possible to store multiple caches in  a  single  data‐
10778       base.
10779
10780       Note:  dbm  databases  are  not  suitable.  TLS session objects are too
10781       large.
10782
10783       As of version 2.5, Postfix no longer uses root privileges when  opening
10784       this  file.  The  file  should  now  be  stored under the Postfix-owned
10785       data_directory. As a migration aid, an attempt to open the file under a
10786       non-Postfix  directory  is  redirected to the Postfix-owned data_direc‐
10787       tory, and a warning is logged.
10788
10789       As of Postfix 2.11 the preferred mechanism for  session  resumption  is
10790       RFC  5077 TLS session tickets, which don't require server-side storage.
10791       Consequently, for Postfix >= 2.11 this parameter  should  generally  be
10792       left  empty.   TLS session tickets require an OpenSSL library (at least
10793       version 0.9.8h) that provides full support for this TLS extension.  See
10794       also smtpd_tls_session_cache_timeout.
10795
10796       Example:
10797
10798       smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
10799
10800       This feature is available in Postfix 2.2 and later.
10801

smtpd_tls_session_cache_timeout (default: 3600s)

10803       The  expiration  time of Postfix SMTP server TLS session cache informa‐
10804       tion. A cache cleanup is performed periodically  every  $smtpd_tls_ses‐
10805       sion_cache_timeout  seconds. As with $smtpd_tls_session_cache_database,
10806       this parameter is implemented in the  tlsmgr(8)  daemon  and  therefore
10807       per-smtpd-instance master.cf overrides are not possible.
10808
10809       As  of  Postfix 2.11 this setting cannot exceed 100 days.  If set <= 0,
10810       session caching is disabled, not just via the database,  but  also  via
10811       RFC  5077 TLS session tickets, which don't require server-side storage.
10812       If set to a positive value less than 2 minutes, the minimum value of  2
10813       minutes  is  used  instead.   TLS  session  tickets  require an OpenSSL
10814       library (at least version 0.9.8h) that provides full support  for  this
10815       TLS extension.
10816
10817       This feature is available in Postfix 2.2 and later, and updated for TLS
10818       session ticket support in Postfix 2.11.
10819

smtpd_tls_wrappermode (default: no)

10821       Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
10822       of using the STARTTLS command.
10823
10824       If  you  want  to  support  this service, enable a special port in mas‐
10825       ter.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
10826       command line. Port 465 (smtps) was once chosen for this purpose.
10827
10828       This feature is available in Postfix 2.2 and later.
10829

smtpd_upstream_proxy_protocol (default: empty)

10831       The  name  of the proxy protocol used by an optional before-smtpd proxy
10832       agent. When a proxy agent is used,  this  protocol  conveys  local  and
10833       remote       address      and      port      information.       Specify
10834       "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy  proto‐
10835       col.
10836
10837       NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
10838       with smtpd_authorized_xclient_hosts. This supports SASL  authentication
10839       in the proxy agent (Postfix 2.9 and later).
10840
10841       This feature is available in Postfix 2.10 and later.
10842

smtpd_upstream_proxy_timeout (default: 5s)

10844       The   time   limit   for   the   proxy   protocol  specified  with  the
10845       smtpd_upstream_proxy_protocol parameter.
10846
10847       This feature is available in Postfix 2.10 and later.
10848

smtpd_use_tls (default: no)

10850       Opportunistic TLS: announce STARTTLS support to  remote  SMTP  clients,
10851       but do not require that clients use TLS encryption.
10852
10853       Note:  when invoked via "sendmail -bs", Postfix will never offer START‐
10854       TLS due to insufficient privileges to access the  server  private  key.
10855       This is intended behavior.
10856
10857       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
10858       and later use smtpd_tls_security_level instead.
10859

smtputf8_autodetect_classes (default: sendmail, verify)

10861       Detect that a message requires SMTPUTF8 support for the specified  mail
10862       origin classes.  This is a workaround to avoid chicken-and-egg problems
10863       during the initial SMTPUTF8 roll-out in environments with  pre-existing
10864       mail flows that contain UTF8. Those mail flows should not break because
10865       Postfix suddenly refuses to deliver such mail to down-stream MTAs  that
10866       don't announce SMTPUTF8 support.
10867
10868       The problem is that Postfix cannot rely solely on the sender's declara‐
10869       tion that a message requires SMTPUTF8  support,  because  UTF8  may  be
10870       introduced during local processing (for example, the client hostname in
10871       Postfix's Received: header,  adding  @$myorigin  or  .$mydomain  to  an
10872       incomplete  address,  address rewriting, alias expansion, automatic BCC
10873       recipients, local forwarding, and changes made by header checks or Mil‐
10874       ter applications).
10875
10876       For  now,  the  default  is to enable "SMTPUTF8 required" autodetection
10877       only for Postfix sendmail command-line submissions and address  verifi‐
10878       cation  probes.   This  may change once SMTPUTF8 support achieves world
10879       domination.  However, sites that add UTF8 content via local  processing
10880       (see  above)  should  autodetect  the need for SMTPUTF8 support for all
10881       email.
10882
10883       Specify one or more of the following:
10884
10885        sendmail
10886              Submission with the Postfix sendmail(1) command.
10887
10888        smtpd Mail received with the smtpd(8) daemon.
10889
10890        qmqpd Mail received with the qmqpd(8) daemon.
10891
10892        forward
10893              Local forwarding or aliasing.  When a message is  received  with
10894              "SMTPUTF8 required", then the forwarded (aliased) message always
10895              has "SMTPUTF8 required".
10896
10897        bounce
10898              Submission by the bounce(8) daemon.  When a message is  received
10899              with  "SMTPUTF8 required", then the delivery status notification
10900              always has "SMTPUTF8 required".
10901
10902        notify
10903              Postmaster notification from the smtp(8) or smtpd(8) daemon.
10904
10905        verify
10906              Address verification probe from the verify(8) daemon.
10907
10908        all   Enable SMTPUTF8 autodetection for all mail.
10909
10910       This feature is available in Postfix 3.0 and later.
10911

smtputf8_enable (default: yes)

10913       Enable preliminary SMTPUTF8 support for the protocols described in  RFC
10914       6531..6533. This requires that Postfix is built to support these proto‐
10915       cols.
10916
10917       This feature is available in Postfix 3.0 and later.
10918

soft_bounce (default: no)

10920       Safety net to keep mail queued that would otherwise be returned to  the
10921       sender.  This parameter disables locally-generated bounces, changes the
10922       handling of negative responses from remote servers, content filters  or
10923       plugins,  and prevents the Postfix SMTP server from rejecting mail per‐
10924       manently by changing 5xx reply codes into 4xx.  However, soft_bounce is
10925       no cure for address rewriting mistakes or mail routing mistakes.
10926
10927       Note:  "soft_bounce  =  yes"  is in some cases implemented by modifying
10928       server responses. Therefore, the response that Postfix logs may  differ
10929       from the response that Postfix actually sends or receives.
10930
10931       Example:
10932
10933       soft_bounce = yes
10934

stale_lock_time (default: 500s)

10936       The  time  after  which  a stale exclusive mailbox lockfile is removed.
10937       This is used for delivery to file or mailbox.
10938
10939       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
10940       The default time unit is s (seconds).
10941

stress (default: empty)

10943       This feature is documented in the STRESS_README document.
10944
10945       This feature is available in Postfix 2.5 and later.
10946

strict_7bit_headers (default: no)

10948       Reject  mail  with 8-bit text in message headers. This blocks mail from
10949       poorly written applications.
10950
10951       This feature should not be enabled on a general  purpose  mail  server,
10952       because it is likely to reject legitimate email.
10953
10954       This feature is available in Postfix 2.0 and later.
10955

strict_8bitmime (default: no)

10957       Enable both strict_7bit_headers and strict_8bitmime_body.
10958
10959       This  feature  should  not be enabled on a general purpose mail server,
10960       because it is likely to reject legitimate email.
10961
10962       This feature is available in Postfix 2.0 and later.
10963

strict_8bitmime_body (default: no)

10965       Reject 8-bit message body text  without  8-bit  MIME  content  encoding
10966       information.  This blocks mail from poorly written applications.
10967
10968       Unfortunately,  this  also rejects majordomo approval requests when the
10969       included request contains valid 8-bit MIME mail, and it rejects bounces
10970       from  mailers  that do not MIME encapsulate 8-bit content (for example,
10971       bounces from qmail or from old versions of Postfix).
10972
10973       This feature should not be enabled on a general  purpose  mail  server,
10974       because it is likely to reject legitimate email.
10975
10976       This feature is available in Postfix 2.0 and later.
10977

strict_mailbox_ownership (default: yes)

10979       Defer  delivery when a mailbox file is not owned by its recipient.  The
10980       default setting is not backwards compatible.
10981
10982       This feature is available in Postfix 2.5.3 and later.
10983

strict_mime_encoding_domain (default: no)

10985       Reject mail with invalid Content-Transfer-Encoding: information for the
10986       message/*  or  multipart/*  MIME  content types.  This blocks mail from
10987       poorly written software.
10988
10989       This feature should not be enabled on a general  purpose  mail  server,
10990       because it will reject mail after a single violation.
10991
10992       This feature is available in Postfix 2.0 and later.
10993

strict_rfc821_envelopes (default: no)

10995       Require  that addresses received in SMTP MAIL FROM and RCPT TO commands
10996       are enclosed with <>, and that those addresses do not contain  RFC  822
10997       style  comments  or phrases.  This stops mail from poorly written soft‐
10998       ware.
10999
11000       By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
11001       and RCPT TO addresses.
11002

strict_smtputf8 (default: no)

11004       Enable  stricter enforcement of the SMTPUTF8 protocol. The Postfix SMTP
11005       server accepts UTF8 sender or recipient addresses only when the  client
11006       requests an SMTPUTF8 mail transaction.
11007
11008       This feature is available in Postfix 3.0 and later.
11009

sun_mailtool_compatibility (default: no)

11011       Obsolete  SUN  mailtool  compatibility  feature.  Instead,  use  "mail‐
11012       box_delivery_lock = dotlock".
11013

swap_bangpath (default: yes)

11015       Enable the rewriting of "site!user" into "user@site".  This  is  neces‐
11016       sary  if  your machine is connected to UUCP networks.  It is enabled by
11017       default.
11018
11019       Note: with Postfix version 2.2, message header address  rewriting  hap‐
11020       pens only when one of the following conditions is true:
11021
11022       ·      The message is received with the Postfix sendmail(1) command,
11023
11024       ·      The  message  is  received  from  a  network client that matches
11025              $local_header_rewrite_clients,
11026
11027       ·      The  message   is   received   from   the   network,   and   the
11028              remote_header_rewrite_domain  parameter  specifies  a  non-empty
11029              value.
11030
11031       To   get   the   behavior   before   Postfix   version   2.2,   specify
11032       "local_header_rewrite_clients = static:all".
11033
11034       Example:
11035
11036       swap_bangpath = no
11037

syslog_facility (default: mail)

11039       The  syslog  facility of Postfix logging. Specify a facility as defined
11040       in syslog.conf(5). The default facility is "mail".
11041
11042       Warning: a non-default syslog_facility setting takes effect only  after
11043       a  Postfix process has completed initialization.  Errors during process
11044       initialization will be logged with the default facility.  Examples  are
11045       errors  while  parsing  the  command  line  arguments, and errors while
11046       accessing the Postfix main.cf configuration file.
11047

syslog_name (default: see postconf -d output)

11049       A prefix that is prepended to the process name in  syslog  records,  so
11050       that, for example, "smtpd" becomes "prefix/smtpd".
11051
11052       Warning:  a  non-default  syslog_name setting takes effect only after a
11053       Postfix process has completed  initialization.  Errors  during  process
11054       initialization  will  be  logged  with  the  default name. Examples are
11055       errors while parsing the  command  line  arguments,  and  errors  while
11056       accessing the Postfix main.cf configuration file.
11057

tcp_windowsize (default: 0)

11059       An  optional  workaround  for  routers  that  break TCP window scaling.
11060       Specify a value > 0 and < 65536 to enable this feature.   With  Postfix
11061       TCP  servers  (smtpd(8),  qmqpd(8)), this feature is implemented by the
11062       Postfix master(8) daemon.
11063
11064       To change this parameter without stopping Postfix, you  need  to  first
11065       terminate all Postfix TCP servers:
11066
11067           # postconf -e master_service_disable=inet
11068           # postfix reload
11069
11070       This  immediately  terminates all processes that accept network connec‐
11071       tions.  Next, you enable Postfix TCP servers with the updated  tcp_win‐
11072       dowsize setting:
11073
11074           # postconf -e tcp_windowsize=65535 master_service_disable=
11075           # postfix reload
11076
11077       If  you  skip  these  steps  with  a  running  Postfix system, then the
11078       tcp_windowsize change will work only for Postfix TCP clients  (smtp(8),
11079       lmtp(8)).
11080
11081       This feature is available in Postfix 2.6 and later.
11082

tls_append_default_CA (default: no)

11084       Append the system-supplied default Certification Authority certificates
11085       to the ones specified with *_tls_CApath or *_tls_CAfile.   The  default
11086       is  "no";  this prevents Postfix from trusting third-party certificates
11087       and giving them relay permission with permit_tls_all_clientcerts.
11088
11089       This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,  2.7.2  and
11090       later  versions.  Specify  "tls_append_default_CA  = yes" for backwards
11091       compatibility, to avoid breaking certificate  verification  with  sites
11092       that don't use permit_tls_all_clientcerts.
11093

tls_daemon_random_bytes (default: 32)

11095       The  number  of pseudo-random bytes that an smtp(8) or smtpd(8) process
11096       requests from the tlsmgr(8) server in order to seed its internal pseudo
11097       random number generator (PRNG).  The default of 32 bytes (equivalent to
11098       256 bits) is sufficient to generate a 128bit (or 168bit) session key.
11099
11100       This feature is available in Postfix 2.2 and later.
11101

tls_dane_digest_agility (default: on)

11103       Configure RFC7671 DANE TLSA digest algorithm agility.   Do  not  change
11104       this setting from its default value.
11105
11106       See Section 8 of RFC7671 for correct key rotation procedures.
11107
11108       This feature is available in Postfix 2.11 through 3.1.  Postfix 3.2 and
11109       later ignore this configuration parameter and behave as though it  were
11110       set to "on".
11111

tls_dane_digests (default: sha512 sha256)

11113       DANE  TLSA  (RFC  6698,  RFC  7671, RFC 7672) resource-record "matching
11114       type" digest algorithms in descending preference order.  All the speci‐
11115       fied  algorithms  must  be supported by the underlying OpenSSL library,
11116       otherwise the Postfix SMTP client will not support DANE TLSA security.
11117
11118       Specify a list of digest names separated by commas  and/or  whitespace.
11119       Each  digest  name  may  be followed by an optional "=<number>" suffix.
11120       For example, "sha512"  may  instead  be  specified  as  "sha512=2"  and
11121       "sha256"  may  instead be specified as "sha256=1".  The optional number
11122       must match the  <a  href="https://www.iana.org/assignments/dane-parame
11123       ters/dane-parameters.xhtml#matching-types" >IANA assigned TLSA matching
11124       type number the algorithm in question.  Postfix will  check  this  con‐
11125       straint  for  the  algorithms it knows about.  Additional matching type
11126       algorithms registered with IANA can be added with explicit numbers pro‐
11127       vided they are supported by OpenSSL.
11128
11129       Invalid  list  elements are logged with a warning and disable DANE sup‐
11130       port.  TLSA RRs that specify digests  not  included  in  the  list  are
11131       ignored with a warning.
11132
11133       Note:  It  is  unwise to omit sha256 from the digest list.  This digest
11134       algorithm is the only mandatory to implement digest  algorithm  in  RFC
11135       6698,  and  many  servers  are  expected publish TLSA records with just
11136       sha256 digests.  Unless one of the standard digests is  seriously  com‐
11137       promised  and  servers have had ample time to update their TLSA records
11138       you should not omit any standard digests, just arrange  them  in  order
11139       from strongest to weakest.
11140
11141       This feature is available in Postfix 2.11 and later.
11142

tls_dane_trust_anchor_digest_enable (default: yes)

11144       Enable  support  for  RFC  6698  (DANE  TLSA)  DNS records that contain
11145       digests of trust-anchors with certificate usage  "2".   Do  not  change
11146       this setting from its default value.
11147
11148       This  feature  is  available  in Postfix 2.11 through 3.1.  It has been
11149       withdrawn in Postfix 3.2, as trust-anchor TLSA records are  now  widely
11150       used  and  have  proved  sufficiently  reliable.  Postfix 3.2 and later
11151       ignore this configuration parameter and behaves as though it  were  set
11152       to "yes".
11153

tls_disable_workarounds (default: see postconf -d output)

11155       List or bit-mask of OpenSSL bug work-arounds to disable.
11156
11157       The  OpenSSL  toolkit  includes a set of work-arounds for buggy SSL/TLS
11158       implementations. Applications, such as Postfix, that want  to  maximize
11159       interoperability ask the OpenSSL library to enable the full set of rec‐
11160       ommended work-arounds.
11161
11162       From time to time, it is discovered that a work-around creates a  secu‐
11163       rity  issue,  and  should  no longer be used. If upgrading OpenSSL to a
11164       fixed version is not an option or an upgrade  is  not  available  in  a
11165       timely  manner,  or  in  closed  environments where no buggy clients or
11166       servers exist, it may be appropriate to disable  some  or  all  of  the
11167       OpenSSL  interoperability  work-arounds. This parameter specifies which
11168       bug work-arounds to disable.
11169
11170       If the value of the parameter is a hexadecimal  long  integer  starting
11171       with  "0x", the bug work-arounds corresponding to the bits specified in
11172       its value are removed from the  SSL_OP_ALL  work-around  bit-mask  (see
11173       openssl/ssl.h  and  SSL_CTX_set_options(3)).  You can specify more bits
11174       than are present in SSL_OP_ALL, excess  bits  are  ignored.  Specifying
11175       0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
11176       also be sufficient on 64-bit systems, until  OpenSSL  abandons  support
11177       for  32-bit  systems  and  starts  using  the  high 32 bits of a 64-bit
11178       bug-workaround mask.
11179
11180       Otherwise, the parameter is a white-space or comma  separated  list  of
11181       specific  named bug work-arounds chosen from the list below. It is pos‐
11182       sible that your OpenSSL version includes  new  bug  work-arounds  added
11183       after  your  Postfix source code was last updated, in that case you can
11184       only disable one of these via the hexadecimal syntax above.
11185
11186       MICROSOFT_SESS_ID_BUG
11187              See SSL_CTX_set_options(3)
11188
11189       NETSCAPE_CHALLENGE_BUG
11190              See SSL_CTX_set_options(3)
11191
11192       LEGACY_SERVER_CONNECT
11193              See SSL_CTX_set_options(3)
11194
11195       NETSCAPE_REUSE_CIPHER_CHANGE_BUG
11196              also  aliased  as  CVE-2010-4180.  Postfix  2.8  disables   this
11197              work-around  by  default  with OpenSSL versions that may predate
11198              the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.
11199
11200       SSLREF2_REUSE_CERT_TYPE_BUG
11201              See SSL_CTX_set_options(3)
11202
11203       MICROSOFT_BIG_SSLV3_BUFFER
11204              See SSL_CTX_set_options(3)
11205
11206       MSIE_SSLV2_RSA_PADDING
11207              also  aliased  as  CVE-2005-2969.  Postfix  2.8  disables   this
11208              work-around  by  default  with OpenSSL versions that may predate
11209              the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
11210
11211       SSLEAY_080_CLIENT_DH_BUG
11212              See SSL_CTX_set_options(3)
11213
11214       TLS_D5_BUG
11215              See SSL_CTX_set_options(3)
11216
11217       TLS_BLOCK_PADDING_BUG
11218              See SSL_CTX_set_options(3)
11219
11220       TLS_ROLLBACK_BUG
11221              See SSL_CTX_set_options(3).  This is disabled in  OpenSSL  0.9.7
11222              and later. Nobody should still be using 0.9.6!
11223
11224       DONT_INSERT_EMPTY_FRAGMENTS
11225              See SSL_CTX_set_options(3)
11226
11227       CRYPTOPRO_TLSEXT_BUG
11228              New with GOST support in OpenSSL 1.0.0.
11229
11230       This feature is available in Postfix 2.8 and later.
11231

tls_eecdh_auto_curves (default: see postconf -d output)

11233       The  prioritized  list of elliptic curves supported by the Postfix SMTP
11234       client and server.  These curves are used by the  Postfix  SMTP  server
11235       when  "smtpd_tls_eecdh_grade  =  auto".   The  selected  curves must be
11236       implemented by OpenSSL and be standardized for use in TLS (RFC 4492  or
11237       its  imminent  successor).   It  is unwise to list only "bleeding-edge"
11238       curves supported by a small subset of clients.   The  default  list  is
11239       suitable for most users.
11240
11241       Postfix  skips  curve  names  that  are unknown to OpenSSL, or that are
11242       known but not yet implemented.  This makes it possible to  "anticipate"
11243       support  for curves that should be used once they become available.  In
11244       particular, in some OpenSSL versions, the new RFC 8031 curves  "X25519"
11245       and  "X448"  may  be known by name, but ECDH support for either or both
11246       may be missing.  These curves may appear in the default value  of  this
11247       parameter,  even  though  they'll only be usable with later versions of
11248       OpenSSL.
11249
11250       This feature is available in Postfix 3.2 and later, when it is compiled
11251       and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
11252       have not been disabled by the vendor.
11253

tls_eecdh_strong_curve (default: prime256v1)

11255       The elliptic curve used by the Postfix SMTP server for sensibly  strong
11256       ephemeral  ECDH  key  exchange.  This curve is used by the Postfix SMTP
11257       server when "smtpd_tls_eecdh_grade  =  strong".  The  phrase  "sensibly
11258       strong"  means  approximately  128-bit  security  based  on  best known
11259       attacks. The selected curve must be implemented by OpenSSL (as reported
11260       by  ecparam(1) with the "-list_curves" option) and be one of the curves
11261       listed in Section 5.1.1 of RFC 4492. You should  not  generally  change
11262       this  setting.   Remote  SMTP  client implementations must support this
11263       curve for EECDH key exchange to take place.  It is unwise to choose  an
11264       "bleeding-edge" curve supported by only a small subset of clients.
11265
11266       The  default  "strong"  curve  is  rated in NSA Suite B for information
11267       classified up to SECRET.
11268
11269       Note: elliptic curve names are poorly standardized; different standards
11270       groups  are  assigning  different  names to the same underlying curves.
11271       The curve with the X9.62 name "prime256v1" is also known under the SECG
11272       name "secp256r1", but OpenSSL does not recognize the latter name.
11273
11274       If  you  want  to  take maximal advantage of ciphers that offer forward
11275       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
11276       full document conveniently presents all information about Postfix "per‐
11277       fect" forward secrecy support in one place: what  forward  secrecy  is,
11278       how to tweak settings, and what you can expect to see when Postfix uses
11279       ciphers with forward secrecy.
11280
11281       This feature is available in Postfix 2.6 and later, when it is compiled
11282       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11283       have not been disabled by the vendor.
11284

tls_eecdh_ultra_curve (default: secp384r1)

11286       The elliptic curve used by the Postfix SMTP server for maximally strong
11287       ephemeral  ECDH  key  exchange.  This curve is used by the Postfix SMTP
11288       server when "smtpd_tls_eecdh_grade  =  ultra".  The  phrase  "maximally
11289       strong"  means  approximately  192-bit  security  based  on  best known
11290       attacks.  This additional strength comes at a significant computational
11291       cost,  most  users should instead set "smtpd_tls_eecdh_grade = strong".
11292       The selected curve must be  implemented  by  OpenSSL  (as  reported  by
11293       ecparam(1)  with  the  "-list_curves"  option) and be one of the curves
11294       listed in Section 5.1.1 of RFC 4492. You should  not  generally  change
11295       this setting.
11296
11297       This  default  "ultra"  curve  is  rated in NSA Suite B for information
11298       classified up to TOP SECRET.
11299
11300       If you want to take maximal advantage of  ciphers  that  offer  forward
11301       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
11302       full document conveniently presents all information about Postfix "per‐
11303       fect"  forward  secrecy  support in one place: what forward secrecy is,
11304       how to tweak settings, and what you can expect to see when Postfix uses
11305       ciphers with forward secrecy.
11306
11307       This feature is available in Postfix 2.6 and later, when it is compiled
11308       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11309       have not been disabled by the vendor.
11310

tls_export_cipherlist (default: see postconf -d output)

11312       The  OpenSSL  cipherlist  for  "export"  or  higher grade ciphers. This
11313       defines the meaning  of  the  "export"  setting  in  smtpd_tls_ciphers,
11314       smtpd_tls_mandatory_ciphers,      smtp_tls_ciphers,     smtp_tls_manda‐
11315       tory_ciphers, lmtp_tls_ciphers, and  lmtp_tls_mandatory_ciphers.   With
11316       Postfix  releases  before  the  middle  of  2015  this  is  the default
11317       cipherlist for the opportunistic ("may") TLS client security level  and
11318       also  the  default  cipherlist  for  the  SMTP server. You are strongly
11319       encouraged to not change this setting.
11320
11321       This feature is available in Postfix 2.3 and later.
11322

tls_high_cipherlist (default: see postconf -d output)

11324       The OpenSSL cipherlist for "high" grade ciphers. This defines the mean‐
11325       ing  of  the  "high"  setting  in  smtpd_tls_ciphers,  smtpd_tls_manda‐
11326       tory_ciphers,       smtp_tls_ciphers,       smtp_tls_mandatory_ciphers,
11327       lmtp_tls_ciphers,  and  lmtp_tls_mandatory_ciphers.  You  are  strongly
11328       encouraged to not change this setting.
11329
11330       This feature is available in Postfix 2.3 and later.
11331

tls_legacy_public_key_fingerprints (default: no)

11333       A temporary migration aid for sites  that  use  certificate  public-key
11334       fingerprints  with  Postfix  2.9.0..2.9.5, which use an incorrect algo‐
11335       rithm. This parameter has no effect on the certificate fingerprint sup‐
11336       port that is available since Postfix 2.2.
11337
11338       Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
11339       a  migration  from   configuration   files   with   incorrect   Postfix
11340       2.9.0..2.9.5  certificate public-key finger prints, to the correct fin‐
11341       gerprints used by Postfix 2.9.6 and later.  To compute the correct cer‐
11342       tificate public-key fingerprints, see TLS_README.
11343
11344       This feature is available in Postfix 2.9.6 and later.
11345

tls_low_cipherlist (default: see postconf -d output)

11347       The  OpenSSL cipherlist for "low" or higher grade ciphers. This defines
11348       the meaning of the "low" setting in smtpd_tls_ciphers, smtpd_tls_manda‐
11349       tory_ciphers,       smtp_tls_ciphers,       smtp_tls_mandatory_ciphers,
11350       lmtp_tls_ciphers,  and  lmtp_tls_mandatory_ciphers.  You  are  strongly
11351       encouraged to not change this setting.
11352
11353       This feature is available in Postfix 2.3 and later.
11354

tls_medium_cipherlist (default: see postconf -d output)

11356       The  OpenSSL  cipherlist  for  "medium"  or  higher grade ciphers. This
11357       defines the meaning  of  the  "medium"  setting  in  smtpd_tls_ciphers,
11358       smtpd_tls_mandatory_ciphers,      smtp_tls_ciphers,     smtp_tls_manda‐
11359       tory_ciphers, lmtp_tls_ciphers, and  lmtp_tls_mandatory_ciphers.   This
11360       is  the  default  cipherlist  for  mandatory  TLS encryption in the TLS
11361       client (with anonymous ciphers disabled when verifying server  certifi‐
11362       cates).   This  is  the  default  cipherlist for opportunistic TLS with
11363       Postfix releases after the middle of 2015.  You are strongly encouraged
11364       to not change this setting.
11365
11366       This feature is available in Postfix 2.3 and later.
11367

tls_null_cipherlist (default: eNULL:!aNULL)

11369       The  OpenSSL cipherlist for "NULL" grade ciphers that provide authenti‐
11370       cation without encryption. This defines the meaning of the "null"  set‐
11371       ting  in  smtpd_mandatory_tls_ciphers,  smtp_tls_mandatory_ciphers  and
11372       lmtp_tls_mandatory_ciphers.  You are strongly encouraged to not  change
11373       this setting.
11374
11375       This feature is available in Postfix 2.3 and later.
11376

tls_preempt_cipherlist (default: no)

11378       With  SSLv3  and later, use the Postfix SMTP server's cipher preference
11379       order instead of the remote client's cipher preference order.
11380
11381       By default, the OpenSSL server  selects  the  client's  most  preferred
11382       cipher  that  the server supports. With SSLv3 and later, the server may
11383       choose its own most preferred cipher that is supported (offered) by the
11384       client.  Setting  "tls_preempt_cipherlist  = yes" enables server cipher
11385       preferences.
11386
11387       While server cipher selection may in some cases lead to a  more  secure
11388       or  performant  cipher  choice,  there is some risk of interoperability
11389       issues. In the past,  some  SSL  clients  have  listed  lower  priority
11390       ciphers  that they did not implement correctly. If the server chooses a
11391       cipher that the client prefers less,  it  may  select  a  cipher  whose
11392       client  implementation  is  flawed. Most notably Windows 2003 Microsoft
11393       Exchange servers have flawed  implementations  of  DES-CBC3-SHA,  which
11394       OpenSSL  considers stronger than RC4-SHA.  Enabling server cipher-suite
11395       selection may create interoperability issues with Windows  2003  Micro‐
11396       soft Exchange clients.
11397
11398       This feature is available in Postfix 2.8 and later, in combination with
11399       OpenSSL 0.9.7 and later.
11400

tls_random_bytes (default: 32)

11402       The number of bytes that tlsmgr(8) reads from  $tls_random_source  when
11403       (re)seeding  the  in-memory pseudo random number generator (PRNG) pool.
11404       The default of 32 bytes (256 bits) is good enough for 128bit  symmetric
11405       keys.  If using EGD or a device file, a maximum of 255 bytes is read.
11406
11407       This feature is available in Postfix 2.2 and later.
11408

tls_random_exchange_name (default: see postconf -d output)

11410       Name  of  the  pseudo random number generator (PRNG) state file that is
11411       maintained by tlsmgr(8). The file is created when it  does  not  exist,
11412       and its length is fixed at 1024 bytes.
11413
11414       As  of version 2.5, Postfix no longer uses root privileges when opening
11415       this file, and the  default  file  location  was  changed  from  ${con‐
11416       fig_directory}/prng_exch  to  ${data_directory}/prng_exch.  As a migra‐
11417       tion aid, an attempt to open the file under a non-Postfix directory  is
11418       redirected  to  the  Postfix-owned  data_directory,  and  a  warning is
11419       logged.
11420
11421       This feature is available in Postfix 2.2 and later.
11422

tls_random_prng_update_period (default: 3600s)

11424       The time between attempts by tlsmgr(8) to save the state of the  pseudo
11425       random  number  generator  (PRNG)  to the file specified with $tls_ran‐
11426       dom_exchange_name.
11427
11428       This feature is available in Postfix 2.2 and later.
11429

tls_random_reseed_period (default: 3600s)

11431       The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
11432       pseudo  random number generator (PRNG) pool from external sources.  The
11433       actual time between re-seeding attempts is calculated using  the  PRNG,
11434       and is between 0 and the time specified.
11435
11436       This feature is available in Postfix 2.2 and later.
11437

tls_random_source (default: see postconf -d output)

11439       The  external  entropy source for the in-memory tlsmgr(8) pseudo random
11440       number generator (PRNG) pool. Be sure to specify a non-blocking source.
11441       If  this  source is not a regular file, the entropy source type must be
11442       prepended:  egd:/path/to/egd_socket for a source  with  EGD  compatible
11443       socket interface, or dev:/path/to/device for a device file.
11444
11445       Note:  on  OpenBSD systems specify /dev/arandom when /dev/urandom gives
11446       timeout errors.
11447
11448       This feature is available in Postfix 2.2 and later.
11449

tls_session_ticket_cipher (default: Postfix >= 3.0: aes-256-cbc, Postfix <

11451       3.0: aes-128-cbc)
11452       Algorithm  used to encrypt RFC5077 TLS session tickets.  This algorithm
11453       must use CBC mode, have a 128-bit block  size,  and  must  have  a  key
11454       length between 128 and 256 bits.  The default is aes-256-cbc.  Overrid‐
11455       ing the default to choose a different algorithm is discouraged.
11456
11457       Setting this parameter empty disables session  ticket  support  in  the
11458       Postfix  SMTP server.  Another way to disable session ticket support is
11459       via the tls_ssl_options parameter.
11460
11461       This feature is available in Postfix 3.0 and later.
11462

tls_ssl_options (default: empty)

11464       List or bit-mask of OpenSSL options to enable.
11465
11466       The OpenSSL toolkit provides a set of  options  that  applications  can
11467       enable to tune the OpenSSL behavior.  Some of these work around bugs in
11468       other implementations and are on by default.  You can use the  tls_dis‐
11469       able_workarounds  parameter  to  selectively disable some or all of the
11470       bug work-arounds, making OpenSSL more strict at the cost of  non-inter‐
11471       operability with SSL clients or servers that exhibit the bugs.
11472
11473       Other  options are off by default, and typically enable or disable fea‐
11474       tures rather than bug work-arounds.  These may be turned on (with care)
11475       via the tls_ssl_options parameter.  The value is a white-space or comma
11476       separated list of named options chosen from the list below.  The  names
11477       are  not  case-sensitive,  you  can  use lower-case if you prefer.  The
11478       upper case values below match the corresponding macro name in the ssl.h
11479       header  file with the SSL_OP_ prefix removed.  It is possible that your
11480       OpenSSL version includes new options added after  your  Postfix  source
11481       code  was  last  updated, in that case you can only enable one of these
11482       via the hexadecimal syntax below.
11483
11484       You should only enable features via the hexadecimal mask when the  need
11485       to control the feature is critical (to deal with a new vulnerability or
11486       a serious interoperability problem).  Postfix DOES  NOT  promise  back‐
11487       wards  compatible  behavior  with  respect to the mask bits.  A feature
11488       enabled via the mask in one release may be enabled by other means in  a
11489       later  release,  and the mask bit will then be ignored.  Therefore, use
11490       of the hexadecimal mask is only a temporary measure until a new Postfix
11491       or OpenSSL release provides a better solution.
11492
11493       If  the  value  of the parameter is a hexadecimal long integer starting
11494       with "0x", the options corresponding to the bits specified in its value
11495       are  enabled  (see  openssl/ssl.h and SSL_CTX_set_options(3)).  You can
11496       only enable options not already controlled by other  Postfix  settings.
11497       For example, you cannot disable protocols or enable server cipher pref‐
11498       erence.  Do not attempt to turn all features by specifying  0xFFFFFFFF,
11499       this is unlikely to be a good idea.
11500
11501       LEGACY_SERVER_CONNECT
11502              See SSL_CTX_set_options(3).
11503
11504       NO_TICKET
11505              See SSL_CTX_set_options(3).
11506
11507       NO_COMPRESSION
11508              Disable  SSL  compression  even  if  supported  by  the  OpenSSL
11509              library.  Compression is CPU-intensive, and  compression  before
11510              encryption does not always improve security.
11511
11512       This feature is available in Postfix 2.11 and later.
11513

tls_wildcard_matches_multiple_labels (default: yes)

11515       Match multiple DNS labels with "*" in wildcard certificates.
11516
11517       Some  mail service providers prepend the customer domain name to a base
11518       domain for which they have a wildcard TLS  certificate.   For  example,
11519       the MX records for example.com hosted by example.net may be:
11520
11521           example.com. IN MX 0 example.com.mx1.example.net.
11522           example.com. IN MX 0 example.com.mx2.example.net.
11523
11524       and the TLS certificate may be for "*.example.net". The "*" then corre‐
11525       sponds with multiple labels in the  mail  server  domain  name.   While
11526       multi-label  wildcards are not widely supported, and are not blessed by
11527       any standard, there is little to be gained by disallowing their use  in
11528       this context.
11529
11530       Notes:
11531
11532       ·      In  a  certificate name, the "*" is special only when it is used
11533              as the first label.
11534
11535       ·      While Postfix (2.11 or later) can match "*" with multiple domain
11536              name labels, other implementations likely will not.
11537
11538       ·      Earlier   Postfix   implementations   behave  as  if  "tls_wild‐
11539              card_matches_multiple_labels = no".
11540
11541       This feature is available in Postfix 2.11 and later.
11542

tlsmgr_service_name (default: tlsmgr)

11544       The name of the tlsmgr(8) service  entry  in  master.cf.  This  service
11545       maintains TLS session caches and other information in support of TLS.
11546
11547       This feature is available in Postfix 2.11 and later.
11548

tlsproxy_enforce_tls (default: $smtpd_enforce_tls)

11550       Mandatory  TLS:  announce  STARTTLS support to remote SMTP clients, and
11551       require that clients use TLS encryption. See smtpd_enforce_tls for fur‐
11552       ther details.
11553
11554       This feature is available in Postfix 2.8 and later.
11555

tlsproxy_service_name (default: tlsproxy)

11557       The  name  of  the tlsproxy(8) service entry in master.cf. This service
11558       performs plaintext <=> TLS ciphertext conversion.
11559
11560       This feature is available in Postfix 2.8 and later.
11561

tlsproxy_tls_CAfile (default: $smtpd_tls_CAfile)

11563       A file containing (PEM format) CA certificates of root CAs  trusted  to
11564       sign either remote SMTP client certificates or intermediate CA certifi‐
11565       cates.  See smtpd_tls_CAfile for further details.
11566
11567       This feature is available in Postfix 2.8 and later.
11568

tlsproxy_tls_CApath (default: $smtpd_tls_CApath)

11570       A directory containing (PEM format) CA certificates of root CAs trusted
11571       to  sign either remote SMTP client certificates or intermediate CA cer‐
11572       tificates. See smtpd_tls_CApath for further details.
11573
11574       This feature is available in Postfix 2.8 and later.
11575

tlsproxy_tls_always_issue_session_ids (default: $smtpd_tls_always_issue_ses‐

11577       sion_ids)
11578       Force  the  Postfix  tlsproxy(8) server to issue a TLS session id, even
11579       when TLS session caching is turned off. See smtpd_tls_always_issue_ses‐
11580       sion_ids for further details.
11581
11582       This feature is available in Postfix 2.8 and later.
11583

tlsproxy_tls_ask_ccert (default: $smtpd_tls_ask_ccert)

11585       Ask   a   remote   SMTP   client   for   a   client   certificate.  See
11586       smtpd_tls_ask_ccert for further details.
11587
11588       This feature is available in Postfix 2.8 and later.
11589

tlsproxy_tls_ccert_verifydepth (default: $smtpd_tls_ccert_verifydepth)

11591       The verification depth for remote SMTP client certificates. A depth  of
11592       1  is  sufficient  if  the issuing CA is listed in a local CA file. See
11593       smtpd_tls_ccert_verifydepth for further details.
11594
11595       This feature is available in Postfix 2.8 and later.
11596

tlsproxy_tls_cert_file (default: $smtpd_tls_cert_file)

11598       File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
11599       This  file  may also contain the Postfix tlsproxy(8) server private RSA
11600       key.  See smtpd_tls_cert_file for further details.
11601
11602       This feature is available in Postfix 2.8 and later.
11603

tlsproxy_tls_ciphers (default: $smtpd_tls_ciphers)

11605       The minimum TLS cipher grade that the Postfix tlsproxy(8)  server  will
11606       use  with  opportunistic TLS encryption. See smtpd_tls_ciphers for fur‐
11607       ther details.
11608
11609       This feature is available in Postfix 2.8 and later.
11610

tlsproxy_tls_dcert_file (default: $smtpd_tls_dcert_file)

11612       File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
11613       This  file  may also contain the Postfix tlsproxy(8) server private DSA
11614       key.  See smtpd_tls_dcert_file for further details.
11615
11616       This feature is available in Postfix 2.8 and later.
11617

tlsproxy_tls_dh1024_param_file (default: $smtpd_tls_dh1024_param_file)

11619       File with DH parameters that the Postfix tlsproxy(8) server should  use
11620       with  non-export  EDH ciphers. See smtpd_tls_dh1024_param_file for fur‐
11621       ther details.
11622
11623       This feature is available in Postfix 2.8 and later.
11624

tlsproxy_tls_dh512_param_file (default: $smtpd_tls_dh512_param_file)

11626       File with DH parameters that the Postfix tlsproxy(8) server should  use
11627       with  export-grade EDH ciphers. See smtpd_tls_dh512_param_file for fur‐
11628       ther details.  The default SMTP server cipher grade  is  "medium"  with
11629       Postfix releases after the middle of 2015, and as a result export-grade
11630       cipher suites are by default not used.
11631
11632       This feature is available in Postfix 2.8 and later.
11633

tlsproxy_tls_dkey_file (default: $smtpd_tls_dkey_file)

11635       File with the Postfix tlsproxy(8) server DSA private key in PEM format.
11636       This  file may be combined with the Postfix tlsproxy(8) server DSA cer‐
11637       tificate    file    specified    with    $smtpd_tls_dcert_file.     See
11638       smtpd_tls_dkey_file for further details.
11639
11640       This feature is available in Postfix 2.8 and later.
11641

tlsproxy_tls_eccert_file (default: $smtpd_tls_eccert_file)

11643       File  with the Postfix tlsproxy(8) server ECDSA certificate in PEM for‐
11644       mat.  This file may also contain the Postfix tlsproxy(8) server private
11645       ECDSA key.  See smtpd_tls_eccert_file for further details.
11646
11647       This feature is available in Postfix 2.8 and later.
11648

tlsproxy_tls_eckey_file (default: $smtpd_tls_eckey_file)

11650       File  with the Postfix tlsproxy(8) server ECDSA private key in PEM for‐
11651       mat.  This file may be combined with  the  Postfix  tlsproxy(8)  server
11652       ECDSA  certificate  file  specified  with  $smtpd_tls_eccert_file.  See
11653       smtpd_tls_eckey_file for further details.
11654
11655       This feature is available in Postfix 2.8 and later.
11656

tlsproxy_tls_eecdh_grade (default: $smtpd_tls_eecdh_grade)

11658       The Postfix tlsproxy(8) server  security  grade  for  ephemeral  ellip‐
11659       tic-curve      Diffie-Hellman     (EECDH)     key     exchange.     See
11660       smtpd_tls_eecdh_grade for further details.
11661
11662       This feature is available in Postfix 2.8 and later.
11663

tlsproxy_tls_exclude_ciphers (default: $smtpd_tls_exclude_ciphers)

11665       List of ciphers or cipher types to exclude from the tlsproxy(8)  server
11666       cipher  list  at all TLS security levels. See smtpd_tls_exclude_ciphers
11667       for further details.
11668
11669       This feature is available in Postfix 2.8 and later.
11670

tlsproxy_tls_fingerprint_digest (default: $smtpd_tls_fingerprint_digest)

11672       The message digest algorithm to construct remote  SMTP  client-certifi‐
11673       cate   fingerprints.   See   smtpd_tls_fingerprint_digest  for  further
11674       details.
11675
11676       This feature is available in Postfix 2.8 and later.
11677

tlsproxy_tls_key_file (default: $smtpd_tls_key_file)

11679       File with the Postfix tlsproxy(8) server RSA private key in PEM format.
11680       This  file may be combined with the Postfix tlsproxy(8) server RSA cer‐
11681       tificate    file    specified    with    $smtpd_tls_cert_file.      See
11682       smtpd_tls_key_file for further details.
11683
11684       This feature is available in Postfix 2.8 and later.
11685

tlsproxy_tls_loglevel (default: $smtpd_tls_loglevel)

11687       Enable  additional  Postfix tlsproxy(8) server logging of TLS activity.
11688       Each logging level also includes the information that is  logged  at  a
11689       lower logging level. See smtpd_tls_loglevel for further details.
11690
11691       This feature is available in Postfix 2.8 and later.
11692

tlsproxy_tls_mandatory_ciphers (default: $smtpd_tls_mandatory_ciphers)

11694       The  minimum  TLS cipher grade that the Postfix tlsproxy(8) server will
11695       use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers  for
11696       further details.
11697
11698       This feature is available in Postfix 2.8 and later.
11699

tlsproxy_tls_mandatory_exclude_ciphers (default: $smtpd_tls_manda‐

11701       tory_exclude_ciphers)
11702       Additional list  of  ciphers  or  cipher  types  to  exclude  from  the
11703       tlsproxy(8)  server  cipher list at mandatory TLS security levels.  See
11704       smtpd_tls_mandatory_exclude_ciphers for further details.
11705
11706       This feature is available in Postfix 2.8 and later.
11707

tlsproxy_tls_mandatory_protocols (default: $smtpd_tls_mandatory_protocols)

11709       The SSL/TLS protocols accepted by the Postfix tlsproxy(8)  server  with
11710       mandatory TLS encryption. If the list is empty, the server supports all
11711       available SSL/TLS protocol versions.  See smtpd_tls_mandatory_protocols
11712       for further details.
11713
11714       This feature is available in Postfix 2.8 and later.
11715

tlsproxy_tls_protocols (default: $smtpd_tls_protocols)

11717       List  of TLS protocols that the Postfix tlsproxy(8) server will exclude
11718       or include with opportunistic TLS encryption.  See  smtpd_tls_protocols
11719       for further details.
11720
11721       This feature is available in Postfix 2.8 and later.
11722

tlsproxy_tls_req_ccert (default: $smtpd_tls_req_ccert)

11724       With  mandatory  TLS  encryption,  require a trusted remote SMTP client
11725       certificate  in  order  to  allow  TLS  connections  to  proceed.   See
11726       smtpd_tls_req_ccert for further details.
11727
11728       This feature is available in Postfix 2.8 and later.
11729

tlsproxy_tls_security_level (default: $smtpd_tls_security_level)

11731       The  SMTP TLS security level for the Postfix tlsproxy(8) server; when a
11732       non-empty value is specified, this overrides  the  obsolete  parameters
11733       smtpd_use_tls  and  smtpd_enforce_tls. See smtpd_tls_security_level for
11734       further details.
11735
11736       This feature is available in Postfix 2.8 and later.
11737

tlsproxy_tls_session_cache_timeout (default: $smtpd_tls_session_cache_timeout)

11739
11740       Obsolete  expiration  time  of  Postfix  tlsproxy(8) server TLS session
11741       cache information. Since the cache is shared with smtpd(8) and  managed
11742       by  tlsmgr(8),  there  is  only one expiration time for the SMTP server
11743       cache   shared   by   all   three   services,   namely   smtpd_tls_ses‐
11744       sion_cache_timeout.
11745
11746       This feature is available in Postfix 2.8 and later.
11747

tlsproxy_use_tls (default: $smtpd_use_tls)

11749       Opportunistic  TLS:  announce  STARTTLS support to remote SMTP clients,
11750       but do not require that clients use TLS encryption.  See  smtpd_use_tls
11751       for further details.
11752
11753       This feature is available in Postfix 2.8 and later.
11754

tlsproxy_watchdog_timeout (default: 10s)

11756       How much time a tlsproxy(8) process may take to process local or remote
11757       I/O before it is terminated by a built-in watchdog timer.   This  is  a
11758       safety mechanism that prevents tlsproxy(8) from becoming non-responsive
11759       due to a bug in Postfix itself or in system software.  To  avoid  false
11760       alarms  and unnecessary cache corruption this limit cannot be set under
11761       10s.
11762
11763       Specify a non-zero time value  (an  integral  value  plus  an  optional
11764       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
11765       onds), m (minutes), h (hours), d (days), w (weeks).
11766
11767       This feature is available in Postfix 2.8.
11768

trace_service_name (default: trace)

11770       The name of the trace service.  This  service  is  implemented  by  the
11771       bounce(8) daemon and maintains a record of mail deliveries and produces
11772       a mail delivery report when verbose delivery is requested  with  "send‐
11773       mail -v".
11774
11775       This feature is available in Postfix 2.1 and later.
11776

transport_delivery_slot_cost (default: $default_delivery_slot_cost)

11778       A transport-specific override for the default_delivery_slot_cost param‐
11779       eter value, where transport is the master.cf name of the message deliv‐
11780       ery transport.
11781
11782       Note:  transport_delivery_slot_cost  parameters  will  not  show  up in
11783       "postconf" command output before Postfix version 2.9.  This  limitation
11784       applies  to  many parameters whose name is a combination of a master.cf
11785       service  name  and  a  built-in  suffix   (in   this   case:   "_deliv‐
11786       ery_slot_cost").
11787

transport_delivery_slot_discount (default: $default_delivery_slot_discount)

11789       A  transport-specific  override  for the default_delivery_slot_discount
11790       parameter value, where transport is the master.cf name of  the  message
11791       delivery transport.
11792
11793       Note:  transport_delivery_slot_discount  parameters will not show up in
11794       "postconf" command output before Postfix version 2.9.  This  limitation
11795       applies  to  many parameters whose name is a combination of a master.cf
11796       service name and a built-in suffix (in this case:  "_delivery_slot_dis‐
11797       count").
11798

transport_delivery_slot_loan (default: $default_delivery_slot_loan)

11800       A transport-specific override for the default_delivery_slot_loan param‐
11801       eter value, where transport is the master.cf name of the message deliv‐
11802       ery transport.
11803
11804       Note:  transport_delivery_slot_loan  parameters  will  not  show  up in
11805       "postconf" command output before Postfix version 2.9.  This  limitation
11806       applies  to  many parameters whose name is a combination of a master.cf
11807       service  name  and  a  built-in  suffix   (in   this   case:   "_deliv‐
11808       ery_slot_loan").
11809

transport_destination_concurrency_failed_cohort_limit (default: $default_des‐

11811       tination_concurrency_failed_cohort_limit)
11812       A  transport-specific  override  for  the   default_destination_concur‐
11813       rency_failed_cohort_limit  parameter value, where transport is the mas‐
11814       ter.cf name of the message delivery transport.
11815
11816       Note: some transport_destination_concurrency_failed_cohort_limit param‐
11817       eters will not show up in "postconf" command output before Postfix ver‐
11818       sion 2.9.  This limitation applies to many parameters whose name  is  a
11819       combination  of a master.cf service name and a built-in suffix (in this
11820       case: "_destination_concurrency_failed_cohort_limit").
11821
11822       This feature is available in Postfix 2.5 and later.
11823

transport_destination_concurrency_limit (default: $default_destination_concur‐

11825       rency_limit)
11826       A   transport-specific  override  for  the  default_destination_concur‐
11827       rency_limit parameter value, where transport is the master.cf  name  of
11828       the message delivery transport.
11829
11830       Note:  some transport_destination_concurrency_limit parameters will not
11831       show up in "postconf" command output before Postfix version 2.9.   This
11832       limitation  applies to many parameters whose name is a combination of a
11833       master.cf service name and a built-in suffix (in this case:  "_destina‐
11834       tion_concurrency_limit").
11835

transport_destination_concurrency_negative_feedback (default: $default_desti‐

11837       nation_concurrency_negative_feedback)
11838       A  transport-specific  override  for  the   default_destination_concur‐
11839       rency_negative_feedback  parameter  value,  where transport is the mas‐
11840       ter.cf name of the message delivery transport.
11841
11842       Note: some transport_destination_concurrency_negative_feedback  parame‐
11843       ters  will not show up in "postconf" command output before Postfix ver‐
11844       sion 2.9.  This limitation applies to many parameters whose name  is  a
11845       combination  of a master.cf service name and a built-in suffix (in this
11846       case: "_destination_concurrency_negative_feedback").
11847
11848       This feature is available in Postfix 2.5 and later.
11849

transport_destination_concurrency_positive_feedback (default: $default_desti‐

11851       nation_concurrency_positive_feedback)
11852       A   transport-specific  override  for  the  default_destination_concur‐
11853       rency_positive_feedback parameter value, where transport  is  the  mas‐
11854       ter.cf name of the message delivery transport.
11855
11856       Note:  some transport_destination_concurrency_positive_feedback parame‐
11857       ters will not show up in "postconf" command output before Postfix  ver‐
11858       sion  2.9.   This limitation applies to many parameters whose name is a
11859       combination of a master.cf service name and a built-in suffix (in  this
11860       case: "_destination_concurrency_positive_feedback").
11861
11862       This feature is available in Postfix 2.5 and later.
11863

transport_destination_rate_delay (default: $default_destination_rate_delay)

11865       A  transport-specific  override  for the default_destination_rate_delay
11866       parameter value, where transport is the master.cf name of  the  message
11867       delivery transport.
11868
11869       Note: some transport_destination_rate_delay parameters will not show up
11870       in "postconf" command output before Postfix version 2.9.  This  limita‐
11871       tion  applies  to many parameters whose name is a combination of a mas‐
11872       ter.cf service name and a built-in suffix  (in  this  case:  "_destina‐
11873       tion_rate_delay").
11874
11875       This feature is available in Postfix 2.5 and later.
11876

transport_destination_recipient_limit (default: $default_destination_recipi‐

11878       ent_limit)
11879       A  transport-specific  override  for  the   default_destination_recipi‐
11880       ent_limit parameter value, where transport is the master.cf name of the
11881       message delivery transport.
11882
11883       Note: some transport_destination_recipient_limit  parameters  will  not
11884       show  up in "postconf" command output before Postfix version 2.9.  This
11885       limitation applies to many parameters whose name is a combination of  a
11886       master.cf  service name and a built-in suffix (in this case: "_destina‐
11887       tion_recipient_limit").
11888

transport_extra_recipient_limit (default: $default_extra_recipient_limit)

11890       A transport-specific  override  for  the  default_extra_recipient_limit
11891       parameter  value,  where transport is the master.cf name of the message
11892       delivery transport.
11893
11894       Note: transport_extra_recipient_limit parameters will not  show  up  in
11895       "postconf"  command output before Postfix version 2.9.  This limitation
11896       applies to many parameters whose name is a combination of  a  master.cf
11897       service  name  and  a  built-in  suffix  (in this case: "_extra_recipi‐
11898       ent_limit").
11899

transport_initial_destination_concurrency (default: $initial_destination_con‐

11901       currency)
11902       A  transport-specific  override for the initial_destination_concurrency
11903       parameter value, where transport is the master.cf name of  the  message
11904       delivery transport.
11905
11906       Note:  some  transport_initial_destination_concurrency  parameters will
11907       not show up in "postconf" command output before  Postfix  version  2.9.
11908       This  limitation applies to many parameters whose name is a combination
11909       of a master.cf service name and a built-in suffix (in this case: "_ini‐
11910       tial_destination_concurrency").
11911
11912       This feature is available in Postfix 2.5 and later.
11913

transport_maps (default: empty)

11915       Optional lookup tables with mappings from recipient address to (message
11916       delivery  transport,  next-hop  destination).   See  transport(5)   for
11917       details.
11918
11919       Specify  zero  or  more "type:table" lookup tables, separated by white‐
11920       space or comma. Tables will be searched in the specified order until  a
11921       match is found.  If you use this feature with local files, run "postmap
11922       /etc/postfix/transport" after making a change.
11923
11924       Pattern matching of domain names  is  controlled  by  the  presence  or
11925       absence  of  "transport_maps"  in  the parent_domain_matches_subdomains
11926       parameter value.
11927
11928       For safety reasons, as of Postfix 2.3 this feature does not allow $num‐
11929       ber substitutions in regular expression maps.
11930
11931       Examples:
11932
11933       transport_maps = dbm:/etc/postfix/transport
11934       transport_maps = hash:/etc/postfix/transport
11935

transport_minimum_delivery_slots (default: $default_minimum_delivery_slots)

11937       A  transport-specific  override  for the default_minimum_delivery_slots
11938       parameter value, where transport is the master.cf name of  the  message
11939       delivery transport.
11940
11941       Note:  transport_minimum_delivery_slots  parameters will not show up in
11942       "postconf" command output before Postfix version 2.9.  This  limitation
11943       applies  to  many parameters whose name is a combination of a master.cf
11944       service name and a built-in  suffix  (in  this  case:  "_minimum_deliv‐
11945       ery_slots").
11946

transport_recipient_limit (default: $default_recipient_limit)

11948       A transport-specific override for the default_recipient_limit parameter
11949       value, where transport is the master.cf name of  the  message  delivery
11950       transport.
11951
11952       Note:  some  transport_recipient_limit  parameters  will not show up in
11953       "postconf" command output before Postfix version 2.9.  This  limitation
11954       applies  to  many parameters whose name is a combination of a master.cf
11955       service name and a built-in suffix (in this case: "_recipient_limit").
11956

transport_recipient_refill_delay (default: $default_recipient_refill_delay)

11958       A transport-specific override  for  the  default_recipient_refill_delay
11959       parameter  value,  where transport is the master.cf name of the message
11960       delivery transport.
11961
11962       Note: transport_recipient_refill_delay parameters will not show  up  in
11963       "postconf"  command output before Postfix version 2.9.  This limitation
11964       applies to many parameters whose name is a combination of  a  master.cf
11965       service   name   and   a  built-in  suffix  (in  this  case:  "_recipi‐
11966       ent_refill_delay").
11967
11968       This feature is available in Postfix 2.4 and later.
11969

transport_recipient_refill_limit (default: $default_recipient_refill_limit)

11971       A transport-specific override  for  the  default_recipient_refill_limit
11972       parameter  value,  where transport is the master.cf name of the message
11973       delivery transport.
11974
11975       Note: transport_recipient_refill_limit parameters will not show  up  in
11976       "postconf"  command output before Postfix version 2.9.  This limitation
11977       applies to many parameters whose name is a combination of  a  master.cf
11978       service   name   and   a  built-in  suffix  (in  this  case:  "_recipi‐
11979       ent_refill_limit").
11980
11981       This feature is available in Postfix 2.4 and later.
11982

transport_retry_time (default: 60s)

11984       The time between attempts by the Postfix queue  manager  to  contact  a
11985       malfunctioning message delivery transport.
11986
11987       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
11988       The default time unit is s (seconds).
11989

transport_time_limit (default: $command_time_limit)

11991       A transport-specific  override  for  the  command_time_limit  parameter
11992       value,  where  transport  is the master.cf name of the message delivery
11993       transport.
11994
11995       Note: transport_time_limit parameters will not show  up  in  "postconf"
11996       command  output before Postfix version 2.9.  This limitation applies to
11997       many parameters whose name is a combination of a master.cf service name
11998       and a built-in suffix (in this case: "_time_limit").
11999

transport_transport_rate_delay (default: $default_transport_rate_delay)

12001       A  transport-specific  override  for  the  default_transport_rate_delay
12002       parameter value, where the initial transport in the parameter  name  is
12003       the master.cf name of the message delivery transport.
12004

trigger_timeout (default: 10s)

12006       The  time limit for sending a trigger to a Postfix daemon (for example,
12007       the pickup(8) or qmgr(8) daemon). This  time  limit  prevents  programs
12008       from getting stuck when the mail system is under heavy load.
12009
12010       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
12011       The default time unit is s (seconds).
12012

undisclosed_recipients_header (default: see postconf -d output)

12014       Message header that the Postfix cleanup(8) server inserts when  a  mes‐
12015       sage contains no To: or Cc: message header. With Postfix 2.8 and later,
12016       the default value is empty. With  Postfix  2.4-2.7,  specify  an  empty
12017       value to disable this feature.
12018
12019       Example:
12020
12021       # Default value before Postfix 2.8.
12022       # Note: the ":" and ";" are both required.
12023       undisclosed_recipients_header = To: undisclosed-recipients:;
12024

unknown_address_reject_code (default: 450)

12026       The  numerical  response  code  when  the Postfix SMTP server rejects a
12027       sender or recipient address because its domain is unknown.  This is one
12028       of      the      possible     replies     from     the     restrictions
12029       reject_unknown_sender_domain and reject_unknown_recipient_domain.
12030
12031       Do not change this unless you have  a  complete  understanding  of  RFC
12032       5321.
12033

unknown_address_tempfail_action (default: $reject_tempfail_action)

12035       The  Postfix  SMTP server's action when reject_unknown_sender_domain or
12036       reject_unknown_recipient_domain fail due to a  temporary  error  condi‐
12037       tion.  Specify  "defer" to defer the remote SMTP client request immedi‐
12038       ately. With the default  "defer_if_permit"  action,  the  Postfix  SMTP
12039       server  continues  to look for opportunities to reject mail, and defers
12040       the client request only if it would otherwise be accepted.
12041
12042       This feature is available in Postfix 2.6 and later.
12043

unknown_client_reject_code (default: 450)

12045       The numerical Postfix SMTP server response code when a  client  without
12046       valid    address    <=>    name    mapping    is    rejected   by   the
12047       reject_unknown_client_hostname  restriction.  The  SMTP  server  always
12048       replies  with 450 when the mapping failed due to a temporary error con‐
12049       dition.
12050
12051       Do not change this unless you have  a  complete  understanding  of  RFC
12052       5321.
12053

unknown_helo_hostname_tempfail_action (default: $reject_tempfail_action)

12055       The  Postfix  SMTP  server's  action  when reject_unknown_helo_hostname
12056       fails due to an temporary error condition. Specify "defer" to defer the
12057       remote SMTP client request immediately. With the default "defer_if_per‐
12058       mit" action, the Postfix SMTP server continues to look  for  opportuni‐
12059       ties  to  reject  mail,  and defers the client request only if it would
12060       otherwise be accepted.
12061
12062       This feature is available in Postfix 2.6 and later.
12063

unknown_hostname_reject_code (default: 450)

12065       The numerical Postfix SMTP server response code when the hostname spec‐
12066       ified   with   the   HELO   or   EHLO   command   is  rejected  by  the
12067       reject_unknown_helo_hostname restriction.
12068
12069       Do not change this unless you have  a  complete  understanding  of  RFC
12070       5321.
12071

unknown_local_recipient_reject_code (default: 550)

12073       The  numerical  Postfix  SMTP  server  response  code  when a recipient
12074       address is local, and $local_recipient_maps specifies a list of  lookup
12075       tables that does not match the recipient.  A recipient address is local
12076       when  its   domain   matches   $mydestination,   $proxy_interfaces   or
12077       $inet_interfaces.
12078
12079       The  default  setting is 550 (reject mail) but it is safer to initially
12080       use 450 (try again later)  so  you  have  time  to  find  out  if  your
12081       local_recipient_maps settings are OK.
12082
12083       Example:
12084
12085       unknown_local_recipient_reject_code = 450
12086
12087       This feature is available in Postfix 2.0 and later.
12088

unknown_relay_recipient_reject_code (default: 550)

12090       The  numerical  Postfix SMTP server reply code when a recipient address
12091       matches $relay_domains, and relay_recipient_maps specifies  a  list  of
12092       lookup tables that does not match the recipient address.
12093
12094       This feature is available in Postfix 2.0 and later.
12095

unknown_virtual_alias_reject_code (default: 550)

12097       The  Postfix  SMTP  server  reply code when a recipient address matches
12098       $virtual_alias_domains, and $virtual_alias_maps  specifies  a  list  of
12099       lookup tables that does not match the recipient address.
12100
12101       This feature is available in Postfix 2.0 and later.
12102

unknown_virtual_mailbox_reject_code (default: 550)

12104       The  Postfix  SMTP  server  reply code when a recipient address matches
12105       $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
12106       lookup tables that does not match the recipient address.
12107
12108       This feature is available in Postfix 2.0 and later.
12109

unverified_recipient_defer_code (default: 450)

12111       The  numerical  Postfix  SMTP  server response when a recipient address
12112       probe fails due to a temporary error condition.
12113
12114       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12115       address anyway.
12116
12117       Do  not  change  this  unless  you have a complete understanding of RFC
12118       5321.
12119
12120       This feature is available in Postfix 2.6 and later.
12121

unverified_recipient_reject_code (default: 450)

12123       The numerical Postfix SMTP server response when a recipient address  is
12124       rejected by the reject_unverified_recipient restriction.
12125
12126       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12127       address anyway.
12128
12129       Do not change this unless you have  a  complete  understanding  of  RFC
12130       5321.
12131
12132       This feature is available in Postfix 2.1 and later.
12133

unverified_recipient_reject_reason (default: empty)

12135       The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
12136       fied_recipient. Do not include the  numeric  SMTP  reply  code  or  the
12137       enhanced  status code. By default, the response includes actual address
12138       verification details.
12139
12140       Example:
12141
12142       unverified_recipient_reject_reason = Recipient address lookup failed
12143
12144       This feature is available in Postfix 2.6 and later.
12145

unverified_recipient_tempfail_action (default: $reject_tempfail_action)

12147       The Postfix SMTP server's action when reject_unverified_recipient fails
12148       due to a temporary error condition. Specify "defer" to defer the remote
12149       SMTP client request immediately.  With  the  default  "defer_if_permit"
12150       action,  the Postfix SMTP server continues to look for opportunities to
12151       reject mail, and defers the client request only if it  would  otherwise
12152       be accepted.
12153
12154       This feature is available in Postfix 2.6 and later.
12155

unverified_sender_defer_code (default: 450)

12157       The  numerical  Postfix SMTP server response code when a sender address
12158       probe fails due to a temporary error condition.
12159
12160       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12161       address anyway.
12162
12163       Do  not  change  this  unless  you have a complete understanding of RFC
12164       5321.
12165
12166       This feature is available in Postfix 2.6 and later.
12167

unverified_sender_reject_code (default: 450)

12169       The numerical Postfix  SMTP  server  response  code  when  a  recipient
12170       address is rejected by the reject_unverified_sender restriction.
12171
12172       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12173       address anyway.
12174
12175       Do not change this unless you have  a  complete  understanding  of  RFC
12176       5321.
12177
12178       This feature is available in Postfix 2.1 and later.
12179

unverified_sender_reject_reason (default: empty)

12181       The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
12182       fied_sender. Do not include the numeric SMTP reply code or the enhanced
12183       status code. By default, the response includes actual address verifica‐
12184       tion details.
12185
12186       Example:
12187
12188       unverified_sender_reject_reason = Sender address lookup failed
12189
12190       This feature is available in Postfix 2.6 and later.
12191

unverified_sender_tempfail_action (default: $reject_tempfail_action)

12193       The Postfix SMTP server's action  when  reject_unverified_sender  fails
12194       due to a temporary error condition. Specify "defer" to defer the remote
12195       SMTP client request immediately.  With  the  default  "defer_if_permit"
12196       action,  the Postfix SMTP server continues to look for opportunities to
12197       reject mail, and defers the client request only if it  would  otherwise
12198       be accepted.
12199
12200       This feature is available in Postfix 2.6 and later.
12201

verp_delimiter_filter (default: -=+)

12203       The  characters  Postfix  accepts  as  VERP delimiter characters on the
12204       Postfix sendmail(1) command line and in SMTP commands.
12205
12206       This feature is available in Postfix 1.1 and later.
12207

virtual_alias_address_length_limit (default: 1000)

12209       The maximal length of an email address after virtual  alias  expansion.
12210       This  stops  virtual  aliasing  loops  that increase the address length
12211       exponentially.
12212
12213       This feature is available in Postfix 3.0 and later.
12214

virtual_alias_domains (default: $virtual_alias_maps)

12216       Postfix is final destination for the specified list  of  virtual  alias
12217       domains,  that  is,  domains  for  which  all  addresses are aliased to
12218       addresses in other local or remote domains. The SMTP  server  validates
12219       recipient  addresses  with $virtual_alias_maps and rejects non-existent
12220       recipients.  See  also  the  virtual  alias   domain   class   in   the
12221       ADDRESS_CLASS_README file
12222
12223       This  feature  is available in Postfix 2.0 and later. The default value
12224       is backwards compatible with Postfix version 1.1.
12225
12226       The default value is $virtual_alias_maps  so  that  you  can  keep  all
12227       information about virtual alias domains in one place.  If you have many
12228       users, it is better to separate  information  that  changes  more  fre‐
12229       quently  (virtual  address  ->  local  or  remote address mapping) from
12230       information that changes less frequently (the list  of  virtual  domain
12231       names).
12232
12233       Specify  a  list  of host or domain names, "/file/name" or "type:table"
12234       patterns, separated by commas and/or whitespace. A "/file/name" pattern
12235       is  replaced  by  its  contents; a "type:table" lookup table is matched
12236       when a table entry matches  a  lookup  string  (the  lookup  result  is
12237       ignored).   Continue  long  lines by starting the next line with white‐
12238       space. Specify "!pattern" to exclude a host or  domain  name  from  the
12239       list.  The  form "!/file/name" is supported only in Postfix version 2.4
12240       and later.
12241
12242       See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
12243       ther information.
12244
12245       Example:
12246
12247       virtual_alias_domains = virtual1.tld virtual2.tld
12248

virtual_alias_expansion_limit (default: 1000)

12250       The  maximal  number of addresses that virtual alias expansion produces
12251       from each original recipient.
12252
12253       This feature is available in Postfix 2.1 and later.
12254

virtual_alias_maps (default: $virtual_maps)

12256       Optional lookup tables that alias specific mail addresses or domains to
12257       other  local or remote address.  The table format and lookups are docu‐
12258       mented in virtual(5). For an overview of Postfix address  manipulations
12259       see the ADDRESS_REWRITING_README document.
12260
12261       This  feature  is available in Postfix 2.0 and later. The default value
12262       is backwards compatible with Postfix version 1.1.
12263
12264       Specify zero or more "type:name" lookup tables, separated by whitespace
12265       or  comma. Tables will be searched in the specified order until a match
12266       is found.  Note: these lookups are recursive.
12267
12268       If you use this feature with indexed  files,  run  "postmap  /etc/post‐
12269       fix/virtual" after changing the file.
12270
12271       Examples:
12272
12273       virtual_alias_maps = dbm:/etc/postfix/virtual
12274       virtual_alias_maps = hash:/etc/postfix/virtual
12275

virtual_alias_recursion_limit (default: 1000)

12277       The  maximal  nesting  depth of virtual alias expansion.  Currently the
12278       recursion limit is applied only to the left  branch  of  the  expansion
12279       graph,  so the depth of the tree can in the worst case reach the sum of
12280       the expansion and recursion limits.  This may change in the future.
12281
12282       This feature is available in Postfix 2.1 and later.
12283

virtual_delivery_status_filter (default: $default_delivery_status_filter)

12285       Optional filter for the virtual(8) delivery agent to change the  deliv‐
12286       ery  status  code  or  explanatory  text  of successful or unsuccessful
12287       deliveries.  See default_delivery_status_filter for details.
12288
12289       This feature is available in Postfix 3.0 and later.
12290

virtual_destination_concurrency_limit (default: $default_destination_concur‐

12292       rency_limit)
12293       The  maximal  number of parallel deliveries to the same destination via
12294       the virtual message delivery transport. This limit is enforced  by  the
12295       queue  manager.  The message delivery transport name is the first field
12296       in the entry in the master.cf file.
12297

virtual_destination_recipient_limit (default: $default_destination_recipi‐

12299       ent_limit)
12300       The  maximal  number  of recipients per message for the virtual message
12301       delivery transport. This limit is enforced by the  queue  manager.  The
12302       message  delivery transport name is the first field in the entry in the
12303       master.cf file.
12304
12305       Setting this parameter to a value of 1  changes  the  meaning  of  vir‐
12306       tual_destination_concurrency_limit  from  concurrency  per  domain into
12307       concurrency per recipient.
12308

virtual_gid_maps (default: empty)

12310       Lookup tables with the per-recipient group ID  for  virtual(8)  mailbox
12311       delivery.
12312
12313       This  parameter  is specific to the virtual(8) delivery agent.  It does
12314       not apply when mail is delivered with a different  mail  delivery  pro‐
12315       gram.
12316
12317       Specify zero or more "type:name" lookup tables, separated by whitespace
12318       or comma. Tables will be searched in the specified order until a  match
12319       is found.
12320
12321       In  a  lookup table, specify a left-hand side of "@domain.tld" to match
12322       any user in  the  specified  domain  that  does  not  have  a  specific
12323       "user@domain.tld" entry.
12324
12325       When   a   recipient   address   has   an  optional  address  extension
12326       (user+foo@domain.tld), the virtual(8) delivery agent looks up the  full
12327       address  first,  and  when the lookup fails, it looks up the unextended
12328       address (user@domain.tld).
12329
12330       Note 1: for security reasons, the virtual(8) delivery  agent  disallows
12331       regular expression substitution of $1 etc. in regular expression lookup
12332       tables, because that would open a security hole.
12333
12334       Note 2: for  security  reasons,  the  virtual(8)  delivery  agent  will
12335       silently ignore requests to use the proxymap(8) server. Instead it will
12336       open the table directly. Before Postfix  version  2.2,  the  virtual(8)
12337       delivery agent will terminate with a fatal error.
12338

virtual_mailbox_base (default: empty)

12340       A  prefix  that  the virtual(8) delivery agent prepends to all pathname
12341       results from $virtual_mailbox_maps table lookups.   This  is  a  safety
12342       measure  to  ensure  that an out of control map doesn't litter the file
12343       system with mailboxes.  While virtual_mailbox_base could be set to "/",
12344       this setting isn't recommended.
12345
12346       This  parameter  is specific to the virtual(8) delivery agent.  It does
12347       not apply when mail is delivered with a different  mail  delivery  pro‐
12348       gram.
12349
12350       Example:
12351
12352       virtual_mailbox_base = /var/mail
12353

virtual_mailbox_domains (default: $virtual_mailbox_maps)

12355       Postfix is final destination for the specified list of domains; mail is
12356       delivered via  the  $virtual_transport  mail  delivery  transport.   By
12357       default this is the Postfix virtual(8) delivery agent.  The SMTP server
12358       validates recipient addresses with  $virtual_mailbox_maps  and  rejects
12359       mail  for non-existent recipients.  See also the virtual mailbox domain
12360       class in the ADDRESS_CLASS_README file.
12361
12362       This parameter expects the same syntax as the mydestination  configura‐
12363       tion parameter.
12364
12365       This  feature  is available in Postfix 2.0 and later. The default value
12366       is backwards compatible with Postfix version 1.1.
12367

virtual_mailbox_limit (default: 51200000)

12369       The maximal size in  bytes  of  an  individual  virtual(8)  mailbox  or
12370       maildir file, or zero (no limit).
12371
12372       This  parameter  is specific to the virtual(8) delivery agent.  It does
12373       not apply when mail is delivered with a different  mail  delivery  pro‐
12374       gram.
12375

virtual_mailbox_lock (default: see postconf -d output)

12377       How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
12378       For a list of available file locking methods,  use  the  "postconf  -l"
12379       command.
12380
12381       This  parameter  is specific to the virtual(8) delivery agent.  It does
12382       not apply when mail is delivered with a different  mail  delivery  pro‐
12383       gram.
12384
12385       This  setting  is  ignored  with  maildir  style delivery, because such
12386       deliveries are safe without application-level locks.
12387
12388       Note 1: the dotlock method requires that the recipient UID or  GID  has
12389       write access to the parent directory of the recipient's mailbox file.
12390
12391       Note 2: the default setting of this parameter is system dependent.
12392

virtual_mailbox_maps (default: empty)

12394       Optional  lookup  tables  with  all valid addresses in the domains that
12395       match $virtual_mailbox_domains.
12396
12397       Specify zero or more "type:name" lookup tables, separated by whitespace
12398       or  comma. Tables will be searched in the specified order until a match
12399       is found.
12400
12401       In a lookup table, specify a left-hand side of "@domain.tld"  to  match
12402       any  user  in  the  specified  domain  that  does  not  have a specific
12403       "user@domain.tld" entry.
12404
12405       The remainder of this text  is  specific  to  the  virtual(8)  delivery
12406       agent.   It does not apply when mail is delivered with a different mail
12407       delivery program.
12408
12409       The virtual(8) delivery agent uses this table to look up the per-recip‐
12410       ient mailbox or maildir pathname.  If the lookup result ends in a slash
12411       ("/"), maildir-style delivery is carried out,  otherwise  the  path  is
12412       assumed to specify a UNIX-style mailbox file.  Note that $virtual_mail‐
12413       box_base is unconditionally prepended to this path.
12414
12415       When  a  recipient  address   has   an   optional   address   extension
12416       (user+foo@domain.tld),  the virtual(8) delivery agent looks up the full
12417       address first, and when the lookup fails, it looks  up  the  unextended
12418       address (user@domain.tld).
12419
12420       Note  1:  for security reasons, the virtual(8) delivery agent disallows
12421       regular expression substitution of $1 etc. in regular expression lookup
12422       tables, because that would open a security hole.
12423
12424       Note  2:  for  security  reasons,  the  virtual(8)  delivery agent will
12425       silently ignore requests to use the proxymap(8) server. Instead it will
12426       open  the  table  directly.  Before Postfix version 2.2, the virtual(8)
12427       delivery agent will terminate with a fatal error.
12428

virtual_maps (default: empty)

12430       Optional lookup tables with a) names of domains for which all addresses
12431       are  aliased  to  addresses  in  other  local or remote domains, and b)
12432       addresses that are aliased  to  addresses  in  other  local  or  remote
12433       domains.   Available  before  Postfix version 2.0. With Postfix version
12434       2.0  and  later,  this  is  replaced   by   separate   controls:   vir‐
12435       tual_alias_domains and virtual_alias_maps.
12436

virtual_minimum_uid (default: 100)

12438       The minimum user ID value that the virtual(8) delivery agent accepts as
12439       a result from $virtual_uid_maps table  lookup.   Returned  values  less
12440       than this will be rejected, and the message will be deferred.
12441
12442       This  parameter  is specific to the virtual(8) delivery agent.  It does
12443       not apply when mail is delivered with a different  mail  delivery  pro‐
12444       gram.
12445

virtual_transport (default: virtual)

12447       The  default mail delivery transport and next-hop destination for final
12448       delivery to domains listed with $virtual_mailbox_domains.  This  infor‐
12449       mation can be overruled with the transport(5) table.
12450
12451       Specify  a string of the form transport:nexthop, where transport is the
12452       name of a mail delivery transport defined in master.cf.   The  :nexthop
12453       destination is optional; its syntax is documented in the manual page of
12454       the corresponding delivery agent.
12455
12456       This feature is available in Postfix 2.0 and later.
12457

virtual_uid_maps (default: empty)

12459       Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
12460       ery agent uses while writing to the recipient's mailbox.
12461
12462       This  parameter  is specific to the virtual(8) delivery agent.  It does
12463       not apply when mail is delivered with a different  mail  delivery  pro‐
12464       gram.
12465
12466       Specify zero or more "type:name" lookup tables, separated by whitespace
12467       or comma. Tables will be searched in the specified order until a  match
12468       is found.
12469
12470       In  a  lookup table, specify a left-hand side of "@domain.tld" to match
12471       any user in  the  specified  domain  that  does  not  have  a  specific
12472       "user@domain.tld" entry.
12473
12474       When   a   recipient   address   has   an  optional  address  extension
12475       (user+foo@domain.tld), the virtual(8) delivery agent looks up the  full
12476       address  first,  and  when the lookup fails, it looks up the unextended
12477       address (user@domain.tld).
12478
12479       Note 1: for security reasons, the virtual(8) delivery  agent  disallows
12480       regular expression substitution of $1 etc. in regular expression lookup
12481       tables, because that would open a security hole.
12482
12483       Note 2: for  security  reasons,  the  virtual(8)  delivery  agent  will
12484       silently ignore requests to use the proxymap(8) server. Instead it will
12485       open the table directly. Before Postfix  version  2.2,  the  virtual(8)
12486       delivery agent will terminate with a fatal error.
12487

SEE ALSO

12489       postconf(1), Postfix configuration parameter maintenance
12490       master(5), Postfix daemon configuration maintenance
12491

LICENSE

12493       The Secure Mailer license must be distributed with this software.
12494

AUTHOR(S)

12496       Wietse Venema
12497       IBM T.J. Watson Research
12498       P.O. Box 704
12499       Yorktown Heights, NY 10598, USA
12500
12501       Wietse Venema
12502       Google, Inc.
12503       111 8th Avenue
12504       New York, NY 10011, USA
12505
12506       Viktor Dukhovni
12507
12508
12509
12510                                                                   POSTCONF(5)
Impressum