POSTCONF(5)                   File Formats Manual                   POSTCONF(5)

postconf - Postfix configuration parameters

postconf parameter ...

postconf -e "parameter=value" ...

The Postfix main.cf configuration file specifies a small subset of all the parameters that control the operation of the Postfix mail system. Parameters not specified in main.cf are left at their default values.

The general format of the main.cf file is as follows:

· Each logical line has the form "parameter = value". Whitespace around the "=" is ignored, as is whitespace at the end of a logical line.

· Empty lines and whitespace-only lines are ignored, as are lines whose first non-whitespace character is a `#'.

· A logical line starts with non-whitespace text. A line that starts with whitespace continues a logical line.

· A parameter value may refer to other parameters.

  · The expressions "$name", "${name}" or "$(name)" are recursively replaced by the value of the named parameter.

  · The expression "${name?value}" expands to "value" when "$name" is non-empty. This form is supported with Postfix version 2.2 and later.

  · The expression "${name:value}" expands to "value" when "$name" is empty. This form is supported with Postfix version 2.2 and later.

· Specify "$$" to produce a single "$" character.

· When the same parameter is defined multiple times, only the last instance is remembered.

· Otherwise, the order of main.cf parameter definitions does not matter.

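The logical-line and expansion rules above, implemented as a small parser. This is an added illustration, not Postfix's own parser; the `defaults` dict and the constructed sample file are assumptions standing in for the built-in defaults and a real main.cf.

```python
"""Parser and expander for the main.cf logical-line rules listed above.

Added illustration; this is not Postfix's own parser. Parameters absent from
the text fall back to the caller-supplied `defaults` dict (an assumption
standing in for the built-in defaults that "postconf -d" would show)."""
import re

# Constructed sample main.cf; not a real configuration.
SAMPLE_MAIN_CF = """\
# leading comment
myhostname = mail.example.test
mydomain   = example.test
myorigin = $mydomain
relayhost = [smtp.$mydomain]:587
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
   # indented comment lines are ignored, not treated as continuation
greeting = ${relayhost?relay via $relayhost}${relayhost:direct delivery}
cost = price is $$5
probe_sender = postmaster@$(myorigin)
myorigin = ${mydomain}
"""

# $$, $name, ${name}, ${name?value}, ${name:value}, $(name)
_REF = re.compile(r'\$(?:\$|(\w+)|\{(\w+)(?:([?:])([^{}]*))?\}|\((\w+)\))')


def parse_main_cf(text):
    """Return {parameter: raw value}: comments and blank lines dropped, lines that
    start with whitespace joined to the previous logical line, whitespace around
    "=" and at line end removed, last definition of a name wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and logical:
            logical[-1] += ' ' + raw.strip()
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition('=')
        if not sep:
            raise ValueError('not a "parameter = value" line: %r' % line)
        params[name.strip()] = value.strip()
    return params


def expand(value, params, defaults=None, _depth=0):
    """Recursively replace parameter references in `value`."""
    if _depth > 32:  # guard against a = $b, b = $a
        raise ValueError('parameter reference loop')
    defaults = defaults or {}

    def lookup(name):
        raw = params.get(name, defaults.get(name, ''))
        return expand(raw, params, defaults, _depth + 1)

    def repl(m):
        if m.group(0) == '$$':
            return '$'
        name = m.group(1) or m.group(2) or m.group(5)
        cond, branch = m.group(3), m.group(4)
        current = lookup(name)
        if cond is None:
            return current
        # "?" selects the branch when non-empty, ":" when empty
        chosen = bool(current) == (cond == '?')
        return expand(branch, params, defaults, _depth + 1) if chosen else ''

    return _REF.sub(repl, value)


def load_main_cf(text, defaults=None):
    """Parse and fully expand a main.cf text."""
    params = parse_main_cf(text)
    return {name: expand(val, params, defaults) for name, val in params.items()}
```

A reference loop (a = $b, b = $a) is reported as an error rather than recursing without bound.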
The remainder of this document is a description of all Postfix configuration parameters. Default values are shown after the parameter name in parentheses, and can be looked up with the "postconf -d" command.

Note: this is not an invitation to make changes to Postfix configuration parameters. Unnecessary changes can impair the operation of the mail system.

The recipient of undeliverable mail that cannot be returned to the sender. This feature is enabled with the notify_classes parameter.

The numerical Postfix SMTP server response code for an access(5) map "defer" action, including "defer_if_permit" or "defer_if_reject". Prior to Postfix 2.6, the response is hard-coded as "450".

Do not change this unless you have a complete understanding of RFC 2821.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code for an access(5) map "reject" action.

Do not change this unless you have a complete understanding of RFC 2821.

The amount of time between verify(8) address verification database cleanup runs. This feature requires that the database supports the "delete" and "sequence" operators. Specify a zero interval to disable database cleanup.

After each database cleanup run, the verify(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as "partial" when the daemon terminates early after "postfix reload", "postfix stop", or no requests for $max_idle seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.7.

Overrides the default_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the local_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Lookup table for persistent address verification status storage. The table is maintained by the verify(8) service, and is opened before the process releases privileges.

The lookup table is persistent by default (Postfix 2.7 and later). Specify an empty table name to keep the information in volatile memory which is lost after "postfix reload" or "postfix stop". This is the default with Postfix version 2.6 and earlier.

Specify a location in a file system that will not fill up. If the database becomes corrupted, the world comes to an end. To recover, delete (NOT: truncate) the file and do "postfix reload".

Postfix daemon processes do not use root privileges when opening this file (Postfix 2.5 and later). The file must therefore be stored under a Postfix-owned directory such as the data_directory. As a migration aid, an attempt to open the file under a non-Postfix directory is redirected to the Postfix-owned data_directory, and a warning is logged.

Examples:

    address_verify_map = hash:/var/lib/postfix/verify
    address_verify_map = btree:/var/lib/postfix/verify

This feature is available in Postfix 2.1 and later.

Enable caching of failed address verification probe results. When this feature is enabled, the cache may pollute quickly with garbage. When this feature is disabled, Postfix will generate an address probe for every lookup.

This feature is available in Postfix 2.1 and later.

The time after which a failed probe expires from the address verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a failed address verification probe needs to be refreshed.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

How many times to query the verify(8) service for the completion of an address verification request in progress.

By default, the Postfix SMTP server polls the verify(8) service up to three times under non-overload conditions, and only once when under overload. With Postfix version 2.6 and earlier, the SMTP server always polls the verify(8) service up to three times by default.

Specify 1 to implement a crude form of greylisting, that is, always defer the first delivery request for a new address.

Examples:

    # Postfix <= 2.6 default
    address_verify_poll_count = 3
    # Poor man's greylisting
    address_verify_poll_count = 1

This feature is available in Postfix 2.1 and later.

The delay between queries for the completion of an address verification request in progress.

The default polling delay is 3 seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a successful probe expires from the address verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a successful address verification probe needs to be refreshed. The address verification status is not updated when the probe fails (optimistic caching).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

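The negative/positive expire and refresh rules, negative caching and optimistic caching described in the preceding entries, as a small model. This is an added illustration and not verify(8) code; the time values used in it are constructed for the demonstration, not Postfix defaults, and the clock is passed in by the caller.

```python
"""Model of the verify(8) cache policy set by the address_verify_negative_cache,
address_verify_negative_expire_time, address_verify_negative_refresh_time,
address_verify_positive_expire_time and address_verify_positive_refresh_time
parameters described above.

Added illustration, not Postfix code. Timings below are constructed values for
the demonstration, not Postfix defaults; `now` is passed in so the behaviour
can be stepped deterministically."""

TIME_UNITS = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400, 'w': 604800}


def parse_time(spec, default_unit='s'):
    """Parse a Postfix time value such as "3h", "31d" or "5" (default unit)."""
    spec = spec.strip()
    if spec[-1:] in TIME_UNITS:
        return int(spec[:-1]) * TIME_UNITS[spec[-1]]
    return int(spec) * TIME_UNITS[default_unit]


class VerifyCache:
    OK, FAIL, UNKNOWN = 'ok', 'fail', 'unknown'

    def __init__(self, positive_expire, positive_refresh,
                 negative_expire, negative_refresh, negative_cache=True):
        self.expire = {self.OK: parse_time(positive_expire),
                       self.FAIL: parse_time(negative_expire)}
        self.refresh = {self.OK: parse_time(positive_refresh),
                        self.FAIL: parse_time(negative_refresh)}
        self.negative_cache = negative_cache
        self._entries = {}  # address -> (status, time recorded)

    def lookup(self, address, now):
        """Return (status, probe_needed). A probe is needed when the address is
        unknown or its entry has expired, and also (in the background) when the
        entry is older than its refresh time."""
        entry = self._entries.get(address)
        if entry is None:
            return self.UNKNOWN, True
        status, stamp = entry
        age = now - stamp
        if age >= self.expire[status]:
            del self._entries[address]
            return self.UNKNOWN, True
        return status, age >= self.refresh[status]

    def record(self, address, deliverable, now):
        """Store a probe result. A failure is kept only when negative caching is
        on, and never replaces a still-valid positive entry (optimistic caching:
        a failed refresh of a good address does not change its status)."""
        if deliverable:
            self._entries[address] = (self.OK, now)
            return
        if not self.negative_cache:
            return  # nothing cached: every later lookup triggers a new probe
        current = self._entries.get(address)
        if current and current[0] == self.OK and \
                now - current[1] < self.expire[self.OK]:
            return
        self._entries[address] = (self.FAIL, now)
```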
Overrides the relay_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the relayhost parameter setting for address verification probes. This information can be overruled with the transport(5) table.

This feature is available in Postfix 2.1 and later.

The sender address to use in address verification probes; prior to Postfix 2.5 the default was "postmaster". To avoid problems with address probes that are sent in response to address probes, the Postfix SMTP server excludes the probe sender address from all SMTPD access blocks.

Specify an empty value (address_verify_sender =) or <> if you want to use the null sender address. Beware, some sites reject mail from <>, even though RFCs require that such addresses be accepted.

Examples:

    address_verify_sender = <>
    address_verify_sender = postmaster@my.domain

This feature is available in Postfix 2.1 and later.

$sender_dependent_default_transport_maps)
Overrides the sender_dependent_default_transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.7 and later.

dent_relayhost_maps)
Overrides the sender_dependent_relayhost_maps parameter setting for address verification probes.

This feature is available in Postfix 2.3 and later.

The name of the verify(8) address verification service. This service maintains the status of sender and/or recipient address verification probes, and generates probes on request by other Postfix processes.

Overrides the transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the virtual_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".

This is a separate configuration parameter because not all the tables specified with $alias_maps have to be local files.

Examples:

    alias_database = hash:/etc/aliases
    alias_database = hash:/etc/mail/aliases

The alias databases that are used for local(8) delivery. See aliases(5) for syntax details.

The default list is system dependent. On systems with NIS, the default is to search the local alias database, then the NIS alias database.

If you change the alias database, run "postalias /etc/aliases" (or wherever your system stores the mail alias file), or simply run "newaliases" to build the necessary DBM or DB file.

The local(8) delivery agent disallows regular expression substitution of $1 etc. in alias_maps, because that would open a security hole.

The local(8) delivery agent will silently ignore requests to use the proxymap(8) server within alias_maps. Instead it will open the table directly. Before Postfix version 2.2, the local(8) delivery agent terminates with a fatal error.

Examples:

    alias_maps = hash:/etc/aliases, nis:mail.aliases
    alias_maps = hash:/etc/aliases

Restrict local(8) mail delivery to external commands. The default is to disallow delivery to "|command" in :include: files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow commands in aliases(5), .forward files or in :include: files, respectively.

Example:

    allow_mail_to_commands = alias,forward,include

Restrict local(8) mail delivery to external files. The default is to disallow "/file/name" destinations in :include: files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow "/file/name" destinations in aliases(5), .forward files and in :include: files, respectively.

Example:

    allow_mail_to_files = alias,forward,include

Allow a sender or recipient address to have `-' as the first character. By default, this is not allowed, to avoid accidents with software that passes email addresses via the command line. Such software would not be able to distinguish a malicious address from a bona fide command-line option. Although this can be prevented by inserting a "--" option terminator into the command line, this is difficult to enforce consistently and globally.

As of Postfix version 2.5, this feature is implemented by trivial-rewrite(8). With earlier versions this feature was implemented by qmgr(8) and was limited to recipient addresses only.

Enable the rewriting of the form "user%domain" to "user@domain". This is enabled by default.

Note: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Example:

    allow_percent_hack = no

Forward mail with sender-specified routing (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains.

By default, this feature is turned off. This closes a nasty open relay loophole where a backup MX host can be tricked into forwarding junk mail to a primary MX host which then spams it out to the world.

This parameter also controls whether non-local addresses with sender-specified routing can match Postfix access tables. By default, such addresses cannot match Postfix access tables, because the address is ambiguous.

A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line, or via the MAIL_CONFIG environment parameter.

This list must be specified in the default Postfix configuration directory, and is used by set-gid Postfix commands such as postqueue(1) and postdrop(1).

Always add (Resent-) From:, To:, Date: or Message-ID: headers when not present. Postfix 2.6 and later add these headers only when clients match the local_header_rewrite_clients parameter setting. Earlier Postfix versions always add these headers; this may break DKIM signatures that cover non-existent headers.

Optional address that receives a "blind carbon copy" of each message that is received by the Postfix mail system.

Note: if mail to the BCC address bounces it will be returned to the sender.

Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated for mail that Postfix forwards internally, nor for mail that Postfix generates itself.

The time unit over which client connection rates and other rates are calculated.

This feature is implemented by the anvil(8) service which is available in Postfix version 2.2 and later.

The default interval is relatively short. Because of the high frequency of updates, the anvil(8) server uses volatile memory only. Thus, information is lost whenever the process terminates.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

How frequently the anvil(8) connection and rate limiting server logs peak usage information.

This feature is available in Postfix 2.2 and later.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

With locally submitted mail, append the string "@$myorigin" to mail addresses without domain information. With remotely submitted mail, append the string "@$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default and must not be turned off. Postfix does not support domain-less addresses.

Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default. If disabled, users will not be able to send mail to "user@partialdomainname" but will have to specify full domain names instead.

Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

How long the postkick(1) command waits for a request to enter the server's input buffer before giving up.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

List of users who are authorized to flush the queue.

By default, all users are allowed to flush the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to view the queue.

By default, all users are allowed to view the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).

By default, all users are allowed to submit mail. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file. To deny mail submission access to all users specify an empty list.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Example:

    authorized_submit_users = !www, static:all

This feature is available in Postfix 2.2 and later.

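The access-list matching rules shared by the three preceding entries (authorized_flush_users, authorized_mailq_users, authorized_submit_users), written out as an added illustration rather than Postfix code. The password file, "/file/name" contents and "type:table" lookups are injected as constructed dicts; treating the "!" of a "!/file/name" reference as applying to each name in that file is an assumption the page does not spell out.

```python
"""Access-list evaluation as described above for authorized_flush_users,
authorized_mailq_users and authorized_submit_users.

Added illustration, not Postfix code. The password file, "/file/name"
contents and "type:table" lookups are injected as dicts of constructed data.
Assumption: the '!' of a "!/file/name" reference applies to each pattern read
from that file."""
import re


def split_list(value):
    """Split a main.cf list on commas and/or whitespace."""
    return [p for p in re.split(r'[,\s]+', value.strip()) if p]


def login_name(real_uid, passwd):
    """Map the real UID to its login name; "unknown" when it is not in passwd.
    Note that a literal "unknown" entry in the list therefore matches every
    process whose UID is absent from the password file."""
    return passwd.get(real_uid, 'unknown')


def flatten(acl, files):
    """Yield (negated, pattern) pairs with "/file/name" references replaced by
    the patterns in the file."""
    for item in split_list(acl):
        negated = item.startswith('!')
        body = item[1:] if negated else item
        if body.startswith('/'):
            for sub in split_list(files.get(body, '')):
                yield negated, sub
        else:
            yield negated, body


def pattern_matches(pattern, name, tables):
    """Literal user name, or "type:table" that contains name as a lookup key;
    the lookup result is ignored. "static:" tables match every key, so
    static:all matches everyone."""
    if ':' in pattern:
        table_type = pattern.partition(':')[0]
        return table_type == 'static' or name in tables.get(pattern, {})
    return pattern == name


def is_authorized(real_uid, acl, passwd, files=None, tables=None,
                  privileged_uids=()):
    """Scan left to right; the first match decides. No match, or an empty
    list, denies. privileged_uids models the super-user / $mail_owner
    shortcut that the flush and mailq lists grant unconditionally."""
    if real_uid in privileged_uids:
        return True
    name = login_name(real_uid, passwd)
    for negated, pattern in flatten(acl, files or {}):
        if pattern_matches(pattern, name, tables or {}):
            return not negated
    return False


# Constructed sample data.
PASSWD = {0: 'root', 33: 'www', 1000: 'alice', 1001: 'bob'}
FILES = {'/etc/postfix/submitters': 'alice\nbob\n'}
TABLES = {'hash:/etc/postfix/operators': {'bob': 'x'}}
```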
What SMTP clients are allowed to specify the XVERP command. This command requests that mail be delivered one recipient at a time with a per recipient return address.

By default, only trusted clients are allowed to specify XVERP.

This parameter was introduced with Postfix version 1.1. Postfix version 2.1 renamed this parameter to smtpd_authorized_verp_clients and changed the default to none.

Specify a list of network/netmask patterns, separated by commas and/or whitespace. The mask specifies the number of bits in the network part of a host address. You can also specify hostnames or .domain names (the initial dot causes the domain to match any name below it), "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in the authorized_verp_clients value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.

Produce additional bounce(8) logfile records that can be read by Postfix versions before 2.0. The current and more extensible "name = value" format is needed in order to implement more sophisticated functionality.

This feature is available in Postfix 2.1 and later.

The per-table I/O buffer size for programs that create Berkeley DB hash or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

The per-table I/O buffer size for programs that read Berkeley DB hash or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. This happens when the local MTA is the best SMTP mail exchanger for a destination not listed in $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains. By default, the Postfix SMTP client returns such mail as undeliverable.

Specify, for example, "best_mx_transport = local" to pass the mail from the Postfix SMTP client to the local(8) delivery agent. You can specify any message delivery "transport" or "transport:nexthop" that is defined in the master.cf file. See the transport(5) manual page for the syntax and meaning of "transport" or "transport:nexthop".

However, this feature is expensive because it ties up a Postfix SMTP client process while the local(8) delivery agent is doing its work. It is more efficient (for Postfix) to list all hosted domains in a table or database.

Whether or not to use the local biff service. This service sends "new mail" notifications to users who have requested new mail notification with the UNIX command "biff y".

For compatibility reasons this feature is on by default. On systems with lots of interactive users, the biff service can be a performance drain. Specify "biff = no" in main.cf to disable it.

Optional lookup tables for content inspection as specified in the body_checks(5) manual page.

Note: with Postfix versions before 2.0, these rules inspect all content after the primary message headers.

How much text in a message body segment (or attachment, if you prefer to use that term) is subjected to body_checks inspection. The amount of text is limited to avoid scanning huge attachments.

This feature is available in Postfix 2.0 and later.

The recipient of postmaster notifications with the message headers of mail that Postfix did not deliver and of SMTP conversation transcripts of mail that Postfix did not receive. This feature is enabled with the notify_classes parameter.

The maximal time a bounce message is queued before it is considered undeliverable. By default, this is the same as the queue life time for regular mail.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

Specify 0 when mail delivery should be tried only once.

This feature is available in Postfix 2.1 and later.

The name of the bounce(8) service. This service maintains a record of failed delivery attempts and generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

The maximal amount of original message text that is sent in a non-delivery notification. Specify a byte count. A message is returned as either message/rfc822 (the complete original) or as text/rfc822-headers (the headers only). With Postfix version 2.4 and earlier, a message is always returned as message/rfc822 and is truncated when it exceeds the size limit.

Notes:

· If you increase this limit, then you should increase the mime_nesting_limit value proportionally.

· Be careful when making changes. Excessively large values will result in the loss of non-delivery notifications, when a bounce message size exceeds a local or remote MTA's message size limit.

Pathname of a configuration file with bounce message templates. These override the built-in templates of delivery status notification (DSN) messages for undeliverable mail, for delayed mail, successful delivery, or delivery verification. The bounce(5) manual page describes how to edit and test template files.

Template message body text may contain $name references to Postfix configuration parameters. The result of $name expansion can be previewed with "postconf -b file_name" before the file is placed into the Postfix configuration directory.

This feature is available in Postfix 2.3 and later.

Enable inter-operability with SMTP clients that implement an obsolete version of the AUTH command (RFC 4954). Examples of such clients are Microsoft Outlook Express version 4 and Microsoft Exchange version 5.0.

Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support in a non-standard way.

header_sender, header_recipient)
What addresses are subject to canonical_maps address mapping. By default, canonical_maps address mapping is applied to envelope sender and recipient addresses, and to header sender and header recipient addresses.

Specify one or more of: envelope_sender, envelope_recipient, header_sender, header_recipient.

This feature is available in Postfix 2.2 and later.

Optional address mapping lookup tables for message headers and envelopes. The mapping is applied to both sender and recipient addresses, in both envelopes and in headers, as controlled with the canonical_classes parameter. This is typically used to clean up dirty addresses from legacy mail systems, or to replace login names by Firstname.Lastname. The table format and lookups are documented in canonical(5). For an overview of Postfix address manipulations see the ADDRESS_REWRITING_README document.

If you use this feature, run "postmap /etc/postfix/canonical" to build the necessary DBM or DB file after every change. The changes will become visible after a minute or so. Use "postfix reload" to eliminate the delay.

Note: with Postfix version 2.2, message header address mapping happens only when message header address rewriting is enabled:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Examples:

    canonical_maps = dbm:/etc/postfix/canonical
    canonical_maps = hash:/etc/postfix/canonical

The name of the cleanup(8) service. This service rewrites addresses into the standard form, and performs canonical(5) address mapping and virtual(5) aliasing.

This feature is available in Postfix 2.0 and later.

The location of all Postfix administrative commands.

The local(8) delivery agent working directory for delivery to an external command. Failure to change directory causes the delivery to be deferred.

The following $name expansions are done on command_execution_directory before the directory is changed. Expansion happens in the context of the delivery request. The result of $name expansion is filtered with the character set that is specified with the execution_directory_expansion_filter parameter.

$user
    The recipient's username.

$shell
    The recipient's login shell pathname.

$home
    The recipient's home directory.

$recipient
    The full recipient address.

$extension
    The optional recipient address extension.

$domain
    The recipient domain.

$local
    The entire recipient localpart.

$recipient_delimiter
    The system-wide recipient address extension delimiter.

${name?value}
    Expands to value when $name is non-empty.

${name:value}
    Expands to value when $name is empty.

Instead of $name you can also specify ${name} or $(name).

This feature is available in Postfix 2.2 and later.

Restrict the characters that the local(8) delivery agent allows in $name expansions of $mailbox_command and $command_execution_directory. Characters outside the allowed set are replaced by underscores.

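The attribute expansion for command_execution_directory and the underscore-substituting character filter of the two preceding entries, as an added illustration (not local(8) code). ALLOWED_CHARS is a constructed stand-in for the filter parameter's value, which this page does not state; applying the filter to each expanded attribute value rather than to the literal template text is an assumption.

```python
"""Expansion of the $name attributes listed above for command_execution_directory,
including the ${name?value}/${name:value} forms and the character-set filter
that replaces disallowed characters in expanded values with underscores.

Added illustration, not local(8) code. ALLOWED_CHARS is a constructed stand-in
for the filter parameter's value, which this page does not state. Assumption:
the filter is applied to each expanded attribute value, not to the literal
template text."""
import re

ALLOWED_CHARS = frozenset(
    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+./@')

# ${name?value}, ${name:value}, ${name}, $(name), $name
_REF = re.compile(r'\$(?:\{(\w+)([?:])([^{}]*)\}|\{(\w+)\}|\((\w+)\)|(\w+))')


def delivery_attributes(recipient, home, shell, recipient_delimiter='+'):
    """Attributes of one local(8) delivery request, derived from the recipient
    address: $user and $extension are split on the recipient delimiter."""
    local, _, domain = recipient.rpartition('@')
    if recipient_delimiter and recipient_delimiter in local:
        user, _, extension = local.partition(recipient_delimiter)
    else:
        user, extension = local, ''
    return {'user': user, 'extension': extension, 'domain': domain,
            'local': local, 'recipient': recipient, 'home': home,
            'shell': shell, 'recipient_delimiter': recipient_delimiter}


def filtered(value, allowed=ALLOWED_CHARS):
    """Replace characters outside the allowed set by underscores."""
    return ''.join(c if c in allowed else '_' for c in value)


def expand_directory(template, attrs, allowed=ALLOWED_CHARS):
    """Expand $name references in a command_execution_directory template;
    attribute values pass through the filter, conditional branches are
    expanded recursively."""
    def repl(m):
        if m.group(1):  # ${name?value} or ${name:value}
            non_empty = bool(attrs.get(m.group(1), ''))
            wanted = non_empty if m.group(2) == '?' else not non_empty
            return expand_directory(m.group(3), attrs, allowed) if wanted else ''
        name = m.group(4) or m.group(5) or m.group(6)
        return filtered(attrs.get(name, ''), allowed)
    return _REF.sub(repl, template)
```

A recipient extension containing whitespace or a shell metacharacter reaches the directory path only with those characters turned into underscores, which is the point of the filter.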
Time limit for delivery to external commands. This limit is used by the
local(8) delivery agent, and is the default time limit for delivery by
the pipe(8) delivery agent.

Note: if you set this time limit to a large value you must update the
global ipc_timeout parameter as well.

The default location of the Postfix main.cf and master.cf configuration
files. This can be overruled via the following mechanisms:

· The MAIL_CONFIG environment variable (daemon processes and commands).

· The "-c" command-line option (commands only).

With Postfix commands that run with set-gid privileges, a
config_directory override requires either root privileges, or it
requires that the directory is listed with the
alternate_config_directories parameter in the default main.cf file.

Time limit for connection cache connect, send or receive operations.
The time limit is enforced in the client.

This feature is available in Postfix 2.3 and later.

The name of the scache(8) connection cache service. This service
maintains a limited pool of cached sessions.

This feature is available in Postfix 2.2 and later.

How frequently the scache(8) server logs usage statistics with
connection cache hit and miss rates for logical destinations and for
physical endpoints.

The maximal time-to-live value that the scache(8) connection cache
server allows. Requests that specify a larger TTL will be stored with
the maximum allowed TTL. The purpose of this additional control is to
protect the infrastructure against careless people. The cache TTL is
already bounded by $max_idle.

After the message is queued, send the entire message to the specified
transport:destination. The transport name specifies the first field of
a mail delivery agent definition in master.cf; the syntax of the
next-hop destination is described in the manual page of the
corresponding delivery agent. More information about external content
filters is in the Postfix FILTER_README file.

Notes:

· This setting has lower precedence than a FILTER action that is
specified in an access(5), header_checks(5) or body_checks(5) table.

· The meaning of an empty next-hop filter destination is version
dependent. Postfix 2.7 and later will use the recipient domain;
earlier versions will use $myhostname. Specify "default_filter_nexthop
= $myhostname" for compatibility with Postfix 2.6 or earlier, or
specify a content_filter value with an explicit next-hop destination.

Search path for Cyrus SASL application configuration files, currently
used only to locate the $smtpd_sasl_path.conf file. Specify zero or
more directories separated by a colon character, or an empty value to
use Cyrus SASL's built-in search path.

This feature is available in Postfix 2.5 and later when compiled with
Cyrus SASL 2.1.22 or later.

The directory with Postfix support programs and daemon programs. These
should not be invoked directly by humans. The directory must be owned
by root.

How much time a Postfix daemon process may take to handle a request
before it is terminated by a built-in watchdog timer.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The directory with Postfix-writable data files (for example: caches,
pseudo-random numbers). This directory must be owned by the mail_owner
account, and must not be shared with non-Postfix software.

This feature is available in Postfix 2.5 and later.

The increment in verbose logging level when a remote client or server
matches a pattern in the debug_peer_list parameter.

Optional list of remote client or server hostname or network address
patterns that cause the verbose logging level to increase by the amount
specified in $debug_peer_level.

Specify domain names, network/netmask patterns, "/file/name" patterns
or "type:table" lookup tables. The right-hand side result from
"type:table" lookups is ignored.

Pattern matching of domain names is controlled by the
parent_domain_matches_subdomains parameter.

Examples:

debug_peer_list = 127.0.0.1
debug_peer_list = example.com

The external command to execute when a Postfix daemon program is
invoked with the -D option.

Use "command .. & sleep 5" so that the debugger can attach before the
process marches on. If you use an X-based debugger, be sure to set up
your XAUTHORITY environment variable before starting Postfix.

Example:

debugger_command =
    PATH=/usr/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

The default database type for use in newaliases(1), postalias(1) and
postmap(1) commands. On many UNIX systems the default type is either
dbm or hash. The default setting is frozen when the Postfix system is
built.

Examples:

default_database_type = hash
default_database_type = dbm

How often the Postfix queue manager's scheduler is allowed to preempt
delivery of one message with another.

Each transport maintains a so-called "available delivery slot counter"
for each message. One message can be preempted by another one when the
other message can be delivered using no more delivery slots (i.e.,
invocations of delivery agents) than the current message counter has
accumulated (or will eventually accumulate - see about slot loans
below). This parameter controls how often the counter is incremented:
it happens after each default_delivery_slot_cost recipients have been
delivered.

The cost of 0 is used to disable the preempting scheduling completely.
The minimum value the scheduling algorithm can use is 2 - use it if you
want to maximize the message throughput rate. Although there is no
maximum, it doesn't make much sense to use values above say 50.

The only reason why the value of 2 is not the default is the way this
parameter affects the delivery of mailing-list mail. In the worst case,
their delivery can take somewhere between (cost+1)/cost and
cost/(cost-1) times more than if the preemptive scheduler was disabled.
The default value of 5 turns out to provide reasonable message response
times while making sure the mailing-list deliveries are not extended by
more than 20-25 percent even in the worst case.

Use transport_delivery_slot_cost to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

Examples:

default_delivery_slot_cost = 0
default_delivery_slot_cost = 2

The default value for transport-specific _delivery_slot_discount
settings.

This parameter speeds up the moment when a message preemption can
happen. Instead of waiting until the full amount of delivery slots
required is available, the preemption can happen when
transport_delivery_slot_discount percent of the required amount plus
transport_delivery_slot_loan still remains to be accumulated. Note that
the full amount will still have to be accumulated before another
preemption can take place later.

Use transport_delivery_slot_discount to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

The default value for transport-specific _delivery_slot_loan settings.

This parameter speeds up the moment when a message preemption can
happen. Instead of waiting until the full amount of delivery slots
required is available, the preemption can happen when
transport_delivery_slot_discount percent of the required amount plus
transport_delivery_slot_loan still remains to be accumulated. Note that
the full amount will still have to be accumulated before another
preemption can take place later.

Use transport_delivery_slot_loan to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

How many pseudo-cohorts must suffer connection or handshake failure
before a specific destination is considered unavailable (and further
delivery is suspended). Specify zero to disable this feature. A
destination's pseudo-cohort failure count is reset each time a delivery
completes without connection or handshake failure for that specific
destination.

A pseudo-cohort is the number of deliveries equal to a destination's
delivery concurrency.

Use transport_destination_concurrency_failed_cohort_limit to specify a
transport-specific override, where transport is the master.cf name of
the message delivery transport.

This feature is available in Postfix 2.5. The default setting is
compatible with earlier Postfix versions.

The default maximal number of parallel deliveries to the same
destination. This is the default limit for delivery via the lmtp(8),
pipe(8), smtp(8) and virtual(8) delivery agents. With per-destination
recipient limit > 1, a destination is a domain, otherwise it is a
recipient.

Use transport_destination_concurrency_limit to specify a
transport-specific override, where transport is the master.cf name of
the message delivery transport.

The per-destination amount of delivery concurrency negative feedback,
after a delivery completes with a connection or handshake failure.
Feedback values are in the range 0..1 inclusive. With negative
feedback, concurrency is decremented at the beginning of a sequence of
length 1/feedback. This is unlike positive feedback, where concurrency
is incremented at the end of a sequence of length 1/feedback.

As of Postfix version 2.5, negative feedback cannot reduce delivery
concurrency to zero. Instead, a destination is marked dead (further
delivery suspended) after the failed pseudo-cohort count reaches
$default_destination_concurrency_failed_cohort_limit (or
$transport_destination_concurrency_failed_cohort_limit). To make the
scheduler completely immune to connection or handshake failures,
specify a zero feedback value and a zero failed pseudo-cohort limit.

Specify one of the following forms:

number

number / number
Constant feedback. The value must be in the range 0..1 inclusive.
The default setting of "1" is compatible with Postfix versions before
2.5, where a destination's delivery concurrency is throttled down to
zero (and further delivery suspended) after a single failed
pseudo-cohort.

number / concurrency
Variable feedback of "number / (delivery concurrency)". The number
must be in the range 0..1 inclusive. With number equal to "1", a
destination's delivery concurrency is decremented by 1 after each
failed pseudo-cohort.

A pseudo-cohort is the number of deliveries equal to a destination's
delivery concurrency.

Use transport_destination_concurrency_negative_feedback to specify a
transport-specific override, where transport is the master.cf name of
the message delivery transport.

This feature is available in Postfix 2.5. The default setting is
compatible with earlier Postfix versions.

The per-destination amount of delivery concurrency positive feedback,
after a delivery completes without connection or handshake failure.
Feedback values are in the range 0..1 inclusive. The concurrency
increases until it reaches the per-destination maximal concurrency
limit. With positive feedback, concurrency is incremented at the end of
a sequence with length 1/feedback. This is unlike negative feedback,
where concurrency is decremented at the start of a sequence of length
1/feedback.

Specify one of the following forms:

number

number / number
Constant feedback. The value must be in the range 0..1 inclusive.
The default setting of "1" is compatible with Postfix versions before
2.5, where a destination's delivery concurrency doubles after each
successful pseudo-cohort.

number / concurrency
Variable feedback of "number / (delivery concurrency)". The number
must be in the range 0..1 inclusive. With number equal to "1", a
destination's delivery concurrency is incremented by 1 after each
successful pseudo-cohort.

A pseudo-cohort is the number of deliveries equal to a destination's
delivery concurrency.

Use transport_destination_concurrency_positive_feedback to specify a
transport-specific override, where transport is the master.cf name of
the message delivery transport.

This feature is available in Postfix 2.5 and later.

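The negative and positive feedback forms described in the two entries above, as an added simplified model in Python (not Postfix's queue manager code). It assumes that a pseudo-cohort is sized at the concurrency in force when its first failure arrives, that a success ends the current negative-feedback sequence, and that concurrency starts at a caller-supplied initial value.

```python
from fractions import Fraction


def parse_feedback(spec):
    """Parse the forms listed on this page: "number", "number / number"
    and "number / concurrency". Returns (number, per_concurrency); when
    per_concurrency is True the effective feedback is
    number / (current delivery concurrency)."""
    parts = [p.strip() for p in spec.split("/")]
    if len(parts) > 2 or not parts[0]:
        raise ValueError("bad feedback setting: %r" % spec)
    number = Fraction(parts[0])
    per_concurrency = len(parts) == 2 and parts[1] == "concurrency"
    if len(parts) == 2 and not per_concurrency:
        number /= Fraction(parts[1])
    if not 0 <= number <= 1:
        raise ValueError("feedback must be in the range 0..1: %r" % spec)
    return number, per_concurrency


class Destination:
    """Simplified model of one destination's delivery concurrency under
    positive/negative feedback and the failed pseudo-cohort limit.
    'initial' is an assumption of this model (Postfix has a separate
    parameter for the starting concurrency)."""

    def __init__(self, limit, positive="1", negative="1",
                 failed_cohort_limit=1, initial=1):
        self.limit = limit
        self.positive = parse_feedback(positive)
        self.negative = parse_feedback(negative)
        self.failed_cohort_limit = failed_cohort_limit
        self.concurrency = initial
        self.dead = False                  # further delivery suspended
        self.failed_cohorts = 0
        self._pos_acc = Fraction(0)        # progress through a positive sequence
        self._neg_acc = Fraction(0)        # progress through a negative sequence
        self._neg_step = Fraction(0)
        self._fail_streak = 0
        self._cohort_size = 0

    def _feedback(self, setting):
        number, per_concurrency = setting
        return number / self.concurrency if per_concurrency else number

    def success(self):
        """A delivery completed without connection or handshake failure."""
        self._fail_streak = 0
        self.failed_cohorts = 0            # the page: failure count is reset
        self._neg_acc = Fraction(0)
        self._pos_acc += self._feedback(self.positive)
        if self._pos_acc >= 1:             # end of a sequence of length 1/feedback
            self._pos_acc -= 1
            self.concurrency = min(self.limit, self.concurrency + 1)

    def failure(self):
        """A delivery completed with connection or handshake failure."""
        if self._fail_streak == 0:
            self._cohort_size = self.concurrency   # assumption: sized at streak start
        self._fail_streak += 1
        if self._neg_acc == 0:             # start of a sequence of length 1/feedback
            self._neg_step = self._feedback(self.negative)
            if self._neg_step > 0:
                self.concurrency = max(1, self.concurrency - 1)  # never to zero
        self._neg_acc += self._neg_step
        if self._neg_acc >= 1:
            self._neg_acc = Fraction(0)
        if self._fail_streak >= self._cohort_size:   # one failed pseudo-cohort
            self._fail_streak = 0
            self.failed_cohorts += 1
            if self.failed_cohort_limit and \
                    self.failed_cohorts >= self.failed_cohort_limit:
                self.dead = True


def run(dest, outcomes):
    """Feed a string of 'S' (success) / 'F' (failure) delivery outcomes and
    return the concurrency after each one."""
    trace = []
    for outcome in outcomes:
        dest.success() if outcome == "S" else dest.failure()
        trace.append(dest.concurrency)
    return trace


if __name__ == "__main__":
    # Pre-2.5-compatible defaults: doubling on success, dead after one cohort.
    d = Destination(limit=20)
    print(run(d, "SSSSSSS" + "FFFFFFFF"), "dead:", d.dead)
```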
The default amount of delay that is inserted between individual
deliveries to the same destination; with per-destination recipient
limit > 1, a destination is a domain, otherwise it is a recipient.

To enable the delay, specify a non-zero time value (an integral value
plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

NOTE: the delay is enforced by the queue manager. The delay timer state
does not survive "postfix reload" or "postfix stop".

Use transport_destination_rate_delay to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

This feature is available in Postfix 2.5 and later.

The default maximal number of recipients per message delivery. This is
the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
virtual(8) delivery agents.

Setting this parameter to a value of 1 changes the meaning of the
corresponding per-destination concurrency limit from concurrency per
domain into concurrency per recipient.

Use transport_destination_recipient_limit to specify a
transport-specific override, where transport is the master.cf name of
the message delivery transport.

The default value for the extra per-transport limit imposed on the
number of in-memory recipients. This extra recipient space is reserved
for the cases when the Postfix queue manager's scheduler preempts one
message with another and suddenly needs some extra recipient slots for
the chosen message in order to avoid performance degradation.

Use transport_extra_recipient_limit to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

When a content_filter or FILTER request specifies no explicit next-hop
destination, use $default_filter_nexthop instead; when that value is
empty, use the domain in the recipient address. Specify
"default_filter_nexthop = $myhostname" for compatibility with Postfix
version 2.6 and earlier, or specify an explicit next-hop destination
with each content_filter value or FILTER action.

This feature is available in Postfix 2.7 and later.

How many recipients a message must have in order to invoke the Postfix
queue manager's scheduling algorithm at all. Messages which would
never accumulate at least this many delivery slots (subject to the slot
cost parameter as well) are never preempted.

Use transport_minimum_delivery_slots to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

The default rights used by the local(8) delivery agent for delivery to
external file or command. These rights are used when delivery is
requested from an aliases(5) file that is owned by root, or when
delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR
THE POSTFIX OWNER.

The default maximal number of Postfix child processes that provide a
given service. This limit can be overruled for specific services in the
master.cf file.

The default SMTP server response template for a request that is
rejected by an RBL-based restriction. This template can be overruled by
specific entries in the optional rbl_reply_maps lookup table.

This feature is available in Postfix 2.0 and later.

The template is subject to exactly one level of $name substitution:

$client
The client hostname and IP address, formatted as name[address].

$client_address
The client IP address.

$client_name
The client hostname or "unknown". See
reject_unknown_client_hostname for more details.

$reverse_client_name
The client hostname from address->name lookup, or "unknown".
See reject_unknown_reverse_client_hostname for more details.

$helo_name
The hostname given in HELO or EHLO command or empty string.

$rbl_class
The blacklisted entity type: Client host, Helo command, Sender
address, or Recipient address.

$rbl_code
The numerical SMTP response code, as specified with the
maps_rbl_reject_code configuration parameter. Note: The numerical SMTP
response code is required, and must appear at the start of the reply.
With Postfix version 2.3 and later this information may be followed by
an RFC 3463 enhanced status code.

$rbl_domain
The RBL domain where $rbl_what is blacklisted.

$rbl_reason
The reason why $rbl_what is blacklisted, or an empty string.

$rbl_what
The entity that is blacklisted (an IP address, a hostname, a
domain name, or an email address whose domain was blacklisted).

$recipient
The recipient address or <> in case of the null address.

$recipient_domain
The recipient domain or empty string.

$recipient_name
The recipient address localpart or <> in case of null address.

$sender
The sender address or <> in case of the null address.

$sender_domain
The sender domain or empty string.

$sender_name
The sender address localpart or <> in case of the null address.

${name?text}
Expands to `text' if $name is not empty.

${name:text}
Expands to `text' if $name is empty.

Instead of $name you can also specify ${name} or $(name).

Note: when an enhanced status code is specified in an RBL reply
template, it is subject to modification. The following transformations
are needed when the same RBL reply template is used for client, helo,
sender, or recipient access restrictions.

· When rejecting a sender address, the Postfix SMTP server will
transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
corresponding sender DSN status, and vice versa.

· When rejecting non-address information (such as the HELO command
argument or the client hostname/address), the Postfix SMTP
server will transform a sender or recipient DSN status into a
generic non-address DSN status (e.g., 4.0.0).

The default per-transport upper limit on the number of in-memory
recipients. These limits take priority over the global
qmgr_message_recipient_limit after the message has been assigned to the
respective transports. See also default_extra_recipient_limit and
qmgr_message_recipient_minimum.

Use transport_recipient_limit to specify a transport-specific override,
where transport is the master.cf name of the message delivery
transport.

The default per-transport maximum delay between recipient refills.
When not all message recipients fit into memory at once, keep loading
more of them at least once every this many seconds. This ensures that
recipients are refilled in a timely manner even when
$default_recipient_refill_limit is too high for slow deliveries.

Use transport_recipient_refill_delay to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

This feature is available in Postfix 2.4 and later.

The default per-transport limit on the number of recipients refilled at
once. When not all message recipients fit into memory at once, keep
loading more of them in batches of at least this many at a time. See
also $default_recipient_refill_delay, which may result in recipient
batches smaller than this when this limit is too high for slow
deliveries.

Use transport_recipient_refill_limit to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

This feature is available in Postfix 2.4 and later.

The default mail delivery transport and next-hop destination for
destinations that do not match $mydestination, $inet_interfaces,
$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
$relay_domains. This information can be overruled with the
sender_dependent_default_transport_maps parameter and with the
transport(5) table.

In order of decreasing precedence, the nexthop destination is taken
from $sender_dependent_default_transport_maps, $default_transport,
$sender_dependent_relayhost_maps, $relayhost, or from the recipient
domain.

Specify a string of the form transport:nexthop, where transport is the
name of a mail delivery transport defined in master.cf. The :nexthop
destination is optional; its syntax is documented in the manual page of
the corresponding delivery agent.

Example:

default_transport = uucp:relayhostname

The two default VERP delimiter characters. These are used when no
explicit delimiters are specified with the SMTP XVERP command or with
the "sendmail -V" command-line option. Specify characters that are
allowed by the verp_delimiter_filter setting.

This feature is available in Postfix 1.1 and later.

The numerical Postfix SMTP server response code when a remote SMTP
client request is rejected by the "defer" restriction.

Do not change this unless you have a complete understanding of RFC
2821.

The name of the defer service. This service is implemented by the
bounce(8) daemon and maintains a record of failed delivery attempts and
generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

The names of message delivery transports that should not deliver mail
unless someone issues "sendmail -q" or equivalent. Specify zero or more
names of mail delivery transports that appear in the first field of
master.cf.

Example:

defer_transports = smtp

The maximal number of digits after the decimal point when logging
sub-second delay values. Specify a number in the range 0..6.

Large delay values are rounded off to an integral number of seconds;
delay values below the delay_logging_resolution_limit are logged as
"0", and small delay values are logged with at most two-digit
precision.

The format of the "delays=a/b/c/d" logging is as follows:

· a = time from message arrival to last active queue entry

· b = time from last active queue entry to connection setup

· c = time in connection setup, including DNS, EHLO and STARTTLS

· d = time in message transmission

This feature is available in Postfix 2.3 and later.

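A parser for the delays=a/b/c/d field described above, as an added Python example that is not part of the Postfix manual; the sample log line is constructed, not captured, and the phase names and the five-second threshold are this example's own choices.

```python
import re

# Constructed sample smtp(8) log line for this example (not a real capture).
SAMPLE_LOG_LINE = (
    "Jan  1 12:00:00 mx postfix/smtp[1234]: 0123456789AB: "
    "to=<user@example.com>, relay=mail.example.com[192.0.2.10]:25, "
    "delay=12.5, delays=0.02/0.01/11.9/0.57, dsn=2.0.0, "
    "status=sent (250 2.0.0 Ok: queued)"
)

# The four delays=a/b/c/d phases, in the order listed on this page.
PHASES = ("before_active_queue",   # a: arrival to last active queue entry
          "in_active_queue",       # b: active queue entry to connection setup
          "connection_setup",      # c: DNS, EHLO and STARTTLS
          "transmission")          # d: message transmission

_DELAY = re.compile(r"\bdelay=([0-9.]+),")
_DELAYS = re.compile(r"\bdelays=([0-9.]+)/([0-9.]+)/([0-9.]+)/([0-9.]+)")


def parse_delays(line):
    """Return the delays=a/b/c/d values keyed by phase name, or None when
    the line carries no delays= field (e.g. a qmgr "removed" line)."""
    m = _DELAYS.search(line)
    if not m:
        return None
    return dict(zip(PHASES, (float(v) for v in m.groups())))


def delays_are_consistent(line, tolerance=0.1):
    """Check that a+b+c+d matches the total delay= field, allowing for the
    limited logging precision this entry describes."""
    parts, total = parse_delays(line), _DELAY.search(line)
    if parts is None or total is None:
        return False
    return abs(sum(parts.values()) - float(total.group(1))) <= tolerance


def dominant_phase(line):
    """Name the phase that contributed most of the delay, or None."""
    parts = parse_delays(line)
    return max(parts, key=parts.get) if parts else None


def slow_connection_setup(line, threshold=5.0):
    """True when connection setup (DNS, EHLO, STARTTLS) exceeded the
    threshold in seconds: a triage signal for DNS or TLS trouble."""
    parts = parse_delays(line)
    return bool(parts) and parts["connection_setup"] > threshold


if __name__ == "__main__":
    print(parse_delays(SAMPLE_LOG_LINE), dominant_phase(SAMPLE_LOG_LINE))
```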
The recipient of postmaster notifications with the message headers of
mail that cannot be delivered within $delay_warning_time time units.

This feature is enabled with the delay_warning_time parameter.

The time after which the sender receives the message headers of mail
that is still queued.

To enable this feature, specify a non-zero time value (an integral
value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours).

The maximal number of attempts to acquire an exclusive lock on a
mailbox file or bounce(8) logfile.

The time between attempts to acquire an exclusive lock on a mailbox
file or bounce(8) logfile.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Make the queue manager's feedback algorithm verbose for performance
analysis purposes.

This feature is available in Postfix 2.5 and later.

Automatically detect 8BITMIME body content by looking at
Content-Transfer-Encoding: message headers; historically, this behavior
was hard-coded to be "always on".

This feature is available in Postfix 2.5 and later.

Disable DNS lookups in the Postfix SMTP and LMTP clients. When
disabled, hosts are looked up with the getaddrinfo() system library
routine which normally also looks in /etc/hosts.

DNS lookups are enabled by default.

Turn off MIME processing while receiving mail. This means that no
special treatment is given to Content-Type: message headers, and that
all text after the initial message headers is considered to be part of
the message body.

This feature is available in Postfix 2.0 and later.

MIME input processing is enabled by default, and is needed in order to
recognize MIME headers in message content.

Disable the conversion of 8BITMIME format to 7BIT format. MIME output
conversion is needed when the destination does not advertise 8BITMIME
support.

This feature is available in Postfix 2.0 and later.

Disable sending one bounce report per recipient.

The default, one per recipient, is what ezmlm needs.

This feature is available in Postfix 1.1 and later.

Disable the SMTP VRFY command. This stops some techniques used to
harvest email addresses.

Example:

disable_vrfy_command = no

Don't remove queue files and save them to the "saved" mail queue. This
is a debugging aid. To inspect the envelope information and content of
a Postfix queue file, use the postcat(1) command.

The sender address of postmaster notifications that are generated by
the mail system. All mail to this address is silently discarded, in
order to terminate mail bounce loops.

The maximal number of addresses remembered by the address duplicate
filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
queue displays.

The sender_dependent_default_transport_maps search string that will be
used instead of the null sender address.

This feature is available in Postfix 2.7 and later.

The recipient of mail addressed to the null address. Postfix does not
accept such addresses in SMTP commands, but they may still be created
locally as the result of configuration or software error.

The sender_dependent_relayhost_maps search string that will be used
instead of the null sender address.

This feature is available in Postfix 2.5 and later. With earlier
versions, sender_dependent_relayhost_maps lookups were skipped for the
null sender address.

Report mail delivery errors to the address specified with the
non-standard Errors-To: message header, instead of the envelope sender
address (this feature is removed with Postfix version 2.2, is turned
off by default with Postfix version 2.1, and is always turned on with
older Postfix versions).

Enable support for the X-Original-To message header. This header is
needed for multi-recipient mailboxes.

When this parameter is set to yes, the cleanup(8) daemon performs
duplicate elimination on distinct pairs of (original recipient,
rewritten recipient), and generates non-empty original recipient queue
file records.

When this parameter is set to no, the cleanup(8) daemon performs
duplicate elimination on the rewritten recipient address only, and
generates empty original recipient queue file records.

This feature is available in Postfix 2.1 and later. With Postfix
version 2.0, support for the X-Original-To message header is always
turned on. Postfix versions before 2.0 have no support for the
X-Original-To message header.

The recipient of postmaster notifications about mail delivery problems
that are caused by policy, resource, software or protocol errors.
These notifications are enabled with the notify_classes parameter.

The name of the error(8) pseudo delivery agent. This service always
returns mail as undeliverable.

This feature is available in Postfix 2.0 and later.

Restrict the characters that the local(8) delivery agent allows in
$name expansions of $command_execution_directory. Characters outside
the allowed set are replaced by underscores.

This feature is available in Postfix 2.2 and later.

When delivering to an alias "aliasname" that has an "owner-aliasname"
companion alias, set the envelope sender address to the expansion of
the "owner-aliasname" alias. Normally, Postfix sets the envelope sender
address to the name of the "owner-aliasname" alias.

The list of environment variables that a Postfix process will export to
non-Postfix processes. The TZ variable is needed for sane time keeping
on System-V-ish systems.

Specify a list of names and/or name=value pairs, separated by
whitespace or comma. The name=value form is supported with Postfix
version 2.1 and later.

Example:

export_environment = TZ PATH=/bin:/usr/bin

The maximal number of recipient addresses that Postfix will extract
from message headers when mail is submitted with "sendmail -t".

This feature was removed in Postfix version 2.1.

Optional list of relay hosts for SMTP destinations that can't be found
or that are unreachable. With Postfix 2.3 this parameter is renamed to
smtp_fallback_relay.

By default, mail is returned to the sender when a destination is not
found, and delivery is deferred when a destination is unreachable.

The fallback relays must be SMTP destinations. Specify a domain, host,
host:port, [host]:port, [address] or [address]:port; the form [host]
turns off MX lookups. If you specify multiple SMTP destinations,
Postfix will try them in the specified order.

Note: before Postfix 2.2, do not use the fallback_relay feature when
relaying mail for a backup or primary MX domain. Mail would loop
between the Postfix MX host and the fallback_relay host when the final
destination is unavailable. To relay for such domains without a
fallback:

· In main.cf specify "relay_transport = relay",

· In master.cf specify "-o fallback_relay =" (i.e., empty) at the
end of the relay entry.

· In transport maps, specify "relay:nexthop..." as the right-hand
side for backup or primary MX domain entries.

Postfix version 2.2 and later will not use the fallback_relay feature
for destinations for which it is an MX host.

Optional message delivery transport that the local(8) delivery agent
should use for names that are not found in the aliases(5) or UNIX
password database.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and
luser_relay.

Optional lookup tables with per-recipient message delivery transports
for recipients that the local(8) delivery agent could not find in the
aliases(5) or UNIX password database.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and
luser_relay.

For safety reasons, this feature does not allow $number substitutions
in regular expression maps.

This feature is available in Postfix 2.3 and later.

1633 Optional list of destinations that are eligible for per-destination
1634 logfiles with mail that is queued to those destinations.
1635
1636 By default, Postfix maintains "fast flush" logfiles only for destina‐
1637 tions that the Postfix SMTP server is willing to relay to (i.e. the
1638 default is: "fast_flush_domains = $relay_domains"; see the
1639 relay_domains parameter in the postconf(5) manual).
1640
1641 Specify a list of hosts or domains, "/file/name" patterns or "type:ta‐
1642 ble" lookup tables, separated by commas and/or whitespace. Continue
1643 long lines by starting the next line with whitespace. A "/file/name"
1644 pattern is replaced by its contents; a "type:table" lookup table is
1645 matched when the domain or its parent domain appears as lookup key.
1646
1647 Specify "fast_flush_domains =" (i.e., empty) to disable the feature
1648 altogether.
1649
1651 The time after which an empty per-destination "fast flush" logfile is
1652 deleted.
1653
1654 You can specify the time as a number, or as a number followed by a let‐
1655 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
1656 d=days, w=weeks. The default time unit is days.
1657
1659 The time after which a non-empty but unread per-destination "fast
1660 flush" logfile needs to be refreshed. The contents of a logfile are
1661 refreshed by requesting delivery of all messages listed in the logfile.
1662
1663 You can specify the time as a number, or as a number followed by a let‐
1664 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
1665 d=days, w=weeks. The default time unit is hours.
1666
1668 Force specific internal tests to fail, to test the handling of errors
1669 that are difficult to reproduce otherwise.
1670
1672 The name of the flush(8) service. This service maintains per-destina‐
1673 tion logfiles with the queue file names of mail that is queued for
1674 those destinations.
1675
1676 This feature is available in Postfix 2.0 and later.
1677
1679 The maximal number of attempts to fork() a child process.
1680
1682 The delay between attempts to fork() a child process.
1683
1684 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1685 The default time unit is s (seconds).
1686
1688 Restrict the characters that the local(8) delivery agent allows in
1689 $name expansions of $forward_path. Characters outside the allowed set
1690 are replaced by underscores.
1691
1693 The local(8) delivery agent search list for finding a .forward file
1694 with user-specified delivery methods. The first file that is found is
1695 used.
1696
1697 The following $name expansions are done on forward_path before the
1698 search actually happens. The result of $name expansion is filtered with
1699 the character set that is specified with the forward_expansion_filter
1700 parameter.
1701
1702 $user The recipient's username.
1703
1704 $shell The recipient's login shell pathname.
1705
1706 $home The recipient's home directory.
1707
1708 $recipient
1709 The full recipient address.
1710
1711 $extension
1712 The optional recipient address extension.
1713
1714 $domain
1715 The recipient domain.
1716
1717 $local The entire recipient localpart.
1718
1719 $recipient_delimiter
1720 The system-wide recipient address extension delimiter.
1721
1722 ${name?value}
1723 Expands to value when $name is non-empty.
1724
1725 ${name:value}
1726 Expands to value when $name is empty.
1727
1728 Instead of $name you can also specify ${name} or $(name).
1729
1730 Examples:
1731
1732 forward_path = /var/forward/$user
1733 forward_path =
1734 /var/forward/$user/.forward$recipient_delimiter$extension,
1735 /var/forward/$user/.forward
1736
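As an added illustration (not part of the postconf(5) manual or the Postfix source), the Python below reproduces the $name expansion rules listed above and applies the forward_expansion_filter character set to each expanded value, so the .forward search list local(8) would build for a recipient can be inspected offline. The default filter set, the /home/$user layout standing in for the password database, and the sample addresses are assumptions constructed here; the search list itself is the manual's own example.

```python
"""Expand Postfix-style $name macros in a local(8) forward_path search list.
Added example, not Postfix code."""
import re

# Assumed default of forward_expansion_filter (from memory, not quoted on
# this page): digits, ASCII letters and a few punctuation marks.
DEFAULT_FILTER = ("1234567890!@%-_=+:,./"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

# The manual's own two-entry forward_path example, used as sample input.
SEARCH_LIST = ("/var/forward/$user/.forward$recipient_delimiter$extension, "
               "/var/forward/$user/.forward")

NAME_RE = re.compile(r"[A-Za-z0-9_]+")
COND_RE = re.compile(r"([A-Za-z0-9_]+)([?:])(.*)", re.S)


def filter_value(value, allowed=DEFAULT_FILTER):
    """Replace every character outside the allowed set with an underscore."""
    return "".join(c if c in allowed else "_" for c in value)


def _find_close(s, i, open_ch, close_ch):
    """Index of the bracket that closes s[i], honouring nested brackets."""
    depth = 0
    for j in range(i, len(s)):
        if s[j] == open_ch:
            depth += 1
        elif s[j] == close_ch:
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced %r in %r" % (open_ch, s))


def expand(template, values, allowed=DEFAULT_FILTER):
    """Expand $name, ${name}, $(name), ${name?value}, ${name:value} and $$.
    Looked-up values pass through the character filter; the value part of
    the ?/: forms is expanded recursively. Unknown names expand to ""."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "$":
            out.append(template[i])
            i += 1
            continue
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if nxt == "$":                                  # "$$" -> literal "$"
            out.append("$")
            i += 2
        elif nxt in ("{", "("):
            close = _find_close(template, i + 1, nxt, "}" if nxt == "{" else ")")
            body = template[i + 2:close]
            m = COND_RE.match(body)
            if m:                                       # ${name?value} / ${name:value}
                name, op, rest = m.groups()
                non_empty = bool(values.get(name, ""))
                if (op == "?") == non_empty:
                    out.append(expand(rest, values, allowed))
            else:                                       # ${name} / $(name)
                out.append(filter_value(values.get(body, ""), allowed))
            i = close + 1
        else:
            m = NAME_RE.match(template, i + 1)
            if m is None:                               # a lone "$" stays as-is
                out.append("$")
                i += 1
            else:
                out.append(filter_value(values.get(m.group(0), ""), allowed))
                i = m.end()
    return "".join(out)


def forward_candidates(forward_path, recipient, delimiter="+",
                       home_template="/home/{user}", shell="/bin/sh",
                       allowed=DEFAULT_FILTER):
    """Ordered list of .forward files local(8) would look for: the whole
    forward_path is expanded first, then split on commas and whitespace.
    home_template and shell stand in for the password database (assumption)."""
    local, _, domain = recipient.partition("@")
    if delimiter and delimiter in local:
        user, _, extension = local.partition(delimiter)
    else:
        user, extension = local, ""
    values = {
        "user": user, "extension": extension, "domain": domain,
        "local": local, "recipient": recipient,
        "recipient_delimiter": delimiter,
        "home": home_template.format(user=user), "shell": shell,
    }
    expanded = expand(forward_path, values, allowed)
    return [p for p in re.split(r"[,\s]+", expanded) if p]
```

Note that with the manual's example and a recipient without an extension the first candidate ends in a bare delimiter; ${extension?...} is the way to make that entry conditional.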
1738 Update the local(8) delivery agent's idea of the Delivered-To: address
1739 (see prepend_delivered_header) only once, at the start of a delivery
1740 attempt; do not update the Delivered-To: address while expanding
1741 aliases or .forward files.
1742
1743 This feature is available in Postfix 2.3 and later. With older Postfix
1744 releases, the behavior is as if this parameter is set to "no". The old
1745 setting can be expensive with deeply nested aliases or .forward files.
1746 When an alias or .forward file changes the Delivered-To: address, it
1747 ties up one queue file and one cleanup process instance while mail is
1748 being forwarded.
1749
1751 The number of subdirectory levels for queue directories listed with the
1752 hash_queue_names parameter.
1753
1754 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
1755 cute the command "postfix reload".
1756
1758 The names of queue directories that are split across multiple subdirec‐
1759 tory levels.
1760
1761 Before Postfix version 2.2, the default list of hashed queues was sig‐
1762 nificantly larger. Claims about improvements in file system technology
1763 suggest that hashing of the incoming and active queues is no longer
1764 needed. Fewer hashed directories speed up the time needed to restart
1765 Postfix.
1766
1767 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
1768 cute the command "postfix reload".
1769
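To make the hashed layout concrete, here is an added Python helper (not from the Postfix source or this manual) that parses main.cf-style settings and derives the on-disk path of a queue file under hash_queue_names and hash_queue_depth, the way one does when locating a queue file by its ID during an investigation. The default queue directory, the Postfix 2.2+ defaults for the two hashing parameters, the one-character-per-level layout (the first hash_queue_depth characters of the queue ID) and the sample "postconf -n" output are assumptions constructed here.

```python
"""Locate a Postfix queue file from hash_queue_names / hash_queue_depth.
Added example, not Postfix code; defaults below are assumptions."""
import os
import re

QUEUE_DIRECTORY = "/var/spool/postfix"      # assumed default
HASH_QUEUE_NAMES = ("deferred", "defer")    # assumed Postfix 2.2+ default
HASH_QUEUE_DEPTH = 1                        # assumed default


def parse_main_cf(text):
    """Parse main.cf-style text ("postconf -n" output has the same shape):
    "name = value", continuation lines starting with whitespace, '#'
    comment lines; the last definition of a name wins."""
    settings, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:   # continuation line
            settings[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed main.cf line: %r" % raw)
        current = name.strip()
        settings[current] = value.strip()
    return settings


def queue_file_path(queue_name, queue_id, queue_directory=QUEUE_DIRECTORY,
                    hash_queue_names=HASH_QUEUE_NAMES, depth=HASH_QUEUE_DEPTH):
    """Return the on-disk path of queue file queue_id in queue queue_name.
    Hashed queues get one subdirectory level per hashed character."""
    if depth < 0:
        raise ValueError("hash_queue_depth must not be negative")
    parts = [queue_directory, queue_name]
    if queue_name in hash_queue_names and depth > 0:
        if len(queue_id) < depth:
            raise ValueError("queue id %r shorter than hash depth %d" % (queue_id, depth))
        parts.extend(queue_id[:depth])          # one character per level
    parts.append(queue_id)
    return os.path.join(*parts)


def locate(queue_name, queue_id, settings):
    """queue_file_path() driven by a parsed settings dict, falling back to
    the assumed defaults for anything the configuration does not set."""
    if "hash_queue_names" in settings:
        names = tuple(t for t in re.split(r"[,\s]+", settings["hash_queue_names"]) if t)
    else:
        names = HASH_QUEUE_NAMES
    depth = int(settings.get("hash_queue_depth", HASH_QUEUE_DEPTH))
    qdir = settings.get("queue_directory", QUEUE_DIRECTORY)
    return queue_file_path(queue_name, queue_id, qdir, names, depth)


# Constructed sample of "postconf -n" output, including a continuation line.
SAMPLE_POSTCONF_N = """\
# constructed sample, not from a real host
queue_directory = /var/spool/postfix
hash_queue_names = deferred,
    defer
hash_queue_depth = 2
"""
```

An empty "hash_queue_names =" parses to no hashed queues at all, which matches the manual's convention for disabling a list-valued feature.
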
1771 The maximal number of address tokens that are allowed in an address
1772 message header. Information that exceeds the limit is discarded. The
1773 limit is enforced by the cleanup(8) server.
1774
1776 Optional lookup tables for content inspection of primary non-MIME mes‐
1777 sage headers, as specified in the header_checks(5) manual page.
1778
1780 The maximal amount of memory in bytes for storing a message header. If
1781 a header is larger, the excess is discarded. The limit is enforced by
1782 the cleanup(8) server.
1783
1785 Log warnings about problematic configuration settings, and provide
1786 helpful suggestions.
1787
1788 This feature is available in Postfix 2.0 and later.
1789
1791 Optional pathname of a mailbox file relative to a local(8) user's home
1792 directory.
1793
1794 Specify a pathname ending in "/" for qmail-style delivery.
1795
1796 The precedence of local(8) delivery features from high to low is:
1797 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
1798 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
1799 tory, fallback_transport_maps, fallback_transport and luser_relay.
1800
1801 Examples:
1802
1803 home_mailbox = Mailbox
1804 home_mailbox = Maildir/
1805
1807 The maximal number of Received: message headers that are allowed in
1808 the primary message headers. A message that exceeds the limit is
1809 bounced, in order to stop a mailer loop.
1810
1812 The location of Postfix HTML files that describe how to build, config‐
1813 ure or operate a specific Postfix subsystem or feature.
1814
1816 Ignore DNS MX lookups that produce no response. By default, the Post‐
1817 fix SMTP client defers delivery and tries again after some delay. This
1818 behavior is required by the SMTP standard.
1819
1820 Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup
1821 instead. This violates the SMTP standard and can result in mis-delivery
1822 of mail.
1823
1825 The list of environment parameters that a Postfix process will import
1826 from a non-Postfix parent process. Examples of relevant parameters:
1827
1828 TZ Needed for sane time keeping on most System-V-ish systems.
1829
1830 DISPLAY
1831 Needed for debugging Postfix daemons with an X-windows debugger.
1832
1833 XAUTHORITY
1834 Needed for debugging Postfix daemons with an X-windows debugger.
1835
1836 MAIL_CONFIG
1837 Needed to make "postfix -c" work.
1838
1839 Specify a list of names and/or name=value pairs, separated by white‐
1840 space or comma. The name=value form is supported with Postfix version
1841 2.1 and later.
1842
1844 Time to pause before accepting a new message, when the message arrival
1845 rate exceeds the message delivery rate. This feature is turned on by
1846 default (it's disabled on SCO UNIX due to an SCO bug).
1847
1848 With the default 100 SMTP server process limit, "in_flow_delay = 1s"
1849 limits the mail inflow to 100 messages per second above the number of
1850 messages delivered per second.
1851
1852 Specify 0 to disable the feature. Valid delays are 0..10.
1853
1855 The network interface addresses that this mail system receives mail on.
1856 Specify "all" to receive mail on all network interfaces (default), and
1857 "loopback-only" to receive mail on loopback network interfaces only
1858 (Postfix version 2.2 and later). The parameter also controls delivery
1859 of mail to user@[ip.address].
1860
1861 Note 1: you need to stop and start Postfix when this parameter changes.
1862
1863 Note 2: address information may be enclosed inside [], but this form is
1864 not required here.
1865
1866 When inet_interfaces specifies just one IPv4 and/or IPv6 address that
1867 is not a loopback address, the Postfix SMTP client will use this
1868 address as the IP source address for outbound mail. Support for IPv6 is
1869 available in Postfix version 2.2 and later.
1870
1871 On a multi-homed firewall with separate Postfix instances listening on
1872 the "inside" and "outside" interfaces, this can prevent each instance
1873 from being able to reach servers on the "other side" of the firewall.
1874 Setting smtp_bind_address to 0.0.0.0 avoids the potential problem for
1875 IPv4, and setting smtp_bind_address6 to :: solves the problem for IPv6.
1876
1877 A better solution for multi-homed firewalls is to leave inet_interfaces
1878 at the default value and instead use explicit IP addresses in the mas‐
1879 ter.cf SMTP server definitions. This preserves the Postfix SMTP
1880 client's loop detection, by ensuring that each side of the firewall
1881 knows that the other IP address is still the same host. Setting
1882 $inet_interfaces to a single IPv4 and/or IPv6 address is primarily useful
1883 with virtual hosting of domains on secondary IP addresses, when
1884 each IP address serves a different domain (and has a different
1885 $myhostname setting).
1886
1887 See also the proxy_interfaces parameter, for network addresses that are
1888 forwarded to Postfix by way of a proxy or address translator.
1889
1890 Examples:
1891
1892 inet_interfaces = all (DEFAULT)
1893 inet_interfaces = loopback-only (Postfix version 2.2 and later)
1894 inet_interfaces = 127.0.0.1
1895 inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
1896 inet_interfaces = 192.168.1.2, 127.0.0.1
1897
1899 The Internet protocols Postfix will attempt to use when making or
1900 accepting connections. Specify one or more of "ipv4" or "ipv6", sepa‐
1901 rated by whitespace or commas. The form "all" is equivalent to "ipv4,
1902 ipv6" or "ipv4", depending on whether the operating system implements
1903 IPv6.
1904
1905 This feature is available in Postfix 2.2 and later.
1906
1907 Note: you MUST stop and start Postfix after changing this parameter.
1908
1909 On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
1910 will also accept IPv4 connections, even when IPv4 is turned off with
1911 the inet_protocols parameter. On systems with IPV6_V6ONLY support,
1912 Postfix will use separate server sockets for IPv6 and IPv4, and each
1913 will accept only connections for the corresponding protocol.
1914
1915 When IPv4 support is enabled via the inet_protocols parameter, Postfix
1916 will do DNS type A record lookups, and will convert IPv4-in-IPv6 client
1917 IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
1918 The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
1919 3493).
1920
1921 When IPv6 support is enabled via the inet_protocols parameter, Postfix
1922 will do DNS type AAAA record lookups.
1923
1924 When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
1925 will attempt to connect via IPv6 before attempting to use IPv4.
1926
1927 Examples:
1928
1929 inet_protocols = ipv4 (DEFAULT)
1930 inet_protocols = all
1931 inet_protocols = ipv6
1932 inet_protocols = ipv4, ipv6
1933
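As an added example (not part of the manual), the Python below turns an inet_protocols value into the DNS record types the SMTP client would query, in the IPv6-before-IPv4 order stated above, and normalises IPv4-in-IPv6 client addresses (::ffff:1.2.3.4) before matching them against CIDR lists, so a client is treated the same whichever socket it arrived on. The sample networks and addresses are constructed.

```python
"""inet_protocols lookup plan and IPv4-in-IPv6 address normalisation.
Added example, not Postfix code."""
import ipaddress
import re


def lookup_record_types(inet_protocols, os_supports_ipv6=True):
    """Map an inet_protocols value to the DNS record types the SMTP client
    queries, in connection-preference order (AAAA before A when both are
    enabled). "all" depends on whether the operating system implements IPv6."""
    tokens = [t for t in re.split(r"[,\s]+", inet_protocols.strip().lower()) if t]
    if "all" in tokens:
        tokens = ["ipv4", "ipv6"] if os_supports_ipv6 else ["ipv4"]
    if not tokens or set(tokens) - {"ipv4", "ipv6"}:
        raise ValueError("bad inet_protocols value: %r" % inet_protocols)
    plan = []
    if "ipv6" in tokens:
        plan.append("AAAA")
    if "ipv4" in tokens:
        plan.append("A")
    return plan


def normalize_client_address(text):
    """Parse a client address (optionally in [brackets]); return an
    IPv4Address for IPv4-mapped IPv6 input such as ::ffff:1.2.3.4."""
    addr = ipaddress.ip_address(text.strip().strip("[]"))
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def matches_any(text, networks):
    """True when the normalised client address lies in one of the CIDR
    networks; comparing an IPv6 address with an IPv4 network is simply False."""
    addr = normalize_client_address(text)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


# Constructed sample: a trusted list of the kind mynetworks would hold.
TRUSTED = ["192.168.1.0/24", "::1/128"]
```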
1935 The initial per-destination concurrency level for parallel delivery to
1936 the same destination. With per-destination recipient limit > 1, a des‐
1937 tination is a domain, otherwise it is a recipient.
1938
1939 Use transport_initial_destination_concurrency to specify a transport-
1940 specific override, where transport is the master.cf name of the message
1941 delivery transport (Postfix 2.5 and later).
1942
1943 Warning: with concurrency of 1, one bad message can be enough to block
1944 all mail to a site.
1945
1947 What categories of Postfix-generated mail are subject to before-queue
1948 content inspection by non_smtpd_milters, header_checks and body_checks.
1949 Specify zero or more of the following, separated by whitespace or
1950 comma.
1951
1952 bounce Inspect the content of delivery status notifications.
1953
1954 notify Inspect the content of postmaster notifications by the smtp(8)
1955 and smtpd(8) processes.
1956
1957 NOTE: It's generally not safe to enable content inspection of Postfix-
1958 generated email messages. The user is warned.
1959
1960 This feature is available in Postfix 2.3 and later.
1961
1963 The numerical Postfix SMTP server response code when the client HELO or
1964 EHLO command parameter is rejected by the reject_invalid_helo_hostname
1965 restriction.
1966
1967 Do not change this unless you have a complete understanding of RFC
1968 2821.
1969
1971 The time after which a client closes an idle internal communication
1972 channel. The purpose is to allow servers to terminate voluntarily
1973 after they become idle. This is used, for example, by the address
1974 resolving and rewriting clients.
1975
1976 With Postfix 2.4 the default value was reduced from 100s to 5s.
1977
1978 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1979 The default time unit is s (seconds).
1980
1982 The time limit for sending or receiving information over an internal
1983 communication channel. The purpose is to break out of deadlock situa‐
1984 tions. If the time limit is exceeded the software aborts with a fatal
1985 error.
1986
1987 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1988 The default time unit is s (seconds).
1989
1991 The time after which a client closes an active internal communication
1992 channel. The purpose is to allow servers to terminate voluntarily
1993 after reaching their client limit. This is used, for example, by the
1994 address resolving and rewriting clients.
1995
1996 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1997 The default time unit is s (seconds).
1998
1999 This feature is available in Postfix 2.1 and later.
2000
2002 Upon input, long lines are chopped up into pieces of at most this
2003 length; upon delivery, long lines are reconstructed.
2004
2006 When an LMTP server announces no DSN support, assume that the server
2007 performs final delivery, and send "delivered" delivery status
2008 notifications instead of "relayed". The default setting is backwards
2009 compatible, to avoid the infinitesimal possibility of breaking existing
2010 LMTP-based content filters.
2011
2013 The LMTP-specific version of the smtp_bind_address configuration param‐
2014 eter. See there for details.
2015
2016 This feature is available in Postfix 2.3 and later.
2017
2019 The LMTP-specific version of the smtp_bind_address6 configuration
2020 parameter. See there for details.
2021
2022 This feature is available in Postfix 2.3 and later.
2023
2025 The LMTP-specific version of the smtp_body_checks configuration parame‐
2026 ter. See there for details.
2027
2028 This feature is available in Postfix 2.5 and later.
2029
2031 Keep Postfix LMTP client connections open for up to $max_idle seconds.
2032 When the LMTP client receives a request for the same connection the
2033 connection is reused.
2034
2035 This parameter is available in Postfix version 2.2 and earlier. With
2036 Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
2037 lmtp_connection_cache_destinations, or lmtp_connection_re‐
2038 use_time_limit.
2039
2040 The effectiveness of cached connections will be determined by the num‐
2041 ber of LMTP servers in use, and the concurrency limit specified for the
2042 LMTP client. Cached connections are closed under any of the following
2043 conditions:
2044
2045 · The LMTP client idle time limit is reached. This limit is spec‐
2046 ified with the Postfix max_idle configuration parameter.
2047
2048 · A delivery request specifies a different destination than the
2049 one currently cached.
2050
2051 · The per-process limit on the number of delivery requests is
2052 reached. This limit is specified with the Postfix max_use con‐
2053 figuration parameter.
2054
2055 · Upon the onset of another delivery request, the LMTP server
2056 associated with the current session does not respond to the RSET
2057 command.
2058
2059 Most of these limitations will be removed after Postfix implements a
2060 connection cache that is shared among multiple LMTP client programs.
2061
2063 The LMTP-specific version of the smtp_cname_overrides_servername con‐
2064 figuration parameter. See there for details.
2065
2066 This feature is available in Postfix 2.3 and later.
2067
2069 The LMTP client time limit for completing a TCP connection, or zero
2070 (use the operating system built-in time limit). When no connection can
2071 be made within the deadline, the LMTP client tries the next address on
2072 the mail exchanger list.
2073
2074 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2075 The default time unit is s (seconds).
2076
2077 Example:
2078
2079 lmtp_connect_timeout = 30s
2080
2082 The LMTP-specific version of the smtp_connection_cache_destinations
2083 configuration parameter. See there for details.
2084
2085 This feature is available in Postfix 2.3 and later.
2086
2088 The LMTP-specific version of the smtp_connection_cache_on_demand con‐
2089 figuration parameter. See there for details.
2090
2091 This feature is available in Postfix 2.3 and later.
2092
2094 The LMTP-specific version of the smtp_connection_cache_time_limit con‐
2095 figuration parameter. See there for details.
2096
2097 This feature is available in Postfix 2.3 and later.
2098
2100 The LMTP-specific version of the smtp_connection_reuse_time_limit con‐
2101 figuration parameter. See there for details.
2102
2103 This feature is available in Postfix 2.3 and later.
2104
2106 The LMTP client time limit for sending the LMTP ".", and for receiving
2107 the server response. When no response is received within the deadline,
2108 a warning is logged that the mail may be delivered multiple times.
2109
2110 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2111 The default time unit is s (seconds).
2112
2114 The LMTP client time limit for sending the LMTP DATA command, and for
2115 receiving the server response.
2116
2117 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2118 The default time unit is s (seconds).
2119
2121 The LMTP client time limit for sending the LMTP message content. When
2122 the connection stalls for more than $lmtp_data_xfer_timeout the LMTP
2123 client terminates the transfer.
2124
2125 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2126 The default time unit is s (seconds).
2127
2129 The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2130 figuration parameter. See there for details.
2131
2132 This feature is available in Postfix 2.3 and later.
2133
2135 lmtp_destination_concurrency_limit ($default_destination_concurrency_limit)
2136 The maximal number of parallel deliveries to the same destination via
2137 the lmtp message delivery transport. This limit is enforced by the
2138 queue manager. The message delivery transport name is the first field
2139 in the entry in the master.cf file.
2140
2142 lmtp_destination_recipient_limit ($default_destination_recipient_limit)
2143 The maximal number of recipients per message for the lmtp message
2144 delivery transport. This limit is enforced by the queue manager. The
2145 message delivery transport name is the first field in the entry in the
2146 master.cf file.
2147
2148 Setting this parameter to a value of 1 changes the meaning of lmtp_des‐
2149 tination_concurrency_limit from concurrency per domain into concurrency
2150 per recipient.
2151
2153 Lookup tables, indexed by the remote LMTP server address, with case
2154 insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
2155 that the LMTP client will ignore in the LHLO response from a remote
2156 LMTP server. See lmtp_discard_lhlo_keywords for details. The table is
2157 not indexed by hostname for consistency with smtpd_discard_ehlo_key‐
2158 word_address_maps.
2159
2160 This feature is available in Postfix 2.3 and later.
2161
2163 A case insensitive list of LHLO keywords (pipelining, starttls, auth,
2164 etc.) that the LMTP client will ignore in the LHLO response from a
2165 remote LMTP server.
2166
2167 This feature is available in Postfix 2.3 and later.
2168
2169 Notes:
2170
2171 · Specify the silent-discard pseudo keyword to prevent this action
2172 from being logged.
2173
2174 · Use the lmtp_discard_lhlo_keyword_address_maps feature to dis‐
2175 card LHLO keywords selectively.
2176
2178 The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2179 ter. See there for details.
2180
2181 This feature is available in Postfix 2.3 and later.
2182
2184 The LMTP-specific version of the smtp_generic_maps configuration param‐
2185 eter. See there for details.
2186
2187 This feature is available in Postfix 2.3 and later.
2188
2190 The LMTP-specific version of the smtp_header_checks configuration
2191 parameter. See there for details.
2192
2193 This feature is available in Postfix 2.5 and later.
2194
2196 The LMTP-specific version of the smtp_host_lookup configuration parame‐
2197 ter. See there for details.
2198
2199 This feature is available in Postfix 2.3 and later.
2200
2202 The hostname to send in the LMTP LHLO command.
2203
2204 The default value is the machine hostname. Specify a hostname or
2205 [ip.add.re.ss].
2206
2207 This information can be specified in the main.cf file for all LMTP
2208 clients, or it can be specified in the master.cf file for a specific
2209 client, for example:
2210
2211 /etc/postfix/master.cf:
2212 mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2213
2214 This feature is available in Postfix 2.3 and later.
2215
2217 The LMTP client time limit for sending the LHLO command, and for
2218 receiving the initial server response.
2219
2220 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2221 The default time unit is s (seconds).
2222
2224 The LMTP-specific version of the smtp_line_length_limit configuration
2225 parameter. See there for details.
2226
2227 This feature is available in Postfix 2.3 and later.
2228
2230 The LMTP client time limit for sending the MAIL FROM command, and for
2231 receiving the server response.
2232
2233 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2234 The default time unit is s (seconds).
2235
2237 The LMTP-specific version of the smtp_mime_header_checks configuration
2238 parameter. See there for details.
2239
2240 This feature is available in Postfix 2.5 and later.
2241
2243 The LMTP-specific version of the smtp_mx_address_limit configuration
2244 parameter. See there for details.
2245
2246 This feature is available in Postfix 2.3 and later.
2247
2249 The LMTP-specific version of the smtp_mx_session_limit configuration
2250 parameter. See there for details.
2251
2252 This feature is available in Postfix 2.3 and later.
2253
2255 The LMTP-specific version of the smtp_nested_header_checks configura‐
2256 tion parameter. See there for details.
2257
2258 This feature is available in Postfix 2.5 and later.
2259
2261 The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
2262 uration parameter. See there for details.
2263
2264 This feature is available in Postfix 2.3 and later.
2265
2267 The LMTP-specific version of the smtp_pix_workaround_maps configuration
2268 parameter. See there for details.
2269
2270 This feature is available in Postfix 2.4 and later.
2271
2273 The LMTP-specific version of the smtp_pix_workaround_threshold_time
2274 configuration parameter. See there for details.
2275
2276 This feature is available in Postfix 2.3 and later.
2277
2279 The LMTP-specific version of the smtp_pix_workaround configuration
2280 parameter. See there for details.
2281
2282 This feature is available in Postfix 2.4 and later.
2283
2285 The LMTP client time limit for sending the QUIT command, and for
2286 receiving the server response.
2287
2288 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2289 The default time unit is s (seconds).
2290
2292 The LMTP-specific version of the smtp_quote_rfc821_envelope configura‐
2293 tion parameter. See there for details.
2294
2295 This feature is available in Postfix 2.3 and later.
2296
2298 The LMTP-specific version of the smtp_randomize_addresses configuration
2299 parameter. See there for details.
2300
2301 This feature is available in Postfix 2.3 and later.
2302
2304 The LMTP client time limit for sending the RCPT TO command, and for
2305 receiving the server response.
2306
2307 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2308 The default time unit is s (seconds).
2309
2311 The LMTP-specific version of the smtp_reply_filter configuration param‐
2312 eter. See there for details.
2313
2314 This feature is available in Postfix 2.7 and later.
2315
2317 The LMTP client time limit for sending the RSET command, and for
2318 receiving the server response. The LMTP client sends RSET in order to
2319 finish a recipient address probe, or to verify that a cached connection
2320 is still alive.
2321
2322 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2323 The default time unit is s (seconds).
2324
2326 The LMTP-specific version of the smtp_sasl_auth_cache_name configura‐
2327 tion parameter. See there for details.
2328
2329 This feature is available in Postfix 2.5 and later.
2330
2332 The LMTP-specific version of the smtp_sasl_auth_cache_time configura‐
2333 tion parameter. See there for details.
2334
2335 This feature is available in Postfix 2.5 and later.
2336
2338 Enable SASL authentication in the Postfix LMTP client.
2339
2341 The LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
2342 tion parameter. See there for details.
2343
2344 This feature is available in Postfix 2.5 and later.
2345
2347 The LMTP-specific version of the smtp_sasl_mechanism_filter configura‐
2348 tion parameter. See there for details.
2349
2350 This feature is available in Postfix 2.3 and later.
2351
2353 Optional LMTP client lookup tables with one username:password entry per
2354 host or domain. If a remote host or domain has no username:password
2355 entry, then the Postfix LMTP client will not attempt to authenticate to
2356 the remote host.
2357
2359 Implementation-specific information that is passed through to the SASL
2360 plug-in implementation that is selected with lmtp_sasl_type. Typically
2361 this specifies the name of a configuration file or rendezvous point.
2362
2363 This feature is available in Postfix 2.3 and later.
2364
2366 SASL security options; as of Postfix 2.3 the list of available features
2367 depends on the SASL client implementation that is selected with
2368 lmtp_sasl_type.
2369
2370 The following security features are defined for the cyrus client SASL
2371 implementation:
2372
2373 noplaintext
2374 Disallow authentication methods that use plaintext passwords.
2375
2376 noactive
2377 Disallow authentication methods that are vulnerable to non-dic‐
2378 tionary active attacks.
2379
2380 nodictionary
2381 Disallow authentication methods that are vulnerable to passive
2382 dictionary attack.
2383
2384 noanonymous
2385 Disallow anonymous logins.
2386
2387 Example:
2388
2389 lmtp_sasl_security_options = noplaintext
2390
2392 The LMTP-specific version of the smtp_sasl_tls_security_options config‐
2393 uration parameter. See there for details.
2394
2395 This feature is available in Postfix 2.3 and later.
2396
2398 lmtp_sasl_tls_verified_security_options ($lmtp_sasl_tls_security_options)
2399 The LMTP-specific version of the smtp_sasl_tls_verified_secu‐
2400 rity_options configuration parameter. See there for details.
2401
2402 This feature is available in Postfix 2.3 and later.
2403
2405 The SASL plug-in type that the Postfix LMTP client should use for
2406 authentication. The available types are listed with the "postconf -A"
2407 command.
2408
2409 This feature is available in Postfix 2.3 and later.
2410
2412 Send an XFORWARD command to the LMTP server when the LMTP LHLO server
2413 response announces XFORWARD support. This allows an lmtp(8) delivery
2414 agent, used for content filter message injection, to forward the name,
2415 address, protocol and HELO name of the original client to the content
2416 filter and downstream queuing LMTP server. Before you change the value
2417 to yes, it is best to make sure that your content filter supports this
2418 command.
2419
2420 This feature is available in Postfix 2.1 and later.
2421
2423 The LMTP-specific version of the smtp_sender_dependent_authentication
2424 configuration parameter. See there for details.
2425
2426 This feature is available in Postfix 2.3 and later.
2427
2429 The LMTP-specific version of the smtp_skip_5xx_greeting configuration
2430 parameter. See there for details.
2431
2432 This feature is available in Postfix 2.3 and later.
2433
2435 Wait for the response to the LMTP QUIT command.
2436
2438 The LMTP-specific version of the smtp_starttls_timeout configuration
2439 parameter. See there for details.
2440
2441 This feature is available in Postfix 2.3 and later.
2442
2444 The default TCP port that the Postfix LMTP client connects to.
2445
2447 The LMTP-specific version of the smtp_tls_CAfile configuration parame‐
2448 ter. See there for details.
2449
2450 This feature is available in Postfix 2.3 and later.
2451
2453 The LMTP-specific version of the smtp_tls_CApath configuration parame‐
2454 ter. See there for details.
2455
2456 This feature is available in Postfix 2.3 and later.
2457
2459 The LMTP-specific version of the smtp_tls_block_early_mail_reply con‐
2460 figuration parameter. See there for details.
2461
2462 This feature is available in Postfix 2.7 and later.
2463
2465 The LMTP-specific version of the smtp_tls_cert_file configuration
2466 parameter. See there for details.
2467
2468 This feature is available in Postfix 2.3 and later.
2469
2471 The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
2472 ter. See there for details.
2473
2474 This feature is available in Postfix 2.6 and later.
2475
2477 The LMTP-specific version of the smtp_tls_dcert_file configuration
2478 parameter. See there for details.
2479
2480 This feature is available in Postfix 2.3 and later.
2481
2483 The LMTP-specific version of the smtp_tls_dkey_file configuration
2484 parameter. See there for details.
2485
2486 This feature is available in Postfix 2.3 and later.
2487
2489 The LMTP-specific version of the smtp_tls_eccert_file configuration
2490 parameter. See there for details.
2491
2492 This feature is available in Postfix 2.6 and later, when Postfix is
2493 compiled and linked with OpenSSL 1.0.0 or later.
2494
2496 The LMTP-specific version of the smtp_tls_eckey_file configuration
2497 parameter. See there for details.
2498
2499 This feature is available in Postfix 2.6 and later, when Postfix is
2500 compiled and linked with OpenSSL 1.0.0 or later.
2501
2503 The LMTP-specific version of the smtp_tls_enforce_peername configura‐
2504 tion parameter. See there for details.
2505
2506 This feature is available in Postfix 2.3 and later.
2507
2509 The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
2510 parameter. See there for details.
2511
2512 This feature is available in Postfix 2.3 and later.
2513
2515 The LMTP-specific version of the smtp_tls_fingerprint_cert_match con‐
2516 figuration parameter. See there for details.
2517
2518 This feature is available in Postfix 2.5 and later.
2519
2521 The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
2522 tion parameter. See there for details.
2523
2524 This feature is available in Postfix 2.5 and later.
2525
2527 The LMTP-specific version of the smtp_tls_key_file configuration param‐
2528 eter. See there for details.
2529
2530 This feature is available in Postfix 2.3 and later.
2531
2533 The LMTP-specific version of the smtp_tls_loglevel configuration param‐
2534 eter. See there for details.
2535
2536 This feature is available in Postfix 2.3 and later.
2537
2539 The LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
2540 tion parameter. See there for details.
2541
2542 This feature is available in Postfix 2.3 and later.
2543
2545 The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
2546 configuration parameter. See there for details.
2547
2548 This feature is available in Postfix 2.3 and later.
2549
2551 The LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
2552 ration parameter. See there for details.
2553
2554 This feature is available in Postfix 2.3 and later.
2555
2557 The LMTP-specific version of the smtp_tls_note_starttls_offer configu‐
2558 ration parameter. See there for details.
2559
2560 This feature is available in Postfix 2.3 and later.
2561
2563 The LMTP-specific version of the smtp_tls_per_site configuration param‐
2564 eter. See there for details.
2565
2566 This feature is available in Postfix 2.3 and later.
2567
2569 The LMTP-specific version of the smtp_tls_policy_maps configuration
2570 parameter. See there for details.
2571
2572 This feature is available in Postfix 2.3 and later.
2573
2575 The LMTP-specific version of the smtp_tls_protocols configuration
2576 parameter. See there for details.
2577
2578 This feature is available in Postfix 2.6 and later.
2579
2581 The LMTP-specific version of the smtp_tls_scert_verifydepth configura‐
2582 tion parameter. See there for details.
2583
2584 This feature is available in Postfix 2.3 and later.
2585
2587 The LMTP-specific version of the smtp_tls_secure_cert_match configura‐
2588 tion parameter. See there for details.
2589
2590 This feature is available in Postfix 2.3 and later.
2591
2593 The LMTP-specific version of the smtp_tls_security_level configuration
2594 parameter. See there for details.
2595
2596 This feature is available in Postfix 2.3 and later.
2597
2599 The LMTP-specific version of the smtp_tls_session_cache_database con‐
2600 figuration parameter. See there for details.
2601
2602 This feature is available in Postfix 2.3 and later.
2603
2605 The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
2606 uration parameter. See there for details.
2607
2608 This feature is available in Postfix 2.3 and later.
2609
2611 The LMTP-specific version of the smtp_tls_verify_cert_match configura‐
2612 tion parameter. See there for details.
2613
2614 This feature is available in Postfix 2.3 and later.
2615
2617 The LMTP-specific version of the smtp_use_tls configuration parameter.
2618 See there for details.
2619
2620 This feature is available in Postfix 2.3 and later.
2621
2623 The LMTP client time limit for sending the XFORWARD command, and for
2624 receiving the server response.
2625
2626 In case of problems the client does NOT try the next address on the
2627 mail exchanger list.
2628
2629 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2630 The default time unit is s (seconds).
2631
2632 This feature is available in Postfix 2.1 and later.
2633
2635 Optional shell program for local(8) delivery to non-Postfix command.
2636 By default, non-Postfix commands are executed directly; commands are
2637 given to /bin/sh only when they contain shell meta characters or shell
2638 built-in commands.
2639
2640 "sendmail's restricted shell" (smrsh) is what most people will use in
2641 order to restrict what programs can be run from e.g. .forward files
2642 (smrsh is part of the Sendmail distribution).
2643
2644 Note: when a shell program is specified, it is invoked even when the
2645 command contains no shell built-in commands or meta characters.
2646
2647 Example:
2648
2649 local_command_shell = /some/where/smrsh -c
2650
2652 The maximal number of parallel deliveries via the local mail delivery
2653 transport to the same recipient (when "local_destination_recipi‐
2654 ent_limit = 1") or the maximal number of parallel deliveries to the
2655 same local domain (when "local_destination_recipient_limit > 1"). This
2656 limit is enforced by the queue manager. The message delivery transport
2657 name is the first field in the entry in the master.cf file.
2658
2659 A low limit of 2 is recommended, just in case someone has an expensive
2660 shell command in a .forward file or in an alias (e.g., a mailing list
2661 manager). You don't want to run lots of those at the same time.
2662
2664 The maximal number of recipients per message delivery via the local
2665 mail delivery transport. This limit is enforced by the queue manager.
2666 The message delivery transport name is the first field in the entry in
2667 the master.cf file.
2668
2669 Setting this parameter to a value > 1 changes the meaning of local_des‐
2670 tination_concurrency_limit from concurrency per recipient into concur‐
2671 rency per domain.
2672
2674 Rewrite message header addresses in mail from these clients and update
2675 incomplete addresses with the domain name in $myorigin or $mydomain;
2676 either don't rewrite message headers from other clients at all, or re‐
2677 write message headers and update incomplete addresses with the domain
2678 specified in the remote_header_rewrite_domain parameter.
2679
2680 See the append_at_myorigin and append_dot_mydomain parameters for
2681 details of how domain names are appended to incomplete addresses.
2682
2683 Specify a list of zero or more of the following:
2684
2685 permit_inet_interfaces
2686 Append the domain name in $myorigin or $mydomain when the client
2687 IP address matches $inet_interfaces. This is enabled by default.
2688
2689 permit_mynetworks
2690 Append the domain name in $myorigin or $mydomain when the client
2691 IP address matches any network or network address listed in
2692 $mynetworks. This setting will not prevent remote mail header
2693 address rewriting when mail from a remote client is forwarded by
2694 a neighboring system.
2695
2696 permit_sasl_authenticated
2697 Append the domain name in $myorigin or $mydomain when the client
2698 is successfully authenticated via the RFC 4954 (AUTH) protocol.
2699
2700 permit_tls_clientcerts
2701 Append the domain name in $myorigin or $mydomain when the client
2702 TLS certificate fingerprint is listed in $relay_clientcerts.
2703 The fingerprint digest algorithm is configurable via the
2704 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
2705 to Postfix version 2.5).
2706
2707 permit_tls_all_clientcerts
2708 Append the domain name in $myorigin or $mydomain when the client
2709 TLS certificate is successfully verified, regardless of whether
2710 it is listed on the server, and regardless of the certifying
2711 authority.
2712
2713 check_address_map type:table
2714
2715 type:table
2716 Append the domain name in $myorigin or $mydomain when the client
2717 IP address matches the specified lookup table. The lookup
2718 result is ignored, and no subnet lookup is done. This is suit‐
2719 able for, e.g., pop-before-smtp lookup tables.
2720
2721 Examples:
2722
2723 The Postfix < 2.2 backwards compatible setting: always rewrite message
2724 headers, and always append my own domain to incomplete header
2725 addresses.
2726
2727 local_header_rewrite_clients = static:all
2728
2729 The purist (and default) setting: rewrite headers only in mail from
2730 Postfix sendmail and in SMTP mail from this machine.
2731
2732 local_header_rewrite_clients = permit_inet_interfaces
2733
2734 The intermediate setting: rewrite header addresses and append $myorigin
2735 or $mydomain information only with mail from Postfix sendmail, from
2736 local clients, or from authorized SMTP clients.
2737
2738 Note: this setting will not prevent remote mail header address rewrit‐
2739 ing when mail from a remote client is forwarded by a neighboring sys‐
2740 tem.
2741
2742 local_header_rewrite_clients = permit_mynetworks,
2743 permit_sasl_authenticated permit_tls_clientcerts
2744 check_address_map hash:/etc/postfix/pop-before-smtp
2745
2747 Lookup tables with all names or addresses of local recipients: a recip‐
2748 ient address is local when its domain matches $mydestination,
2749 $inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card
2750 for domains that do not have a valid recipient list. Technically,
2751 tables listed with $local_recipient_maps are used as lists: Postfix
2752 needs to know only if a lookup string is found or not, but it does not
2753 use the result from table lookup.
2754
2755 If this parameter is non-empty (the default), then the Postfix SMTP
2756 server will reject mail for unknown local users.
2757
2758 To turn off local recipient checking in the Postfix SMTP server, spec‐
2759 ify "local_recipient_maps =" (i.e. empty).
2760
2761 The default setting assumes that you use the default Postfix local
2762 delivery agent for local delivery. You need to update the local_recipi‐
2763 ent_maps setting if:
2764
2765 · You redefine the local delivery agent in master.cf.
2766
2767 · You redefine the "local_transport" setting in main.cf.
2768
2769 · You use the "luser_relay", "mailbox_transport", or "fall‐
2770 back_transport" feature of the Postfix local(8) delivery agent.
2771
2772 Details are described in the LOCAL_RECIPIENT_README file.
2773
2774 Beware: if the Postfix SMTP server runs chrooted, you need to access
2775 the passwd file via the proxymap(8) service, in order to overcome
2776 chroot access restrictions. The alternative, maintaining a copy of the
2777 system password file in the chroot jail is not practical.
2778
2779 Examples:
2780
2781 local_recipient_maps =
2782
2784 The default mail delivery transport and next-hop destination for final
2785 delivery to domains listed with mydestination, and for [ipaddress] des‐
2786 tinations that match $inet_interfaces or $proxy_interfaces. This
2787 information can be overruled with the transport(5) table.
2788
2789 By default, local mail is delivered to the transport called "local",
2790 which is just the name of a service that is defined in the master.cf file.
2791
2792 Specify a string of the form transport:nexthop, where transport is the
2793 name of a mail delivery transport defined in master.cf. The :nexthop
2794 destination is optional; its syntax is documented in the manual page of
2795 the corresponding delivery agent.
2796
2797 Beware: if you override the default local delivery agent then you need
2798 to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
2799 server may reject mail for local recipients.
2800
2802 Optional catch-all destination for unknown local(8) recipients. By
2803 default, mail for unknown recipients in domains that match $mydestina‐
2804 tion, $inet_interfaces or $proxy_interfaces is returned as undeliver‐
2805 able.
2806
2807 The following $name expansions are done on luser_relay:
2808
2809 $domain
2810 The recipient domain.
2811
2812 $extension
2813 The recipient address extension.
2814
2815 $home The recipient's home directory.
2816
2817 $local The entire recipient address localpart.
2818
2819 $recipient
2820 The full recipient address.
2821
2822 $recipient_delimiter
2823 The system-wide recipient address extension delimiter.
2824
2825 $shell The recipient's login shell.
2826
2827 $user The recipient username.
2828
2829 ${name?value}
2830 Expands to value when $name has a non-empty value.
2831
2832 ${name:value}
2833 Expands to value when $name has an empty value.
2834
2835 Instead of $name you can also specify ${name} or $(name).
2836
2837 Note: luser_relay works only for the Postfix local(8) delivery agent.
2838
2839 Note: if you use this feature for accounts not in the UNIX password
2840 file, then you must specify "local_recipient_maps =" (i.e. empty) in
2841 the main.cf file, otherwise the Postfix SMTP server will reject mail
2842 for non-UNIX accounts with "User unknown in local recipient table".
2843
2844 Examples:
2845
2846 luser_relay = $user@other.host
2847 luser_relay = $local@other.host
2848 luser_relay = admin+$local
2849
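The expansion rules above, as an added example that is not part of the postconf(5) page or of Postfix itself: a small Python implementation of the $name, ${name}, $(name), ${name?value} and ${name:value} forms applied to one recipient's attributes. It assumes that $user is the localpart up to the first recipient_delimiter and $extension the remainder, and leaves $home and $shell empty because Postfix takes them from the passwd entry.

```python
import re

# Token forms documented for luser_relay: $name, ${name}, $(name),
# ${name?value} and ${name:value}.  Nested braces inside "value" are not
# supported by this illustration (an assumption, not a statement about Postfix).
_TOKEN = re.compile(
    r"\$\{(?P<b>[A-Za-z_]\w*)(?:(?P<op>[?:])(?P<val>[^}]*))?\}"
    r"|\$\((?P<p>[A-Za-z_]\w*)\)"
    r"|\$(?P<n>[A-Za-z_]\w*)"
)


def recipient_attrs(recipient: str, delimiter: str = "+") -> dict:
    """Derive the $name attributes for one recipient address.

    Assumption of this example: $user is the localpart up to the first
    recipient_delimiter and $extension is what follows it; $home and $shell
    would come from the passwd entry and are left empty here.
    """
    local, _, domain = recipient.partition("@")
    if delimiter and delimiter in local:
        user, _, extension = local.partition(delimiter)
    else:
        user, extension = local, ""
    return {
        "recipient": recipient, "local": local, "domain": domain,
        "user": user, "extension": extension,
        "recipient_delimiter": delimiter, "home": "", "shell": "",
    }


def expand_luser_relay(template: str, attrs: dict) -> str:
    """Expand a luser_relay value against the attributes of one recipient.

    ${name?value} yields value (itself expanded) when $name is non-empty,
    ${name:value} yields value when $name is empty; names that are not in
    attrs expand to the empty string (assumption of this example).
    """
    def repl(m: "re.Match[str]") -> str:
        name = m.group("b") or m.group("p") or m.group("n")
        current = attrs.get(name, "")
        op, val = m.group("op"), m.group("val")
        if op is None:                      # plain $name / ${name} / $(name)
            return current
        chosen = bool(current) if op == "?" else not current
        return expand_luser_relay(val, attrs) if chosen else ""

    return _TOKEN.sub(repl, template)


if __name__ == "__main__":
    # The three examples from the manual page, applied to a constructed recipient.
    attrs = recipient_attrs("jane+lists@example.com")
    for template in ("$user@other.host", "$local@other.host", "admin+$local"):
        print(f"{template:22} -> {expand_luser_relay(template, attrs)}")
```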
2851 The mail system name that is displayed in Received: headers, in the
2852 SMTP greeting banner, and in bounced mail.
2853
2855 The UNIX system account that owns the Postfix queue and most Postfix
2856 daemon processes. Specify the name of a user account that does not
2857 share a group with other accounts and that owns no other files or pro‐
2858 cesses on the system. In particular, don't specify nobody or daemon.
2859 PLEASE USE A DEDICATED USER ID AND GROUP ID.
2860
2861 When this parameter value is changed you need to re-run "postfix set-
2862 permissions" (with Postfix version 2.0 and earlier: "/etc/postfix/post-
2863 install set-permissions").
2864
2866 The Postfix release date, in "YYYYMMDD" format.
2867
2869 The directory where local(8) UNIX-style mailboxes are kept. The default
2870 setting depends on the system type. Specify a name ending in / for
2871 maildir-style delivery.
2872
2873 Note: maildir delivery is done with the privileges of the recipient.
2874 If you use the mail_spool_directory setting for maildir style delivery,
2875 then you must create the top-level maildir directory in advance. Post‐
2876 fix will not create it.
2877
2878 Examples:
2879
2880 mail_spool_directory = /var/mail
2881 mail_spool_directory = /var/spool/mail
2882
2884 The version of the mail system. Stable releases are named
2885 major.minor.patchlevel. Experimental releases also include the release
2886 date. The version string can be used in, for example, the SMTP greeting
2887 banner.
2888
2890 Optional external command that the local(8) delivery agent should use
2891 for mailbox delivery. The command is run with the user ID and the pri‐
2892 mary group ID privileges of the recipient. Exception: command delivery
2893 for root executes with $default_privs privileges. This is not a prob‐
2894 lem, because 1) mail for root should always be aliased to a real user
2895 and 2) don't log in as root, use "su" instead.
2896
2897 The following environment variables are exported to the command:
2898
2899 CLIENT_ADDRESS
2900 Remote client network address. Available in Postfix version 2.2
2901 and later.
2902
2903 CLIENT_HELO
2904 Remote client EHLO command parameter. Available in Postfix ver‐
2905 sion 2.2 and later.
2906
2907 CLIENT_HOSTNAME
2908 Remote client hostname. Available in Postfix version 2.2 and
2909 later.
2910
2911 CLIENT_PROTOCOL
2912 Remote client protocol. Available in Postfix version 2.2 and
2913 later.
2914
2915 DOMAIN The domain part of the recipient address.
2916
2917 EXTENSION
2918 The optional address extension.
2919
2920 HOME The recipient home directory.
2921
2922 LOCAL The recipient address localpart.
2923
2924 LOGNAME
2925 The recipient's username.
2926
2927 ORIGINAL_RECIPIENT
2928 The entire recipient address, before any address rewriting or
2929 aliasing.
2930
2931 RECIPIENT
2932 The full recipient address.
2933
2934 SASL_METHOD
2935 SASL authentication method specified in the remote client AUTH
2936 command. Available in Postfix version 2.2 and later.
2937
2938 SASL_SENDER
2939 SASL sender address specified in the remote client MAIL FROM
2940 command. Available in Postfix version 2.2 and later.
2941
2942 SASL_USER
2943 SASL username specified in the remote client AUTH command.
2944 Available in Postfix version 2.2 and later.
2945
2946 SENDER The full sender address.
2947
2948 SHELL The recipient's login shell.
2949
2950 USER The recipient username.
2951
2952 Unlike other Postfix configuration parameters, the mailbox_command
2953 parameter is not subjected to $name substitutions. This is to make it
2954 easier to specify shell syntax (see example below).
2955
2956 If you can, avoid shell meta characters because they will force Postfix
2957 to run an expensive shell process. If you're delivering via Procmail
2958 then running a shell won't make a noticeable difference in the total
2959 cost.
2960
2961 Note: if you use the mailbox_command feature to deliver mail system-
2962 wide, you must set up an alias that forwards mail for root to a real
2963 user.
2964
2965 The precedence of local(8) delivery features from high to low is:
2966 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2967 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2968 tory, fallback_transport_maps, fallback_transport and luser_relay.
2969
2970 Examples:
2971
2972 mailbox_command = /some/where/procmail
2973 mailbox_command = /some/where/procmail -a "$EXTENSION"
2974 mailbox_command = /some/where/maildrop -d "$USER"
2975 -f "$SENDER" "$EXTENSION"
2976
2978 Optional lookup tables with per-recipient external commands to use for
2979 local(8) mailbox delivery. Behavior is as with mailbox_command.
2980
2981 The precedence of local(8) delivery features from high to low is:
2982 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2983 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2984 tory, fallback_transport_maps, fallback_transport and luser_relay.
2985
2987 How to lock a UNIX-style local(8) mailbox before attempting delivery.
2988 For a list of available file locking methods, use the "postconf -l"
2989 command.
2990
2991 This setting is ignored with maildir style delivery, because such
2992 deliveries are safe without explicit locks.
2993
2994 Note: The dotlock method requires that the recipient UID or GID has
2995 write access to the parent directory of the mailbox file.
2996
2997 Note: the default setting of this parameter is system dependent.
2998
3000 The maximal size of any local(8) individual mailbox or maildir file, or
3001 zero (no limit). In fact, this limits the size of any file that is
3002 written to upon local delivery, including files written by external
3003 commands that are executed by the local(8) delivery agent.
3004
3005 This limit must not be smaller than the message size limit.
3006
3008 Optional message delivery transport that the local(8) delivery agent
3009 should use for mailbox delivery to all local recipients, whether or not
3010 they are found in the UNIX passwd database.
3011
3012 The precedence of local(8) delivery features from high to low is:
3013 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3014 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3015 tory, fallback_transport_maps, fallback_transport and luser_relay.
3016
3018 Optional lookup tables with per-recipient message delivery transports
3019 to use for local(8) mailbox delivery, whether or not the recipients are
3020 found in the UNIX passwd database.
3021
3022 The precedence of local(8) delivery features from high to low is:
3023 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3024 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3025 tory, fallback_transport_maps, fallback_transport and luser_relay.
3026
3027 For safety reasons, this feature does not allow $number substitutions
3028 in regular expression maps.
3029
3030 This feature is available in Postfix 2.3 and later.
3031
3033 Sendmail compatibility feature that specifies where the Postfix
3034 mailq(1) command is installed. This command can be used to list the
3035 Postfix mail queue.
3036
3038 Where the Postfix manual pages are installed.
3039
3041 Obsolete feature: use the reject_rbl_client feature instead.
3042
3044 The numerical Postfix SMTP server response code when a remote SMTP
3045 client request is blocked by the reject_rbl_client,
3046 reject_rhsbl_client, reject_rhsbl_sender or reject_rhsbl_recipient
3047 restriction.
3048
3049 Do not change this unless you have a complete understanding of RFC
3050 2821.
3051
3053
3054 What addresses are subject to address masquerading.
3055
3056 By default, address masquerading is limited to envelope sender
3057 addresses, and to header sender and header recipient addresses. This
3058 allows you to use address masquerading on a mail gateway while still
3059 being able to forward mail to users on individual machines.
3060
3061 Specify zero or more of: envelope_sender, envelope_recipient,
3062 header_sender, header_recipient
3063
3065 Optional list of domains whose subdomain structure will be stripped off
3066 in email addresses.
3067
3068 The list is processed left to right, and processing stops at the first
3069 match. Thus,
3070
3071 masquerade_domains = foo.example.com example.com
3072
3073 strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
3074 strips "user@any.thing.else.example.com" to "user@example.com".
3075
3076 A domain name prefixed with ! means do not masquerade this domain or
3077 its subdomains. Thus,
3078
3079 masquerade_domains = !foo.example.com example.com
3080
3081 does not change "user@any.thing.foo.example.com" or
3082 "user@foo.example.com", but strips "user@any.thing.else.example.com" to
3083 "user@example.com".
3084
3085 Note: with Postfix version 2.2, message header address masquerading
3086 happens only when message header address rewriting is enabled:
3087
3088 · The message is received with the Postfix sendmail(1) command,
3089
3090 · The message is received from a network client that matches
3091 $local_header_rewrite_clients,
3092
3093 · The message is received from the network, and the
3094 remote_header_rewrite_domain parameter specifies a non-empty
3095 value.
3096
3097 To get the behavior before Postfix version 2.2, specify
3098 "local_header_rewrite_clients = static:all".
3099
3100 Example:
3101
3102 masquerade_domains = $mydomain
3103
3105 Optional list of user names that are not subjected to address mas‐
3106 querading, even when their address matches $masquerade_domains.
3107
3108 By default, address masquerading makes no exceptions.
3109
3110 Specify a list of user names, "/file/name" or "type:table" patterns,
3111 separated by commas and/or whitespace. The list is matched left to
3112 right, and the search stops on the first match. A "/file/name" pattern
3113 is replaced by its contents; a "type:table" lookup table is matched
3114 when a name matches a lookup key (the lookup result is ignored). Con‐
3115 tinue long lines by starting the next line with whitespace. Specify
3116 "!pattern" to exclude a name from the list. The form "!/file/name" is
3117 supported only in Postfix version 2.4 and later.
3118
3119 Examples:
3120
3121 masquerade_exceptions = root, mailer-daemon
3122 masquerade_exceptions = root
3123
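As an added illustration (not Postfix code) of the masquerade_domains and masquerade_exceptions matching rules described above, the following Python function applies a domain list left to right with "!" exclusions and reproduces the worked addresses from the text. It assumes plain user names in masquerade_exceptions; the "/file/name" and "type:table" forms are not modelled.

```python
from typing import Iterable


def parse_list(value: str) -> list:
    """Split a main.cf list value on commas and/or whitespace."""
    return value.replace(",", " ").split()


def _in_domain(host: str, domain: str) -> bool:
    """True when host equals domain or lies within its subdomain tree."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def _excepted(user: str, exceptions: Iterable[str]) -> bool:
    """masquerade_exceptions: names are matched left to right, the search
    stops on the first match, and "!pattern" excludes a name.  "/file/name"
    and "type:table" patterns are not modelled (assumption of this example)."""
    for pattern in exceptions:
        negate = pattern.startswith("!")
        name = pattern[1:] if negate else pattern
        if user.lower() == name.lower():
            return not negate
    return False


def masquerade_address(address: str, masquerade_domains: Iterable[str],
                       masquerade_exceptions: Iterable[str] = ()) -> str:
    """Apply masquerade_domains to one address.

    Domains are tried left to right and processing stops at the first match;
    a domain prefixed with "!" means: do not masquerade it or its subdomains.
    Addresses without a domain part are returned unchanged.
    """
    local, sep, host = address.rpartition("@")
    if not sep or not host or _excepted(local, masquerade_exceptions):
        return address
    for entry in masquerade_domains:
        negate = entry.startswith("!")
        domain = entry[1:] if negate else entry
        if _in_domain(host, domain):
            return address if negate else f"{local}@{domain}"
    return address


if __name__ == "__main__":
    # The two masquerade_domains settings discussed in the manual page.
    for setting in ("foo.example.com example.com", "!foo.example.com example.com"):
        print(f"masquerade_domains = {setting}")
        for addr in ("user@any.thing.foo.example.com", "user@any.thing.else.example.com"):
            print(f"  {addr:32} -> {masquerade_address(addr, parse_list(setting))}")
```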
3125 Selectively disable master(8) listener ports by service type or by ser‐
3126 vice name and type. Specify a list of service types ("inet", "unix",
3127 "fifo", or "pass") or "name.type" tuples, where "name" is the first
3128 field of a master.cf entry and "type" is a service type. As with other
3129 Postfix matchlists, a search stops at the first match. Specify "!pat‐
3130 tern" to exclude a service from the list. By default, all master(8)
3131 listener ports are enabled.
3132
3133 Note: this feature does not support "/file/name" or "type:table" pat‐
3134 terns, nor does it support wildcards such as "*" or "all". This is
3135 intentional.
3136
3137 Examples:
3138
3139 # Turn on all master(8) listener ports (the default).
3140 master_service_disable =
3141 # Turn off only the main SMTP listener port.
3142 master_service_disable = smtp.inet
3143 # Turn off all TCP/IP listener ports.
3144 master_service_disable = inet
3145 # Turn off all TCP/IP listener ports except "foo".
3146 master_service_disable = !foo.inet, inet
3147
3148 This feature is available in Postfix 2.6 and later.
3149
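An added example, not from Postfix, that evaluates a master_service_disable value against a constructed master.cf excerpt and reports which listeners remain enabled; it assumes that service entries start in column 1 and that only the name and type fields matter for the match.

```python
from typing import List, Tuple

SERVICE_TYPES = {"inet", "unix", "fifo", "pass"}

# Constructed master.cf excerpt for demonstration; not a real system file.
SAMPLE_MASTER_CF = """\
# service    type  private unpriv  chroot  wakeup  maxproc command + args
smtp         inet  n       -       n       -       -       smtpd
submission   inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
foo          inet  n       -       n       -       -       smtpd
pickup       unix  n       -       n       60      1       pickup
cleanup      unix  n       -       n       -       0       cleanup
qmgr         fifo  n       -       n       300     1       qmgr
"""


def parse_master_cf(text: str) -> List[Tuple[str, str]]:
    """Return (name, type) for every service entry in master.cf text.

    Comment lines and "-o" continuation lines (which start with whitespace)
    are skipped; the assumption here is that entries start in column 1.
    """
    entries = []
    for line in text.splitlines():
        if not line or line[0] in "# \t":
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[1] in SERVICE_TYPES:
            entries.append((fields[0], fields[1]))
    return entries


def is_disabled(name: str, stype: str, master_service_disable: str) -> bool:
    """Evaluate master_service_disable for one service.

    Patterns are service types ("inet", "unix", "fifo", "pass") or
    "name.type" tuples, separated by commas and/or whitespace; "!pattern"
    excludes a service, and as with other Postfix matchlists the search
    stops at the first match.  No wildcards, as the manual page states.
    """
    for pattern in master_service_disable.replace(",", " ").split():
        negate = pattern.startswith("!")
        pat = pattern[1:] if negate else pattern
        if pat == stype or pat == f"{name}.{stype}":
            return not negate
    return False            # no match: the listener stays enabled


def enabled_listeners(master_cf: str, master_service_disable: str) -> List[Tuple[str, str]]:
    """List the (name, type) entries that remain enabled under the setting."""
    return [(n, t) for n, t in parse_master_cf(master_cf)
            if not is_disabled(n, t, master_service_disable)]


if __name__ == "__main__":
    # The four settings from the manual page's examples.
    for setting in ("", "smtp.inet", "inet", "!foo.inet, inet"):
        names = [n for n, _ in enabled_listeners(SAMPLE_MASTER_CF, setting)]
        print(f"master_service_disable = {setting!r:20} enabled: {names}")
```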
3151 The maximum amount of time that an idle Postfix daemon process waits
3152 for an incoming connection before terminating voluntarily. This param‐
3153 eter is ignored by the Postfix queue manager and by other long-lived
3154 Postfix daemon processes.
3155
3156 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3157 The default time unit is s (seconds).
3158
3160 The maximal number of incoming connections that a Postfix daemon
3161 process will service before terminating voluntarily. This parameter is
3162 ignored by the Postfix queue manager and by other long-lived Postfix
3163 daemon processes.
3164
3166 The maximal time between attempts to deliver a deferred message.
3167
3168 This parameter should be set to a value greater than or equal to $mini‐
3169 mal_backoff_time. See also $queue_run_delay.
3170
3171 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3172 The default time unit is s (seconds).
3173
3175 The maximal time a message is queued before it is sent back as undeliv‐
3176 erable.
3177
3178 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3179 The default time unit is d (days).
3180
3181 Specify 0 when mail delivery should be tried only once.
3182
3184 The set of characters that Postfix will reject in message content. The
3185 usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3186 (up to three octal digits) and \\.
3187
3188 Example:
3189
3190 message_reject_characters = \0
3191
3192 This feature is available in Postfix 2.3 and later.
3193
3195 The maximal size in bytes of a message, including envelope information.
3196
3197 Note: be careful when making changes. Excessively small values will
3198 result in the loss of non-delivery notifications, when a bounce message
3199 size exceeds the local or remote MTA's message size limit.
3200
3202 The set of characters that Postfix will remove from message content.
3203 The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
3204 \ddd (up to three octal digits) and \\.
3205
3206 Example:
3207
3208 message_strip_characters = \0
3209
3210 This feature is available in Postfix 2.3 and later.
3211
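An added example (not Postfix code) that decodes the escape syntax shared by message_reject_characters and message_strip_characters and applies the resulting set to sample text; it works on Python text rather than raw bytes and keeps any unrecognized backslash sequence literally, both assumptions of this illustration.

```python
import re

# C-like escapes listed in the manual page; \ddd (octal) is handled separately.
_ESCAPES = {"a": "\a", "b": "\b", "f": "\f", "n": "\n",
            "r": "\r", "t": "\t", "v": "\v", "\\": "\\"}


def parse_character_set(value: str) -> frozenset:
    """Turn a message_reject_characters / message_strip_characters value into
    the set of characters it denotes.

    Recognized: \\a \\b \\f \\n \\r \\t \\v, \\ddd with up to three octal
    digits, and \\\\.  Any other backslash sequence is kept literally
    (assumption of this example, not documented Postfix behaviour).
    """
    out = set()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in _ESCAPES:
                out.add(_ESCAPES[nxt])
                i += 2
                continue
            octal = re.match(r"[0-7]{1,3}", value[i + 1:])
            if octal:
                out.add(chr(int(octal.group(0), 8)))
                i += 1 + len(octal.group(0))
                continue
        out.add(ch)
        i += 1
    return frozenset(out)


def rejects(content: str, charset: frozenset) -> bool:
    """message_reject_characters semantics: any listed character is fatal."""
    return any(c in charset for c in content)


def strip_characters(content: str, charset: frozenset) -> str:
    """message_strip_characters semantics: listed characters are removed."""
    return "".join(c for c in content if c not in charset)


if __name__ == "__main__":
    nul_only = parse_character_set(r"\0")          # the manual page's example
    sample = "Subject: hi\0 there\n"                # constructed message text
    print("reject? ", rejects(sample, nul_only))
    print("stripped:", repr(strip_characters(sample, nul_only)))
```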
3213 The time limit for sending an SMTP command to a Milter (mail filter)
3214 application, and for receiving the response.
3215
3216 Specify a non-zero time value (an integral value plus an optional one-
3217 letter suffix that specifies the time unit).
3218
3219 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3220 The default time unit is s (seconds).
3221
3222 This feature is available in Postfix 2.3 and later.
3223
3225 The macros that are sent to Milter (mail filter) applications after
3226 completion of an SMTP connection. See MILTER_README for a list of
3227 available macro names and their meanings.
3228
3229 This feature is available in Postfix 2.3 and later.
3230
3232 The time limit for connecting to a Milter (mail filter) application,
3233 and for negotiating protocol options.
3234
3235 Specify a non-zero time value (an integral value plus an optional one-
3236 letter suffix that specifies the time unit).
3237
3238 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3239 The default time unit is s (seconds).
3240
3241 This feature is available in Postfix 2.3 and later.
3242
3244 The time limit for sending message content to a Milter (mail filter)
3245 application, and for receiving the response.
3246
3247 Specify a non-zero time value (an integral value plus an optional one-
3248 letter suffix that specifies the time unit).
3249
3250 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3251 The default time unit is s (seconds).
3252
3253 This feature is available in Postfix 2.3 and later.
3254
3256 The macros that are sent to version 4 or higher Milter (mail filter)
3257 applications after the SMTP DATA command. See MILTER_README for a list
3258 of available macro names and their meanings.
3259
3260 This feature is available in Postfix 2.3 and later.
3261
3263 The default action when a Milter (mail filter) application is unavail‐
3264 able or mis-configured. Specify one of the following:
3265
3266 accept Proceed as if the mail filter was not present.
3267
3268 reject Reject all further commands in this session with a permanent
3269 status code.
3270
3271 tempfail
3272 Reject all further commands in this session with a temporary
3273 status code.
3274
3275 quarantine
3276 Like "accept", but freeze the message in the "hold" queue.
3277 Available with Postfix 2.6 and later.
3278
3279 This feature is available in Postfix 2.3 and later.
3280
3282 The macros that are sent to Milter (mail filter) applications after the
3283 message end-of-data. See MILTER_README for a list of available macro
3284 names and their meanings.
3285
3286 This feature is available in Postfix 2.3 and later.
3287
3289 The macros that are sent to Milter (mail filter) applications after the
3290 end of the message header. See MILTER_README for a list of available
3291 macro names and their meanings.
3292
3293 This feature is available in Postfix 2.5 and later.
3294
3296 Optional lookup tables for content inspection of message headers that
3297 are produced by Milter applications. See the header_checks(5) manual
3298 page for available actions. Currently, PREPEND is not implemented.
3299
3300 The following example sends all mail that is marked as SPAM to a spam
3301 handling machine. Note that matches are case-insensitive by default.
3302
3303 /etc/postfix/main.cf:
3304 milter_header_checks = pcre:/etc/postfix/milter_header_checks
3305
3306 /etc/postfix/milter_header_checks:
3307 /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
3308
3309 The milter_header_checks mechanism could also be used for whitelisting.
3310 For example it could be used to skip heavy content inspection for DKIM-
3311 signed mail from known friendly domains.
3312
3313 This feature is available in Postfix 2.7, and as an optional patch for
3314 Postfix 2.6.
3315
3317 The macros that are sent to Milter (mail filter) applications after the
3318 SMTP HELO or EHLO command. See MILTER_README for a list of available
3319 macro names and their meanings.
3320
3321 This feature is available in Postfix 2.3 and later.
3322
3324 The {daemon_name} macro value for Milter (mail filter) applications.
3325 See MILTER_README for a list of available macro names and their mean‐
3326 ings.
3327
3328 This feature is available in Postfix 2.3 and later.
3329
3331 The {v} macro value for Milter (mail filter) applications. See MIL‐
3332 TER_README for a list of available macro names and their meanings.
3333
3334 This feature is available in Postfix 2.3 and later.
3335
3337 The macros that are sent to Milter (mail filter) applications after the
3338 SMTP MAIL FROM command. See MILTER_README for a list of available macro
3339 names and their meanings.
3340
3341 This feature is available in Postfix 2.3 and later.
3342
3344 The mail filter protocol version and optional protocol extensions for
3345 communication with a Milter application; prior to Postfix 2.6 the
3346 default protocol is 2. Postfix sends this version number during the
3347 initial protocol handshake. It should match the version number that is
3348 expected by the mail filter application (or by its Milter library).
3349
3350 Protocol versions:
3351
3352 2 Use Sendmail 8 mail filter protocol version 2 (default with
3353 Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).
3354
3355 3 Use Sendmail 8 mail filter protocol version 3.
3356
3357 4 Use Sendmail 8 mail filter protocol version 4.
3358
3359 6 Use Sendmail 8 mail filter protocol version 6 (default with
3360 Sendmail version 8.14 and Postfix version 2.6).
3361
3362 Protocol extensions:
3363
3364 no_header_reply
3365 Specify this when the Milter application will not reply for each
3366 individual message header.
3367
3368 This feature is available in Postfix 2.3 and later.
3369
3371 The macros that are sent to Milter (mail filter) applications after the
3372 SMTP RCPT TO command. See MILTER_README for a list of available macro
3373 names and their meanings.
3374
3375 This feature is available in Postfix 2.3 and later.
3376
3378 The macros that are sent to version 3 or higher Milter (mail filter)
3379 applications after an unknown SMTP command. See MILTER_README for a
3380 list of available macro names and their meanings.
3381
3382 This feature is available in Postfix 2.3 and later.
3383
3385 The maximal length of MIME multipart boundary strings. The MIME
3386 processor is unable to distinguish between boundary strings that do not
3387 differ in the first $mime_boundary_length_limit characters.
3388
3389 This feature is available in Postfix 2.0 and later.
3390
3392 Optional lookup tables for content inspection of MIME related message
3393 headers, as described in the header_checks(5) manual page.
3394
3395 This feature is available in Postfix 2.0 and later.
3396
3398 The maximal recursion level that the MIME processor will handle.
3399 Postfix refuses mail that is nested deeper than the specified limit.
3400
3401 This feature is available in Postfix 2.0 and later.
3402
3404 The minimal time between attempts to deliver a deferred message; prior
3405 to Postfix 2.4 the default value was 1000s.
3406
3407 This parameter also limits the time an unreachable destination is kept
3408 in the short-term, in-memory, destination status cache.
3409
3410 This parameter should be set greater than or equal to $queue_run_delay.
3411 See also $maximal_backoff_time.
3412
3413 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3414 The default time unit is s (seconds).
3415
3417 An optional list of non-default Postfix configuration directories;
3418 these directories belong to additional Postfix instances that share the
3419 Postfix executable files and documentation with the default Postfix
3420 instance, and that are started, stopped, etc., together with the
3421 default Postfix instance. Specify a list of pathnames separated by
3422 comma or whitespace.
3423
3424 When $multi_instance_directories is empty, the postfix(1) command runs
3425 in single-instance mode and operates on a single Postfix instance only.
3426 Otherwise, the postfix(1) command runs in multi-instance mode and
3427 invokes the multi-instance manager specified with the
3428 multi_instance_wrapper parameter. The multi-instance manager in turn
3429 executes postfix(1) commands for the default instance and for all
3430 Postfix instances in $multi_instance_directories.
3431
3432 Currently, this parameter setting is ignored except for the default
3433 main.cf file.
3434
3435 This feature is available in Postfix 2.6 and later.
3436
3438 Allow this Postfix instance to be started, stopped, etc., by a multi-
3439 instance manager. By default, new instances are created in a safe
3440 state that prevents them from being started inadvertently. This
3441 parameter is reserved for the multi-instance manager.
3442
3443 This feature is available in Postfix 2.6 and later.
3444
3446 The optional instance group name of this Postfix instance. A group
3447 identifies closely-related Postfix instances that the multi-instance
3448 manager can start, stop, etc., as a unit. This parameter is reserved
3449 for the multi-instance manager.
3450
3451 This feature is available in Postfix 2.6 and later.
3452
3454 The optional instance name of this Postfix instance. This name becomes
3455 also the default value for the syslog_name parameter.
3456
3457 This feature is available in Postfix 2.6 and later.
3458
3460 The pathname of a multi-instance manager command that the postfix(1)
3461 command invokes when the multi_instance_directories parameter value is
3462 non-empty. The pathname may be followed by initial command arguments
3463 separated by whitespace; shell metacharacters such as quotes are not
3464 supported in this context.
3465
3466 The postfix(1) command invokes the manager command with the postfix(1)
3467 non-option command arguments on the manager command line, and with all
3468 installation configuration parameters exported into the manager command
3469 process environment. The manager command in turn invokes the postfix(1)
3470 command for individual Postfix instances as "postfix -c
3471 config_directory command".
3472
3473 This feature is available in Postfix 2.6 and later.
3474
3476 The numerical Postfix SMTP server response code when a remote SMTP
3477 client request is blocked by the reject_multi_recipient_bounce
3478 restriction.
3479
3480 Do not change this unless you have a complete understanding of RFC
3481 2821.
3482
3483 This feature is available in Postfix 2.1 and later.
3484
3486 The list of domains that are delivered via the $local_transport mail
3487 delivery transport. By default this is the Postfix local(8) delivery
3488 agent which looks up all recipients in /etc/passwd and /etc/aliases.
3489 The SMTP server validates recipient addresses with $local_recipient_maps
3490 and rejects non-existent recipients. See also the local domain
3491 class in the ADDRESS_CLASS_README file.
3492
3493 The default mydestination value specifies names for the local machine
3494 only. On a mail domain gateway, you should also include $mydomain.
3495
3496 The $local_transport delivery method is also selected for mail
3497 addressed to user@[the.net.work.address] of the mail system (the IP
3498 addresses specified with the inet_interfaces and proxy_interfaces
3499 parameters).
3500
3501 Warnings:
3502
3503 · Do not specify the names of virtual domains - those domains are
3504 specified elsewhere. See VIRTUAL_README for more information.
3505
3506 · Do not specify the names of domains that this machine is backup
3507 MX host for. See STANDARD_CONFIGURATION_README for how to set up
3508 backup MX hosts.
3509
3510 · By default, the Postfix SMTP server rejects mail for recipients
3511 not listed with the local_recipient_maps parameter. See the
3512 postconf(5) manual for a description of the local_recipient_maps
3513 and unknown_local_recipient_reject_code parameters.
3514
3515 Specify a list of host or domain names, "/file/name" or "type:table"
3516 patterns, separated by commas and/or whitespace. A "/file/name" pattern
3517 is replaced by its contents; a "type:table" lookup table is matched
3518 when a name matches a lookup key (the lookup result is ignored).
3519 Continue long lines by starting the next line with whitespace.
3520
3521 Examples:
3522
3523 mydestination = $myhostname, localhost.$mydomain $mydomain
3524 mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
3525
3527 The internet domain name of this mail system. The default is to use
3528 $myhostname minus the first component. $mydomain is used as a default
3529 value for many other configuration parameters.
3530
3531 Example:
3532
3533 mydomain = domain.tld
3534
3536 The internet hostname of this mail system. The default is to use the
3537 fully-qualified domain name from gethostname(). $myhostname is used as
3538 a default value for many other configuration parameters.
3539
3540 Example:
3541
3542 myhostname = host.example.com
3543
3545 The list of "trusted" SMTP clients that have more privileges than
3546 "strangers".
3547
3548 In particular, "trusted" SMTP clients are allowed to relay mail through
3549 Postfix. See the smtpd_recipient_restrictions parameter description in
3550 the postconf(5) manual.
3551
3552 You can specify the list of "trusted" network addresses by hand or you
3553 can let Postfix do it for you (which is the default). See the
3554 description of the mynetworks_style parameter for more information.
3555
3556 If you specify the mynetworks list by hand, Postfix ignores the
3557 mynetworks_style setting.
3558
3559 Specify a list of network addresses or network/netmask patterns,
3560 separated by commas and/or whitespace. Continue long lines by starting the
3561 next line with whitespace.
3562
3563 The netmask specifies the number of bits in the network part of a host
3564 address. You can also specify "/file/name" or "type:table" patterns.
3565 A "/file/name" pattern is replaced by its contents; a "type:table"
3566 lookup table is matched when a table entry matches a lookup string (the
3567 lookup result is ignored).
3568
3569 The list is matched left to right, and the search stops on the first
3570 match. Specify "!pattern" to exclude an address or network block from
3571 the list. The form "!/file/name" is supported only in Postfix version
3572 2.4 and later.
3573
3574 Note: IP version 6 address information must be specified inside [] in
3575 the mynetworks value, and in files specified with "/file/name". IP
3576 version 6 addresses contain the ":" character, and would otherwise be
3577 confused with a "type:table" pattern.
3578
3579 Examples:
3580
3581 mynetworks = 127.0.0.0/8 168.100.189.0/28
3582 mynetworks = !192.168.0.1, 192.168.0.0/28
3583 mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
3584 mynetworks = $config_directory/mynetworks
3585 mynetworks = hash:/etc/postfix/network_table
3586
3588 The method to generate the default value for the mynetworks parameter.
3589 This is the list of trusted networks for relay access control etc.
3590
3591 · Specify "mynetworks_style = host" when Postfix should "trust"
3592 only the local machine.
3593
3594 · Specify "mynetworks_style = subnet" when Postfix should "trust"
3595 SMTP clients in the same IP subnetworks as the local machine.
3596 On Linux, this works correctly only with interfaces specified
3597 with the "ifconfig" command.
3598
3599 · Specify "mynetworks_style = class" when Postfix should "trust"
3600 SMTP clients in the same IP class A/B/C networks as the local
3601 machine. Don't do this with a dialup site - it would cause
3602 Postfix to "trust" your entire provider's network. Instead,
3603 specify an explicit mynetworks list by hand, as described with
3604 the mynetworks configuration parameter.
3605
3607 The domain name that locally-posted mail appears to come from, and that
3608 locally posted mail is delivered to. The default, $myhostname, is
3609 adequate for small sites. If you run a domain with multiple machines, you
3610 should (1) change this to $mydomain and (2) set up a domain-wide alias
3611 database that aliases each user to user@that.users.mailhost.
3612
3613 Example:
3614
3615 myorigin = $mydomain
3616
3618 Optional lookup tables for content inspection of non-MIME message
3619 headers in attached messages, as described in the header_checks(5) manual
3620 page.
3621
3622 This feature is available in Postfix 2.0 and later.
3623
3625 Sendmail compatibility feature that specifies the location of the
3626 newaliases(1) command. This command can be used to rebuild the local(8)
3627 aliases(5) database.
3628
3630 The numerical Postfix SMTP server reply code when a client request is
3631 rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
3632 or reject_non_fqdn_recipient restriction.
3633
3635 A list of Milter (mail filter) applications for new mail that does not
3636 arrive via the Postfix smtpd(8) server. This includes local submission
3637 via the sendmail(1) command line, new mail that arrives via the Postfix
3638 qmqpd(8) server, and old mail that is re-injected into the queue with
3639 "postsuper -r". See the MILTER_README document for details.
3640
3641 This feature is available in Postfix 2.3 and later.
3642
3644 The list of error classes that are reported to the postmaster. The
3645 default is to report only the most serious problems. The paranoid may
3646 wish to turn on the policy (UCE and mail relaying) and protocol error
3647 (broken mail software) reports.
3648
3649 NOTE: postmaster notifications may contain confidential information
3650 such as SASL passwords or message content. It is the system
3651 administrator's responsibility to treat such information with care.
3652
3653 The error classes are:
3654
3655 bounce (also implies 2bounce)
3656 Send the postmaster copies of the headers of bounced mail, and
3657 send transcripts of SMTP sessions when Postfix rejects mail. The
3658 notification is sent to the address specified with the
3659 bounce_notice_recipient configuration parameter (default:
3660 postmaster).
3661
3662 2bounce
3663 Send undeliverable bounced mail to the postmaster. The
3664 notification is sent to the address specified with the
3665 2bounce_notice_recipient configuration parameter (default:
3666 postmaster).
3667
3668 delay Send the postmaster copies of the headers of delayed mail. The
3669 notification is sent to the address specified with the
3670 delay_notice_recipient configuration parameter (default:
3671 postmaster).
3672
3673 policy Send the postmaster a transcript of the SMTP session when a
3674 client request was rejected because of (UCE) policy. The
3675 notification is sent to the address specified with the
3676 error_notice_recipient configuration parameter (default:
3677 postmaster).
3678
3679 protocol
3680 Send the postmaster a transcript of the SMTP session in case of
3681 client or server protocol errors. The notification is sent to
3682 the address specified with the error_notice_recipient
3683 configuration parameter (default: postmaster).
3684
3685 resource
3686 Inform the postmaster of mail not delivered due to resource
3687 problems. The notification is sent to the address specified
3688 with the error_notice_recipient configuration parameter
3689 (default: postmaster).
3690
3691 software
3692 Inform the postmaster of mail not delivered due to software
3693 problems. The notification is sent to the address specified
3694 with the error_notice_recipient configuration parameter
3695 (default: postmaster).
3696
3697 Examples:
3698
3699 notify_classes = bounce, delay, policy, protocol, resource, software
3700 notify_classes = 2bounce, resource, software
3701
3703 Give special treatment to owner-listname and listname-request address
3704 localparts: don't split such addresses when the recipient_delimiter is
3705 set to "-". This feature is useful for mailing lists.
3706
3708 What Postfix features match subdomains of "domain.tld" automatically,
3709 instead of requiring an explicit ".domain.tld" pattern. This is
3710 planned backwards compatibility: eventually, all Postfix features are
3711 expected to require explicit ".domain.tld" style patterns when you
3712 really want to match subdomains.
3713
3715 Restrict the use of the permit_mx_backup SMTP access feature to only
3716 domains whose primary MX hosts match the listed networks. The
3717 parameter value syntax is the same as with the mynetworks parameter; note,
3718 however, that the default value is empty.
3719
3721 The name of the pickup(8) service. This service picks up local mail
3722 submissions from the Postfix maildrop queue.
3723
3724 This feature is available in Postfix 2.0 and later.
3725
3727 The numerical Postfix SMTP server response code when a request is
3728 rejected by the reject_plaintext_session restriction.
3729
3730 This feature is available in Postfix 2.3 and later.
3731
3733 The postfix(1) commands that the postmulti(1) instance manager treats
3734 as "control" commands, that operate on running instances. For these
3735 commands, disabled instances are skipped.
3736
3737 This feature is available in Postfix 2.6 and later.
3738
3740 The postfix(1) commands that the postmulti(1) instance manager treats
3741 as "start" commands. For these commands, disabled instances are
3742 "checked" rather than "started", and failure to "start" a member
3743 instance of an instance group will abort the start-up of later
3744 instances.
3745
3746 This feature is available in Postfix 2.6 and later.
3747
3749 The postfix(1) commands that the postmulti(1) instance manager treats
3750 as "stop" commands. For these commands, disabled instances are skipped,
3751 and enabled instances are processed in reverse order.
3752
3753 This feature is available in Postfix 2.6 and later.
3754
3756 The message delivery contexts where the Postfix local(8) delivery agent
3757 prepends a Delivered-To: message header with the address that the mail
3758 was delivered to. This information is used for mail delivery loop
3759 detection.
3760
3761 By default, the Postfix local delivery agent prepends a Delivered-To:
3762 header when forwarding mail and when delivering to file (mailbox) and
3763 command. Turning off the Delivered-To: header when forwarding mail is
3764 not recommended.
3765
3766 Specify zero or more of forward, file, or command.
3767
3768 Example:
3769
3770 prepend_delivered_header = forward
3771
3773 The process ID of a Postfix command or daemon process.
3774
3776 The location of Postfix PID files relative to $queue_directory. This
3777 is a read-only parameter.
3778
3780 The process name of a Postfix command or daemon process.
3781
3783 What address lookup tables copy an address extension from the lookup
3784 key to the lookup result.
3785
3786 For example, with a virtual(5) mapping of "joe@example.com =>
3787 joe.user@example.net", the address "joe+foo@example.com" would rewrite
3788 to "joe.user+foo@example.net".
3789
3790 Specify zero or more of canonical, virtual, alias, forward, include or
3791 generic. These cause address extension propagation with canonical(5),
3792 virtual(5), and aliases(5) maps, with local(8) .forward and :include:
3793 file lookups, and with smtp(8) generic maps, respectively.
3794
3795 Note: enabling this feature for types other than canonical and virtual
3796 is likely to cause problems when mail is forwarded to other sites,
3797 especially with mail that is sent to a mailing list exploder address.
3798
3799 Examples:
3800
3801 propagate_unmatched_extensions = canonical, virtual, alias,
3802 forward, include
3803 propagate_unmatched_extensions = canonical, virtual
3804
3806 The network interface addresses that this mail system receives mail on
3807 by way of a proxy or network address translation unit.
3808
3809 This feature is available in Postfix 2.0 and later.
3810
3811 You must specify your "outside" proxy/NAT addresses when your system is
3812 a backup MX host for other domains, otherwise mail delivery loops will
3813 happen when the primary MX host is down.
3814
3815 Example:
3816
3817 proxy_interfaces = 1.2.3.4
3818
3820 The lookup tables that the proxymap(8) server is allowed to access for
3821 the read-only service. Table references that don't begin with proxy:
3822 are ignored.
3823
3824 This feature is available in Postfix 2.0 and later.
3825
3827 The lookup tables that the proxymap(8) server is allowed to access for
3828 the read-write service. Postfix-owned local database files should be
3829 stored under the Postfix-owned data_directory. Table references that
3830 don't begin with proxy: are ignored.
3831
3832 This feature is available in Postfix 2.5 and later.
3833
3835 The name of the proxymap read-only table lookup service. This service
3836 is normally implemented by the proxymap(8) daemon.
3837
3838 This feature is available in Postfix 2.6 and later.
3839
3841 The name of the proxywrite read-write table lookup service. This
3842 service is normally implemented by the proxymap(8) daemon.
3843
3844 This feature is available in Postfix 2.6 and later.
3845
3847 The minimal delay between warnings that a specific destination is
3848 clogging up the Postfix active queue. Specify 0 to disable.
3849
3850 This feature is enabled with the helpful_warnings parameter.
3851
3852 This feature is available in Postfix 2.0 and later.
3853
3855 Obsolete feature: the percentage of delivery resources that a busy mail
3856 system will use up for delivery of a large mailing list message.
3857
3858 This feature exists only in the oqmgr(8) old queue manager. The current
3859 queue manager solves the problem in a better way.
3860
3862 The maximal number of messages in the active queue.
3863
3865 The maximal number of recipients held in memory by the Postfix queue
3866 manager, and the maximal size of the short-term, in-memory
3867 "dead" destination status cache.
3868
3870 The minimal number of in-memory recipients for any message. This takes
3871 priority over any other in-memory recipient limits (i.e., the global
3872 qmgr_message_recipient_limit and the per transport _recipient_limit) if
3873 necessary. The minimum value allowed for this parameter is 1.
3874
3876 What clients are allowed to connect to the QMQP server port.
3877
3878 By default, no client is allowed to use the service. This is because
3879 the QMQP server will relay mail to any destination.
3880
3881 Specify a list of client patterns. A list pattern specifies a host
3882 name, a domain name, an internet address, or a network/mask pattern,
3883 where the mask specifies the number of bits in the network part. When
3884 a pattern specifies a file name, its contents are substituted for the
3885 file name; when a pattern is a "type:table" table specification, table
3886 lookup is used instead.
3887
3888 Patterns are separated by whitespace and/or commas. In order to reverse
3889 the result, precede a pattern with an exclamation point (!). The form
3890 "!/file/name" is supported only in Postfix version 2.4 and later.
3891
3892 Example:
3893
3894 qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
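The pattern-list syntax shared by mynetworks (described earlier) and qmqpd_authorized_clients is easy to get wrong in one specific way: the list is matched left to right and the first match wins, so an "!exclusion" only works if it precedes the broader block it is carving out of. The following is an added example, not Postfix code, that models those rules: comma/whitespace splitting, "!pattern" and "!/file/name" negation, IPv6 in brackets, and "type:table" matching on key presence only. The "/file/name" and "type:table" sources are replaced by constructed in-memory stand-ins (FAKE_FILES, FAKE_TABLES) so it runs offline.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed stand-in for "/file/name" patterns (hypothetical contents, so the
# example never reads the real /etc/postfix). Note the exclusion comes first.
FAKE_FILES: Dict[str, str] = {
    "/etc/postfix/mynetworks":
        "!10.0.99.0/24\n# management subnet excluded above\n10.0.0.0/8\n[fd00::]/8\n",
}

# Constructed stand-in for "type:table" patterns: only key presence matters,
# the lookup result is ignored, as the parameter description says.
FAKE_TABLES: Dict[str, Set[str]] = {
    "hash:/etc/postfix/network_table": {"203.0.113.7", "203.0.113.8"},
}


def split_patterns(value: str) -> List[str]:
    """Split a list value on commas and/or whitespace."""
    return [p for p in value.replace(",", " ").split() if p]


def _negation(pattern: str) -> Tuple[bool, str]:
    """Strip leading "!" characters; an odd number of them negates the pattern."""
    body = pattern.lstrip("!")
    return (len(pattern) - len(body)) % 2 == 1, body


def expand_files(patterns: List[str]) -> List[str]:
    """Replace "/file/name" (and "!/file/name") by the patterns in that file."""
    out: List[str] = []
    for pat in patterns:
        negate, body = _negation(pat)
        if not body.startswith("/"):
            out.append(pat)
            continue
        for line in FAKE_FILES[body].splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            for sub in split_patterns(line):
                sub_neg, sub_body = _negation(sub)
                # "!/file/name" inverts every pattern read from that file
                out.append(("!" if sub_neg != negate else "") + sub_body)
    return out


def match_pattern(body: str, addr) -> bool:
    """Match one non-negated pattern against an ipaddress object."""
    if body.startswith("["):
        # IPv6 must be bracketed so its ":" is not taken for a "type:table" pattern
        end = body.index("]")
        net_text = body[1:end] + body[end + 1:]          # "[::1]/128" -> "::1/128"
    elif ":" in body:
        return str(addr) in FAKE_TABLES.get(body, set())  # hypothetical table lookup
    else:
        net_text = body                                   # "a.b.c.d" or "a.b.c.d/bits"
    try:
        net = ipaddress.ip_network(net_text, strict=False)
    except ValueError:
        return False
    return addr.version == net.version and addr in net


def is_trusted(value: str, client_ip: str) -> bool:
    """Left to right, first match wins; a negated match excludes; no match -> False."""
    addr = ipaddress.ip_address(client_ip)
    for pat in expand_files(split_patterns(value)):
        negate, body = _negation(pat)
        if match_pattern(body, addr):
            return not negate
    return False
```

Reordering the page's second example to "192.168.0.0/28, !192.168.0.1" silently re-admits 192.168.0.1, because the /28 matches first.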
3895
3897 Enable logging of the remote QMQP client port in addition to the
3898 hostname and IP address. The logging format is "host[address]:port".
3899
3900 This feature is available in Postfix 2.5 and later.
3901
3903 How long the QMQP server will pause before sending a negative reply to
3904 the client. The purpose is to slow down confused or malicious clients.
3905
3906 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3907 The default time unit is s (seconds).
3908
3910 The time limit for sending or receiving information over the network.
3911 If a read or write operation blocks for more than $qmqpd_timeout
3912 seconds the QMQP server gives up and disconnects.
3913
3914 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3915 The default time unit is s (seconds).
3916
3918 The location of the Postfix top-level queue directory. This is the root
3919 directory of Postfix daemon processes that run chrooted.
3920
3922 The maximal number of (name=value) attributes that may be stored in a
3923 Postfix queue file. The limit is enforced by the cleanup(8) server.
3924
3925 This feature is available in Postfix 2.0 and later.
3926
3928 The minimal amount of free space in bytes in the queue file system that
3929 is needed to receive mail. This is currently used by the SMTP server
3930 to decide if it will accept any mail at all.
3931
3932 By default, the Postfix SMTP server rejects MAIL FROM commands when the
3933 amount of free space is less than 1.5*$message_size_limit (Postfix
3934 version 2.1 and later). To specify a higher minimum free space limit,
3935 specify a queue_minfree value that is at least 1.5*$message_size_limit.
3936
3937 With Postfix versions 2.0 and earlier, a queue_minfree value of zero
3938 means there is no minimum required amount of free space.
3939
3941 The time between deferred queue scans by the queue manager; prior to
3942 Postfix 2.4 the default value was 1000s.
3943
3944 This parameter should be set less than or equal to
3945 $minimal_backoff_time. See also $maximal_backoff_time.
3946
3947 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3948 The default time unit is s (seconds).
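The ordering rules scattered across minimal_backoff_time, queue_run_delay and queue_minfree (queue_run_delay <= minimal_backoff_time, and a queue_minfree below 1.5*$message_size_limit does not raise the built-in floor) are easy to violate when tuning. The following is an added example, not Postfix code, that parses postconf time values with the s/m/h/d/w units listed above and checks those rules over a dictionary of main.cf settings; the parameter values in the test are constructed.

```python
import re
from typing import Dict, List

# Multipliers for the time units postconf(5) accepts; the default unit is "s".
TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value: str, default_unit: str = "s") -> int:
    """Convert "300s", "5m", "1h", "2d", "1w" or a bare number into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"not a postconf time value: {value!r}")
    number, unit = int(m.group(1)), (m.group(2) or default_unit)
    return number * TIME_UNITS[unit]


def check_queue_timing(cfg: Dict[str, str]) -> List[str]:
    """Return one message per violated rule; an empty list means all rules hold.

    cfg maps parameter names to their main.cf string values.
    """
    problems: List[str] = []
    run_delay = parse_time(cfg["queue_run_delay"])
    min_backoff = parse_time(cfg["minimal_backoff_time"])
    max_backoff = parse_time(cfg["maximal_backoff_time"])

    # queue_run_delay should be <= minimal_backoff_time (stated under both parameters)
    if run_delay > min_backoff:
        problems.append(
            f"queue_run_delay ({run_delay}s) exceeds minimal_backoff_time ({min_backoff}s)")
    # the companion rule: the maximal backoff must not be below the minimal one
    if min_backoff > max_backoff:
        problems.append(
            f"minimal_backoff_time ({min_backoff}s) exceeds maximal_backoff_time ({max_backoff}s)")

    # queue_minfree: the SMTP server already refuses MAIL FROM below
    # 1.5*message_size_limit, so a smaller non-zero value changes nothing.
    minfree = int(cfg.get("queue_minfree", "0"))
    size_limit = int(cfg["message_size_limit"])
    floor = int(1.5 * size_limit)
    if minfree and minfree < floor:
        problems.append(
            f"queue_minfree ({minfree}) is below 1.5*message_size_limit ({floor}); "
            "the built-in minimum still applies")
    return problems
```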
3949
3951 The name of the qmgr(8) service. This service manages the Postfix queue
3952 and schedules delivery requests.
3953
3954 This feature is available in Postfix 2.0 and later.
3955
3957 Optional lookup tables with RBL response templates. The tables are
3958 indexed by the RBL domain name. By default, Postfix uses the default
3959 template as specified with the default_rbl_reply configuration
3960 parameter. See there for a discussion of the syntax of RBL reply templates.
3961
3962 This feature is available in Postfix 2.0 and later.
3963
3965 The location of Postfix README files that describe how to build,
3966 configure or operate a specific Postfix subsystem or feature.
3967
3969 Enable or disable recipient validation, built-in content filtering, or
3970 address mapping. Typically, these are specified in master.cf as
3971 command-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
3972
3973 Specify zero or more of the following options. The options override
3974 main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
3975 pickup(8) themselves, or they are forwarded to the cleanup server.
3976
3977 no_unknown_recipient_checks
3978 Do not try to reject unknown recipients (SMTP server only).
3979 This is typically specified AFTER an external content filter.
3980
3981 no_address_mappings
3982 Disable canonical address mapping, virtual alias map expansion,
3983 address masquerading, and automatic BCC (blind carbon-copy)
3984 recipients. This is typically specified BEFORE an external
3985 content filter.
3986
3987 no_header_body_checks
3988 Disable header/body_checks. This is typically specified AFTER an
3989 external content filter.
3990
3991 no_milters
3992 Disable Milter (mail filter) applications. This is typically
3993 specified AFTER an external content filter.
3994
3995 Note: when the "BEFORE content filter" receive_override_options setting
3996 is specified in the main.cf file, specify the "AFTER content filter"
3997 receive_override_options setting in master.cf (and vice versa).
3998
3999 Examples:
4000
4001 receive_override_options =
4002 no_unknown_recipient_checks, no_header_body_checks
4003 receive_override_options = no_address_mappings
4004
4005 This feature is available in Postfix 2.1 and later.
4006
4008 Optional BCC (blind carbon-copy) address lookup tables, indexed by
4009 recipient address. The BCC address (multiple results are not
4010 supported) is added when mail enters from outside of Postfix.
4011
4012 This feature is available in Postfix 2.1 and later.
4013
4014 The table search order is as follows:
4015
4016 · Look up the "user+extension@domain.tld" address including the
4017 optional address extension.
4018
4019 · Look up the "user@domain.tld" address without the optional
4020 address extension.
4021
4022 · Look up the "user+extension" address local part when the
4023 recipient domain equals $myorigin, $mydestination, $inet_interfaces or
4024 $proxy_interfaces.
4025
4026 · Look up the "user" address local part when the recipient domain
4027 equals $myorigin, $mydestination, $inet_interfaces or
4028 $proxy_interfaces.
4029
4030 · Look up the "@domain.tld" part.
4031
4032 Specify the types and names of databases to use. After change, run
4033 "postmap /etc/postfix/recipient_bcc".
4034
4035 Note: if mail to the BCC address bounces it will be returned to the
4036 sender.
4037
4038 Note: automatic BCC recipients are produced only for new mail. To
4039 avoid mailer loops, automatic BCC recipients are not generated for mail
4040 that Postfix forwards internally, nor for mail that Postfix generates
4041 itself.
4042
4043 Example:
4044
4045 recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
4046
4048 What addresses are subject to recipient_canonical_maps address mapping.
4049 By default, recipient_canonical_maps address mapping is applied to
4050 envelope recipient addresses, and to header recipient addresses.
4051
4052 Specify one or more of: envelope_recipient, header_recipient
4053
4054 This feature is available in Postfix 2.2 and later.
4055
4057 Optional address mapping lookup tables for envelope and header
4058 recipient addresses. The table format and lookups are documented in
4059 canonical(5).
4060
4061 Note: $recipient_canonical_maps is processed before $canonical_maps.
4062
4063 Example:
4064
4065 recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
4066
4068 The separator between user names and address extensions (user+foo).
4069 See canonical(5), local(8), relocated(5) and virtual(5) for the effects
4070 this has on aliases, canonical, virtual, relocated and on .forward file
4071 lookups. Basically, the software tries user+foo and .forward+foo
4072 before trying user and .forward.
4073
4074 Example:
4075
4076 recipient_delimiter = +
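Three descriptions above share one mechanism: recipient_delimiter splits "user+foo" so that tables are tried with the extension before without it, recipient_bcc_maps documents the exact five-step search order, and propagate_unmatched_extensions re-attaches an extension that the matching key did not consume (the "joe+foo@example.com" -> "joe.user+foo@example.net" case). The following is an added example, not Postfix code, that implements those three behaviours over constructed tables; LOCAL_DOMAINS stands in for the $myorigin/$mydestination/$inet_interfaces/$proxy_interfaces check.

```python
from typing import Dict, List, Optional, Set, Tuple

DELIMITER = "+"                      # recipient_delimiter = +

# Constructed tables for this example (not real site data).
VIRTUAL: Dict[str, str] = {"joe@example.com": "joe.user@example.net"}
RECIPIENT_BCC: Dict[str, str] = {
    "ceo@example.com": "archive-exec@example.com",
    "support": "archive-support@example.com",      # bare local part: local domains only
    "@partner.example": "archive-partner@example.com",
}
LOCAL_DOMAINS: Set[str] = {"example.com", "localhost.example.com"}


def split_address(addr: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split "user+ext@domain" into (user, ext, domain); ext/domain may be None.

    The local part is split at the first delimiter, so "a+b+c" -> ("a", "b+c")."""
    local, _, domain = addr.rpartition("@")
    if not local:                                  # no "@": a bare local part
        local, domain = domain, None
    if DELIMITER and DELIMITER in local:
        user, ext = local.split(DELIMITER, 1)
    else:
        user, ext = local, None
    return user, ext, domain


def rewrite_with_extension(table: Dict[str, str], addr: str, propagate: bool) -> Optional[str]:
    """canonical(5)/virtual(5)-style lookup: "user+ext@domain" first, then
    "user@domain". When only the bare form matches and this table type is
    listed in propagate_unmatched_extensions (propagate=True), the extension
    is re-attached to the result."""
    if addr in table:
        return table[addr]
    user, ext, domain = split_address(addr)
    if ext is None or domain is None:
        return None
    result = table.get(f"{user}@{domain}")
    if result is None or not propagate:
        return result
    r_user, at, r_domain = result.partition("@")
    return f"{r_user}{DELIMITER}{ext}{at}{r_domain}"


def bcc_lookup_keys(addr: str) -> List[str]:
    """The recipient_bcc_maps search order, in the order the page lists it."""
    user, ext, domain = split_address(addr)
    keys: List[str] = []
    if domain is None:
        return keys
    if ext is not None:
        keys.append(f"{user}{DELIMITER}{ext}@{domain}")
    keys.append(f"{user}@{domain}")
    if domain.lower() in LOCAL_DOMAINS:           # bare local parts only for local domains
        if ext is not None:
            keys.append(f"{user}{DELIMITER}{ext}")
        keys.append(user)
    keys.append(f"@{domain}")
    return keys


def recipient_bcc(addr: str, table: Dict[str, str] = RECIPIENT_BCC) -> Optional[str]:
    """First key found wins; None when no automatic BCC applies."""
    for key in bcc_lookup_keys(addr):
        if key in table:
            return table[key]
    return None
```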
4077
4079 The numerical Postfix SMTP server response code when a remote SMTP
4080 client request is rejected by the "reject" restriction.
4081
4082 Do not change this unless you have a complete understanding of RFC
4083 2821.
4084
4086 The Postfix SMTP server's action when a reject-type restriction fails
4087 due to a temporary error condition. Specify "defer" to defer the remote
4088 SMTP client request immediately. With the default "defer_if_permit"
4089 action, the Postfix SMTP server continues to look for opportunities to
4090 reject mail, and defers the client request only if it would otherwise
4091 be accepted.
4092
4093 For finer control, see: unverified_recipient_tempfail_action,
4094 unverified_sender_tempfail_action, unknown_address_tempfail_action, and
4095 unknown_helo_hostname_tempfail_action.
4096
4097 This feature is available in Postfix 2.6 and later.
4098
4100 List of tables with remote SMTP client-certificate fingerprints for
4101 which the Postfix SMTP server will allow access with the
4102 permit_tls_clientcerts feature. The fingerprint digest algorithm is
4103 configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as
4104 md5 prior to Postfix version 2.5).
4105
4106 Postfix lookup tables are in the form of (key, value) pairs. Since we
4107 only need the key, the value can be chosen freely, e.g. the name of
4108 the user or host:
4109     D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
4110
4111 Example:
4112
4113 relay_clientcerts = hash:/etc/postfix/relay_clientcerts
4114
4115 For more fine-grained control, use check_ccert_access to select an
4116 appropriate access(5) policy for each client. See
4117 RESTRICTION_CLASS_README.
4118
4119 This feature is available with Postfix version 2.2.
4120
4122 rency_limit)
4123 The maximal number of parallel deliveries to the same destination via
4124 the relay message delivery transport. This limit is enforced by the
4125 queue manager. The message delivery transport name is the first field
4126 in the entry in the master.cf file.
4127
4128 This feature is available in Postfix 2.0 and later.
4129
4131 ent_limit)
4132 The maximal number of recipients per message for the relay message
4133 delivery transport. This limit is enforced by the queue manager. The
4134 message delivery transport name is the first field in the entry in the
4135 master.cf file.
4136
4137 Setting this parameter to a value of 1 changes the meaning of
4138 relay_destination_concurrency_limit from concurrency per domain into
4139 concurrency per recipient.
4140
4141 This feature is available in Postfix 2.0 and later.
4142
4144 What destination domains (and subdomains thereof) this system will
4145 relay mail to. Subdomain matching is controlled with the
4146 parent_domain_matches_subdomains parameter. For details about how the
4147 relay_domains value is used, see the description of the
4148 permit_auth_destination and reject_unauth_destination SMTP recipient
4149 restrictions.
4150
4151 Domains that match $relay_domains are delivered with the $relay_trans‐
4152 port mail delivery transport. The SMTP server validates recipient
4153 addresses with $relay_recipient_maps and rejects non-existent recipi‐
4154 ents. See also the relay domains address class in the
4155 ADDRESS_CLASS_README file.
4156
4157 Note: Postfix will not automatically forward mail for domains that list
4158 this system as their primary or backup MX host. See the per‐
4159 mit_mx_backup restriction in the postconf(5) manual page.
4160
4161 Specify a list of host or domain names, "/file/name" patterns or
4162 "type:table" lookup tables, separated by commas and/or whitespace.
4163 Continue long lines by starting the next line with whitespace. A
4164 "/file/name" pattern is replaced by its contents; a "type:table" lookup
4165 table is matched when a (parent) domain appears as lookup key. Specify
4166 "!pattern" to exclude a domain from the list. The form "!/file/name" is
4167 supported only in Postfix version 2.4 and later.
4168
4170 The numerical Postfix SMTP server response code when a client request
4171 is rejected by the reject_unauth_destination recipient restriction.
4172
4173 Do not change this unless you have a complete understanding of RFC
4174 2821.
4175
4177 Optional lookup tables with all valid addresses in the domains that
4178 match $relay_domains. Specify @domain as a wild-card for domains that
4179 have no valid recipient list, and become a source of backscatter mail:
4180 Postfix accepts spam for non-existent recipients and then floods inno‐
4181 cent people with undeliverable mail. Technically, tables listed with
4182 $relay_recipient_maps are used as lists: Postfix needs to know only if
4183 a lookup string is found or not, but it does not use the result from
4184 table lookup.
4185
4186 If this parameter is non-empty, then the Postfix SMTP server will
4187 reject mail to unknown relay users. This feature is off by default.
4188
4189 See also the relay domains address class in the ADDRESS_CLASS_README
4190 file.
4191
4192 Example:
4193
4194 relay_recipient_maps = hash:/etc/postfix/relay_recipients
4195
4196 This feature is available in Postfix 2.0 and later.
4197
4199 The default mail delivery transport and next-hop destination for remote
4200 delivery to domains listed with $relay_domains. In order of decreasing
4201 precedence, the nexthop destination is taken from $relay_transport,
4202 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
4203 domain. This information can be overruled with the transport(5) table.
4204
4205 Specify a string of the form transport:nexthop, where transport is the
4206 name of a mail delivery transport defined in master.cf. The :nexthop
4207 destination is optional; its syntax is documented in the manual page of
4208 the corresponding delivery agent.
4209
4210 See also the relay domains address class in the ADDRESS_CLASS_README
4211 file.
4212
4213 This feature is available in Postfix 2.0 and later.
4214
4216 The next-hop destination of non-local mail; overrides non-local domains
4217 in recipient addresses. This information is overruled with relay_trans‐
4218 port, sender_dependent_default_transport_maps, default_transport,
4219 sender_dependent_relayhost_maps and with the transport(5) table.
4220
4221 On an intranet, specify the organizational domain name. If your inter‐
4222 nal DNS uses no MX records, specify the name of the intranet gateway
4223 host instead.
4224
4225 In the case of SMTP, specify a domain name, hostname, hostname:port,
4226 [hostname]:port, [hostaddress] or [hostaddress]:port. The form [host‐
4227 name] turns off MX lookups.
4228
4229 If you're connected via UUCP, see the UUCP_README file for useful
4230 information.
4231
4232 Examples:
4233
4234 relayhost = $mydomain
4235 relayhost = [gateway.example.com]
4236 relayhost = uucphost
4237 relayhost = [an.ip.add.ress]
4238
4240 Optional lookup tables with new contact information for users or
4241 domains that no longer exist. The table format and lookups are docu‐
4242 mented in relocated(5).
4243
4244 If you use this feature, run "postmap /etc/postfix/relocated" to build
4245 the necessary DBM or DB file after change, then "postfix reload" to
4246 make the changes visible.
4247
4248 Examples:
4249
4250 relocated_maps = dbm:/etc/postfix/relocated
4251 relocated_maps = hash:/etc/postfix/relocated
4252
4254 Don't rewrite message headers from remote clients at all when this
4255 parameter is empty; otherwise, rewrite message headers and append the
4256 specified domain name to incomplete addresses. The local_header_re‐
4257 write_clients parameter controls what clients Postfix considers local.
4258
4259 Examples:
4260
4261 The safe setting: append "domain.invalid" to incomplete header
4262 addresses from remote SMTP clients, so that those addresses cannot be
4263 confused with local addresses.
4264
4265 remote_header_rewrite_domain = domain.invalid
4266
4267 The default, purist, setting: don't rewrite headers from remote clients
4268 at all.
4269
4270 remote_header_rewrite_domain =
4271
4273 Require that a local(8) recipient's home directory exists before mail
4274 delivery is attempted. By default this test is disabled. It can be
4275 useful for environments that import home directories to the mail server
4276 (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
4277
4279 Resolve a recipient address safely instead of correctly, by looking
4280 inside quotes.
4281
4282 By default, the Postfix address resolver does not quote the address
4283 localpart as per RFC 822, so that additional @ or % or ! operators
4284 remain visible. This behavior is safe but it is also technically incor‐
4285 rect.
4286
4287 If you specify "resolve_dequoted_address = no", then the Postfix
4288 resolver will not know about additional @ etc. operators in the address
4289 localpart. This opens opportunities for obscure mail relay attacks with
4290 user@domain@domain addresses when Postfix provides backup MX service
4291 for Sendmail systems.
4292
4294 Resolve an address that ends in the "@" null domain as if the local
4295 hostname were specified, instead of rejecting the address as invalid.
4296
4297 This feature is available in Postfix 2.1 and later. Earlier versions
4298 always resolve the null domain as the local hostname.
4299
4300 The Postfix SMTP server uses this feature to reject mail from or to
4301 addresses that end in the "@" null domain, and from addresses that re‐
4302 write into a form that ends in the "@" null domain.
4303
4305 Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
4306 the address as invalid.
4307
4308 This feature is available in Postfix 2.3 and later.
4309
4311 The name of the address rewriting service. This service rewrites
4312 addresses to standard form and resolves them to a (delivery method,
4313 next-hop host, recipient) triple.
4314
4315 This feature is available in Postfix 2.0 and later.
4316
4318 The name of the directory with example Postfix configuration files.
4319 Starting with Postfix 2.1, these files have been replaced with the
4320 postconf(5) manual page.
4321
4323 When authenticating to a remote SMTP or LMTP server with the default
4324 setting "no", send no SASL authoriZation ID (authzid); send only the
4325 SASL authentiCation ID (authcid) plus the authcid's password.
4326
4327 The non-default setting "yes" enables the behavior of older Postfix
4328 versions. These always send a SASL authzid that is equal to the SASL
4329 authcid, but this causes inter-operability problems with some SMTP
4330 servers.
4331
4332 This feature is available in Postfix 2.4.4 and later.
4333
4335 This parameter should not be used. It was replaced by sender_depen‐
4336 dent_relayhost_maps in Postfix version 2.3.
4337
4339 Optional BCC (blind carbon-copy) address lookup tables, indexed by
4340 sender address. The BCC address (multiple results are not supported)
4341 is added when mail enters from outside of Postfix.
4342
4343 This feature is available in Postfix 2.1 and later.
4344
4345 The table search order is as follows:
4346
4347 · Look up the "user+extension@domain.tld" address including the
4348 optional address extension.
4349
4350 · Look up the "user@domain.tld" address without the optional
4351 address extension.
4352
4353 · Look up the "user+extension" address local part when the sender
4354 domain equals $myorigin, $mydestination, $inet_interfaces or
4355 $proxy_interfaces.
4356
4357 · Look up the "user" address local part when the sender domain
4358 equals $myorigin, $mydestination, $inet_interfaces or
4359 $proxy_interfaces.
4360
4361 · Look up the "@domain.tld" part.
4362
4363 Specify the types and names of databases to use. After change, run
4364 "postmap /etc/postfix/sender_bcc".
4365
4366 Note: if mail to the BCC address bounces it will be returned to the
4367 sender.
4368
4369 Note: automatic BCC recipients are produced only for new mail. To
4370 avoid mailer loops, automatic BCC recipients are not generated for mail
4371 that Postfix forwards internally, nor for mail that Postfix generates
4372 itself.
4373
4374 Example:
4375
4376 sender_bcc_maps = hash:/etc/postfix/sender_bcc
4377
4379 What addresses are subject to sender_canonical_maps address mapping.
4380 By default, sender_canonical_maps address mapping is applied to enve‐
4381 lope sender addresses, and to header sender addresses.
4382
4383 Specify one or more of: envelope_sender, header_sender
4384
4385 This feature is available in Postfix 2.2 and later.
4386
4388 Optional address mapping lookup tables for envelope and header sender
4389 addresses. The table format and lookups are documented in canoni‐
4390 cal(5).
4391
4392 Example: you want to rewrite the SENDER address "user@ugly.domain" to
4393 "user@pretty.domain", while still being able to send mail to the RECIP‐
4394 IENT address "user@ugly.domain".
4395
4396 Note: $sender_canonical_maps is processed before $canonical_maps.
4397
4398 Example:
4399
4400 sender_canonical_maps = hash:/etc/postfix/sender_canonical
4401
4403 A sender-dependent override for the global default_transport parameter
4404 setting. The tables are searched by the envelope sender address and
4405 @domain. A lookup result of DUNNO terminates the search without over‐
4406 riding the global default_transport parameter setting. This informa‐
4407 tion is overruled with the transport(5) table.
4408
4409 Note: this overrides default_transport, not transport_maps, and there‐
4410 fore the expected syntax is that of default_transport, not the syntax
4411 of transport_maps. Specifically, this does not support the trans‐
4412 port_maps syntax for null transport, null nexthop, or null email
4413 addresses.
4414
4415 For safety reasons, this feature does not allow $number substitutions
4416 in regular expression maps.
4417
4418 This feature is available in Postfix 2.7 and later.
4419
4421 A sender-dependent override for the global relayhost parameter setting.
4422 The tables are searched by the envelope sender address and @domain. A
4423 lookup result of DUNNO terminates the search without overriding the
4424 global relayhost parameter setting (Postfix 2.6 and later). This infor‐
4425 mation is overruled with relay_transport, sender_depen‐
4426 dent_default_transport_maps, default_transport and with the trans‐
4427 port(5) table.
4428
4429 For safety reasons, this feature does not allow $number substitutions
4430 in regular expression maps.
4431
4432 This feature is available in Postfix 2.3 and later.
4433
4435 A Sendmail compatibility feature that specifies the location of the
4436 Postfix sendmail(1) command. This command can be used to submit mail
4437 into the Postfix queue.
4438
4440 How long the Postfix master(8) waits before forking a server that
4441 appears to be malfunctioning.
4442
4443 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4444 The default time unit is s (seconds).
4445
4447 The group ownership of set-gid Postfix commands and of group-writable
4448 Postfix directories. When this parameter value is changed you need to
4449 re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
4450 "/etc/postfix/post-install set-permissions").
4451
4453 Display the name of the recipient table in the "User unknown"
4454 responses. The extra detail makes troubleshooting easier but also
4455 reveals information that is nobody else's business.
4456
4457 This feature is available in Postfix 2.0 and later.
4458
4460 The name of the showq(8) service. This service produces mail queue sta‐
4461 tus reports.
4462
4463 This feature is available in Postfix 2.0 and later.
4464
4466 Always send EHLO at the start of an SMTP session.
4467
4468 With "smtp_always_send_ehlo = no", Postfix sends EHLO only when the
4469 word "ESMTP" appears in the server greeting banner (example: 220
4470 spike.porcupine.org ESMTP Postfix).
4471
4473 An optional numerical network address that the Postfix SMTP client
4474 should bind to when making an IPv4 connection.
4475
4476 This can be specified in the main.cf file for all SMTP clients, or it
4477 can be specified in the master.cf file for a specific client, for exam‐
4478 ple:
4479
4480 /etc/postfix/master.cf:
4481 smtp ... smtp -o smtp_bind_address=11.22.33.44
4482
4483 Note 1: when inet_interfaces specifies no more than one IPv4 address,
4484 and that address is a non-loopback address, it is automatically used as
4485 the smtp_bind_address. This supports virtual IP hosting, but can be a
4486 problem on multi-homed firewalls. See the inet_interfaces documentation
4487 for more detail.
4488
4489 Note 2: address information may be enclosed inside [], but this form is
4490 not required here.
4491
4493 An optional numerical network address that the Postfix SMTP client
4494 should bind to when making an IPv6 connection.
4495
4496 This feature is available in Postfix 2.2 and later.
4497
4498 This can be specified in the main.cf file for all SMTP clients, or it
4499 can be specified in the master.cf file for a specific client, for exam‐
4500 ple:
4501
4502 /etc/postfix/master.cf:
4503 smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
4504
4505 Note 1: when inet_interfaces specifies no more than one IPv6 address,
4506 and that address is a non-loopback address, it is automatically used as
4507 the smtp_bind_address6. This supports virtual IP hosting, but can be a
4508 problem on multi-homed firewalls. See the inet_interfaces documentation
4509 for more detail.
4510
4511 Note 2: address information may be enclosed inside [], but this form is
4512 not recommended here.
4513
4515 Restricted body_checks(5) tables for the Postfix SMTP client. These
4516 tables are searched while mail is being delivered. Actions that change
4517 the delivery time or destination are not available.
4518
4519 This feature is available in Postfix 2.5 and later.
4520
4522 Allow DNS CNAME records to override the servername that the Postfix
4523 SMTP client uses for logging, SASL password lookup, TLS policy deci‐
4524 sions, or TLS certificate verification. The value "no" hardens Postfix
4525 smtp_tls_per_site hostname-based policies against false hostname infor‐
4526 mation in DNS CNAME records, and makes SASL password file lookups more
4527 predictable. This is the default setting as of Postfix 2.3.
4528
4529 This feature is available in Postfix 2.2.9 and later.
4530
4532 The SMTP client time limit for completing a TCP connection, or zero
4533 (use the operating system built-in time limit).
4534
4535 When no connection can be made within the deadline, the Postfix SMTP
4536 client tries the next address on the mail exchanger list. Specify 0 to
4537 disable the time limit (i.e. use whatever timeout is implemented by the
4538 operating system).
4539
4540 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4541 The default time unit is s (seconds).
4542
4544 Permanently enable SMTP connection caching for the specified destina‐
4545 tions. With SMTP connection caching, a connection is not closed imme‐
4546 diately after completion of a mail transaction. Instead, the connec‐
4547 tion is kept open for up to $smtp_connection_cache_time_limit seconds.
4548 This allows connections to be reused for other deliveries, and can
4549 improve mail delivery performance.
4550
4551 Specify a comma or white space separated list of destinations or
4552 pseudo-destinations:
4553
4554 · if mail is sent without a relay host: a domain name (the right-
4555 hand side of an email address, without the [] around a numeric
4556 IP address),
4557
4558 · if mail is sent via a relay host: a relay host name (without []
4559 or non-default TCP port), as specified in main.cf or in the
4560 transport map,
4561
4562 · if mail is sent via a UNIX-domain socket: a pathname (without
4563 the unix: prefix),
4564
4565 · a /file/name with domain names and/or relay host names as
4566 defined above,
4567
4568 · a "type:table" with domain names and/or relay host names on the
4569 left-hand side. The right-hand side result from "type:table"
4570 lookups is ignored.
4571
4572 This feature is available in Postfix 2.2 and later.
4573
4575 Temporarily enable SMTP connection caching while a destination has a
4576 high volume of mail in the active queue. With SMTP connection caching,
4577 a connection is not closed immediately after completion of a mail
4578 transaction. Instead, the connection is kept open for up to $smtp_con‐
4579 nection_cache_time_limit seconds. This allows connections to be reused
4580 for other deliveries, and can improve mail delivery performance.
4581
4582 This feature is available in Postfix 2.2 and later.
4583
4585 When SMTP connection caching is enabled, the number of times that an
4586 SMTP session may be reused before it is closed.
4587
4588 This feature is available in Postfix 2.2. In Postfix 2.3 it is replaced
4589 by $smtp_connection_reuse_time_limit.
4590
4592 When SMTP connection caching is enabled, the amount of time that an
4593 unused SMTP client socket is kept open before it is closed. Do not
4594 specify larger values without permission from the remote sites.
4595
4596 This feature is available in Postfix 2.2 and later.
4597
4599 The amount of time during which Postfix will use an SMTP connection
4600 repeatedly. The timer starts when the connection is initiated (i.e. it
4601 includes the connect, greeting and helo latency, in addition to the
4602 latencies of subsequent mail delivery transactions).
4603
4604 This feature addresses a performance stability problem with remote SMTP
4605 servers. This problem is not specific to Postfix: it can happen when
4606 any MTA sends large amounts of SMTP email to a site that has multiple
4607 MX hosts.
4608
4609 The problem starts when one of a set of MX hosts becomes slower than
4610 the rest. Even though SMTP clients connect to fast and slow MX hosts
4611 with equal probability, the slow MX host ends up with more simultaneous
4612 inbound connections than the faster MX hosts, because the slow MX host
4613 needs more time to serve each client request.
4614
4615 The slow MX host becomes a connection attractor. If one MX host
4616 becomes N times slower than the rest, it dominates mail delivery
4617 latency unless there are more than N fast MX hosts to counter the
4618 effect. And if the number of MX hosts is smaller than N, the mail
4619 delivery latency becomes effectively that of the slowest MX host
4620 divided by the total number of MX hosts.
4621
4622 The solution uses connection caching in a way that differs from Postfix
4623 version 2.2. By limiting the amount of time during which a connection
4624 can be used repeatedly (instead of limiting the number of deliveries
4625 over that connection), Postfix not only restores fairness in the dis‐
4626 tribution of simultaneous connections across a set of MX hosts, it also
4627 favors deliveries over connections that perform well, which is exactly
4628 what we want.
4629
4630 The default reuse time limit, 300s, is comparable to the various smtp
4631 transaction timeouts which are fair estimates of maximum excess latency
4632 for a slow delivery. Note that hosts may accept thousands of messages
4633 over a single connection within the default connection reuse time
4634 limit. This number is much larger than the default Postfix version 2.2
4635 limit of 10 messages per cached connection. It may prove necessary to
4636 lower the limit to avoid interoperability issues with MTAs that exhibit
4637 bugs when many messages are delivered via a single connection. A lower
4638 reuse time limit risks losing the benefit of connection reuse when the
4639 average connection and mail delivery latency exceeds the reuse time
4640 limit.
4641
4642 This feature is available in Postfix 2.3 and later.
4643
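The connection-attractor argument above can be checked with a small simulation; this is an added toy model, not Postfix code. A fixed number of concurrent delivery slots each pick an MX host at random (the "equal probability" assumption from the text), hold the connection for as long as the reuse policy allows, then pick again. Three policies are compared: no caching, reuse for a fixed number of deliveries (the Postfix 2.2 style), and reuse for a fixed amount of time (the smtp_connection_reuse_time_limit style). The service times (30 units on the slow host, 10 on the three fast ones), the limits (10 deliveries, 300 time units) and the slot count are constructed values.

```python
import heapq
import random


def simulate(service_times, policy, limit=0, slots=40, horizon=20000, seed=1):
    """Run `slots` concurrent delivery slots against len(service_times) MX hosts.

    service_times[h]  time one delivery takes on host h (constructed units)
    policy   'none'  : one delivery per connection (no caching)
             'count' : reuse a connection for `limit` deliveries
             'time'  : start new deliveries on a connection while it is
                       younger than `limit` time units
    Returns each host's share of total connection-time, the deliveries
    per host, and the mean time spent per delivery."""
    rng = random.Random(seed)
    k = len(service_times)
    busy = [0.0] * k           # integrated connection-time per host
    delivered = [0] * k
    pending = [(0.0, s) for s in range(slots)]   # (time slot becomes free, slot)
    heapq.heapify(pending)
    while pending:
        now, slot = heapq.heappop(pending)
        if now >= horizon:
            continue           # this slot is finished; drain the others
        host = rng.randrange(k)            # equal-probability MX selection
        st = service_times[host]
        if policy == "none":
            n = 1
        elif policy == "count":
            n = limit
        elif policy == "time":
            n = max(1, -(-limit // st))    # deliveries starting at 0, st, 2st, ... < limit
        else:
            raise ValueError(policy)
        busy[host] += n * st
        delivered[host] += n
        heapq.heappush(pending, (now + n * st, slot))
    total = sum(busy)
    return {
        "share": [b / total for b in busy],
        "delivered": delivered,
        "mean_latency": total / sum(delivered),
    }


def compare(service_times=(30, 10, 10, 10)):
    """One host three times slower than the other three, under each policy."""
    return {policy: simulate(list(service_times), policy, limit)
            for policy, limit in (("none", 0), ("count", 10), ("time", 300))}


if __name__ == "__main__":
    for policy, result in compare().items():
        print(policy, [round(s, 2) for s in result["share"]],
              result["delivered"], round(result["mean_latency"], 1))
```

With N = 3 and three fast hosts, the slow host ends up holding about half of all connections under both the no-cache and the count-limited policies (each visit to it lasts three times longer), exactly the attractor effect described. Under the time-limited policy every host holds about a quarter of the connections, the slow host delivers roughly a third as many messages per connection as a fast one, and the mean time per delivery drops, which is the "favors deliveries over connections that perform well" outcome.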
4645 The SMTP client time limit for sending the SMTP ".", and for receiving
4646 the server response.
4647
4648 When no response is received within the deadline, a warning is logged
4649 that the mail may be delivered multiple times.
4650
4651 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4652 The default time unit is s (seconds).
4653
4655 The SMTP client time limit for sending the SMTP DATA command, and for
4656 receiving the server response.
4657
4658 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4659 The default time unit is s (seconds).
4660
4662 The SMTP client time limit for sending the SMTP message content. When
4663 the connection makes no progress for more than $smtp_data_xfer_timeout
4664 seconds the Postfix SMTP client terminates the transfer.
4665
4666 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4667 The default time unit is s (seconds).
4668
4670 Defer mail delivery when no MX record resolves to an IP address.
4671
4672 The default (no) is to return the mail as undeliverable. With older
4673 Postfix versions the default was to keep trying to deliver the mail
4674 until someone fixed the MX record or until the mail was too old.
4675
4676 Note: Postfix always ignores MX records with equal or worse preference
4677 than the local MTA itself.
4678
4679 This feature is available in Postfix 2.1 and later.
4680
4682 smtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)
4683 The maximal number of parallel deliveries to the same destination via
4684 the smtp message delivery transport. This limit is enforced by the
4685 queue manager. The message delivery transport name is the first field
4686 in the entry in the master.cf file.
4687
4689 smtp_destination_recipient_limit (default: $default_destination_recipient_limit)
4690 The maximal number of recipients per message for the smtp message
4691 delivery transport. This limit is enforced by the queue manager. The
4692 message delivery transport name is the first field in the entry in the
4693 master.cf file.
4694
4695 Setting this parameter to a value of 1 changes the meaning of smtp_des‐
4696 tination_concurrency_limit from concurrency per domain into concurrency
4697 per recipient.
4698
4700 Lookup tables, indexed by the remote SMTP server address, with case
4701 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
4702 that the Postfix SMTP client will ignore in the EHLO response from a
4703 remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
4704 ble is not indexed by hostname for consistency with smtpd_dis‐
4705 card_ehlo_keyword_address_maps.
4706
4707 This feature is available in Postfix 2.2 and later.
4708
4710 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
4711 etc.) that the Postfix SMTP client will ignore in the EHLO response
4712 from a remote SMTP server.
4713
4714 This feature is available in Postfix 2.2 and later.
4715
4716 Notes:
4717
4718 · Specify the silent-discard pseudo keyword to prevent this action
4719 from being logged.
4720
4721 · Use the smtp_discard_ehlo_keyword_address_maps feature to dis‐
4722 card EHLO keywords selectively.
4723
4725 Enforcement mode: require that remote SMTP servers use TLS encryption,
4726 and never send mail in the clear. This also requires that the remote
4727 SMTP server hostname matches the information in the remote server cer‐
4728 tificate, and that the remote SMTP server certificate was issued by a
4729 CA that is trusted by the Postfix SMTP client. If the certificate
4730 doesn't verify or the hostname doesn't match, delivery is deferred and
4731 mail stays in the queue.
4732
4733 The server hostname is matched against all names provided as dNSNames
4734 in the SubjectAlternativeName. If no dNSNames are specified, the Com‐
4735 monName is checked. The behavior may be changed with the
4736 smtp_tls_enforce_peername option.
4737
4738 This option is useful only if you are definitely sure that you will
4739 only connect to servers that support RFC 2487 _and_ that provide valid
4740 server certificates. Typical use is for clients that send all their
4741 email to a dedicated mailhub.
4742
4743 This feature is available in Postfix 2.2 and later. With Postfix 2.3
4744 and later use smtp_tls_security_level instead.
4745
4747 Optional list of relay hosts for SMTP destinations that can't be found
4748 or that are unreachable. With Postfix 2.2 and earlier this parameter is
4749 called fallback_relay.
4750
4751 By default, mail is returned to the sender when a destination is not
4752 found, and delivery is deferred when a destination is unreachable.
4753
4754 The fallback relays must be SMTP destinations. Specify a domain, host,
4755 host:port, [host]:port, [address] or [address]:port; the form [host]
4756 turns off MX lookups. If you specify multiple SMTP destinations, Post‐
4757 fix will try them in the specified order.
4758
4759 To prevent mailer loops between MX hosts and fall-back hosts, Postfix
4760 version 2.2 and later will not use the fallback relays for destinations
4761 that it is MX host for (assuming DNS lookup is turned on).
4762
4764 Optional lookup tables that perform address rewriting in the SMTP
4765 client, typically to transform a locally valid address into a globally
4766 valid address when sending mail across the Internet. This is needed
4767 when the local machine does not have its own Internet domain name, but
4768 uses something like localdomain.local instead.
4769
4770 The table format and lookups are documented in generic(5); examples are
4771 shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
4772 documents.
4773
4774 This feature is available in Postfix 2.2 and later.
4775
4777 Restricted header_checks(5) tables for the Postfix SMTP client. These
4778 tables are searched while mail is being delivered. Actions that change
4779 the delivery time or destination are not available.
4780
4781 This feature is available in Postfix 2.5 and later.
4782
4784 The hostname to send in the SMTP EHLO or HELO command.
4785
4786 The default value is the machine hostname. Specify a hostname or
4787 [ip.add.re.ss].
4788
4789 This information can be specified in the main.cf file for all SMTP
4790 clients, or it can be specified in the master.cf file for a specific
4791 client, for example:
4792
4793 /etc/postfix/master.cf:
4794 mysmtp ... smtp -o smtp_helo_name=foo.bar.com
4795
4796 This feature is available in Postfix 2.0 and later.
4797
4799 The SMTP client time limit for sending the HELO or EHLO command, and
4800 for receiving the initial server response.
4801
4802 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4803 The default time unit is s (seconds).
4804
4806 What mechanisms the Postfix SMTP client uses to look up a host's IP
4807 address. This parameter is ignored when DNS lookups are disabled (see:
4808 disable_dns_lookups).
4809
4810 Specify one of the following:
4811
4812 dns Hosts can be found in the DNS (preferred).
4813
4814 native Use the native naming service only (nsswitch.conf, or equivalent
4815 mechanism).
4816
4817 dns, native
4818 Use the native service for hosts not found in the DNS.
4819
4820 This feature is available in Postfix 2.1 and later.
4821
4823 The maximal length of message header and body lines that Postfix will
4824 send via SMTP. Longer lines are broken by inserting "<CR><LF><SPACE>".
4825 This minimizes the damage to MIME formatted mail.
4826
4827 By default, the line length is limited to 990 characters, because some
4828 server implementations cannot receive mail with long lines.
4829
4831 The SMTP client time limit for sending the MAIL FROM command, and for
4832 receiving the server response.
4833
4834 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4835 The default time unit is s (seconds).
4836
4838 Restricted mime_header_checks(5) tables for the Postfix SMTP client.
4839 These tables are searched while mail is being delivered. Actions that
4840 change the delivery time or destination are not available.
4841
4842 This feature is available in Postfix 2.5 and later.
4843
4845 The maximal number of MX (mail exchanger) IP addresses that can result
4846 from mail exchanger lookups, or zero (no limit). Prior to Postfix ver‐
4847 sion 2.3, this limit was disabled by default.
4848
4849 This feature is available in Postfix 2.1 and later.
4850
4852 The maximal number of SMTP sessions per delivery request before giving
4853 up or delivering to a fall-back relay host, or zero (no limit). This
4854 restriction ignores sessions that fail to complete the SMTP initial
4855 handshake (Postfix version 2.2 and earlier) or that fail to complete
4856 the EHLO and TLS handshake (Postfix version 2.3 and later).
4857
4858 This feature is available in Postfix 2.1 and later.
4859
4861 Restricted nested_header_checks(5) tables for the Postfix SMTP client.
4862 These tables are searched while mail is being delivered. Actions that
4863 change the delivery time or destination are not available.
4864
4865 This feature is available in Postfix 2.5 and later.
4866
4868 Never send EHLO at the start of an SMTP session. See also the
4869 smtp_always_send_ehlo parameter.
4870
4872 How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
4873 order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
4874
4875 Choosing too short a time makes this workaround ineffective when
4876 sending large messages over slow network connections.
4877
4879 Lookup tables, indexed by the remote SMTP server address, with per-des‐
4880 tination workarounds for CISCO PIX firewall bugs. The table is not
4881 indexed by hostname for consistency with smtp_discard_ehlo_key‐
4882 word_address_maps.
4883
4884 This feature is available in Postfix 2.4 and later.
4885
4887 How long a message must be queued before the Postfix SMTP client turns
4888 on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery
4889 through firewalls with "smtp fixup" mode turned on.
4890
4891 By default, the workaround is turned off for mail that is queued for
4892 less than 500 seconds. In other words, the workaround is normally
4893 turned off for the first delivery attempt.
4894
4895 Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
4896 upon the first delivery attempt.
4897
4899 A list that specifies zero or more workarounds for CISCO PIX firewall
4900 bugs. These workarounds are implemented by the Postfix SMTP client.
4901 Workaround names are separated by comma or space, and are case insensi‐
4902 tive. This parameter setting can be overruled with per-destination
4903 smtp_pix_workaround_maps settings.
4904
4905 delay_dotcrlf
4906 Insert a delay before sending ".<CR><LF>" after the end of the
4907 message content. The delay is subject to the smtp_pix_work‐
4908 around_delay_time and smtp_pix_workaround_threshold_time parame‐
4909 ter settings.
4910
4911 disable_esmtp
4912 Disable all extended SMTP commands: send HELO instead of EHLO.
4913
4914 This feature is available in Postfix 2.4 and later. The default set‐
4915 tings are backwards compatible with earlier Postfix versions.
4916
4918 The SMTP client time limit for sending the QUIT command, and for
4919 receiving the server response.
4920
4921 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4922 The default time unit is s (seconds).
4923
4925 Quote addresses in SMTP MAIL FROM and RCPT TO commands as required by
4926 RFC 2821. This includes putting quotes around an address localpart that
4927 ends in ".".
4928
4929 The default is to comply with RFC 2821. If you have to send mail to a
4930 broken SMTP server, configure a special SMTP client in master.cf:
4931
4932 /etc/postfix/master.cf:
4933 broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
4934
4935 and route mail for the destination in question to the "broken-smtp"
4936 message delivery with a transport(5) table.
4937
4938 This feature is available in Postfix 2.1 and later.
4939
4941 Randomize the order of equal-preference MX host addresses. This is a
4942 performance feature of the Postfix SMTP client.
4943
4945 The SMTP client time limit for sending the SMTP RCPT TO command, and
4946 for receiving the server response.
4947
4948 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4949 The default time unit is s (seconds).
4950
4952 A mechanism to transform replies from remote SMTP servers one line at a
4953 time. This is a last-resort tool to work around server replies that
4954 break inter-operability with the Postfix SMTP client. Other uses
4955 involve fault injection to test Postfix's handling of invalid
4956 responses.
4957
4958 Notes:
4959
4960 · In the case of a multi-line reply, the Postfix SMTP client uses
4961 the final reply line's numerical SMTP reply code and enhanced
4962 status code.
4963
4964 · The numerical SMTP reply code (XYZ) takes precedence over the
4965 enhanced status code (X.Y.Z). When the enhanced status code
4966 initial digit differs from the SMTP reply code initial digit, or
4967 when no enhanced status code is present, the Postfix SMTP client
4968 uses a generic enhanced status code (X.0.0) instead.
4969
4970 Specify the name of a "type:table" lookup table. The search string is a
4971 single SMTP reply line as received from the remote SMTP server, except
4972 that the trailing <CR><LF> are removed.
4973
4974 Examples:
4975
4976 /etc/postfix/main.cf:
4977 smtp_reply_filter = pcre:/etc/postfix/reply_filter
4978
4979 /etc/postfix/reply_filter:
4980 # Transform garbage into "250-filler..." so that it looks like
4981 # one line from a multi-line reply. It does not matter what we
4982 # substitute here as long as it has the right syntax. The Postfix
4983 # SMTP client will use the final line's numerical SMTP reply
4984 # code and enhanced status code.
4985 !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
4986
4987 This feature is available in Postfix 2.7.
4988
4990 The SMTP client time limit for sending the RSET command, and for
4991 receiving the server response. The SMTP client sends RSET in order to
4992 finish a recipient address probe, or to verify that a cached session is
4993 still usable.
4994
4995 This feature is available in Postfix 2.1 and later.
4996
4998 An optional table to prevent repeated SASL authentication failures with
4999 the same remote SMTP server hostname, username and password. Each table
5000 (key, value) pair contains a server name, a username and password, and
5001 the full server response. This information is stored when a remote SMTP
5002 server rejects an authentication attempt with a 535 reply code. As
5003 long as the smtp_sasl_password_maps information does not change, and as
5004 long as the smtp_sasl_auth_cache_name information does not expire (see
5005 smtp_sasl_auth_cache_time), the Postfix SMTP client avoids SASL
5006 authentication attempts with the same server, username and password, and
5007 instead bounces or defers mail as controlled with the
5008 smtp_sasl_auth_soft_bounce configuration parameter.
5009
5010 Use a per-destination delivery concurrency of 1 (for example,
5011 "smtp_destination_concurrency_limit = 1", "relay_destination_concur‐
5012 rency_limit = 1", etc.), otherwise multiple delivery agents may experi‐
5013 ence a login failure at the same time.
5014
5015 The table must be accessed via the proxywrite service, i.e. the map
5016 name must start with "proxy:". The table should be stored under the
5017 directory specified with the data_directory parameter.
5018
5019 This feature uses cryptographic hashing to protect plain-text pass‐
5020 words, and requires that Postfix is compiled with TLS support.
5021
5022 Example:
5023
5024 smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
5025
5026 This feature is available in Postfix 2.5 and later.
5027
5029 The maximal age of an smtp_sasl_auth_cache_name entry before it is
5030 removed.
5031
5032 This feature is available in Postfix 2.5 and later.
5033
5035 Enable SASL authentication in the Postfix SMTP client. By default, the
5036 Postfix SMTP client uses no authentication.
5037
5038 Example:
5039
5040 smtp_sasl_auth_enable = yes
5041
5043 When a remote SMTP server rejects a SASL authentication request with a
5044 535 reply code, defer mail delivery instead of returning mail as unde‐
5045 liverable. The latter behavior was hard-coded prior to Postfix version
5046 2.5.
5047
5048 Note: the setting "yes" overrides the global soft_bounce parameter, but
5049 the setting "no" does not.
5050
5051 Example:
5052
5053 # Default as of Postfix 2.5
5054 smtp_sasl_auth_soft_bounce = yes
5055 # The old hard-coded default
5056 smtp_sasl_auth_soft_bounce = no
5057
5058 This feature is available in Postfix 2.5 and later.
5059
5061 If non-empty, a Postfix SMTP client filter for the remote SMTP server's
5062 list of offered SASL mechanisms. Different client and server implemen‐
5063 tations may support different mechanism lists. By default, the Postfix
5064 SMTP client will use the intersection of the two. smtp_sasl_mecha‐
5065 nism_filter further restricts what server mechanisms the client will
5066 take into consideration.
5067
5068 Specify mechanism names, "/file/name" patterns or "type:table" lookup
5069 tables. The right-hand side result from "type:table" lookups is
5070 ignored. Specify "!pattern" to exclude a mechanism name from the list.
5071 The form "!/file/name" is supported only in Postfix version 2.4 and
5072 later.
5073
5074 This feature is available in Postfix 2.2 and later.
5075
5076 Examples:
5077
5078 smtp_sasl_mechanism_filter = plain, login
5079 smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
5080 smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
5081
5083 Optional SMTP client lookup tables with one username:password entry per
5084 remote hostname or domain, or sender address when sender-dependent
5085 authentication is enabled. If no username:password entry is found,
5086 then the Postfix SMTP client will not attempt to authenticate to the
5087 remote host.
5088
5089 The Postfix SMTP client opens the lookup table before going to chroot
5090 jail, so you can leave the password file in /etc/postfix.
5091
5093 Implementation-specific information that the Postfix SMTP client passes
5094 through to the SASL plug-in implementation that is selected with
5095 smtp_sasl_type. Typically this specifies the name of a configuration
5096 file or rendezvous point.
5097
5098 This feature is available in Postfix 2.3 and later.
5099
5101 Postfix SMTP client SASL security options; as of Postfix 2.3 the list
5102 of available features depends on the SASL client implementation that is
5103 selected with smtp_sasl_type.
5104
5105 The following security features are defined for the cyrus client SASL
5106 implementation:
5107
5108 Specify zero or more of the following:
5109
5110 noplaintext
5111 Disallow methods that use plaintext passwords.
5112
5113 noactive
5114 Disallow methods subject to active (non-dictionary) attack.
5115
5116 nodictionary
5117 Disallow methods subject to passive (dictionary) attack.
5118
5119 noanonymous
5120 Disallow methods that allow anonymous authentication.
5121
5122 mutual_auth
5123 Only allow methods that provide mutual authentication (not
5124 available with SASL version 1).
5125
5126 Example:
5127
5128 smtp_sasl_security_options = noplaintext
5129
5131 The SASL authentication security options that the Postfix SMTP client
5132 uses for TLS encrypted SMTP sessions.
5133
5134 This feature is available in Postfix 2.2 and later.
5135
5137 smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_security_options)
5138 The SASL authentication security options that the Postfix SMTP client
5139 uses for TLS encrypted SMTP sessions with a verified server certifi‐
5140 cate.
5141
5142 When mail is sent to the public MX host for the recipient's domain,
5143 server certificates are by default optional, and delivery proceeds even
5144 if certificate verification fails. For delivery via a submission ser‐
5145 vice that requires SASL authentication, it may be appropriate to send
5146 plaintext passwords only when the connection to the server is strongly
5147 encrypted and the server identity is verified.
5148
5149 The smtp_sasl_tls_verified_security_options parameter makes it possible
5150 to only enable plaintext mechanisms when a secure connection to the
5151 server is available. Submission servers subject to this policy must
5152 either have verifiable certificates or offer suitable non-plaintext
5153 SASL mechanisms.
5154
5155 This feature is available in Postfix 2.6 and later.
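
Worked example (added here; it is not part of the Postfix documentation):
a client that relays all mail through an authenticated submission service
and offers a plaintext SASL password only after the server certificate has
been verified. The relay name and port, the credentials, the mechanism list
and the CA file are assumptions.

```conf
/etc/postfix/main.cf:
    # Assumed submission relay; the [] suppress MX lookups, and the
    # same string is the lookup key in the password table below.
    relayhost = [smtp.example.net]:587

    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    # Mechanisms the relay is assumed to offer; nothing else is tried.
    smtp_sasl_mechanism_filter = plain, login

    # Require TLS with a certificate issued by the assumed CA file and
    # matching the relay name; do not trust the system CA bundle.
    smtp_tls_security_level = secure
    smtp_tls_CAfile = /etc/postfix/relay_ca.pem
    tls_append_default_CA = no

    # Plaintext password policy, from least to most trusted session:
    #   no TLS                      -> no plaintext mechanisms
    #   TLS, certificate unverified -> no plaintext mechanisms
    #   TLS, certificate verified   -> PLAIN/LOGIN allowed
    smtp_sasl_security_options = noplaintext, noanonymous
    smtp_sasl_tls_security_options = noplaintext, noanonymous
    smtp_sasl_tls_verified_security_options = noanonymous

/etc/postfix/sasl_passwd:
    # lookup key matches relayhost     username:password (assumed)
    [smtp.example.net]:587             relayuser:S3cretPassw0rd
```

Build the table with "postmap hash:/etc/postfix/sasl_passwd" and restrict
both sasl_passwd and sasl_passwd.db to root (mode 0600); the smtp(8)
client opens the table before entering its chroot jail, so /etc/postfix is
a suitable location. With "smtp_tls_security_level = secure" an unverified
certificate already defers the mail before any AUTH command is sent; the
three smtp_sasl_*security_options settings are the safety net for a
destination where the TLS level has been relaxed (for example to "may"
through smtp_tls_policy_maps): without a verified certificate the client
then finds no acceptable mechanism and defers the mail instead of sending
the password.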
5156
5158 The SASL plug-in type that the Postfix SMTP client should use for
5159 authentication. The available types are listed with the "postconf -A"
5160 command.
5161
5162 This feature is available in Postfix 2.3 and later.
5163
5165 Send the non-standard XFORWARD command when the Postfix SMTP server
5166 EHLO response announces XFORWARD support.
5167
5168 This allows an "smtp" delivery agent, used for injecting mail into a
5169 content filter, to forward the name, address, protocol and HELO name of
5170 the original client to the content filter and downstream queuing SMTP
5171 server. This can produce more useful logging than localhost[127.0.0.1]
5172 etc.
5173
5174 This feature is available in Postfix 2.1 and later.
5175
5177 Enable sender-dependent authentication in the Postfix SMTP client; this
5178 is available only with SASL authentication, and disables SMTP connec‐
5179 tion caching to ensure that mail from different senders will use the
5180 appropriate credentials.
5181
5182 This feature is available in Postfix 2.3 and later.
5183
5185 Skip SMTP servers that greet with a 4XX status code (go away, try again
5186 later).
5187
5188 By default, Postfix moves on to the next mail exchanger. Specify
5189 "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
5190 immediately.
5191
5192 This feature is available in Postfix 2.0 and earlier. Later Postfix
5193 versions always skip SMTP servers that greet with a 4XX status code.
5194
5196 Skip SMTP servers that greet with a 5XX status code (go away, do not
5197 try again later).
5198
5199 By default, the Postfix SMTP client moves on to the next mail exchanger.
5200 Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
5201 immediately. The default setting is incorrect, but it is what a lot of
5202 people expect to happen.
5203
5205 Do not wait for the response to the SMTP QUIT command.
5206
5208 Time limit for Postfix SMTP client write and read operations during TLS
5209 startup and shutdown handshake procedures.
5210
5211 This feature is available in Postfix 2.2 and later.
5212
5214 A file containing CA certificates of root CAs trusted to sign either
5215 remote SMTP server certificates or intermediate CA certificates. These
5216 are loaded into memory before the smtp(8) client enters the chroot
5217 jail. If the number of trusted roots is large, consider using
5218 smtp_tls_CApath instead, but note that the latter directory must be
5219 present in the chroot jail if the smtp(8) client is chrooted. This file
5220 may also be used to augment the client certificate trust chain, but it
5221 is best to include all the required certificates directly in
5222 $smtp_tls_cert_file.
5223
5224 Specify "tls_append_default_CA = no" to prevent Postfix from appending
5225 the system-supplied default CAs and trusting third-party certificates.
5226
5227 Example:
5228
5229 smtp_tls_CAfile = /etc/postfix/CAcert.pem
5230
5231 This feature is available in Postfix 2.2 and later.
5232
5234 Directory with PEM format certificate authority certificates that the
5235 Postfix SMTP client uses to verify a remote SMTP server certificate.
5236 Don't forget to create the necessary "hash" links with, for example,
5237 "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
5238
5239 To use this option in chroot mode, this directory (or a copy) must be
5240 inside the chroot jail.
5241
5242 Specify "tls_append_default_CA = no" to prevent Postfix from appending
5243 the system-supplied default CAs and trusting third-party certificates.
5244
5245 Example:
5246
5247 smtp_tls_CApath = /etc/postfix/certs
5248
5249 This feature is available in Postfix 2.2 and later.
5250
5252 Try to detect a mail hijacking attack based on a TLS protocol vulnera‐
5253 bility (CVE-2009-3555), where an attacker prepends malicious HELO,
5254 MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. The
5255 attack would succeed with non-Postfix SMTP servers that reply to the
5256 malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix
5257 SMTP client TLS session.
5258
5259 This feature is available in Postfix 2.7.
5260
5262 File with the Postfix SMTP client RSA certificate in PEM format. This
5263 file may also contain the Postfix SMTP client private RSA key, and
5264 these may be the same as the Postfix SMTP server RSA certificate and
5265 key file.
5266
5267 Do not configure client certificates unless you must present client TLS
5268 certificates to one or more servers. Client certificates are not usu‐
5269 ally needed, and can cause problems in configurations that work well
5270 without them. The recommended setting is to let the defaults stand:
5271
5272 smtp_tls_cert_file =
5273 smtp_tls_key_file =
5274 smtp_tls_dcert_file =
5275 smtp_tls_dkey_file =
5276 smtp_tls_eccert_file =
5277 smtp_tls_eckey_file =
5278
5279 The best way to use the default settings is to comment out the above
5280 parameters in main.cf if present.
5281
5282 To enable remote SMTP servers to verify the Postfix SMTP client cer‐
5283 tificate, the issuing CA certificates must be made available to the
5284 server. You should include the required certificates in the client cer‐
5285 tificate file, the client certificate first, then the issuing CA(s)
5286 (bottom-up order).
5287
5288 Example: the certificate for "client.example.com" was issued by "inter‐
5289 mediate CA" which itself has a certificate issued by "root CA". Create
5290 the client.pem file with "cat client_cert.pem intermediate_CA.pem
5291 root_CA.pem > client.pem".
5292
5293 If you also want to verify remote SMTP server certificates issued by
5294 these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
5295 which case it is not necessary to have them in the smtp_tls_cert_file,
5296 smtp_tls_dcert_file or smtp_tls_eccert_file.
5297
5298 A certificate supplied here must be usable as an SSL client certificate
5299 and hence pass the "openssl verify -purpose sslclient ..." test.
5300
5301 Example:
5302
5303 smtp_tls_cert_file = /etc/postfix/client.pem
5304
5305 This feature is available in Postfix 2.2 and later.
5306
5308 Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
5309 list. As this feature applies to all TLS security levels, it is easy to
5310 create inter-operability problems by choosing a non-default cipher
5311 list. Do not use a non-default TLS cipher list on hosts that deliver
5312 email to the public Internet: you will be unable to send email to
5313 servers that only support the ciphers you exclude. Using a restricted
5314 cipher list may be more appropriate for an internal MTA, where one can
5315 exert some control over the TLS software and settings of the peer
5316 servers.
5317
5318 Note: do not use "" quotes around the parameter value.
5319
5320 This feature is available in Postfix version 2.2. It is not used with
5321 Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
5322
5324 The minimum TLS cipher grade that the Postfix SMTP client will use with
5325 opportunistic TLS encryption. Cipher types listed in
5326 smtp_tls_exclude_ciphers are excluded from the base definition of the
5327 selected cipher grade. The default value "export" ensures maximum
5328 inter-operability. Because encryption is optional, stronger controls
5329 are not appropriate, and this setting SHOULD NOT be changed unless the
5330 change is essential.
5331
5332 When TLS is mandatory the cipher grade is chosen via the
5333 smtp_tls_mandatory_ciphers configuration parameter, see there for syn‐
5334 tax details. See smtp_tls_policy_maps for information on how to config‐
5335 ure ciphers on a per-destination basis.
5336
5337 Example:
5338 smtp_tls_ciphers = export
5339
5340 This feature is available in Postfix 2.6 and later. With earlier Post‐
5341 fix releases only the smtp_tls_mandatory_ciphers parameter is imple‐
5342 mented, and opportunistic TLS always uses "export" or better (i.e. all)
5343 ciphers.
5344
5346 File with the Postfix SMTP client DSA certificate in PEM format. This
5347 file may also contain the Postfix SMTP client private DSA key.
5348
5349 See the discussion under smtp_tls_cert_file for more details.
5350
5351 Example:
5352
5353 smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
5354
5355 This feature is available in Postfix 2.2 and later.
5356
5358 File with the Postfix SMTP client DSA private key in PEM format. This
5359 file may be combined with the Postfix SMTP client DSA certificate file
5360 specified with $smtp_tls_dcert_file.
5361
5362 The private key must be accessible without a pass-phrase, i.e. it must
5363 not be encrypted. File permissions should grant read-only access to the
5364 system superuser account ("root"), and no access to anyone else.
5365
5366 This feature is available in Postfix 2.2 and later.
5367
5369 File with the Postfix SMTP client ECDSA certificate in PEM format.
5370 This file may also contain the Postfix SMTP client ECDSA private key.
5371
5372 See the discussion under smtp_tls_cert_file for more details.
5373
5374 Example:
5375
5376 smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
5377
5378 This feature is available in Postfix 2.6 and later, when Postfix is
5379 compiled and linked with OpenSSL 1.0.0 or later.
5380
5382 File with the Postfix SMTP client ECDSA private key in PEM format.
5383 This file may be combined with the Postfix SMTP client ECDSA certifi‐
5384 cate file specified with $smtp_tls_eccert_file.
5385
5386 The private key must be accessible without a pass-phrase, i.e. it must
5387 not be encrypted. File permissions should grant read-only access to the
5388 system superuser account ("root"), and no access to anyone else.
5389
5390 This feature is available in Postfix 2.6 and later, when Postfix is
5391 compiled and linked with OpenSSL 1.0.0 or later.
5392
5394 With mandatory TLS encryption, require that the remote SMTP server
5395 hostname matches the information in the remote SMTP server certificate.
5396 As of RFC 2487 the requirements for hostname checking for MTA clients
5397 are not specified.
5398
5399 This option can be set to "no" to disable strict peer name checking.
5400 This setting has no effect on sessions that are controlled via the
5401 smtp_tls_per_site table.
5402
5403 Disabling hostname verification can make sense in a closed environment
5404 where special CAs are created. If not used carefully, this option opens
5405 the door to a "man-in-the-middle" attack (the CommonName of the
5406 attacker's certificate will be logged).
5407
5408 This feature is available in Postfix 2.2 and later. With Postfix 2.3
5409 and later use smtp_tls_security_level instead.
5410
5412 List of ciphers or cipher types to exclude from the Postfix SMTP client
5413 cipher list at all TLS security levels. This is not an OpenSSL
5414 cipherlist, it is a simple list separated by whitespace and/or commas.
5415 The elements are a single cipher, or one or more "+" separated cipher
5416 properties, in which case only ciphers matching all the properties are
5417 excluded.
5418
5419 Examples (some of these will cause problems):
5420
5421 smtp_tls_exclude_ciphers = aNULL
5422 smtp_tls_exclude_ciphers = MD5, DES
5423 smtp_tls_exclude_ciphers = DES+MD5
5424 smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
5425 smtp_tls_exclude_ciphers = kEDH+aRSA
5426
5427 The first setting disables anonymous ciphers. The next setting dis‐
5428 ables ciphers that use the MD5 digest algorithm or the (single) DES
5429 encryption algorithm. The next setting disables ciphers that use MD5
5430 and DES together. The next setting disables the two ciphers
5431 "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
5432 use "EDH" key exchange with RSA authentication.
5433
5434 This feature is available in Postfix 2.3 and later.
5435
5437 List of acceptable remote SMTP server certificate fingerprints for the
5438 "fingerprint" TLS security level (smtp_tls_security_level = finger‐
5439 print). At this security level, certificate authorities are not used,
5440 and certificate expiration times are ignored. Instead, server certifi‐
5441 cates are verified directly via their "fingerprint". The fingerprint is
5442 a message digest of the server certificate. The digest algorithm is
5443 selected via the smtp_tls_fingerprint_digest parameter.
5444
5445 When an smtp_tls_policy_maps table entry specifies the "fingerprint"
5446 security level, any "match" attributes in that entry specify the list
5447 of valid fingerprints for the corresponding destination. Multiple fin‐
5448 gerprints can be combined with a "|" delimiter in a single match
5449 attribute, or multiple match attributes can be employed.
5450
5451 Example: Certificate fingerprint verification with internal mailhub.
5452 Two matching fingerprints are listed. The relayhost may be multiple
5453 physical hosts behind a load-balancer, each with its own private/public
5454 key and self-signed certificate. Alternatively, a single relayhost may
5455 be in the process of switching from one set of private/public keys to
5456 another, and both keys are trusted just prior to the transition.
5457
5458 relayhost = [mailhub.example.com]
5459 smtp_tls_security_level = fingerprint
5460 smtp_tls_fingerprint_digest = md5
5461 smtp_tls_fingerprint_cert_match =
5462 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
5463 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
5464
5465 Example: Certificate fingerprint verification with selected destina‐
5466 tions. As in the example above, we show two matching fingerprints:
5467
5468 /etc/postfix/main.cf:
5469 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
5470 smtp_tls_fingerprint_digest = md5
5471
5472 /etc/postfix/tls_policy:
5473 example.com fingerprint
5474 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
5475 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
5476
5477 This feature is available in Postfix 2.5 and later.
5478
5480 The message digest algorithm used to construct remote SMTP server cer‐
5481 tificate fingerprints. At the "fingerprint" TLS security level
5482 (smtp_tls_security_level = fingerprint), the server certificate is ver‐
5483 ified by directly matching its fingerprint. The fingerprint is the mes‐
5484 sage digest of the server certificate using the selected algorithm.
5485 With a digest algorithm resistant to "second pre-image" attacks, it is
5486 not feasible to create a new public key and a matching certificate that
5487 has the same fingerprint.
5488
5489 The default algorithm is md5; this is consistent with the backwards
5490 compatible setting of the digest used to verify client certificates in
5491 the SMTP server.
5492
5493 The best practice algorithm is now sha1. Recent advances in hash func‐
5494 tion cryptanalysis have led to md5 being deprecated in favor of sha1.
5495 However, as long as there are no known "second pre-image" attacks
5496 against md5, its use in this context can still be considered safe.
5497
5498 While additional digest algorithms are often available with OpenSSL's
5499 libcrypto, only those used by libssl in SSL cipher suites are available
5500 to Postfix. For now this means just md5 or sha1.
5501
5502 To find the fingerprint of a specific certificate file, with a specific
5503 digest algorithm (-md5 or -sha1 in place of -digest below), run:
5504
5505 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
5506
5507 The text to the right of "=" sign is the desired fingerprint. For
5508 example:
5509
5510 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
5511 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
5512
5513 This feature is available in Postfix 2.5 and later.
5514
5516 File with the Postfix SMTP client RSA private key in PEM format. This
5517 file may be combined with the Postfix SMTP client RSA certificate file
5518 specified with $smtp_tls_cert_file.
5519
5520 The private key must be accessible without a pass-phrase, i.e. it must
5521 not be encrypted. File permissions should grant read-only access to the
5522 system superuser account ("root"), and no access to anyone else.
5523
5524 Example:
5525
5526 smtp_tls_key_file = $smtp_tls_cert_file
5527
5528 This feature is available in Postfix 2.2 and later.
5529
5531 Enable additional Postfix SMTP client logging of TLS activity. Each
5532 logging level also includes the information that is logged at a lower
5533 logging level.
5534
5535 0 Disable logging of TLS activity.
5536
5537 1 Log TLS handshake and certificate information.
5538
5539 2 Log levels during TLS negotiation.
5540
5541 3 Log hexadecimal and ASCII dump of TLS negotiation process.
5542
5543 4 Log hexadecimal and ASCII dump of complete transmission after
5544 STARTTLS.
5545
5546 Use "smtp_tls_loglevel = 3" only in case of problems. Use of loglevel 4
5547 is strongly discouraged.
5548
5549 This feature is available in Postfix 2.2 and later.
5550
5552 The minimum TLS cipher grade that the Postfix SMTP client will use with
5553 mandatory TLS encryption. The default value "medium" is suitable for
5554 most destinations with which you may want to enforce TLS, and is beyond
5555 the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
5556 for information on how to configure ciphers on a per-destination basis.
5557
5558 The following cipher grades are supported:
5559
5560 export Enable "EXPORT" grade or better OpenSSL ciphers. This is the
5561 default for opportunistic encryption. It is not recommended for
5562 mandatory encryption unless you must enforce TLS with "crippled"
5563 peers. The underlying cipherlist is specified via the
5564 tls_export_cipherlist configuration parameter, which you are
5565 strongly encouraged to not change.
5566
5567 low Enable "LOW" grade or better OpenSSL ciphers. This setting is
5568 only appropriate for internal mail servers. The underlying
5569 cipherlist is specified via the tls_low_cipherlist configuration
5570 parameter, which you are strongly encouraged to not change.
5571
5572 medium Enable "MEDIUM" grade or better OpenSSL ciphers. The underlying
5573 cipherlist is specified via the tls_medium_cipherlist configura‐
5574 tion parameter, which you are strongly encouraged to not change.
5575
5576 high Enable only "HIGH" grade OpenSSL ciphers. This setting may be
5577 appropriate when all mandatory TLS destinations (e.g. when all
5578 mail is routed to a suitably capable relayhost) support at least
5579 one "HIGH" grade cipher. The underlying cipherlist is specified
5580 via the tls_high_cipherlist configuration parameter, which you
5581 are strongly encouraged to not change.
5582
5583 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
5584 cation without encryption. This setting is only appropriate in
5585 the rare case that all servers are prepared to use NULL ciphers
5586 (not normally enabled in TLS servers). A plausible use-case is
5587 an LMTP server listening on a UNIX-domain socket that is config‐
5588 ured to support "NULL" ciphers. The underlying cipherlist is
5589 specified via the tls_null_cipherlist configuration parameter,
5590 which you are strongly encouraged to not change.
5591
5592 The underlying cipherlists for grades other than "null" include anony‐
5593 mous ciphers, but these are automatically filtered out if the Postfix
5594 SMTP client is configured to verify server certificates. You are very
5595 unlikely to need to take any steps to exclude anonymous ciphers, they
5596 are excluded automatically as necessary. If you must exclude anonymous
5597 ciphers at the "may" or "encrypt" security levels, when the Postfix
5598 SMTP client does not need or use peer certificates, set
5599 "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
5600 when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
5601
5602 This feature is available in Postfix 2.3 and later.
5603
5605 Additional list of ciphers or cipher types to exclude from the SMTP
5606 client cipher list at mandatory TLS security levels. This list works in
5607 addition to the exclusions listed with smtp_tls_exclude_ciphers (see
5608 there for syntax details).
5609
5610 Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
5611 ified on a per-destination basis via the TLS policy "exclude"
5612 attribute. See smtp_tls_policy_maps for notes and examples.
5613
5614 This feature is available in Postfix 2.3 and later.
5615
5617 List of SSL/TLS protocols that the Postfix SMTP client will use with
5618 mandatory TLS encryption. In main.cf the values are separated by
5619 whitespace, commas or colons. In the policy table "protocols" attribute
5620 (see smtp_tls_policy_maps) the only valid separator is colon. An empty
5621 value means allow all protocols. The valid protocol names (see
5622 SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
5623
5624 With Postfix >= 2.5 the parameter syntax is expanded to support proto‐
5625 col exclusions. One can now explicitly exclude SSLv2 by setting
5626 "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
5627 SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the
5628 protocols to include, rather than protocols to exclude, is still sup‐
5629 ported; use the form you find more intuitive.
5630
5631 Since SSL version 2 has known protocol weaknesses and is now depre‐
5632 cated, the default setting excludes "SSLv2". This means that by
5633 default, SSL version 2 will not be used at the "encrypt" security level
5634 and higher.
5635
5636 See the documentation of the smtp_tls_policy_maps parameter and
5637 TLS_README for more information about security levels.
5638
5639 Example:
5640
5641 smtp_tls_mandatory_protocols = TLSv1
5642 # Alternative form with Postfix >= 2.5:
5643 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
5644
5645 This feature is available in Postfix 2.3 and later.
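
Per-destination cipher and protocol policy, as an added example that is
not part of this manual's text: the global mandatory settings act as a
floor, and the policy table tightens or relaxes them for individual
next-hops. The hostnames, the table path and the CA file are assumptions.

```conf
/etc/postfix/main.cf:
    smtp_tls_security_level = may
    smtp_tls_CAfile = /etc/postfix/CAcert.pem
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    # Floor for every destination where TLS is enforced. Opportunistic
    # "may" sessions keep the "export" default so that public MX hosts
    # stay reachable.
    smtp_tls_mandatory_ciphers = medium
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

/etc/postfix/tls_policy:
    # Internal mailhub (assumed): enforce TLS with a CA-verified
    # certificate, HIGH-grade ciphers without MD5, TLSv1 only. Inside
    # the table the protocol separator is ":", not "," or whitespace.
    [mailhub.example.com]:25   secure ciphers=high exclude=MD5 protocols=!SSLv2:!SSLv3
    # Partner domain (assumed) whose MX hosts present a CA-issued
    # certificate: encrypt, match the certificate against the server
    # hostname or the next-hop domain, MEDIUM grade is enough.
    example.org                verify match=hostname:nexthop ciphers=medium
    # Legacy peer (assumed) that cannot do better: still encrypt, but
    # do not raise the bar above what it supports.
    legacy.example             encrypt ciphers=export protocols=!SSLv2
```

Build the table with "postmap hash:/etc/postfix/tls_policy". Where mail
is routed by relayhost or a transport(5) table, use the full next-hop
(with [] and ":port") as the lookup key, as recommended under
smtp_tls_per_site; a bare recipient domain is only correct when the mail
is delivered to that domain's MX hosts directly.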
5646
5648 Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
5649 is not already enabled for that server.
5650
5651 The logfile record looks like:
5652
5653 postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
5654
5655 This feature is available in Postfix 2.2 and later.
5656
       smtp_tls_per_site
              Optional lookup tables with the Postfix SMTP client TLS usage
              policy by next-hop destination and by remote SMTP server
              hostname. When both lookups succeed, the more specific per-site
              policy (NONE, MUST, etc) overrides the less specific one (MAY),
              and the more secure per-site policy (MUST, etc) overrides the
              less secure one (NONE). With Postfix 2.3 and later
              smtp_tls_per_site is strongly discouraged: use
              smtp_tls_policy_maps instead.

              Use of the bare hostname as the per-site table lookup key is
              discouraged. Always use the full destination nexthop (enclosed
              in [] with a possible ":port" suffix). A recipient domain or
              MX-enabled transport next-hop with no port suffix may look like
              a bare hostname, but is still a suitable destination.

              Specify a next-hop destination or server hostname on the
              left-hand side; no wildcards are allowed. The next-hop
              destination is either the recipient domain, or the destination
              specified with a transport(5) table, the relayhost parameter, or
              the relay_transport parameter. On the right hand side specify
              one of the following keywords:

              NONE   Don't use TLS at all. This overrides a less specific MAY
                     lookup result from the alternate host or next-hop lookup
                     key, and overrides the global smtp_use_tls,
                     smtp_enforce_tls, and smtp_tls_enforce_peername settings.

              MAY    Try to use TLS if the server announces support, otherwise
                     use the unencrypted connection. This has less precedence
                     than a more specific result (including NONE) from the
                     alternate host or next-hop lookup key, and has less
                     precedence than the more specific global
                     "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername =
                     yes".

              MUST_NOPEERMATCH
                     Require TLS encryption, but do not require that the
                     remote SMTP server hostname matches the information in
                     the remote SMTP server certificate, or that the server
                     certificate was issued by a trusted CA. This overrides a
                     less secure NONE or a less specific MAY lookup result
                     from the alternate host or next-hop lookup key, and
                     overrides the global smtp_use_tls, smtp_enforce_tls and
                     smtp_tls_enforce_peername settings.

              MUST   Require TLS encryption, require that the remote SMTP
                     server hostname matches the information in the remote
                     SMTP server certificate, and require that the remote SMTP
                     server certificate was issued by a trusted CA. This
                     overrides a less secure NONE and MUST_NOPEERMATCH or a
                     less specific MAY lookup result from the alternate host
                     or next-hop lookup key, and overrides the global
                     smtp_use_tls, smtp_enforce_tls and
                     smtp_tls_enforce_peername settings.

              The above keywords correspond to the "none", "may", "encrypt"
              and "verify" security levels for the new smtp_tls_security_level
              parameter introduced in Postfix 2.3. Starting with Postfix 2.3,
              and independently of how the policy is specified, the
              smtp_tls_mandatory_ciphers and smtp_tls_mandatory_protocols
              parameters apply when TLS encryption is mandatory. Connections
              for which encryption is optional typically enable all "export"
              grade and better ciphers (see smtp_tls_ciphers and
              smtp_tls_protocols).

              As long as no secure DNS lookup mechanism is available, false
              hostnames in MX or CNAME responses can change the server
              hostname that Postfix uses for TLS policy lookup and server
              certificate verification. Even with a perfect match between the
              server hostname and the server certificate, there is no
              guarantee that Postfix is connected to the right server. See
              TLS_README (Closing a DNS loophole with obsolete per-site TLS
              policies) for a possible work-around.

              This feature is available in Postfix 2.2 and later. With Postfix
              2.3 and later use smtp_tls_policy_maps instead.

       smtp_tls_policy_maps
              Optional lookup tables with the Postfix SMTP client TLS security
              policy by next-hop destination; when a non-empty value is
              specified, this overrides the obsolete smtp_tls_per_site
              parameter. See TLS_README for a more detailed discussion of TLS
              security levels.

              The TLS policy table is indexed by the full next-hop
              destination, which is either the recipient domain, or the
              verbatim next-hop specified in the transport table,
              $local_transport, $virtual_transport, $relay_transport or
              $default_transport. This includes any enclosing square brackets
              and any non-default destination server port suffix. The LMTP
              socket type prefix (inet: or unix:) is not included in the
              lookup key.

              Only the next-hop domain, or $myhostname with LMTP over
              UNIX-domain sockets, is used as the nexthop name for certificate
              verification. The port and any enclosing square brackets are
              used in the table lookup key, but are not used for server name
              verification.

              When the lookup key is a domain name without enclosing square
              brackets or any :port suffix (typically the recipient domain),
              and the full domain is not found in the table, just as with the
              transport(5) table, the parent domain starting with a leading
              "." is matched recursively. This allows one to specify a
              security policy for a recipient domain and all its sub-domains.

              The lookup result is a security level, followed by an optional
              list of whitespace and/or comma separated name=value attributes
              that override related main.cf settings. The TLS security levels
              in order of increasing security are:

              none   No TLS. No additional attributes are supported at this
                     level.

              may    Opportunistic TLS. Since sending in the clear is
                     acceptable, demanding stronger than default TLS security
                     merely reduces inter-operability. The optional "ciphers",
                     "exclude" and "protocols" attributes (available for
                     opportunistic TLS with Postfix >= 2.6) override the
                     "smtp_tls_ciphers", "smtp_tls_exclude_ciphers" and
                     "smtp_tls_protocols" configuration parameters. When
                     opportunistic TLS handshakes fail, Postfix retries the
                     connection with TLS disabled. This allows mail delivery
                     to sites with non-interoperable TLS implementations.

              encrypt
                     Mandatory TLS encryption. At this level and higher, the
                     optional "protocols" attribute overrides the main.cf
                     smtp_tls_mandatory_protocols parameter, the optional
                     "ciphers" attribute overrides the main.cf
                     smtp_tls_mandatory_ciphers parameter, and the optional
                     "exclude" attribute (Postfix >= 2.6) overrides the
                     main.cf smtp_tls_mandatory_exclude_ciphers parameter. In
                     the policy table, multiple protocols or excluded ciphers
                     must be separated by colons, as attribute values may not
                     contain whitespace or commas.

              fingerprint
                     Certificate fingerprint verification. Available with
                     Postfix 2.5 and later. At this security level, there are
                     no trusted certificate authorities. The certificate trust
                     chain, expiration date, ... are not checked. Instead, the
                     optional match attribute, or else the main.cf
                     smtp_tls_fingerprint_cert_match parameter, lists the
                     valid "fingerprints" of the server certificate. The
                     digest algorithm used to calculate the fingerprint is
                     selected by the smtp_tls_fingerprint_digest parameter.
                     Multiple fingerprints can be combined with a "|"
                     delimiter in a single match attribute, or multiple match
                     attributes can be employed. The ":" character is not used
                     as a delimiter as it occurs between each pair of
                     fingerprint (hexadecimal) digits.

              verify Mandatory TLS verification. At this security level, DNS
                     MX lookups are trusted to be secure enough, and the name
                     verified in the server certificate is usually obtained
                     indirectly via unauthenticated DNS MX lookups. The
                     optional "match" attribute overrides the main.cf
                     smtp_tls_verify_cert_match parameter. In the policy
                     table, multiple match patterns and strategies must be
                     separated by colons. In practice explicit control over
                     matching is more common with the "secure" policy,
                     described below.

              secure Secure-channel TLS. At this security level, DNS MX
                     lookups, though potentially used to determine the
                     candidate next-hop gateway IP addresses, are not trusted
                     to be secure enough for TLS peername verification.
                     Instead, the default name verified in the server
                     certificate is obtained directly from the next-hop, or is
                     explicitly specified via the optional match attribute
                     which overrides the main.cf smtp_tls_secure_cert_match
                     parameter. In the policy table, multiple match patterns
                     and strategies must be separated by colons. The match
                     attribute is most useful when multiple domains are
                     supported by a common server: the policy entries for the
                     additional domains specify matching rules for the primary
                     domain certificate. While transport table overrides that
                     route the secondary domains to the primary nexthop also
                     allow secure verification, they risk delivery to the
                     wrong destination when domains change hands or are
                     re-assigned to new gateways. With the "match" attribute
                     approach, routing is not perturbed, and mail is deferred
                     if verification of a new MX host fails.

              Example:

              /etc/postfix/main.cf:
                  smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
                  # Postfix 2.5 and later
                  smtp_tls_fingerprint_digest = md5

              /etc/postfix/tls_policy:
                  example.edu             none
                  example.mil             may
                  example.gov             encrypt protocols=TLSv1
                  example.com             verify  ciphers=high
                  example.net             secure
                  .example.net            secure  match=.example.net:example.net
                  [mail.example.org]:587  secure  match=nexthop
                  # Postfix 2.5 and later
                  [thumb.example.org]     fingerprint
                      match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
                      match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1

              Note: the "hostname" strategy, if listed in a non-default
              setting of smtp_tls_secure_cert_match or in the match attribute
              in the policy table, can render the secure level vulnerable to
              DNS forgery. Do not use the hostname strategy for secure-channel
              configurations in environments where DNS security is not
              assured.

              This feature is available in Postfix 2.3 and later.

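              The lookup and parsing rules described above, worked through as
              an added Python example; this is not Postfix code. It reads a
              constructed copy of the sample tls_policy table (continuation
              lines and repeated match attributes included), splits each
              attribute value on the delimiter appropriate to its level, and
              applies the parent-domain fallback only to bare domain keys,
              never to keys with enclosing brackets or a :port suffix.

```python
import re

# Constructed copy of the sample /etc/postfix/tls_policy table shown above.
# Continuation lines start with whitespace, as in any Postfix lookup table.
SAMPLE_TLS_POLICY = """\
example.edu             none
example.mil             may
example.gov             encrypt protocols=TLSv1
example.com             verify  ciphers=high
example.net             secure
.example.net            secure  match=.example.net:example.net
[mail.example.org]:587  secure  match=nexthop
[thumb.example.org]     fingerprint
    match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
"""

LEVELS = ("none", "may", "encrypt", "fingerprint", "verify", "secure")


def _split_attribute(level, name, value):
    """Attribute values may not contain whitespace or commas; multi-valued
    attributes use ":" (protocols, exclude, match) except fingerprint
    lists, where ":" sits between hex digit pairs and "|" delimits."""
    if name == "match":
        return value.split("|") if level == "fingerprint" else value.split(":")
    if name in ("protocols", "exclude"):
        return value.split(":")
    return [value]


def load_policy_table(text):
    """Parse tls_policy text into {lookup_key: (level, {attr: [values]})}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("entry without a security level: %r" % line)
        key, rhs = parts
        tokens = [t for t in re.split(r"[\s,]+", rhs) if t]
        level = tokens[0].lower()
        if level not in LEVELS:
            raise ValueError("unknown security level %r for %s" % (level, key))
        attrs = {}
        for token in tokens[1:]:
            name, sep, value = token.partition("=")
            if not sep or not value:
                raise ValueError("malformed attribute %r for %s" % (token, key))
            attrs.setdefault(name, []).extend(_split_attribute(level, name, value))
        if level == "none" and attrs:
            raise ValueError("level none takes no attributes (%s)" % key)
        table[key.lower()] = (level, attrs)
    return table


def lookup_policy(table, nexthop):
    """Find the policy for a full next-hop destination (brackets and :port
    included). Only a bare domain falls back to its parent domains with a
    leading ".", as with the transport(5) table. Returns None when unset."""
    key = nexthop.lower()
    if key in table:
        return table[key]
    if key.startswith("[") or ":" in key:
        return None
    labels = key.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None
```

              With the sample table, "mx.deep.example.net" resolves through
              ".example.net" to the secure entry with two match rules, while
              "[example.net]" finds nothing: the brackets suppress the parent
              domain search, so such destinations need their own entry.
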
       smtp_tls_protocols
              List of TLS protocols that the Postfix SMTP client will exclude
              or include with opportunistic TLS encryption. Starting with
              Postfix 2.6, the Postfix SMTP client will by default not use the
              obsolete SSLv2 protocol.

              In main.cf the values are separated by whitespace, commas or
              colons. In the policy table (see smtp_tls_policy_maps) the only
              valid separator is colon. An empty value means allow all
              protocols. The valid protocol names (see SSL_get_version(3))
              are "SSLv2", "SSLv3" and "TLSv1".

              To include a protocol, list its name; to exclude it, prefix the
              name with a "!" character. To exclude SSLv2 even for
              opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude
              both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2,
              !SSLv3". Explicitly listing the protocols to include is
              supported, but not recommended. OpenSSL provides no mechanisms
              for excluding protocols not known at compile-time. If Postfix is
              linked against an OpenSSL library that supports additional
              protocol versions, they cannot be excluded using either syntax.

              Example:
              # TLSv1 only!
              smtp_tls_protocols = !SSLv2, !SSLv3

              This feature is available in Postfix 2.6 and later.

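              The include/exclude syntax shared by smtp_tls_protocols and
              smtp_tls_mandatory_protocols, as an added Python example (not
              Postfix code). It parses both the main.cf form and the
              colon-only policy table form and computes which versions stay
              enabled. The library_protocols argument is a constructed model
              of what the linked OpenSSL supports; a name outside the three
              the page lists ("TLSv1.2" in the test below) stands for a
              version Postfix has no name for, which neither syntax can
              exclude.

```python
import re

# Protocol names postconf(5) lists as valid (see SSL_get_version(3)).
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")


def parse_protocol_list(value, in_policy_table=False):
    """Split a protocol list into (include, exclude) sets of names.

    In main.cf the names are separated by whitespace, commas or colons; in
    the smtp_tls_policy_maps "protocols" attribute the only separator is
    the colon. A name prefixed with "!" is an exclusion.
    """
    if in_policy_table:
        tokens = value.split(":")
    else:
        tokens = re.split(r"[\s,:]+", value)
    include, exclude = set(), set()
    for token in tokens:
        if not token:
            continue
        if token.startswith("!"):
            exclude.add(token[1:])
        else:
            include.add(token)
    return include, exclude


def effective_protocols(value, library_protocols=KNOWN_PROTOCOLS,
                        in_policy_table=False):
    """Return the protocol versions that remain enabled for a setting.

    library_protocols models what the linked OpenSSL supports (constructed
    input for this example). An empty list allows everything; an inclusion
    list keeps only the listed known names; exclusions are then removed.
    Versions Postfix has no name for (anything outside KNOWN_PROTOCOLS)
    cannot be excluded by either syntax and therefore always stay enabled.
    Names this example does not know are rejected rather than ignored.
    """
    include, exclude = parse_protocol_list(value, in_policy_table)
    unknown = {name for name in include | exclude if name not in KNOWN_PROTOCOLS}
    if unknown:
        raise ValueError("unknown protocol name(s): %s" % ", ".join(sorted(unknown)))
    known = {p for p in library_protocols if p in KNOWN_PROTOCOLS}
    extra = {p for p in library_protocols if p not in KNOWN_PROTOCOLS}
    enabled = known if not include else known & include
    return frozenset((enabled - exclude) | extra)
```
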
       smtp_tls_scert_verifydepth
              The verification depth for remote SMTP server certificates. A
              depth of 1 is sufficient if the issuing CA is listed in a local
              CA file.

              The default verification depth is 9 (the OpenSSL default) for
              compatibility with earlier Postfix behavior. Prior to Postfix
              2.5, the default value was 5, but the limit was not actually
              enforced. If you have set this to a lower non-default value,
              certificates with longer trust chains may now fail to verify.
              Certificate chains with 1 or 2 CAs are common, deeper chains are
              more rare and any number between 5 and 9 should suffice in
              practice. You can choose a lower number if, for example, you
              trust certificates directly signed by an issuing CA but not any
              CAs it delegates to.

              This feature is available in Postfix 2.2 and later.

       smtp_tls_secure_cert_match
              The server certificate peername verification method for the
              "secure" TLS security level. In a "secure" TLS policy table
              ($smtp_tls_policy_maps) entry the optional "match" attribute
              overrides this main.cf setting.

              This parameter specifies one or more patterns or strategies
              separated by commas, whitespace or colons. In the policy table
              the only valid separator is the colon character.

              For a description of the pattern and strategy syntax see the
              smtp_tls_verify_cert_match parameter. The "hostname" strategy
              should be avoided in this context, as in the absence of a secure
              global DNS, using the results of MX lookups in certificate
              verification is not immune to active (man-in-the-middle)
              attacks on DNS.

              Sample main.cf setting:

              smtp_tls_secure_cert_match = nexthop

              Sample policy table override:

              example.net     secure match=example.com:.example.com
              .example.net    secure match=example.com:.example.com

              This feature is available in Postfix 2.3 and later.

       smtp_tls_security_level
              The default SMTP TLS security level for the Postfix SMTP client;
              when a non-empty value is specified, this overrides the obsolete
              parameters smtp_use_tls, smtp_enforce_tls, and
              smtp_tls_enforce_peername.

              Specify one of the following security levels:

              none   TLS will not be used unless enabled for specific
                     destinations via smtp_tls_policy_maps.

              may    Opportunistic TLS. Use TLS if this is supported by the
                     remote SMTP server, otherwise use plaintext. Since
                     sending in the clear is acceptable, demanding stronger
                     than default TLS security merely reduces
                     inter-operability. The "smtp_tls_ciphers" and
                     "smtp_tls_protocols" (Postfix >= 2.6) configuration
                     parameters provide control over the protocols and cipher
                     grade used with opportunistic TLS. With earlier releases
                     the opportunistic TLS cipher grade is always "export" and
                     no protocols are disabled. When TLS handshakes fail, the
                     connection is retried with TLS disabled. This allows mail
                     delivery to sites with non-interoperable TLS
                     implementations.

              encrypt
                     Mandatory TLS encryption. Since a minimum level of
                     security is intended, it is reasonable to be specific
                     about sufficiently secure protocol versions and ciphers.
                     At this security level and higher, the main.cf parameters
                     smtp_tls_mandatory_protocols and
                     smtp_tls_mandatory_ciphers specify the TLS protocols and
                     minimum cipher grade which the administrator considers
                     secure enough for mandatory encrypted sessions. This
                     security level is not an appropriate default for systems
                     delivering mail to the Internet.

              fingerprint
                     Certificate fingerprint verification. Available with
                     Postfix 2.5 and later. At this security level, there are
                     no trusted certificate authorities. The certificate trust
                     chain, expiration date, ... are not checked. Instead, the
                     smtp_tls_fingerprint_cert_match parameter lists the valid
                     "fingerprints" of the server certificate. The digest
                     algorithm used to calculate the fingerprint is selected
                     by the smtp_tls_fingerprint_digest parameter.

              verify Mandatory TLS verification. At this security level, DNS
                     MX lookups are trusted to be secure enough, and the name
                     verified in the server certificate is usually obtained
                     indirectly via unauthenticated DNS MX lookups. The
                     smtp_tls_verify_cert_match parameter controls how the
                     server name is verified. In practice explicit control
                     over matching is more common at the "secure" level,
                     described below. This security level is not an
                     appropriate default for systems delivering mail to the
                     Internet.

              secure Secure-channel TLS. At this security level, DNS MX
                     lookups, though potentially used to determine the
                     candidate next-hop gateway IP addresses, are not trusted
                     to be secure enough for TLS peername verification.
                     Instead, the default name verified in the server
                     certificate is obtained from the next-hop domain as
                     specified in the smtp_tls_secure_cert_match configuration
                     parameter. The default matching rule is that a server
                     certificate matches when its name is equal to or is a
                     sub-domain of the nexthop domain. This security level is
                     not an appropriate default for systems delivering mail to
                     the Internet.

              Examples:

              # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
              smtp_tls_security_level = none

              # Opportunistic TLS.
              smtp_tls_security_level = may
              # Postfix >= 2.6:
              # Do not tweak opportunistic ciphers or protocol unless it is essential
              # to do so (if a security vulnerability is found in the SSL library that
              # can be mitigated by disabling a particular protocol or raising the
              # cipher grade from "export" to "low" or "medium").
              smtp_tls_ciphers = export
              smtp_tls_protocols = !SSLv2

              # Mandatory (high-grade) TLS encryption.
              smtp_tls_security_level = encrypt
              smtp_tls_mandatory_ciphers = high

              # Mandatory TLS verification of hostname or nexthop domain.
              smtp_tls_security_level = verify
              smtp_tls_mandatory_ciphers = high
              smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop

              # Secure channel TLS with exact nexthop name match.
              smtp_tls_security_level = secure
              smtp_tls_mandatory_protocols = TLSv1
              smtp_tls_mandatory_ciphers = high
              smtp_tls_secure_cert_match = nexthop

              # Certificate fingerprint verification (Postfix >= 2.5).
              # The CA-less "fingerprint" security level only scales to a limited
              # number of destinations. As a global default rather than a per-site
              # setting, this is practical when mail for all recipients is sent
              # to a central mail hub.
              relayhost = [mailhub.example.com]
              smtp_tls_security_level = fingerprint
              smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
              smtp_tls_mandatory_ciphers = high
              smtp_tls_fingerprint_cert_match =
                  3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
                  EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35

              This feature is available in Postfix 2.3 and later.

       smtp_tls_session_cache_database
              Name of the file containing the optional Postfix SMTP client TLS
              session cache. Specify a database type that supports
              enumeration, such as btree or sdbm; there is no need to support
              concurrent access. The file is created if it does not exist.
              The smtp(8) daemon does not use this parameter directly, rather
              the cache is implemented indirectly in the tlsmgr(8) daemon.
              This means that per-smtp-instance master.cf overrides of this
              parameter are not effective. Note that each of the cache
              databases supported by the tlsmgr(8) daemon
              ($smtpd_tls_session_cache_database,
              $smtp_tls_session_cache_database and, with Postfix 2.3 and
              later, $lmtp_tls_session_cache_database) needs to be stored
              separately. It is not at this time possible to store multiple
              caches in a single database.

              Note: dbm databases are not suitable. TLS session objects are
              too large.

              As of version 2.5, Postfix no longer uses root privileges when
              opening this file. The file should now be stored under the
              Postfix-owned data_directory. As a migration aid, an attempt to
              open the file under a non-Postfix directory is redirected to the
              Postfix-owned data_directory, and a warning is logged.

              Example:

              smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

              This feature is available in Postfix 2.2 and later.

       smtp_tls_session_cache_timeout
              The expiration time of Postfix SMTP client TLS session cache
              information. A cache cleanup is performed periodically every
              $smtp_tls_session_cache_timeout seconds. As with
              $smtp_tls_session_cache_database, this parameter is implemented
              in the tlsmgr(8) daemon and therefore per-smtp-instance
              master.cf overrides are not possible.

              This feature is available in Postfix 2.2 and later.

       smtp_tls_verify_cert_match
              The server certificate peername verification method for the
              "verify" TLS security level. In a "verify" TLS policy table
              ($smtp_tls_policy_maps) entry the optional "match" attribute
              overrides this main.cf setting.

              This parameter specifies one or more patterns or strategies
              separated by commas, whitespace or colons. In the policy table
              the only valid separator is the colon character.

              Patterns specify domain names, or domain name suffixes:

              example.com
                     Match the example.com domain, i.e. one of the names in
                     the server certificate must be example.com; upper and
                     lower case distinctions are ignored.

              .example.com
                     Match subdomains of the example.com domain, i.e. match a
                     name in the server certificate that consists of a
                     non-zero number of labels followed by a .example.com
                     suffix. Case distinctions are ignored.

              Strategies specify a transformation from the next-hop domain to
              the expected name in the server certificate:

              nexthop
                     Match against the next-hop domain, which is either the
                     recipient domain, or the transport next-hop configured
                     for the domain, stripped of any optional socket type
                     prefix, enclosing square brackets and trailing port. When
                     MX lookups are not suppressed, this is the original
                     nexthop domain prior to the MX lookup, not the result of
                     the MX lookup. For LMTP delivery via UNIX-domain sockets,
                     the verified next-hop name is $myhostname. This strategy
                     is suitable for use with the "secure" policy. Case is
                     ignored.

              dot-nexthop
                     As above, but match server certificate names that are
                     subdomains of the next-hop domain. Case is ignored.

              hostname
                     Match against the hostname of the server, often obtained
                     via an unauthenticated DNS MX lookup. For LMTP delivery
                     via UNIX-domain sockets, the verified name is
                     $myhostname. This matches the verification strategy of
                     the "MUST" keyword in the obsolete smtp_tls_per_site
                     table, and is suitable for use with the "verify" security
                     level. When the next-hop name is enclosed in square
                     brackets to suppress MX lookups, the "hostname" strategy
                     is the same as the "nexthop" strategy. Case is ignored.

              Sample main.cf setting:

              smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop

              Sample policy table override:

              example.com     verify  match=hostname:nexthop
              .example.com    verify  match=example.com:.example.com:hostname

              This feature is available in Postfix 2.3 and later.

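              The pattern and strategy syntax above, which is shared by
              smtp_tls_verify_cert_match and smtp_tls_secure_cert_match, as
              an added Python example (not Postfix code). It reduces a
              next-hop destination to the name used for the "nexthop" and
              "dot-nexthop" strategies, applies the bracket rule that turns
              "hostname" into "nexthop" when MX lookups are suppressed, and
              matches the exact and ".suffix" patterns case-insensitively.
              The certificate names are assumed to have been extracted
              already; MYHOSTNAME is a constructed stand-in for $myhostname.

```python
import re

# Stands in for $myhostname; constructed for this example.
MYHOSTNAME = "mta.example.test"


def strip_nexthop(nexthop):
    """Remove an optional socket type prefix, enclosing [] and a :port
    suffix. Returns (domain, mx_suppressed); LMTP over a UNIX-domain
    socket has no domain, so $myhostname is returned with MX suppressed."""
    lowered = nexthop.lower()
    if lowered.startswith("unix:"):
        return MYHOSTNAME.lower(), True
    if lowered.startswith("inet:"):
        nexthop = nexthop[len("inet:"):]
    if nexthop.startswith("["):
        end = nexthop.find("]")
        host = nexthop[1:end] if end > 0 else nexthop[1:]
        return host.lower(), True
    return nexthop.split(":", 1)[0].lower(), False


def parse_match_rules(value, in_policy_table=False):
    """main.cf: commas, whitespace or colons; policy table: colons only."""
    separator = r":" if in_policy_table else r"[\s,:]+"
    return [rule for rule in re.split(separator, value) if rule]


def name_matches_rule(cert_name, rule, nexthop, server_hostname=None):
    """Apply one pattern or strategy to one name from the certificate."""
    name = cert_name.lower()
    rule = rule.lower()
    domain, mx_suppressed = strip_nexthop(nexthop)
    if rule == "nexthop":
        return name == domain
    if rule == "dot-nexthop":               # subdomains only, not the domain
        return name.endswith("." + domain)
    if rule == "hostname":
        # With MX lookups suppressed by [] this is the "nexthop" strategy.
        if mx_suppressed:
            return name == domain
        if server_hostname is None:
            raise ValueError("hostname strategy needs the server hostname")
        return name == server_hostname.lower()
    if rule.startswith("."):                # suffix: one or more labels + rule
        return name.endswith(rule)
    return name == rule                     # exact domain pattern


def certificate_matches(cert_names, rules, nexthop, server_hostname=None):
    """True when any certificate name satisfies any rule; cert_names are
    the CN/subjectAltName entries already taken from the certificate."""
    return any(name_matches_rule(n, r, nexthop, server_hostname)
               for n in cert_names for r in rules)
```

              The last two assertions in the accompanying test show the
              security point of the bracket rule: with "hostname" and an
              unbracketed next-hop the name compared comes from whatever the
              MX lookup returned, while "[example.com]" pins it to the
              configured domain.
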
       smtp_use_tls
              Opportunistic mode: use TLS when a remote SMTP server announces
              STARTTLS support, otherwise send the mail in the clear. Beware:
              some SMTP servers offer STARTTLS even if it is not configured.
              With Postfix < 2.3, if the TLS handshake fails, and no other
              server is available, delivery is deferred and mail stays in the
              queue. If this is a concern for you, use the smtp_tls_per_site
              feature instead.

              This feature is available in Postfix 2.2 and later. With Postfix
              2.3 and later use smtp_tls_security_level instead.

       smtp_xforward_timeout
              The SMTP client time limit for sending the XFORWARD command, and
              for receiving the server response.

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks). The default time unit is s (seconds).

              This feature is available in Postfix 2.1 and later.

       smtpd_authorized_verp_clients
              What SMTP clients are allowed to specify the XVERP command. This
              command requests that mail be delivered one recipient at a time
              with a per recipient return address.

              By default, no clients are allowed to specify XVERP.

              This parameter was renamed with Postfix version 2.1. The default
              value is backwards compatible with Postfix version 2.0.

              Specify a list of network/netmask patterns, separated by commas
              and/or whitespace. The mask specifies the number of bits in the
              network part of a host address. You can also specify hostnames
              or .domain names (the initial dot causes the domain to match any
              name below it), "/file/name" or "type:table" patterns. A
              "/file/name" pattern is replaced by its contents; a "type:table"
              lookup table is matched when a table entry matches a lookup
              string (the lookup result is ignored). Continue long lines by
              starting the next line with whitespace. Specify "!pattern" to
              exclude an address or network block from the list. The form
              "!/file/name" is supported only in Postfix version 2.4 and
              later.

              Note: IP version 6 address information must be specified inside
              [] in the smtpd_authorized_verp_clients value, and in files
              specified with "/file/name". IP version 6 addresses contain the
              ":" character, and would otherwise be confused with a
              "type:table" pattern.

       smtpd_authorized_xclient_hosts
              What SMTP clients are allowed to use the XCLIENT feature. This
              command overrides SMTP client information that is used for
              access control. Typical use is for SMTP-based content filters,
              fetchmail-like programs, or SMTP server access rule testing. See
              the XCLIENT_README document for details.

              This feature is available in Postfix 2.1 and later.

              By default, no clients are allowed to specify XCLIENT.

              Specify a list of network/netmask patterns, separated by commas
              and/or whitespace. The mask specifies the number of bits in the
              network part of a host address. You can also specify hostnames
              or .domain names (the initial dot causes the domain to match any
              name below it), "/file/name" or "type:table" patterns. A
              "/file/name" pattern is replaced by its contents; a "type:table"
              lookup table is matched when a table entry matches a lookup
              string (the lookup result is ignored). Continue long lines by
              starting the next line with whitespace. Specify "!pattern" to
              exclude an address or network block from the list. The form
              "!/file/name" is supported only in Postfix version 2.4 and
              later.

              Note: IP version 6 address information must be specified inside
              [] in the smtpd_authorized_xclient_hosts value, and in files
              specified with "/file/name". IP version 6 addresses contain the
              ":" character, and would otherwise be confused with a
              "type:table" pattern.

       smtpd_authorized_xforward_hosts
              What SMTP clients are allowed to use the XFORWARD feature. This
              command forwards information that is used to improve logging
              after SMTP-based content filters. See the XFORWARD_README
              document for details.

              This feature is available in Postfix 2.1 and later.

              By default, no clients are allowed to specify XFORWARD.

              Specify a list of network/netmask patterns, separated by commas
              and/or whitespace. The mask specifies the number of bits in the
              network part of a host address. You can also specify hostnames
              or .domain names (the initial dot causes the domain to match any
              name below it), "/file/name" or "type:table" patterns. A
              "/file/name" pattern is replaced by its contents; a "type:table"
              lookup table is matched when a table entry matches a lookup
              string (the lookup result is ignored). Continue long lines by
              starting the next line with whitespace. Specify "!pattern" to
              exclude an address or network block from the list. The form
              "!/file/name" is supported only in Postfix version 2.4 and
              later.

              Note: IP version 6 address information must be specified inside
              [] in the smtpd_authorized_xforward_hosts value, and in files
              specified with "/file/name". IP version 6 addresses contain the
              ":" character, and would otherwise be confused with a
              "type:table" pattern.

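              The network/netmask pattern list syntax that the three
              smtpd_authorized_* parameters above share (and that
              smtpd_client_event_limit_exceptions reuses via mynetworks), as
              an added Python example rather than Postfix code. It handles
              IPv4 and bracketed IPv6 networks, hostnames, ".domain" suffixes
              and "!pattern" exclusions, with the first matching pattern
              deciding. "/file/name" and "type:table" patterns need a file or
              table, so the example rejects them; an unbracketed IPv6 address
              lands in that branch too, which is the confusion the note above
              warns about. The client list and addresses are constructed.

```python
import ipaddress
import re


def parse_client_list(value):
    """Split a pattern list on commas and/or whitespace (continuation
    lines in main.cf have already been joined by the config reader)."""
    return [p for p in re.split(r"[\s,]+", value) if p]


def _pattern_matches(pattern, client_ip, client_hostname):
    """Match one pattern against one client address/hostname pair."""
    if pattern.startswith("["):
        # IPv6 goes inside []: "[2001:db8::]/32" -> network 2001:db8::/32
        address, _, mask = pattern[1:].partition("]")
        network = ipaddress.ip_network(address + mask, strict=False)
        return client_ip.version == 6 and client_ip in network
    if pattern.startswith("/") or ":" in pattern:
        # "/file/name" and "type:table" need the file or table; an
        # unbracketed IPv6 address lands here too, which is why the
        # page insists on the [] form.
        raise ValueError("file or table pattern not handled here: %r" % pattern)
    if pattern.startswith("."):
        return (client_hostname is not None
                and client_hostname.lower().endswith(pattern.lower()))
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:                       # not an address: a hostname
        return (client_hostname is not None
                and client_hostname.lower() == pattern.lower())
    return client_ip.version == network.version and client_ip in network


def client_is_listed(value, client_ip, client_hostname=None):
    """Patterns are tried in order and the first match decides: a match on
    a "!pattern" excludes the client, and later patterns are not consulted."""
    address = ipaddress.ip_address(client_ip)
    for pattern in parse_client_list(value):
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if _pattern_matches(pattern, address, client_hostname):
            return not negated
    return False
```

              Because the first match wins, "!192.168.1.5" must precede the
              "192.168.0.0/16" block it carves a hole in; in the other order
              the broader block matches first and the exclusion never fires.
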
       smtpd_banner
              The text that follows the 220 status code in the SMTP greeting
              banner. Some people like to see the mail version advertised. By
              default, Postfix shows no version.

              You MUST specify $myhostname at the start of the text. This is
              required by the SMTP protocol.

              Example:

              smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

       smtpd_client_connection_count_limit
              How many simultaneous connections any client is allowed to make
              to this service. By default, the limit is set to half the
              default process limit value.

              To disable this feature, specify a limit of 0.

              WARNING: The purpose of this feature is to limit abuse. It must
              not be used to regulate legitimate mail traffic.

              This feature is available in Postfix 2.2 and later.

       smtpd_client_connection_rate_limit
              The maximal number of connection attempts any client is allowed
              to make to this service per time unit. The time unit is
              specified with the anvil_rate_time_unit configuration parameter.

              By default, a client can make as many connections per time unit
              as Postfix can accept.

              To disable this feature, specify a limit of 0.

              WARNING: The purpose of this feature is to limit abuse. It must
              not be used to regulate legitimate mail traffic.

              This feature is available in Postfix 2.2 and later.

              Example:

              smtpd_client_connection_rate_limit = 1000

       smtpd_client_event_limit_exceptions
              Clients that are excluded from connection count, connection
              rate, or SMTP request rate restrictions. See the mynetworks
              parameter description for the parameter value syntax.

              By default, clients in trusted networks are excluded. Specify a
              list of network blocks, hostnames or .domain names (the initial
              dot causes the domain to match any name below it).

              Note: IP version 6 address information must be specified inside
              [] in the smtpd_client_event_limit_exceptions value, and in
              files specified with "/file/name". IP version 6 addresses
              contain the ":" character, and would otherwise be confused with
              a "type:table" pattern.

              This feature is available in Postfix 2.2 and later.

       smtpd_client_message_rate_limit
              The maximal number of message delivery requests that any client
              is allowed to make to this service per time unit, regardless of
              whether or not Postfix actually accepts those messages. The time
              unit is specified with the anvil_rate_time_unit configuration
              parameter.

              By default, a client can send as many message delivery requests
              per time unit as Postfix can accept.

              To disable this feature, specify a limit of 0.

              WARNING: The purpose of this feature is to limit abuse. It must
              not be used to regulate legitimate mail traffic.

              This feature is available in Postfix 2.2 and later.

              Example:

              smtpd_client_message_rate_limit = 1000

       smtpd_client_new_tls_session_rate_limit
              The maximal number of new (i.e., uncached) TLS sessions that a
              remote SMTP client is allowed to negotiate with this service per
              time unit. The time unit is specified with the
              anvil_rate_time_unit configuration parameter.

              By default, a remote SMTP client can negotiate as many new TLS
              sessions per time unit as Postfix can accept.

              To disable this feature, specify a limit of 0. Otherwise,
              specify a limit that is at least the per-client concurrent
              session limit, or else legitimate client sessions may be
              rejected.

              WARNING: The purpose of this feature is to limit abuse. It must
              not be used to regulate legitimate mail traffic.

              This feature is available in Postfix 2.3 and later.

              Example:

              smtpd_client_new_tls_session_rate_limit = 100

       smtpd_client_port_logging
              Enable logging of the remote SMTP client port in addition to the
              hostname and IP address. The logging format is
              "host[address]:port".

              This feature is available in Postfix 2.5 and later.

smtpd_client_recipient_rate_limit
       The maximal number of recipient addresses that any client is allowed
       to send to this service per time unit, regardless of whether or not
       Postfix actually accepts those recipients. The time unit is specified
       with the anvil_rate_time_unit configuration parameter.

       By default, a client can send as many recipient addresses per time
       unit as Postfix can accept.

       To disable this feature, specify a limit of 0.

       WARNING: The purpose of this feature is to limit abuse. It must not
       be used to regulate legitimate mail traffic.

       This feature is available in Postfix 2.2 and later.

       Example:

              smtpd_client_recipient_rate_limit = 1000
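
       The counting rule shared by smtpd_client_message_rate_limit,
       smtpd_client_new_tls_session_rate_limit and
       smtpd_client_recipient_rate_limit (events counted per client per
       time unit, accepted or not; 0 disables) is easy to misjudge when
       choosing a limit. The following is an added model of that rule, not
       Postfix or anvil(8) code; the time unit, the limit and the event
       trace are constructed values chosen for illustration.

```python
"""Model of the anvil(8)-style per-client rate limits described for
smtpd_client_message_rate_limit, smtpd_client_new_tls_session_rate_limit
and smtpd_client_recipient_rate_limit.

Added example, not Postfix code.  Events are counted per client address
per time unit (anvil_rate_time_unit) whether or not the request is
accepted, and a limit of 0 disables the check."""
from collections import defaultdict


class AnvilRateLimiter:
    def __init__(self, limit, time_unit=60):
        self.limit = limit            # 0 disables the feature
        self.time_unit = time_unit    # seconds, like anvil_rate_time_unit
        # client address -> [start of the current time unit, events seen]
        self.windows = defaultdict(lambda: [None, 0])

    def request(self, client_ip, now):
        """Record one event (message, recipient or new TLS session) from
        client_ip at time `now`; return True when the event exceeds the
        limit for the current time unit and should be refused."""
        if self.limit <= 0:
            return False
        start, seen = self.windows[client_ip]
        if start is None or now - start >= self.time_unit:
            start, seen = now, 0          # a new time unit begins
        seen += 1
        self.windows[client_ip] = [start, seen]
        return seen > self.limit


def replay(limit, events, time_unit=60):
    """Run a list of (timestamp, client_ip) events through a limiter and
    return the refused (timestamp, client_ip) pairs in order."""
    limiter = AnvilRateLimiter(limit, time_unit)
    return [(t, ip) for t, ip in events if limiter.request(ip, t)]


# Constructed event trace: one client sends four RCPT TO commands within a
# time unit, another sends two, then the first client returns a minute later.
EVENTS = [(0, "192.0.2.10"), (1, "192.0.2.10"), (2, "198.51.100.7"),
          (3, "192.0.2.10"), (4, "192.0.2.10"), (5, "198.51.100.7"),
          (70, "192.0.2.10")]
```

       Replaying the trace with a limit of 3 refuses only the fourth
       recipient from 192.0.2.10; the same client is counted afresh once
       the time unit has elapsed. Because refused events still count, a
       legitimate sender that keeps retrying stays over the limit for the
       rest of the time unit, which is why the WARNING above applies.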

smtpd_client_restrictions
       Optional SMTP server access restrictions in the context of a client
       SMTP connection request. See SMTPD_ACCESS_README, section "Delayed
       evaluation of SMTP access restriction lists" for a discussion of
       evaluation context and time.

       The default is to allow all connection requests.

       Specify a list of restrictions, separated by commas and/or
       whitespace. Continue long lines by starting the next line with
       whitespace. Restrictions are applied in the order as specified; the
       first restriction that matches wins.

       The following restrictions are specific to client hostname or client
       network address information.

       check_ccert_access type:table
              Use the client certificate fingerprint as lookup key for the
              specified access(5) database; with Postfix version 2.2, also
              require that the SMTP client certificate is verified
              successfully. The fingerprint digest algorithm is
              configurable via the smtpd_tls_fingerprint_digest parameter
              (hard-coded as md5 prior to Postfix version 2.5). This
              feature is available with Postfix version 2.2 and later.

       check_client_access type:table
              Search the specified access database for the client hostname,
              parent domains, client IP address, or networks obtained by
              stripping least significant octets. See the access(5) manual
              page for details.

       check_client_mx_access type:table
              Search the specified access(5) database for the MX hosts for
              the client hostname, and execute the corresponding action.
              Note: a result of "OK" is not allowed for safety reasons.
              Instead, use DUNNO in order to exclude specific hosts from
              blacklists. This feature is available in Postfix 2.7 and
              later.

       check_client_ns_access type:table
              Search the specified access(5) database for the DNS servers
              for the client hostname, and execute the corresponding
              action. Note: a result of "OK" is not allowed for safety
              reasons. Instead, use DUNNO in order to exclude specific
              hosts from blacklists. This feature is available in Postfix
              2.7 and later.

       check_reverse_client_hostname_access type:table
              Search the specified access database for the unverified
              reverse client hostname, parent domains, client IP address,
              or networks obtained by stripping least significant octets.
              See the access(5) manual page for details. Note: a result of
              "OK" is not allowed for safety reasons. Instead, use DUNNO in
              order to exclude specific hosts from blacklists. This feature
              is available in Postfix 2.6 and later.

       check_reverse_client_hostname_mx_access type:table
              Search the specified access(5) database for the MX hosts for
              the unverified reverse client hostname, and execute the
              corresponding action. Note: a result of "OK" is not allowed
              for safety reasons. Instead, use DUNNO in order to exclude
              specific hosts from blacklists. This feature is available in
              Postfix 2.7 and later.

       check_reverse_client_hostname_ns_access type:table
              Search the specified access(5) database for the DNS servers
              for the unverified reverse client hostname, and execute the
              corresponding action. Note: a result of "OK" is not allowed
              for safety reasons. Instead, use DUNNO in order to exclude
              specific hosts from blacklists. This feature is available in
              Postfix 2.7 and later.

       permit_inet_interfaces
              Permit the request when the client IP address matches
              $inet_interfaces.

       permit_mynetworks
              Permit the request when the client IP address matches any
              network or network address listed in $mynetworks.

       permit_sasl_authenticated
              Permit the request when the client is successfully
              authenticated via the RFC 4954 (AUTH) protocol.

       permit_tls_all_clientcerts
              Permit the request when the remote SMTP client certificate is
              verified successfully. This option must be used only if a
              special CA issues the certificates and only this CA is listed
              as trusted CA. Otherwise, clients with a third-party
              certificate would also be allowed to relay. Specify
              "tls_append_default_CA = no" when the trusted CA is specified
              with smtpd_tls_CAfile or smtpd_tls_CApath, to prevent Postfix
              from appending the system-supplied default CAs. This feature
              is available with Postfix version 2.2.

       permit_tls_clientcerts
              Permit the request when the remote SMTP client certificate
              fingerprint is listed in $relay_clientcerts. The fingerprint
              digest algorithm is configurable via the
              smtpd_tls_fingerprint_digest parameter (hard-coded as md5
              prior to Postfix version 2.5). This feature is available with
              Postfix version 2.2.

       reject_rbl_client rbl_domain=d.d.d.d
              Reject the request when the reversed client network address
              is listed with the A record "d.d.d.d" under rbl_domain
              (Postfix version 2.1 and later only). If no "=d.d.d.d" is
              specified, reject the request when the reversed client
              network address is listed with any A record under rbl_domain.
              The maps_rbl_reject_code parameter specifies the response
              code for rejected requests (default: 554), the
              default_rbl_reply parameter specifies the default server
              reply, and the rbl_reply_maps parameter specifies tables with
              server replies indexed by rbl_domain. This feature is
              available in Postfix 2.0 and later.

       reject_rhsbl_client rbl_domain=d.d.d.d
              Reject the request when the client hostname is listed with
              the A record "d.d.d.d" under rbl_domain (Postfix version 2.1
              and later only). If no "=d.d.d.d" is specified, reject the
              request when the client hostname is listed with any A record
              under rbl_domain. See the reject_rbl_client description above
              for additional RBL related configuration parameters. This
              feature is available in Postfix 2.0 and later.

       reject_unknown_client_hostname (with Postfix < 2.3:
       reject_unknown_client)
              Reject the request when 1) the client IP address->name
              mapping fails, 2) the name->address mapping fails, or 3) the
              name->address mapping does not match the client IP address.
              This is a stronger restriction than the
              reject_unknown_reverse_client_hostname feature, which
              triggers only under condition 1) above.
              The unknown_client_reject_code parameter specifies the
              response code for rejected requests (default: 450). The reply
              is always 450 in case the address->name or name->address
              lookup failed due to a temporary problem.

       reject_unknown_reverse_client_hostname
              Reject the request when the client IP address has no
              address->name mapping.
              This is a weaker restriction than the
              reject_unknown_client_hostname feature, which requires not
              only that the address->name and name->address mappings exist,
              but also that the two mappings reproduce the client IP
              address.
              The unknown_client_reject_code parameter specifies the
              response code for rejected requests (default: 450). The reply
              is always 450 in case the address->name lookup failed due to
              a temporary problem.
              This feature is available in Postfix 2.3 and later.

       In addition, you can use any of the following generic restrictions.
       These restrictions are applicable in any SMTP command context.

       check_policy_service servername
              Query the specified policy server. See the
              SMTPD_POLICY_README document for details. This feature is
              available in Postfix 2.1 and later.

       defer  Defer the request. The client is told to try again later.
              This restriction is useful at the end of a restriction list,
              to make the default policy explicit.
              The defer_code parameter specifies the SMTP server reply code
              (default: 450).

       defer_if_permit
              Defer the request if some later restriction would result in
              an explicit or implicit PERMIT action. This is useful when a
              blacklisting feature fails due to a temporary problem. This
              feature is available in Postfix version 2.1 and later.

       defer_if_reject
              Defer the request if some later restriction would result in a
              REJECT action. This is useful when a whitelisting feature
              fails due to a temporary problem. This feature is available
              in Postfix version 2.1 and later.

       permit Permit the request. This restriction is useful at the end of
              a restriction list, to make the default policy explicit.

       reject_multi_recipient_bounce
              Reject the request when the envelope sender is the null
              address, and the message has multiple envelope recipients.
              This usage has rare but legitimate applications: under
              certain conditions, multi-recipient mail that was posted with
              the DSN option NOTIFY=NEVER may be forwarded with the null
              sender address.
              Note: this restriction can only work reliably when used in
              smtpd_data_restrictions or smtpd_end_of_data_restrictions,
              because the total number of recipients is not known at an
              earlier stage of the SMTP conversation. Use at the RCPT stage
              will only reject the second etc. recipient.
              The multi_recipient_bounce_reject_code parameter specifies
              the response code for rejected requests (default: 550). This
              feature is available in Postfix 2.1 and later.

       reject_plaintext_session
              Reject the request when the connection is not encrypted. This
              restriction should not be used before the client has had a
              chance to negotiate encryption with the AUTH or STARTTLS
              commands.
              The plaintext_reject_code parameter specifies the response
              code for rejected requests (default: 450). This feature is
              available in Postfix 2.3 and later.

       reject_unauth_pipelining
              Reject the request when the client sends SMTP commands ahead
              of time where it is not allowed, or when the client sends
              SMTP commands ahead of time without knowing that Postfix
              actually supports ESMTP command pipelining. This stops mail
              from bulk mail software that improperly uses ESMTP command
              pipelining in order to speed up deliveries.
              With Postfix 2.6 and later, the SMTP server sets a
              per-session flag whenever it detects illegal pipelining,
              including pipelined EHLO or HELO commands. The
              reject_unauth_pipelining feature simply tests whether the
              flag was set at any point in time during the session.
              With older Postfix versions, reject_unauth_pipelining checks
              the current status of the input read queue, and its usage is
              not recommended in contexts other than
              smtpd_data_restrictions.

       reject Reject the request. This restriction is useful at the end of
              a restriction list, to make the default policy explicit. The
              reject_code configuration parameter specifies the response
              code for rejected requests (default: 554).

       sleep seconds
              Pause for the specified number of seconds and proceed with
              the next restriction in the list, if any. This may stop
              zombie mail when used as:
              /etc/postfix/main.cf:
                  smtpd_client_restrictions =
                      sleep 1, reject_unauth_pipelining
                  smtpd_delay_reject = no
              This feature is available in Postfix 2.3.

       warn_if_reject
              Change the meaning of the next restriction, so that it logs a
              warning instead of rejecting a request (look for logfile
              records that contain "reject_warning"). This is useful for
              testing new restrictions in a "live" environment without
              risking unnecessary loss of mail.

       Other restrictions that are valid in this context:

       ·      SMTP command specific restrictions that are described under
              the smtpd_helo_restrictions, smtpd_sender_restrictions or
              smtpd_recipient_restrictions parameters. When helo, sender or
              recipient restrictions are listed under
              smtpd_client_restrictions, they have effect only with
              "smtpd_delay_reject = yes", so that
              $smtpd_client_restrictions is evaluated at the time of the
              RCPT TO command.

       Example:

              smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
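
       The evaluation rules in this entry (first match wins, DUNNO falls
       through, warn_if_reject changes only the next restriction, the
       defer_if_* restrictions look at what the rest of the list would
       decide) are what make a restriction list behave as intended or not.
       The following is an added model of those rules, not Postfix source
       code: DNS records, the DNSBL and $mynetworks are constructed lookup
       tables, only the restrictions named in this entry are implemented,
       and the defer_if_permit/defer_if_reject lookahead is a modelling
       simplification that produces the outcome the text describes.

```python
"""Offline model of how the Postfix SMTP server walks smtpd_client_restrictions.

Added example, not Postfix source code.  Restrictions are tried in order,
the first PERMIT/REJECT/DEFER wins, DUNNO falls through to the next one, and
an exhausted list permits.  DNS data, the DNSBL and $mynetworks are
constructed tables so the code runs offline."""
import ipaddress

# Constructed DNS data standing in for address->name and name->address lookups.
PTR = {"192.0.2.10": "mail.example.org", "198.51.100.7": "spammer.example.net"}
A = {"mail.example.org": ["192.0.2.10"], "spammer.example.net": ["203.0.113.9"]}
# Constructed DNSBL: reversed client address under rbl_domain -> A record.
RBL = {"9.113.0.203.bl.example": "127.0.0.2", "7.100.51.198.bl.example": "127.0.0.3"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]


def reversed_addr(ip):
    return ".".join(reversed(ip.split(".")))


def verified_client_hostname(ip):
    """Name from the address->name lookup, but only when the name->address
    lookup reproduces the client IP address; otherwise "unknown"."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, []):
        return "unknown"
    return name


def apply_one(restriction, ip):
    """Evaluate one restriction: PERMIT, REJECT, DEFER or DUNNO (no opinion)."""
    name, _, arg = restriction.partition(" ")
    if name == "permit_mynetworks":
        return "PERMIT" if any(ipaddress.ip_address(ip) in n for n in MYNETWORKS) else "DUNNO"
    if name == "reject_unknown_reverse_client_hostname":   # condition 1) only
        return "REJECT" if ip not in PTR else "DUNNO"
    if name == "reject_unknown_client_hostname":            # conditions 1), 2) and 3)
        return "REJECT" if verified_client_hostname(ip) == "unknown" else "DUNNO"
    if name == "reject_rbl_client":
        rbl_domain, _, wanted = arg.partition("=")        # "=d.d.d.d" is optional
        listed = RBL.get(reversed_addr(ip) + "." + rbl_domain)
        if listed is not None and (not wanted or listed == wanted):
            return "REJECT"
        return "DUNNO"
    if name in ("permit", "reject", "defer"):
        return name.upper()
    raise ValueError("restriction not modelled here: " + restriction)


def evaluate(restrictions, ip, log=None):
    """Walk the list; first match wins.  `log` collects reject_warning records."""
    log = [] if log is None else log
    i = 0
    while i < len(restrictions):
        r = restrictions[i]
        if r == "warn_if_reject" and i + 1 < len(restrictions):
            # Only the next restriction is affected: its REJECT is logged, not enforced.
            result = apply_one(restrictions[i + 1], ip)
            if result == "REJECT":
                log.append("reject_warning: %s from [%s]" % (restrictions[i + 1], ip))
            elif result != "DUNNO":
                return result
            i += 2
            continue
        if r in ("defer_if_permit", "defer_if_reject"):
            # Decide from what the remainder of the list would do; an exhausted
            # list is an implicit PERMIT.
            later = evaluate(restrictions[i + 1:], ip, [])
            if later == ("PERMIT" if r == "defer_if_permit" else "REJECT"):
                return "DEFER"
            i += 1
            continue
        result = apply_one(r, ip)
        if result != "DUNNO":
            return result
        i += 1
    return "PERMIT"
```

       With the example list from this entry, a client inside
       192.0.2.0/24 is permitted by permit_mynetworks before any DNS check
       runs, while 198.51.100.7 is rejected because its name->address
       mapping (203.0.113.9) does not reproduce the client address
       (condition 3). Putting warn_if_reject in front of the same
       restriction turns that rejection into a "reject_warning" log record
       and the session continues.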

smtpd_command_filter
       A mechanism to transform commands from remote SMTP clients. This is
       a last-resort tool to work around client commands that break
       interoperability with the Postfix SMTP server. Other uses involve
       fault injection to test Postfix's handling of invalid commands.

       Specify the name of a "type:table" lookup table. The search string
       is the SMTP command as received from the remote SMTP client, except
       that initial whitespace and the trailing <CR><LF> are removed. The
       result value is executed by the Postfix SMTP server.

       Postfix already implements a number of workarounds for malformed
       client commands.

       ·      Use "resolve_numeric_domain = yes" to accept "user@ipaddress".

       ·      Postfix already accepts the correct form "user@[ipaddress]".

       ·      Use "strict_rfc821_envelopes = no" to accept "User Name
              <user@example.com>". Postfix will ignore the "User Name" part
              before delivering the mail.

       Examples:

       /etc/postfix/main.cf:
           smtpd_command_filter = pcre:/etc/postfix/command_filter

       /etc/postfix/command_filter:
           # Work around clients that send malformed HELO commands.
           /^HELO\s*$/ HELO domain.invalid

           # Work around clients that send empty lines.
           /^\s*$/ NOOP

           # Work around clients that send RCPT TO:<'user@domain'>.
           # WARNING: do not lose the parameters that follow the address.
           /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/ RCPT TO:<$1>$2

       This feature is available in Postfix 2.7.
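
       Because the result of a command_filter lookup is executed as an SMTP
       command, a rule that drops part of the original command silently
       changes what the server does. The following is an added example, not
       Postfix code, that applies the three rules above to raw client
       commands the way the lookup is described (leading whitespace and the
       trailing <CR><LF> removed, first matching pattern wins, a miss leaves
       the command unchanged). Python's re module stands in for the pcre:
       table driver; CARELESS_FILTER is a constructed contrast showing the
       parameter loss the WARNING comment refers to.

```python
"""Offline model of smtpd_command_filter using the pcre table shown above.

Added example, not Postfix code.  Python's re module stands in for the pcre:
table driver; Postfix writes $1/$2 and [[:space:]] where Python needs
\\1/\\2 and \\s."""
import re

# The three rules from /etc/postfix/command_filter above, translated to Python.
COMMAND_FILTER = [
    (r"^HELO\s*$", r"HELO domain.invalid"),            # HELO without a hostname
    (r"^\s*$", r"NOOP"),                                 # empty lines
    # RCPT TO:<'user@domain'>: keep the parameters that follow the address
    (r"^RCPT\s+TO:\s*<'([^\s]+)'>(.*)", r"RCPT TO:<\1>\2"),
]

# The mistake the WARNING above refers to (constructed): $2 is missing, so
# ESMTP parameters such as NOTIFY=NEVER after the address are silently dropped.
CARELESS_FILTER = [(r"^RCPT\s+TO:\s*<'([^\s]+)'>(.*)", r"RCPT TO:<\1>")]


def search_key(raw_command):
    """Lookup key: the command minus initial whitespace and trailing <CR><LF>."""
    return raw_command.lstrip().rstrip("\r\n")


def filter_command(raw_command, table=COMMAND_FILTER):
    """Return the command the SMTP server will actually execute: the
    replacement of the first matching rule, or the unchanged key."""
    key = search_key(raw_command)
    for pattern, replacement in table:
        match = re.search(pattern, key)
        if match:
            return match.expand(replacement)
    return key
```

       Run against "RCPT TO:<'user@example.com'> NOTIFY=NEVER", the table
       from this entry yields "RCPT TO:<user@example.com> NOTIFY=NEVER",
       whereas the careless rule yields "RCPT TO:<user@example.com>" and
       the client's DSN request is lost. Commands that match no rule, such
       as a well-formed HELO, pass through unchanged.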

smtpd_data_restrictions
       Optional access restrictions that the Postfix SMTP server applies in
       the context of the SMTP DATA command. See SMTPD_ACCESS_README,
       section "Delayed evaluation of SMTP access restriction lists" for a
       discussion of evaluation context and time.

       This feature is available in Postfix 2.0 and later.

       Specify a list of restrictions, separated by commas and/or
       whitespace. Continue long lines by starting the next line with
       whitespace. Restrictions are applied in the order as specified; the
       first restriction that matches wins.

       The following restrictions are valid in this context:

       ·      Generic restrictions that can be used in any SMTP command
              context, described under smtpd_client_restrictions.

       ·      SMTP command specific restrictions described under
              smtpd_client_restrictions, smtpd_helo_restrictions,
              smtpd_sender_restrictions or smtpd_recipient_restrictions.

       Examples:

              smtpd_data_restrictions = reject_unauth_pipelining
              smtpd_data_restrictions = reject_multi_recipient_bounce

smtpd_delay_open_until_valid_rcpt
       Postpone the start of an SMTP mail transaction until a valid RCPT TO
       command is received. Specify "no" to create a mail transaction as
       soon as the SMTP server receives a valid MAIL FROM command.

       With sites that reject lots of mail, the default setting reduces the
       use of disk, CPU and memory resources. The downside is that rejected
       recipients are logged with NOQUEUE instead of a mail transaction ID.
       This complicates the logfile analysis of multi-recipient mail.

       This feature is available in Postfix 2.3 and later.

smtpd_delay_reject
       Wait until the RCPT TO command before evaluating
       $smtpd_client_restrictions, $smtpd_helo_restrictions and
       $smtpd_sender_restrictions, or wait until the ETRN command before
       evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.

       This feature is turned on by default because some clients apparently
       mis-behave when the Postfix SMTP server rejects commands before RCPT
       TO.

       The default setting has one major benefit: it allows Postfix to log
       recipient address information when rejecting a client name/address
       or sender address, so that it is possible to find out whose mail is
       being rejected.

smtpd_discard_ehlo_keyword_address_maps
       Lookup tables, indexed by the remote SMTP client address, with case
       insensitive lists of EHLO keywords (pipelining, starttls, auth,
       etc.) that the SMTP server will not send in the EHLO response to a
       remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
       table is not searched by hostname for robustness reasons.

       This feature is available in Postfix 2.2 and later.

smtpd_discard_ehlo_keywords
       A case insensitive list of EHLO keywords (pipelining, starttls,
       auth, etc.) that the SMTP server will not send in the EHLO response
       to a remote SMTP client.

       This feature is available in Postfix 2.2 and later.

       Notes:

       ·      Specify the silent-discard pseudo keyword to prevent this
              action from being logged.

       ·      Use the smtpd_discard_ehlo_keyword_address_maps feature to
              discard EHLO keywords selectively.

smtpd_end_of_data_restrictions
       Optional access restrictions that the Postfix SMTP server applies in
       the context of the SMTP END-OF-DATA command. See
       SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
       restriction lists" for a discussion of evaluation context and time.

       This feature is available in Postfix 2.2 and later.

       See smtpd_data_restrictions for syntax details.

smtpd_enforce_tls
       Mandatory TLS: announce STARTTLS support to SMTP clients, and
       require that clients use TLS encryption. According to RFC 2487 this
       MUST NOT be applied in case of a publicly-referenced SMTP server.
       This option is off by default and should be used only on dedicated
       servers.

       Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only =
       yes".

       Note 2: when invoked via "sendmail -bs", Postfix will never offer
       STARTTLS due to insufficient privileges to access the server private
       key. This is intended behavior.

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtpd_tls_security_level instead.

smtpd_error_sleep_time
       With Postfix version 2.1 and later: the SMTP server response delay
       after a client has made more than $smtpd_soft_error_limit errors,
       and fewer than $smtpd_hard_error_limit errors, without delivering
       mail.

       With Postfix version 2.0 and earlier: the SMTP server delay before
       sending a reject (4xx or 5xx) response, when the client has made
       fewer than $smtpd_soft_error_limit errors without delivering mail.

smtpd_etrn_restrictions
       Optional SMTP server access restrictions in the context of a client
       ETRN request. See SMTPD_ACCESS_README, section "Delayed evaluation
       of SMTP access restriction lists" for a discussion of evaluation
       context and time.

       The Postfix ETRN implementation accepts only destinations that are
       eligible for the Postfix "fast flush" service. See the ETRN_README
       file for details.

       Specify a list of restrictions, separated by commas and/or
       whitespace. Continue long lines by starting the next line with
       whitespace. Restrictions are applied in the order as specified; the
       first restriction that matches wins.

       The following restrictions are specific to the domain name
       information received with the ETRN command.

       check_etrn_access type:table
              Search the specified access database for the ETRN domain name
              or its parent domains. See the access(5) manual page for
              details.

       Other restrictions that are valid in this context:

       ·      Generic restrictions that can be used in any SMTP command
              context, described under smtpd_client_restrictions.

       ·      SMTP command specific restrictions described under
              smtpd_client_restrictions and smtpd_helo_restrictions.

       Example:

              smtpd_etrn_restrictions = permit_mynetworks, reject

smtpd_expansion_filter
       What characters are allowed in $name expansions of RBL reply
       templates. Characters not in the allowed set are replaced by "_".
       Use C like escapes to specify special characters such as whitespace.

       This parameter is not subject to $parameter expansion.

       This feature is available in Postfix 2.0 and later.

smtpd_forbidden_commands
       List of commands that cause the Postfix SMTP server to immediately
       terminate the session with a 221 code. This can be used to
       disconnect clients that obviously attempt to abuse the system. In
       addition to the commands listed in this parameter, commands that
       follow the "Label:" format of message headers will also cause a
       disconnect.

       This feature is available in Postfix 2.2 and later.

smtpd_hard_error_limit
       The maximal number of errors a remote SMTP client is allowed to make
       without delivering mail. The Postfix SMTP server disconnects when
       the limit is exceeded. Normally the default limit is 20, but it
       changes under overload to just 1 with Postfix 2.6 and later.

smtpd_helo_required
       Require that a remote SMTP client introduces itself with the HELO or
       EHLO command before sending the MAIL command or other commands that
       require EHLO negotiation.

       Example:

              smtpd_helo_required = yes

smtpd_helo_restrictions
       Optional restrictions that the Postfix SMTP server applies in the
       context of the SMTP HELO command. See SMTPD_ACCESS_README, section
       "Delayed evaluation of SMTP access restriction lists" for a
       discussion of evaluation context and time.

       The default is to permit everything.

       Specify a list of restrictions, separated by commas and/or
       whitespace. Continue long lines by starting the next line with
       whitespace. Restrictions are applied in the order as specified; the
       first restriction that matches wins.

       The following restrictions are specific to the hostname information
       received with the HELO or EHLO command.

       check_helo_access type:table
              Search the specified access(5) database for the HELO or EHLO
              hostname or parent domains, and execute the corresponding
              action.

       check_helo_mx_access type:table
              Search the specified access(5) database for the MX hosts for
              the HELO or EHLO hostname, and execute the corresponding
              action. Note: a result of "OK" is not allowed for safety
              reasons. Instead, use DUNNO in order to exclude specific
              hosts from blacklists. This feature is available in Postfix
              2.1 and later.

       check_helo_ns_access type:table
              Search the specified access(5) database for the DNS servers
              for the HELO or EHLO hostname, and execute the corresponding
              action. Note: a result of "OK" is not allowed for safety
              reasons. Instead, use DUNNO in order to exclude specific
              hosts from blacklists. This feature is available in Postfix
              2.1 and later.

       reject_invalid_helo_hostname (with Postfix < 2.3:
       reject_invalid_hostname)
              Reject the request when the HELO or EHLO hostname syntax is
              invalid.
              The invalid_hostname_reject_code specifies the response code
              for rejected requests (default: 501).

       reject_non_fqdn_helo_hostname (with Postfix < 2.3:
       reject_non_fqdn_hostname)
              Reject the request when the HELO or EHLO hostname is not in
              fully-qualified domain form, as required by the RFC.
              The non_fqdn_reject_code parameter specifies the response
              code for rejected requests (default: 504).

       reject_rhsbl_helo rbl_domain=d.d.d.d
              Reject the request when the HELO or EHLO hostname is listed
              with the A record "d.d.d.d" under rbl_domain (Postfix version
              2.1 and later only). If no "=d.d.d.d" is specified, reject
              the request when the HELO or EHLO hostname is listed with any
              A record under rbl_domain. See the reject_rbl_client
              description for additional RBL related configuration
              parameters. This feature is available in Postfix 2.0 and
              later.

       reject_unknown_helo_hostname (with Postfix < 2.3:
       reject_unknown_hostname)
              Reject the request when the HELO or EHLO hostname has no DNS
              A or MX record.
              The unknown_hostname_reject_code parameter specifies the
              numerical response code for rejected requests (default: 450).
              The unknown_helo_hostname_tempfail_action parameter specifies
              the action after a temporary DNS error (default:
              defer_if_permit).

       Other restrictions that are valid in this context:

       ·      Generic restrictions that can be used in any SMTP command
              context, described under smtpd_client_restrictions.

       ·      Client hostname or network address specific restrictions
              described under smtpd_client_restrictions.

       ·      SMTP command specific restrictions described under
              smtpd_sender_restrictions or smtpd_recipient_restrictions.
              When sender or recipient restrictions are listed under
              smtpd_helo_restrictions, they have effect only with
              "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions
              is evaluated at the time of the RCPT TO command.

       Examples:

              smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
              smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname

smtpd_history_flush_threshold
       The maximal number of lines in the Postfix SMTP server command
       history before it is flushed upon receipt of EHLO, RSET, or end of
       DATA.

smtpd_junk_command_limit
       The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
       SMTP client can send before the Postfix SMTP server starts to
       increment the error counter with each junk command. The junk command
       count is reset after mail is delivered. See also the
       smtpd_error_sleep_time and smtpd_soft_error_limit configuration
       parameters. Normally the default limit is 100, but it changes under
       overload to just 1 with Postfix 2.6 and later.

smtpd_milters
       A list of Milter (mail filter) applications for new mail that
       arrives via the Postfix smtpd(8) server. See the MILTER_README
       document for details.

       This feature is available in Postfix 2.3 and later.

smtpd_noop_commands
       List of commands that the Postfix SMTP server replies to with "250
       Ok", without doing any syntax checks and without changing state.
       This list overrides any commands built into the Postfix SMTP server.

smtpd_null_access_lookup_key
       The lookup key to be used in SMTP access(5) tables instead of the
       null sender address.

smtpd_peername_lookup
       Attempt to look up the remote SMTP client hostname, and verify that
       the name matches the client IP address. A client name is set to
       "unknown" when it cannot be looked up or verified, or when name
       lookup is disabled. Turning off name lookup reduces delays due to
       DNS lookup and increases the maximal inbound delivery rate.

       This feature is available in Postfix 2.3 and later.

smtpd_policy_service_max_idle
       The time after which an idle SMTPD policy service connection is
       closed.

       This feature is available in Postfix 2.1 and later.

smtpd_policy_service_max_ttl
       The time after which an active SMTPD policy service connection is
       closed.

       This feature is available in Postfix 2.1 and later.

smtpd_policy_service_timeout
       The time limit for connecting to, writing to or receiving from a
       delegated SMTPD policy server.

       This feature is available in Postfix 2.1 and later.

smtpd_proxy_ehlo
       How the Postfix SMTP server announces itself to the proxy filter. By
       default, the Postfix hostname is used.

       This feature is available in Postfix 2.1 and later.

smtpd_proxy_filter
       The hostname and TCP port of the mail filtering proxy server. The
       proxy receives all mail from the Postfix SMTP server, and is
       supposed to give the result to another Postfix SMTP server process.

       Specify "host:port" or "inet:host:port" for a TCP endpoint, or
       "unix:pathname" for a UNIX-domain endpoint. The host can be
       specified as an IP address or as a symbolic name; no MX lookups are
       done. When no "host" or "host:" are specified, the local machine is
       assumed. Pathname interpretation is relative to the Postfix queue
       directory.

       This feature is available in Postfix 2.1 and later.

       The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
       later.
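
       The endpoint syntax above has two defaults that are easy to overlook
       when reviewing a configuration: an absent host means the local
       machine, and a relative "unix:" pathname is resolved inside the
       queue directory. The following is an added parser for that syntax,
       not Postfix code; the queue directory path it uses as a default is a
       constructed value, not read from a running Postfix.

```python
"""Parse an smtpd_proxy_filter endpoint the way this entry describes it.

Added example, not Postfix code.  Understands "host:port", "inet:host:port"
and "unix:pathname"; an absent host (":port" or just "port") means the local
machine, and a relative UNIX pathname is taken relative to the queue
directory.  The default queue directory here is a constructed value."""


def parse_proxy_filter(value, queue_directory="/var/spool/postfix"):
    """Return None for an empty setting, otherwise a dict describing the
    endpoint: {"type": "unix", "path": ...} or
    {"type": "inet", "host": ..., "port": ...} where host None means
    "the local machine"."""
    value = value.strip()
    if not value:
        return None                        # empty: no proxy filter configured
    if value.startswith("unix:"):
        path = value[len("unix:"):]
        if not path.startswith("/"):
            # Relative pathnames are interpreted relative to the queue directory.
            path = queue_directory.rstrip("/") + "/" + path
        return {"type": "unix", "path": path}
    if value.startswith("inet:"):
        value = value[len("inet:"):]
    host, sep, port = value.rpartition(":")
    if not sep:                            # bare "port": no host given at all
        host, port = "", value
    if not port:
        raise ValueError("smtpd_proxy_filter needs a port: %r" % value)
    # No MX lookups are done on the host; an empty host means the local machine.
    return {"type": "inet", "host": host or None, "port": port}
```

       A reviewer can feed each candidate value through this parser to see
       which socket the SMTP server would actually connect to before
       committing the setting to main.cf.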

smtpd_proxy_options
       List of options that control how the Postfix SMTP server
       communicates with a before-queue content filter. Specify zero or
       more of the following, separated by comma or whitespace.

       speed_adjust
              Do not connect to a before-queue content filter until an
              entire message has been received. This reduces the number of
              simultaneous before-queue content filter processes.

       NOTE 1: A filter must not selectively reject recipients of a
       multi-recipient message. Rejecting all recipients is OK, as is
       accepting all recipients.

       NOTE 2: This feature increases the minimum amount of free queue
       space by $message_size_limit. The extra space is needed to save the
       message to a temporary file.

       This feature is available in Postfix 2.7 and later.

smtpd_proxy_timeout
       The time limit for connecting to a proxy filter and for sending or
       receiving information. When a connection fails the client gets a
       generic error message while more detailed information is logged to
       the maillog file.

       Time units: s (seconds), m (minutes), h (hours), d (days), w
       (weeks). The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

smtpd_recipient_limit
       The maximal number of recipients that the Postfix SMTP server
       accepts per message delivery request.

smtpd_recipient_overshoot_limit
       The number of recipients that a remote SMTP client can send in
       excess of the limit specified with $smtpd_recipient_limit, before
       the Postfix SMTP server increments the per-session error count for
       each excess recipient.

smtpd_recipient_restrictions (default: permit_mynetworks, reject_unauth_destination)
       The access restrictions that the Postfix SMTP server applies in the
       context of the RCPT TO command. See SMTPD_ACCESS_README, section
       "Delayed evaluation of SMTP access restriction lists" for a
       discussion of evaluation context and time.

       By default, the Postfix SMTP server accepts:

       ·      Mail from clients whose IP address matches $mynetworks, or:

       ·      Mail to remote destinations that match $relay_domains, except
              for addresses that contain sender-specified routing
              (user@elsewhere@domain), or:

       ·      Mail to local destinations that match $inet_interfaces or
              $proxy_interfaces, $mydestination, $virtual_alias_domains, or
              $virtual_mailbox_domains.

       IMPORTANT: If you change this parameter setting, you must specify at
       least one of the following restrictions. Otherwise Postfix will
       refuse to receive mail:

              reject, defer, defer_if_permit, reject_unauth_destination
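
       The default policy just described is what keeps a Postfix SMTP
       server from becoming an open relay, so it is worth seeing the
       decision spelled out. The following is an added model of the
       default "permit_mynetworks, reject_unauth_destination" policy, not
       Postfix code; the network and domain tables are constructed, and
       "authorized destination" follows the permit_auth_destination
       definition given further down in this entry (relay_domains or a
       subdomain thereof, or one of the local domain classes, and no
       sender-specified routing such as user@elsewhere@domain).

```python
"""Model of the default smtpd_recipient_restrictions policy: permit_mynetworks
followed by reject_unauth_destination.

Added example, not Postfix code.  The network and domain tables are
constructed; mydestination, inet_interfaces/proxy_interfaces,
virtual_alias_domains and virtual_mailbox_domains are collapsed into one set
of final destinations."""
import ipaddress

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
RELAY_DOMAINS = {"relay.example"}
LOCAL_DOMAINS = {"example.org", "mail.example.org", "192.0.2.1", "virtual.example"}


def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS)


def matches_or_subdomain(domain, domains):
    """Match the domain itself or any parent domain listed in `domains`."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def permit_auth_destination(recipient):
    """True when Postfix is the mail forwarder or the final destination for
    the resolved RCPT TO domain and the address carries no extra routing."""
    localpart, _, domain = recipient.rpartition("@")
    domain = domain.lower().strip("[]")     # user@[192.0.2.1] names an interface
    if "@" in localpart:                    # user@elsewhere@domain: never relayed
        return False
    if domain in LOCAL_DOMAINS:             # Postfix is the final destination
        return True
    return matches_or_subdomain(domain, RELAY_DOMAINS)   # Postfix is a mail forwarder


def default_recipient_policy(client_ip, recipient):
    """permit_mynetworks, reject_unauth_destination: the first match decides."""
    if in_mynetworks(client_ip):
        return "PERMIT"                     # permit_mynetworks
    if permit_auth_destination(recipient):
        return "PERMIT"                     # authorized destination
    return "REJECT"                         # reject_unauth_destination
```

       A client inside $mynetworks may send anywhere; any other client is
       accepted only for a domain this server is final destination or
       forwarder for, and an address that smuggles a further hop in its
       local part (user@elsewhere.example@relay.example) is refused even
       though its outer domain is in $relay_domains.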
7054
7055 Specify a list of restrictions, separated by commas and/or whitespace.
7056 Continue long lines by starting the next line with whitespace.
7057 Restrictions are applied in the order as specified; the first restric‐
7058 tion that matches wins.
7059
7060 The following restrictions are specific to the recipient address that
7061 is received with the RCPT TO command.
7062
7063 check_recipient_access type:table
7064 Search the specified access(5) database for the resolved RCPT TO
7065 address, domain, parent domains, or localpart@, and execute the
7066 corresponding action.
7067
7068 check_recipient_mx_access type:table
7069 Search the specified access(5) database for the MX hosts for the
7070 RCPT TO domain, and execute the corresponding action. Note: a
7071 result of "OK" is not allowed for safety reasons. Instead, use
7072 DUNNO in order to exclude specific hosts from blacklists. This
7073 feature is available in Postfix 2.1 and later.
7074
7075 check_recipient_ns_access type:table
7076 Search the specified access(5) database for the DNS servers for
7077 the RCPT TO domain, and execute the corresponding action. Note:
7078 a result of "OK" is not allowed for safety reasons. Instead, use
7079 DUNNO in order to exclude specific hosts from blacklists. This
7080 feature is available in Postfix 2.1 and later.
7081
7082 permit_auth_destination
7083 Permit the request when one of the following is true:
7084
7085 · Postfix is mail forwarder: the resolved RCPT TO domain matches
7086 $relay_domains or a subdomain thereof, and the address contains
7087 no sender-specified routing (user@elsewhere@domain),
7088
7089 · Postfix is the final destination: the resolved RCPT TO domain
7090 matches $mydestination, $inet_interfaces, $proxy_interfaces,
7091 $virtual_alias_domains, or $virtual_mailbox_domains, and the
7092 address contains no sender-specified routing (user@elsewhere@domain).
7094
7095 permit_mx_backup
7096 Permit the request when the local mail system is backup MX for
7097 the RCPT TO domain, or when the domain is an authorized destina‐
7098 tion (see permit_auth_destination for definition).
7099
7100 · Safety: permit_mx_backup does not accept addresses that have
7101 sender-specified routing information (example: user@elsewhere@domain).
7103
7104 · Safety: permit_mx_backup can be vulnerable to mis-use when
7105 access is not restricted with permit_mx_backup_networks.
7106
7107 · Safety: as of Postfix version 2.3, permit_mx_backup no longer
7108 accepts the address when the local mail system is primary MX for
7109 the recipient domain. Exception: permit_mx_backup accepts the
7110 address when it specifies an authorized destination (see permit_auth_destination for definition).
7112
7113 · Limitation: mail may be rejected in case of a temporary DNS
7114 lookup problem with Postfix prior to version 2.0.
7115
7116 reject_non_fqdn_recipient
7117 Reject the request when the RCPT TO address is not in fully-qualified domain form, as required by the RFC.
7119 The non_fqdn_reject_code parameter specifies the response code
7120 for rejected requests (default: 504).
7121
7122 reject_rhsbl_recipient rbl_domain=d.d.d.d
7123 Reject the request when the RCPT TO domain is listed with the A
7124 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
7125 only). If no "=d.d.d.d" is specified, reject the request when
7126 the RCPT TO domain is listed with any A record under rbl_domain.
7127 The maps_rbl_reject_code parameter specifies the response code
7128 for rejected requests (default: 554); the default_rbl_reply
7129 parameter specifies the default server reply; and the
7130 rbl_reply_maps parameter specifies tables with server replies
7131 indexed by rbl_domain. This feature is available in Postfix
7132 version 2.0 and later.
7133
7134 reject_unauth_destination
7135 Reject the request unless one of the following is true:
7136
7137 · Postfix is mail forwarder: the resolved RCPT TO domain matches
7138 $relay_domains or a subdomain thereof, and contains no sender-
7139 specified routing (user@elsewhere@domain),
7140
7141 · Postfix is the final destination: the resolved RCPT TO domain
7142 matches $mydestination, $inet_interfaces, $proxy_interfaces,
7143 $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
7145 The relay_domains_reject_code parameter specifies the response
7146 code for rejected requests (default: 554).
7147
7148 reject_unknown_recipient_domain
7149 Reject the request when Postfix is not final destination for the
7150 recipient domain, and the RCPT TO domain has no DNS A or MX
7151 record, or when it has a malformed MX record such as a record
7152 with a zero-length MX hostname (Postfix version 2.3 and later).
7153 The unknown_address_reject_code parameter specifies the numerical response code for rejected requests (default: 450). The
7155 response is always 450 in case of a temporary DNS error.
7156 The unknown_address_tempfail_action parameter specifies the
7157 action after a temporary DNS error (default: defer_if_permit).
7158
7159 reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
7161 Reject the request when the RCPT TO address is not listed in the
7162 list of valid recipients for its domain class. See the
7163 smtpd_reject_unlisted_recipient parameter description for
7164 details. This feature is available in Postfix 2.1 and later.
7165
7166 reject_unverified_recipient
7167 Reject the request when mail to the RCPT TO address is known to
7168 bounce, or when the recipient address destination is not reachable. Address verification information is managed by the verify(8) server; see the ADDRESS_VERIFICATION_README file for details.
7172 The unverified_recipient_reject_code parameter specifies the
7173 numerical response code when an address is known to bounce
7174 (default: 450, change into 550 when you are confident that it is
7175 safe to do so).
7176 The unverified_recipient_defer_code parameter specifies the
7177 numerical response code when an address probe failed due to a
7178 temporary problem (default: 450).
7179 The unverified_recipient_tempfail_action parameter specifies the
7180 action after address probe failure due to a temporary problem
7181 (default: defer_if_permit).
7182 This feature is available in Postfix 2.1 and later.
7183
7184 Other restrictions that are valid in this context:
7185
7186 · Generic restrictions that can be used in any SMTP command context, described under smtpd_client_restrictions.
7188
7189 · SMTP command specific restrictions described under
7190 smtpd_client_restrictions, smtpd_helo_restrictions and
7191 smtpd_sender_restrictions.
7192
7193 Example:
7194
7195 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
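The first-match rule and the IMPORTANT safety requirement above, worked through in Python. This is an added example written for this page, not Postfix code: it models a handful of the restrictions named in this section with simplified semantics, and the networks, domains and access(5) table it uses are constructed sample data standing in for $mynetworks, $mydestination, $relay_domains and a check_recipient_access table.

```python
"""First-match evaluation of an smtpd_recipient_restrictions list.

Added example, not Postfix code. It models permit_mynetworks,
permit_sasl_authenticated, permit_auth_destination,
reject_unauth_destination, check_recipient_access, reject and defer with
simplified semantics; the networks, domains and access table below are
constructed sample data standing in for main.cf settings.
"""
import ipaddress

# Constructed stand-ins for $mynetworks, $mydestination and $relay_domains.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.com", "localhost"}
RELAY_DOMAINS = {"partner.example"}
# Constructed access(5) table as used by "check_recipient_access type:table".
RECIPIENT_ACCESS = {
    "spamtrap@example.com": "REJECT",
    "blocked.test": "REJECT",          # matches any recipient domain under it
}
# The IMPORTANT rule from the text: at least one of these must be present.
SAFETY_NET = {"reject", "defer", "defer_if_permit", "reject_unauth_destination"}


def parse_restrictions(value):
    """Split a main.cf value on commas and/or whitespace (continuation
    lines have already been joined into one logical line)."""
    return value.replace(",", " ").split()


def missing_safety_net(restrictions):
    """True when the list contains none of the required reject/defer actions."""
    return not (SAFETY_NET & set(restrictions))


def has_sender_routing(addr):
    """user@elsewhere@domain: more than one "@" is sender-specified routing."""
    return addr.count("@") > 1


def is_auth_destination(rcpt):
    """The permit_auth_destination / reject_unauth_destination test."""
    if has_sender_routing(rcpt):
        return False
    domain = rcpt.rsplit("@", 1)[1].lower()
    if domain in MYDESTINATION:
        return True
    return any(domain == r or domain.endswith("." + r) for r in RELAY_DOMAINS)


def access_lookup(rcpt):
    """access(5) search order: full address, domain, parent domains, localpart@."""
    local, domain = rcpt.lower().rsplit("@", 1)
    labels = domain.split(".")
    keys = [rcpt.lower(), domain]
    keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in RECIPIENT_ACCESS:
            return RECIPIENT_ACCESS[key]
    return None


def evaluate(restrictions, client_ip, sasl_user, rcpt):
    """Return (decision, restriction) for the first restriction that matches,
    or ("DUNNO", None) when the list is exhausted without a decision."""
    ip = ipaddress.ip_address(client_ip)
    i = 0
    while i < len(restrictions):
        name = restrictions[i]
        i += 1
        if name == "permit_mynetworks" and any(ip in n for n in MYNETWORKS):
            return "OK", name
        if name == "permit_sasl_authenticated" and sasl_user:
            return "OK", name
        if name == "permit_auth_destination" and is_auth_destination(rcpt):
            return "OK", name
        if name == "reject_unauth_destination" and not is_auth_destination(rcpt):
            return "REJECT", name
        if name == "check_recipient_access":
            i += 1                       # skip the type:table argument
            result = access_lookup(rcpt)
            if result in ("OK", "REJECT"):
                return result, name
        if name == "reject":
            return "REJECT", name
        if name in ("defer", "defer_if_permit"):
            return "DEFER", name
    return "DUNNO", None
```

Call parse_restrictions() on the logical line, then missing_safety_net() flags the configuration the IMPORTANT note warns about; evaluate() walks the list in order and stops at the first restriction that yields a decision, which is why a permit placed before reject_unauth_destination only affects the clients it matches.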
7196
7197 smtpd_reject_unlisted_recipient
7198 Request that the Postfix SMTP server rejects mail for unknown recipient
7199 addresses, even when no explicit reject_unlisted_recipient access
7200 restriction is specified. This prevents the Postfix queue from filling
7201 up with undeliverable MAILER-DAEMON messages.
7202
7203 An address is always considered "known" when it matches a virtual(5)
7204 alias or a canonical(5) mapping. Otherwise it is considered unknown when:
7205
7206 · The recipient domain matches $mydestination, $inet_interfaces or
7207 $proxy_interfaces, but the recipient is not listed in
7208 $local_recipient_maps, and $local_recipient_maps is not null.
7209
7210 · The recipient domain matches $virtual_alias_domains but the
7211 recipient is not listed in $virtual_alias_maps.
7212
7213 · The recipient domain matches $virtual_mailbox_domains but the
7214 recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
7216
7217 · The recipient domain matches $relay_domains but the recipient is
7218 not listed in $relay_recipient_maps, and $relay_recipient_maps
7219 is not null.
7220
7221 This feature is available in Postfix 2.1 and later.
7222
7223 smtpd_reject_unlisted_sender
7224 Request that the Postfix SMTP server rejects mail from unknown sender
7225 addresses, even when no explicit reject_unlisted_sender access restriction is specified. This can slow down an explosion of forged mail from
7227 worms or viruses.
7228
7229 An address is always considered "known" when it matches a virtual(5)
7230 alias or a canonical(5) mapping. Otherwise it is considered unknown when:
7231
7232 · The sender domain matches $mydestination, $inet_interfaces or
7233 $proxy_interfaces, but the sender is not listed in $local_recipient_maps, and $local_recipient_maps is not null.
7235
7236 · The sender domain matches $virtual_alias_domains but the sender
7237 is not listed in $virtual_alias_maps.
7238
7239 · The sender domain matches $virtual_mailbox_domains but the
7240 sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
7242
7243 · The sender domain matches $relay_domains but the sender is not
7244 listed in $relay_recipient_maps, and $relay_recipient_maps is
7245 not null.
7246
7247 This feature is available in Postfix 2.1 and later.
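The four domain-class rules above are the same for smtpd_reject_unlisted_recipient (RCPT TO) and smtpd_reject_unlisted_sender (MAIL FROM), so one added example serves both sections. It is written for this page and is not Postfix code; the domain classes and maps are constructed stand-ins for main.cf settings, and a map parameter that is "null" is represented by None.

```python
"""Which addresses smtpd_reject_unlisted_recipient and
smtpd_reject_unlisted_sender treat as unknown.

Added example, not Postfix code. The domain classes and maps below are
constructed stand-ins for main.cf settings; a map parameter that is null
(unset) is represented by None. The same test applies to the RCPT TO
address and to the MAIL FROM address.
"""

# Constructed domain classes ($inet_interfaces and $proxy_interfaces are
# folded into MYDESTINATION for brevity).
MYDESTINATION = {"example.com", "localhost"}
VIRTUAL_ALIAS_DOMAINS = {"alias.example"}
VIRTUAL_MAILBOX_DOMAINS = {"vmail.example"}
RELAY_DOMAINS = {"relay.example"}

# Constructed recipient tables; None means the parameter is null.
LOCAL_RECIPIENT_MAPS = {"alice@example.com", "bob@example.com"}
VIRTUAL_ALIAS_MAPS = {"sales@alias.example", "postmaster@example.com"}
VIRTUAL_MAILBOX_MAPS = {"carol@vmail.example"}
RELAY_RECIPIENT_MAPS = None
# Constructed canonical(5) mapping: a match here also makes an address known.
CANONICAL_MAPS = {"old-name@example.com"}


def is_unlisted(addr):
    """True when Postfix would reject addr as unknown for its domain class."""
    addr = addr.lower()
    # A virtual(5) alias or canonical(5) mapping always makes the address known.
    if addr in VIRTUAL_ALIAS_MAPS or addr in CANONICAL_MAPS:
        return False
    domain = addr.rsplit("@", 1)[-1]
    if domain in MYDESTINATION:
        return LOCAL_RECIPIENT_MAPS is not None and addr not in LOCAL_RECIPIENT_MAPS
    if domain in VIRTUAL_ALIAS_DOMAINS:
        # No "not null" exception here: an alias domain needs an alias entry.
        return addr not in VIRTUAL_ALIAS_MAPS
    if domain in VIRTUAL_MAILBOX_DOMAINS:
        return VIRTUAL_MAILBOX_MAPS is not None and addr not in VIRTUAL_MAILBOX_MAPS
    if domain in RELAY_DOMAINS:
        return RELAY_RECIPIENT_MAPS is not None and addr not in RELAY_RECIPIENT_MAPS
    # Not one of our domain classes: the unlisted check does not apply.
    return False


def unlisted_addresses(addrs):
    """The addresses in addrs that would be rejected as unknown."""
    return [a for a in addrs if is_unlisted(a)]
```

Note the asymmetry the text describes: a null $local_recipient_maps, $virtual_mailbox_maps or $relay_recipient_maps switches validation off for that class (RELAY_RECIPIENT_MAPS above), while a virtual alias domain always requires an entry in $virtual_alias_maps.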
7248
7250 User-defined aliases for groups of access restrictions. The aliases can
7251 be specified in smtpd_recipient_restrictions etc., and on the right-
7252 hand side of a Postfix access(5) table.
7253
7254 One major application is for implementing per-recipient UCE control.
7255 See the RESTRICTION_CLASS_README document for other examples.
7256
7257 smtpd_sasl_application_name (default: smtpd)
7258 The application name that the Postfix SMTP server uses for SASL server
7259 initialization. This controls the name of the SASL configuration file.
7260 The default value is smtpd, corresponding to a SASL configuration file
7261 named smtpd.conf.
7262
7263 This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
7264 was renamed to smtpd_sasl_path.
7265
7267 Enable SASL authentication in the Postfix SMTP server. By default, the
7268 Postfix SMTP server does not use authentication.
7269
7270 If a remote SMTP client is authenticated, the permit_sasl_authenticated
7271 access restriction can be used to permit relay access, like this:
7272
7273 smtpd_recipient_restrictions =
7274 permit_mynetworks, permit_sasl_authenticated, ...
7275
7276 To reject all SMTP connections from unauthenticated clients, specify
7277 "smtpd_delay_reject = yes" (which is the default) and use:
7278
7279 smtpd_client_restrictions = permit_sasl_authenticated, reject
7280
7281 See the SASL_README file for SASL configuration and operation details.
7282
7284 Report the SASL authenticated user name in the smtpd(8) Received message header.
7286
7287 This feature is available in Postfix 2.3 and later.
7288
7289 smtpd_sasl_exceptions_networks
7290 What remote SMTP clients the Postfix SMTP server will not offer AUTH
7291 support to.
7292
7293 Some clients (Netscape 4 at least) have a bug that causes them to
7294 require a login and password whenever AUTH is offered, whether it's
7295 necessary or not. To work around this, specify, for example, $mynetworks to prevent Postfix from offering AUTH to local clients.
7297
7298 Specify a list of network/netmask patterns, separated by commas and/or
7299 whitespace. The mask specifies the number of bits in the network part
7300 of a host address. You can also specify "/file/name" or "type:table" patterns.
7301 A "/file/name" pattern is replaced by its contents; a "type:table"
7302 lookup table is matched when a table entry matches a lookup string (the
7303 lookup result is ignored). Continue long lines by starting the next
7304 line with whitespace. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.
7307
7308 Note: IP version 6 address information must be specified inside [] in
7309 the smtpd_sasl_exceptions_networks value, and in files specified with
7310 "/file/name". IP version 6 addresses contain the ":" character, and
7311 would otherwise be confused with a "type:table" pattern.
7312
7313 Example:
7314
7315 smtpd_sasl_exceptions_networks = $mynetworks
7316
7317 This feature is available in Postfix 2.1 and later.
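The network/netmask list syntax described above, as an added example written for this page rather than Postfix code. It handles CIDR patterns, bare addresses, "!pattern" exclusions and the bracketed IPv6 form from the Note; "/file/name" patterns are read from a constructed in-memory table (FILES) instead of the file system, and "type:table" patterns are reported as unsupported because the example has no lookup-table back end.

```python
"""Matcher for Postfix network/netmask lists such as
smtpd_sasl_exceptions_networks.

Added example, not Postfix code. CIDR patterns, bare addresses,
"!pattern" exclusions and "[ipv6]" forms are supported; "/file/name"
patterns are taken from the constructed FILES table below, and
"type:table" patterns raise ValueError.
"""
import ipaddress

# Constructed stand-in for files referenced with "/file/name" patterns.
FILES = {
    "/etc/postfix/trusted_nets": "10.0.0.0/8\n# internal ULA range\n[fd00::]/8\n",
}


def parse_network(pattern):
    """Accept 192.0.2.0/24, 192.0.2.1, [2001:db8::]/32 or [2001:db8::1]."""
    if pattern.startswith("["):
        close = pattern.index("]")
        pattern = pattern[1:close] + pattern[close + 1:]
    return ipaddress.ip_network(pattern, strict=False)


def expand_patterns(value):
    """Split a list on commas and/or whitespace and inline /file/name patterns.

    Returns a list of (negated, network) pairs in list order."""
    out = []
    for tok in value.replace(",", " ").split():
        negate = tok.startswith("!")
        body = tok[1:] if negate else tok
        if body.startswith("/"):
            # "/file/name" is replaced by its contents; "!/file/name" needs 2.4+.
            if negate:
                raise ValueError('"!/file/name" requires Postfix 2.4 or later')
            for line in FILES[body].splitlines():
                line = line.strip()
                if line and not line.startswith("#"):
                    out.extend(expand_patterns(line))
        elif ":" in body and not body.startswith("["):
            # An unbracketed ":" is read as a type:table pattern, as the Note warns.
            raise ValueError(f"type:table pattern not supported here: {tok}")
        else:
            out.append((negate, parse_network(body)))
    return out


def matches(value, client_ip):
    """First matching pattern wins; a matching "!pattern" excludes the client."""
    ip = ipaddress.ip_address(client_ip)
    for negate, net in expand_patterns(value):
        if ip.version == net.version and ip in net:
            return not negate
    return False
```

Because the first match wins, an exclusion such as "!192.0.2.13" must precede the broader "192.0.2.0/24" pattern it carves a hole in; placed after it, it never fires.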
7318
7319 smtpd_sasl_local_domain (default: empty)
7320 The name of the Postfix SMTP server's local SASL authentication realm.
7321
7322 By default, the local authentication realm name is the null string.
7323
7324 Examples:
7325
7326 smtpd_sasl_local_domain = $mydomain
7327 smtpd_sasl_local_domain = $myhostname
7328
7329 smtpd_sasl_path (default: smtpd)
7330 Implementation-specific information that the Postfix SMTP server passes
7331 through to the SASL plug-in implementation that is selected with
7332 smtpd_sasl_type. Typically this specifies the name of a configuration
7333 file or rendezvous point.
7334
7335 This feature is available in Postfix 2.3 and later. In earlier releases
7336 it was called smtpd_sasl_application_name.
7337
7338 smtpd_sasl_security_options (default: noanonymous)
7339 Postfix SMTP server SASL security options; as of Postfix 2.3 the list
7340 of available features depends on the SASL server implementation that is
7341 selected with smtpd_sasl_type.
7342
7343 The following security features are defined for the cyrus server SASL
7344 implementation:
7345
7346 Restrict what authentication mechanisms the Postfix SMTP server will
7347 offer to the client. The list of available authentication mechanisms
7348 is system dependent.
7349
7350 Specify zero or more of the following:
7351
7352 noplaintext
7353 Disallow methods that use plaintext passwords.
7354
7355 noactive
7356 Disallow methods subject to active (non-dictionary) attack.
7357
7358 nodictionary
7359 Disallow methods subject to passive (dictionary) attack.
7360
7361 noanonymous
7362 Disallow methods that allow anonymous authentication.
7363
7364 forward_secrecy
7365 Only allow methods that support forward secrecy (Dovecot only).
7366
7367 mutual_auth
7368 Only allow methods that provide mutual authentication (not
7369 available with Cyrus SASL version 1).
7370
7371 By default, the Postfix SMTP server accepts plaintext passwords but not
7372 anonymous logins.
7373
7374 Warning: it appears that clients try authentication methods in the
7375 order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
7376 which means that if you disable plaintext passwords, clients will log
7377 in anonymously, even when they should be able to use CRAM-MD5. So, if
7378 you disable plaintext logins, disable anonymous logins too. Postfix
7379 treats anonymous login as no authentication.
7380
7381 Example:
7382
7383 smtpd_sasl_security_options = noanonymous, noplaintext
7384
7386 The SASL authentication security options that the Postfix SMTP server
7387 uses for TLS encrypted SMTP sessions.
7388
7389 This feature is available in Postfix 2.2 and later.
7390
7391 smtpd_sasl_type
7392 The SASL plug-in type that the Postfix SMTP server should use for
7393 authentication. The available types are listed with the "postconf -a"
7394 command.
7395
7396 This feature is available in Postfix 2.3 and later.
7397
7398 smtpd_sender_login_maps (default: empty)
7399 Optional lookup table with the SASL login names that own sender (MAIL
7400 FROM) addresses.
7401
7402 Specify zero or more "type:table" lookup tables. With lookups from
7403 indexed files such as DB or DBM, or from networked tables such as NIS,
7404 LDAP or SQL, the following search operations are done with a sender
7405 address of user@domain:
7406
7407 1) user@domain
7408 This table lookup is always done and has the highest precedence.
7409
7410 2) user
7411 This table lookup is done only when the domain part of the
7412 sender address matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
7414
7415 3) @domain
7416 This table lookup is done last and has the lowest precedence.
7417
7418 In all cases the result of table lookup must be either "not found" or a
7419 list of SASL login names separated by comma and/or whitespace.
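The three-step lookup order above, together with the reject_sender_login_mismatch, reject_authenticated_sender_login_mismatch and reject_unauthenticated_sender_login_mismatch restrictions that consume its result (described under smtpd_sender_restrictions), as an added Python example. It is written for this page and is not Postfix code; the table contents and the set of local domains are constructed sample data, and the behaviour follows the restriction descriptions literally.

```python
"""smtpd_sender_login_maps lookup order and the sender-login-mismatch
restrictions that use it.

Added example, not Postfix code. SENDER_LOGIN_MAP is a constructed
smtpd_sender_login_maps table and LOCAL_DOMAINS stands in for
$myorigin, $mydestination, $inet_interfaces and $proxy_interfaces.
"""

LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Constructed table: key -> SASL login names, comma and/or whitespace separated.
SENDER_LOGIN_MAP = {
    "alice@example.com": "alice",
    "alice": "alice-old, alice",
    "@example.com": "postmaster",
    "shared@partner.example": "alice bob",
}


def lookup_owners(sender):
    """Return the set of SASL logins that own sender, or None when not found."""
    local, domain = sender.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    keys = [f"{local}@{domain}"]            # 1) user@domain: always, highest precedence
    if domain in LOCAL_DOMAINS:
        keys.append(local)                  # 2) user: only for our own domains
    keys.append("@" + domain)               # 3) @domain: last, lowest precedence
    for key in keys:
        if key in SENDER_LOGIN_MAP:
            return set(SENDER_LOGIN_MAP[key].replace(",", " ").split())
    return None


def sender_login_mismatch(sender, sasl_login):
    """reject_sender_login_mismatch: True when the request is rejected."""
    owners = lookup_owners(sender)
    if sasl_login is None:
        # Address has an owner, but the client is not logged in.
        return owners is not None
    # Client is logged in, but its login name does not own the address.
    return owners is None or sasl_login not in owners


def authenticated_mismatch(sender, sasl_login):
    """reject_authenticated_sender_login_mismatch: logged-in clients only."""
    return sasl_login is not None and sender_login_mismatch(sender, sasl_login)


def unauthenticated_mismatch(sender, sasl_login):
    """reject_unauthenticated_sender_login_mismatch: anonymous clients only."""
    return sasl_login is None and sender_login_mismatch(sender, sasl_login)
```

The "user" lookup is what lets one entry cover every local domain, but it is deliberately skipped for foreign domains, so "alice@partner.example" finds no owner even though a bare "alice" key exists.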
7420
7421 smtpd_sender_restrictions (default: empty)
7422 Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command. See SMTPD_ACCESS_README, section
7424 "Delayed evaluation of SMTP access restriction lists" for a discussion
7425 of evaluation context and time.
7426
7427 The default is to permit everything.
7428
7429 Specify a list of restrictions, separated by commas and/or whitespace.
7430 Continue long lines by starting the next line with whitespace.
7431 Restrictions are applied in the order as specified; the first restriction that matches wins.
7433
7434 The following restrictions are specific to the sender address received
7435 with the MAIL FROM command.
7436
7437 check_sender_access type:table
7438 Search the specified access(5) database for the MAIL FROM
7439 address, domain, parent domains, or localpart@, and execute the
7440 corresponding action.
7441
7442 check_sender_mx_access type:table
7443 Search the specified access(5) database for the MX hosts for the
7444 MAIL FROM address, and execute the corresponding action. Note:
7445 a result of "OK" is not allowed for safety reasons. Instead, use
7446 DUNNO in order to exclude specific hosts from blacklists. This
7447 feature is available in Postfix 2.1 and later.
7448
7449 check_sender_ns_access type:table
7450 Search the specified access(5) database for the DNS servers for
7451 the MAIL FROM address, and execute the corresponding action.
7452 Note: a result of "OK" is not allowed for safety reasons.
7453 Instead, use DUNNO in order to exclude specific hosts from
7454 blacklists. This feature is available in Postfix 2.1 and later.
7455
7456 reject_authenticated_sender_login_mismatch
7457 Enforces the reject_sender_login_mismatch restriction for
7458 authenticated clients only. This feature is available in Postfix
7459 version 2.1 and later.
7460
7461 reject_non_fqdn_sender
7462 Reject the request when the MAIL FROM address is not in fully-
7463 qualified domain form, as required by the RFC.
7464 The non_fqdn_reject_code parameter specifies the response code
7465 for rejected requests (default: 504).
7466
7467 reject_rhsbl_sender rbl_domain=d.d.d.d
7468 Reject the request when the MAIL FROM domain is listed with the
7469 A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
7470 later only). If no "=d.d.d.d" is specified, reject the request
7471 when the MAIL FROM domain is listed with any A record under
7472 rbl_domain.
7473 The maps_rbl_reject_code parameter specifies the response code
7474 for rejected requests (default: 554); the default_rbl_reply
7475 parameter specifies the default server reply; and the
7476 rbl_reply_maps parameter specifies tables with server replies
7477 indexed by rbl_domain. This feature is available in Postfix 2.0
7478 and later.
7479
7480 reject_sender_login_mismatch
7481 Reject the request when $smtpd_sender_login_maps specifies an
7482 owner for the MAIL FROM address, but the client is not (SASL)
7483 logged in as that MAIL FROM address owner; or when the client is
7484 (SASL) logged in, but the client login name doesn't own the MAIL
7485 FROM address according to $smtpd_sender_login_maps.
7486
7487 reject_unauthenticated_sender_login_mismatch
7488 Enforces the reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix
7490 version 2.1 and later.
7491
7492 reject_unknown_sender_domain
7493 Reject the request when Postfix is not final destination for the
7494 sender address, and the MAIL FROM address has no DNS A or MX
7495 record, or when it has a malformed MX record such as a record
7496 with a zero-length MX hostname (Postfix version 2.3 and later).
7497 The unknown_address_reject_code parameter specifies the numerical response code for rejected requests (default: 450). The
7499 response is always 450 in case of a temporary DNS error.
7500 The unknown_address_tempfail_action parameter specifies the
7501 action after a temporary DNS error (default: defer_if_permit).
7502
7503 reject_unlisted_sender
7504 Reject the request when the MAIL FROM address is not listed in
7505 the list of valid recipients for its domain class. See the
7506 smtpd_reject_unlisted_sender parameter description for details.
7507 This feature is available in Postfix 2.1 and later.
7508
7509 reject_unverified_sender
7510 Reject the request when mail to the MAIL FROM address is known
7511 to bounce, or when the sender address destination is not reachable. Address verification information is managed by the verify(8) server; see the ADDRESS_VERIFICATION_README file for details.
7515 The unverified_sender_reject_code parameter specifies the numerical response code when an address is known to bounce (default:
7517 450, change into 550 when you are confident that it is safe to
7518 do so).
7519 The unverified_sender_defer_code parameter specifies the numerical response code when an address probe failed due to a temporary problem (default: 450).
7522 The unverified_sender_tempfail_action parameter specifies the
7523 action after address probe failure due to a temporary problem
7524 (default: defer_if_permit).
7525 This feature is available in Postfix 2.1 and later.
7526
7527 Other restrictions that are valid in this context:
7528
7529 · Generic restrictions that can be used in any SMTP command context, described under smtpd_client_restrictions.
7531
7532 · SMTP command specific restrictions described under
7533 smtpd_client_restrictions and smtpd_helo_restrictions.
7534
7535 · SMTP command specific restrictions described under smtpd_recipient_restrictions. When recipient restrictions are listed under
7537 smtpd_sender_restrictions, they have effect only with
7538 "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions
7539 is evaluated at the time of the RCPT TO command.
7540
7541 Examples:
7542
7543 smtpd_sender_restrictions = reject_unknown_sender_domain
7544 smtpd_sender_restrictions = reject_unknown_sender_domain,
7545 check_sender_access hash:/etc/postfix/access
7546
7548 The number of errors a remote SMTP client is allowed to make without
7549 delivering mail before the Postfix SMTP server slows down all its
7550 responses.
7551
7552 · With Postfix version 2.1 and later, the Postfix SMTP server
7553 delays all responses by $smtpd_error_sleep_time seconds.
7554
7555 · With Postfix versions 2.0 and earlier, the Postfix SMTP server
7556 delays all responses by (number of errors) seconds.
7557
7559 The time limit for Postfix SMTP server write and read operations during
7560 TLS startup and shutdown handshake procedures.
7561
7562 This feature is available in Postfix 2.2 and later.
7563
7565 The time limit for sending a Postfix SMTP server response and for
7566 receiving a remote SMTP client request. Normally the default limit is
7567 300s, but it changes under overload to just 10s with Postfix 2.6 and
7568 later.
7569
7570 Note: if you set SMTP time limits to very large values you may have to
7571 update the global ipc_timeout parameter.
7572
7573 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
7574 The default time unit is s (seconds).
7575
7576 smtpd_tls_CAfile
7577 A file containing (PEM format) CA certificates of root CAs trusted to
7578 sign either remote SMTP client certificates or intermediate CA certificates. These are loaded into memory before the smtpd(8) server enters
7580 the chroot jail. If the number of trusted roots is large, consider
7581 using smtpd_tls_CApath instead, but note that the latter directory must
7582 be present in the chroot jail if the smtpd(8) server is chrooted. This
7583 file may also be used to augment the server certificate trust chain,
7584 but it is best to include all the required certificates directly in the
7585 server certificate file.
7586
7587 Specify "tls_append_default_CA = no" to prevent Postfix from appending
7588 the system-supplied default CAs and trusting third-party certificates.
7589
7590 By default (see smtpd_tls_ask_ccert), client certificates are not
7591 requested, and smtpd_tls_CAfile should remain empty. If you do make use
7592 of client certificates, the distinguished names (DNs) of the certificate authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
7594 client in the client certificate request message. MUAs with multiple
7595 client certificates may use the list of preferred certificate authorities to select the correct client certificate. You may want to put
7597 your "preferred" CA or CAs in this file, and install other trusted CAs
7598 in $smtpd_tls_CApath.
7599
7600 Example:
7601
7602 smtpd_tls_CAfile = /etc/postfix/CAcert.pem
7603
7604 This feature is available in Postfix 2.2 and later.
7605
7606 smtpd_tls_CApath
7607 A directory containing (PEM format) CA certificates of root CAs trusted
7608 to sign either remote SMTP client certificates or intermediate CA certificates. Do not forget to create the necessary "hash" links with, for
7610 example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
7611 smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
7612 inside the chroot jail.
7613
7614 Specify "tls_append_default_CA = no" to prevent Postfix from appending
7615 the system-supplied default CAs and trusting third-party certificates.
7616
7617 By default (see smtpd_tls_ask_ccert), client certificates are not
7618 requested, and smtpd_tls_CApath should remain empty. In contrast to
7619 smtpd_tls_CAfile, DNs of certificate authorities installed in
7620 $smtpd_tls_CApath are not included in the client certificate request
7621 message. MUAs with multiple client certificates may use the list of
7622 preferred certificate authorities to select the correct client certificate. You may want to put your "preferred" CA or CAs in
7624 $smtpd_tls_CAfile, and install the remaining trusted CAs in
7625 $smtpd_tls_CApath.
7626
7627 Example:
7628
7629 smtpd_tls_CApath = /etc/postfix/certs
7630
7631 This feature is available in Postfix 2.2 and later.
7632
7633 smtpd_tls_always_issue_session_ids (default: yes)
7634 Force the Postfix SMTP server to issue a TLS session id, even when TLS
7635 session caching is turned off (smtpd_tls_session_cache_database is
7636 empty). This behavior is compatible with Postfix < 2.3.
7637
7638 With Postfix 2.3 and later the Postfix SMTP server can disable session
7639 id generation when TLS session caching is turned off. This keeps
7640 clients from caching sessions that almost certainly cannot be re-used.
7641
7642 By default, the Postfix SMTP server always generates TLS session ids.
7643 This works around a known defect in mail client applications such as MS
7644 Outlook, and may also prevent interoperability issues with other MTAs.
7645
7646 Example:
7647
7648 smtpd_tls_always_issue_session_ids = no
7649
7650 This feature is available in Postfix 2.3 and later.
7651
7652 smtpd_tls_ask_ccert (default: no)
7653 Ask a remote SMTP client for a client certificate. This information is
7654 needed for certificate based mail relaying with, for example, the permit_tls_clientcerts feature.
7656
7657 Some clients such as Netscape will either complain if no certificate is
7658 available (for the list of CAs in $smtpd_tls_CAfile) or will offer multiple client certificates to choose from. This may be annoying, so this
7660 option is "off" by default.
7661
7662 This feature is available in Postfix 2.2 and later.
7663
7665 When TLS encryption is optional in the Postfix SMTP server, do not
7666 announce or accept SASL authentication over unencrypted connections.
7667
7668 This feature is available in Postfix 2.2 and later.
7669
7671 The verification depth for remote SMTP client certificates. A depth of
7672 1 is sufficient if the issuing CA is listed in a local CA file.
7673
7674 The default verification depth is 9 (the OpenSSL default) for compatibility with earlier Postfix behavior. Prior to Postfix 2.5, the default
7676 value was 5, but the limit was not actually enforced. If you have set
7677 this to a lower non-default value, certificates with longer trust
7678 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
7679 common, deeper chains are more rare and any number between 5 and 9
7680 should suffice in practice. You can choose a lower number if, for example, you trust certificates directly signed by an issuing CA but not any CAs it delegates to.
7683
7684 This feature is available in Postfix 2.2 and later.
7685
7686 smtpd_tls_cert_file
7687 File with the Postfix SMTP server RSA certificate in PEM format. This
7688 file may also contain the Postfix SMTP server private RSA key.
7689
7690 Public Internet MX hosts without certificates signed by a "reputable"
7691 CA must generate, and be prepared to present to most clients, a self-
7692 signed or private-CA signed certificate. The client will not be able to
7693 authenticate the server, but unless it is running Postfix 2.3 or similar software, it will still insist on a server certificate.
7695
7696 For servers that are not public Internet MX hosts, Postfix 2.3 supports
7697 configurations with no certificates. This entails the use of just the
7698 anonymous TLS ciphers, which are not supported by typical SMTP clients.
7699 Since such clients will not, as a rule, fall back to plain text after a
7700 TLS handshake failure, the server will be unable to receive email from
7701 TLS enabled clients. To avoid accidental configurations with no certificates, Postfix 2.3 enables certificate-less operation only when the
7703 administrator explicitly sets "smtpd_tls_cert_file = none". This
7704 ensures that new Postfix configurations will not accidentally run with
7705 no certificates.
7706
7707 Both RSA and DSA certificates are supported. When both types are
7708 present, the cipher used determines which certificate will be presented
7709 to the client. For Netscape and OpenSSL clients without special cipher
7710 choices the RSA certificate is preferred.
7711
7712 To enable a remote SMTP client to verify the Postfix SMTP server certificate, the issuing CA certificates must be made available to the
7714 client. You should include the required certificates in the server certificate file, the server certificate first, then the issuing CA(s)
7716 (bottom-up order).
7717
7718 Example: the certificate for "server.example.com" was issued by "intermediate CA" which itself has a certificate of "root CA". Create the
7720 server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem".
7722
7723 If you also want to verify client certificates issued by these CAs, you
7724 can add the CA certificates to the smtpd_tls_CAfile, in which case it
7725 is not necessary to have them in the smtpd_tls_cert_file or
7726 smtpd_tls_dcert_file.
7727
7728 A certificate supplied here must be usable as an SSL server certificate
7729 and hence pass the "openssl verify -purpose sslserver ..." test.
7730
7731 Example:
7732
7733 smtpd_tls_cert_file = /etc/postfix/server.pem
7734
7735 This feature is available in Postfix 2.2 and later.
7736
7738 Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
7739 list. It is easy to create inter-operability problems by choosing a
7740 non-default cipher list. Do not use a non-default TLS cipherlist for MX
7741 hosts on the public Internet. Clients that begin the TLS handshake, but
7742 are unable to agree on a common cipher, may not be able to send any
7743 email to the SMTP server. Using a restricted cipher list may be more
7744 appropriate for a dedicated MSA or an internal mailhub, where one can
7745 exert some control over the TLS software and settings of the connecting
7746 clients.
7747
7748 Note: do not use "" quotes around the parameter value.
7749
7750 This feature is available with Postfix version 2.2. It is not used with
7751 Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
7752
7753 smtpd_tls_ciphers (default: export)
7754 The minimum TLS cipher grade that the Postfix SMTP server will use with
7755 opportunistic TLS encryption. Cipher types listed in
7756 smtpd_tls_exclude_ciphers are excluded from the base definition of the
7757 selected cipher grade. The default value "export" ensures maximum
7758 inter-operability. Because encryption is optional, stronger controls
7759 are not appropriate, and this setting SHOULD NOT be changed unless the
7760 change is essential.
7761
7762 When TLS is mandatory the cipher grade is chosen via the
7763 smtpd_tls_mandatory_ciphers configuration parameter, see there for syntax details.
7765
7766 Example:

7767 smtpd_tls_ciphers = export
7768
7769 This feature is available in Postfix 2.6 and later. With earlier Postfix releases only the smtpd_tls_mandatory_ciphers parameter is implemented, and opportunistic TLS always uses "export" or better (i.e. all) ciphers.
7773
7775 File with the Postfix SMTP server DSA certificate in PEM format. This
7776 file may also contain the Postfix SMTP server private DSA key.
7777
7778 See the discussion under smtpd_tls_cert_file for more details.
7779
7780 Example:
7781
7782 smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
7783
7784 This feature is available in Postfix 2.2 and later.
7785
7787 File with DH parameters that the Postfix SMTP server should use with
7788 EDH ciphers.
7789
     Instead of using the exact same parameter sets as distributed with
     other TLS packages, it is more secure to generate your own set of
     parameters with something like the following command:

         openssl gendh -out /etc/postfix/dh_1024.pem -2 1024

     Note: "openssl gendh" is the historical command name; current OpenSSL
     releases write the same PEM file with "openssl dhparam -out
     /etc/postfix/dh_1024.pem 1024" (generator 2 is the default there).

     Your actual source for entropy may differ. Some systems have
     /dev/random; on other systems you may consider using the "Entropy
     Gathering Daemon EGD", available at http://egd.sourceforge.net/
7799
7800 Example:
7801
7802 smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
7803
7804 This feature is available with Postfix version 2.2.
7805
7807 File with DH parameters that the Postfix SMTP server should use with
7808 EDH ciphers.
7809
7810 See also the discussion under the smtpd_tls_dh1024_param_file configu‐
7811 ration parameter.
7812
7813 Example:
7814
7815 smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
7816
7817 This feature is available with Postfix version 2.2.
7818
7820 File with the Postfix SMTP server DSA private key in PEM format. This
7821 file may be combined with the Postfix SMTP server DSA certificate file
7822 specified with $smtpd_tls_dcert_file.
7823
7824 The private key must be accessible without a pass-phrase, i.e. it must
7825 not be encrypted. File permissions should grant read-only access to the
7826 system superuser account ("root"), and no access to anyone else.
7827
7828 This feature is available in Postfix 2.2 and later.
7829
7831 File with the Postfix SMTP server ECDSA certificate in PEM format.
7832 This file may also contain the Postfix SMTP server private ECDSA key.
7833
7834 See the discussion under smtpd_tls_cert_file for more details.
7835
7836 Example:
7837
7838 smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
7839
7840 This feature is available in Postfix 2.6 and later, when Postfix is
7841 compiled and linked with OpenSSL 1.0.0 or later.
7842
7844 File with the Postfix SMTP server ECDSA private key in PEM format.
7845 This file may be combined with the Postfix SMTP server ECDSA certifi‐
7846 cate file specified with $smtpd_tls_eccert_file.
7847
7848 The private key must be accessible without a pass-phrase, i.e. it must
7849 not be encrypted. File permissions should grant read-only access to the
7850 system superuser account ("root"), and no access to anyone else.
7851
7852 This feature is available in Postfix 2.6 and later, when Postfix is
7853 compiled and linked with OpenSSL 1.0.0 or later.
7854
7856 The Postfix SMTP server security grade for ephemeral elliptic-curve
7857 Diffie-Hellman (EECDH) key exchange.
7858
7859 The available choices are:
7860
7861 none Don't use EECDH. Ciphers based on EECDH key exchange will be
7862 disabled. This is the default in official Postfix releases
7863 (mail_version = major.minor.patchlevel).
7864
7865 strong Use EECDH with approximately 128 bits of security at a reason‐
7866 able computational cost. This is the current best-practice
7867 trade-off between security and computational efficiency. This is
7868 the default in Postfix snapshot releases (mail_version =
7869 major.minor-releasedate).
7870
7871 ultra Use EECDH with approximately 192 bits of security at computa‐
7872 tional cost that is approximately twice as high as 128 bit
7873 strength ECC. Barring significant progress in attacks on ellip‐
7874 tic curve crypto-systems, the "strong" curve is sufficient for
7875 most users.
7876
7877 This feature is available in Postfix 2.6 and later, when it is compiled
7878 and linked with OpenSSL 1.0.0 or later.
7879
7881 List of ciphers or cipher types to exclude from the SMTP server cipher
7882 list at all TLS security levels. Excluding valid ciphers can create
7883 interoperability problems. DO NOT exclude ciphers unless it is essen‐
7884 tial to do so. This is not an OpenSSL cipherlist; it is a simple list
7885 separated by whitespace and/or commas. The elements are a single
7886 cipher, or one or more "+" separated cipher properties, in which case
7887 only ciphers matching all the properties are excluded.
7888
7889 Examples (some of these will cause problems):
7890
7891 smtpd_tls_exclude_ciphers = aNULL
7892 smtpd_tls_exclude_ciphers = MD5, DES
7893 smtpd_tls_exclude_ciphers = DES+MD5
7894 smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
7895 smtpd_tls_exclude_ciphers = kEDH+aRSA
7896
7897 The first setting disables anonymous ciphers. The next setting disables
7898 ciphers that use the MD5 digest algorithm or the (single) DES encryp‐
7899 tion algorithm. The next setting disables ciphers that use MD5 and DES
7900 together. The next setting disables the two ciphers "AES256-SHA" and
7901 "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key
7902 exchange with RSA authentication.
7903
7904 This feature is available in Postfix 2.3 and later.
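
     The matching rules above, worked through in code. This is an added
     example written for this page, not part of Postfix: the cipher
     property table inside it is a small constructed subset of OpenSSL
     suite names with their properties, and the "!element" rendering is
     the documented meaning of the list, not a copy of Postfix's own
     implementation.

```python
"""Model of smtpd_tls_exclude_ciphers matching (added example, not Postfix code).

Each list element becomes an OpenSSL "!element" exclusion. A bare name removes
that one cipher, or every cipher carrying that property; "A+B" removes only
ciphers that carry ALL of the "+"-joined properties. CIPHER_PROPERTIES is a
small constructed subset of OpenSSL suite names with their documented
properties; "openssl ciphers -v" lists the real catalogue on your system.
"""
import re

# Constructed subset: cipher name -> OpenSSL property tags (key exchange,
# authentication, bulk cipher, digest). Illustrative only.
CIPHER_PROPERTIES = {
    "AES256-SHA":           {"kRSA", "aRSA", "AES256", "SHA1"},
    "DHE-RSA-AES256-SHA":   {"kEDH", "aRSA", "AES256", "SHA1"},
    "ADH-AES128-SHA":       {"kEDH", "aNULL", "AES128", "SHA1"},
    "EDH-RSA-DES-CBC3-SHA": {"kEDH", "aRSA", "3DES", "SHA1"},
    "DES-CBC3-MD5":         {"kRSA", "aRSA", "3DES", "MD5"},
    "DES-CBC-MD5":          {"kRSA", "aRSA", "DES", "MD5"},
    "DES-CBC-SHA":          {"kRSA", "aRSA", "DES", "SHA1"},
    "RC4-MD5":              {"kRSA", "aRSA", "RC4", "MD5"},
}


def parse_exclude_list(value):
    """Split a main.cf value on whitespace and/or commas; drop empty tokens."""
    return [tok for tok in re.split(r"[\s,]+", value.strip()) if tok]


def to_openssl_exclusions(value):
    """The equivalent OpenSSL cipherlist suffix: "!" before every element,
    ":"-joined (the documented meaning, assumed rendering, not Postfix code)."""
    return ":".join("!" + tok for tok in parse_exclude_list(value))


def element_matches(element, cipher_name, props):
    """True when the element names this exact cipher, or when every
    "+"-separated property is present in the cipher's property set."""
    if element == cipher_name:
        return True
    return all(prop in props for prop in element.split("+"))


def excluded_ciphers(value, table=CIPHER_PROPERTIES):
    """Names from `table` that the exclusion list removes (any element matching)."""
    elements = parse_exclude_list(value)
    return sorted(name for name, props in table.items()
                  if any(element_matches(e, name, props) for e in elements))


def remaining_ciphers(value, table=CIPHER_PROPERTIES):
    """Names from `table` that survive the exclusion list."""
    gone = set(excluded_ciphers(value, table))
    return sorted(name for name in table if name not in gone)


if __name__ == "__main__":
    for setting in ("aNULL", "MD5, DES", "DES+MD5",
                    "AES256-SHA, DES-CBC3-MD5", "kEDH+aRSA"):
        print("%-26s -> %-22s excludes %s" % (
            setting, to_openssl_exclusions(setting), excluded_ciphers(setting)))
```

     Running the file prints, for each of the five example settings, the
     OpenSSL-style exclusion string and the ciphers it removes from the
     constructed table. Two details worth noticing: "MD5, DES" leaves
     EDH-RSA-DES-CBC3-SHA in place (3DES is not single DES), and
     "kEDH+aRSA" leaves the anonymous ADH suite in place (aNULL is not
     aRSA), which is exactly the "all properties must match" rule.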
7905
7907 The message digest algorithm used to construct client-certificate fin‐
7908 gerprints for check_ccert_access and permit_tls_clientcerts. The
7909 default algorithm is md5, for backwards compatibility with Postfix
7910 releases prior to 2.5.
7911
     The best practice algorithm is now sha1. Recent advances in hash
     function cryptanalysis have led to md5 being deprecated in favor of
     sha1. However, as long as there are no known "second pre-image" attacks
     against md5, its use in this context can still be considered safe.

     While additional digest algorithms are often available with OpenSSL's
     libcrypto, only those used by libssl in SSL cipher suites are available
     to Postfix. For now this means just md5 or sha1. Later Postfix releases
     also accept sha256 here and, from Postfix 3.6 on, use it as the
     default; prefer it where the installed release supports it.
7920
     To find the fingerprint of a specific certificate file, with a specific
     digest algorithm, run (replace "-digest" with "-md5" or "-sha1"):

         $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7925
7926 The text to the right of "=" sign is the desired fingerprint. For
7927 example:
7928
7929 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7930 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7931
7932 Example: client-certificate access table, with sha1 fingerprints:
7933
7934 /etc/postfix/main.cf:
7935 smtpd_tls_fingerprint_digest = sha1
7936 smtpd_client_restrictions =
7937 check_ccert_access hash:/etc/postfix/access,
7938 reject
7939 /etc/postfix/access:
7940 # Action folded to next line...
7941 AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
7942 OK
7943 85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
7944 permit_auth_destination
7945
7946 This feature is available in Postfix 2.5 and later.
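
     The computation behind the openssl command above, together with a
     generator for the folded access-table format shown, as an added
     example that is not Postfix or OpenSSL code. "openssl x509
     -fingerprint" hashes the DER encoding of the certificate, and this
     does the same. The PEM it ships with is constructed placeholder bytes
     wrapped in certificate markers so it runs offline; it is not a real
     certificate. The sha256 option reflects later Postfix releases and is
     an assumption relative to the release this page documents.

```python
"""Certificate fingerprints as used by smtpd_tls_fingerprint_digest and
check_ccert_access (added example, not Postfix or OpenSSL code).

"openssl x509 -fingerprint" hashes the DER encoding of the certificate and
prints the digest as colon-separated upper-case hex; this file does the same
and renders access-table entries in the folded format shown in the manual.
FAKE_PEM is constructed placeholder bytes wrapped in certificate markers so
the example runs offline; it is not a real certificate."""
import base64
import hashlib
import re

# Accepted here: the two digests this manual lists, plus sha256, which later
# Postfix releases accept (an assumption relative to the release documented).
DIGESTS = ("md5", "sha1", "sha256")

# Constructed input, not a real certificate: 64 arbitrary bytes as "DER".
FAKE_DER = bytes(range(64))
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(FAKE_DER).decode("ascii")
            + "-----END CERTIFICATE-----\n")


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block; the body is base64 with line breaks."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      pem_text, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der_bytes, digest="sha1"):
    """Colon-separated upper-case hex digest of the DER bytes, i.e. the text
    to the right of "=" in openssl's "... Fingerprint=" output."""
    if digest not in DIGESTS:
        raise ValueError("unsupported digest: " + digest)
    hexdigest = hashlib.new(digest, der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def access_table_line(pem_text, action, digest="sha1"):
    """One check_ccert_access entry: fingerprint key on one line, the action
    (OK, REJECT, permit_auth_destination, ...) folded onto the next line."""
    return "%s\n    %s\n" % (fingerprint(pem_to_der(pem_text), digest), action)


if __name__ == "__main__":
    for name in DIGESTS:
        print("%-6s %s" % (name, fingerprint(FAKE_DER, name)))
    print(access_table_line(FAKE_PEM, "OK"), end="")
```

     Before trusting a generated entry, compare it with the output of
     "openssl x509 -noout -fingerprint -sha1 -in cert.pem" for a real
     certificate, keep the digest name in main.cf in step with the one
     used to build the table, and rebuild the hash: table with postmap
     after editing it.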
7947
7949 File with the Postfix SMTP server RSA private key in PEM format. This
7950 file may be combined with the Postfix SMTP server RSA certificate file
7951 specified with $smtpd_tls_cert_file.
7952
7953 The private key must be accessible without a pass-phrase, i.e. it must
7954 not be encrypted. File permissions should grant read-only access to the
7955 system superuser account ("root"), and no access to anyone else.
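
     The same two requirements are stated for the RSA, DSA and ECDSA key
     files above: the key must not be pass-phrase protected, and the file
     must be readable by root only. The following check enforces both; it
     is an added example, not part of Postfix. The expected_uid parameter
     is a hypothetical knob added only so the check can be exercised by a
     non-root user (leave it at 0 in production), and the mode test treats
     0400 as the target, reporting any group/other bit or an owner
     write/execute bit.

```python
"""Check a Postfix TLS private key file against the manual's rules: a PEM key
that is not pass-phrase protected, owned by root, readable by root only.
Added example, not Postfix code; `expected_uid` is a hypothetical knob so the
check can run as a non-root user (keep the default 0 in production)."""
import os
import stat
import sys


def check_private_key(path, expected_uid=0):
    """Return a list of human-readable findings; an empty list means it passes."""
    findings = []
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other bits set (mode %s); only root may read a key"
                        % oct(mode))
    if mode & (stat.S_IWUSR | stat.S_IXUSR):
        findings.append("owner has write/execute bits (mode %s); 0400 is sufficient"
                        % oct(mode))
    with open(path, "rb") as fh:
        head = fh.read(8192)
    if b"PRIVATE KEY-----" not in head:
        findings.append("no PEM private key block found")
    # Both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy PEM
    # ("Proc-Type: 4,ENCRYPTED") pass-phrase protection carry this marker.
    if b"ENCRYPTED" in head:
        findings.append("key is pass-phrase protected; Postfix cannot load it")
    return findings


if __name__ == "__main__":
    # Hypothetical default path; pass the real key file(s) as arguments.
    for key_file in sys.argv[1:] or ["/etc/postfix/server.pem"]:
        problems = check_private_key(key_file)
        print("%s: %s" % (key_file, "OK" if not problems else "; ".join(problems)))
```

     Run it as root against the files named in smtpd_tls_key_file and the
     DSA/ECDSA equivalents, and again after every certificate renewal, since
     renewal tooling frequently rewrites key files with a permissive umask.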
7956
7958 Enable additional Postfix SMTP server logging of TLS activity. Each
7959 logging level also includes the information that is logged at a lower
7960 logging level.
7961
7962 0 Disable logging of TLS activity.
7963
7964 1 Log TLS handshake and certificate information.
7965
7966 2 Log levels during TLS negotiation.
7967
7968 3 Log hexadecimal and ASCII dump of TLS negotiation process.
7969
7970 4 Also log hexadecimal and ASCII dump of complete transmission
7971 after STARTTLS.
7972
7973 Use "smtpd_tls_loglevel = 3" only in case of problems. Use of loglevel
7974 4 is strongly discouraged.
7975
7976 This feature is available in Postfix 2.2 and later.
7977
7979 The minimum TLS cipher grade that the Postfix SMTP server will use with
7980 mandatory TLS encryption. The default grade ("medium") is sufficiently
7981 strong that any benefit from globally restricting TLS sessions to a
7982 more stringent grade is likely negligible, especially given the fact
7983 that many implementations still do not offer any stronger ("high"
7984 grade) ciphers, while those that do, will always use "high" grade
     ciphers. So insisting on "high" grade ciphers is generally counter-
     productive. Allowing "export" or "low" ciphers is typically not a good
     idea: the only systems limited to just these ciphers are obsolete web
     browsers, not mail software. No known SMTP clients fail to support at
     least one "medium" or "high" grade cipher.
7990
7991 The following cipher grades are supported:
7992
7993 export Enable "EXPORT" grade or stronger OpenSSL ciphers. This is the
7994 most appropriate setting for public MX hosts, and is always used
7995 with opportunistic TLS encryption. The underlying cipherlist is
7996 specified via the tls_export_cipherlist configuration parameter,
7997 which you are strongly encouraged to not change.
7998
7999 low Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
8000 cipherlist is specified via the tls_low_cipherlist configuration
8001 parameter, which you are strongly encouraged to not change.
8002
8003 medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
8004 128-bit or longer symmetric bulk-encryption keys. This is the
8005 default minimum strength for mandatory TLS encryption. The
8006 underlying cipherlist is specified via the tls_medium_cipherlist
8007 configuration parameter, which you are strongly encouraged to
8008 not change.
8009
8010 high Enable only "HIGH" grade OpenSSL ciphers. The underlying
8011 cipherlist is specified via the tls_high_cipherlist configura‐
8012 tion parameter, which you are strongly encouraged to not change.
8013
8014 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
8015 cation without encryption. This setting is only appropriate in
8016 the rare case that all clients are prepared to use NULL ciphers
8017 (not normally enabled in TLS clients). The underlying cipherlist
8018 is specified via the tls_null_cipherlist configuration parame‐
8019 ter, which you are strongly encouraged to not change.
8020
8021 Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
8022 smtpd_tls_exclude_ciphers are excluded from the base definition of the
8023 selected cipher grade. See smtpd_tls_ciphers for cipher controls that
8024 apply to opportunistic TLS.
8025
8026 The underlying cipherlists for grades other than "null" include anony‐
8027 mous ciphers, but these are automatically filtered out if the server is
8028 configured to ask for client certificates. You are very unlikely to
8029 need to take any steps to exclude anonymous ciphers, they are excluded
8030 automatically as required. If you must exclude anonymous ciphers even
8031 when Postfix does not need or use peer certificates, set
8032 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
8033 when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers =
8034 aNULL".
8035
8036 This feature is available in Postfix 2.3 and later.
8037
8039 Additional list of ciphers or cipher types to exclude from the SMTP
8040 server cipher list at mandatory TLS security levels. This list works in
8041 addition to the exclusions listed with smtpd_tls_exclude_ciphers (see
8042 there for syntax details).
8043
8044 This feature is available in Postfix 2.3 and later.
8045
8047 The SSL/TLS protocols accepted by the Postfix SMTP server with manda‐
8048 tory TLS encryption. If the list is empty, the server supports all
8049 available SSL/TLS protocol versions. A non-empty value is a list of
8050 protocol names separated by whitespace, commas or colons. The supported
8051 protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sen‐
8052 sitive.
8053
8054 With Postfix >= 2.5 the parameter syntax is expanded to support proto‐
8055 col exclusions. One can now explicitly exclude SSLv2 by setting
8056 "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
8057 SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the
8058 protocols to include, rather than protocols to exclude, is still sup‐
8059 ported, use the form you find more intuitive.
8060
8061 Since SSL version 2 has known protocol weaknesses and is now depre‐
8062 cated, the default setting excludes "SSLv2". This means that by
8063 default, SSL version 2 will not be used at the "encrypt" security
8064 level.
8065
8066 Example:
8067
8068 smtpd_tls_mandatory_protocols = TLSv1
8069 # Alternative form with Postfix >= 2.5:
8070 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
8071
8072 This feature is available in Postfix 2.3 and later.
8073
8075 List of TLS protocols that the Postfix SMTP server will exclude or
8076 include with opportunistic TLS encryption. This parameter SHOULD be
8077 left at its default empty value, allowing all protocols to be used with
8078 opportunistic TLS.
8079
     In main.cf the values are separated by whitespace, commas or colons. An
     empty value means allow all protocols. The valid protocol names, (see
     SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1". In
     smtp_tls_policy_maps table entries, "protocols" attribute values are
     separated by a colon.
8085
8086 To include a protocol list its name, to exclude it, prefix the name
8087 with a "!" character. To exclude SSLv2 even for opportunistic TLS set
8088 "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
8089 "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the proto‐
8090 cols to include, is supported, but not recommended. OpenSSL provides no
8091 mechanisms for excluding protocols not known at compile-time. If Post‐
8092 fix is linked against an OpenSSL library that supports additional pro‐
8093 tocol versions, they cannot be excluded using either syntax.
8094
8095 Example:
8096 smtpd_tls_protocols = !SSLv2
8097
8098 This feature is available in Postfix 2.6 and later.
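
     A resolver for the list syntax shared by smtpd_tls_mandatory_protocols
     and smtpd_tls_protocols, as an added example (not Postfix code). It
     models the documented behaviour: explicit "!name" entries are switched
     off, and when names are listed without "!", every known protocol absent
     from that list is switched off too. KNOWN_PROTOCOLS is the set this
     page documents; NEWER_OPENSSL is a constructed capability list used to
     show the caveat above, that versions the linked library supports but
     Postfix does not know survive either syntax.

```python
"""Resolve the protocol lists accepted by smtpd_tls_mandatory_protocols and
smtpd_tls_protocols (added example, not Postfix code).

KNOWN_PROTOCOLS is the set this manual page documents. Model: explicit
"!name" exclusions are switched off; if any names are listed without "!",
every known protocol missing from that list is switched off as well. A
protocol version the linked OpenSSL supports but Postfix does not know
cannot be switched off by either syntax, which NEWER_OPENSSL (a constructed
capability list) is there to show."""
import re

KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

# Constructed: what a newer OpenSSL might offer, beyond what this Postfix knows.
NEWER_OPENSSL = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_protocol_list(value):
    """Tokens are separated by whitespace, commas or colons and matched
    case-insensitively; a leading "!" marks an exclusion.
    Returns (includes, excludes, unknown_tokens)."""
    canonical = {name.lower(): name for name in KNOWN_PROTOCOLS}
    includes, excludes, unknown = set(), set(), []
    for token in re.split(r"[\s,:]+", value.strip()):
        if not token:
            continue
        negate = token.startswith("!")
        name = canonical.get(token.lstrip("!").lower())
        if name is None:
            unknown.append(token)
        elif negate:
            excludes.add(name)
        else:
            includes.add(name)
    return includes, excludes, unknown


def disabled_protocols(value):
    """Known protocol versions that the setting switches off."""
    includes, excludes, unknown = parse_protocol_list(value)
    if unknown:
        raise ValueError("unknown protocol name(s): " + ", ".join(unknown))
    disabled = set(excludes)
    if includes:                       # inclusion form: everything else is off
        disabled |= set(KNOWN_PROTOCOLS) - includes
    return disabled


def enabled_protocols(value, library_supports):
    """What can actually be negotiated: the library's versions minus those
    Postfix switched off. Versions unknown to Postfix always survive."""
    return sorted(set(library_supports) - disabled_protocols(value))


if __name__ == "__main__":
    for setting in ("", "!SSLv2", "!SSLv2, !SSLv3", "TLSv1"):
        print("%-18r disables %-20s leaves %s" % (
            setting, sorted(disabled_protocols(setting)),
            enabled_protocols(setting, NEWER_OPENSSL)))
```

     With the default empty value nothing is disabled. "TLSv1" and "!SSLv2,
     !SSLv3" are equivalent for the three versions this Postfix knows, and
     both leave TLSv1.1 and TLSv1.2 enabled in the constructed newer-library
     case: harmless for those versions, but it shows that the inclusion
     form cannot be relied on to pin exactly one version.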
8099
8101 Request that the Postfix SMTP server produces Received: message head‐
8102 ers that include information about the protocol and cipher used, as
8103 well as the client CommonName and client certificate issuer CommonName.
8104 This is disabled by default, as the information may be modified in
8105 transit through other mail servers. Only information that was recorded
8106 by the final destination can be trusted.
8107
8108 This feature is available in Postfix 2.2 and later.
8109
8111 With mandatory TLS encryption, require a trusted remote SMTP client
8112 certificate in order to allow TLS connections to proceed. This option
8113 implies "smtpd_tls_ask_ccert = yes".
8114
8115 When TLS encryption is optional, this setting is ignored with a warning
8116 written to the mail log.
8117
8118 This feature is available in Postfix 2.2 and later.
8119
8121 The SMTP TLS security level for the Postfix SMTP server; when a non-
8122 empty value is specified, this overrides the obsolete parameters
8123 smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
8124 "smtpd_tls_wrappermode = yes".
8125
8126 Specify one of the following security levels:
8127
8128 none TLS will not be used.
8129
8130 may Opportunistic TLS: announce STARTTLS support to SMTP clients,
8131 but do not require that clients use TLS encryption.
8132
     encrypt
            Mandatory TLS encryption: announce STARTTLS support to SMTP
            clients, and require that clients use TLS encryption. According
            to RFC 2487 (now RFC 3207) this MUST NOT be applied in case of a
            publicly-referenced SMTP server. Instead, this option should be
            used only on dedicated servers, typically by leaving the public
            port 25 service at "may" and setting "-o
            smtpd_tls_security_level=encrypt" on a separate submission
            service in master.cf.
8139
8140 Note 1: the "fingerprint", "verify" and "secure" levels are not sup‐
8141 ported here. The Postfix SMTP server logs a warning and uses "encrypt"
8142 instead. To verify SMTP client certificates, see TLS_README for a dis‐
8143 cussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and per‐
8144 mit_tls_clientcerts features.
8145
8146 Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
8147 implies "smtpd_tls_auth_only = yes".
8148
8149 Note 3: when invoked via "sendmail -bs", Postfix will never offer
8150 STARTTLS due to insufficient privileges to access the server private
8151 key. This is intended behavior.
8152
8153 This feature is available in Postfix 2.3 and later.
8154
8156 Name of the file containing the optional Postfix SMTP server TLS ses‐
8157 sion cache. Specify a database type that supports enumeration, such as
8158 btree or sdbm; there is no need to support concurrent access. The file
8159 is created if it does not exist. The smtpd(8) daemon does not use this
8160 parameter directly, rather the cache is implemented indirectly in the
8161 tlsmgr(8) daemon. This means that per-smtpd-instance master.cf over‐
8162 rides of this parameter are not effective. Note, that each of the cache
8163 databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
8164 base, $smtp_tls_session_cache_database (and with Postfix 2.3 and later
8165 $lmtp_tls_session_cache_database), needs to be stored separately. It is
8166 not at this time possible to store multiple caches in a single data‐
8167 base.
8168
8169 Note: dbm databases are not suitable. TLS session objects are too
8170 large.
8171
8172 As of version 2.5, Postfix no longer uses root privileges when opening
8173 this file. The file should now be stored under the Postfix-owned
8174 data_directory. As a migration aid, an attempt to open the file under a
8175 non-Postfix directory is redirected to the Postfix-owned data_direc‐
8176 tory, and a warning is logged.
8177
8178 Example:
8179
8180 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
8181
8182 This feature is available in Postfix 2.2 and later.
8183
8185 The expiration time of Postfix SMTP server TLS session cache informa‐
8186 tion. A cache cleanup is performed periodically every $smtpd_tls_ses‐
8187 sion_cache_timeout seconds. As with $smtpd_tls_session_cache_database,
8188 this parameter is implemented in the tlsmgr(8) daemon and therefore
8189 per-smtpd-instance master.cf overrides are not possible.
8190
8191 This feature is available in Postfix 2.2 and later.
8192
8194 Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
8195 of using the STARTTLS command.
8196
     If you want to support this service, enable a special port in
     master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
     server's command line. Port 465 (smtps) was once chosen for this
     purpose; RFC 8314 has since standardized port 465 for message
     submission over implicit TLS, so wrapper mode remains relevant for
     submission services.
8200
8201 This feature is available in Postfix 2.2 and later.
8202
8204 Opportunistic TLS: announce STARTTLS support to SMTP clients, but do
8205 not require that clients use TLS encryption.
8206
8207 Note: when invoked via "sendmail -bs", Postfix will never offer START‐
8208 TLS due to insufficient privileges to access the server private key.
8209 This is intended behavior.
8210
8211 This feature is available in Postfix 2.2 and later. With Postfix 2.3
8212 and later use smtpd_tls_security_level instead.
8213
8215 Safety net to keep mail queued that would otherwise be returned to the
8216 sender. This parameter disables locally-generated bounces, and pre‐
8217 vents the Postfix SMTP server from rejecting mail permanently, by
8218 changing 5xx reply codes into 4xx. However, soft_bounce is no cure for
8219 address rewriting mistakes or mail routing mistakes.
8220
8221 Example:
8222
8223 soft_bounce = yes
8224
8226 The time after which a stale exclusive mailbox lockfile is removed.
8227 This is used for delivery to file or mailbox.
8228
8229 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
8230 The default time unit is s (seconds).
8231
8233 This feature is documented in the STRESS_README document.
8234
8235 This feature is available in Postfix 2.5 and later.
8236
8238 Reject mail with 8-bit text in message headers. This blocks mail from
8239 poorly written applications.
8240
8241 This feature should not be enabled on a general purpose mail server,
8242 because it is likely to reject legitimate email.
8243
8244 This feature is available in Postfix 2.0 and later.
8245
8247 Enable both strict_7bit_headers and strict_8bitmime_body.
8248
8249 This feature should not be enabled on a general purpose mail server,
8250 because it is likely to reject legitimate email.
8251
8252 This feature is available in Postfix 2.0 and later.
8253
8255 Reject 8-bit message body text without 8-bit MIME content encoding
8256 information. This blocks mail from poorly written applications.
8257
8258 Unfortunately, this also rejects majordomo approval requests when the
8259 included request contains valid 8-bit MIME mail, and it rejects bounces
8260 from mailers that do not MIME encapsulate 8-bit content (for example,
8261 bounces from qmail or from old versions of Postfix).
8262
8263 This feature should not be enabled on a general purpose mail server,
8264 because it is likely to reject legitimate email.
8265
8266 This feature is available in Postfix 2.0 and later.
8267
8269 Defer delivery when a mailbox file is not owned by its recipient. The
8270 default setting is not backwards compatible.
8271
8272 This feature is available in Postfix 2.5.3 and later.
8273
8275 Reject mail with invalid Content-Transfer-Encoding: information for the
8276 message/* or multipart/* MIME content types. This blocks mail from
8277 poorly written software.
8278
8279 This feature should not be enabled on a general purpose mail server,
8280 because it will reject mail after a single violation.
8281
8282 This feature is available in Postfix 2.0 and later.
8283
8285 Require that addresses received in SMTP MAIL FROM and RCPT TO commands
8286 are enclosed with <>, and that those addresses do not contain RFC 822
8287 style comments or phrases. This stops mail from poorly written soft‐
8288 ware.
8289
8290 By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
8291 and RCPT TO addresses.
8292
8294 Obsolete SUN mailtool compatibility feature. Instead, use "mail‐
8295 box_delivery_lock = dotlock".
8296
8298 Enable the rewriting of "site!user" into "user@site". This is neces‐
8299 sary if your machine is connected to UUCP networks. It is enabled by
8300 default.
8301
8302 Note: with Postfix version 2.2, message header address rewriting hap‐
8303 pens only when one of the following conditions is true:
8304
8305 · The message is received with the Postfix sendmail(1) command,
8306
8307 · The message is received from a network client that matches
8308 $local_header_rewrite_clients,
8309
8310 · The message is received from the network, and the
8311 remote_header_rewrite_domain parameter specifies a non-empty
8312 value.
8313
8314 To get the behavior before Postfix version 2.2, specify
8315 "local_header_rewrite_clients = static:all".
8316
8317 Example:
8318
8319 swap_bangpath = no
8320
8322 The syslog facility of Postfix logging. Specify a facility as defined
8323 in syslog.conf(5). The default facility is "mail".
8324
8325 Warning: a non-default syslog_facility setting takes effect only after
8326 a Postfix process has completed initialization. Errors during process
8327 initialization will be logged with the default facility. Examples are
8328 errors while parsing the command line arguments, and errors while
8329 accessing the Postfix main.cf configuration file.
8330
8332 The mail system name that is prepended to the process name in syslog
8333 records, so that "smtpd" becomes, for example, "postfix/smtpd".
8334
8335 Warning: a non-default syslog_name setting takes effect only after a
8336 Postfix process has completed initialization. Errors during process
8337 initialization will be logged with the default name. Examples are
8338 errors while parsing the command line arguments, and errors while
8339 accessing the Postfix main.cf configuration file.
8340
8342 An optional workaround for routers that break TCP window scaling.
8343 Specify a value > 0 and < 65536 to enable this feature. With Postfix
8344 TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
8345 Postfix master(8) daemon.
8346
8347 To change this parameter without stopping Postfix, you need to first
8348 terminate all Postfix TCP servers:
8349
8350 # postconf -e master_service_disable=inet
8351 # postfix reload
8352
8353 This immediately terminates all processes that accept network connec‐
8354 tions. Next, you enable Postfix TCP servers with the updated tcp_win‐
8355 dowsize setting:
8356
8357 # postconf -e tcp_windowsize=65535 master_service_disable=
8358 # postfix reload
8359
8360 If you skip these steps with a running Postfix system, then the
8361 tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
8362 lmtp(8)).
8363
8364 This feature is available in Postfix 2.6 and later.
8365
8367 Append the system-supplied default certificate authority certificates
8368 to the ones specified with *_tls_CApath or *_tls_CAfile. The default
8369 is "no"; this prevents Postfix from trusting third-party certificates
8370 and giving them relay permission with permit_tls_all_clientcerts.
8371
8372 This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
8373 later versions. Specify "tls_append_default_CA = yes" for backwards
8374 compatibility, to avoid breaking certificate verification with sites
8375 that don't use permit_tls_all_clientcerts.
8376
8378 The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
8379 requests from the tlsmgr(8) server in order to seed its internal pseudo
8380 random number generator (PRNG). The default of 32 bytes (equivalent to
8381 256 bits) is sufficient to generate a 128bit (or 168bit) session key.
8382
8383 This feature is available in Postfix 2.2 and later.
8384
8386 The elliptic curve used by the SMTP server for sensibly strong
8387 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
8388 server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
8389 strong" means approximately 128-bit security based on best known
8390 attacks. The selected curve must be implemented by OpenSSL (as reported
8391 by ecparam(1) with the "-list_curves" option) and be one of the curves
8392 listed in Section 5.1.1 of RFC 4492. You should not generally change
8393 this setting.
8394
8395 This default curve is specified in NSA "Suite B" Cryptography (see
8396 http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for information
8397 classified as SECRET.
8398
8399 Note: elliptic curve names are poorly standardized; different standards
8400 groups are assigning different names to the same underlying curves.
8401 The curve with the X9.62 name "prime256v1" is also known under the SECG
8402 name "secp256r1", but OpenSSL does not recognize the latter name.
8403
8404 This feature is available in Postfix 2.6 and later, when it is compiled
8405 and linked with OpenSSL 1.0.0 or later.
8406
8408 The elliptic curve used by the SMTP server for maximally strong
8409 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
8410 server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally
8411 strong" means approximately 192-bit security based on best known
8412 attacks. This additional strength comes at a significant computational
8413 cost, most users should instead set "smtpd_tls_eecdh_grade = strong".
8414 The selected curve must be implemented by OpenSSL (as reported by
8415 ecparam(1) with the "-list_curves" option) and be one of the curves
8416 listed in Section 5.1.1 of RFC 4492. You should not generally change
8417 this setting.
8418
8419 This default "ultra" curve is specified in NSA "Suite B" Cryptography
8420 (see http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for information
8421 classified as TOP SECRET.
8422
8423 This feature is available in Postfix 2.6 and later, when it is compiled
8424 and linked with OpenSSL 1.0.0 or later.
8425
8427 The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
8428 defines the meaning of the "export" setting in smtpd_tls_manda‐
8429 tory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_manda‐
8430 tory_ciphers. This is the cipherlist for the opportunistic ("may") TLS
8431 client security level and is the default cipherlist for the SMTP
8432 server. You are strongly encouraged to not change this setting. With
8433 OpenSSL 1.0.0 and later the cipherlist may start with an "aNULL:" pre‐
8434 fix, which restores the 0.9.8-compatible ordering of the aNULL ciphers
8435 to the top of the list when they are enabled. This prefix is not needed
8436 with previous OpenSSL releases.
8437
8438 This feature is available in Postfix 2.3 and later.
8439
8441 The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the mean‐
8442 ing of the "high" setting in smtpd_tls_mandatory_ciphers,
8443 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
8444 strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
8445 later the cipherlist may start with an "aNULL:" prefix, which restores
8446 the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
8447 list when they are enabled. This prefix is not needed with previous
8448 OpenSSL releases.
8449
8450 This feature is available in Postfix 2.3 and later.
8451
8453 The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
8454 the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
8455 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
8456 strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
8457 later the cipherlist may start with an "aNULL:" prefix, which restores
8458 the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
8459 list when they are enabled. This prefix is not needed with previous
8460 OpenSSL releases.
8461
8462 This feature is available in Postfix 2.3 and later.
8463
8465 The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
8466 defines the meaning of the "medium" setting in smtpd_tls_manda‐
8467 tory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_manda‐
8468 tory_ciphers. This is the default cipherlist for mandatory TLS encryp‐
8469 tion in the TLS client (with anonymous ciphers disabled when verifying
8470 server certificates). You are strongly encouraged to not change this
8471 setting. With OpenSSL 1.0.0 and later the cipherlist may start with an
8472 "aNULL:" prefix, which restores the 0.9.8-compatible ordering of the
8473 aNULL ciphers to the top of the list when they are enabled. This prefix
8474 is not needed with previous OpenSSL releases.
8475
8476 This feature is available in Postfix 2.3 and later.
8477
     The OpenSSL cipherlist for "NULL" grade ciphers that provide
     authentication without encryption. This defines the meaning of the
     "null" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers
     and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not
     change this setting.
8484
8485 This feature is available in Postfix 2.3 and later.
8486
The number of bytes that tlsmgr(8) reads from $tls_random_source when
(re)seeding the in-memory pseudo random number generator (PRNG) pool.
The default of 32 bytes (256 bits) is good enough for 128-bit symmetric
keys. If using EGD or a device file, a maximum of 255 bytes is read.

This feature is available in Postfix 2.2 and later.

Name of the pseudo random number generator (PRNG) state file that is
maintained by tlsmgr(8). The file is created when it does not exist,
and its length is fixed at 1024 bytes.

As of version 2.5, Postfix no longer uses root privileges when opening
this file, and the default file location was changed from
${config_directory}/prng_exch to ${data_directory}/prng_exch. As a
migration aid, an attempt to open the file under a non-Postfix directory
is redirected to the Postfix-owned data_directory, and a warning is
logged.

This feature is available in Postfix 2.2 and later.

The time between attempts by tlsmgr(8) to save the state of the pseudo
random number generator (PRNG) to the file specified with
$tls_random_exchange_name.

This feature is available in Postfix 2.2 and later.

The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
pseudo random number generator (PRNG) pool from external sources. The
actual time between re-seeding attempts is calculated using the PRNG,
and is between 0 and the time specified.

This feature is available in Postfix 2.2 and later.

The external entropy source for the in-memory tlsmgr(8) pseudo random
number generator (PRNG) pool. Be sure to specify a non-blocking source.
If this source is not a regular file, the entropy source type must be
prepended: egd:/path/to/egd_socket for a source with an EGD-compatible
socket interface, or dev:/path/to/device for a device file.

Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives
timeout errors.

This feature is available in Postfix 2.2 and later.

The name of the trace service. This service is implemented by the
bounce(8) daemon and maintains a record of mail deliveries and produces
a mail delivery report when verbose delivery is requested with
"sendmail -v".

This feature is available in Postfix 2.1 and later.

A transport-specific override for the default_delivery_slot_cost
parameter value, where transport is the master.cf name of the message
delivery transport.

A transport-specific override for the default_delivery_slot_discount
parameter value, where transport is the master.cf name of the message
delivery transport.

A transport-specific override for the default_delivery_slot_loan
parameter value, where transport is the master.cf name of the message
delivery transport.

transport_destination_concurrency_failed_cohort_limit ($default_destination_concurrency_failed_cohort_limit)
A transport-specific override for the
default_destination_concurrency_failed_cohort_limit parameter value,
where transport is the master.cf name of the message delivery transport.

This feature is available in Postfix 2.5 and later.

transport_destination_concurrency_limit ($default_destination_concurrency_limit)
A transport-specific override for the default_destination_concurrency_limit
parameter value, where transport is the master.cf name of the message
delivery transport.

transport_destination_concurrency_negative_feedback ($default_destination_concurrency_negative_feedback)
A transport-specific override for the
default_destination_concurrency_negative_feedback parameter value, where
transport is the master.cf name of the message delivery transport.

This feature is available in Postfix 2.5 and later.

transport_destination_concurrency_positive_feedback ($default_destination_concurrency_positive_feedback)
A transport-specific override for the
default_destination_concurrency_positive_feedback parameter value, where
transport is the master.cf name of the message delivery transport.

This feature is available in Postfix 2.5 and later.

A transport-specific override for the default_destination_rate_delay
parameter value, where transport is the master.cf name of the message
delivery transport.

This feature is available in Postfix 2.5 and later.

transport_destination_recipient_limit ($default_destination_recipient_limit)
A transport-specific override for the default_destination_recipient_limit
parameter value, where transport is the master.cf name of the message
delivery transport.

A transport-specific override for the default_extra_recipient_limit
parameter value, where transport is the master.cf name of the message
delivery transport.

transport_initial_destination_concurrency ($initial_destination_concurrency)
A transport-specific override for the initial_destination_concurrency
parameter value, where transport is the master.cf name of the message
delivery transport.

This feature is available in Postfix 2.5 and later.

Optional lookup tables with mappings from recipient address to (message
delivery transport, next-hop destination). See transport(5) for
details.

Specify zero or more "type:table" lookup tables. If you use this feature
with local files, run "postmap /etc/postfix/transport" after making a
change.

For safety reasons, as of Postfix 2.3 this feature does not allow
$number substitutions in regular expression maps.

Examples:

transport_maps = dbm:/etc/postfix/transport
transport_maps = hash:/etc/postfix/transport

A transport-specific override for the default_minimum_delivery_slots
parameter value, where transport is the master.cf name of the message
delivery transport.

A transport-specific override for the default_recipient_limit parameter
value, where transport is the master.cf name of the message delivery
transport.

A transport-specific override for the default_recipient_refill_delay
parameter value, where transport is the master.cf name of the message
delivery transport.

This feature is available in Postfix 2.4 and later.

A transport-specific override for the default_recipient_refill_limit
parameter value, where transport is the master.cf name of the message
delivery transport.

This feature is available in Postfix 2.4 and later.

The time between attempts by the Postfix queue manager to contact a
malfunctioning message delivery transport.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

A transport-specific override for the command_time_limit parameter
value, where transport is the master.cf name of the message delivery
transport.

The time limit for sending a trigger to a Postfix daemon (for example,
the pickup(8) or qmgr(8) daemon). This time limit prevents programs
from getting stuck when the mail system is under heavy load.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Message header that the Postfix cleanup(8) server inserts when a
message contains no To: or Cc: message header. With Postfix 2.4 and
later, specify an empty value to disable this feature.

The numerical Postfix SMTP server response code when a sender or
recipient address is rejected by the reject_unknown_sender_domain or
reject_unknown_recipient_domain restriction. The response is always
450 in case of a temporary DNS error.

Do not change this unless you have a complete understanding of RFC
2821.

The Postfix SMTP server's action when reject_unknown_sender_domain or
reject_unknown_recipient_domain fail due to a temporary error
condition. Specify "defer" to defer the remote SMTP client request
immediately. With the default "defer_if_permit" action, the Postfix SMTP
server continues to look for opportunities to reject mail, and defers
the client request only if it would otherwise be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a client without
valid address <=> name mapping is rejected by the
reject_unknown_client_hostname restriction. The SMTP server always
replies with 450 when the mapping failed due to a temporary error
condition.

Do not change this unless you have a complete understanding of RFC
2821.

The Postfix SMTP server's action when reject_unknown_helo_hostname
fails due to a temporary error condition. Specify "defer" to defer the
remote SMTP client request immediately. With the default
"defer_if_permit" action, the Postfix SMTP server continues to look for
opportunities to reject mail, and defers the client request only if it
would otherwise be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when the hostname
specified with the HELO or EHLO command is rejected by the
reject_unknown_helo_hostname restriction.

Do not change this unless you have a complete understanding of RFC
2821.

The numerical Postfix SMTP server response code when a recipient
address is local, and $local_recipient_maps specifies a list of lookup
tables that does not match the recipient. A recipient address is local
when its domain matches $mydestination, $proxy_interfaces or
$inet_interfaces.

The default setting is 550 (reject mail) but it is safer to initially
use 450 (try again later) so you have time to find out if your
local_recipient_maps settings are OK.

Example:

unknown_local_recipient_reject_code = 450

This feature is available in Postfix 2.0 and later.

The numerical Postfix SMTP server reply code when a recipient address
matches $relay_domains, and relay_recipient_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The SMTP server reply code when a recipient address matches
$virtual_alias_domains, and $virtual_alias_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The SMTP server reply code when a recipient address matches
$virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The numerical Postfix SMTP server response when a recipient address
probe fails due to a temporary error condition.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
2821.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response when a recipient address is
rejected by the reject_unverified_recipient restriction.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
2821.

This feature is available in Postfix 2.1 and later.

The Postfix SMTP server's reply when rejecting mail with
reject_unverified_recipient. Do not include the numeric SMTP reply code
or the enhanced status code. By default, the response includes actual
address verification details.

Example:

unverified_recipient_reject_reason = Recipient address lookup failed

This feature is available in Postfix 2.6 and later.

The Postfix SMTP server's action when reject_unverified_recipient fails
due to a temporary error condition. Specify "defer" to defer the remote
SMTP client request immediately. With the default "defer_if_permit"
action, the Postfix SMTP server continues to look for opportunities to
reject mail, and defers the client request only if it would otherwise
be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a sender address
probe fails due to a temporary error condition.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
2821.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a recipient
address is rejected by the reject_unverified_sender restriction.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
2821.

This feature is available in Postfix 2.1 and later.

The Postfix SMTP server's reply when rejecting mail with
reject_unverified_sender. Do not include the numeric SMTP reply code or
the enhanced status code. By default, the response includes actual
address verification details.

Example:

unverified_sender_reject_reason = Sender address lookup failed

This feature is available in Postfix 2.6 and later.

The Postfix SMTP server's action when reject_unverified_sender fails
due to a temporary error condition. Specify "defer" to defer the remote
SMTP client request immediately. With the default "defer_if_permit"
action, the Postfix SMTP server continues to look for opportunities to
reject mail, and defers the client request only if it would otherwise
be accepted.

This feature is available in Postfix 2.6 and later.

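The unknown_*_reject_code, unverified_*_reject_code, unverified_*_tempfail_code and *_tempfail_action parameters described above share a small set of documented rules: the reply code is a numeric SMTP code, 250 ("accept anyway") is documented only for the four unverified_* codes, 450 is the safer initial choice for unknown_local_recipient_reject_code, and the tempfail actions are "defer" or "defer_if_permit". The following added example (not part of Postfix or of this manual page) reads a main.cf fragment and reports settings that deviate from those rules; the parameter names are the postconf(5) names whose descriptions appear above, and the main.cf text is constructed for the example.

```python
"""Check main.cf reject-code and tempfail-action settings against what
postconf(5) documents for them. Added example, not Postfix code."""
import re

# Parameters holding a numeric SMTP reply code. True marks the four
# unverified_* codes, for which postconf(5) documents that 250 may be
# used to accept the address anyway; elsewhere 250 is not a documented choice.
REJECT_CODE_PARAMS = {
    "unknown_address_reject_code": False,
    "unknown_client_reject_code": False,
    "unknown_helo_hostname_reject_code": False,
    "unknown_local_recipient_reject_code": False,
    "unknown_relay_recipient_reject_code": False,
    "unknown_virtual_alias_reject_code": False,
    "unknown_virtual_mailbox_reject_code": False,
    "unverified_recipient_reject_code": True,
    "unverified_recipient_tempfail_code": True,
    "unverified_sender_reject_code": True,
    "unverified_sender_tempfail_code": True,
}

# Parameters whose documented values are "defer" and "defer_if_permit".
TEMPFAIL_ACTION_PARAMS = {
    "unknown_address_tempfail_action",
    "unknown_helo_hostname_tempfail_action",
    "unverified_recipient_tempfail_action",
    "unverified_sender_tempfail_action",
}


def parse_main_cf(text):
    """Minimal main.cf reader: "name = value" lines, "#" comment lines, and
    continuation lines that start with whitespace. Later definitions win."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def audit(params):
    """Return (severity, parameter, message) findings for the parameters above."""
    findings = []
    for name, value in params.items():
        if name in REJECT_CODE_PARAMS:
            if not re.fullmatch(r"\d{3}", value):
                findings.append(("warn", name, "not a three-digit SMTP reply code"))
            elif value == "250" and REJECT_CODE_PARAMS[name]:
                findings.append(("info", name, "250 accepts the address anyway"))
            elif value[0] not in "45":
                findings.append(("warn", name, "reply code is neither 4xx nor 5xx"))
            if name == "unknown_local_recipient_reject_code" and value == "550":
                findings.append(("info", name,
                                 "550 rejects outright; 450 is safer until "
                                 "local_recipient_maps has been verified"))
        elif name in TEMPFAIL_ACTION_PARAMS and value not in ("defer", "defer_if_permit"):
            findings.append(("warn", name,
                             "not one of the documented actions (defer, defer_if_permit)"))
    return findings


# Constructed sample main.cf fragment, not a real site configuration.
SAMPLE_MAIN_CF = """\
# reject codes and tempfail actions (constructed sample)
unknown_local_recipient_reject_code = 550
unknown_helo_hostname_reject_code = 250
unverified_sender_reject_code = 250
unverified_sender_tempfail_action =
    defer_if_permit
unknown_address_tempfail_action = reject
unverified_recipient_reject_reason = Recipient address lookup failed
"""

if __name__ == "__main__":
    for severity, name, message in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"{severity}: {name}: {message}")
```

On the sample, the 250 on unknown_helo_hostname_reject_code is flagged as a warning because only the unverified_* codes document 250, while the same value on unverified_sender_reject_code is reported as informational. On a live system the same checks can be run over the output of "postconf -n", which prints exactly the main.cf settings that differ from the defaults.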
The characters Postfix accepts as VERP delimiter characters on the
Postfix sendmail(1) command line and in SMTP commands.

This feature is available in Postfix 1.1 and later.

Postfix is the final destination for the specified list of virtual
alias domains, that is, domains for which all addresses are aliased to
addresses in other local or remote domains. The SMTP server validates
recipient addresses with $virtual_alias_maps and rejects non-existent
recipients. See also the virtual alias domain class in the
ADDRESS_CLASS_README file.

This feature is available in Postfix 2.0 and later. The default value
is backwards compatible with Postfix version 1.1.

The default value is $virtual_alias_maps so that you can keep all
information about virtual alias domains in one place. If you have many
users, it is better to separate information that changes more
frequently (virtual address -> local or remote address mapping) from
information that changes less frequently (the list of virtual domain
names).

Specify a list of host or domain names, "/file/name" or "type:table"
patterns, separated by commas and/or whitespace. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a table entry matches a lookup string (the lookup result is
ignored). Continue long lines by starting the next line with
whitespace. Specify "!pattern" to exclude a host or domain name from the
list. The form "!/file/name" is supported only in Postfix version 2.4
and later.

See also the VIRTUAL_README and ADDRESS_CLASS_README documents for
further information.

Example:

virtual_alias_domains = virtual1.tld virtual2.tld

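The list syntax just described (names, "/file/name" inclusion, "type:table" matching on the key only, comma or whitespace separators, and "!pattern" exclusion) is easy to get wrong when an exclusion is meant to override an entry that arrives via a file. The following added example, which is not part of Postfix or of this manual page, evaluates such a list for a given domain. Files and lookup tables are in-memory dicts constructed for the example, plain names are matched exactly (Postfix's own subdomain handling is not modelled), and it assumes the first pattern that matches decides the result.

```python
"""Evaluate a Postfix-style domain list (virtual_alias_domains syntax).
Added example, not Postfix code."""
import re


def parse_domain_list(value, files):
    """Expand a list value into ordered (negated, pattern) pairs."""
    items = []
    for raw in re.split(r"[\s,]+", value.strip()):
        if not raw:
            continue
        negated = raw.startswith("!")
        pattern = raw[1:] if negated else raw
        if pattern.startswith("/"):
            # "/file/name" is replaced by its contents, which use the same
            # list syntax; "!/file/name" negates every entry from that file.
            for neg, pat in parse_domain_list(files.get(pattern, ""), files):
                items.append((negated != neg, pat))
        else:
            items.append((negated, pattern))
    return items


def domain_in_list(domain, value, files=None, tables=None):
    """True when `domain` is on the list, honouring "!pattern" exclusions.
    Assumes the first matching pattern decides."""
    files = files or {}
    tables = tables or {}
    domain = domain.lower()
    for negated, pattern in parse_domain_list(value, files):
        if ":" in pattern:
            # "type:table": matched when a table entry matches the lookup
            # string; the lookup result itself is ignored.
            matched = domain in tables.get(pattern, {})
        else:
            matched = domain == pattern.lower()
        if matched:
            return not negated
    return False


# Constructed sample data standing in for files and lookup tables.
FILES = {
    "/etc/postfix/virtual_domains": "virtual3.tld,\n  virtual4.tld\n",
    "/etc/postfix/excluded_domains": "virtual4.tld\n",
}
TABLES = {
    "hash:/etc/postfix/virtual_table": {"virtual5.tld": "value is ignored"},
}
VIRTUAL_ALIAS_DOMAINS = (
    "virtual1.tld virtual2.tld, !/etc/postfix/excluded_domains "
    "/etc/postfix/virtual_domains hash:/etc/postfix/virtual_table"
)

if __name__ == "__main__":
    for name in ("virtual1.tld", "virtual3.tld", "virtual4.tld",
                 "virtual5.tld", "example.com"):
        print(name, domain_in_list(name, VIRTUAL_ALIAS_DOMAINS, FILES, TABLES))
```

Note that the "!/etc/postfix/excluded_domains" entry has to come before the file that lists virtual4.tld for the exclusion to take effect; placed after it, the positive entry would match first.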
The maximal number of addresses that virtual alias expansion produces
from each original recipient.

This feature is available in Postfix 2.1 and later.

Optional lookup tables that alias specific mail addresses or domains to
other local or remote addresses. The table format and lookups are
documented in virtual(5). For an overview of Postfix address
manipulations see the ADDRESS_REWRITING_README document.

This feature is available in Postfix 2.0 and later. The default value
is backwards compatible with Postfix version 1.1.

If you use this feature with indexed files, run
"postmap /etc/postfix/virtual" after changing the file.

Examples:

virtual_alias_maps = dbm:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

The maximal nesting depth of virtual alias expansion. Currently the
recursion limit is applied only to the left branch of the expansion
graph, so the depth of the tree can in the worst case reach the sum of
the expansion and recursion limits. This may change in the future.

This feature is available in Postfix 2.1 and later.

virtual_destination_concurrency_limit ($default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination via
the virtual message delivery transport. This limit is enforced by the
queue manager. The message delivery transport name is the first field
in the entry in the master.cf file.

virtual_destination_recipient_limit ($default_destination_recipient_limit)
The maximal number of recipients per message for the virtual message
delivery transport. This limit is enforced by the queue manager. The
message delivery transport name is the first field in the entry in the
master.cf file.

Setting this parameter to a value of 1 changes the meaning of
virtual_destination_concurrency_limit from concurrency per domain into
concurrency per recipient.

Lookup tables with the per-recipient group ID for virtual(8) mailbox
delivery.

In a lookup table, specify a left-hand side of "@domain.tld" to match
any user in the specified domain that does not have a specific
"user@domain.tld" entry.

When a recipient address has an optional address extension
(user+foo@domain.tld), the virtual(8) delivery agent looks up the full
address first, and when the lookup fails, it looks up the unextended
address (user@domain.tld).

Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression lookup
tables, because that would open a security hole.

Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead it will
open the table directly. Before Postfix version 2.2, the virtual(8)
delivery agent will terminate with a fatal error.

A prefix that the virtual(8) delivery agent prepends to all pathname
results from $virtual_mailbox_maps table lookups. This is a safety
measure to ensure that an out-of-control map doesn't litter the file
system with mailboxes. While virtual_mailbox_base could be set to "/",
this setting isn't recommended.

Example:

virtual_mailbox_base = /var/mail

Postfix is the final destination for the specified list of domains;
mail is delivered via the $virtual_transport mail delivery transport.
By default this is the Postfix virtual(8) delivery agent. The SMTP
server validates recipient addresses with $virtual_mailbox_maps and
rejects mail for non-existent recipients. See also the virtual mailbox
domain class in the ADDRESS_CLASS_README file.

This parameter expects the same syntax as the mydestination
configuration parameter.

This feature is available in Postfix 2.0 and later. The default value
is backwards compatible with Postfix version 1.1.

The maximal size in bytes of an individual virtual(8) mailbox or
maildir file, or zero (no limit).

8997
8999 How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
9000 For a list of available file locking methods, use the "postconf -l"
9001 command.
9002
9003 This setting is ignored with maildir style delivery, because such
9004 deliveries are safe without application-level locks.
9005
9006 Note 1: the dotlock method requires that the recipient UID or GID has
9007 write access to the parent directory of the recipient's mailbox file.
9008
9009 Note 2: the default setting of this parameter is system dependent.
9010
9012 Optional lookup tables with all valid addresses in the domains that
9013 match $virtual_mailbox_domains.
9014
9015 In a lookup table, specify a left-hand side of "@domain.tld" to match
9016 any user in the specified domain that does not have a specific
9017 "user@domain.tld" entry.
9018
9019 The virtual(8) delivery agent uses this table to look up the per-recip‐
9020 ient mailbox or maildir pathname. If the lookup result ends in a slash
9021 ("/"), maildir-style delivery is carried out, otherwise the path is
9022 assumed to specify a UNIX-style mailbox file. Note that $virtual_mail‐
9023 box_base is unconditionally prepended to this path.
9024
9025 When a recipient address has an optional address extension
9026 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
9027 address first, and when the lookup fails, it looks up the unextended
9028 address (user@domain.tld).
9029
9030 Note 1: for security reasons, the virtual(8) delivery agent disallows
9031 regular expression substitution of $1 etc. in regular expression lookup
9032 tables, because that would open a security hole.
9033
9034 Note 2: for security reasons, the virtual(8) delivery agent will
9035 silently ignore requests to use the proxymap(8) server. Instead it will
9036 open the table directly. Before Postfix version 2.2, the virtual(8)
9037 delivery agent will terminate with a fatal error.
9038
9040 Optional lookup tables with a) names of domains for which all addresses
9041 are aliased to addresses in other local or remote domains, and b)
9042 addresses that are aliased to addresses in other local or remote
9043 domains. Available before Postfix version 2.0. With Postfix version
9044 2.0 and later, this is replaced by separate controls: vir‐
9045 tual_alias_domains and virtual_alias_maps.
9046
9048 The minimum user ID value that the virtual(8) delivery agent accepts as
9049 a result from $virtual_uid_maps table lookup. Returned values less
9050 than this will be rejected, and the message will be deferred.
9051
9053 The default mail delivery transport and next-hop destination for final
9054 delivery to domains listed with $virtual_mailbox_domains. This infor‐
9055 mation can be overruled with the transport(5) table.
9056
9057 Specify a string of the form transport:nexthop, where transport is the
9058 name of a mail delivery transport defined in master.cf. The :nexthop
9059 destination is optional; its syntax is documented in the manual page of
9060 the corresponding delivery agent.
9061
9062 This feature is available in Postfix 2.0 and later.
9063
9065 Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
9066 ery agent uses while writing to the recipient's mailbox.
9067
9068 In a lookup table, specify a left-hand side of "@domain.tld" to match
9069 any user in the specified domain that does not have a specific
9070 "user@domain.tld" entry.
9071
9072 When a recipient address has an optional address extension
9073 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
9074 address first, and when the lookup fails, it looks up the unextended
9075 address (user@domain.tld).
9076
9077 Note 1: for security reasons, the virtual(8) delivery agent disallows
9078 regular expression substitution of $1 etc. in regular expression lookup
9079 tables, because that would open a security hole.
9080
9081 Note 2: for security reasons, the virtual(8) delivery agent will
9082 silently ignore requests to use the proxymap(8) server. Instead it will
9083 open the table directly. Before Postfix version 2.2, the virtual(8)
9084 delivery agent will terminate with a fatal error.
9085
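The virtual_mailbox_maps, virtual_mailbox_base, virtual_minimum_uid, virtual_uid_maps and virtual_gid_maps descriptions above together define how virtual(8) turns a recipient address into a mailbox path and owner: the full address is tried first, then the unextended address, then the "@domain.tld" catch-all; $virtual_mailbox_base is prepended unconditionally; a trailing "/" selects maildir delivery; and a looked-up UID below virtual_minimum_uid causes the message to be deferred. The following added example, which is not Postfix's own code, walks through those steps for a few recipients. The tables are in-memory dicts constructed here, "+" is assumed as the address extension delimiter, and the mailbox_base and minimum_uid arguments stand in for the main.cf parameters.

```python
"""Simulate the per-recipient lookups of the virtual(8) delivery agent.
Added example, not Postfix code; tables and values are constructed."""


def lookup(table, address):
    """Return (matched_key, value) using virtual(8)'s documented lookup
    order: full address, unextended address, then "@domain"."""
    local, _, domain = address.rpartition("@")
    candidates = [address]
    if "+" in local:                      # "+" assumed as recipient delimiter
        candidates.append(local.split("+", 1)[0] + "@" + domain)
    candidates.append("@" + domain)       # users without an entry of their own
    for key in candidates:
        if key in table:
            return key, table[key]
    return None, None


def resolve_delivery(recipient, mailbox_maps, uid_maps, gid_maps,
                     mailbox_base="/var/mail", minimum_uid=100):
    """Decide how virtual(8) would deliver `recipient`, or why it would not."""
    _, path = lookup(mailbox_maps, recipient)
    if path is None:
        return {"status": "bounce", "reason": "unknown user"}
    _, uid = lookup(uid_maps, recipient)
    _, gid = lookup(gid_maps, recipient)
    if uid is None or gid is None:
        return {"status": "defer", "reason": "no uid or gid mapping"}
    uid, gid = int(uid), int(gid)
    if uid < minimum_uid:
        # Returned values below virtual_minimum_uid are rejected; deferred.
        return {"status": "defer",
                "reason": f"uid {uid} is below virtual_minimum_uid={minimum_uid}"}
    # $virtual_mailbox_base is unconditionally prepended to the lookup result;
    # a trailing "/" on that result selects maildir-style delivery.
    style = "maildir" if path.endswith("/") else "mailbox"
    return {"status": "deliver", "style": style,
            "path": mailbox_base + "/" + path, "uid": uid, "gid": gid}


# Constructed sample tables (a deployment would use "type:table" lookups).
MAILBOX_MAPS = {
    "alice@example.com": "example.com/alice/",   # maildir (trailing slash)
    "root@example.com": "example.com/root",      # UNIX mailbox file
    "@example.com": "example.com/catchall",      # any other user in the domain
}
UID_MAPS = {"alice@example.com": "5000", "root@example.com": "0",
            "@example.com": "5001"}
GID_MAPS = {"@example.com": "5000"}

if __name__ == "__main__":
    for rcpt in ("alice+news@example.com", "bob@example.com",
                 "root@example.com", "carol@other.org"):
        print(rcpt, resolve_delivery(rcpt, MAILBOX_MAPS, UID_MAPS, GID_MAPS))
```

The root@example.com case is the one virtual_minimum_uid exists for: the mailbox path is valid, but the UID a map returned is below the floor, so the message is deferred rather than written with that identity.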
postconf(1), Postfix configuration parameter maintenance
master(5), Postfix daemon configuration maintenance

The Secure Mailer license must be distributed with this software.

Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA



POSTCONF(5)