POSTCONF(5) File Formats Manual POSTCONF(5)

postconf - Postfix configuration parameters

postconf parameter ...

postconf -e "parameter=value" ...

The Postfix main.cf configuration file specifies parameters that control the operation of the Postfix mail system. Typically the file contains only a small subset of all parameters; parameters not specified are left at their default values.

The general format of the main.cf file is as follows:

· Each logical line has the form "parameter = value". Whitespace around the "=" is ignored, as is whitespace at the end of a logical line.

· Empty lines and whitespace-only lines are ignored, as are lines whose first non-whitespace character is a `#'.

· A logical line starts with non-whitespace text. A line that starts with whitespace continues a logical line.

· A parameter value may refer to other parameters.

  · The expressions "$name" and "${name}" are recursively replaced with the value of the named parameter. The parameter name must contain only characters from the set [a-zA-Z0-9_]. An undefined parameter value is replaced with the empty value.

  · The expressions "${name?value}" and "${name?{value}}" are replaced with "value" when "$name" is non-empty. The parameter name must contain only characters from the set [a-zA-Z0-9_]. These forms are supported with Postfix versions >= 2.2 and >= 3.0, respectively.

  · The expressions "${name:value}" and "${name:{value}}" are replaced with "value" when "$name" is empty. The parameter name must contain only characters from the set [a-zA-Z0-9_]. These forms are supported with Postfix versions >= 2.2 and >= 3.0, respectively.

  · The expression "${name?{value1}:{value2}}" is replaced with "value1" when "$name" is non-empty, and with "value2" when "$name" is empty. The "{}" is required for "value1", optional for "value2". The parameter name must contain only characters from the set [a-zA-Z0-9_]. This form is supported with Postfix versions >= 3.0.

  · The first item inside "${...}" may be a relational expression of the form: "{value3} == {value4}". Besides the "==" (equality) operator Postfix supports "!=" (inequality), "<", "<=", ">=", and ">". The comparison is numerical when both operands are all digits, otherwise the comparison is lexicographical. These forms are supported with Postfix versions >= 3.0.

  · Each "value" is subject to recursive named parameter and relational expression evaluation, except where noted.

  · Whitespace before or after each "{value}" is ignored.

  · Specify "$$" to produce a single "$" character.

  · The legacy form "$(...)" is equivalent to the preferred form "${...}".

· When the same parameter is defined multiple times, only the last instance is remembered.

· Otherwise, the order of main.cf parameter definitions does not matter.
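
A worked example, added here and not part of the postconf(5) text or of Postfix itself: a small Python reader that applies the rules above to a constructed main.cf, covering continuation lines, comment lines, last-definition-wins, "$name" and "${...}" expansion with the conditional and relational forms, "$$", and the legacy "$(...)" form. The sample file and the parameter names in it are made up for the example; "${name:value}" yields the empty value when $name is non-empty, as the rule above states.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")
REL_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*\{")


def parse_main_cf(text):
    """Parse main.cf text into {parameter: raw value}: comment and blank lines are
    skipped, a line starting with whitespace continues the previous logical line,
    and a parameter defined more than once keeps only its last definition."""
    params, logical = {}, []

    def flush():
        if not logical:
            return
        line = " ".join(part.strip() for part in logical)
        logical.clear()
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("missing '=' in logical line: " + line)
        params[name.strip()] = value.strip()

    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not logical:
                raise ValueError("continuation line without a logical line")
            logical.append(raw)
            continue
        flush()
        logical.append(raw)
    flush()
    return params


def _matching(s, start, opener, closer):
    """Index of the closer that matches the opener at s[start], honouring nesting."""
    depth = 0
    for k in range(start, len(s)):
        if s[k] == opener:
            depth += 1
        elif s[k] == closer:
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced " + opener + " in: " + s)


def _take_value(s):
    """Split off one value: a "{...}" group (whitespace around it ignored), or the
    whole remainder when the value is not braced."""
    s = s.lstrip()
    if s.startswith("{"):
        end = _matching(s, 0, "{", "}")
        return s[1:end], s[end + 1:].lstrip()
    return s, ""


def _compare(lhs, op, rhs):
    """Numerical when both operands are all digits, otherwise lexicographical."""
    if lhs.isdigit() and rhs.isdigit():
        lhs, rhs = int(lhs), int(rhs)
    return {"==": lhs == rhs, "!=": lhs != rhs, "<": lhs < rhs,
            "<=": lhs <= rhs, ">": lhs > rhs, ">=": lhs >= rhs}[op]


def _expand_braced(body, params, depth):
    """Evaluate the inside of ${...}: a plain name, a conditional, or a relational test."""
    body = body.strip()
    if body.startswith("{"):                                  # {value3} == {value4} ...
        end = _matching(body, 0, "{", "}")
        lhs = expand(body[1:end], params, depth + 1).strip()
        rest = body[end + 1:].lstrip()
        m = REL_RE.match(rest)
        if not m:
            raise ValueError("bad relational expression: " + body)
        end = _matching(rest, m.end() - 1, "{", "}")
        rhs = expand(rest[m.end():end], params, depth + 1).strip()
        cond = _compare(lhs, m.group(1), rhs)
        rest = rest[end + 1:].lstrip()
    else:                                                     # name ...
        m = NAME_RE.match(body)
        if not m:
            raise ValueError("bad parameter reference: " + body)
        value = expand(params.get(m.group(0), ""), params, depth + 1)
        rest = body[m.end():].lstrip()
        if not rest:                                          # plain ${name}
            return value
        cond = value != ""
    if rest.startswith("?"):                                  # ?value, ?{v1}, ?{v1}:{v2}
        chosen, rest = _take_value(rest[1:])
        if rest.startswith(":"):
            other, _ = _take_value(rest[1:])
            chosen = chosen if cond else other
        elif not cond:
            chosen = ""
    elif rest.startswith(":"):                                # :value, :{value}
        chosen = "" if cond else _take_value(rest[1:])[0]
    else:
        raise ValueError("unexpected text after parameter name: " + body)
    return expand(chosen, params, depth + 1)


def expand(value, params, depth=0):
    """Expand $name, ${...}, the legacy $(...) and $$ in a value, recursively."""
    if depth > 100:
        raise ValueError("parameter expansion nested too deeply")
    out, i = [], 0
    while i < len(value):
        if value[i] != "$":
            out.append(value[i])
            i += 1
        elif value.startswith("$$", i):                       # "$$" -> "$"
            out.append("$")
            i += 2
        elif i + 1 < len(value) and value[i + 1] in "{(":
            opener = value[i + 1]
            closer = "}" if opener == "{" else ")"
            end = _matching(value, i + 1, opener, closer)
            out.append(_expand_braced(value[i + 2:end], params, depth))
            i = end + 1
        else:
            m = NAME_RE.match(value, i + 1)
            if m:                                             # bare $name
                out.append(expand(params.get(m.group(0), ""), params, depth + 1))
                i = m.end()
            else:                                             # lone "$"
                out.append("$")
                i += 1
    return "".join(out)


def load_main_cf(text):
    """Parse and fully expand a main.cf, the way "postconf -x" would present it."""
    params = parse_main_cf(text)
    return {name: expand(value, params) for name, value in params.items()}


# Constructed sample file; hostnames and parameter names are invented.
SAMPLE_MAIN_CF = """\
# example main.cf (constructed)
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain,
    localhost
relayhost =
route_note = ${relayhost?{relay via $relayhost}:{direct delivery}}
limit = 250
load = ${{$limit} >= {100}?{high}:{low}}
price_tag = $$5 each
legacy = $(myhostname)
mydomain = example.org
"""
```

Because the second "mydomain" definition wins, every reference to $mydomain (including the one inside mydestination) expands to example.org; "load" compares 250 with 100 numerically and yields "high".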
81
The remainder of this document is a description of all Postfix configuration parameters. Default values are shown after the parameter name in parentheses, and can be looked up with the "postconf -d" command.

Note: this is not an invitation to make changes to Postfix configuration parameters. Unnecessary changes can impair the operation of the mail system.

The recipient of undeliverable mail that cannot be returned to the sender. This feature is enabled with the notify_classes parameter.

The numerical Postfix SMTP server response code for an access(5) map "defer" action, including "defer_if_permit" or "defer_if_reject". Prior to Postfix 2.6, the response is hard-coded as "450".

Do not change this unless you have a complete understanding of RFC 5321.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code for an access(5) map "reject" action.

Do not change this unless you have a complete understanding of RFC 5321.

The amount of time between verify(8) address verification database cleanup runs. This feature requires that the database supports the "delete" and "sequence" operators. Specify a zero interval to disable database cleanup.

After each database cleanup run, the verify(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as "partial" when the daemon terminates early after "postfix reload", "postfix stop", or no requests for $max_idle seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.7 and later.

Overrides the default_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the local_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Lookup table for persistent address verification status storage. The table is maintained by the verify(8) service, and is opened before the process releases privileges.

The lookup table is persistent by default (Postfix 2.7 and later). Specify an empty table name to keep the information in volatile memory which is lost after "postfix reload" or "postfix stop". This is the default with Postfix version 2.6 and earlier.

Specify a location in a file system that will not fill up. If the database becomes corrupted, the world comes to an end. To recover delete (NOT: truncate) the file and do "postfix reload".

Postfix daemon processes do not use root privileges when opening this file (Postfix 2.5 and later). The file must therefore be stored under a Postfix-owned directory such as the data_directory. As a migration aid, an attempt to open the file under a non-Postfix directory is redirected to the Postfix-owned data_directory, and a warning is logged.

Examples:

    address_verify_map = hash:/var/lib/postfix/verify
    address_verify_map = btree:/var/lib/postfix/verify

This feature is available in Postfix 2.1 and later.

Enable caching of failed address verification probe results. When this feature is enabled, the cache may pollute quickly with garbage. When this feature is disabled, Postfix will generate an address probe for every lookup.

This feature is available in Postfix 2.1 and later.

The time after which a failed probe expires from the address verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a failed address verification probe needs to be refreshed.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

A safety limit that prevents address verification requests from overwhelming the Postfix queue. By default, the number of pending requests is limited to 1/4 of the active queue maximum size (qmgr_message_active_limit). The queue manager enforces the limit by tempfailing requests that exceed the limit. This affects only unknown addresses and inactive addresses that have expired, because the verify(8) daemon automatically refreshes an active address before it expires.

This feature is available in Postfix 3.1 and later.

How many times to query the verify(8) service for the completion of an address verification request in progress.

By default, the Postfix SMTP server polls the verify(8) service up to three times under non-overload conditions, and only once when under overload. With Postfix version 2.5 and earlier, the SMTP server always polls the verify(8) service up to three times by default.

Specify 1 to implement a crude form of greylisting, that is, always defer the first delivery request for a new address.

Examples:

    # Postfix <= 2.6 default
    address_verify_poll_count = 3
    # Poor man's greylisting
    address_verify_poll_count = 1

This feature is available in Postfix 2.1 and later.

The delay between queries for the completion of an address verification request in progress.

The default polling delay is 3 seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a successful probe expires from the address verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a successful address verification probe needs to be refreshed. The address verification status is not updated when the probe fails (optimistic caching).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

Overrides the relay_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the relayhost parameter setting for address verification probes. This information can be overruled with the transport(5) table.

This feature is available in Postfix 2.1 and later.

The sender address to use in address verification probes; prior to Postfix 2.5 the default was "postmaster". To avoid problems with address probes that are sent in response to address probes, the Postfix SMTP server excludes the probe sender address from all SMTPD access blocks.

Specify an empty value (address_verify_sender =) or <> if you want to use the null sender address. Beware, some sites reject mail from <>, even though RFCs require that such addresses be accepted.

Examples:

    address_verify_sender = <>
    address_verify_sender = postmaster@my.domain

This feature is available in Postfix 2.1 and later.

address_verify_sender_dependent_default_transport_maps (default: $sender_dependent_default_transport_maps)
Overrides the sender_dependent_default_transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.7 and later.

address_verify_sender_dependent_relayhost_maps (default: $sender_dependent_relayhost_maps)
Overrides the sender_dependent_relayhost_maps parameter setting for address verification probes.

This feature is available in Postfix 2.3 and later.

The time between changes in the time-dependent portion of address verification probe sender addresses. The time-dependent portion is appended to the localpart of the address specified with the address_verify_sender parameter. This feature is ignored when the probe sender address is the null sender, i.e. the address_verify_sender value is empty or <>.

Historically, the probe sender address was fixed. This has caused such addresses to end up on spammer mailing lists, and has resulted in wasted network and processing resources.

To enable time-dependent probe sender addresses, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Specify a value of at least several hours, to avoid problems with senders that use greylisting. Avoid nice TTL values, to make the result less predictable. Time units are: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.9 and later.
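
Added example, not verify(8) code: a parser for the time-value syntax used throughout this page (integer plus optional s/m/h/d/w suffix, bare numbers taking the parameter's default unit), and one way to derive a probe sender whose localpart changes once per TTL window. The HMAC tagging scheme, the "+" delimiter and the secret are assumptions of this example, not a description of what Postfix does; the point it shows is that the tag is unpredictable to anyone without the secret, and that a reply (for instance a bounce) arriving after the window has rolled over is still recognised when the previous window is accepted too, which is why the text asks for a TTL of several hours.

```python
import hashlib
import hmac

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value, default_unit="s"):
    """Parse a Postfix time value such as "3600s", "2h", "5d", or a bare number
    in the parameter's default unit, into seconds."""
    value = value.strip()
    unit = default_unit
    if value and value[-1] in TIME_UNITS:
        unit, value = value[-1], value[:-1]
    if not value.isdigit():
        raise ValueError("bad time value: %r" % value)
    return int(value) * TIME_UNITS[unit]


def _tag(secret, window):
    # Illustrative: 8 hex chars of an HMAC over the window number (assumption).
    return hmac.new(secret, str(window).encode(), hashlib.sha256).hexdigest()[:8]


def probe_sender(base_sender, ttl_seconds, secret, now):
    """Probe sender address for the TTL window containing `now`.

    The localpart gets a tag that changes every ttl_seconds (example scheme,
    "+" delimiter assumed). The null sender ("" or "<>") and a zero TTL leave
    the address unchanged, matching the parameter description above."""
    if base_sender in ("", "<>") or ttl_seconds <= 0:
        return base_sender
    local, sep, domain = base_sender.partition("@")
    return "%s+%s%s%s" % (local, _tag(secret, now // ttl_seconds), sep, domain)


def is_our_probe_sender(address, base_sender, ttl_seconds, secret, now, grace_windows=1):
    """True when `address` is a probe sender we generated in the current window
    or up to grace_windows earlier, so that a reply delayed past a TTL boundary
    (greylisting, slow remote queue) is still attributed to our probe."""
    if base_sender in ("", "<>") or ttl_seconds <= 0:
        return address == base_sender
    current = now // ttl_seconds
    return any(address == probe_sender(base_sender, ttl_seconds, secret, w * ttl_seconds)
               for w in range(current - grace_windows, current + 1))


# Constructed values for the demonstration.
SECRET = b"constructed-example-secret"
BASE_SENDER = "double-bounce@example.com"
NOW = 1_700_000_000
```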
312
The name of the verify(8) address verification service. This service maintains the status of sender and/or recipient address verification probes, and generates probes on request by other Postfix processes.

Overrides the transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the virtual_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".

This is a separate configuration parameter because not all the tables specified with $alias_maps have to be local files.

Examples:

    alias_database = hash:/etc/aliases
    alias_database = hash:/etc/mail/aliases

The alias databases that are used for local(8) delivery. See aliases(5) for syntax details. Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. Note: these lookups are recursive.

The default list is system dependent. On systems with NIS, the default is to search the local alias database, then the NIS alias database.

If you change the alias database, run "postalias /etc/aliases" (or wherever your system stores the mail alias file), or simply run "newaliases" to build the necessary DBM or DB file.

The local(8) delivery agent disallows regular expression substitution of $1 etc. in alias_maps, because that would open a security hole.

The local(8) delivery agent will silently ignore requests to use the proxymap(8) server within alias_maps. Instead it will open the table directly. Before Postfix version 2.2, the local(8) delivery agent will terminate with a fatal error.

Examples:

    alias_maps = hash:/etc/aliases, nis:mail.aliases
    alias_maps = hash:/etc/aliases

Restrict local(8) mail delivery to external commands. The default is to disallow delivery to "|command" in :include: files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow commands in aliases(5), .forward files or in :include: files, respectively.

Example:

    allow_mail_to_commands = alias,forward,include

Restrict local(8) mail delivery to external files. The default is to disallow "/file/name" destinations in :include: files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow "/file/name" destinations in aliases(5), .forward files and in :include: files, respectively.

Example:

    allow_mail_to_files = alias,forward,include
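
Added example, not local(8) code, covering alias_maps, allow_mail_to_commands and allow_mail_to_files together: a name is expanded recursively through an ordered list of alias tables (first table with the key wins), "|command" and "/file/name" targets are honoured or refused depending on whether they came from an aliases(5) entry or from an :include: file, and a name that expands back into itself is reported instead of recursing forever. The tables, :include: file contents and names are constructed; the loop and depth handling is this example's own, not a description of how local(8) does it.

```python
import re

# The text above: "|command" and "/file/name" are honoured in aliases(5) and in
# .forward files, but not in :include: files, unless configured otherwise.
DEFAULT_ALLOW = frozenset({"alias", "forward"})


def split_targets(value):
    """Split an alias right-hand side on commas; a double-quoted item may
    itself contain commas, e.g. "|/usr/bin/cmd a,b"."""
    items = []
    for item in re.findall(r'"[^"]*"|[^,]+', value):
        item = item.strip().strip('"')
        if item:
            items.append(item)
    return items


def lookup(tables, key):
    """alias_maps semantics: search the tables in order, first hit wins."""
    for table in tables:
        if key in table:
            return table[key]
    return None


def expand_alias(name, tables, include_files, allow_commands=DEFAULT_ALLOW,
                 allow_files=DEFAULT_ALLOW, max_depth=100):
    """Recursively expand `name` and return (deliveries, rejected).

    deliveries: (kind, target) with kind in mailbox / remote / command / file.
    rejected:   command or file targets forbidden for their source ("alias" or
                "include"), plus ("loop", name) and ("depth", name) entries.
    include_files maps ":include:" paths to their (constructed) contents."""
    deliveries, rejected = [], []

    def walk(target, source, chain):
        if target.startswith("|"):
            dest = deliveries if source in allow_commands else rejected
            dest.append(("command", target[1:].strip()))
        elif target.startswith(":include:"):
            path = target[len(":include:"):]
            for item in split_targets(include_files.get(path, "")):
                walk(item, "include", chain)
        elif target.startswith("/"):
            dest = deliveries if source in allow_files else rejected
            dest.append(("file", target))
        elif "@" in target:
            deliveries.append(("remote", target))
        elif target in chain:                      # a -> b -> a
            rejected.append(("loop", target))
        elif len(chain) >= max_depth:
            rejected.append(("depth", target))
        else:
            value = lookup(tables, target)
            if value is None:                      # not an alias: a local mailbox
                deliveries.append(("mailbox", target))
            else:
                for item in split_targets(value):
                    walk(item, "alias", chain | {target})

    walk(name, "alias", frozenset())
    return deliveries, rejected


# Constructed tables standing in for "hash:/etc/aliases" and "nis:mail.aliases".
ALIASES = {
    "postmaster": "root",
    "root": "alice, bob@example.net",
    "admins": ":include:/etc/postfix/admins",
    "pager": '"|/usr/local/bin/page-oncall --team=mail"',
    "loop1": "loop2",
    "loop2": "loop1",
}
NIS_ALIASES = {"root": "never-seen-because-hash-matched-first", "ops": "admins"}
INCLUDE_FILES = {"/etc/postfix/admins": "alice, |/usr/local/bin/notify, /var/log/admins.mbox"}
TABLES = [ALIASES, NIS_ALIASES]
```

With the defaults, "ops" resolves to a mailbox for alice while the command and the file named in the :include: file are refused; adding "include" to allow_commands lets the command through.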
393
Allow a sender or recipient address to have `-' as the first character. By default, this is not allowed, to avoid accidents with software that passes email addresses via the command line. Such software would not be able to distinguish a malicious address from a bona fide command-line option. Although this can be prevented by inserting a "--" option terminator into the command line, this is difficult to enforce consistently and globally.

As of Postfix version 2.5, this feature is implemented by trivial-rewrite(8). With earlier versions this feature was implemented by qmgr(8) and was limited to recipient addresses only.

Enable the rewriting of the form "user%domain" to "user@domain". This is enabled by default.

Note: as of Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Example:

    allow_percent_hack = no

Forward mail with sender-specified routing (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains.

By default, this feature is turned off. This closes a nasty open relay loophole where a backup MX host can be tricked into forwarding junk mail to a primary MX host which then spams it out to the world.

This parameter also controls if non-local addresses with sender-specified routing can match Postfix access tables. By default, such addresses cannot match Postfix access tables, because the address is ambiguous.
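
Added example, not trivial-rewrite(8) or cleanup(8) code, for the three address properties the preceding parameters describe: a leading "-" that a command-line tool could mistake for an option (allow_min_user), the "user%domain" rewrite (allow_percent_hack), and sender-specified routing of the form user[@%!]remote[@%!]site (allow_untrusted_routing). It also builds a sendmail-style argv with the "--" terminator the text mentions. Applying the percent hack only to addresses without "@", and the exact argv, are assumptions of this example.

```python
def rewrite_percent_hack(address):
    """allow_percent_hack = yes: "user%domain" becomes "user@domain".
    Assumption of this example: only applied when there is no "@" at all,
    and it is the last "%" that turns into "@"."""
    if "@" not in address and "%" in address:
        local, _, domain = address.rpartition("%")
        return local + "@" + domain
    return address


def has_sender_routing(address):
    """True for sender-specified routing (user[@%!]remote[@%!]site): any "@",
    "%" or "!" that is left in front of the final "@", or an RFC 821 style
    source route that starts with "@"."""
    if address.startswith("@"):
        return True
    local, sep, _domain = address.rpartition("@")
    if not sep:
        local = address                       # no domain part at all
    return any(ch in local for ch in "@%!")


def check_address(address, allow_min_user=False, allow_percent_hack=True):
    """Return (possibly rewritten address, list of findings); no findings
    means the address is clean under the given settings."""
    findings = []
    if address.startswith("-") and not allow_min_user:
        findings.append("leading '-' could be parsed as a command-line option")
    if allow_percent_hack:
        address = rewrite_percent_hack(address)
    if has_sender_routing(address):
        findings.append("sender-specified routing")
    return address, findings


def sendmail_argv(recipients, sender=None):
    """argv for a sendmail-style submission with a "--" terminator, so that a
    recipient such as "-C/tmp/evil.cf" is never read as an option. Assumes the
    sendmail command honours the getopt "--" convention (assumption)."""
    argv = ["sendmail", "-i"]
    if sender is not None:
        argv += ["-f", sender]
    return argv + ["--"] + list(recipients)
```

Without the terminator, ["sendmail", "-i", "-C/tmp/evil.cf"] would hand a recipient-controlled configuration directory to the command; with it, the same string is just an (undeliverable) recipient.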
442
A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line (in the case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG environment parameter.

This list must be specified in the default Postfix main.cf file, and will be used by set-gid Postfix commands such as postqueue(1) and postdrop(1).

Specify absolute pathnames, separated by comma or space. Note: $name expansion is not supported.

Always add (Resent-) From:, To:, Date: or Message-ID: headers when not present. Postfix 2.6 and later add these headers only when clients match the local_header_rewrite_clients parameter setting. Earlier Postfix versions always add these headers; this may break DKIM signatures that cover non-existent headers. The undisclosed_recipients_header parameter setting determines whether a To: header will be added.

Optional address that receives a "blind carbon copy" of each message that is received by the Postfix mail system.

Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified when the BCC address is undeliverable, as long as all down-stream software implements RFC 3461.

Note: with Postfix 2.2 and earlier the sender will be notified when the BCC address is undeliverable.

Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated after Postfix forwards mail internally, or after Postfix generates mail itself.

The time unit over which client connection rates and other rates are calculated.

This feature is implemented by the anvil(8) service which is available in Postfix version 2.2 and later.

The default interval is relatively short. Because of the high frequency of updates, the anvil(8) server uses volatile memory only. Thus, information is lost whenever the process terminates.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

How frequently the anvil(8) connection and rate limiting server logs peak usage information.

This feature is available in Postfix 2.2 and later.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

With locally submitted mail, append the string "@$myorigin" to mail addresses without domain information. With remotely submitted mail, append the string "@$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default and must not be turned off. Postfix does not support domain-less addresses.

Note 2: as of Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default. If disabled, users will not be able to send mail to "user@partialdomainname" but will have to specify full domain names instead.

Note 2: as of Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

How long the postkick(1) command waits for a request to enter the Postfix daemon process input buffer before giving up.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

List of users who are authorized to flush the queue.

By default, all users are allowed to flush the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to view the queue.

By default, all users are allowed to view the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).

By default, all users are allowed to submit mail. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file. To deny mail submission access to all users specify an empty list.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Example:

    authorized_submit_users = !www, static:all

This feature is available in Postfix 2.2 and later.

What remote SMTP clients are allowed to specify the XVERP command. This command requests that mail be delivered one recipient at a time with a per recipient return address.

By default, only trusted clients are allowed to specify XVERP.

This parameter was introduced with Postfix version 1.1. Postfix version 2.1 renamed this parameter to smtpd_authorized_verp_clients and changed the default to none.

Specify a list of network/netmask patterns, separated by commas and/or whitespace. The mask specifies the number of bits in the network part of a host address. You can also specify hostnames or .domain names (the initial dot causes the domain to match any name below it), "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in the authorized_verp_clients value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.
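
Added example serving both the authorized_flush_users / authorized_mailq_users / authorized_submit_users descriptions and authorized_verp_clients; it is not Postfix's own matching code. It implements the list semantics stated above once (left to right, first match decides, "!pattern" excludes, "/file/name" is replaced by its contents, "type:table" matches on the lookup key only) and applies it to login names looked up from a real UID and to client addresses with network/netmask, "[ipv6]/len", hostname and .domain patterns. Tables and files are stand-in dicts; the password-file lookup can be swapped for a constructed one; and a real "type:table" client lookup would also try parent domains and network prefixes, which this example does not model.

```python
import ipaddress
import re

try:
    import pwd
except ImportError:          # non-Unix platform: only an injected lookup works
    pwd = None


def split_list(value):
    """Split a comma- and/or whitespace-separated Postfix list value."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def match_list(patterns, subject, item_matcher, keys, tables, files):
    """Postfix-style list matching: first matching pattern decides."""
    for pattern in patterns:
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if pattern.startswith("/"):                       # "/file/name": its contents
            hit = match_list(split_list(files.get(pattern, "")), subject,
                             item_matcher, keys, tables, files)
        elif pattern.startswith("static:"):               # static: tables match everything
            hit = True
        elif ":" in pattern and not pattern.startswith("["):   # "type:table": key present?
            hit = any(key in tables.get(pattern, ()) for key in keys)
        else:
            hit = item_matcher(pattern, subject)
        if hit:
            return not negate
    return False


# --- authorized_flush_users, authorized_mailq_users, authorized_submit_users

def login_name(uid):
    """Login name for a real UID, or "unknown" when it is not in the password file."""
    if pwd is None:
        return "unknown"
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return "unknown"


def user_authorized(uid, list_value, tables=None, files=None, mail_owner="postfix",
                    always_allow_privileged=True, getname=login_name):
    """Queue-control check: root and $mail_owner always pass, everyone else must
    match the list by login name. Pass always_allow_privileged=False for
    authorized_submit_users, whose description grants no such exemption."""
    name = getname(uid)
    if always_allow_privileged and (uid == 0 or name == mail_owner):
        return True
    return match_list(split_list(list_value), name, lambda pat, subj: pat == subj,
                      [name], tables or {}, files or {})


# --- authorized_verp_clients

def client_matches(pattern, client):
    """One network/netmask, [ipv6]/len, hostname or .domain pattern against (ip, hostname)."""
    ip, hostname = client
    addr = ipaddress.ip_address(ip)
    if pattern.startswith("["):                            # IPv6 must be written [addr] or [addr]/len
        close = pattern.index("]")
        net = pattern[1:close] + pattern[close + 1:]
        return addr in ipaddress.ip_network(net, strict=False)
    if pattern[0].isdigit():                               # IPv4 address or network/mask
        return addr in ipaddress.ip_network(pattern, strict=False)
    if hostname is None:
        return False
    if pattern.startswith("."):                            # .domain matches any name below it
        return hostname.endswith(pattern)
    return hostname == pattern


def client_authorized(client, list_value, tables=None, files=None):
    ip, hostname = client
    keys = [k for k in (ip, hostname) if k]                # what a type:table lookup would try here
    return match_list(split_list(list_value), client, client_matches, keys,
                      tables or {}, files or {})


# Constructed stand-ins for the password file, a hash: table and a /file/name.
PASSWD = {0: "root", 33: "www", 89: "postfix", 1000: "alice", 1001: "dave"}
FILES = {"/etc/postfix/flushers": "carol\n dave"}
TABLES = {"hash:/etc/postfix/verp_clients": {"203.0.113.9"}}
VERP_CLIENTS = ("127.0.0.0/8, [::1]/128, [2001:db8::]/32, .trusted.example.com, "
                "hash:/etc/postfix/verp_clients, !198.51.100.0/24")
```

With "authorized_submit_users = !www, static:all", the exclusion is reached first for www and everything else falls through to the static: catch-all; an empty authorized_submit_users denies everyone, including the mail owner, because that parameter has no privileged exemption.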
655
Produce additional bounce(8) logfile records that can be read by Postfix versions before 2.0. The current and more extensible "name = value" format is needed in order to implement more sophisticated functionality.

This feature is available in Postfix 2.1 and later.

The per-table I/O buffer size for programs that create Berkeley DB hash or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

The per-table I/O buffer size for programs that read Berkeley DB hash or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. This happens when the local MTA is the best SMTP mail exchanger for a destination not listed in $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains. By default, the Postfix SMTP client returns such mail as undeliverable.

Specify, for example, "best_mx_transport = local" to pass the mail from the Postfix SMTP client to the local(8) delivery agent. You can specify any message delivery "transport" or "transport:nexthop" that is defined in the master.cf file. See the transport(5) manual page for the syntax and meaning of "transport" or "transport:nexthop".

However, this feature is expensive because it ties up a Postfix SMTP client process while the local(8) delivery agent is doing its work. It is more efficient (for Postfix) to list all hosted domains in a table or database.

Whether or not to use the local biff service. This service sends "new mail" notifications to users who have requested new mail notification with the UNIX command "biff y".

For compatibility reasons this feature is on by default. On systems with lots of interactive users, the biff service can be a performance drain. Specify "biff = no" in main.cf to disable.

Optional lookup tables for content inspection as specified in the body_checks(5) manual page.

Note: with Postfix versions before 2.0, these rules inspect all content after the primary message headers.

How much text in a message body segment (or attachment, if you prefer to use that term) is subjected to body_checks inspection. The amount of text is limited to avoid scanning huge attachments.

This feature is available in Postfix 2.0 and later.

The recipient of postmaster notifications with the message headers of mail that Postfix did not deliver and of SMTP conversation transcripts of mail that Postfix did not receive. This feature is enabled with the notify_classes parameter.

Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached the bounce_queue_lifetime limit. By default, this limit is the same as for regular mail.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

Specify 0 when mail delivery should be tried only once.

This feature is available in Postfix 2.1 and later.

The name of the bounce(8) service. This service maintains a record of failed delivery attempts and generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

The maximal amount of original message text that is sent in a non-delivery notification. Specify a byte count. A message is returned as either message/rfc822 (the complete original) or as text/rfc822-headers (the headers only). With Postfix version 2.4 and earlier, a message is always returned as message/rfc822 and is truncated when it exceeds the size limit.

Notes:

· If you increase this limit, then you should increase the mime_nesting_limit value proportionally.

· Be careful when making changes. Excessively large values will result in the loss of non-delivery notifications, when a bounce message size exceeds a local or remote MTA's message size limit.

Pathname of a configuration file with bounce message templates. These override the built-in templates of delivery status notification (DSN) messages for undeliverable mail, for delayed mail, successful delivery, or delivery verification. The bounce(5) manual page describes how to edit and test template files.

Template message body text may contain $name references to Postfix configuration parameters. The result of $name expansion can be previewed with "postconf -b file_name" before the file is placed into the Postfix configuration directory.

This feature is available in Postfix 2.3 and later.

Enable interoperability with remote SMTP clients that implement an obsolete version of the AUTH command (RFC 4954). Examples of such clients are Microsoft Outlook Express version 4 and Microsoft Exchange version 5.0.

Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support in a non-standard way.

canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)
What addresses are subject to canonical_maps address mapping. By default, canonical_maps address mapping is applied to envelope sender and recipient addresses, and to header sender and header recipient addresses.

Specify one or more of: envelope_sender, envelope_recipient, header_sender, header_recipient

This feature is available in Postfix 2.2 and later.

Optional address mapping lookup tables for message headers and envelopes. The mapping is applied to both sender and recipient addresses, in both envelopes and in headers, as controlled with the canonical_classes parameter. This is typically used to clean up dirty addresses from legacy mail systems, or to replace login names by Firstname.Lastname. The table format and lookups are documented in canonical(5). For an overview of Postfix address manipulations see the ADDRESS_REWRITING_README document.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. Note: these lookups are recursive.

If you use this feature, run "postmap /etc/postfix/canonical" to build the necessary DBM or DB file after every change. The changes will become visible after a minute or so. Use "postfix reload" to eliminate the delay.

Note: as of Postfix version 2.2, message header address mapping happens only when message header address rewriting is enabled:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Examples:

    canonical_maps = dbm:/etc/postfix/canonical
    canonical_maps = hash:/etc/postfix/canonical

The name of the cleanup(8) service. This service rewrites addresses into the standard form, and performs canonical(5) address mapping and virtual(5) aliasing.

This feature is available in Postfix 2.0 and later.

The location of all postfix administrative commands.

The local(8) delivery agent working directory for delivery to external command. Failure to change directory causes the delivery to be
847 deferred.
848
849 The following $name expansions are done on command_execution_directory
850 before the directory is changed. Expansion happens in the context of
851 the delivery request. The result of $name expansion is filtered with
852 the character set that is specified with the execution_directory_expan‐
853 sion_filter parameter.
854
855 $user The recipient's username.
856
857 $shell The recipient's login shell pathname.
858
859 $home The recipient's home directory.
860
861 $recipient
862 The full recipient address.
863
864 $extension
865 The optional recipient address extension.
866
867 $domain
868 The recipient domain.
869
870 $local The entire recipient localpart.
871
872 $recipient_delimiter
873 The address extension delimiter that was found in the recipient
874 address (Postfix 2.11 and later), or the system-wide recipient
875 address extension delimiter (Postfix 2.10 and earlier).
876
877 ${name?value}
878 Expands to value when $name is non-empty.
879
880 ${name:value}
881 Expands to value when $name is empty.
882
883 Instead of $name you can also specify ${name} or $(name).
884
885 This feature is available in Postfix 2.2 and later.
886
888 Restrict the characters that the local(8) delivery agent allows in
889 $name expansions of $mailbox_command and $command_execution_directory.
890 Characters outside the allowed set are replaced by underscores.
891
893 Time limit for delivery to external commands. This limit is used by the
894 local(8) delivery agent, and is the default time limit for delivery by
895 the pipe(8) delivery agent.
896
897 Note: if you set this time limit to a large value you must update the
898 global ipc_timeout parameter as well.
899
901 A safety net that causes Postfix to run with backwards-compatible
902 default settings after an upgrade to a newer Postfix version.
903
904 With backwards compatibility turned on (the main.cf compatibility_level
905 value is less than the Postfix built-in value), Postfix looks for set‐
906 tings that are left at their implicit default value, and logs a message
907 when a backwards-compatible default setting is required.
908
909 using backwards-compatible default setting name=value
910 to [accept a specific client request]
911
912 using backwards-compatible default setting name=value
913 to [enable specific Postfix behavior]
914
915 See COMPATIBILITY_README for specific message details. If such a mes‐
916 sage is logged in the context of a legitimate request, the system
917 administrator should make the backwards-compatible setting permanent in
918 main.cf or master.cf, for example:
919
920 # postconf name=value
921 # postfix reload
922
923 When no more backwards-compatible settings need to be made permanent,
924 the administrator should turn off backwards compatibility by updating
925 the compatibility_level setting in main.cf:
926
927 # postconf compatibility_level=N
928 # postfix reload
929
930 For N specify the number that is logged in your postfix(1) warning mes‐
931 sage:
932
933 warning: To disable backwards compatibility use "postconf
934 compatibility_level=N" and "postfix reload"
935
936 This feature is available in Postfix 3.0 and later.
937
939 The default location of the Postfix main.cf and master.cf configuration
940 files. This can be overruled via the following mechanisms:
941
942 · The MAIL_CONFIG environment variable (daemon processes and com‐
943 mands).
944
945 · The "-c" command-line option (commands only).
946
947 With Postfix command that run with set-gid privileges, a config_direc‐
948 tory override requires either root privileges, or it requires that the
949 directory is listed with the alternate_config_directories parameter in
950 the default main.cf file.
951
953 After sending a "your message is delayed" notification, inform the
954 sender when the delay clears up. This can result in a sudden burst of
955 notifications at the end of a prolonged network outage, and is there‐
956 fore disabled by default.
957
958 See also: delay_warning_time.
959
960 This feature is available in Postfix 3.0 and later.
961
963 Time limit for connection cache connect, send or receive operations.
964 The time limit is enforced in the client.
965
966 This feature is available in Postfix 2.3 and later.
967
969 The name of the scache(8) connection cache service. This service main‐
970 tains a limited pool of cached sessions.
971
972 This feature is available in Postfix 2.2 and later.
973
975 How frequently the scache(8) server logs usage statistics with connec‐
976 tion cache hit and miss rates for logical destinations and for physical
977 endpoints.
978
980 The maximal time-to-live value that the scache(8) connection cache
981 server allows. Requests that specify a larger TTL will be stored with
982 the maximum allowed TTL. The purpose of this additional control is to
983 protect the infrastructure against careless people. The cache TTL is
984 already bounded by $max_idle.
985
987 After the message is queued, send the entire message to the specified
988 transport:destination. The transport name specifies the first field of
989 a mail delivery agent definition in master.cf; the syntax of the
990 next-hop destination is described in the manual page of the correspond‐
991 ing delivery agent. More information about external content filters is
992 in the Postfix FILTER_README file.
993
994 Notes:
995
996 · This setting has lower precedence than a FILTER action that is
997 specified in an access(5), header_checks(5) or body_checks(5)
998 table.
999
1000 · The meaning of an empty next-hop filter destination is version
1001 dependent. Postfix 2.7 and later will use the recipient domain;
1002 earlier versions will use $myhostname. Specify "default_fil‐
1003 ter_nexthop = $myhostname" for compatibility with Postfix 2.6 or
1004 earlier, or specify a content_filter value with an explicit
1005 next-hop destination.
1006
1008 Search path for Cyrus SASL application configuration files, currently
1009 used only to locate the $smtpd_sasl_path.conf file. Specify zero or
1010 more directories separated by a colon character, or an empty value to
1011 use Cyrus SASL's built-in search path.
1012
1013 This feature is available in Postfix 2.5 and later when compiled with
1014 Cyrus SASL 2.1.22 or later.
1015
1017 The directory with Postfix support programs and daemon programs. These
1018 should not be invoked directly by humans. The directory must be owned
1019 by root.
1020
1022 How a Postfix daemon process handles errors while opening lookup
1023 tables: gradual degradation or immediate termination.
1024
1025 no (default)
1026 Gradual degradation: a daemon process logs a message of type
1027 "error" and continues execution with reduced functionality. Fea‐
1028 tures that do not depend on the unavailable table will work nor‐
1029 mally, while features that depend on the table will result in a
1030 type "warning" message.
1031 When the notify_classes parameter value contains the "data"
1032 class, the Postfix SMTP server and client will report tran‐
1033 scripts of sessions with an error because a table is unavail‐
1034 able.
1035
1036 yes (historical behavior)
1037 Immediate termination: a daemon process logs a type "fatal" mes‐
1038 sage and terminates immediately. This option reduces the number
1039 of possible code paths through Postfix, and may therefore be
1040 slightly more secure than the default.
1041
1042 For the sake of sanity, the number of type "error" messages is limited
1043 to 13 over the lifetime of a daemon process.
1044
1045 This feature is available in Postfix 2.9 and later.
1046
1048 How much time a Postfix daemon process may take to handle a request
1049 before it is terminated by a built-in watchdog timer.
1050
1051 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1052 The default time unit is s (seconds).
1053
1055 The directory with Postfix-writable data files (for example: caches,
1056 pseudo-random numbers). This directory must be owned by the mail_owner
1057 account, and must not be shared with non-Postfix software.
1058
1059 This feature is available in Postfix 2.5 and later.
1060
1062 The increment in verbose logging level when a remote client or server
1063 matches a pattern in the debug_peer_list parameter.
1064
1066 Optional list of remote client or server hostname or network address
1067 patterns that cause the verbose logging level to increase by the amount
1068 specified in $debug_peer_level.
1069
1070 Specify domain names, network/netmask patterns, "/file/name" patterns
1071 or "type:table" lookup tables. The right-hand side result from
1072 "type:table" lookups is ignored.
1073
1074 Pattern matching of domain names is controlled by the presence or
1075 absence of "debug_peer_list" in the parent_domain_matches_subdomains
1076 parameter value.
1077
1078 Examples:
1079
1080 debug_peer_list = 127.0.0.1
1081 debug_peer_list = example.com
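
    The pattern forms listed above, as an added example that is not Postfix
    code and not part of this manual page: a Python model of how a remote
    peer is matched against debug_peer_list and how debug_peer_level is
    applied on a match. The model assumes that IPv6 network patterns are
    written inside [] as in other Postfix address lists, that ".example.com"
    matches only subdomains while "example.com" matches itself (and its
    subdomains only when debug_peer_list is named in
    parent_domain_matches_subdomains), and that "/file/name" and
    "type:table" entries are consulted elsewhere, so it skips them. The
    pattern list and the peer data are constructed.

```python
# Added example (not Postfix code): a model of debug_peer_list matching and
# of the debug_peer_level increment. The pattern list and the peer data are
# constructed; the matching rules are the model's reading of the text above.
import ipaddress
import re

_TABLE_PREFIX = re.compile(r"^[a-z0-9_]+:")   # "type:table" entries

# Constructed debug_peer_list value, one entry per list element.
PATTERNS = ["127.0.0.1", "192.0.2.0/24", "[2001:db8::]/32",
            "example.com", ".example.org", "hash:/etc/postfix/debug_peers"]


def peer_matches(patterns, client_name, client_addr, parent_matches_subdomains=False):
    """Return the first debug_peer_list pattern matching the peer, or None.

    patterns: entries as they would appear in debug_peer_list.
    client_name: reverse hostname of the peer, or "unknown".
    client_addr: the peer's IP address as text.
    parent_matches_subdomains: True when "debug_peer_list" is listed in
        parent_domain_matches_subdomains; then "example.com" also matches
        its subdomains, otherwise only ".example.com" does (model assumption).
    """
    addr = ipaddress.ip_address(client_addr)
    name = client_name.lower().rstrip(".")
    for pattern in patterns:
        p = pattern.strip().lower()
        if not p:
            continue
        # network/netmask or bare address; IPv6 is written as [addr]/len
        net_text = p[1:].replace("]", "", 1) if p.startswith("[") else p
        try:
            if addr in ipaddress.ip_network(net_text, strict=False):
                return pattern
            continue
        except ValueError:
            pass  # not an address pattern
        # "/file/name" and "type:table" entries are looked up by Postfix in
        # the named file or table; this model does not implement them.
        if p.startswith("/") or _TABLE_PREFIX.match(p):
            continue
        if p.startswith("."):                      # subdomains only
            if name.endswith(p):
                return pattern
            continue
        if name == p or (parent_matches_subdomains and name.endswith("." + p)):
            return pattern
    return None


def verbose_level(base_level, debug_peer_level, patterns, client_name,
                  client_addr, parent_matches_subdomains=False):
    """Logging level for one session: the base level, raised by
    debug_peer_level when the peer matches debug_peer_list."""
    if peer_matches(patterns, client_name, client_addr, parent_matches_subdomains):
        return base_level + debug_peer_level
    return base_level


if __name__ == "__main__":
    for host, ip in [("unknown", "127.0.0.1"), ("mx.example.com", "198.51.100.9")]:
        print(host, ip, "->", peer_matches(PATTERNS, host, ip),
              "level", verbose_level(0, 2, PATTERNS, host, ip))
```

    Because the match raises logging for every session from that peer, keep
    such entries narrow and remove them when the investigation ends;
    verbose logs can carry message content.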

debugger_command
    The external command to execute when a Postfix daemon program is
    invoked with the -D option.

    Use "command .. & sleep 5" so that the debugger can attach before the
    process marches on. If you use an X-based debugger, be sure to set up
    your XAUTHORITY environment variable before starting Postfix.

    Note: the command is subject to $name expansion, before it is passed to
    the default command interpreter. Specify "$$" to produce a single "$"
    character.

    Example:

        debugger_command =
            PATH=/usr/bin:/usr/X11R6/bin
            ddd $daemon_directory/$process_name $process_id & sleep 5

default_database_type
    The default database type for use in newaliases(1), postalias(1) and
    postmap(1) commands. On many UNIX systems the default type is either
    dbm or hash. The default setting is frozen when the Postfix system is
    built.

    Examples:

        default_database_type = hash
        default_database_type = dbm

default_delivery_slot_cost
    How often the Postfix queue manager's scheduler is allowed to preempt
    delivery of one message with another.

    Each transport maintains a so-called "available delivery slot counter"
    for each message. One message can be preempted by another one when the
    other message can be delivered using no more delivery slots (i.e.,
    invocations of delivery agents) than the current message counter has
    accumulated (or will eventually accumulate; see about slot loans
    below). This parameter controls how often the counter is incremented:
    it happens after each default_delivery_slot_cost recipients have been
    delivered.

    The cost of 0 is used to disable the preempting scheduling completely.
    The minimum value the scheduling algorithm can use is 2; use it if you
    want to maximize the message throughput rate. Although there is no
    maximum, it doesn't make much sense to use values above, say, 50.

    The only reason why the value of 2 is not the default is the way this
    parameter affects the delivery of mailing-list mail. In the worst case,
    their delivery can take somewhere between (cost+1)/cost and
    cost/(cost-1) times more than if the preemptive scheduler was disabled.
    The default value of 5 turns out to provide reasonable message response
    times while making sure the mailing-list deliveries are not extended by
    more than 20-25 percent even in the worst case.

    Use transport_delivery_slot_cost to specify a transport-specific
    override, where transport is the master.cf name of the message delivery
    transport.

    Examples:

        default_delivery_slot_cost = 0
        default_delivery_slot_cost = 2

default_delivery_slot_discount
    The default value for transport-specific _delivery_slot_discount
    settings.

    This parameter speeds up the moment when a message preemption can
    happen. Instead of waiting until the full amount of delivery slots
    required is available, the preemption can happen when
    transport_delivery_slot_discount percent of the required amount plus
    transport_delivery_slot_loan still remains to be accumulated. Note that
    the full amount will still have to be accumulated before another
    preemption can take place later.

    Use transport_delivery_slot_discount to specify a transport-specific
    override, where transport is the master.cf name of the message delivery
    transport.

default_delivery_slot_loan
    The default value for transport-specific _delivery_slot_loan settings.

    This parameter speeds up the moment when a message preemption can
    happen. Instead of waiting until the full amount of delivery slots
    required is available, the preemption can happen when
    transport_delivery_slot_discount percent of the required amount plus
    transport_delivery_slot_loan still remains to be accumulated. Note that
    the full amount will still have to be accumulated before another
    preemption can take place later.

    Use transport_delivery_slot_loan to specify a transport-specific
    override, where transport is the master.cf name of the message delivery
    transport.

default_delivery_status_filter
    Optional filter to replace the delivery status code or explanatory text
    of successful or unsuccessful deliveries. This does not allow the
    replacement of a successful status code (2.X.X) with an unsuccessful
    status code (4.X.X or 5.X.X) or vice versa.

    Note: the (smtp|lmtp)_delivery_status_filter is applied only once per
    recipient: when delivery is successful, when delivery is rejected with
    5XX, or when there are no more alternate MX or A destinations. Use
    smtp_reply_filter or lmtp_reply_filter to inspect responses for all
    delivery attempts.

    The following parameters can be used to implement a filter for specific
    delivery agents: lmtp_delivery_status_filter,
    local_delivery_status_filter, pipe_delivery_status_filter,
    smtp_delivery_status_filter or virtual_delivery_status_filter. These
    parameters support the same filter syntax as described here.

    Specify zero or more "type:table" lookup table names, separated by
    comma or whitespace. For each successful or unsuccessful delivery to a
    recipient, the tables are queried in the specified order with one line
    of text that is structured as follows:

        enhanced-status-code SPACE explanatory-text

    The first table match wins. The lookup result must have the same
    structure as the query, a successful status code (2.X.X) must be
    replaced with a successful status code, an unsuccessful status code
    (4.X.X or 5.X.X) must be replaced with an unsuccessful status code, and
    the explanatory text field must be non-empty. Other results will result
    in a warning.

    Example 1: convert specific soft TLS errors into hard errors, by
    overriding the first number in the enhanced status code.

        /etc/postfix/main.cf:
            smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter

        /etc/postfix/smtp_dsn_filter:
            /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/ 5$1
            /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/ 5$1
            # Do not change the following into hard bounces. They may
            # result from a local configuration problem.
            # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
            # 4.\d+.\d+ TLS is required, but unavailable
            # 4.\d+.\d+ Cannot start TLS: handshake failure

    Example 2: censor the per-recipient delivery status text so that it
    does not reveal the destination command or filename when a remote
    sender requests confirmation of successful delivery.

        /etc/postfix/main.cf:
            local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter

        /etc/postfix/local_dsn_filter:
            /^(2\S+ delivered to file).+/ $1
            /^(2\S+ delivered to command).+/ $1

    Notes:

    · This feature will NOT override the soft_bounce safety net.

    · This feature will change the enhanced status code and text that
      is logged to the maillog file, and that is reported to the
      sender in delivery confirmation or non-delivery notifications.

    This feature is available in Postfix 3.0 and later.
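
    The lookup and the result checks described above, as an added example
    in Python that is not Postfix code and not part of this manual page:
    the two pcre tables from Examples 1 and 2 are transcribed as Python
    regular expressions (the table's "$1" becomes "\1"), applied with
    first-match-wins semantics, and the result is accepted only when it has
    the "code SPACE text" structure, keeps the success/failure class, and
    has non-empty text; otherwise the original status is kept and a warning
    is returned, which is where Postfix would log one. The status lines it
    runs on are constructed, and FLIPPING_FILTER is a deliberately wrong
    table added only to show the class check.

```python
# Added example (not Postfix code): a model of the delivery status filter
# lookup and of the checks the section describes. The pcre-style tables
# are transcribed from Examples 1 and 2 above; the status lines are
# constructed sample input.
import re

# Each entry: (anchored regular expression, result with $1 written as \1).
SMTP_DSN_FILTER = [
    (r"^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)", r"5\1"),
    (r"^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)", r"5\1"),
]
LOCAL_DSN_FILTER = [
    (r"^(2\S+ delivered to file).+", r"\1"),
    (r"^(2\S+ delivered to command).+", r"\1"),
]
# Deliberately wrong table (constructed): turns a success into a hard failure.
FLIPPING_FILTER = [(r"^2(\.\d+\.\d+ .*)", r"5\1")]

# enhanced-status-code SPACE explanatory-text
STATUS_LINE = re.compile(r"^([245]\.\d+\.\d+) (.*)$", re.DOTALL)


def is_success(code):
    return code.startswith("2.")


def filter_status(table, code, text):
    """Apply a delivery status filter to one per-recipient result.

    Returns (code, text, warning). With no matching entry the original
    pair comes back with warning None. When the first matching entry
    yields an ill-formed result, empty text, or a result that flips
    success to failure or vice versa, the original pair is kept and a
    warning string is returned (Postfix logs a warning in that case).
    """
    query = f"{code} {text}"
    for pattern, result in table:
        m = re.match(pattern, query)
        if m is None:
            continue
        new = m.expand(result)            # the table's RHS with $1 filled in
        parsed = STATUS_LINE.match(new)
        if parsed is None or not parsed.group(2).strip():
            return code, text, f"ignoring malformed filter result {new!r}"
        new_code, new_text = parsed.group(1), parsed.group(2)
        if is_success(new_code) != is_success(code):
            return code, text, (f"ignoring filter result {new_code} for status "
                                f"{code}: success/failure class must not change")
        return new_code, new_text, None   # first match wins
    return code, text, None


if __name__ == "__main__":
    # Constructed per-recipient results in the shape Postfix would query with.
    print(filter_status(SMTP_DSN_FILTER, "4.7.4",
          "TLS is required, but host mx.example.com[192.0.2.1] refused to start TLS: 454 4.7.0 TLS not available"))
    print(filter_status(LOCAL_DSN_FILTER, "2.0.0", "delivered to file: /home/alice/Maildir/"))
    print(filter_status(FLIPPING_FILTER, "2.0.0", "delivered to mailbox"))
```

    The second example is the privacy-relevant one: without the filter, a
    sender asking for a success DSN learns the local path or command the
    mail was handed to; with it, only "delivered to file" leaves the system.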

default_destination_concurrency_failed_cohort_limit
    How many pseudo-cohorts must suffer connection or handshake failure
    before a specific destination is considered unavailable (and further
    delivery is suspended). Specify zero to disable this feature. A
    destination's pseudo-cohort failure count is reset each time a delivery
    completes without connection or handshake failure for that specific
    destination.

    A pseudo-cohort is the number of deliveries equal to a destination's
    delivery concurrency.

    Use transport_destination_concurrency_failed_cohort_limit to specify a
    transport-specific override, where transport is the master.cf name of
    the message delivery transport.

    This feature is available in Postfix 2.5 and later. The default setting
    is compatible with earlier Postfix versions.

default_destination_concurrency_limit
    The default maximal number of parallel deliveries to the same
    destination. This is the default limit for delivery via the lmtp(8),
    pipe(8), smtp(8) and virtual(8) delivery agents. With per-destination
    recipient limit > 1, a destination is a domain, otherwise it is a
    recipient.

    Use transport_destination_concurrency_limit to specify a
    transport-specific override, where transport is the master.cf name of
    the message delivery transport.

default_destination_concurrency_negative_feedback
    The per-destination amount of delivery concurrency negative feedback,
    after a delivery completes with a connection or handshake failure.
    Feedback values are in the range 0..1 inclusive. With negative
    feedback, concurrency is decremented at the beginning of a sequence of
    length 1/feedback. This is unlike positive feedback, where concurrency
    is incremented at the end of a sequence of length 1/feedback.

    As of Postfix version 2.5, negative feedback cannot reduce delivery
    concurrency to zero. Instead, a destination is marked dead (further
    delivery suspended) after the failed pseudo-cohort count reaches
    $default_destination_concurrency_failed_cohort_limit (or
    $transport_destination_concurrency_failed_cohort_limit). To make the
    scheduler completely immune to connection or handshake failures,
    specify a zero feedback value and a zero failed pseudo-cohort limit.

    Specify one of the following forms:

    number

    number / number
           Constant feedback. The value must be in the range 0..1
           inclusive. The default setting of "1" is compatible with
           Postfix versions before 2.5, where a destination's delivery
           concurrency is throttled down to zero (and further delivery
           suspended) after a single failed pseudo-cohort.

    number / concurrency
           Variable feedback of "number / (delivery concurrency)". The
           number must be in the range 0..1 inclusive. With number equal
           to "1", a destination's delivery concurrency is decremented by
           1 after each failed pseudo-cohort.

    A pseudo-cohort is the number of deliveries equal to a destination's
    delivery concurrency.

    Use transport_destination_concurrency_negative_feedback to specify a
    transport-specific override, where transport is the master.cf name of
    the message delivery transport.

    This feature is available in Postfix 2.5 and later. The default setting
    is compatible with earlier Postfix versions.

default_destination_concurrency_positive_feedback
    The per-destination amount of delivery concurrency positive feedback,
    after a delivery completes without connection or handshake failure.
    Feedback values are in the range 0..1 inclusive. The concurrency
    increases until it reaches the per-destination maximal concurrency
    limit. With positive feedback, concurrency is incremented at the end of
    a sequence with length 1/feedback. This is unlike negative feedback,
    where concurrency is decremented at the start of a sequence of length
    1/feedback.

    Specify one of the following forms:

    number

    number / number
           Constant feedback. The value must be in the range 0..1
           inclusive. The default setting of "1" is compatible with
           Postfix versions before 2.5, where a destination's delivery
           concurrency doubles after each successful pseudo-cohort.

    number / concurrency
           Variable feedback of "number / (delivery concurrency)". The
           number must be in the range 0..1 inclusive. With number equal
           to "1", a destination's delivery concurrency is incremented by
           1 after each successful pseudo-cohort.

    A pseudo-cohort is the number of deliveries equal to a destination's
    delivery concurrency.

    Use transport_destination_concurrency_positive_feedback to specify a
    transport-specific override, where transport is the master.cf name of
    the message delivery transport.

    This feature is available in Postfix 2.5 and later.

default_destination_rate_delay
    The default amount of delay that is inserted between individual
    deliveries to the same destination; the resulting behavior depends on
    the value of the corresponding per-destination recipient limit.

    · With a corresponding per-destination recipient limit > 1, the
      rate delay specifies the time between deliveries to the same
      domain. Different domains are delivered in parallel, subject to
      the process limits specified in master.cf.

    · With a corresponding per-destination recipient limit equal to 1,
      the rate delay specifies the time between deliveries to the same
      recipient. Different recipients are delivered in parallel,
      subject to the process limits specified in master.cf.

    To enable the delay, specify a non-zero time value (an integral value
    plus an optional one-letter suffix that specifies the time unit).

    Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
    The default time unit is s (seconds).

    NOTE: the delay is enforced by the queue manager. The delay timer state
    does not survive "postfix reload" or "postfix stop".

    Use transport_destination_rate_delay to specify a transport-specific
    override, where transport is the master.cf name of the message delivery
    transport.

    NOTE: with a non-zero _destination_rate_delay, specify a
    transport_destination_concurrency_failed_cohort_limit of 10 or more to
    prevent Postfix from deferring all mail for the same destination after
    only one connection or handshake error.

    This feature is available in Postfix 2.5 and later.
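
    A model of the per-destination concurrency rules stated in the three
    feedback sections above and of the NOTE directly above about the rate
    delay, as an added example that is not the queue manager's code and not
    part of this manual page. It keeps the bookkeeping in exact fractions
    so that "a sequence of length 1/feedback" and "1/concurrency of a
    pseudo-cohort" are computed without rounding. Two simplifications are
    this model's own assumptions: every destination starts at concurrency
    1, and a destination marked dead stays dead. The scenario helpers at
    the end reproduce the claims in the text (doubling versus +1 ramp-up,
    and one failure suspending a rate-delayed destination unless the failed
    cohort limit is raised).

```python
# Added example (not Postfix code): a model of destination concurrency
# feedback, pseudo-cohorts and the failed cohort limit as described above.
# Starting concurrency 1 and "dead stays dead" are this model's assumptions.
from fractions import Fraction


class Feedback:
    """A feedback setting: constant "number", or variable "number / concurrency"."""

    def __init__(self, number, per_concurrency=False):
        self.number = Fraction(number)            # must be in 0..1
        self.per_concurrency = per_concurrency

    def amount(self, concurrency):
        return self.number / concurrency if self.per_concurrency else self.number


class Destination:
    def __init__(self, limit, positive, negative, failed_cohort_limit):
        self.limit = limit                        # _destination_concurrency_limit
        self.positive = positive                  # _concurrency_positive_feedback
        self.negative = negative                  # _concurrency_negative_feedback
        self.failed_cohort_limit = failed_cohort_limit   # 0 disables dead-marking
        self.concurrency = 1                      # model assumption: start at 1
        self.successes = Fraction(0)              # progress through a positive sequence
        self.failures = Fraction(0)               # progress through a negative sequence
        self.negative_step = Fraction(0)          # 1/length of the current negative sequence
        self.failed_cohorts = Fraction(0)         # pseudo-cohorts failed in a row
        self.dead = False

    def delivered(self):
        """A delivery completed without connection or handshake failure."""
        self.failed_cohorts = Fraction(0)         # the failure count is reset
        step = self.positive.amount(self.concurrency)
        if step == 0 or self.concurrency >= self.limit:
            return
        self.successes += step
        # concurrency is incremented at the END of a sequence of length 1/feedback
        if self.successes >= 1:
            self.successes -= 1
            self.concurrency = min(self.limit, self.concurrency + 1)

    def failed(self):
        """A delivery completed with a connection or handshake failure."""
        if self.concurrency > 1 and self.negative.amount(self.concurrency) > 0:
            if self.failures == 0:
                # a new sequence: concurrency is decremented at its START, and
                # its length is 1/feedback at the concurrency it started from
                self.negative_step = self.negative.amount(self.concurrency)
                self.concurrency -= 1             # never below 1 (Postfix 2.5+)
                self.successes = Fraction(0)
            self.failures += self.negative_step
            if self.failures >= 1:
                self.failures = Fraction(0)       # sequence complete
        # a pseudo-cohort is `concurrency` deliveries; this failure is 1/concurrency of one
        self.failed_cohorts += Fraction(1, self.concurrency)
        if self.failed_cohort_limit > 0 and self.failed_cohorts >= self.failed_cohort_limit:
            self.dead = True                      # further delivery suspended


def failures_until_dead(failed_cohort_limit, concurrency_limit=1):
    """Consecutive failures that suspend a destination, or None if never.

    A rate-delayed destination is delivered one at a time (concurrency
    limit 1), so every single failure is a whole failed pseudo-cohort.
    """
    dest = Destination(concurrency_limit, Feedback(1), Feedback(1), failed_cohort_limit)
    for n in range(1, 1001):
        dest.failed()
        if dest.dead:
            return n
    return None


def concurrency_after(successes, positive, limit=20):
    """Concurrency reached after `successes` trouble-free deliveries."""
    dest = Destination(limit, positive, Feedback(1), 1)
    for _ in range(successes):
        dest.delivered()
    return dest.concurrency


def concurrency_after_failures(start, failures, negative):
    """Concurrency left after `failures` failed deliveries from `start`."""
    dest = Destination(start, Feedback(1), negative, 0)   # limit 0: never marked dead
    while dest.concurrency < start:
        dest.delivered()                          # ramp up first
    for _ in range(failures):
        dest.failed()
    return dest.concurrency


if __name__ == "__main__":
    print("rate-delayed, cohort limit 1 :", failures_until_dead(1), "failure(s) to suspend")
    print("rate-delayed, cohort limit 10:", failures_until_dead(10), "failure(s) to suspend")
    print("7 successes, feedback 1       :", concurrency_after(7, Feedback(1)))
    print("7 successes, feedback 1/conc  :", concurrency_after(7, Feedback(1, True)))
```

    The first two lines of output are the point of the NOTE above: with the
    compatible default of one failed pseudo-cohort, a rate-delayed
    destination is suspended by a single connection error, while a limit of
    10 survives nine of them in a row, and any successful delivery in
    between resets the count.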

default_destination_recipient_limit
    The default maximal number of recipients per message delivery. This is
    the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
    virtual(8) delivery agents.

    Setting this parameter to a value of 1 affects email deliveries as
    follows:

    · It changes the meaning of the corresponding per-destination
      concurrency limit, from concurrency of deliveries to the same
      domain into concurrency of deliveries to the same recipient.
      Different recipients are delivered in parallel, subject to the
      process limits specified in master.cf.

    · It changes the meaning of the corresponding per-destination rate
      delay, from the delay between deliveries to the same domain into
      the delay between deliveries to the same recipient. Again,
      different recipients are delivered in parallel, subject to the
      process limits specified in master.cf.

    · It changes the meaning of other corresponding per-destination
      settings in a similar manner, from settings for delivery to the
      same domain into settings for delivery to the same recipient.

    Use transport_destination_recipient_limit to specify a
    transport-specific override, where transport is the master.cf name of
    the message delivery transport.

default_extra_recipient_limit
    The default value for the extra per-transport limit imposed on the
    number of in-memory recipients. This extra recipient space is reserved
    for the cases when the Postfix queue manager's scheduler preempts one
    message with another and suddenly needs some extra recipient slots for
    the chosen message in order to avoid performance degradation.

    Use transport_extra_recipient_limit to specify a transport-specific
    override, where transport is the master.cf name of the message delivery
    transport.

default_filter_nexthop
    When a content_filter or FILTER request specifies no explicit next-hop
    destination, use $default_filter_nexthop instead; when that value is
    empty, use the domain in the recipient address. Specify
    "default_filter_nexthop = $myhostname" for compatibility with Postfix
    version 2.6 and earlier, or specify an explicit next-hop destination
    with each content_filter value or FILTER action.

    This feature is available in Postfix 2.7 and later.

default_minimum_delivery_slots
    How many recipients a message must have in order to invoke the Postfix
    queue manager's scheduling algorithm at all. Messages which would
    never accumulate at least this many delivery slots (subject to the slot
    cost parameter as well) are never preempted.

    Use transport_minimum_delivery_slots to specify a transport-specific
    override, where transport is the master.cf name of the message delivery
    transport.

default_privs
    The default rights used by the local(8) delivery agent for delivery to
    external file or command. These rights are used when delivery is
    requested from an aliases(5) file that is owned by root, or when
    delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR
    THE POSTFIX OWNER.

default_process_limit
    The default maximal number of Postfix child processes that provide a
    given service. This limit can be overruled for specific services in the
    master.cf file.

default_rbl_reply
    The default Postfix SMTP server response template for a request that is
    rejected by an RBL-based restriction. This template can be overruled by
    specific entries in the optional rbl_reply_maps lookup table.

    This feature is available in Postfix 2.0 and later.

    The template is subject to exactly one level of $name substitution:

    $client
           The client hostname and IP address, formatted as name[address].

    $client_address
           The client IP address.

    $client_name
           The client hostname or "unknown". See
           reject_unknown_client_hostname for more details.

    $reverse_client_name
           The client hostname from address->name lookup, or "unknown".
           See reject_unknown_reverse_client_hostname for more details.

    $helo_name
           The hostname given in HELO or EHLO command or empty string.

    $rbl_class
           The blacklisted entity type: Client host, Helo command, Sender
           address, or Recipient address.

    $rbl_code
           The numerical SMTP response code, as specified with the
           maps_rbl_reject_code configuration parameter. Note: The
           numerical SMTP response code is required, and must appear at
           the start of the reply. With Postfix version 2.3 and later this
           information may be followed by an RFC 3463 enhanced status
           code.

    $rbl_domain
           The RBL domain where $rbl_what is blacklisted.

    $rbl_reason
           The reason why $rbl_what is blacklisted, or an empty string.

    $rbl_what
           The entity that is blacklisted (an IP address, a hostname, a
           domain name, or an email address whose domain was blacklisted).

    $recipient
           The recipient address or <> in case of the null address.

    $recipient_domain
           The recipient domain or empty string.

    $recipient_name
           The recipient address localpart or <> in case of the null
           address.

    $sender
           The sender address or <> in case of the null address.

    $sender_domain
           The sender domain or empty string.

    $sender_name
           The sender address localpart or <> in case of the null address.

    ${name?text}
           Expands to `text' if $name is not empty.

    ${name:text}
           Expands to `text' if $name is empty.

    Instead of $name you can also specify ${name} or $(name).

    Note: when an enhanced status code is specified in an RBL reply
    template, it is subject to modification. The following transformations
    are needed when the same RBL reply template is used for client, helo,
    sender, or recipient access restrictions.

    · When rejecting a sender address, the Postfix SMTP server will
      transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
      corresponding sender DSN status, and vice versa.

    · When rejecting non-address information (such as the HELO command
      argument or the client hostname/address), the Postfix SMTP
      server will transform a sender or recipient DSN status into a
      generic non-address DSN status (e.g., 4.0.0).
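
    The one-level $name expansion that this section and the
    command_execution_directory section describe, together with the
    underscore fil­tering that command_expansion_filter applies to expanded
    values, as an added example in Python that is not Postfix code and not
    part of this manual page. It handles $name, ${name}, $(name),
    ${name?text}, ${name:text} and the "$$" escape from the
    debugger_command note. Two points are this model's assumptions rather
    than statements on the page: the text inside a conditional is itself
    scanned for $name references (which is how the $rbl_reason conditional
    in the template below has to work), while expanded values are never
    rescanned; and SAFE_CHARS is a constructed allowed character set, since
    the real default filter set is not shown here. The template, the
    delivery data and the reject data are constructed.

```python
# Added example (not Postfix code): a model of one-level "$name" expansion
# as used by command_execution_directory and default_rbl_reply, plus the
# command_expansion_filter rule (disallowed characters become "_").
# SAFE_CHARS, RBL_TEMPLATE and all sample data are constructed.
import re
import string

# Parameter names may only contain [a-zA-Z0-9_], hence \w with re.ASCII.
_TOKEN = re.compile(r"""
    \$\$                           # "$$" yields one literal "$"
  | \$\{(\w+)\?([^{}]*)\}          # ${name?text}: text when $name is non-empty
  | \$\{(\w+):([^{}]*)\}           # ${name:text}: text when $name is empty
  | \$\{(\w+)\}                    # ${name}
  | \$\((\w+)\)                    # $(name)
  | \$(\w+)                        # $name
""", re.VERBOSE | re.ASCII)


def expand(template, values, allowed=None):
    """Expand $name references exactly once; expanded values are not rescanned.

    values: dict of parameter name -> string (an undefined name expands to "").
    allowed: optional set of characters; any other character in an expanded
    value is replaced by "_" (the command_expansion_filter rule). Text inside
    ${name?text} / ${name:text} is itself expanded (model assumption).
    """
    def value(name):
        v = values.get(name, "")
        if allowed is not None:
            v = "".join(c if c in allowed else "_" for c in v)
        return v

    def replace(m):
        if m.group(0) == "$$":
            return "$"
        if m.group(1) is not None:                 # ${name?text}
            return expand(m.group(2), values, allowed) if value(m.group(1)) else ""
        if m.group(3) is not None:                 # ${name:text}
            return "" if value(m.group(3)) else expand(m.group(4), values, allowed)
        return value(m.group(5) or m.group(6) or m.group(7))

    return _TOKEN.sub(replace, template)


# Constructed allowed set in the spirit of command_expansion_filter.
SAFE_CHARS = set(string.ascii_letters + string.digits + "-_./@")


def execution_directory(template, delivery):
    """command_execution_directory expansion with value filtering applied."""
    return expand(template, delivery, SAFE_CHARS)


# Constructed RBL reply template using the variables listed in this section.
RBL_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")


def rbl_reply(reject):
    """Render the reply for one rejection; reject maps $rbl_* names to values."""
    return expand(RBL_TEMPLATE, reject)


if __name__ == "__main__":
    # Constructed delivery request: an address extension carrying shell
    # metacharacters, which the filter turns into underscores.
    delivery = {"home": "/home/alice", "user": "alice", "extension": "bad name;touch x"}
    print(execution_directory("$home/Maildir/${extension?.$extension}", delivery))
    print(rbl_reply({"rbl_code": "554", "rbl_class": "Client host",
                     "rbl_what": "192.0.2.1", "rbl_domain": "rbl.example.net",
                     "rbl_reason": ""}))
```

    The filter matters because the expanded value ends up in a working
    directory or, via $mailbox_command, in a command line: keeping the
    allowed set small is what stops recipient-controlled text such as an
    address extension from carrying shell syntax into that command.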

The default per-transport upper limit on the number of in-memory recipients. These limits take priority over the global qmgr_message_recipient_limit after the message has been assigned to the respective transports. See also default_extra_recipient_limit and qmgr_message_recipient_minimum.

Use transport_recipient_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

The default per-transport maximum delay between recipient refills. When not all message recipients fit into memory at once, keep loading more of them at least once every this many seconds. This makes sure that recipients are refilled in a timely manner even when $default_recipient_refill_limit is too high for slow deliveries.

Use transport_recipient_refill_delay to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

This feature is available in Postfix 2.4 and later.

The default per-transport limit on the number of recipients refilled at once. When not all message recipients fit into memory at once, keep loading more of them in batches of at least this many at a time. See also $default_recipient_refill_delay, which may result in recipient batches smaller than this when this limit is too high for slow deliveries.

Use transport_recipient_refill_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

This feature is available in Postfix 2.4 and later.

The default mail delivery transport and next-hop destination for destinations that do not match $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or $relay_domains. This information can be overruled with the sender_dependent_default_transport_maps parameter and with the transport(5) table.

In order of decreasing precedence, the nexthop destination is taken from $sender_dependent_default_transport_maps, $default_transport, $sender_dependent_relayhost_maps, $relayhost, or from the recipient domain.

Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. The :nexthop destination is optional; its syntax is documented in the manual page of the corresponding delivery agent.

Example:

    default_transport = uucp:relayhostname

The default amount of delay that is inserted between individual deliveries over the same message delivery transport, regardless of destination. If non-zero, all deliveries over the same message delivery transport will happen one at a time.

Use transport_transport_rate_delay to specify a transport-specific override, where the initial transport is the master.cf name of the message delivery transport.

Example: throttle outbound SMTP mail to at most 3 deliveries per minute.

    /etc/postfix/main.cf:
        smtp_transport_rate_delay = 20s

To enable the delay, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

NOTE: the delay is enforced by the queue manager.

This feature is available in Postfix 3.1 and later.

The two default VERP delimiter characters. These are used when no explicit delimiters are specified with the SMTP XVERP command or with the "sendmail -V" command-line option. Specify characters that are allowed by the verp_delimiter_filter setting.

This feature is available in Postfix 1.1 and later.

The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "defer" restriction.

Do not change this unless you have a complete understanding of RFC 5321.

The name of the defer service. This service is implemented by the bounce(8) daemon and maintains a record of failed delivery attempts and generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

The names of message delivery transports that should not deliver mail unless someone issues "sendmail -q" or equivalent. Specify zero or more names of mail delivery transports that appear in the first field of master.cf.

Example:

    defer_transports = smtp

The maximal number of digits after the decimal point when logging sub-second delay values. Specify a number in the range 0..6.

Large delay values are rounded off to an integral number of seconds; delay values below the delay_logging_resolution_limit are logged as "0", and delay values under 100s are logged with at most two-digit precision.

The format of the "delays=a/b/c/d" logging is as follows:

· a = time from message arrival to last active queue entry

· b = time from last active queue entry to connection setup

· c = time in connection setup, including DNS, EHLO and STARTTLS

· d = time in message transmission

This feature is available in Postfix 2.3 and later.
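
As an added example (not part of the postconf(5) text), a small Python parser that pulls the delays=a/b/c/d field out of Postfix delivery log lines and reports which stage dominated; the log lines are constructed for illustration and the stage names are ours.

```python
"""Parse the "delays=a/b/c/d" field from Postfix delivery log lines and
point at the stage where the time was spent.  Added example, not Postfix
code; the log lines below are constructed for illustration."""
import re

# Field order as documented for delay_logging_resolution_limit:
# a = arrival to last active-queue entry, b = active queue to connection
# setup, c = connection setup (DNS, EHLO, STARTTLS), d = transmission.
STAGES = ("arrival_to_active", "active_to_connect", "connect_setup", "transmission")
DELAYS_RE = re.compile(r"\bdelays=([0-9.]+)/([0-9.]+)/([0-9.]+)/([0-9.]+)")

# Constructed sample lines in the layout Postfix uses (the queue IDs are the
# two examples from this page; hosts and addresses are documentation values).
SAMPLE_LINES = [
    "Jul  1 12:00:01 mx1 postfix/smtp[1234]: 3Pt2mN2VXxznjll: to=<user@example.org>, "
    "relay=mail.example.org[192.0.2.10]:25, delay=0.52, delays=0.02/0.01/0.31/0.18, "
    "dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Jul  1 12:00:07 mx1 postfix/smtp[1235]: C3CD21F3E90: to=<user@example.net>, "
    "relay=none, delay=31, delays=0.03/0.01/30/0, dsn=4.4.1, status=deferred "
    "(connect to mail.example.net[192.0.2.20]:25: Connection timed out)",
    "Jul  1 12:00:09 mx1 postfix/smtpd[1240]: connect from unknown[192.0.2.99]",
]


def parse_delays(line):
    """Return {stage: seconds} for a line carrying delays=a/b/c/d, else None."""
    match = DELAYS_RE.search(line)
    if match is None:
        return None
    return dict(zip(STAGES, (float(v) for v in match.groups())))


def slowest_stage(delays):
    """Name the stage that dominates the total delay."""
    return max(delays, key=delays.get)


def stage_totals(lines):
    """Sum each stage over all delivery lines; lines without delays= are skipped."""
    totals = dict.fromkeys(STAGES, 0.0)
    for line in lines:
        delays = parse_delays(line)
        if delays:
            for stage, value in delays.items():
                totals[stage] += value
    return totals


def flag_slow_setups(lines, limit=10.0):
    """Queue IDs whose connection-setup stage (DNS, EHLO, STARTTLS) exceeded
    `limit` seconds: a first triage step for resolver or remote-side trouble."""
    flagged = []
    for line in lines:
        delays = parse_delays(line)
        if delays and delays["connect_setup"] > limit:
            flagged.append(line.split(": ")[1])   # the queue ID follows "postfix/smtp[pid]: "
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = parse_delays(line)
        print(slowest_stage(d) if d else "no delays field", "<-", line[:60])
    print(stage_totals(SAMPLE_LINES))
    print(flag_slow_setups(SAMPLE_LINES))
```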
1684
The recipient of postmaster notifications with the message headers of mail that cannot be delivered within $delay_warning_time time units.

See also: delay_warning_time, notify_classes.

The time after which the sender receives a copy of the message headers of mail that is still queued. The confirm_delay_cleared parameter controls sender notification when the delay clears up.

To enable this feature, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is h (hours).

See also: delay_notice_recipient, notify_classes, confirm_delay_cleared.

The maximal number of attempts to acquire an exclusive lock on a mailbox file or bounce(8) logfile.

The time between attempts to acquire an exclusive lock on a mailbox file or bounce(8) logfile.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

Make the queue manager's feedback algorithm verbose for performance analysis purposes.

This feature is available in Postfix 2.5 and later.

Automatically detect 8BITMIME body content by looking at Content-Transfer-Encoding: message headers; historically, this behavior was hard-coded to be "always on".

This feature is available in Postfix 2.5 and later.

Disable DNS lookups in the Postfix SMTP and LMTP clients. When disabled, hosts are looked up with the getaddrinfo() system library routine which normally also looks in /etc/hosts. As of Postfix 2.11, this parameter is deprecated; use smtp_dns_support_level instead.

DNS lookups are enabled by default.

Turn off MIME processing while receiving mail. This means that no special treatment is given to Content-Type: message headers, and that all text after the initial message headers is considered to be part of the message body.

This feature is available in Postfix 2.0 and later.

MIME input processing is enabled by default, and is needed in order to recognize MIME headers in message content.

Disable the conversion of 8BITMIME format to 7BIT format. MIME output conversion is needed when the destination does not advertise 8BITMIME support.

This feature is available in Postfix 2.0 and later.

Disable sending one bounce report per recipient.

The default, one per recipient, is what ezmlm needs.

This feature is available in Postfix 1.1 and later.

Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.

Example:

    disable_vrfy_command = no

Enable a workaround for future libc incompatibility. The Postfix implementation of RFC 2308 negative reply caching relies on the promise that res_query() and res_search() invoke res_send(), which returns the server response in an application buffer even if the requested record does not exist. If this promise is broken, specify "yes" to enable a workaround for DNS reputation lookups.

This feature is available in Postfix 3.1 and later.

A debugging aid to artificially delay DNS responses.

This feature is available in Postfix 2.8.

The name of the dnsblog(8) service entry in master.cf. This service performs DNS white/blacklist lookups.

This feature is available in Postfix 2.8 and later.

Don't remove queue files; save them to the "saved" mail queue instead. This is a debugging aid. To inspect the envelope information and content of a Postfix queue file, use the postcat(1) command.

The sender address of postmaster notifications that are generated by the mail system. All mail to this address is silently discarded, in order to terminate mail bounce loops.

The maximal number of addresses remembered by the address duplicate filter for aliases(5) or virtual(5) alias expansion, or for showq(8) queue displays.

The sender_dependent_default_transport_maps search string that will be used instead of the null sender address.

This feature is available in Postfix 2.7 and later.

The recipient of mail addressed to the null address. Postfix does not accept such addresses in SMTP commands, but they may still be created locally as the result of configuration or software error.

The sender_dependent_relayhost_maps search string that will be used instead of the null sender address.

This feature is available in Postfix 2.5 and later. With earlier versions, sender_dependent_relayhost_maps lookups were skipped for the null sender address.

Report mail delivery errors to the address specified with the non-standard Errors-To: message header, instead of the envelope sender address (this feature is removed with Postfix version 2.2, is turned off by default with Postfix version 2.1, and is always turned on with older Postfix versions).

Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. Specify "yes" for compatibility with Postfix <= 3.1 (not recommended). This affects the conversion of domain names that contain for example the German sz and the Greek zeta. See http://unicode.org/cldr/utility/idna.jsp for more examples.

This feature is available in Postfix 3.2 and later.

Enable long, non-repeating, queue IDs (queue file names). The benefit of non-repeating names is simpler logfile analysis and easier queue migration (there is no need to run "postsuper" to change queue file names that don't match their message file inode number).

Note: see below for how to convert long queue file names to Postfix <= 2.8.

Changing the parameter value to "yes" has the following effects:

· Existing queue file names are not affected.

· New queue files are created with names such as 3Pt2mN2VXxznjll. These are encoded in a 52-character alphabet that contains digits (0-9), upper-case letters (B-Z) and lower-case letters (b-z). For safety reasons the vowels (AEIOUaeiou) are excluded from the alphabet. The name format is: 6 or more characters for the time in seconds, 4 characters for the time in microseconds, the 'z'; the remainder is the file inode number encoded in the first 51 characters of the 52-character alphabet.

· New messages have a Message-ID header with queueID@myhostname.

· The mailq (postqueue -p) output has a wider Queue ID column. The number of whitespace-separated fields is not changed.

· The hash_queue_depth algorithm uses the first characters of the queue file creation time in microseconds, after conversion into hexadecimal representation. This produces the same queue hashing behavior as if the queue file name was created with "enable_long_queue_ids = no".

Changing the parameter value to "no" has the following effects:

· Existing long queue file names are renamed to the short form (while running "postfix reload" or "postsuper").

· New queue files are created with names such as C3CD21F3E90 from a hexadecimal alphabet that contains digits (0-9) and upper-case letters (A-F). The name format is: 5 characters for the time in microseconds; the remainder is the file inode number.

· New messages have a Message-ID header with YYYYMMDDHHMMSS.queueid@myhostname, where YYYYMMDDHHMMSS are the year, month, day, hour, minute and second.

· The mailq (postqueue -p) output has the same format as with Postfix <= 2.8.

· The hash_queue_depth algorithm uses the first characters of the queue file name, with the hexadecimal representation of the file creation time in microseconds.

Before migration to Postfix <= 2.8, the following commands are required to convert long queue file names into short names:

    # postfix stop
    # postconf enable_long_queue_ids=no
    # postsuper

Repeat the postsuper command until it reports no more queue file name changes.

This feature is available in Postfix 2.9 and later.

Enable support for the original recipient address after an address is rewritten to a different address (for example with aliasing or with canonical mapping).

The original recipient address is used as follows:

Final delivery
        With "enable_original_recipient = yes", the original recipient address is stored in the X-Original-To message header. This header may be used to distinguish between different recipients that share the same mailbox.

Recipient deduplication
        With "enable_original_recipient = yes", the cleanup(8) daemon performs duplicate recipient elimination based on the content of (original recipient, maybe-rewritten recipient) pairs. Otherwise, the cleanup(8) daemon performs duplicate recipient elimination based only on the maybe-rewritten recipient address.

Note: with Postfix <= 3.2 the setting "enable_original_recipient = no" breaks address verification for addresses that are aliased or otherwise rewritten (Postfix is unable to store the address verification result under the original probe destination address; instead, it can store the result only under the rewritten address).

This feature is available in Postfix 2.1 and later. Postfix version 2.0 behaves as if this parameter is always set to yes. Postfix versions before 2.0 have no support for the original recipient address.

The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or protocol errors. These notifications are enabled with the notify_classes parameter.

The name of the error(8) pseudo delivery agent. This service always returns mail as undeliverable.

This feature is available in Postfix 2.0 and later.

Restrict the characters that the local(8) delivery agent allows in $name expansions of $command_execution_directory. Characters outside the allowed set are replaced by underscores.

This feature is available in Postfix 2.2 and later.

When delivering to an alias "aliasname" that has an "owner-aliasname" companion alias, set the envelope sender address to the expansion of the "owner-aliasname" alias. Normally, Postfix sets the envelope sender address to the name of the "owner-aliasname" alias.

The list of environment variables that a Postfix process will export to non-Postfix processes. The TZ variable is needed for sane time keeping on System-V-ish systems.

Specify a list of names and/or name=value pairs, separated by whitespace or comma. Specify "{ name=value }" to protect whitespace or comma in parameter values (whitespace after "{" and before "}" is ignored). The form name=value is supported with Postfix version 2.1 and later; the use of {} is supported with Postfix 3.0 and later.

Example:

    export_environment = TZ PATH=/bin:/usr/bin

The maximal number of recipient addresses that Postfix will extract from message headers when mail is submitted with "sendmail -t".

This feature was removed in Postfix version 2.1.

Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. With Postfix 2.3 this parameter is renamed to smtp_fallback_relay.

By default, mail is returned to the sender when a destination is not found, and delivery is deferred when a destination is unreachable.

The fallback relays must be SMTP destinations. Specify a domain, host, host:port, [host]:port, [address] or [address]:port; the form [host] turns off MX lookups. If you specify multiple SMTP destinations, Postfix will try them in the specified order.

Note: before Postfix 2.2, do not use the fallback_relay feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX host and the fallback_relay host when the final destination is unavailable. Instead:

· In main.cf specify "relay_transport = relay",

· In master.cf specify "-o fallback_relay =" (i.e., empty) at the end of the relay entry.

· In transport maps, specify "relay:nexthop..." as the right-hand side for backup or primary MX domain entries.

Postfix version 2.2 and later will not use the fallback_relay feature for destinations that it is MX host for.

Optional message delivery transport that the local(8) delivery agent should use for names that are not found in the aliases(5) or UNIX password database.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

Optional lookup tables with per-recipient message delivery transports for recipients that the local(8) delivery agent could not find in the aliases(5) or UNIX password database.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

For safety reasons, this feature does not allow $number substitutions in regular expression maps.

This feature is available in Postfix 2.3 and later.

Optional list of destinations that are eligible for per-destination logfiles with mail that is queued to those destinations.

By default, Postfix maintains "fast flush" logfiles only for destinations that the Postfix SMTP server is willing to relay to (i.e. the default is: "fast_flush_domains = $relay_domains"; see the relay_domains parameter in the postconf(5) manual).

Specify a list of hosts or domains, "/file/name" patterns or "type:table" lookup tables, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when the domain or its parent domain appears as lookup key.

Pattern matching of domain names is controlled by the presence or absence of "fast_flush_domains" in the parent_domain_matches_subdomains parameter value.

Specify "fast_flush_domains =" (i.e., empty) to disable the feature altogether.

The time after which an empty per-destination "fast flush" logfile is deleted.

You can specify the time as a number, or as a number followed by a letter that indicates the time unit: s=seconds, m=minutes, h=hours, d=days, w=weeks. The default time unit is days.

The time after which a non-empty but unread per-destination "fast flush" logfile needs to be refreshed. The contents of a logfile are refreshed by requesting delivery of all messages listed in the logfile.

You can specify the time as a number, or as a number followed by a letter that indicates the time unit: s=seconds, m=minutes, h=hours, d=days, w=weeks. The default time unit is hours.

Force specific internal tests to fail, to test the handling of errors that are difficult to reproduce otherwise.

The name of the flush(8) service. This service maintains per-destination logfiles with the queue file names of mail that is queued for those destinations.

This feature is available in Postfix 2.0 and later.

The maximal number of attempts to fork() a child process.

The delay between attempts to fork() a child process.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

Restrict the characters that the local(8) delivery agent allows in $name expansions of $forward_path. Characters outside the allowed set are replaced by underscores.

The local(8) delivery agent search list for finding a .forward file with user-specified delivery methods. The first file that is found is used.

The following $name expansions are done on forward_path before the search actually happens. The result of $name expansion is filtered with the character set that is specified with the forward_expansion_filter parameter.

$user   The recipient's username.

$shell  The recipient's login shell pathname.

$home   The recipient's home directory.

$recipient
        The full recipient address.

$extension
        The optional recipient address extension.

$domain
        The recipient domain.

$local  The entire recipient localpart.

$recipient_delimiter
        The address extension delimiter that was found in the recipient address (Postfix 2.11 and later), or the system-wide recipient address extension delimiter (Postfix 2.10 and earlier).

${name?value}
        Expands to value when $name is non-empty.

${name:value}
        Expands to value when $name is empty.

Instead of $name you can also specify ${name} or $(name).

Examples:

    forward_path = /var/forward/$user
    forward_path =
        /var/forward/$user/.forward$recipient_delimiter$extension,
        /var/forward/$user/.forward
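
An added example, not Postfix's own code, that implements the $name, ${name}, $(name), ${name?value} and ${name:value} expansions listed here (the same forms appear in the RBL reply template section above) and applies a forward_expansion_filter-style character filter to each expanded value; the allowed-character set and the recipient attributes are constructed, not Postfix defaults.

```python
"""Expand local(8)-style $name templates such as forward_path, applying a
forward_expansion_filter-like character filter to each expanded value.
Added example, not Postfix code; the allowed-character set and the recipient
attributes below are constructed, not Postfix defaults."""
import re

# Supported forms from the page: $name, ${name}, $(name), ${name?value},
# ${name:value}.  Names are limited to [a-zA-Z0-9_]; the Postfix 3.0
# ${name?{value}} brace form is not handled here.
TOKEN = re.compile(
    r"\$(?:(?P<bare>[A-Za-z0-9_]+)"
    r"|\((?P<paren>[A-Za-z0-9_]+)\)"
    r"|\{(?P<brace>[A-Za-z0-9_]+)(?:(?P<op>[?:])(?P<cond>[^{}]*))?\})"
)

# Constructed filter set: every character outside it becomes "_".
ALLOWED = set("0123456789abcdefghijklmnopqrstuvwxyz"
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ!@%-_=+:,./")

# Constructed recipient attributes, named as on the page.
VARS = {
    "user": "alice", "shell": "/bin/sh", "home": "/home/alice",
    "recipient": "alice+lists@example.org", "extension": "lists",
    "domain": "example.org", "local": "alice+lists", "recipient_delimiter": "+",
}


def filter_value(value, allowed=ALLOWED):
    """Replace characters outside the allowed set by underscores."""
    return "".join(ch if ch in allowed else "_" for ch in value)


def expand(template, variables, allowed=ALLOWED):
    """Expand $name forms; undefined names expand to the empty string.
    The replacement text of ${name?value} / ${name:value} is expanded
    recursively, so it may itself contain $name references."""
    def lookup(name):
        return filter_value(variables.get(name, ""), allowed)

    def replace(match):
        name = match.group("bare") or match.group("paren") or match.group("brace")
        op = match.group("op")
        if op is None:                     # $name, ${name}, $(name)
            return lookup(name)
        present = lookup(name) != ""
        if (op == "?") == present:         # "?" fires when non-empty, ":" when empty
            return expand(match.group("cond"), variables, allowed)
        return ""

    return TOKEN.sub(replace, template)


def forward_search_list(setting, variables, allowed=ALLOWED):
    """Split a comma/whitespace separated forward_path value and expand each
    entry; local(8) would then use the first file that exists."""
    return [expand(entry, variables, allowed)
            for entry in re.split(r"[\s,]+", setting.strip()) if entry]


if __name__ == "__main__":
    setting = ("/var/forward/$user/.forward$recipient_delimiter$extension, "
               "/var/forward/$user/.forward")
    print(forward_search_list(setting, VARS))
    print(expand("$home/.forward${extension?+$extension}", VARS))
    print(expand("$home/.forward${extension:default}", dict(VARS, extension="")))
    print(expand("/var/forward/$user", dict(VARS, user="al ice;x")))   # filtered value
```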
2147
Update the local(8) delivery agent's idea of the Delivered-To: address (see prepend_delivered_header) only once, at the start of a delivery attempt; do not update the Delivered-To: address while expanding aliases or .forward files.

This feature is available in Postfix 2.3 and later. With older Postfix releases, the behavior is as if this parameter is set to "no". The old setting can be expensive with deeply nested aliases or .forward files. When an alias or .forward file changes the Delivered-To: address, it ties up one queue file and one cleanup process instance while mail is being forwarded.

The number of subdirectory levels for queue directories listed with the hash_queue_names parameter. Queue hashing is implemented by creating one or more levels of directories with one-character names. Originally, these directory names were equal to the first characters of the queue file name, with the hexadecimal representation of the file creation time in microseconds.

With long queue file names, queue hashing produces the same results as with short names. The file creation time in microseconds is converted into hexadecimal form before the result is used for queue hashing. The base 16 encoding gives finer control over the number of subdirectories than is possible with the base 52 encoding of long queue file names.

After changing the hash_queue_names or hash_queue_depth parameter, execute the command "postfix reload".
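
An added example, not Postfix code, that decodes the long queue ID format described under enable_long_queue_ids above and derives the hash_queue_depth subdirectory for both long and short IDs; it assumes the 52-character alphabet is ordered digits, then upper-case, then lower-case consonants, and that the microseconds are rendered as 5 hexadecimal digits, matching the short-name format.

```python
"""Decode Postfix long queue IDs (enable_long_queue_ids = yes), tell them
apart from short hexadecimal IDs, and derive the hash_queue_depth directory
path for either form.  Added example, not Postfix code.  Assumption: the
52-character alphabet is ordered digits, then upper-case, then lower-case
consonants, as the page lists them."""
from datetime import datetime, timezone

ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
INODE_SEP = "z"        # the 52nd symbol; the inode part (base 51) never uses it
SEC_MIN_LEN, USEC_LEN = 6, 4
HEX_DIGITS = "0123456789ABCDEF"


def _decode(text, base):
    """Most-significant-digit-first decoding in the given base."""
    value = 0
    for ch in text:
        digit = ALPHABET.index(ch)       # ValueError for characters outside the alphabet
        if digit >= base:
            raise ValueError(f"{ch!r} is not a base-{base} digit")
        value = value * base + digit
    return value


def is_short_queue_id(queue_id):
    """Short form: 5 hex characters of microseconds followed by the inode in hex."""
    return len(queue_id) > 5 and all(ch in HEX_DIGITS for ch in queue_id)


def parse_long_queue_id(queue_id):
    """Split <seconds><usec>z<inode> and return the decoded fields.
    The sec/usec parts are base 52 and may themselves contain 'z', so the
    separator is the LAST 'z'; everything after it is the base-51 inode."""
    sep = queue_id.rfind(INODE_SEP)
    if sep < SEC_MIN_LEN + USEC_LEN or sep == len(queue_id) - 1:
        raise ValueError(f"not a long queue ID: {queue_id!r}")
    return {
        "seconds": _decode(queue_id[:sep - USEC_LEN], 52),
        "microseconds": _decode(queue_id[sep - USEC_LEN:sep], 52),
        "inode": _decode(queue_id[sep + 1:], 51),
    }


def creation_time(queue_id):
    """UTC creation timestamp recovered from a long queue ID."""
    fields = parse_long_queue_id(queue_id)
    return datetime.fromtimestamp(fields["seconds"], tz=timezone.utc).replace(
        microsecond=fields["microseconds"])


def hash_queue_dir(queue_id, depth):
    """Subdirectory path used for this queue file with hash_queue_depth = depth.
    Short IDs hash on their leading characters; long IDs on the microseconds
    converted to the same 5-digit hexadecimal form, so both hash alike."""
    if is_short_queue_id(queue_id):
        key = queue_id
    else:
        key = f"{parse_long_queue_id(queue_id)['microseconds']:05X}"
    return "/".join(key[:depth])


if __name__ == "__main__":
    for qid in ("3Pt2mN2VXxznjll", "C3CD21F3E90"):     # the two examples on the page
        print(qid, "->", hash_queue_dir(qid, 2))
    print(parse_long_queue_id("3Pt2mN2VXxznjll"), creation_time("3Pt2mN2VXxznjll"))
```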
2177
The names of queue directories that are split across multiple subdirectory levels.

Before Postfix version 2.2, the default list of hashed queues was significantly larger. Claims about improvements in file system technology suggest that hashing of the incoming and active queues is no longer needed. Fewer hashed directories speed up the time needed to restart Postfix.

After changing the hash_queue_names or hash_queue_depth parameter, execute the command "postfix reload".

The maximal number of address tokens that are allowed in an address message header. Information that exceeds the limit is discarded. The limit is enforced by the cleanup(8) server.

Optional lookup tables for content inspection of primary non-MIME message headers, as specified in the header_checks(5) manual page.

The format of the Postfix-generated From: header. This setting affects the appearance of 'full name' information when a local program such as /bin/mail submits a message without From: header through the Postfix sendmail(1) command.

Specify one of the following:

standard (default)
        Produce a header formatted as "From: name <address>". This is the default as of Postfix 3.3.

obsolete
        Produce a header formatted as "From: address (name)". This is the behavior prior to Postfix 3.3.

Notes:

· Postfix generates the format "From: address" when name information is unavailable or the envelope sender address is empty. This is the same behavior as prior to Postfix 3.3.

· In the standard form, the name will be quoted if it contains specials as defined in RFC 5322, or the "!%" address operators.

· The Postfix sendmail(1) command gets name information from the -F command-line option, from the NAME environment variable, or from the UNIX password file.

This feature is available in Postfix 3.3 and later.

The maximal amount of memory in bytes for storing a message header. If a header is larger, the excess is discarded. The limit is enforced by the cleanup(8) server.

Log warnings about problematic configuration settings, and provide helpful suggestions.

This feature is available in Postfix 2.0 and later.

Optional pathname of a mailbox file relative to a local(8) user's home directory.

Specify a pathname ending in "/" for qmail-style delivery.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

Examples:

    home_mailbox = Mailbox
    home_mailbox = Maildir/

The maximal number of Received: message headers that is allowed in the primary message headers. A message that exceeds the limit is bounced, in order to stop a mailer loop.

The location of Postfix HTML files that describe how to build, configure or operate a specific Postfix subsystem or feature.

Ignore DNS MX lookups that produce no response. By default, the Postfix SMTP client defers delivery and tries again after some delay. This behavior is required by the SMTP standard.

Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup instead. This violates the SMTP standard and can result in mis-delivery of mail.

The list of environment parameters that a privileged Postfix process will import from a non-Postfix parent process, or name=value environment overrides. Unprivileged utilities will enforce the name=value overrides, but otherwise will not change their process environment. Examples of relevant parameters:

TZ      May be needed for sane time keeping on most System-V-ish systems.

DISPLAY
        Needed for debugging Postfix daemons with an X-windows debugger.

XAUTHORITY
        Needed for debugging Postfix daemons with an X-windows debugger.

MAIL_CONFIG
        Needed to make "postfix -c" work.

Specify a list of names and/or name=value pairs, separated by whitespace or comma. Specify "{ name=value }" to protect whitespace or comma in parameter values (whitespace after "{" and before "}" is ignored). The form name=value is supported with Postfix version 2.1 and later; the use of {} is supported with Postfix 3.0 and later.

Time to pause before accepting a new message, when the message arrival rate exceeds the message delivery rate. This feature is turned on by default (it's disabled on SCO UNIX due to an SCO bug).

With the default 100 Postfix SMTP server process limit, "in_flow_delay = 1s" limits the mail inflow to 100 messages per second above the number of messages delivered per second.

Specify 0 to disable the feature. Valid delays are 0..10.
2311
2313 The network interface addresses that this mail system receives mail on.
2314 Specify "all" to receive mail on all network interfaces (default), and
2315 "loopback-only" to receive mail on loopback network interfaces only
2316 (Postfix version 2.2 and later). The parameter also controls delivery
2317 of mail to user@[ip.address].
2318
2319 Note 1: you need to stop and start Postfix when this parameter changes.
2320
2321 Note 2: address information may be enclosed inside [], but this form is
2322 not required here.
2323
2324 When inet_interfaces specifies just one IPv4 and/or IPv6 address that
2325 is not a loopback address, the Postfix SMTP client will use this
2326 address as the IP source address for outbound mail. Support for IPv6 is
2327 available in Postfix version 2.2 and later.
2328
2329 On a multi-homed firewall with separate Postfix instances listening on
2330 the "inside" and "outside" interfaces, this can prevent each instance
2331 from being able to reach remote SMTP servers on the "other side" of the
2332 firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential
2333 problem for IPv4, and setting smtp_bind_address6 to :: solves the prob‐
2334 lem for IPv6.
2335
2336 A better solution for multi-homed firewalls is to leave inet_interfaces
2337 at the default value and instead use explicit IP addresses in the mas‐
2338 ter.cf SMTP server definitions. This preserves the Postfix SMTP
2339 client's loop detection, by ensuring that each side of the firewall
2340 knows that the other IP address is still the same host. Setting
2341 $inet_interfaces to a single IPv4 and/or IPV6 address is primarily use‐
2342 ful with virtual hosting of domains on secondary IP addresses, when
2343 each IP address serves a different domain (and has a different $myhost‐
2344 name setting).
2345
2346 See also the proxy_interfaces parameter, for network addresses that are
2347 forwarded to Postfix by way of a proxy or address translator.
2348
2349 Examples:
2350
2351 inet_interfaces = all (DEFAULT)
2352 inet_interfaces = loopback-only (Postfix version 2.2 and later)
2353 inet_interfaces = 127.0.0.1
2354 inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2355 inet_interfaces = 192.168.1.2, 127.0.0.1

The Internet protocols Postfix will attempt to use when making or
accepting connections. Specify one or more of "ipv4" or "ipv6",
separated by whitespace or commas. The form "all" is equivalent to
"ipv4, ipv6" or "ipv4", depending on whether the operating system
implements IPv6.

With Postfix 2.8 and earlier the default is "ipv4". For backwards
compatibility with these releases, the Postfix 2.9 and later upgrade
procedure appends an explicit "inet_protocols = ipv4" setting to main.cf
when no explicit setting is present. This compatibility workaround will
be phased out as IPv6 deployment becomes more common.

This feature is available in Postfix 2.2 and later.

Note: you MUST stop and start Postfix after changing this parameter.

On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
will also accept IPv4 connections, even when IPv4 is turned off with
the inet_protocols parameter. On systems with IPV6_V6ONLY support,
Postfix will use separate server sockets for IPv6 and IPv4, and each
will accept only connections for the corresponding protocol.

When IPv4 support is enabled via the inet_protocols parameter, Postfix
will look up DNS type A records, and will convert IPv4-in-IPv6 client
IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
3493).

When IPv6 support is enabled via the inet_protocols parameter, Postfix
will do DNS type AAAA record lookups.

When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
will choose the protocol as specified with the smtp_address_preference
parameter. Postfix versions before 2.8 attempt to connect via IPv6
before attempting to use IPv4.

Examples:

inet_protocols = ipv4
inet_protocols = all (DEFAULT)
inet_protocols = ipv6
inet_protocols = ipv4, ipv6
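
The two parameters above (inet_interfaces and inet_protocols) are easy to get subtly wrong on a multi-homed host, so here is an added worked example, written for this page and not part of Postfix: a minimal main.cf reader (logical lines, continuation lines, plain $name/${name} expansion; the ${name?value} conditional forms are not implemented), a resolver for inet_protocols including the "all" case, the IPv4-in-IPv6 client address conversion the text describes, and a check that flags the single-non-loopback-address situation unless smtp_bind_address / smtp_bind_address6 are set to the wildcard values the text recommends. The sample configuration is constructed for illustration.

```python
"""Check inet_interfaces / inet_protocols in a Postfix main.cf fragment.

Added example, not Postfix code. The sample configuration below is
constructed for illustration only.
"""
import ipaddress
import re

# Constructed main.cf fragment: an "inside" instance on a multi-homed host
# that pins inet_interfaces to one non-loopback address.
SAMPLE_MAIN_CF = """\
# inside-facing instance
inet_interfaces = 192.0.2.10
inet_protocols = ipv4,
    ipv6
mydomain = example.test
myhostname = mx.$mydomain
"""

_REF = re.compile(r"\$(\w+)|\$\{(\w+)\}")
VALID_PROTOCOLS = {"ipv4", "ipv6", "all"}


def parse_main_cf(text):
    """Return {parameter: raw value}. A line starting with whitespace
    continues the previous logical line; blank and '#' lines are ignored."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"not a parameter line: {raw!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(params, value, depth=0):
    """Recursively replace $name / ${name}; undefined names become empty."""
    if depth > 20:
        raise ValueError("parameter reference loop")
    return _REF.sub(
        lambda m: expand(params, params.get(m.group(1) or m.group(2), ""), depth + 1),
        value)


def split_list(value):
    """Split a value on whitespace and/or commas, dropping empty items."""
    return [item for item in re.split(r"[\s,]+", value.strip()) if item]


def effective_protocols(value, os_has_ipv6=True):
    """Resolve inet_protocols to the set of address families Postfix uses."""
    items = split_list(value)
    bad = sorted(set(items) - VALID_PROTOCOLS)
    if bad or not items:
        raise ValueError(f"invalid inet_protocols value: {value!r}")
    if "all" in items:
        return {"ipv4", "ipv6"} if os_has_ipv6 else {"ipv4"}
    return set(items)


def normalize_client_address(addr, protocols):
    """Map an IPv4-in-IPv6 client address (::ffff:1.2.3.4) back to its
    IPv4 form when IPv4 is enabled; otherwise leave the address alone."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None and "ipv4" in protocols:
        return str(ip.ipv4_mapped)
    return str(ip)


def check_inet_interfaces(params):
    """Return warnings for the multi-homed case: exactly one non-loopback
    address per family pins the SMTP client's source address unless
    smtp_bind_address / smtp_bind_address6 are set to the wildcard."""
    value = expand(params, params.get("inet_interfaces", "all"))
    items = split_list(value)
    if items in (["all"], ["loopback-only"]):
        return []
    addrs = [ipaddress.ip_address(item.strip("[]")) for item in items]
    warnings = []
    for version, bind_param, wildcard in ((4, "smtp_bind_address", "0.0.0.0"),
                                          (6, "smtp_bind_address6", "::")):
        pinned = [a for a in addrs if a.version == version and not a.is_loopback]
        if len(pinned) == 1 and params.get(bind_param) != wildcard:
            warnings.append(
                f"inet_interfaces pins the IPv{version} source address to "
                f"{pinned[0]}; set {bind_param} = {wildcard} or use explicit "
                f"master.cf addresses")
    return warnings


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print(sorted(effective_protocols(expand(cfg, cfg["inet_protocols"]))))
    for warning in check_inet_interfaces(cfg):
        print("warning:", warning)
```

Run against the sample, the checker reports the pinned IPv4 source address; adding "smtp_bind_address = 0.0.0.0" to the fragment silences it, while the default "inet_interfaces = all" or a loopback-only list produces no warning. The reader accepts only IP addresses in inet_interfaces (a hostname there would raise), which matches the bracketed and unbracketed address forms shown in the examples above.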

The initial per-destination concurrency level for parallel delivery to
the same destination. With per-destination recipient limit > 1, a
destination is a domain, otherwise it is a recipient.

Use transport_initial_destination_concurrency to specify a
transport-specific override, where transport is the master.cf name of
the message delivery transport (Postfix 2.5 and later).

Warning: with concurrency of 1, one bad message can be enough to block
all mail to a site.

What categories of Postfix-generated mail are subject to before-queue
content inspection by non_smtpd_milters, header_checks and body_checks.
Specify zero or more of the following, separated by whitespace or
comma.

bounce Inspect the content of delivery status notifications.

notify Inspect the content of postmaster notifications by the smtp(8)
and smtpd(8) processes.

NOTE: It's generally not safe to enable content inspection of
Postfix-generated email messages. The user is warned.

This feature is available in Postfix 2.3 and later.

The numerical Postfix SMTP server response code when the client HELO or
EHLO command parameter is rejected by the reject_invalid_helo_hostname
restriction.

Do not change this unless you have a complete understanding of RFC
5321.

The time after which a client closes an idle internal communication
channel. The purpose is to allow Postfix daemon processes to terminate
voluntarily after they become idle. This is used, for example, by the
Postfix address resolving and rewriting clients.

With Postfix 2.4 the default value was reduced from 100s to 5s.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The time limit for sending or receiving information over an internal
communication channel. The purpose is to break out of deadlock
situations. If the time limit is exceeded the software aborts with a
fatal error.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The time after which a client closes an active internal communication
channel. The purpose is to allow Postfix daemon processes to terminate
voluntarily after reaching their client limit. This is used, for
example, by the Postfix address resolving and rewriting clients.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

Upon input, long lines are chopped up into pieces of at most this
length; upon delivery, long lines are reconstructed.

The initial OpenLDAP LMDB database size limit in bytes. Each time a
database becomes full, its size limit is doubled.

This feature is available in Postfix 2.11 and later.

The LMTP-specific version of the smtp_address_preference configuration
parameter. See there for details.

This feature is available in Postfix 2.8 and later.

The LMTP-specific version of the smtp_address_verify_target
configuration parameter. See there for details.

This feature is available in Postfix 3.0 and later.

When a remote LMTP server announces no DSN support, assume that the
server performs final delivery, and send "delivered" delivery status
notifications instead of "relayed". The default setting is backwards
compatible to avoid the infinitesimal possibility of breaking existing
LMTP-based content filters.

The LMTP-specific version of the smtp_balance_inet_protocols
configuration parameter. See there for details.

This feature is available in Postfix 3.3 and later.

The LMTP-specific version of the smtp_bind_address configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_bind_address6 configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_body_checks configuration
parameter. See there for details.

This feature is available in Postfix 2.5 and later.

Keep Postfix LMTP client connections open for up to $max_idle seconds.
When the LMTP client receives a request for the same connection the
connection is reused.

This parameter is available in Postfix version 2.2 and earlier. With
Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
lmtp_connection_cache_destinations, or
lmtp_connection_reuse_time_limit.

The effectiveness of cached connections will be determined by the
number of remote LMTP servers in use, and the concurrency limit
specified for the Postfix LMTP client. Cached connections are closed
under any of the following conditions:

· The Postfix LMTP client idle time limit is reached. This limit
is specified with the Postfix max_idle configuration parameter.

· A delivery request specifies a different destination than the
one currently cached.

· The per-process limit on the number of delivery requests is
reached. This limit is specified with the Postfix max_use
configuration parameter.

· Upon the onset of another delivery request, the remote LMTP
server associated with the current session does not respond to
the RSET command.

Most of these limitations have been addressed with the Postfix 2.3
connection cache that is shared among multiple LMTP client programs.

The LMTP-specific version of the smtp_cname_overrides_servername
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The Postfix LMTP client time limit for completing a TCP connection, or
zero (use the operating system built-in time limit). When no
connection can be made within the deadline, the LMTP client tries the
next address on the mail exchanger list.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Example:

lmtp_connect_timeout = 30s
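
Several entries above take time values with the same unit rules, and the lmtp_cache_connection entry lists the four conditions under which a cached connection is dropped. The following added example, written for this page and not part of Postfix, implements the time-unit parsing (s, m, h, d, w, with a configurable default unit), runs a small audit over a constructed set of timeout settings, and encodes the four cache-closing conditions as a single decision function. The audit rules and the max_idle/max_use defaults used in the decision function are this example's own choices, not Postfix defaults.

```python
"""Parse Postfix time values and model LMTP client timeout / cache rules.

Added example, not Postfix code. The settings below are constructed
samples, not a recommended configuration.
"""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_TIME = re.compile(r"^\s*(\d+)\s*([smhdw]?)\s*$")

# Constructed sample settings (parameter names are Postfix's, values are ours).
SAMPLE_TIMEOUTS = {
    "lmtp_connect_timeout": "0",
    "lmtp_lhlo_timeout": "5m",
    "lmtp_data_xfer_timeout": "180s",
    "lmtp_data_done_timeout": "600",
    "idle_timeout": "5s",
}


def parse_time(value, default_unit="s"):
    """Return the number of seconds for a value such as '30s', '5m' or '100'.

    A bare number takes default_unit; anything else raises ValueError."""
    m = _TIME.match(value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    number, unit = m.groups()
    return int(number) * UNIT_SECONDS[unit or default_unit]


def audit_timeouts(settings):
    """Return human-readable findings about a set of time parameters.

    Rules (this example's own): lmtp_connect_timeout = 0 is reported as
    deferring to the operating system's built-in limit, as the text says;
    every other timeout must parse and be a positive duration."""
    findings = []
    for name, value in settings.items():
        seconds = parse_time(value)
        if name == "lmtp_connect_timeout" and seconds == 0:
            findings.append(f"{name} = 0: operating system built-in connect limit applies")
        elif seconds <= 0:
            findings.append(f"{name} = {value}: must be a positive duration")
    return findings


def cached_connection_close_reason(idle_seconds, uses, requested_destination,
                                   cached_destination, rset_ok,
                                   max_idle="100s", max_use=100):
    """Return why a cached LMTP connection would be closed, or None to reuse it.

    The four conditions are the ones listed for lmtp_cache_connection; the
    max_idle and max_use defaults here are placeholders for this example."""
    if idle_seconds >= parse_time(max_idle):
        return "idle time limit reached (max_idle)"
    if requested_destination != cached_destination:
        return "delivery request for a different destination"
    if uses >= max_use:
        return "per-process delivery request limit reached (max_use)"
    if not rset_ok:
        return "remote server did not respond to RSET"
    return None


if __name__ == "__main__":
    for finding in audit_timeouts(SAMPLE_TIMEOUTS):
        print(finding)
    print(cached_connection_close_reason(120, 3, "store.example.test:24",
                                         "store.example.test:24", True))
```

parse_time's default_unit argument matters for parameters whose documented default unit is not seconds; every timeout in this part of the page defaults to seconds, which is why the audit calls it without one.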

The LMTP-specific version of the smtp_connection_cache_destinations
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_connection_cache_on_demand
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_connection_cache_time_limit
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_connection_reuse_count_limit
configuration parameter. See there for details.

This feature is available in Postfix 2.11 and later.

The LMTP-specific version of the smtp_connection_reuse_time_limit
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The Postfix LMTP client time limit for sending the LMTP ".", and for
receiving the remote LMTP server response. When no response is
received within the deadline, a warning is logged that the mail may be
delivered multiple times.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The Postfix LMTP client time limit for sending the LMTP DATA command,
and for receiving the remote LMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The Postfix LMTP client time limit for sending the LMTP message
content. When the connection stalls for more than
$lmtp_data_xfer_timeout the LMTP client terminates the transfer.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The LMTP-specific version of the smtp_defer_if_no_mx_address_found
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_delivery_status_filter
configuration parameter. See there for details.

This feature is available in Postfix 3.0 and later.

The maximal number of parallel deliveries to the same destination via
the lmtp message delivery transport. This limit is enforced by the
queue manager. The message delivery transport name is the first field
in the entry in the master.cf file.

The maximal number of recipients per message for the lmtp message
delivery transport. This limit is enforced by the queue manager. The
message delivery transport name is the first field in the entry in the
master.cf file.

Setting this parameter to a value of 1 changes the meaning of
lmtp_destination_concurrency_limit from concurrency per domain into
concurrency per recipient.

Lookup tables, indexed by the remote LMTP server address, with case
insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
that the Postfix LMTP client will ignore in the LHLO response from a
remote LMTP server. See lmtp_discard_lhlo_keywords for details. The
table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps.

This feature is available in Postfix 2.3 and later.

A case insensitive list of LHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix LMTP client will ignore in the LHLO response
from a remote LMTP server.

This feature is available in Postfix 2.3 and later.

Notes:

· Specify the silent-discard pseudo keyword to prevent this action
from being logged.

· Use the lmtp_discard_lhlo_keyword_address_maps feature to
discard LHLO keywords selectively.
2680
2682 Optional filter for Postfix LMTP client DNS lookup results. See
2683 smtp_dns_reply_filter for details including an example.
2684
2685 This feature is available in Postfix 3.0 and later.
2686
2688 The LMTP-specific version of the smtp_dns_resolver_options configura‐
2689 tion parameter. See there for details.
2690
2691 This feature is available in Postfix 2.8 and later.
2692
2694 The LMTP-specific version of the smtp_dns_support_level configuration
2695 parameter. See there for details.
2696
2697 This feature is available in Postfix 2.11 and later.
2698
2700 The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2701 ter. See there for details.
2702
2703 This feature is available in Postfix 2.3 and later.
2704
2706 Optional list of relay hosts for LMTP destinations that can't be found
2707 or that are unreachable. In main.cf elements are separated by white‐
2708 space or commas.
2709
2710 By default, mail is returned to the sender when a destination is not
2711 found, and delivery is deferred when a destination is unreachable.
2712
2713 The fallback relays must be TCP destinations, specified without a lead‐
2714 ing "inet:" prefix. Specify a host or host:port. Since MX lookups do
2715 not apply with LMTP, there is no need to use the "[host]" or
2716 "[host]:port" forms. If you specify multiple LMTP destinations, Post‐
2717 fix will try them in the specified order.
2718
2719 This feature is available in Postfix 3.1 and later.
2720
2722 The LMTP-specific version of the smtp_generic_maps configuration param‐
2723 eter. See there for details.
2724
2725 This feature is available in Postfix 2.3 and later.
2726
2728 The LMTP-specific version of the smtp_header_checks configuration
2729 parameter. See there for details.
2730
2731 This feature is available in Postfix 2.5 and later.
2732
2734 The LMTP-specific version of the smtp_host_lookup configuration parame‐
2735 ter. See there for details.
2736
2737 This feature is available in Postfix 2.3 and later.
2738
2740 The hostname to send in the LMTP LHLO command.
2741
2742 The default value is the machine hostname. Specify a hostname or
2743 [ip.add.re.ss].
2744
2745 This information can be specified in the main.cf file for all LMTP
2746 clients, or it can be specified in the master.cf file for a specific
2747 client, for example:
2748
2749 /etc/postfix/master.cf:
2750 mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2751
2752 This feature is available in Postfix 2.3 and later.
2753

The Postfix LMTP client time limit for sending the LHLO command, and
for receiving the initial remote LMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The LMTP-specific version of the smtp_line_length_limit configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The Postfix LMTP client time limit for sending the MAIL FROM command,
and for receiving the remote LMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The LMTP-specific version of the smtp_mime_header_checks configuration
parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the smtp_mx_address_limit configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_mx_session_limit configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_nested_header_checks
configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the smtp_per_record_deadline configuration
parameter. See there for details.

This feature is available in Postfix 2.9 and later.

The LMTP-specific version of the smtp_pix_workaround_delay_time
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_pix_workaround_maps configuration
parameter. See there for details.

This feature is available in Postfix 2.4 and later.

The LMTP-specific version of the smtp_pix_workaround_threshold_time
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_pix_workaround configuration
parameter. See there for details.

This feature is available in Postfix 2.4 and later.

The Postfix LMTP client time limit for sending the QUIT command, and
for receiving the remote LMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The LMTP-specific version of the smtp_quote_rfc821_envelope
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_randomize_addresses configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The Postfix LMTP client time limit for sending the RCPT TO command, and
for receiving the remote LMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The LMTP-specific version of the smtp_reply_filter configuration
parameter. See there for details.

This feature is available in Postfix 2.7 and later.

The Postfix LMTP client time limit for sending the RSET command, and
for receiving the remote LMTP server response. The LMTP client sends
RSET in order to finish a recipient address probe, or to verify that a
cached connection is still alive.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The LMTP-specific version of the smtp_sasl_auth_cache_name
configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the smtp_sasl_auth_cache_time
configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

Enable SASL authentication in the Postfix LMTP client.

The LMTP-specific version of the smtp_sasl_auth_soft_bounce
configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the smtp_sasl_mechanism_filter
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

Optional Postfix LMTP client lookup tables with one username:password
entry per host or domain. If a remote host or domain has no
username:password entry, then the Postfix LMTP client will not attempt
to authenticate to the remote host.

Implementation-specific information that is passed through to the SASL
plug-in implementation that is selected with lmtp_sasl_type. Typically
this specifies the name of a configuration file or rendezvous point.

This feature is available in Postfix 2.3 and later.

SASL security options; as of Postfix 2.3 the list of available features
depends on the SASL client implementation that is selected with
lmtp_sasl_type.

The following security features are defined for the cyrus client SASL
implementation:

noplaintext
    Disallow authentication methods that use plaintext passwords.

noactive
    Disallow authentication methods that are vulnerable to
    non-dictionary active attacks.

nodictionary
    Disallow authentication methods that are vulnerable to passive
    dictionary attack.

noanonymous
    Disallow anonymous logins.

Example:

lmtp_sasl_security_options = noplaintext

The LMTP-specific version of the smtp_sasl_tls_security_options
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_sasl_tls_verified_security_options
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The SASL plug-in type that the Postfix LMTP client should use for
authentication. The available types are listed with the "postconf -A"
command.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_send_dummy_mail_auth
configuration parameter. See there for details.

This feature is available in Postfix 2.9 and later.

Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
server response announces XFORWARD support. This allows an lmtp(8)
delivery agent, used for content filter message injection, to forward
the name, address, protocol and HELO name of the original client to the
content filter and downstream queuing LMTP server. Before you change
the value to yes, it is best to make sure that your content filter
supports this command.

This feature is available in Postfix 2.1 and later.

The LMTP-specific version of the smtp_sender_dependent_authentication
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_skip_5xx_greeting configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

Wait for the response to the LMTP QUIT command.

The LMTP-specific version of the smtp_starttls_timeout configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The default TCP port that the Postfix LMTP client connects to. Specify
a symbolic name (see services(5)) or a numeric port.

The LMTP-specific version of the smtp_tls_CAfile configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_CApath configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_block_early_mail_reply
configuration parameter. See there for details.

This feature is available in Postfix 2.7 and later.

The LMTP-specific version of the smtp_tls_cert_file configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_ciphers configuration
parameter. See there for details.

This feature is available in Postfix 2.6 and later.

The LMTP-specific version of the smtp_tls_dcert_file configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_dkey_file configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_eccert_file configuration
parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later.

The LMTP-specific version of the smtp_tls_eckey_file configuration
parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later.

The LMTP-specific version of the smtp_tls_enforce_peername
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_fingerprint_cert_match
configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the smtp_tls_fingerprint_digest
configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the
smtp_tls_force_insecure_host_tlsa_lookup configuration parameter. See
there for details.

This feature is available in Postfix 2.11 and later.

The LMTP-specific version of the smtp_tls_key_file configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_loglevel configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_mandatory_ciphers
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_mandatory_protocols
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_note_starttls_offer
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_per_site configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_policy_maps configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_protocols configuration
parameter. See there for details.

This feature is available in Postfix 2.6 and later.

The LMTP-specific version of the smtp_tls_scert_verifydepth
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_secure_cert_match
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_security_level configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_session_cache_database
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_session_cache_timeout
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_tls_trust_anchor_file
configuration parameter. See there for details.

This feature is available in Postfix 2.11 and later.

The LMTP-specific version of the smtp_tls_verify_cert_match
configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_use_tls configuration parameter.
See there for details.

This feature is available in Postfix 2.3 and later.

The Postfix LMTP client time limit for sending the XFORWARD command,
and for receiving the remote LMTP server response.

In case of problems the client does NOT try the next address on the
mail exchanger list.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

Optional shell program for local(8) delivery to non-Postfix command.
By default, non-Postfix commands are executed directly; commands are
given to the default shell (typically, /bin/sh) only when they contain
shell meta characters or shell built-in commands.

"sendmail's restricted shell" (smrsh) is what most people will use in
order to restrict what programs can be run from e.g. .forward files
(smrsh is part of the Sendmail distribution).

Note: when a shell program is specified, it is invoked even when the
command contains no shell built-in commands or meta characters.

Example:

local_command_shell = /some/where/smrsh -c
local_command_shell = /bin/bash -c

Optional filter for the local(8) delivery agent to change the status
code or explanatory text of successful or unsuccessful deliveries. See
default_delivery_status_filter for details.

This feature is available in Postfix 3.0 and later.

The maximal number of parallel deliveries via the local mail delivery
transport to the same recipient (when
"local_destination_recipient_limit = 1") or the maximal number of
parallel deliveries to the same local domain (when
"local_destination_recipient_limit > 1"). This limit is enforced by the
queue manager. The message delivery transport name is the first field
in the entry in the master.cf file.

A low limit of 2 is recommended, just in case someone has an expensive
shell command in a .forward file or in an alias (e.g., a mailing list
manager). You don't want to run lots of those at the same time.

The maximal number of recipients per message delivery via the local
mail delivery transport. This limit is enforced by the queue manager.
The message delivery transport name is the first field in the entry in
the master.cf file.

Setting this parameter to a value > 1 changes the meaning of
local_destination_concurrency_limit from concurrency per recipient
into concurrency per domain.

Rewrite message header addresses in mail from these clients and update
incomplete addresses with the domain name in $myorigin or $mydomain;
either don't rewrite message headers from other clients at all, or
rewrite message headers and update incomplete addresses with the domain
specified in the remote_header_rewrite_domain parameter.

See the append_at_myorigin and append_dot_mydomain parameters for
details of how domain names are appended to incomplete addresses.

Specify a list of zero or more of the following:

permit_inet_interfaces
    Append the domain name in $myorigin or $mydomain when the client
    IP address matches $inet_interfaces. This is enabled by default.

permit_mynetworks
    Append the domain name in $myorigin or $mydomain when the client
    IP address matches any network or network address listed in
    $mynetworks. This setting will not prevent remote mail header
    address rewriting when mail from a remote client is forwarded by
    a neighboring system.

permit_sasl_authenticated
    Append the domain name in $myorigin or $mydomain when the client
    is successfully authenticated via the RFC 4954 (AUTH) protocol.

permit_tls_clientcerts
    Append the domain name in $myorigin or $mydomain when the remote
    SMTP client TLS certificate fingerprint or public key fingerprint
    (Postfix 2.9 and later) is listed in $relay_clientcerts. The
    fingerprint digest algorithm is configurable via the
    smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
    to Postfix version 2.5).

permit_tls_all_clientcerts
    Append the domain name in $myorigin or $mydomain when the remote
    SMTP client TLS certificate is successfully verified, regardless
    of whether it is listed on the server, and regardless of the
    certifying authority.

check_address_map type:table

type:table
    Append the domain name in $myorigin or $mydomain when the client
    IP address matches the specified lookup table. The lookup result
    is ignored, and no subnet lookup is done. This is suitable for,
    e.g., pop-before-smtp lookup tables.
3292
3293 Examples:
3294
3295 The Postfix < 2.2 backwards compatible setting: always rewrite message
3296 headers, and always append my own domain to incomplete header
3297 addresses.
3298
3299 local_header_rewrite_clients = static:all
3300
3301 The purist (and default) setting: rewrite headers only in mail from
3302 Postfix sendmail and in SMTP mail from this machine.
3303
3304 local_header_rewrite_clients = permit_inet_interfaces
3305
3306 The intermediate setting: rewrite header addresses and append $myorigin
3307 or $mydomain information only with mail from Postfix sendmail, from
3308 local clients, or from authorized SMTP clients.
3309
3310 Note: this setting will not prevent remote mail header address rewrit‐
3311 ing when mail from a remote client is forwarded by a neighboring sys‐
3312 tem.
3313
3314 local_header_rewrite_clients = permit_mynetworks,
3315 permit_sasl_authenticated permit_tls_clientcerts
3316 check_address_map hash:/etc/postfix/pop-before-smtp
3317
3318 local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)
3319 Lookup tables with all names or addresses of local recipients: a recip‐
3320 ient address is local when its domain matches $mydestination,
3321 $inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card
3322 for domains that do not have a valid recipient list. Technically,
3323 tables listed with $local_recipient_maps are used as lists: Postfix
3324 needs to know only if a lookup string is found or not, but it does not
3325 use the result from table lookup.
3326
3327 Specify zero or more "type:name" lookup tables, separated by whitespace
3328 or comma. Tables will be searched in the specified order until a match
3329 is found.
3330
3331 If this parameter is non-empty (the default), then the Postfix SMTP
3332 server will reject mail for unknown local users.
3333
3334 To turn off local recipient checking in the Postfix SMTP server, spec‐
3335 ify "local_recipient_maps =" (i.e. empty).
3336
3337 The default setting assumes that you use the default Postfix local
3338 delivery agent for local delivery. You need to update the local_recipi‐
3339 ent_maps setting if:
3340
3341 · You redefine the local delivery agent in master.cf.
3342
3343 · You redefine the "local_transport" setting in main.cf.
3344
3345 · You use the "luser_relay", "mailbox_transport", or "fall‐
3346 back_transport" feature of the Postfix local(8) delivery agent.
3347
3348 Details are described in the LOCAL_RECIPIENT_README file.
3349
3350 Beware: if the Postfix SMTP server runs chrooted, you need to access
3351 the passwd file via the proxymap(8) service, in order to overcome
3352 chroot access restrictions. The alternative, maintaining a copy of the
3353 system password file in the chroot jail, is not practical.
3354
3355 Examples:
3356
3357 local_recipient_maps =
3358
3359 local_transport (default: local:$myhostname)
3360 The default mail delivery transport and next-hop destination for final
3361 delivery to domains listed with mydestination, and for [ipaddress] des‐
3362 tinations that match $inet_interfaces or $proxy_interfaces. This
3363 information can be overruled with the transport(5) table.
3364
3365 By default, local mail is delivered to the transport called "local",
3366 which is just the name of a service that is defined in the master.cf file.
3367
3368 Specify a string of the form transport:nexthop, where transport is the
3369 name of a mail delivery transport defined in master.cf. The :nexthop
3370 destination is optional; its syntax is documented in the manual page of
3371 the corresponding delivery agent.
3372
3373 Beware: if you override the default local delivery agent then you need
3374 to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
3375 server may reject mail for local recipients.
3376
3377 luser_relay (default: empty)
3378 Optional catch-all destination for unknown local(8) recipients. By
3379 default, mail for unknown recipients in domains that match $mydestina‐
3380 tion, $inet_interfaces or $proxy_interfaces is returned as undeliver‐
3381 able.
3382
3383 The following $name expansions are done on luser_relay:
3384
3385 $domain
3386 The recipient domain.
3387
3388 $extension
3389 The recipient address extension.
3390
3391 $home The recipient's home directory.
3392
3393 $local The entire recipient address localpart.
3394
3395 $recipient
3396 The full recipient address.
3397
3398 $recipient_delimiter
3399 The address extension delimiter that was found in the recipient
3400 address (Postfix 2.11 and later), or the system-wide recipient
3401 address extension delimiter (Postfix 2.10 and earlier).
3402
3403 $shell The recipient's login shell.
3404
3405 $user The recipient username.
3406
3407 ${name?value}
3408 Expands to value when $name has a non-empty value.
3409
3410 ${name:value}
3411 Expands to value when $name has an empty value.
3412
3413 Instead of $name you can also specify ${name} or $(name).
3414
3415 Note: luser_relay works only for the Postfix local(8) delivery agent.
3416
3417 Note: if you use this feature for accounts not in the UNIX password
3418 file, then you must specify "local_recipient_maps =" (i.e. empty) in
3419 the main.cf file, otherwise the Postfix SMTP server will reject mail
3420 for non-UNIX accounts with "User unknown in local recipient table".
3421
3422 Examples:
3423
3424 luser_relay = $user@other.host
3425 luser_relay = $local@other.host
3426 luser_relay = admin+$local
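
The following is an added illustration written for this page; it is not
Postfix source code. It models the $name expansion rules listed above
($name, ${name}, $(name), ${name?value}, ${name:value}) and applies them to
the three Examples plus one conditional template. The recipient addresses,
the "+" delimiter and the empty $home/$shell values are constructed inputs;
in local(8) they come from the message and from the passwd database.

```python
# Added illustration (not Postfix source): how a luser_relay template
# expands for one recipient, using the $name forms documented above.
import re

# $name, ${name}, $(name), ${name?value} and ${name:value}.  Names are
# restricted to [a-zA-Z0-9_] as in main.cf; in this simplified grammar a
# conditional value may not itself contain "}".
_EXPANSION = re.compile(
    r"\$(?:([A-Za-z0-9_]+)"                     # $name
    r"|\{([A-Za-z0-9_]+)(?:([?:])([^}]*))?\}"   # ${name}, ${name?v}, ${name:v}
    r"|\(([A-Za-z0-9_]+)\))"                    # $(name)
)


def recipient_attributes(recipient, delimiters="+", home="", shell=""):
    """Build the attribute table that luser_relay expansion reads.

    $local is the whole localpart; $user is the part before the first
    delimiter character and $extension the part after it; the delimiter
    actually found becomes $recipient_delimiter (Postfix 2.11+ behaviour).
    $home and $shell are caller-supplied here (constructed values).
    """
    localpart, _, domain = recipient.partition("@")
    cut = next((i for i, ch in enumerate(localpart) if ch in delimiters), -1)
    if cut < 0:
        user, found, extension = localpart, "", ""
    else:
        user, found, extension = localpart[:cut], localpart[cut], localpart[cut + 1:]
    return {
        "recipient": recipient,
        "domain": domain,
        "local": localpart,
        "user": user,
        "extension": extension,
        "recipient_delimiter": found,
        "home": home,
        "shell": shell,
    }


def expand(template, attrs):
    """Expand the $name forms.  An undefined name becomes the empty
    string; the value part of ${name?value} / ${name:value} is itself
    expanded recursively."""
    def repl(match):
        name = match.group(1) or match.group(2) or match.group(5)
        value = attrs.get(name, "")
        op, text = match.group(3), match.group(4)
        if op == "?":
            return expand(text, attrs) if value else ""
        if op == ":":
            return expand(text, attrs) if not value else ""
        return value
    return _EXPANSION.sub(repl, template)


def demo():
    """Expand the Examples above (and one conditional template) for two
    constructed recipients, one with and one without an address extension."""
    templates = (
        "$user@other.host",
        "$local@other.host",
        "admin+$local",
        "${extension?$user-$extension}${extension:$user}@other.host",
    )
    out = {}
    for rcpt in ("alice+news@example.com", "bob@example.com"):
        attrs = recipient_attributes(rcpt, delimiters="+")
        out[rcpt] = {t: expand(t, attrs) for t in templates}
    return out


if __name__ == "__main__":
    for rcpt, results in demo().items():
        for template, value in results.items():
            print(f"{rcpt:24} {template:60} -> {value}")
```

Note that "admin+$local" keeps the original extension inside the new
localpart ("admin+alice+news"), which is why the Examples above pair it
with $local rather than $user.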
3427
3428 mail_name (default: Postfix)
3429 The mail system name that is displayed in Received: headers, in the
3430 SMTP greeting banner, and in bounced mail.
3431
3432 mail_owner (default: postfix)
3433 The UNIX system account that owns the Postfix queue and most Postfix
3434 daemon processes. Specify the name of an unprivileged user account
3435 that does not share a user or group ID with other accounts, and that
3436 owns no other files or processes on the system. In particular, don't
3437 specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.
3438
3439 When this parameter value is changed you need to re-run "postfix
3440 set-permissions" (with Postfix version 2.0 and earlier:
3441 "/etc/postfix/post-install set-permissions").
3442
3443 mail_release_date (default: see "postconf -d" output)
3444 The Postfix release date, in "YYYYMMDD" format.
3445
3446 mail_spool_directory (default: see "postconf -d" output)
3447 The directory where local(8) UNIX-style mailboxes are kept. The default
3448 setting depends on the system type. Specify a name ending in / for
3449 maildir-style delivery.
3450
3451 Note: maildir delivery is done with the privileges of the recipient.
3452 If you use the mail_spool_directory setting for maildir style delivery,
3453 then you must create the top-level maildir directory in advance. Post‐
3454 fix will not create it.
3455
3456 Examples:
3457
3458 mail_spool_directory = /var/mail
3459 mail_spool_directory = /var/spool/mail
3460
3461 mail_version (default: see "postconf -d" output)
3462 The version of the mail system. Stable releases are named
3463 major.minor.patchlevel. Experimental releases also include the release
3464 date. The version string can be used in, for example, the SMTP greeting
3465 banner.
3466
3467 mailbox_command (default: empty)
3468 Optional external command that the local(8) delivery agent should use
3469 for mailbox delivery. The command is run with the user ID and the pri‐
3470 mary group ID privileges of the recipient. Exception: command delivery
3471 for root executes with $default_privs privileges. This is not a
3472 problem, because 1) mail for root should always be aliased to a real
3473 user, and 2) you should not log in as root; use "su" instead.
3474
3475 The following environment variables are exported to the command:
3476
3477 CLIENT_ADDRESS
3478 Remote client network address. Available in Postfix version 2.2
3479 and later.
3480
3481 CLIENT_HELO
3482 Remote client EHLO command parameter. Available in Postfix ver‐
3483 sion 2.2 and later.
3484
3485 CLIENT_HOSTNAME
3486 Remote client hostname. Available in Postfix version 2.2 and
3487 later.
3488
3489 CLIENT_PROTOCOL
3490 Remote client protocol. Available in Postfix version 2.2 and
3491 later.
3492
3493 DOMAIN The domain part of the recipient address.
3494
3495 EXTENSION
3496 The optional address extension.
3497
3498 HOME The recipient home directory.
3499
3500 LOCAL The recipient address localpart.
3501
3502 LOGNAME
3503 The recipient's username.
3504
3505 ORIGINAL_RECIPIENT
3506 The entire recipient address, before any address rewriting or
3507 aliasing.
3508
3509 RECIPIENT
3510 The full recipient address.
3511
3512 SASL_METHOD
3513 SASL authentication method specified in the remote client AUTH
3514 command. Available in Postfix version 2.2 and later.
3515
3516 SASL_SENDER
3517 SASL sender address specified in the remote client MAIL FROM
3518 command. Available in Postfix version 2.2 and later.
3519
3520 SASL_USER
3521 SASL username specified in the remote client AUTH command.
3522 Available in Postfix version 2.2 and later.
3523
3524 SENDER The full sender address.
3525
3526 SHELL The recipient's login shell.
3527
3528 USER The recipient username.
3529
3530 Unlike other Postfix configuration parameters, the mailbox_command
3531 parameter is not subjected to $name substitutions. This is to make it
3532 easier to specify shell syntax (see example below).
3533
3534 If you can, avoid shell meta characters because they will force Postfix
3535 to run an expensive shell process. If you're delivering via Procmail
3536 then running a shell won't make a noticeable difference in the total
3537 cost.
3538
3539 Note: if you use the mailbox_command feature to deliver mail sys‐
3540 tem-wide, you must set up an alias that forwards mail for root to a
3541 real user.
3542
3543 The precedence of local(8) delivery features from high to low is:
3544 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3545 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3546 tory, fallback_transport_maps, fallback_transport and luser_relay.
3547
3548 Examples:
3549
3550 mailbox_command = /some/where/procmail
3551 mailbox_command = /some/where/procmail -a "$EXTENSION"
3552 mailbox_command = /some/where/maildrop -d "$USER"
3553 -f "$SENDER" "$EXTENSION"
3554
3555 mailbox_command_maps (default: empty)
3556 Optional lookup tables with per-recipient external commands to use for
3557 local(8) mailbox delivery. Behavior is as with mailbox_command.
3558
3559 The precedence of local(8) delivery features from high to low is:
3560 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3561 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3562 tory, fallback_transport_maps, fallback_transport and luser_relay.
3563
3564 Specify zero or more "type:name" lookup tables, separated by whitespace
3565 or comma. Tables will be searched in the specified order until a match
3566 is found.
3567
3568 mailbox_delivery_lock (default: see "postconf -d" output)
3569 How to lock a UNIX-style local(8) mailbox before attempting delivery.
3570 For a list of available file locking methods, use the "postconf -l"
3571 command.
3572
3573 This setting is ignored with maildir style delivery, because such
3574 deliveries are safe without explicit locks.
3575
3576 Note: The dotlock method requires that the recipient UID or GID has
3577 write access to the parent directory of the mailbox file.
3578
3579 Note: the default setting of this parameter is system dependent.
3580
3581 mailbox_size_limit (default: 51200000)
3582 The maximal size of any local(8) individual mailbox or maildir file, or
3583 zero (no limit). In fact, this limits the size of any file that is
3584 written to upon local delivery, including files written by external
3585 commands that are executed by the local(8) delivery agent.
3586
3587 This limit must not be smaller than the message size limit.
3588
3589 mailbox_transport (default: empty)
3590 Optional message delivery transport that the local(8) delivery agent
3591 should use for mailbox delivery to all local recipients, whether or not
3592 they are found in the UNIX passwd database.
3593
3594 The precedence of local(8) delivery features from high to low is:
3595 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3596 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3597 tory, fallback_transport_maps, fallback_transport and luser_relay.
3598
3599 mailbox_transport_maps (default: empty)
3600 Optional lookup tables with per-recipient message delivery transports
3601 to use for local(8) mailbox delivery, whether or not the recipients are
3602 found in the UNIX passwd database.
3603
3604 The precedence of local(8) delivery features from high to low is:
3605 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3606 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3607 tory, fallback_transport_maps, fallback_transport and luser_relay.
3608
3609 Specify zero or more "type:name" lookup tables, separated by whitespace
3610 or comma. Tables will be searched in the specified order until a match
3611 is found.
3612
3613 For safety reasons, this feature does not allow $number substitutions
3614 in regular expression maps.
3615
3616 This feature is available in Postfix 2.3 and later.
3617
3618 mailq_path (default: see "postconf -d" output)
3619 Sendmail compatibility feature that specifies where the Postfix
3620 mailq(1) command is installed. This command can be used to list the
3621 Postfix mail queue.
3622
3623 manpage_directory (default: see "postconf -d" output)
3624 Where the Postfix manual pages are installed.
3625
3626 maps_rbl_domains (default: empty)
3627 Obsolete feature: use the reject_rbl_client feature instead.
3628
3629 maps_rbl_reject_code (default: 554)
3630 The numerical Postfix SMTP server response code when a remote SMTP
3631 client request is blocked by the reject_rbl_client,
3632 reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender
3633 or reject_rhsbl_recipient restriction.
3634
3635 Do not change this unless you have a complete understanding of RFC
3636 5321.
3637
3638 masquerade_classes (default: envelope_sender, header_sender, header_recipient)
3639
3640 What addresses are subject to address masquerading.
3641
3642 By default, address masquerading is limited to envelope sender
3643 addresses, and to header sender and header recipient addresses. This
3644 allows you to use address masquerading on a mail gateway while still
3645 being able to forward mail to users on individual machines.
3646
3647 Specify zero or more of: envelope_sender, envelope_recipient,
3648 header_sender, header_recipient
3649
3650 masquerade_domains (default: empty)
3651 Optional list of domains whose subdomain structure will be stripped off
3652 in email addresses.
3653
3654 The list is processed left to right, and processing stops at the first
3655 match. Thus,
3656
3657 masquerade_domains = foo.example.com example.com
3658
3659 strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
3660 strips "user@any.thing.else.example.com" to "user@example.com".
3661
3662 A domain name prefixed with ! means do not masquerade this domain or
3663 its subdomains. Thus,
3664
3665 masquerade_domains = !foo.example.com example.com
3666
3667 does not change "user@any.thing.foo.example.com" or "user@foo.exam‐
3668 ple.com", but strips "user@any.thing.else.example.com" to "user@exam‐
3669 ple.com".
3670
3671 Note: with Postfix version 2.2, message header address masquerading
3672 happens only when message header address rewriting is enabled:
3673
3674 · The message is received with the Postfix sendmail(1) command,
3675
3676 · The message is received from a network client that matches
3677 $local_header_rewrite_clients,
3678
3679 · The message is received from the network, and the
3680 remote_header_rewrite_domain parameter specifies a non-empty
3681 value.
3682
3683 To get the behavior before Postfix version 2.2, specify
3684 "local_header_rewrite_clients = static:all".
3685
3686 Example:
3687
3688 masquerade_domains = $mydomain
3689
3690 masquerade_exceptions (default: empty)
3691 Optional list of user names that are not subjected to address mas‐
3692 querading, even when their address matches $masquerade_domains.
3693
3694 By default, address masquerading makes no exceptions.
3695
3696 Specify a list of user names, "/file/name" or "type:table" patterns,
3697 separated by commas and/or whitespace. The list is matched left to
3698 right, and the search stops on the first match. A "/file/name" pattern
3699 is replaced by its contents; a "type:table" lookup table is matched
3700 when a name matches a lookup key (the lookup result is ignored). Con‐
3701 tinue long lines by starting the next line with whitespace. Specify
3702 "!pattern" to exclude a name from the list. The form "!/file/name" is
3703 supported only in Postfix version 2.4 and later.
3704
3705 Examples:
3706
3707 masquerade_exceptions = root, mailer-daemon
3708 masquerade_exceptions = root
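
The following is an added illustration written for this page, not Postfix
source code. It models the masquerade_domains rules above (left-to-right
search, first match wins, "!" negation, subdomain stripping) together with
masquerade_exceptions, and runs the addresses from the two examples through
them. Only plain user names are supported as exceptions; the "/file/name"
and "type:table" forms are not modelled, and the case-insensitive
comparison is an assumption of this model.

```python
# Added illustration (not Postfix source): masquerade_domains and
# masquerade_exceptions matching as described in this manual page.


def _in_list(name, patterns):
    """Postfix-style list matching: left to right, the search stops at the
    first match.  A "!pattern" entry matches too, but means "not in list".
    Returns True (listed), False (excluded by "!") or None (no match)."""
    for entry in patterns:
        negate = entry.startswith("!")
        pattern = entry[1:] if negate else entry
        if name.lower() == pattern.lower():
            return not negate
    return None


def masquerade_domain(domain, masquerade_domains):
    """Strip the subdomain structure of `domain` per masquerade_domains.

    An exact match stops the search without change.  A subdomain match
    strips the address down to the listed parent, unless the entry is
    negated with "!", in which case the address is left alone."""
    lowered = domain.lower()
    for entry in masquerade_domains:
        negate = entry.startswith("!")
        pattern = (entry[1:] if negate else entry).lower()
        if lowered == pattern:
            return domain
        if lowered.endswith("." + pattern):
            # keep the address's own spelling of the parent domain
            return domain if negate else domain[len(domain) - len(pattern):]
    return domain


def masquerade_address(address, masquerade_domains, exceptions=()):
    """Apply masquerading to one address; a localpart that matches
    masquerade_exceptions is never rewritten."""
    localpart, sep, domain = address.rpartition("@")
    if not sep or _in_list(localpart, exceptions):
        return address
    return f"{localpart}@{masquerade_domain(domain, masquerade_domains)}"


def demo():
    """The two example settings above, plus an exceptions case."""
    plain = ["foo.example.com", "example.com"]
    negated = ["!foo.example.com", "example.com"]
    cases = [
        ("user@any.thing.foo.example.com", plain, ()),
        ("user@any.thing.else.example.com", plain, ()),
        ("user@any.thing.foo.example.com", negated, ()),
        ("user@foo.example.com", negated, ()),
        ("user@any.thing.else.example.com", negated, ()),
        ("root@host.example.com", ["example.com"], ("root", "mailer-daemon")),
        ("alice@host.example.com", ["example.com"], ("root", "mailer-daemon")),
    ]
    return [(addr, masquerade_address(addr, doms, exc)) for addr, doms, exc in cases]


if __name__ == "__main__":
    for before, after in demo():
        print(f"{before:34} -> {after}")
```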
3709
3710 master_service_disable (default: empty)
3711 Selectively disable master(8) listener ports by service type or by ser‐
3712 vice name and type. Specify a list of service types ("inet", "unix",
3713 "fifo", or "pass") or "name/type" tuples, where "name" is the first
3714 field of a master.cf entry and "type" is a service type. As with other
3715 Postfix matchlists, a search stops at the first match. Specify "!pat‐
3716 tern" to exclude a service from the list. By default, all master(8)
3717 listener ports are enabled.
3718
3719 Note: this feature does not support "/file/name" or "type:table" pat‐
3720 terns, nor does it support wildcards such as "*" or "all". This is
3721 intentional.
3722
3723 Examples:
3724
3725 # With Postfix 2.6..2.10 use '.' instead of '/'.
3726 # Turn on all master(8) listener ports (the default).
3727 master_service_disable =
3728 # Turn off only the main SMTP listener port.
3729 master_service_disable = smtp/inet
3730 # Turn off all TCP/IP listener ports.
3731 master_service_disable = inet
3732 # Turn off all TCP/IP listener ports except "foo".
3733 master_service_disable = !foo/inet, inet
3734
3735 This feature is available in Postfix 2.6 and later.
3736
3737 max_idle (default: 100s)
3738 The maximum amount of time that an idle Postfix daemon process waits
3739 for an incoming connection before terminating voluntarily. This param‐
3740 eter is ignored by the Postfix queue manager and by other long-lived
3741 Postfix daemon processes.
3742
3743 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3744 The default time unit is s (seconds).
3745
3746 max_use (default: 100)
3747 The maximal number of incoming connections that a Postfix daemon
3748 process will service before terminating voluntarily. This parameter is
3749 ignored by the Postfix queue manager and by other long-lived Postfix
3750 daemon processes.
3751
3752 maximal_backoff_time (default: 4000s)
3753 The maximal time between attempts to deliver a deferred message.
3754
3755 This parameter should be set to a value greater than or equal to $mini‐
3756 mal_backoff_time. See also $queue_run_delay.
3757
3758 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3759 The default time unit is s (seconds).
3760
3761 maximal_queue_lifetime (default: 5d)
3762 Consider a message as undeliverable, when delivery fails with a tempo‐
3763 rary error, and the time in the queue has reached the maxi‐
3764 mal_queue_lifetime limit.
3765
3766 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3767 The default time unit is d (days).
3768
3769 Specify 0 when mail delivery should be tried only once.
3770
3771 message_drop_headers (default: bcc, content-length, resent-bcc, return-path)
3772 Names of message headers that the cleanup(8) daemon will remove after
3773 applying header_checks(5) and before invoking Milter applications. The
3774 default setting is compatible with Postfix < 3.0.
3775
3776 Specify a list of header names, separated by comma or space. Names are
3777 matched in a case-insensitive manner. The list of supported header
3778 names is limited only by available memory.
3779
3780 This feature is available in Postfix 3.0 and later.
3781
3782 message_reject_characters (default: empty)
3783 The set of characters that Postfix will reject in message content. The
3784 usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3785 (up to three octal digits) and \\.
3786
3787 Note 1: this feature does not recognize text that requires MIME decod‐
3788 ing. It inspects raw message content, just like header_checks and
3789 body_checks.
3790
3791 Note 2: this feature is disabled with "receive_override_options =
3792 no_header_body_checks".
3793
3794 Example:
3795
3796 message_reject_characters = \0
3797
3798 This feature is available in Postfix 2.3 and later.
3799
3800 message_size_limit (default: 10240000)
3801 The maximal size in bytes of a message, including envelope information.
3802
3803 Note: be careful when making changes. Excessively small values will
3804 result in the loss of non-delivery notifications, when a bounce message
3805 size exceeds the local or remote MTA's message size limit.
3806
3807 message_strip_characters (default: empty)
3808 The set of characters that Postfix will remove from message content.
3809 The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
3810 \ddd (up to three octal digits) and \\.
3811
3812 Note 1: this feature does not recognize text that requires MIME decod‐
3813 ing. It inspects raw message content, just like header_checks and
3814 body_checks.
3815
3816 Note 2: this feature is disabled with "receive_override_options =
3817 no_header_body_checks".
3818
3819 Example:
3820
3821 message_strip_characters = \0
3822
3823 This feature is available in Postfix 2.3 and later.
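
The following is an added illustration written for this page, not Postfix
source code. It decodes the escape syntax shared by message_strip_characters
and message_reject_characters (\a \b \f \n \r \t \v, \ddd with up to three
octal digits, and \\) into a set of byte values, then applies the strip and
reject behaviours to raw message bytes, without MIME decoding, as Note 1
above describes. The sample message is constructed; treating an unknown
escape as the literal character is an assumption of this model.

```python
# Added illustration (not Postfix source): the character-set syntax of
# message_strip_characters / message_reject_characters, applied to raw
# message content.

_SIMPLE_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9,
                   "v": 11, "\\": 92}
_OCTAL = "01234567"


def parse_char_set(spec):
    r"""Decode a parameter value such as '\0\177' into a set of byte values.

    Recognized: \a \b \f \n \r \t \v, \ddd (one to three octal digits, at
    most 255) and \\ for a literal backslash.  Any other character after a
    backslash is taken literally (assumption; check Postfix's unescape()
    if you depend on that corner case)."""
    result = set()
    i, n = 0, len(spec)
    while i < n:
        ch = spec[i]
        i += 1
        if ch != "\\":
            if ord(ch) > 255:
                raise ValueError(f"non-byte character {ch!r} in set")
            result.add(ord(ch))
            continue
        if i >= n:
            raise ValueError("dangling backslash at end of value")
        esc = spec[i]
        i += 1
        if esc in _SIMPLE_ESCAPES:
            result.add(_SIMPLE_ESCAPES[esc])
        elif esc in _OCTAL:
            digits = esc
            while i < n and len(digits) < 3 and spec[i] in _OCTAL:
                digits += spec[i]
                i += 1
            value = int(digits, 8)
            if value > 255:
                raise ValueError(f"octal escape \\{digits} exceeds one byte")
            result.add(value)
        else:
            result.add(ord(esc))  # unknown escape: literal character
    return result


def strip_characters(content, spec):
    """message_strip_characters behaviour: drop every listed byte."""
    drop = parse_char_set(spec)
    return bytes(b for b in content if b not in drop)


def find_rejected(content, spec):
    """message_reject_characters behaviour: return (offset, byte) of the
    first listed byte in the raw content, or None when it is clean."""
    bad = parse_char_set(spec)
    for offset, b in enumerate(content):
        if b in bad:
            return offset, b
    return None


# Constructed sample: raw message content with an embedded NUL byte in
# the body (the classic target of "message_reject_characters = \0").
SAMPLE = b"Subject: test\r\n\r\nhello\x00world\r\n"

if __name__ == "__main__":
    print("reject:", find_rejected(SAMPLE, r"\0"))        # (22, 0)
    print("strip: ", strip_characters(SAMPLE, r"\0"))     # NUL removed
```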
3824
3825 meta_directory (default: see "postconf -d" output)
3826 The location of non-executable files that are shared among multiple
3827 Postfix instances, such as postfix-files, dynamicmaps.cf, and the
3828 multi-instance template files main.cf.proto and master.cf.proto. This
3829 directory should contain only Postfix-related files. Typically, the
3830 meta_directory parameter has the same default as the config_directory
3831 parameter (/etc/postfix or /usr/local/etc/postfix).
3832
3833 For backwards compatibility with Postfix versions 2.6..2.11, specify
3834 "meta_directory = $daemon_directory" in main.cf before installing or
3835 upgrading Postfix, or specify "meta_directory = /path/name" on the
3836 "make makefiles", "make install" or "make upgrade" command line.
3837
3838 This feature is available in Postfix 3.0 and later.
3839
3840 milter_command_timeout (default: 30s)
3841 The time limit for sending an SMTP command to a Milter (mail filter)
3842 application, and for receiving the response.
3843
3844 Specify a non-zero time value (an integral value plus an optional
3845 one-letter suffix that specifies the time unit).
3846
3847 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3848 The default time unit is s (seconds).
3849
3850 This feature is available in Postfix 2.3 and later.
3851
3852 milter_connect_macros (default: see "postconf -d" output)
3853 The macros that are sent to Milter (mail filter) applications after
3854 completion of an SMTP connection. See MILTER_README for a list of
3855 available macro names and their meanings.
3856
3857 This feature is available in Postfix 2.3 and later.
3858
3859 milter_connect_timeout (default: 30s)
3860 The time limit for connecting to a Milter (mail filter) application,
3861 and for negotiating protocol options.
3862
3863 Specify a non-zero time value (an integral value plus an optional
3864 one-letter suffix that specifies the time unit).
3865
3866 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3867 The default time unit is s (seconds).
3868
3869 This feature is available in Postfix 2.3 and later.
3870
3871 milter_content_timeout (default: 300s)
3872 The time limit for sending message content to a Milter (mail filter)
3873 application, and for receiving the response.
3874
3875 Specify a non-zero time value (an integral value plus an optional
3876 one-letter suffix that specifies the time unit).
3877
3878 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3879 The default time unit is s (seconds).
3880
3881 This feature is available in Postfix 2.3 and later.
3882
3883 milter_data_macros (default: see "postconf -d" output)
3884 The macros that are sent to version 4 or higher Milter (mail filter)
3885 applications after the SMTP DATA command. See MILTER_README for a list
3886 of available macro names and their meanings.
3887
3888 This feature is available in Postfix 2.3 and later.
3889
3890 milter_default_action (default: tempfail)
3891 The default action when a Milter (mail filter) application is unavail‐
3892 able or mis-configured. Specify one of the following:
3893
3894 accept Proceed as if the mail filter was not present.
3895
3896 reject Reject all further commands in this session with a permanent
3897 status code.
3898
3899 tempfail
3900 Reject all further commands in this session with a temporary
3901 status code.
3902
3903 quarantine
3904 Like "accept", but freeze the message in the "hold" queue.
3905 Available with Postfix 2.6 and later.
3906
3907 This feature is available in Postfix 2.3 and later.
3908
3909 milter_end_of_data_macros (default: see "postconf -d" output)
3910 The macros that are sent to Milter (mail filter) applications after the
3911 message end-of-data. See MILTER_README for a list of available macro
3912 names and their meanings.
3913
3914 This feature is available in Postfix 2.3 and later.
3915
3916 milter_end_of_header_macros (default: see "postconf -d" output)
3917 The macros that are sent to Milter (mail filter) applications after the
3918 end of the message header. See MILTER_README for a list of available
3919 macro names and their meanings.
3920
3921 This feature is available in Postfix 2.5 and later.
3922
3923 milter_header_checks (default: empty)
3924 Optional lookup tables for content inspection of message headers that
3925 are produced by Milter applications. See the header_checks(5) manual
3926 page for available actions. Currently, PREPEND is not implemented.
3927
3928 The following example sends all mail that is marked as SPAM to a spam
3929 handling machine. Note that matches are case-insensitive by default.
3930
3931 /etc/postfix/main.cf:
3932 milter_header_checks = pcre:/etc/postfix/milter_header_checks
3933
3934 /etc/postfix/milter_header_checks:
3935 /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
3936
3937 The milter_header_checks mechanism could also be used for whitelisting.
3938 For example it could be used to skip heavy content inspection for
3939 DKIM-signed mail from known friendly domains.
3940
3941 This feature is available in Postfix 2.7, and as an optional patch for
3942 Postfix 2.6.
3943
3944 milter_helo_macros (default: see "postconf -d" output)
3945 The macros that are sent to Milter (mail filter) applications after the
3946 SMTP HELO or EHLO command. See MILTER_README for a list of available
3947 macro names and their meanings.
3948
3949 This feature is available in Postfix 2.3 and later.
3950
3951 milter_macro_daemon_name (default: $myhostname)
3952 The {daemon_name} macro value for Milter (mail filter) applications.
3953 See MILTER_README for a list of available macro names and their mean‐
3954 ings.
3955
3956 This feature is available in Postfix 2.3 and later.
3957
3958 milter_macro_defaults (default: empty)
3959 Optional list of name=value pairs that specify default values for arbi‐
3960 trary macros that Postfix may send to Milter applications. These
3961 defaults are used when there is no corresponding information from the
3962 message delivery context.
3963
3964 Specify name=value or {name}=value pairs separated by comma or white‐
3965 space. Enclose a pair in "{}" when a value contains comma or white‐
3966 space (this form ignores whitespace after the enclosing "{", around the
3967 "=", and before the enclosing "}").
3968
3969 This feature is available in Postfix 3.1 and later.
3970
3971 milter_macro_v (default: $mail_name $mail_version)
3972 The {v} macro value for Milter (mail filter) applications. See MIL‐
3973 TER_README for a list of available macro names and their meanings.
3974
3975 This feature is available in Postfix 2.3 and later.
3976
3977 milter_mail_macros (default: see "postconf -d" output)
3978 The macros that are sent to Milter (mail filter) applications after the
3979 SMTP MAIL FROM command. See MILTER_README for a list of available macro
3980 names and their meanings.
3981
3982 This feature is available in Postfix 2.3 and later.
3983
3984 milter_protocol (default: 6)
3985 The mail filter protocol version and optional protocol extensions for
3986 communication with a Milter application; prior to Postfix 2.6 the
3987 default protocol is 2. Postfix sends this version number during the
3988 initial protocol handshake. It should match the version number that is
3989 expected by the mail filter application (or by its Milter library).
3990
3991 Protocol versions:
3992
3993 2 Use Sendmail 8 mail filter protocol version 2 (default with
3994 Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).
3995
3996 3 Use Sendmail 8 mail filter protocol version 3.
3997
3998 4 Use Sendmail 8 mail filter protocol version 4.
3999
4000 6 Use Sendmail 8 mail filter protocol version 6 (default with
4001 Sendmail version 8.14 and Postfix version 2.6).
4002
4003 Protocol extensions:
4004
4005 no_header_reply
4006 Specify this when the Milter application will not reply for each
4007 individual message header.
4008
4009 This feature is available in Postfix 2.3 and later.
4010
4011 milter_rcpt_macros (default: see "postconf -d" output)
4012 The macros that are sent to Milter (mail filter) applications after the
4013 SMTP RCPT TO command. See MILTER_README for a list of available macro
4014 names and their meanings.
4015
4016 This feature is available in Postfix 2.3 and later.
4017
4018 milter_unknown_command_macros (default: see "postconf -d" output)
4019 The macros that are sent to version 3 or higher Milter (mail filter)
4020 applications after an unknown SMTP command. See MILTER_README for a
4021 list of available macro names and their meanings.
4022
4023 This feature is available in Postfix 2.3 and later.
4024
4025 mime_boundary_length_limit (default: 2048)
4026 The maximal length of MIME multipart boundary strings. The MIME proces‐
4027 sor is unable to distinguish between boundary strings that do not dif‐
4028 fer in the first $mime_boundary_length_limit characters.
4029
4030 This feature is available in Postfix 2.0 and later.
4031
4032 mime_header_checks (default: $header_checks)
4033 Optional lookup tables for content inspection of MIME related message
4034 headers, as described in the header_checks(5) manual page.
4035
4036 This feature is available in Postfix 2.0 and later.
4037
4038 mime_nesting_limit (default: 100)
4039 The maximal recursion level that the MIME processor will handle. Post‐
4040 fix refuses mail that is nested deeper than the specified limit.
4041
4042 This feature is available in Postfix 2.0 and later.
4043
4044 minimal_backoff_time (default: 300s)
4045 The minimal time between attempts to deliver a deferred message; prior
4046 to Postfix 2.4 the default value was 1000s.
4047
4048 This parameter also limits the time an unreachable destination is kept
4049 in the short-term, in-memory, destination status cache.
4050
4051 This parameter should be set greater than or equal to $queue_run_delay.
4052 See also $maximal_backoff_time.
4053
4054 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4055 The default time unit is s (seconds).
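
The following is an added illustration written for this page, not Postfix
source code. It checks the ordering constraints this manual page states in
two places: queue_run_delay <= minimal_backoff_time <= maximal_backoff_time
(the backoff entries above) and mailbox_size_limit >= message_size_limit
unless mailbox_size_limit is 0 (the mailbox_size_limit entry). It reads
"parameter = value" text in main.cf / "postconf -n" style, applies the
time-unit suffixes with each parameter's documented default unit, and
reports violations. The fragment below is constructed; the default values
are the documented Postfix defaults and should be confirmed against
"postconf -d" on your own build. $name references are not expanded.

```python
# Added illustration (not Postfix source): sanity-check the size and
# retry-timer constraints documented in postconf(5) over main.cf text.
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Default time unit per parameter, as documented in postconf(5).
TIME_UNITS = {
    "queue_run_delay": "s",
    "minimal_backoff_time": "s",
    "maximal_backoff_time": "s",
    "maximal_queue_lifetime": "d",
}

# Documented Postfix defaults (assumption: verify with "postconf -d").
DEFAULTS = {
    "queue_run_delay": "300s",
    "minimal_backoff_time": "300s",
    "maximal_backoff_time": "4000s",
    "maximal_queue_lifetime": "5d",
    "mailbox_size_limit": "51200000",
    "message_size_limit": "10240000",
}


def parse_time(value, default_unit):
    """Parse "300", "300s", "5d" or "1h" into seconds; a bare number takes
    the parameter's default unit."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"not a Postfix time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or default_unit]


def parse_main_cf(text):
    """Minimal main.cf reader: "name = value" logical lines, continuation
    lines start with whitespace, blank and '#' lines are skipped."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"malformed main.cf line: {raw!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def effective_times(params):
    """Seconds for each timer after applying defaults and default units."""
    cfg = {**DEFAULTS, **params}
    return {p: parse_time(cfg[p], unit) for p, unit in TIME_UNITS.items()}


def check_limits(params):
    """Return violations as strings, each starting with the parameter at
    fault so callers can match on it."""
    cfg = {**DEFAULTS, **params}
    t = effective_times(params)
    problems = []
    if t["minimal_backoff_time"] < t["queue_run_delay"]:
        problems.append(f"minimal_backoff_time ({cfg['minimal_backoff_time']}) "
                        f"is below queue_run_delay ({cfg['queue_run_delay']})")
    if t["maximal_backoff_time"] < t["minimal_backoff_time"]:
        problems.append(f"maximal_backoff_time ({cfg['maximal_backoff_time']}) "
                        f"is below minimal_backoff_time ({cfg['minimal_backoff_time']})")
    mbox, msg = int(cfg["mailbox_size_limit"]), int(cfg["message_size_limit"])
    if mbox != 0 and mbox < msg:
        problems.append(f"mailbox_size_limit ({mbox}) is smaller than "
                        f"message_size_limit ({msg})")
    return problems


# Constructed fragment in "postconf -n" style that violates all three
# constraints; note the continuation line and the bare "5" (days).
BAD_MAIN_CF = """\
# constructed example, not a real configuration
queue_run_delay = 600s
minimal_backoff_time = 300
maximal_backoff_time =
    2m
maximal_queue_lifetime = 5
mailbox_size_limit = 51200000
message_size_limit = 60000000
"""

if __name__ == "__main__":
    for problem in check_limits(parse_main_cf(BAD_MAIN_CF)):
        print("warning:", problem)
```

Run it against the output of "postconf -n" to check a live configuration;
with an empty parameter set the documented defaults pass all three checks.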
4056
4057 multi_instance_directories (default: empty)
4058 An optional list of non-default Postfix configuration directories;
4059 these directories belong to additional Postfix instances that share the
4060 Postfix executable files and documentation with the default Postfix
4061 instance, and that are started, stopped, etc., together with the
4062 default Postfix instance. Specify a list of pathnames separated by
4063 comma or whitespace.
4064
4065 When $multi_instance_directories is empty, the postfix(1) command runs
4066 in single-instance mode and operates on a single Postfix instance only.
4067 Otherwise, the postfix(1) command runs in multi-instance mode and
4068 invokes the multi-instance manager specified with the
4069 multi_instance_wrapper parameter. The multi-instance manager in turn
4070 executes postfix(1) commands for the default instance and for all Post‐
4071 fix instances in $multi_instance_directories.
4072
4073 Currently, this parameter setting is ignored except for the default
4074 main.cf file.
4075
4076 This feature is available in Postfix 2.6 and later.
4077
4079 Allow this Postfix instance to be started, stopped, etc., by a
4080 multi-instance manager. By default, new instances are created in a
4081 safe state that prevents them from being started inadvertently. This
4082 parameter is reserved for the multi-instance manager.
4083
4084 This feature is available in Postfix 2.6 and later.
4085
4087 The optional instance group name of this Postfix instance. A group
4088 identifies closely-related Postfix instances that the multi-instance
4089 manager can start, stop, etc., as a unit. This parameter is reserved
4090 for the multi-instance manager.
4091
4092 This feature is available in Postfix 2.6 and later.
4093
4095 The optional instance name of this Postfix instance. This name becomes
4096 also the default value for the syslog_name parameter.
4097
4098 This feature is available in Postfix 2.6 and later.
4099
4101 The pathname of a multi-instance manager command that the postfix(1)
4102 command invokes when the multi_instance_directories parameter value is
4103 non-empty. The pathname may be followed by initial command arguments
4104 separated by whitespace; shell metacharacters such as quotes are not
4105 supported in this context.
4106
4107 The postfix(1) command invokes the manager command with the postfix(1)
4108 non-option command arguments on the manager command line, and with all
4109 installation configuration parameters exported into the manager command
4110 process environment. The manager command in turn invokes the postfix(1)
4111 command for individual Postfix instances as "postfix -c config_direc‐
4112 tory command".
4113
4114 This feature is available in Postfix 2.6 and later.
4115
4117 The numerical Postfix SMTP server response code when a remote SMTP
4118 client request is blocked by the reject_multi_recipient_bounce restric‐
4119 tion.
4120
4121 Do not change this unless you have a complete understanding of RFC
4122 5321.
4123
4124 This feature is available in Postfix 2.1 and later.
4125
4127 The list of domains that are delivered via the $local_transport mail
4128 delivery transport. By default this is the Postfix local(8) delivery
4129 agent which looks up all recipients in /etc/passwd and /etc/aliases.
4130 The SMTP server validates recipient addresses with $local_recipi‐
4131 ent_maps and rejects non-existent recipients. See also the local domain
4132 class in the ADDRESS_CLASS_README file.
4133
4134 The default mydestination value specifies names for the local machine
4135 only. On a mail domain gateway, you should also include $mydomain.
4136
4137 The $local_transport delivery method is also selected for mail
4138 addressed to user@[the.net.work.address] of the mail system (the IP
4139 addresses specified with the inet_interfaces and proxy_interfaces
4140 parameters).
4141
4142 Warnings:
4143
4144 · Do not specify the names of virtual domains - those domains are
4145 specified elsewhere. See VIRTUAL_README for more information.
4146
4147 · Do not specify the names of domains that this machine is backup
4148 MX host for. See STANDARD_CONFIGURATION_README for how to set up
4149 backup MX hosts.
4150
4151 · By default, the Postfix SMTP server rejects mail for recipients
4152 not listed with the local_recipient_maps parameter. See the
4153 postconf(5) manual for a description of the local_recipient_maps
4154 and unknown_local_recipient_reject_code parameters.
4155
4156 Specify a list of host or domain names, "/file/name" or "type:table"
4157 patterns, separated by commas and/or whitespace. A "/file/name" pattern
4158 is replaced by its contents; a "type:table" lookup table is matched
4159 when a name matches a lookup key (the lookup result is ignored). Con‐
4160 tinue long lines by starting the next line with whitespace.
4161
4162 Examples:
4163
4164 mydestination = $myhostname, localhost.$mydomain $mydomain
4165 mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
4166
4168 The internet domain name of this mail system. The default is to use
4169 $myhostname minus the first component, or "localdomain" (Postfix 2.3
4170 and later). $mydomain is used as a default value for many other con‐
4171 figuration parameters.
4172
4173 Example:
4174
4175 mydomain = domain.tld
4176
4178 The internet hostname of this mail system. The default is to use the
4179 fully-qualified domain name (FQDN) from gethostname(), or to use the
4180 non-FQDN result from gethostname() and append ".$mydomain". $myhost‐
4181 name is used as a default value for many other configuration parame‐
4182 ters.
4183
4184 Example:
4185
4186 myhostname = host.example.com
4187
4189 The list of "trusted" remote SMTP clients that have more privileges
4190 than "strangers".
4191
4192 In particular, "trusted" SMTP clients are allowed to relay mail through
4193 Postfix. See the smtpd_relay_restrictions parameter description in the
4194 postconf(5) manual.
4195
4196 You can specify the list of "trusted" network addresses by hand or you
4197 can let Postfix do it for you (which is the default). See the descrip‐
4198 tion of the mynetworks_style parameter for more information.
4199
4200 If you specify the mynetworks list by hand, Postfix ignores the mynet‐
4201 works_style setting.
4202
4203 Specify a list of network addresses or network/netmask patterns, sepa‐
4204 rated by commas and/or whitespace. Continue long lines by starting the
4205 next line with whitespace.
4206
4207 The netmask specifies the number of bits in the network part of a host
4208 address. You can also specify "/file/name" or "type:table" patterns.
4209 A "/file/name" pattern is replaced by its contents; a "type:table"
4210 lookup table is matched when a table entry matches a lookup string (the
4211 lookup result is ignored).
4212
4213 The list is matched left to right, and the search stops on the first
4214 match. Specify "!pattern" to exclude an address or network block from
4215 the list. The form "!/file/name" is supported only in Postfix version
4216 2.4 and later.
4217
4218 Note 1: Pattern matching of domain names is controlled by the presence or
4219 absence of "mynetworks" in the parent_domain_matches_subdomains parame‐
4220 ter value.
4221
4222 Note 2: IP version 6 address information must be specified inside [] in
4223 the mynetworks value, and in files specified with "/file/name". IP
4224 version 6 addresses contain the ":" character, and would otherwise be
4225 confused with a "type:table" pattern.
4226
4227 Examples:
4228
4229 mynetworks = 127.0.0.0/8 168.100.189.0/28
4230 mynetworks = !192.168.0.1, 192.168.0.0/28
4231 mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
4232 mynetworks = $config_directory/mynetworks
4233 mynetworks = hash:/etc/postfix/network_table
4234
4236 The method to generate the default value for the mynetworks parameter.
4237 This is the list of trusted networks for relay access control etc.
4238
4239 · Specify "mynetworks_style = host" when Postfix should "trust"
4240 only the local machine.
4241
4242 · Specify "mynetworks_style = subnet" when Postfix should "trust"
4243 remote SMTP clients in the same IP subnetworks as the local
4244 machine. On Linux, this works correctly only with interfaces
4245 specified with the "ifconfig" command.
4246
4247 · Specify "mynetworks_style = class" when Postfix should "trust"
4248 remote SMTP clients in the same IP class A/B/C networks as the
4249 local machine. Caution: this may cause Postfix to "trust" your
4250 entire provider's network. Instead, specify an explicit mynet‐
4251 works list by hand, as described with the mynetworks configura‐
4252 tion parameter.
4253
4255 The domain name that locally-posted mail appears to come from, and that
4256 locally posted mail is delivered to. The default, $myhostname, is ade‐
4257 quate for small sites. If you run a domain with multiple machines, you
4258 should (1) change this to $mydomain and (2) set up a domain-wide alias
4259 database that aliases each user to user@that.users.mailhost.
4260
4261 Example:
4262
4263 myorigin = $mydomain
4264
4266 Optional lookup tables for content inspection of non-MIME message head‐
4267 ers in attached messages, as described in the header_checks(5) manual
4268 page.
4269
4270 This feature is available in Postfix 2.0 and later.
4271
4273 Sendmail compatibility feature that specifies the location of the
4274 newaliases(1) command. This command can be used to rebuild the local(8)
4275 aliases(5) database.
4276
4278 The numerical Postfix SMTP server reply code when a client request is
4279 rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
4280 or reject_non_fqdn_recipient restriction.
4281
4283 A list of Milter (mail filter) applications for new mail that does not
4284 arrive via the Postfix smtpd(8) server. This includes local submission
4285 via the sendmail(1) command line, new mail that arrives via the Postfix
4286 qmqpd(8) server, and old mail that is re-injected into the queue with
4287 "postsuper -r". Specify space or comma as separator. See the MIL‐
4288 TER_README document for details.
4289
4290 This feature is available in Postfix 2.3 and later.
4291
4293 The list of error classes that are reported to the postmaster. The
4294 default is to report only the most serious problems. The paranoid may
4295 wish to turn on the policy (UCE and mail relaying) and protocol error
4296 (broken mail software) reports.
4297
4298 NOTE: postmaster notifications may contain confidential information
4299 such as SASL passwords or message content. It is the system adminis‐
4300 trator's responsibility to treat such information with care.
4301
4302 The error classes are:
4303
4304 bounce (also implies 2bounce)
4305 Send the postmaster copies of the headers of bounced mail, and
4306 send transcripts of SMTP sessions when Postfix rejects mail. The
4307 notification is sent to the address specified with the
4308 bounce_notice_recipient configuration parameter (default: post‐
4309 master).
4310
4311 2bounce
4312 Send undeliverable bounced mail to the postmaster. The notifica‐
4313 tion is sent to the address specified with the
4314 2bounce_notice_recipient configuration parameter (default: post‐
4315 master).
4316
4317 data Send the postmaster a transcript of the SMTP session with an
4318 error because a critical data file was unavailable. The notifi‐
4319 cation is sent to the address specified with the
4320 error_notice_recipient configuration parameter (default: post‐
4321 master).
4322 This feature is available in Postfix 2.9 and later.
4323
4324 delay Send the postmaster copies of the headers of delayed mail (see
4325 delay_warning_time). The notification is sent to the address
4326 specified with the delay_notice_recipient configuration parame‐
4327 ter (default: postmaster).
4328
4329 policy Send the postmaster a transcript of the SMTP session when a
4330 client request was rejected because of (UCE) policy. The notifi‐
4331 cation is sent to the address specified with the
4332 error_notice_recipient configuration parameter (default: post‐
4333 master).
4334
4335 protocol
4336 Send the postmaster a transcript of the SMTP session in case of
4337 client or server protocol errors. The notification is sent to
4338 the address specified with the error_notice_recipient configura‐
4339 tion parameter (default: postmaster).
4340
4341 resource
4342 Inform the postmaster of mail not delivered due to resource
4343 problems. The notification is sent to the address specified
4344 with the error_notice_recipient configuration parameter
4345 (default: postmaster).
4346
4347 software
4348 Inform the postmaster of mail not delivered due to software
4349 problems. The notification is sent to the address specified
4350 with the error_notice_recipient configuration parameter
4351 (default: postmaster).
4352
4353 Examples:
4354
4355 notify_classes = bounce, delay, policy, protocol, resource, software
4356 notify_classes = 2bounce, resource, software
4357
4359 The numerical reply code when the Postfix SMTP server rejects a sender
4360 or recipient address because its domain has a nullmx DNS record (an MX
4361 record with an empty hostname). This is one of the possible replies
4362 from the restrictions reject_unknown_sender_domain and
4363 reject_unknown_recipient_domain.
4364
4365 This feature is available in Postfix 3.0 and later.
4366
4368 The location of the OpenSSL command line program openssl(1). This is
4369 used by the "postfix tls" command to create private keys, certificate
4370 signing requests, self-signed certificates, and to compute public key
4371 digests for DANE TLSA records. In multi-instance environments, this
4372 parameter is always determined from the configuration of the default
4373 Postfix instance.
4374
4375 Example:
4376
4377 /etc/postfix/main.cf:
4378 # NetBSD pkgsrc:
4379 openssl_path = /usr/pkg/bin/openssl
4380 # Local build:
4381 openssl_path = /usr/local/bin/openssl
4382
4383 This feature is available in Postfix 3.1 and later.
4384
4386 Enable special treatment for owner-listname entries in the aliases(5)
4387 file, and don't split owner-listname and listname-request address
4388 localparts when the recipient_delimiter is set to "-". This feature is
4389 useful for mailing lists.
4390
4392 A list of Postfix features where the pattern "example.com" also matches
4393 subdomains of example.com, instead of requiring an explicit ".exam‐
4394 ple.com" pattern. This is planned backwards compatibility: eventu‐
4395 ally, all Postfix features are expected to require explicit ".exam‐
4396 ple.com" style patterns when you really want to match subdomains.
4397
4398 The following Postfix feature names are supported.
4399
4400 Postfix version 1.0 and later
4401 debug_peer_list, fast_flush_domains, mynetworks, per‐
4402 mit_mx_backup_networks, relay_domains, transport_maps
4403
4404 Postfix version 1.1 and later
4405 qmqpd_authorized_clients, smtpd_access_maps
4406
4407 Postfix version 2.8 and later
4408 postscreen_access_list
4409
4410 Postfix version 3.0 and later
4411 smtpd_client_event_limit_exceptions
4412
4414 Restrict the use of the permit_mx_backup SMTP access feature to only
4415 domains whose primary MX hosts match the listed networks. The parame‐
4416 ter value syntax is the same as with the mynetworks parameter; note,
4417 however, that the default value is empty.
4418
4419 Pattern matching of domain names is controlled by the presence or
4420 absence of "permit_mx_backup_networks" in the par‐
4421 ent_domain_matches_subdomains parameter value.
4422
4424 The name of the pickup(8) service. This service picks up local mail
4425 submissions from the Postfix maildrop queue.
4426
4427 This feature is available in Postfix 2.0 and later.
4428
4430 Optional filter for the pipe(8) delivery agent to change the delivery
4431 status code or explanatory text of successful or unsuccessful deliver‐
4432 ies. See default_delivery_status_filter for details.
4433
4434 This feature is available in Postfix 3.0 and later.
4435
4437 The numerical Postfix SMTP server response code when a request is
4438 rejected by the reject_plaintext_session restriction.
4439
4440 This feature is available in Postfix 2.3 and later.
4441
4443 The postfix(1) commands that the postmulti(1) instance manager treats
4444 as "control" commands, that operate on running instances. For these
4445 commands, disabled instances are skipped.
4446
4447 This feature is available in Postfix 2.6 and later.
4448
4450 The postfix(1) commands that the postmulti(1) instance manager treats
4451 as "start" commands. For these commands, disabled instances are
4452 "checked" rather than "started", and failure to "start" a member
4453 instance of an instance group will abort the start-up of later
4454 instances.
4455
4456 This feature is available in Postfix 2.6 and later.
4457
4459 The postfix(1) commands that the postmulti(1) instance manager treats
4460 as "stop" commands. For these commands, disabled instances are skipped,
4461 and enabled instances are processed in reverse order.
4462
4463 This feature is available in Postfix 2.6 and later.
4464
4466 Permanent white/blacklist for remote SMTP client IP addresses.
4467 postscreen(8) searches this list immediately after a remote SMTP client
4468 connects. Specify a comma- or whitespace-separated list of commands
4469 (in upper or lower case) or lookup tables. The search stops upon the
4470 first command that fires for the client IP address.
4471
4472 permit_mynetworks
4473 Whitelist the client and terminate the search if the client IP
4474 address matches $mynetworks. Do not subject the client to any
4475 before/after 220 greeting tests. Pass the connection immedi‐
4476 ately to a Postfix SMTP server process.
4477 Pattern matching of domain names is controlled by the presence
4478 or absence of "postscreen_access_list" in the par‐
4479 ent_domain_matches_subdomains parameter value.
4480
4481 type:table
4482 Query the specified lookup table. Each table lookup result is an
4483 access list, except that access lists inside a table cannot
4484 specify type:table entries.
4485 To discourage the use of hash, btree, etc. tables, there is no
4486 support for substring matching like smtpd(8). Use CIDR tables
4487 instead.
4488
4489 permit
4490 Whitelist the client and terminate the search. Do not subject
4491 the client to any before/after 220 greeting tests. Pass the con‐
4492 nection immediately to a Postfix SMTP server process.
4493
4494 reject
4495 Blacklist the client and terminate the search. Subject the
4496 client to the action configured with the postscreen_black‐
4497 list_action configuration parameter.
4498
4499 dunno All postscreen(8) access lists implicitly have this command at
4500 the end.
4501 When dunno is executed inside a lookup table, return from the
4502 lookup table and evaluate the next command.
4503 When dunno is executed outside a lookup table, terminate the
4504 search, and subject the client to the configured before/after
4505 220 greeting tests.
4506
4507 Example:
4508
4509 /etc/postfix/main.cf:
4510 postscreen_access_list = permit_mynetworks,
4511 cidr:/etc/postfix/postscreen_access.cidr
4512 postscreen_blacklist_action = enforce
4513
4514 /etc/postfix/postscreen_access.cidr:
4515 # Rules are evaluated in the order as specified.
4516 # Blacklist 192.168.* except 192.168.0.1.
4517 192.168.0.1 dunno
4518 192.168.0.0/16 reject
4519
4520 This feature is available in Postfix 2.8.
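An added example, not code from postconf(5) or Postfix, that models the mynetworks list syntax described above (left-to-right search that stops at the first match, "!pattern" exclusion, IPv6 inside []) and the postscreen_access_list commands (permit_mynetworks, permit, reject, dunno, and type:table results that are themselves access lists, where a dunno returns to the next command). It assumes "/file/name" includes are not expanded and that the only table type modelled is a cidr: table supplied as parsed text.

```python
"""Evaluator for mynetworks and postscreen_access_list semantics (added example)."""
import ipaddress


def parse_mynetworks(value):
    """Split a mynetworks value into ordered (negated, network) pairs.

    IPv6 addresses must be written inside [] so that their ':' is not
    mistaken for a type:table pattern, exactly as the manual requires.
    """
    entries = []
    for tok in value.replace(",", " ").split():
        negated = tok.startswith("!")
        if negated:
            tok = tok[1:]
        if tok.startswith("["):
            close = tok.index("]")
            tok = tok[1:close] + tok[close + 1:]   # "[::1]/128" -> "::1/128"
        elif ":" in tok:
            raise ValueError(f"{tok!r} looks like type:table; IPv6 must be inside []")
        # A bare address becomes a /32 or /128 network.
        entries.append((negated, ipaddress.ip_network(tok, strict=False)))
    return entries


def mynetworks_match(value, client_ip):
    """True when client_ip is "trusted": the search stops at the first
    matching pattern, and a matching "!pattern" excludes the client."""
    ip = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(value):
        if ip in net:                       # False across IPv4/IPv6 versions
            return not negated
    return False


def parse_cidr_table(text):
    """Parse cidr: table text ('network action' per line, '#' comments)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(pattern, strict=False), action))
    return rules


def postscreen_access(access_list, client_ip, mynetworks, tables=None):
    """Evaluate a postscreen_access_list for one client.

    Returns "permit", "reject", or "dunno" (run the before/after 220 tests).
    `tables` maps a "type:table" name to parsed cidr rules; while evaluating
    a table result it is None, so nested type:table entries are rejected.
    """
    ip = ipaddress.ip_address(client_ip)
    for cmd in access_list.replace(",", " ").split():
        word = cmd.lower()                  # commands may be upper or lower case
        if word == "permit_mynetworks":
            if mynetworks_match(mynetworks, client_ip):
                return "permit"
        elif word in ("permit", "reject", "dunno"):
            return word
        elif ":" in cmd:
            if tables is None:
                raise ValueError("type:table is not allowed inside a table result")
            for net, result in tables[cmd]:
                if ip in net:
                    # The lookup result is itself an access list; a "dunno"
                    # there returns from the table to the next command.
                    verdict = postscreen_access(result, client_ip, mynetworks, None)
                    if verdict != "dunno":
                        return verdict
                    break
        else:
            raise ValueError(f"unknown postscreen_access_list command {cmd!r}")
    return "dunno"                          # implicit dunno at end of list


# Constructed sample configuration, following the manual's own examples.
SAMPLE_MYNETWORKS = "127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64"
SAMPLE_ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"
SAMPLE_TABLES = {
    "cidr:/etc/postfix/postscreen_access.cidr": parse_cidr_table(
        "# Blacklist 192.168.* except 192.168.0.1.\n"
        "192.168.0.1     dunno\n"
        "192.168.0.0/16  reject\n"
    )
}


def classify(client_ip):
    """Verdict for one client IP under the sample configuration."""
    return postscreen_access(SAMPLE_ACCESS_LIST, client_ip, SAMPLE_MYNETWORKS,
                             SAMPLE_TABLES)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.0.1", "192.168.77.5", "10.9.8.7", "::1"):
        print(f"{ip:>15}  ->  {classify(ip)}")
```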
4521
4523 The action that postscreen(8) takes when a remote SMTP client sends a
4524 bare newline character, that is, a newline not preceded by carriage
4525 return. Specify one of the following:
4526
4527 ignore Ignore the failure of this test. Allow other tests to complete.
4528 Do not repeat this test before the result from some other test
4529 expires. This option is useful for testing and collecting
4530 statistics without blocking mail permanently.
4531
4532 enforce
4533 Allow other tests to complete. Reject attempts to deliver mail
4534 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4535 mation. Repeat this test the next time the client connects.
4536
4537 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4538 this test the next time the client connects.
4539
4540 This feature is available in Postfix 2.8.
4541
4543 Enable "bare newline" SMTP protocol tests in the postscreen(8) server.
4544 These tests are expensive: a remote SMTP client must disconnect after
4545 it passes the test, before it can talk to a real Postfix SMTP server.
4546
4547 This feature is available in Postfix 2.8.
4548
4550 The amount of time that postscreen(8) will use the result from a suc‐
4551 cessful "bare newline" SMTP protocol test. During this time, the client
4552 IP address is excluded from this test. The default is long because a
4553 remote SMTP client must disconnect after it passes the test, before it
4554 can talk to a real Postfix SMTP server.
4555
4556 Specify a non-zero time value (an integral value plus an optional
4557 one-letter suffix that specifies the time unit). Time units: s (sec‐
4558 onds), m (minutes), h (hours), d (days), w (weeks).
4559
4560 This feature is available in Postfix 2.8.
4561
4563 The action that postscreen(8) takes when a remote SMTP client is perma‐
4564 nently blacklisted with the postscreen_access_list parameter. Specify
4565 one of the following:
4566
4567 ignore (default)
4568 Ignore this result. Allow other tests to complete. Repeat this
4569 test the next time the client connects. This option is useful
4570 for testing and collecting statistics without blocking mail.
4571
4572 enforce
4573 Allow other tests to complete. Reject attempts to deliver mail
4574 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4575 mation. Repeat this test the next time the client connects.
4576
4577 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4578 this test the next time the client connects.
4579
4580 This feature is available in Postfix 2.8.
4581
4583 The amount of time between postscreen(8) cache cleanup runs. Cache
4584 cleanup increases the load on the cache database and should therefore
4585 not be run frequently. This feature requires that the cache database
4586 supports the "delete" and "sequence" operators. Specify a zero inter‐
4587 val to disable cache cleanup.
4588
4589 After each cache cleanup run, the postscreen(8) daemon logs the number
4590 of entries that were retained and dropped. A cleanup run is logged as
4591 "partial" when the daemon terminates early after "postfix reload",
4592 "postfix stop", or no requests for $max_idle seconds.
4593
4594 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4595
4596 This feature is available in Postfix 2.8.
4597
4599 Persistent storage for the postscreen(8) server decisions.
4600
4601 To share a postscreen(8) cache between multiple postscreen(8)
4602 instances, use "postscreen_cache_map = proxy:btree:/path/to/file".
4603 This requires Postfix version 2.9 or later; earlier proxymap(8) imple‐
4604 mentations don't support cache cleanup. For an alternative approach see
4605 the memcache_table(5) manpage.
4606
4607 This feature is available in Postfix 2.8.
4608
4610 The amount of time that postscreen(8) will cache an expired temporary
4611 whitelist entry before it is removed. This prevents clients from being
4612 logged as "NEW" just because their cache entry expired an hour ago. It
4613 also prevents the cache from filling up with clients that passed some
4614 deep protocol test once and never came back.
4615
4616 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4617
4618 This feature is available in Postfix 2.8.
4619
4622 How many simultaneous connections any remote SMTP client is allowed to
4623 have with the postscreen(8) daemon. By default, this limit is the same
4624 as with the Postfix SMTP server. Note that the triage process can take
4625 several seconds, with the time spent in postscreen_greet_wait delay,
4626 and with the time spent talking to the postscreen(8) built-in dummy
4627 SMTP protocol engine.
4628
4629 This feature is available in Postfix 2.8.
4630
4632 The limit on the total number of commands per SMTP session for
4633 postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers
4634 or rejects all attempts to deliver mail, therefore there is no need to
4635 enforce separate limits on the number of junk commands and error com‐
4636 mands.
4637
4638 This feature is available in Postfix 2.8.
4639
4641 A mechanism to transform commands from remote SMTP clients. See
4642 smtpd_command_filter for further details.
4643
4644 This feature is available in Postfix 2.8 and later.
4645
4647 The time limit to read an entire command line with postscreen(8)'s
4648 built-in SMTP protocol engine.
4649
4650 This feature is available in Postfix 2.8.
4651
4653 Disable the SMTP VRFY command in the postscreen(8) daemon. See dis‐
4654 able_vrfy_command for details.
4655
4656 This feature is available in Postfix 2.8.
4657
4660 Lookup tables, indexed by the remote SMTP client address, with case
4661 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
4662 that the postscreen(8) server will not send in the EHLO response to a
4663 remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
4664 table is not searched by hostname for robustness reasons.
4665
4666 This feature is available in Postfix 2.8 and later.
4667
4669 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
4670 etc.) that the postscreen(8) server will not send in the EHLO response
4671 to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
4672
4673 This feature is available in Postfix 2.8 and later.
4674
4676 The action that postscreen(8) takes when a remote SMTP client's com‐
4677 bined DNSBL score is equal to or greater than a threshold (as defined
4678 with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
4679 ters). Specify one of the following:
4680
4681 ignore (default)
4682 Ignore the failure of this test. Allow other tests to complete.
4683 Repeat this test the next time the client connects. This option
4684 is useful for testing and collecting statistics without blocking
4685 mail.
4686
4687 enforce
4688 Allow other tests to complete. Reject attempts to deliver mail
4689 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4690 mation. Repeat this test the next time the client connects.
4691
4692 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4693 this test the next time the client connects.
4694
4695 This feature is available in Postfix 2.8.
4696
4698 (default: ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
4699 The maximum amount of time that postscreen(8) will use the result from
4700 a successful DNS-based reputation test before a client IP address is
4701 required to pass that test again. If the DNS reply specifies a shorter
4702 TTL value, that value will be used unless it would be smaller than
4703 postscreen_dnsbl_min_ttl.
4704
4705 Specify a non-zero time value (an integral value plus an optional
4706 one-letter suffix that specifies the time unit). Time units: s (sec‐
4707 onds), m (minutes), h (hours), d (days), w (weeks).
4708
4709 This feature is available in Postfix 3.1. The default setting is back‐
4710 wards-compatible with older Postfix versions.
4711
4713 The minimum amount of time that postscreen(8) will use the result from
4714 a successful DNS-based reputation test before a client IP address is
4715 required to pass that test again. If the DNS reply specifies a larger
4716 TTL value, that value will be used unless it would be larger than
4717 postscreen_dnsbl_max_ttl.
4718
4719 Specify a non-zero time value (an integral value plus an optional
4720 one-letter suffix that specifies the time unit). Time units: s (sec‐
4721 onds), m (minutes), h (hours), d (days), w (weeks).
4722
4723 This feature is available in Postfix 3.1.
4724
4726 A mapping from actual DNSBL domain name which includes a secret pass‐
4727 word, to the DNSBL domain name that postscreen will reply with when it
4728 rejects mail. When no mapping is found, the actual DNSBL domain will
4729 be used.
4730
4731 For maximal stability it is best to use a file that is read into memory
4732 such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
4733 except a) there is no need to run postmap(1) before the file can be
4734 used, and b) texthash: does not detect changes after the file is read).
4735
4736 Example:
4737
4738 /etc/postfix/main.cf:
4739 postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
4740
4741 /etc/postfix/dnsbl_reply:
4742 secret.zen.spamhaus.org zen.spamhaus.org
4743
4744 This feature is available in Postfix 2.8.
4745
4747 Optional list of DNS white/blacklist domains, filters and weight fac‐
4748 tors. When the list is non-empty, the dnsblog(8) daemon will query
4749 these domains with the IP addresses of remote SMTP clients, and
4750 postscreen(8) will update an SMTP client's DNSBL score with each
4751 non-error reply.
4752
4753 Caution: when postscreen rejects mail, it replies with the DNSBL domain
4754 name. Use the postscreen_dnsbl_reply_map feature to hide "password"
4755 information in DNSBL domain names.
4756
4757 When a client's score is equal to or greater than the threshold speci‐
4758 fied with postscreen_dnsbl_threshold, postscreen(8) can drop the con‐
4759 nection with the remote SMTP client.
4760
4761 Specify a list of domain=filter*weight entries, separated by comma or
4762 whitespace.
4763
4764 · When no "=filter" is specified, postscreen(8) will use any
4765 non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
4766 replies that match the filter. The filter has the form d.d.d.d,
4767 where each d is a number, or a pattern inside [] that contains
4768 one or more ";"-separated numbers or number..number ranges.
4769
4770 · When no "*weight" is specified, postscreen(8) increments the
4771 remote SMTP client's DNSBL score by 1. Otherwise, the weight
4772 must be an integral number, and postscreen(8) adds the specified
4773 weight to the remote SMTP client's DNSBL score. Specify a nega‐
4774 tive number for whitelisting.
4775
4776 · When one postscreen_dnsbl_sites entry produces multiple DNSBL
4777 responses, postscreen(8) applies the weight at most once.
4778
4779 Examples:
4780
4781 To use example.com as a high-confidence blocklist, and to block mail
4782 with example.net and example.org only when both agree:
4783
4784 postscreen_dnsbl_threshold = 2
4785 postscreen_dnsbl_sites = example.com*2, example.net, example.org
4786
4787 To filter only DNSBL replies containing 127.0.0.4:
4788
4789 postscreen_dnsbl_sites = example.com=127.0.0.4
4790
4791 This feature is available in Postfix 2.8.
4792
4794 The inclusive lower bound for blocking a remote SMTP client, based on
4795 its combined DNSBL score as defined with the postscreen_dnsbl_sites
4796 parameter.
4797
4798 This feature is available in Postfix 2.8.
4799
4801 The time limit for DNSBL or DNSWL lookups. This is separate from the
4802 timeouts in the dnsblog(8) daemon which are defined by system
4803 resolver(3) routines.
4804
4805 This feature is available in Postfix 3.0.
4806
4808 The amount of time that postscreen(8) will use the result from a suc‐
4809 cessful DNS-based reputation test before a client IP address is
4810 required to pass that test again.
4811
4812 Specify a non-zero time value (an integral value plus an optional
4813 one-letter suffix that specifies the time unit). Time units: s (sec‐
4814 onds), m (minutes), h (hours), d (days), w (weeks).
4815
4816 This feature is available in Postfix 2.8-3.0. It was replaced by
4817 postscreen_dnsbl_max_ttl in Postfix 3.1.
4818
4820 Allow a remote SMTP client to skip "before" and "after 220 greeting"
4821 protocol tests, based on its combined DNSBL score as defined with the
4822 postscreen_dnsbl_sites parameter.
4823
4824 Specify a negative value to enable this feature. When a client passes
4825 the postscreen_dnsbl_whitelist_threshold without having failed other
4826 tests, all pending or disabled tests are flagged as completed with a
4827 time-to-live value equal to postscreen_dnsbl_ttl. When a test was
4828 already completed, its time-to-live value is updated if it was less
4829 than postscreen_dnsbl_ttl.
4830
4831 This feature is available in Postfix 2.11.
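An added example, not code from postconf(5) or Postfix, covering the postscreen_dnsbl_sites "domain=filter*weight" syntax and scoring rules above (default weight 1, negative weights for whitelisting, a site's weight applied at most once, postscreen_dnsbl_threshold as an inclusive lower bound, postscreen_dnsbl_whitelist_threshold enabled by a negative value) together with the TTL clamping rule of postscreen_dnsbl_min_ttl and postscreen_dnsbl_max_ttl. It assumes DNSBL replies are supplied as already-resolved A records, that "passes the whitelist threshold" means a score at or below it, and the domain list.dnswl.example is a constructed name.

```python
"""Parser and scorer for postscreen_dnsbl_sites (added example)."""
import re

# One filter component: a decimal number, or [...] holding ";"-separated
# numbers and number..number ranges, e.g. "127.0.0.[2..4;10]".
_FILTER_PART = re.compile(r"\[[^\]]*\]|[^.\[\]]+")


def _parse_part(spec):
    """Return the set of octet values accepted by one filter component."""
    if spec.startswith("[") and spec.endswith("]"):
        allowed = set()
        for item in spec[1:-1].split(";"):
            if ".." in item:
                lo, hi = item.split("..", 1)
                allowed.update(range(int(lo), int(hi) + 1))
            else:
                allowed.add(int(item))
        return allowed
    return {int(spec)}


def parse_dnsbl_sites(value):
    """Parse a postscreen_dnsbl_sites value into (domain, filter, weight).

    filter is None (any non-error reply counts) or a list of four sets.
    """
    sites = []
    for tok in value.replace(",", " ").split():
        weight = 1
        if "*" in tok:
            tok, w = tok.rsplit("*", 1)
            weight = int(w)                 # integral; negative = whitelist
        filt = None
        if "=" in tok:
            tok, spec = tok.split("=", 1)
            parts = _FILTER_PART.findall(spec)
            if len(parts) != 4:
                raise ValueError(f"filter {spec!r} is not of the form d.d.d.d")
            filt = [_parse_part(p) for p in parts]
        sites.append((tok, filt, weight))
    return sites


def reply_matches(filt, reply):
    """True when a DNSBL A record such as 127.0.0.2 matches the filter."""
    octets = [int(o) for o in reply.split(".")]
    return filt is None or all(o in allowed for o, allowed in zip(octets, filt))


def dnsbl_score(sites_value, replies):
    """Combined score for one client. `replies` maps DNSBL domain -> list of
    A records returned for the client (absent or empty = no listing)."""
    score = 0
    for domain, filt, weight in parse_dnsbl_sites(sites_value):
        if any(reply_matches(filt, r) for r in replies.get(domain, [])):
            score += weight                 # applied at most once per site
    return score


def dnsbl_verdict(score, threshold, whitelist_threshold=0):
    """Return "block" at or above threshold; "whitelist" (skip the before/after
    220 tests) when a negative whitelist threshold is set and the score is at
    or below it (assumed reading of "passes"); otherwise "dunno"."""
    if score >= threshold:
        return "block"
    if whitelist_threshold < 0 and score <= whitelist_threshold:
        return "whitelist"
    return "dunno"


def effective_dnsbl_ttl(dns_ttl, min_ttl, max_ttl):
    """Seconds to cache a passed test: the DNS TTL, clamped into
    [postscreen_dnsbl_min_ttl, postscreen_dnsbl_max_ttl]."""
    return max(min_ttl, min(dns_ttl, max_ttl))


# Constructed sample value following the manual's example; the whitelist
# domain list.dnswl.example is made up for illustration.
SITES = "example.com*2, example.net, example.org, list.dnswl.example*-5"

if __name__ == "__main__":
    for replies in ({"example.com": ["127.0.0.2"]},
                    {"example.net": ["127.0.0.2"], "example.org": ["127.0.0.3"]},
                    {"example.net": ["127.0.0.2"]},
                    {"list.dnswl.example": ["127.0.0.1"]}):
        s = dnsbl_score(SITES, replies)
        print(s, dnsbl_verdict(s, threshold=2, whitelist_threshold=-3))
```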
4832
4834 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
4835 require that clients use TLS encryption. See
4836 smtpd_postscreen_enforce_tls for details.
4837
4838 This feature is available in Postfix 2.8 and later. Preferably, use
4839 postscreen_tls_security_level instead.
4840
4842 List of characters that are permitted in postscreen_reject_footer
4843 attribute expansions. See smtpd_expansion_filter for further details.
4844
4845 This feature is available in Postfix 2.8 and later.
4846
4848 List of commands that the postscreen(8) server considers in violation
4849 of the SMTP protocol. See smtpd_forbidden_commands for syntax, and
4850 postscreen_non_smtp_command_action for possible actions.
4851
4852 This feature is available in Postfix 2.8.
4853
4855 The action that postscreen(8) takes when a remote SMTP client speaks
4856 before its turn within the time specified with the
4857 postscreen_greet_wait parameter. Specify one of the following:
4858
4859 ignore (default)
4860 Ignore the failure of this test. Allow other tests to complete.
4861 Repeat this test the next time the client connects. This option
4862 is useful for testing and collecting statistics without blocking
4863 mail.
4864
4865 enforce
4866 Allow other tests to complete. Reject attempts to deliver mail
4867 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4868 mation. Repeat this test the next time the client connects.
4869
4870 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4871 this test the next time the client connects.
4872
4873 In either case, postscreen(8) will not whitelist the remote SMTP client
4874 IP address.
4875
4876 This feature is available in Postfix 2.8.
4877
4879 The text in the optional "220-text..." server response that
4880 postscreen(8) sends ahead of the real Postfix SMTP server's "220
4881 text..." response, in an attempt to confuse bad SMTP clients so that
4882 they speak before their turn (pre-greet). Specify an empty value to
4883 disable this feature.
4884
4885 This feature is available in Postfix 2.8.
4886
4888 The amount of time that postscreen(8) will use the result from a suc‐
4889 cessful PREGREET test. During this time, the client IP address is
4890 excluded from this test. The default is relatively short, because a
4891 good client can immediately talk to a real Postfix SMTP server.
4892
4893 Specify a non-zero time value (an integral value plus an optional
4894 one-letter suffix that specifies the time unit). Time units: s (sec‐
4895 onds), m (minutes), h (hours), d (days), w (weeks).
4896
4897 This feature is available in Postfix 2.8.
4898
4900 The amount of time that postscreen(8) will wait for an SMTP client to
4901 send a command before its turn, and for DNS blocklist lookup results to
4902 arrive (default: up to 2 seconds under stress, up to 6 seconds other‐
4903 wise).
4904
4905 Specify a non-zero time value (an integral value plus an optional
4906 one-letter suffix that specifies the time unit).
4907
4908 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4909
4910 This feature is available in Postfix 2.8.
4911
4913 Require that a remote SMTP client sends HELO or EHLO before commencing
4914 a MAIL transaction.
4915
4916 This feature is available in Postfix 2.8.
4917
4919 The action that postscreen(8) takes when a remote SMTP client sends
4920 non-SMTP commands as specified with the postscreen_forbidden_commands
4921 parameter. Specify one of the following:
4922
4923 ignore Ignore the failure of this test. Allow other tests to complete.
4924 Do not repeat this test before the result from some other test
4925 expires. This option is useful for testing and collecting
4926 statistics without blocking mail permanently.
4927
4928 enforce
4929 Allow other tests to complete. Reject attempts to deliver mail
4930 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4931 mation. Repeat this test the next time the client connects.
4932
4933 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4934 this test the next time the client connects. This action is the
4935 same as with the Postfix SMTP server's smtpd_forbidden_commands
4936 feature.
4937
4938 This feature is available in Postfix 2.8.
4939
4941 Enable "non-SMTP command" tests in the postscreen(8) server. These
4942 tests are expensive: a client must disconnect after it passes the test,
4943 before it can talk to a real Postfix SMTP server.
4944
4945 This feature is available in Postfix 2.8.
4946
4948 The amount of time that postscreen(8) will use the result from a suc‐
4949 cessful "non_smtp_command" SMTP protocol test. During this time, the
4950 client IP address is excluded from this test. The default is long
4951 because a client must disconnect after it passes the test, before it
4952 can talk to a real Postfix SMTP server.
4953
4954 Specify a non-zero time value (an integral value plus an optional
4955 one-letter suffix that specifies the time unit). Time units: s (sec‐
4956 onds), m (minutes), h (hours), d (days), w (weeks).
4957
4958 This feature is available in Postfix 2.8.
4959
4961 The action that postscreen(8) takes when a remote SMTP client sends
4962 multiple commands instead of sending one command and waiting for the
4963 server to respond. Specify one of the following:
4964
4965 ignore Ignore the failure of this test. Allow other tests to complete.
4966 Do not repeat this test before the result from some other test
4967 expires. This option is useful for testing and collecting
4968 statistics without blocking mail permanently.
4969
4970 enforce
4971 Allow other tests to complete. Reject attempts to deliver mail
4972 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4973 mation. Repeat this test the next time the client connects.
4974
4975 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4976 this test the next time the client connects.
4977
4978 This feature is available in Postfix 2.8.
4979
4981 Enable "pipelining" SMTP protocol tests in the postscreen(8) server.
4982 These tests are expensive: a good client must disconnect after it
4983 passes the test, before it can talk to a real Postfix SMTP server.
4984
4985 This feature is available in Postfix 2.8.
4986
4988 The amount of time that postscreen(8) will use the result from a suc‐
4989 cessful "pipelining" SMTP protocol test. During this time, the client
4990 IP address is excluded from this test. The default is long because a
4991 good client must disconnect after it passes the test, before it can
4992 talk to a real Postfix SMTP server.
4993
4994 Specify a non-zero time value (an integral value plus an optional
4995 one-letter suffix that specifies the time unit). Time units: s (sec‐
4996 onds), m (minutes), h (hours), d (days), w (weeks).
4997
4998 This feature is available in Postfix 2.8.
4999
5001 The number of clients that can be waiting for service from a real Post‐
5002 fix SMTP server process. When this queue is full, all clients will
5003 receive a 421 response.
5004
5005 This feature is available in Postfix 2.8.
5006
5008 The number of non-whitelisted clients that can be waiting for a deci‐
5009 sion whether they will receive service from a real Postfix SMTP server
5010 process. When this queue is full, all non-whitelisted clients will
5011 receive a 421 response.
5012
5013 This feature is available in Postfix 2.8.
5014
5016 Optional information that is appended after a 4XX or 5XX postscreen(8)
5017 server response. See smtpd_reject_footer for further details.
5018
5019 This feature is available in Postfix 2.8 and later.
5020
5022 The SMTP TLS security level for the postscreen(8) server; when a
5023 non-empty value is specified, this overrides the obsolete parameters
5024 postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_secu‐
5025 rity_level for details.
5026
5027 This feature is available in Postfix 2.8 and later.
5028
5030 The name of the proxy protocol used by an optional before-postscreen
5031 proxy agent. When a proxy agent is used, this protocol conveys local
5032 and remote address and port information. Specify
5033 "postscreen_upstream_proxy_protocol = haproxy" to enable the haproxy
5034 protocol.
5035
5036 This feature is available in Postfix 2.10 and later.
5037
5039 The time limit for the proxy protocol specified with the
5040 postscreen_upstream_proxy_protocol parameter.
5041
5042 This feature is available in Postfix 2.10 and later.
5043
5045 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
5046 but do not require that clients use TLS encryption.
5047
5048 This feature is available in Postfix 2.8 and later. Preferably, use
5049 postscreen_tls_security_level instead.
5050
5052 How much time a postscreen(8) process may take to respond to a remote
5053 SMTP client command or to perform a cache operation before it is termi‐
5054 nated by a built-in watchdog timer. This is a safety mechanism that
5055 prevents postscreen(8) from becoming non-responsive due to a bug in
5056 Postfix itself or in system software. To avoid false alarms and unnec‐
5057 essary cache corruption this limit cannot be set under 10s.
5058
5059 Specify a non-zero time value (an integral value plus an optional
5060 one-letter suffix that specifies the time unit). Time units: s (sec‐
5061 onds), m (minutes), h (hours), d (days), w (weeks).
5062
5063 This feature is available in Postfix 2.8.
5064
5066 A list of local postscreen(8) server IP addresses where a
5067 non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
5068 whitelist status. This status is required before the client can talk to
5069 a Postfix SMTP server process. By default, a client can obtain
5070 postscreen(8)'s whitelist status on any local postscreen(8) server IP
5071 address.
5072
5073 When postscreen(8) listens on both primary and backup MX addresses, the
5074 postscreen_whitelist_interfaces parameter can be configured to give the
5075 temporary whitelist status only when a client connects to a primary MX
5076 address. Once a client is whitelisted it can talk to a Postfix SMTP
5077 server on any address. Thus, clients that connect only to backup MX
5078 addresses will never become whitelisted, and will never be allowed to
5079 talk to a Postfix SMTP server process.
5080
5081 Specify a list of network addresses or network/netmask patterns, sepa‐
5082 rated by commas and/or whitespace. The netmask specifies the number of
5083 bits in the network part of a host address. Continue long lines by
5084 starting the next line with whitespace.
5085
5086 You can also specify "/file/name" or "type:table" patterns. A
5087 "/file/name" pattern is replaced by its contents; a "type:table" lookup
5088 table is matched when a table entry matches a lookup string (the lookup
5089 result is ignored).
5090
5091 The list is matched left to right, and the search stops on the first
5092 match. Specify "!pattern" to exclude an address or network block from
5093 the list.
5094
5095 Note: IP version 6 address information must be specified inside [] in
5096 the postscreen_whitelist_interfaces value, and in files specified with
5097 "/file/name". IP version 6 addresses contain the ":" character, and
5098 would otherwise be confused with a "type:table" pattern.
5099
5100 Example:
5101
5102 /etc/postfix/main.cf:
5103 # Don't whitelist connections to the backup IP address.
5104 postscreen_whitelist_interfaces = !168.100.189.8, static:all
5105
5106 This feature is available in Postfix 2.9 and later.
5107
5109 The message delivery contexts where the Postfix local(8) delivery agent
5110 prepends a Delivered-To: message header with the address that the mail
5111 was delivered to. This information is used for mail delivery loop
5112 detection.
5113
5114 By default, the Postfix local delivery agent prepends a Delivered-To:
5115 header when forwarding mail and when delivering to file (mailbox) and
5116 command. Turning off the Delivered-To: header when forwarding mail is
5117 not recommended.
5118
5119 Specify zero or more of forward, file, or command.
5120
5121 Example:
5122
5123 prepend_delivered_header = forward
5124
5126 The process ID of a Postfix command or daemon process.
5127
5129 The location of Postfix PID files relative to $queue_directory. This
5130 is a read-only parameter.
5131
5133 The process name of a Postfix command or daemon process.
5134
5136 What address lookup tables copy an address extension from the lookup
5137 key to the lookup result.
5138
5139 For example, with a virtual(5) mapping of "joe@example.com =>
5140 joe.user@example.net", the address "joe+foo@example.com" would rewrite
5141 to "joe.user+foo@example.net".
5142
5143 Specify zero or more of canonical, virtual, alias, forward, include or
5144 generic. These cause address extension propagation with canonical(5),
5145 virtual(5), and aliases(5) maps, with local(8) .forward and :include:
5146 file lookups, and with smtp(8) generic maps, respectively.
5147
5148 Note: enabling this feature for types other than canonical and virtual
5149 is likely to cause problems when mail is forwarded to other sites,
5150 especially with mail that is sent to a mailing list exploder address.
5151
5152 Examples:
5153
5154 propagate_unmatched_extensions = canonical, virtual, alias,
5155 forward, include
5156 propagate_unmatched_extensions = canonical, virtual
5157
5159 The network interface addresses that this mail system receives mail on
5160 by way of a proxy or network address translation unit.
5161
5162 This feature is available in Postfix 2.0 and later.
5163
5164 You must specify your "outside" proxy/NAT addresses when your system is
5165 a backup MX host for other domains, otherwise mail delivery loops will
5166 happen when the primary MX host is down.
5167
5168 Example:
5169
5170 proxy_interfaces = 1.2.3.4
5171
5173 The lookup tables that the proxymap(8) server is allowed to access for
5174 the read-only service.
5175
5176 Specify zero or more "type:name" lookup tables, separated by whitespace
5177 or comma. Table references that don't begin with proxy: are ignored.
5178
5179 This feature is available in Postfix 2.0 and later.
5180
5182 The lookup tables that the proxymap(8) server is allowed to access for
5183 the read-write service. Postfix-owned local database files should be
5184 stored under the Postfix-owned data_directory. Table references that
5185 don't begin with proxy: are ignored.
5186
5187 This feature is available in Postfix 2.5 and later.
5188
5190 The name of the proxymap read-only table lookup service. This service
5191 is normally implemented by the proxymap(8) daemon.
5192
5193 This feature is available in Postfix 2.6 and later.
5194
5196 The name of the proxywrite read-write table lookup service. This ser‐
5197 vice is normally implemented by the proxymap(8) daemon.
5198
5199 This feature is available in Postfix 2.6 and later.
5200
5202 The minimal delay between warnings that a specific destination is clog‐
5203 ging up the Postfix active queue. Specify 0 to disable.
5204
5205 This feature is enabled with the helpful_warnings parameter.
5206
5207 This feature is available in Postfix 2.0 and later.
5208
5210 How much time a Postfix queue manager process may take to handle a
5211 request before it is terminated by a built-in watchdog timer.
5212
5213 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5214 The default time unit is s (seconds).
5215
5216 This feature is available in Postfix 2.8 and later.
5217
5219 Obsolete feature: the percentage of delivery resources that a busy mail
5220 system will use up for delivery of a large mailing list message.
5221
5222 This feature exists only in the oqmgr(8) old queue manager. The current
5223 queue manager solves the problem in a better way.
5224
5226 The time limit for the queue manager to send or receive information
5227 over an internal communication channel. The purpose is to break out of
5228 deadlock situations. If the time limit is exceeded the software either
5229 retries or aborts the operation.
5230
5231 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5232 The default time unit is s (seconds).
5233
5234 This feature is available in Postfix 2.8 and later.
5235
5237 The maximal number of messages in the active queue.
5238
5240 The maximal number of recipients held in memory by the Postfix queue
5241 manager, and the maximal size of the short-term, in-memory "dead" des‐
5242 tination status cache.
5243
5245 The minimal number of in-memory recipients for any message. This takes
5246 priority over any other in-memory recipient limits (i.e., the global
5247 qmgr_message_recipient_limit and the per transport _recipient_limit) if
5248 necessary. The minimum value allowed for this parameter is 1.
5249
5251 What remote QMQP clients are allowed to connect to the Postfix QMQP
5252 server port.
5253
5254 By default, no client is allowed to use the service. This is because
5255 the QMQP server will relay mail to any destination.
5256
5257 Specify a list of client patterns. A list pattern specifies a host
5258 name, a domain name, an internet address, or a network/mask pattern,
5259 where the mask specifies the number of bits in the network part. When
5260 a pattern specifies a file name, its contents are substituted for the
5261 file name; when a pattern is a "type:table" table specification, table
5262 lookup is used instead.
5263
5264 Patterns are separated by whitespace and/or commas. In order to reverse
5265 the result, precede a pattern with an exclamation point (!). The form
5266 "!/file/name" is supported only in Postfix version 2.4 and later.
5267
5268 Pattern matching of domain names is controlled by the presence or
5269 absence of "qmqpd_authorized_clients" in the parent_domain_matches_sub‐
5270 domains parameter value.
5271
5272 Example:
5273
5274 qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
5275
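The list-matching rules that postscreen_whitelist_interfaces (above) and qmqpd_authorized_clients share, as an added illustration that is not Postfix's own matcher: left-to-right search, first match wins, "!pattern" excludes, and IPv6 literals must be bracketed so that the ":" is not read as a "type:table" pattern. Client addresses are constructed; "/file/name", host or domain names and "type:table" lookups other than "static:all" are assumed out of scope and never match here.

```python
# Added illustration of the address-list matching rules used by
# postscreen_whitelist_interfaces and qmqpd_authorized_clients; this is
# not Postfix's own matcher. It handles literal addresses, network/prefix
# patterns, bracketed IPv6, "!pattern" negation and the "static:all"
# catch-all; "/file/name", other "type:table" lookups and host or domain
# names are assumed out of scope and never match here.
import ipaddress


def parse_list(value):
    """Split a main.cf list value on commas and/or whitespace, in order."""
    return value.replace(",", " ").split()


def as_network(pattern):
    """'1.2.3.4', '10.0.0.0/8' or '[2001:db8::]/32' -> ip_network.
    IPv6 must be bracketed, otherwise the ':' reads as a type:table."""
    if pattern.startswith("["):
        close = pattern.index("]")
        pattern = pattern[1:close] + pattern[close + 1:]
    return ipaddress.ip_network(pattern, strict=False)


def pattern_hits(pattern, ip):
    """True when one (already un-negated) pattern matches the address."""
    if pattern == "static:all":
        return True
    if pattern.startswith("/") or (":" in pattern and not pattern.startswith("[")):
        return False          # /file/name or type:table: not implemented here
    try:
        return ip in as_network(pattern)   # False when the IP version differs
    except ValueError:
        return False          # host or domain name: not implemented here


def address_permitted(list_value, client_ip):
    """First match wins, left to right; a hit on a '!pattern' excludes the
    address. No match at all means the address is not in the list."""
    ip = ipaddress.ip_address(client_ip)
    for pattern in parse_list(list_value):
        negate = pattern.startswith("!")
        if pattern_hits(pattern[1:] if negate else pattern, ip):
            return not negate
    return False


if __name__ == "__main__":
    # The manual's own example values, applied to constructed client addresses.
    print(address_permitted("!168.100.189.8, static:all", "168.100.189.8"))  # False
    print(address_permitted("!168.100.189.8, static:all", "192.0.2.10"))     # True
    print(address_permitted("!192.168.0.1, 192.168.0.0/24", "192.168.0.77"))  # True
```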
5277 Enable logging of the remote QMQP client port in addition to the host‐
5278 name and IP address. The logging format is "host[address]:port".
5279
5280 This feature is available in Postfix 2.5 and later.
5281
5283 How long the Postfix QMQP server will pause before sending a negative
5284 reply to the remote QMQP client. The purpose is to slow down confused
5285 or malicious clients.
5286
5287 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5288 The default time unit is s (seconds).
5289
5291 The time limit for sending or receiving information over the network.
5292 If a read or write operation blocks for more than $qmqpd_timeout sec‐
5293 onds the Postfix QMQP server gives up and disconnects.
5294
5295 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5296 The default time unit is s (seconds).
5297
5299 The location of the Postfix top-level queue directory. This is the root
5300 directory of Postfix daemon processes that run chrooted.
5301
5303 The maximal number of (name=value) attributes that may be stored in a
5304 Postfix queue file. The limit is enforced by the cleanup(8) server.
5305
5306 This feature is available in Postfix 2.0 and later.
5307
5309 The minimal amount of free space in bytes in the queue file system that
5310 is needed to receive mail. This is currently used by the Postfix SMTP
5311 server to decide if it will accept any mail at all.
5312
5313 By default, the Postfix SMTP server rejects MAIL FROM commands when the
5314 amount of free space is less than 1.5*$message_size_limit (Postfix ver‐
5315 sion 2.1 and later). To specify a higher minimum free space limit,
5316 specify a queue_minfree value that is at least 1.5*$message_size_limit.
5317
5318 With Postfix versions 2.0 and earlier, a queue_minfree value of zero
5319 means there is no minimum required amount of free space.
5320
5322 The time between deferred queue scans by the queue manager; prior to
5323 Postfix 2.4 the default value was 1000s.
5324
5325 This parameter should be set less than or equal to $minimal_back‐
5326 off_time. See also $maximal_backoff_time.
5327
5328 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5329 The default time unit is s (seconds).
5330
5332 The name of the qmgr(8) service. This service manages the Postfix queue
5333 and schedules delivery requests.
5334
5335 This feature is available in Postfix 2.0 and later.
5336
5338 Optional lookup tables with RBL response templates. The tables are
5339 indexed by the RBL domain name. By default, Postfix uses the default
5340 template as specified with the default_rbl_reply configuration parame‐
5341 ter. See there for a discussion of the syntax of RBL reply templates.
5342
5343 This feature is available in Postfix 2.0 and later.
5344
5346 The location of Postfix README files that describe how to build, con‐
5347 figure or operate a specific Postfix subsystem or feature.
5348
5350 Enable or disable recipient validation, built-in content filtering, or
5351 address mapping. Typically, these are specified in master.cf as com‐
5352 mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
5353
5354 Specify zero or more of the following options. The options override
5355 main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
5356 pickup(8) themselves, or they are forwarded to the cleanup server.
5357
5358 no_unknown_recipient_checks
5359 Do not try to reject unknown recipients (SMTP server only).
5360 This is typically specified AFTER an external content filter.
5361
5362 no_address_mappings
5363 Disable canonical address mapping, virtual alias map expansion,
5364 address masquerading, and automatic BCC (blind carbon-copy)
5365 recipients. This is typically specified BEFORE an external con‐
5366 tent filter.
5367
5368 no_header_body_checks
5369 Disable header/body_checks. This is typically specified AFTER an
5370 external content filter.
5371
5372 no_milters
5373 Disable Milter (mail filter) applications. This is typically
5374 specified AFTER an external content filter.
5375
5376 Note: when the "BEFORE content filter" receive_override_options setting
5377 is specified in the main.cf file, specify the "AFTER content filter"
5378 receive_override_options setting in master.cf (and vice versa).
5379
5380 Examples:
5381
5382 receive_override_options =
5383 no_unknown_recipient_checks, no_header_body_checks
5384 receive_override_options = no_address_mappings
5385
5386 This feature is available in Postfix 2.1 and later.
5387
5389 Optional BCC (blind carbon-copy) address lookup tables, indexed by
5390 recipient address. The BCC address (multiple results are not sup‐
5391 ported) is added when mail enters from outside of Postfix.
5392
5393 Specify zero or more "type:name" lookup tables, separated by whitespace
5394 or comma. Tables will be searched in the specified order until a match
5395 is found.
5396
5397 The table search order is as follows:
5398
5399 · Look up the "user+extension@domain.tld" address including the
5400 optional address extension.
5401
5402 · Look up the "user@domain.tld" address without the optional
5403 address extension.
5404
5405 · Look up the "user+extension" address local part when the recipi‐
5406 ent domain equals $myorigin, $mydestination, $inet_interfaces or
5407 $proxy_interfaces.
5408
5409 · Look up the "user" address local part when the recipient domain
5410 equals $myorigin, $mydestination, $inet_interfaces or
5411 $proxy_interfaces.
5412
5413 · Look up the "@domain.tld" part.
5414
5415 Note: with Postfix 2.3 and later the BCC address is added as if it was
5416 specified with NOTIFY=NONE. The sender will not be notified when the
5417 BCC address is undeliverable, as long as all down-stream software
5418 implements RFC 3461.
5419
5420 Note: with Postfix 2.2 and earlier the sender will unconditionally be
5421 notified when the BCC address is undeliverable.
5422
5423 Note: automatic BCC recipients are produced only for new mail. To
5424 avoid mailer loops, automatic BCC recipients are not generated after
5425 Postfix forwards mail internally, or after Postfix generates mail
5426 itself.
5427
5428 Example:
5429
5430 recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
5431
5432 After a change, run "postmap /etc/postfix/recipient_bcc".
5433
5434 This feature is available in Postfix 2.1 and later.
5435
5437 What addresses are subject to recipient_canonical_maps address mapping.
5438 By default, recipient_canonical_maps address mapping is applied to
5439 envelope recipient addresses, and to header recipient addresses.
5440
5441 Specify one or more of: envelope_recipient, header_recipient
5442
5443 This feature is available in Postfix 2.2 and later.
5444
5446 Optional address mapping lookup tables for envelope and header recipi‐
5447 ent addresses. The table format and lookups are documented in canoni‐
5448 cal(5).
5449
5450 Note: $recipient_canonical_maps is processed before $canonical_maps.
5451
5452 Example:
5453
5454 recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
5455
5457 The set of characters that can separate a user name from its extension
5458 (example: user+foo), or a .forward file name from its extension (exam‐
5459 ple: .forward+foo). Basically, the software tries user+foo and .for‐
5460 ward+foo before trying user and .forward. This implementation recog‐
5461 nizes one delimiter character and one extension per email address or
5462 .forward file name.
5463
5464 When the recipient_delimiter set contains multiple characters (Postfix
5465 2.11 and later), a user name or .forward file name is separated from
5466 its extension by the first character that matches the recipient_delim‐
5467 iter set.
5468
5469 See canonical(5), local(8), relocated(5) and virtual(5) for the effects
5470 of recipient_delimiter on lookups in aliases, canonical, virtual, and
5471 relocated maps, and see the propagate_unmatched_extensions parameter
5472 for propagating an extension from one email address to another.
5473
5474 When used in command_execution_directory, forward_path, or luser_relay,
5475 ${recipient_delimiter} is replaced with the actual recipient delimiter
5476 that was found in the recipient email address (Postfix 2.11 and later),
5477 or it is replaced with the main.cf recipient_delimiter parameter value
5478 (Postfix 2.10 and earlier).
5479
5480 The recipient_delimiter is not applied to the mailer-daemon address,
5481 the postmaster address, or the double-bounce address. With the default
5482 "owner_request_special = yes" setting, the recipient_delimiter is also
5483 not applied to addresses with the special "owner-" prefix or the spe‐
5484 cial "-request" suffix.
5485
5486 Examples:
5487
5488 # Handle Postfix-style extensions.
5489 recipient_delimiter = +
5490
5491 # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
5492 recipient_delimiter = +-
5493
5494 # Use .forward for mail without address extension, and for mail with
5495 # an unrecognized address extension.
5496 forward_path = $home/.forward${recipient_delimiter}${extension},
5497 $home/.forward
5498
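The address-extension rules described for recipient_delimiter (above), propagate_unmatched_extensions and the recipient_bcc_maps search order, as one added illustration that is not Postfix's own code: the first character from the delimiter set splits the local part, an unmatched extension is copied onto a virtual(5)-style result, and the BCC table is searched in the five-step order the manual lists. Plain dicts stand in for "type:name" lookup tables, all table contents are constructed, and "double-bounce" is assumed to be the double_bounce_sender value.

```python
# Added illustration, not Postfix's own code, of the address-extension
# rules described for recipient_delimiter, propagate_unmatched_extensions
# and the recipient_bcc_maps search order. Plain dicts stand in for
# "type:name" lookup tables; all table contents are constructed sample
# data. "double-bounce" is assumed to be the double_bounce_sender value.

SPECIAL_LOCALPARTS = {"postmaster", "mailer-daemon", "double-bounce"}


def split_extension(localpart, delimiters):
    """Split 'user+foo' into ('user', '+', 'foo') at the first character
    from the recipient_delimiter set (Postfix 2.11 style: the first
    matching character wins; one delimiter and one extension only).
    Position 0 is never a split point, so the user part is never empty.
    Returns (localpart, '', '') when no split applies, which includes the
    mailer-daemon, postmaster and double-bounce addresses and, with the
    default owner_request_special = yes, owner-* and *-request."""
    lower = localpart.lower()
    if lower in SPECIAL_LOCALPARTS:
        return localpart, "", ""
    if lower.startswith("owner-") or lower.endswith("-request"):
        return localpart, "", ""
    for i in range(1, len(localpart)):
        if localpart[i] in delimiters:
            return localpart[:i], localpart[i], localpart[i + 1:]
    return localpart, "", ""


def split_address(address):
    """'user@domain' -> ('user', 'domain'); a bare local part gets ''."""
    local, sep, domain = address.rpartition("@")
    return (local, domain) if sep else (address, "")


def map_address(table, address, delimiters, propagate=True):
    """virtual(5)-style lookup: the full address first, then the address
    without its extension. With propagate=True (the table type listed in
    propagate_unmatched_extensions) the unmatched extension of the lookup
    key is copied onto the result, so joe+foo@example.com mapped through
    joe@example.com => joe.user@example.net gives joe.user+foo@example.net."""
    if address in table:
        return table[address]
    local, domain = split_address(address)
    user, delim, ext = split_extension(local, delimiters)
    if not delim:
        return None
    result = table.get(f"{user}@{domain}" if domain else user)
    if result is None or not propagate:
        return result
    rlocal, rdomain = split_address(result)
    return f"{rlocal}{delim}{ext}@{rdomain}" if rdomain else rlocal + delim + ext


def bcc_lookup(table, address, delimiters, local_domains):
    """recipient_bcc_maps search order; the first key found wins. The
    local-part-only keys are tried only when the recipient domain is one
    of the local domains ($myorigin, $mydestination, $inet_interfaces or
    $proxy_interfaces), passed here as a constructed set."""
    local, domain = split_address(address)
    user, delim, _ext = split_extension(local, delimiters)
    keys = [address]                       # user+extension@domain.tld
    if delim:
        keys.append(f"{user}@{domain}")    # user@domain.tld
    if domain.lower() in local_domains:
        keys.append(local)                 # user+extension
        if delim:
            keys.append(user)              # user
    keys.append("@" + domain)              # @domain.tld
    for key in keys:
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    virtual = {"joe@example.com": "joe.user@example.net"}             # constructed
    bcc = {"sales@example.com": "archive-sales@example.com",
           "helpdesk": "ops-copy@example.com",
           "@example.com": "archive@example.com"}                     # constructed
    print(split_extension("ann-marie+x", "+-"))          # ('ann', '-', 'marie+x')
    print(map_address(virtual, "joe+foo@example.com", "+"))  # joe.user+foo@example.net
    print(bcc_lookup(bcc, "helpdesk+eu@example.com", "+", {"example.com"}))  # ops-copy@example.com
```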
5500 The numerical Postfix SMTP server response code when a remote SMTP
5501 client request is rejected by the "reject" restriction.
5502
5503 Do not change this unless you have a complete understanding of RFC
5504 5321.
5505
5507 The Postfix SMTP server's action when a reject-type restriction fails
5508 due to a temporary error condition. Specify "defer" to defer the remote
5509 SMTP client request immediately. With the default "defer_if_permit"
5510 action, the Postfix SMTP server continues to look for opportunities to
5511 reject mail, and defers the client request only if it would otherwise
5512 be accepted.
5513
5514 For finer control, see: unverified_recipient_tempfail_action, unveri‐
5515 fied_sender_tempfail_action, unknown_address_tempfail_action, and
5516 unknown_helo_hostname_tempfail_action.
5517
5518 This feature is available in Postfix 2.6 and later.
5519
5521 List of tables with remote SMTP client-certificate fingerprints or pub‐
5522 lic key fingerprints (Postfix 2.9 and later) for which the Postfix SMTP
5523 server will allow access with the permit_tls_clientcerts feature. The
5524 fingerprint digest algorithm is configurable via the smtpd_tls_finger‐
5525 print_digest parameter (hard-coded as md5 prior to Postfix version
5526 2.5).
5527
5528 Postfix lookup tables are in the form of (key, value) pairs. Since we
5529 only need the key, the value can be chosen freely, e.g. the name of
5530 the user or host:
5531 D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
5532
5533 Example:
5534
5535 relay_clientcerts = hash:/etc/postfix/relay_clientcerts
5536
5537 For more fine-grained control, use check_ccert_access to select an
5538 appropriate access(5) policy for each client. See RESTRIC‐
5539 TION_CLASS_README.
5540
5541 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
5542 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
5543 later.
5544
5545 This feature is available with Postfix version 2.2.
5546
5548 rency_limit)
5549 The maximal number of parallel deliveries to the same destination via
5550 the relay message delivery transport. This limit is enforced by the
5551 queue manager. The message delivery transport name is the first field
5552 in the entry in the master.cf file.
5553
5554 This feature is available in Postfix 2.0 and later.
5555
5557 ent_limit)
5558 The maximal number of recipients per message for the relay message
5559 delivery transport. This limit is enforced by the queue manager. The
5560 message delivery transport name is the first field in the entry in the
5561 master.cf file.
5562
5563 Setting this parameter to a value of 1 changes the meaning of
5564 relay_destination_concurrency_limit from concurrency per domain into
5565 concurrency per recipient.
5566
5567 This feature is available in Postfix 2.0 and later.
5568
5570 What destination domains (and subdomains thereof) this system will
5571 relay mail to. For details about how the relay_domains value is used,
5572 see the description of the permit_auth_destination and
5573 reject_unauth_destination SMTP recipient restrictions.
5574
5575 Domains that match $relay_domains are delivered with the $relay_trans‐
5576 port mail delivery transport. The SMTP server validates recipient
5577 addresses with $relay_recipient_maps and rejects non-existent recipi‐
5578 ents. See also the relay domains address class in the
5579 ADDRESS_CLASS_README file.
5580
5581 Note: Postfix will not automatically forward mail for domains that list
5582 this system as their primary or backup MX host. See the per‐
5583 mit_mx_backup restriction in the postconf(5) manual page.
5584
5585 Specify a list of host or domain names, "/file/name" patterns or
5586 "type:table" lookup tables, separated by commas and/or whitespace.
5587 Continue long lines by starting the next line with whitespace. A
5588 "/file/name" pattern is replaced by its contents; a "type:table" lookup
5589 table is matched when a (parent) domain appears as lookup key. Specify
5590 "!pattern" to exclude a domain from the list. The form "!/file/name" is
5591 supported only in Postfix version 2.4 and later.
5592
5593 Pattern matching of domain names is controlled by the presence or
5594 absence of "relay_domains" in the parent_domain_matches_subdomains
5595 parameter value.
5596
5598 The numerical Postfix SMTP server response code when a client request
5599 is rejected by the reject_unauth_destination recipient restriction.
5600
5601 Do not change this unless you have a complete understanding of RFC
5602 5321.
5603
5605 Optional lookup tables with all valid addresses in the domains that
5606 match $relay_domains. Specify @domain as a wild-card for domains that
5607 have no valid recipient list, and become a source of backscatter mail:
5608 Postfix accepts spam for non-existent recipients and then floods inno‐
5609 cent people with undeliverable mail. Technically, tables listed with
5610 $relay_recipient_maps are used as lists: Postfix needs to know only if
5611 a lookup string is found or not, but it does not use the result from
5612 table lookup.
5613
5614 Specify zero or more "type:name" lookup tables, separated by whitespace
5615 or comma. Tables will be searched in the specified order until a match
5616 is found.
5617
5618 If this parameter is non-empty, then the Postfix SMTP server will
5619 reject mail to unknown relay users. This feature is off by default.
5620
5621 See also the relay domains address class in the ADDRESS_CLASS_README
5622 file.
5623
5624 Example:
5625
5626 relay_recipient_maps = hash:/etc/postfix/relay_recipients
5627
5628 This feature is available in Postfix 2.0 and later.
5629
5631 The default mail delivery transport and next-hop destination for remote
5632 delivery to domains listed with $relay_domains. In order of decreasing
5633 precedence, the nexthop destination is taken from $relay_transport,
5634 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
5635 domain. This information can be overruled with the transport(5) table.
5636
5637 Specify a string of the form transport:nexthop, where transport is the
5638 name of a mail delivery transport defined in master.cf. The :nexthop
5639 destination is optional; its syntax is documented in the manual page of
5640 the corresponding delivery agent.
5641
5642 See also the relay domains address class in the ADDRESS_CLASS_README
5643 file.
5644
5645 This feature is available in Postfix 2.0 and later.
5646
5648 The next-hop destination of non-local mail; overrides non-local domains
5649 in recipient addresses. This information is overruled with relay_trans‐
5650 port, sender_dependent_default_transport_maps, default_transport,
5651 sender_dependent_relayhost_maps and with the transport(5) table.
5652
5653 On an intranet, specify the organizational domain name. If your inter‐
5654 nal DNS uses no MX records, specify the name of the intranet gateway
5655 host instead.
5656
5657 In the case of SMTP, specify a domain name, hostname, hostname:port,
5658 [hostname]:port, [hostaddress] or [hostaddress]:port. The form [host‐
5659 name] turns off MX lookups.
5660
5661 If you're connected via UUCP, see the UUCP_README file for useful
5662 information.
5663
5664 Examples:
5665
5666 relayhost = $mydomain
5667 relayhost = [gateway.example.com]
5668 relayhost = uucphost
5669 relayhost = [an.ip.add.ress]
5670
5672 Optional lookup tables with new contact information for users or
5673 domains that no longer exist. The table format and lookups are docu‐
5674 mented in relocated(5).
5675
5676 Specify zero or more "type:name" lookup tables, separated by whitespace
5677 or comma. Tables will be searched in the specified order until a match
5678 is found.
5679
5680 If you use this feature, run "postmap /etc/postfix/relocated" to build
5681 the necessary DBM or DB file after change, then "postfix reload" to
5682 make the changes visible.
5683
5684 Examples:
5685
5686 relocated_maps = dbm:/etc/postfix/relocated
5687 relocated_maps = hash:/etc/postfix/relocated
5688
5690 Don't rewrite message headers from remote clients at all when this
5691 parameter is empty; otherwise, rewrite message headers and append the
5692 specified domain name to incomplete addresses. The local_header_re‐
5693 write_clients parameter controls what clients Postfix considers local.
5694
5695 Examples:
5696
5697 The safe setting: append "domain.invalid" to incomplete header
5698 addresses from remote SMTP clients, so that those addresses cannot be
5699 confused with local addresses.
5700
5701 remote_header_rewrite_domain = domain.invalid
5702
5703 The default, purist, setting: don't rewrite headers from remote clients
5704 at all.
5705
5706 remote_header_rewrite_domain =
5707
5709 Require that a local(8) recipient's home directory exists before mail
5710 delivery is attempted. By default this test is disabled. It can be
5711 useful for environments that import home directories to the mail server
5712 (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
5713
5715 Reset the local(8) delivery agent's idea of the owner-alias attribute,
5716 when delivering mail to a child alias that does not have its own owner
5717 alias.
5718
5719 This feature is available in Postfix 2.8 and later. With older Postfix
5720 releases, the behavior is as if this parameter is set to "yes".
5721
5722 As documented in aliases(5), when an alias name has a companion alias
5723 named owner-name, this will replace the envelope sender address, so
5724 that delivery errors will be reported to the owner alias instead of the
5725 sender. This configuration is recommended for mailing lists.
5726
5727 A less known property of the owner alias is that it also forces the
5728 local(8) delivery agent to write local and remote addresses from alias
5729 expansion to a new queue file, instead of attempting to deliver mail to
5730 local addresses as soon as they come out of alias expansion.
5731
5732 Writing local addresses from alias expansion to a new queue file allows
5733 for robust handling of temporary delivery errors: errors with one local
5734 member have no effect on deliveries to other members of the list. On
5735 the other hand, delivery to local addresses as soon as they come out of
5736 alias expansion is fragile: a temporary error with one local address
5737 from alias expansion will cause the entire alias to be expanded repeat‐
5738 edly until the error goes away, or until the message expires in the
5739 queue. In that case, a problem with one list member results in multi‐
5740 ple message deliveries to other list members.
5741
5742 The default behavior of Postfix 2.8 and later is to keep the
5743 owner-alias attribute of the parent alias, when delivering mail to a
5744 child alias that does not have its own owner alias. Then, local
5745 addresses from that child alias will be written to a new queue file,
5746 and a temporary error with one local address will not affect delivery
5747 to other mailing list members.
5748
5749 Unfortunately, older Postfix releases reset the owner-alias attribute
5750 when delivering mail to a child alias that does not have its own owner
5751 alias. To be precise, this resets only the decision to create a new
5752 queue file, not the decision to override the envelope sender address.
5753 The local(8) delivery agent then attempts to deliver local addresses as
5754 soon as they come out of child alias expansion. If delivery to any
5755 address from child alias expansion fails with a temporary error condi‐
5756 tion, the entire mailing list may be expanded repeatedly until the mail
5757 expires in the queue, resulting in multiple deliveries of the same mes‐
5758 sage to mailing list members.
5759
5761 Resolve a recipient address safely instead of correctly, by looking
5762 inside quotes.
5763
5764 By default, the Postfix address resolver does not quote the address
5765 localpart as per RFC 822, so that additional @ or % or ! operators
5766 remain visible. This behavior is safe but it is also technically incor‐
5767 rect.
5768
5769 If you specify "resolve_dequoted_address = no", then the Postfix
5770 resolver will not know about additional @ etc. operators in the address
5771 localpart. This opens opportunities for obscure mail relay attacks with
5772 user@domain@domain addresses when Postfix provides backup MX service
5773 for Sendmail systems.
5774
5776 Resolve an address that ends in the "@" null domain as if the local
5777 hostname were specified, instead of rejecting the address as invalid.
5778
5779 This feature is available in Postfix 2.1 and later. Earlier versions
5780 always resolve the null domain as the local hostname.
5781
5782 The Postfix SMTP server uses this feature to reject mail from or to
5783 addresses that end in the "@" null domain, and from addresses that re‐
5784 write into a form that ends in the "@" null domain.
5785
5787 Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
5788 the address as invalid.
5789
5790 This feature is available in Postfix 2.3 and later.
5791
5793 The name of the address rewriting service. This service rewrites
5794 addresses to standard form and resolves them to a (delivery method,
5795 next-hop host, recipient) triple.
5796
5797 This feature is available in Postfix 2.0 and later.
5798
5800 The name of the directory with example Postfix configuration files.
5801 Starting with Postfix 2.1, these files have been replaced with the
5802 postconf(5) manual page.
5803
5805 When authenticating to a remote SMTP or LMTP server with the default
5806 setting "no", send no SASL authoriZation ID (authzid); send only the
5807 SASL authentiCation ID (authcid) plus the authcid's password.
5808
5809 The non-default setting "yes" enables the behavior of older Postfix
5810 versions. These always send a SASL authzid that is equal to the SASL
5811 authcid, but this causes interoperability problems with some SMTP
5812 servers.
5813
5814 This feature is available in Postfix 2.4.4 and later.
5815
5817 This parameter should not be used. It was replaced by sender_depen‐
5818 dent_relayhost_maps in Postfix version 2.3.
5819
5821 Optional BCC (blind carbon-copy) address lookup tables, indexed by
5822 sender address. The BCC address (multiple results are not supported)
5823 is added when mail enters from outside of Postfix.
5824
5825 Specify zero or more "type:name" lookup tables, separated by whitespace
5826 or comma. Tables will be searched in the specified order until a match
5827 is found.
5828
5829 The table search order is as follows:
5830
5831 · Look up the "user+extension@domain.tld" address including the
5832 optional address extension.
5833
5834 · Look up the "user@domain.tld" address without the optional
5835 address extension.
5836
5837 · Look up the "user+extension" address local part when the sender
5838 domain equals $myorigin, $mydestination, $inet_interfaces or
5839 $proxy_interfaces.
5840
5841 · Look up the "user" address local part when the sender domain
5842 equals $myorigin, $mydestination, $inet_interfaces or
5843 $proxy_interfaces.
5844
5845 · Look up the "@domain.tld" part.
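
The five-step search order above, implemented as an added example in Python (not Postfix code). The table contents, the set of local domains standing in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces, and the "+" recipient delimiter are constructed assumptions; keys are folded to lower case as a hash: table would fold them.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for hash:/etc/postfix/sender_bcc (lookup key -> BCC address).
SENDER_BCC_TABLE: Dict[str, str] = {
    "alice+billing@example.com": "archive-billing@example.com",
    "alice@example.com": "archive-alice@example.com",
    "bob+news": "archive-bobnews@example.com",
    "carol": "archive-carol@example.com",
    "@partner.example": "archive-partner@example.com",
}

# Constructed union of $myorigin, $mydestination, $inet_interfaces and
# $proxy_interfaces: only senders in these domains get the local-part lookups.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Assumes the common main.cf setting "recipient_delimiter = +".
RECIPIENT_DELIMITER = "+"


def sender_bcc_keys(sender: str, local_domains: Iterable[str],
                    delimiter: str = RECIPIENT_DELIMITER) -> List[str]:
    """Return the lookup keys for one envelope sender, in the documented order.

    Steps that would repeat an earlier key (no address extension present)
    are skipped, so each key is tried once.
    """
    local = {d.lower() for d in local_domains}
    localpart, sep, domain = sender.lower().rpartition("@")
    if not sep or not localpart or not domain:
        return []                                # not user@domain: nothing to look up
    if delimiter:
        user, _, extension = localpart.partition(delimiter)
    else:
        user, extension = localpart, ""
    keys: List[str] = []
    if extension:
        keys.append(f"{localpart}@{domain}")     # 1. user+extension@domain.tld
    keys.append(f"{user}@{domain}")              # 2. user@domain.tld
    if domain in local:
        if extension:
            keys.append(localpart)               # 3. user+extension (local sender domain only)
        keys.append(user)                        # 4. user (local sender domain only)
    keys.append(f"@{domain}")                    # 5. @domain.tld
    return keys


def lookup_sender_bcc(sender: str, table: Dict[str, str],
                      local_domains: Iterable[str] = LOCAL_DOMAINS) -> Optional[Tuple[str, str]]:
    """First matching key wins; returns (matched_key, bcc_address) or None."""
    for key in sender_bcc_keys(sender, local_domains):
        if key in table:
            return key, table[key]
    return None


if __name__ == "__main__":
    for sender in ("alice+billing@example.com", "Alice+Sales@Example.COM",
                   "bob+news@example.com", "bob+news@other.example",
                   "carol@mail.example.com", "dave@partner.example"):
        print(f"{sender:28} -> {lookup_sender_bcc(sender, SENDER_BCC_TABLE)}")
```

Automatic BCC recipients are only produced for new mail, which this lookup does not model; it shows only which table entry a given sender selects.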
5846
5847 Note: with Postfix 2.3 and later the BCC address is added as if it was
5848 specified with NOTIFY=NONE. The sender will not be notified when the
5849 BCC address is undeliverable, as long as all down-stream software
5850 implements RFC 3461.
5851
5852 Note: with Postfix 2.2 and earlier the sender will be notified when the
5853 BCC address is undeliverable.
5854
5855 Note: automatic BCC recipients are produced only for new mail. To
5856 avoid mailer loops, automatic BCC recipients are not generated after
5857 Postfix forwards mail internally, or after Postfix generates mail
5858 itself.
5859
5860 Example:
5861
5862 sender_bcc_maps = hash:/etc/postfix/sender_bcc
5863
5864 After a change, run "postmap /etc/postfix/sender_bcc".
5865
5866 This feature is available in Postfix 2.1 and later.
5867
5869 What addresses are subject to sender_canonical_maps address mapping.
5870 By default, sender_canonical_maps address mapping is applied to enve‐
5871 lope sender addresses, and to header sender addresses.
5872
5873 Specify one or more of: envelope_sender, header_sender
5874
5875 This feature is available in Postfix 2.2 and later.
5876
5878 Optional address mapping lookup tables for envelope and header sender
5879 addresses. The table format and lookups are documented in canoni‐
5880 cal(5).
5881
5882 Example: you want to rewrite the SENDER address "user@ugly.domain" to
5883 "user@pretty.domain", while still being able to send mail to the RECIP‐
5884 IENT address "user@ugly.domain".
5885
5886 Note: $sender_canonical_maps is processed before $canonical_maps.
5887
5888 Example:
5889
5890 sender_canonical_maps = hash:/etc/postfix/sender_canonical
5891
5893 A sender-dependent override for the global default_transport parameter
5894 setting. The tables are searched by the envelope sender address and
5895 @domain. A lookup result of DUNNO terminates the search without over‐
5896 riding the global default_transport parameter setting. This informa‐
5897 tion is overruled with the transport(5) table.
5898
5899 Specify zero or more "type:name" lookup tables, separated by whitespace
5900 or comma. Tables will be searched in the specified order until a match
5901 is found.
5902
5903 Note: this overrides default_transport, not transport_maps, and there‐
5904 fore the expected syntax is that of default_transport, not the syntax
5905 of transport_maps. Specifically, this does not support the trans‐
5906 port_maps syntax for null transport, null nexthop, or null email
5907 addresses.
5908
5909 For safety reasons, this feature does not allow $number substitutions
5910 in regular expression maps.
5911
5912 This feature is available in Postfix 2.7 and later.
5913
5915 A sender-dependent override for the global relayhost parameter setting.
5916 The tables are searched by the envelope sender address and @domain. A
5917 lookup result of DUNNO terminates the search without overriding the
5918 global relayhost parameter setting (Postfix 2.6 and later). This infor‐
5919 mation is overruled with relay_transport, sender_depen‐
5920 dent_default_transport_maps, default_transport and with the trans‐
5921 port(5) table.
5922
5923 Specify zero or more "type:name" lookup tables, separated by whitespace
5924 or comma. Tables will be searched in the specified order until a match
5925 is found.
5926
5927 For safety reasons, this feature does not allow $number substitutions
5928 in regular expression maps.
5929
5930 This feature is available in Postfix 2.3 and later.
5931
5933 Controls how the Postfix sendmail command converts email message line
5934 endings from <CR><LF> into UNIX format (<LF>).
5935
5936 always Always convert message lines ending in <CR><LF>. This setting is
5937 the default with Postfix 2.9 and later.
5938
5939 strict Convert message lines ending in <CR><LF> only if the first input
5940 line ends in <CR><LF>. This setting is backwards-compatible with
5941 Postfix 2.8 and earlier.
5942
5943 never Never convert message lines ending in <CR><LF>. This setting
5944 exists for completeness only.
5945
5946 This feature is available in Postfix 2.9 and later.
5947
5949 A Sendmail compatibility feature that specifies the location of the
5950 Postfix sendmail(1) command. This command can be used to submit mail
5951 into the Postfix queue.
5952
5954 The master.cf service name of a Postfix daemon process. This can be
5955 used to distinguish the logging from different services that use the
5956 same program name.
5957
5958 Example master.cf entries:
5959
5960 # Distinguish inbound MTA logging from submission and smtps logging.
5961 smtp inet n - n - - smtpd
5962 submission inet n - n - - smtpd
5963 -o syslog_name=postfix/$service_name
5964 smtps inet n - n - - smtpd
5965 -o syslog_name=postfix/$service_name
5966
5967 # Distinguish outbound MTA logging from inbound relay logging.
5968 smtp unix - - n - - smtp
5969 relay unix - - n - - smtp
5970 -o syslog_name=postfix/$service_name
5971
5973 How long the Postfix master(8) waits before forking a server that
5974 appears to be malfunctioning.
5975
5976 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5977 The default time unit is s (seconds).
5978
5980 The group ownership of set-gid Postfix commands and of group-writable
5981 Postfix directories. When this parameter value is changed you need to
5982 re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
5983 "/etc/postfix/post-install set-permissions").
5984
5986 The location of Postfix dynamically-linked libraries (libpostfix-*.so),
5987 and the default location of Postfix database plugins (postfix-*.so)
5988 that have a relative pathname in the dynamicmaps.cf file. The
5989 shlib_directory parameter defaults to "no" when Postfix dynami‐
5990 cally-linked libraries and database plugins are disabled at compile
5991 time, otherwise it typically defaults to /usr/lib/postfix or
5992 /usr/local/lib/postfix.
5993
5994 Notes:
5995
5996 · The directory specified with shlib_directory should contain only
5997 Postfix-related files. Postfix dynamically-linked libraries and
5998 database plugins should not be installed in a "public" system
5999 directory such as /usr/lib or /usr/local/lib. Linking Postfix
6000 dynamically-linked library files or database plugins into
6001 non-Postfix programs is not supported. Postfix dynami‐
6002 cally-linked libraries and database plugins implement a Post‐
6003 fix-internal API that changes without maintaining compatibility.
6004
6005 · You can change the shlib_directory value after Postfix is built.
6006 However, you may have to run ldconfig or equivalent to prevent
6007 Postfix programs from failing because the libpostfix-*.so files
6008 are not found. No ldconfig command is needed if you keep the
6009 libpostfix-*.so files in the compiled-in default $shlib_direc‐
6010 tory location.
6011
6012 This feature is available in Postfix 3.0 and later.
6013
6015 Display the name of the recipient table in the "User unknown"
6016 responses. The extra detail makes troubleshooting easier but also
6017 reveals information that is nobody else's business.
6018
6019 This feature is available in Postfix 2.0 and later.
6020
6022 The name of the showq(8) service. This service produces mail queue sta‐
6023 tus reports.
6024
6025 This feature is available in Postfix 2.0 and later.
6026
6028 The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6029 will try first, when a destination has IPv6 and IPv4 addresses with
6030 equal MX preference. This feature has no effect unless the inet_proto‐
6031 cols setting enables both IPv4 and IPv6.
6032
6033 Postfix SMTP client address preference has evolved. With Postfix 2.8
6034 the default is "ipv6"; earlier implementations are hard-coded to prefer
6035 IPv6 over IPv4.
6036
6037 Notes for mail delivery between sites that have both IPv4 and IPv6 con‐
6038 nectivity:
6039
6040 · The setting "smtp_address_preference = ipv6" is unsafe. It can
6041 fail to deliver mail when there is an outage that affects IPv6,
6042 while the destination is still reachable over IPv4.
6043
6044 · The setting "smtp_address_preference = any" is safe. With this,
6045 mail will eventually be delivered even if there is an outage
6046 that affects IPv6 or IPv4, as long as it does not affect both.
6047
6048 This feature is available in Postfix 2.8 and later.
6049
6051 In the context of email address verification, the SMTP protocol stage
6052 that determines whether an email address is deliverable. Specify one
6053 of "rcpt" or "data". The latter is needed with remote SMTP servers
6054 that reject recipients after the DATA command. Use transport_maps to
6055 apply this feature selectively:
6056
6057 /etc/postfix/main.cf:
6058 transport_maps = hash:/etc/postfix/transport
6059
6060 /etc/postfix/transport:
6061 smtp-domain-that-verifies-after-data smtp-data-target:
6062 lmtp-domain-that-verifies-after-data lmtp-data-target:
6063
6064 /etc/postfix/master.cf:
6065 smtp-data-target unix - - n - - smtp
6066 -o smtp_address_verify_target=data
6067 lmtp-data-target unix - - n - - lmtp
6068 -o lmtp_address_verify_target=data
6069
6070 Unselective use of the "data" target does no harm, but will result in
6071 unnecessary "lost connection after DATA" events at remote SMTP/LMTP
6072 servers.
6073
6074 This feature is available in Postfix 3.0 and later.
6075
6077 Always send EHLO at the start of an SMTP session.
6078
6079 With "smtp_always_send_ehlo = no", the Postfix SMTP client sends EHLO
6080 only when the word "ESMTP" appears in the server greeting banner (exam‐
6081 ple: 220 spike.porcupine.org ESMTP Postfix).
6082
6084 When a remote destination resolves to a combination of IPv4 and IPv6
6085 addresses, ensure that the Postfix SMTP client can try both address
6086 types before it runs into the smtp_mx_address_limit.
6087
6088 This avoids an interoperability problem when a destination resolves to
6089 primarily IPv6 addresses, the smtp_mx_address_limit feature eliminates
6090 most or all IPv4 addresses, and the destination is not reachable over
6091 IPv6.
6092
6093 This feature is available in Postfix 3.3 and later.
6094
6096 An optional numerical network address that the Postfix SMTP client
6097 should bind to when making an IPv4 connection.
6098
6099 This can be specified in the main.cf file for all SMTP clients, or it
6100 can be specified in the master.cf file for a specific client, for exam‐
6101 ple:
6102
6103 /etc/postfix/master.cf:
6104 smtp ... smtp -o smtp_bind_address=11.22.33.44
6105
6106 Note 1: when inet_interfaces specifies no more than one IPv4 address,
6107 and that address is a non-loopback address, it is automatically used as
6108 the smtp_bind_address. This supports virtual IP hosting, but can be a
6109 problem on multi-homed firewalls. See the inet_interfaces documentation
6110 for more detail.
6111
6112 Note 2: address information may be enclosed inside [], but this form is
6113 not required here.
6114
6116 An optional numerical network address that the Postfix SMTP client
6117 should bind to when making an IPv6 connection.
6118
6119 This feature is available in Postfix 2.2 and later.
6120
6121 This can be specified in the main.cf file for all SMTP clients, or it
6122 can be specified in the master.cf file for a specific client, for exam‐
6123 ple:
6124
6125 /etc/postfix/master.cf:
6126 smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6127
6128 Note 1: when inet_interfaces specifies no more than one IPv6 address,
6129 and that address is a non-loopback address, it is automatically used as
6130 the smtp_bind_address6. This supports virtual IP hosting, but can be a
6131 problem on multi-homed firewalls. See the inet_interfaces documentation
6132 for more detail.
6133
6134 Note 2: address information may be enclosed inside [], but this form is
6135 not recommended here.
6136
6138 Restricted body_checks(5) tables for the Postfix SMTP client. These
6139 tables are searched while mail is being delivered. Actions that change
6140 the delivery time or destination are not available.
6141
6142 This feature is available in Postfix 2.5 and later.
6143
6145 When the remote SMTP servername is a DNS CNAME, replace the servername
6146 with the result from CNAME expansion for the purpose of logging, SASL
6147 password lookup, TLS policy decisions, or TLS certificate verification.
6148 The value "no" hardens Postfix smtp_tls_per_site hostname-based poli‐
6149 cies against false hostname information in DNS CNAME records, and makes
6150 SASL password file lookups more predictable. This is the default set‐
6151 ting as of Postfix 2.3.
6152
6153 When DNS CNAME records are validated with secure DNS lookups
6154 (smtp_dns_support_level = dnssec), they are always allowed to override
6155 the above servername (Postfix 2.11 and later).
6156
6157 This feature is available in Postfix 2.2.9 and later.
6158
6160 The Postfix SMTP client time limit for completing a TCP connection, or
6161 zero (use the operating system built-in time limit).
6162
6163 When no connection can be made within the deadline, the Postfix SMTP
6164 client tries the next address on the mail exchanger list. Specify 0 to
6165 disable the time limit (i.e. use whatever timeout is implemented by the
6166 operating system).
6167
6168 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6169 The default time unit is s (seconds).
6170
6172 Permanently enable SMTP connection caching for the specified destina‐
6173 tions. With SMTP connection caching, a connection is not closed imme‐
6174 diately after completion of a mail transaction. Instead, the connec‐
6175 tion is kept open for up to $smtp_connection_cache_time_limit seconds.
6176 This allows connections to be reused for other deliveries, and can
6177 improve mail delivery performance.
6178
6179 Specify a comma or white space separated list of destinations or
6180 pseudo-destinations:
6181
6182 · if mail is sent without a relay host: a domain name (the
6183 right-hand side of an email address, without the [] around a
6184 numeric IP address),
6185
6186 · if mail is sent via a relay host: a relay host name (without []
6187 or non-default TCP port), as specified in main.cf or in the
6188 transport map,
6189
6190 · if mail is sent via a UNIX-domain socket: a pathname (without
6191 the unix: prefix),
6192
6193 · a /file/name with domain names and/or relay host names as
6194 defined above,
6195
6196 · a "type:table" with domain names and/or relay host names on the
6197 left-hand side. The right-hand side result from "type:table"
6198 lookups is ignored.
6199
6200 This feature is available in Postfix 2.2 and later.
6201
6203 Temporarily enable SMTP connection caching while a destination has a
6204 high volume of mail in the active queue. With SMTP connection caching,
6205 a connection is not closed immediately after completion of a mail
6206 transaction. Instead, the connection is kept open for up to $smtp_con‐
6207 nection_cache_time_limit seconds. This allows connections to be reused
6208 for other deliveries, and can improve mail delivery performance.
6209
6210 This feature is available in Postfix 2.2 and later.
6211
6213 When SMTP connection caching is enabled, the amount of time that an
6214 unused SMTP client socket is kept open before it is closed. Do not
6215 specify larger values without permission from the remote sites.
6216
6217 This feature is available in Postfix 2.2 and later.
6218
6220 When SMTP connection caching is enabled, the number of times that an
6221 SMTP session may be reused before it is closed, or zero (no limit).
6222 With a reuse count limit of N, a connection is used up to N+1 times.
6223
6224 NOTE: This feature is unsafe. When a high-volume destination has multi‐
6225 ple inbound MTAs, then the slowest inbound MTA will attract the most
6226 connections to that destination. This limitation does not exist with
6227 the smtp_connection_reuse_time_limit feature.
6228
6229 This feature is available in Postfix 2.11.
6230
6232 The amount of time during which Postfix will use an SMTP connection
6233 repeatedly. The timer starts when the connection is initiated (i.e. it
6234 includes the connect, greeting and helo latency, in addition to the
6235 latencies of subsequent mail delivery transactions).
6236
6237 This feature addresses a performance stability problem with remote SMTP
6238 servers. This problem is not specific to Postfix: it can happen when
6239 any MTA sends large amounts of SMTP email to a site that has multiple
6240 MX hosts.
6241
6242 The problem starts when one of a set of MX hosts becomes slower than
6243 the rest. Even though SMTP clients connect to fast and slow MX hosts
6244 with equal probability, the slow MX host ends up with more simultaneous
6245 inbound connections than the faster MX hosts, because the slow MX host
6246 needs more time to serve each client request.
6247
6248 The slow MX host becomes a connection attractor. If one MX host
6249 becomes N times slower than the rest, it dominates mail delivery
6250 latency unless there are more than N fast MX hosts to counter the
6251 effect. And if the number of MX hosts is smaller than N, the mail
6252 delivery latency becomes effectively that of the slowest MX host
6253 divided by the total number of MX hosts.
6254
6255 The solution uses connection caching in a way that differs from Postfix
6256 version 2.2. By limiting the amount of time during which a connection
6257 can be used repeatedly (instead of limiting the number of deliveries
6258 over that connection), Postfix not only restores fairness in the dis‐
6259 tribution of simultaneous connections across a set of MX hosts, it also
6260 favors deliveries over connections that perform well, which is exactly
6261 what we want.
6262
6263 The default reuse time limit, 300s, is comparable to the various smtp
6264 transaction timeouts which are fair estimates of maximum excess latency
6265 for a slow delivery. Note that hosts may accept thousands of messages
6266 over a single connection within the default connection reuse time
6267 limit. This number is much larger than the default Postfix version 2.2
6268 limit of 10 messages per cached connection. It may prove necessary to
6269 lower the limit to avoid interoperability issues with MTAs that exhibit
6270 bugs when many messages are delivered via a single connection. A lower
6271 reuse time limit risks losing the benefit of connection reuse when the
6272 average connection and mail delivery latency exceeds the reuse time
6273 limit.
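
The connection-attractor argument above, as an added simulation that is not Postfix code: it compares a per-connection message count limit with a reuse time limit on a constructed MX set in which one host is five times slower than the other three, and reports each host's share of simultaneous connections and the messages it delivered. The latencies, the client concurrency and the 10-message and 300s limits are assumptions chosen to mirror the text.

```python
from dataclasses import dataclass


@dataclass
class MxHost:
    name: str
    latency: float         # seconds this host needs to accept one message
    attached: float = 0.0  # connection-seconds clients spent attached to it
    messages: int = 0      # messages delivered through it


def run_session(host, policy, start, horizon, count_limit, time_limit, connect_latency):
    """One cached connection to `host`; returns the time at which it closes.

    policy "count": close after count_limit messages (Postfix 2.2 style limit).
    policy "time":  stop reusing once the connection is time_limit seconds old,
                    measured from connection initiation, so connect and
                    greeting latency count against the limit as the text says.
    """
    t = start + connect_latency          # connect + greeting + EHLO
    sent = 0
    while t + host.latency <= horizon:   # do not count deliveries past the horizon
        if policy == "count" and sent >= count_limit:
            break
        if policy == "time" and t - start >= time_limit:
            break
        t += host.latency
        sent += 1
    t = min(t, horizon)
    host.attached += t - start
    host.messages += sent
    return t


def simulate(policy, latencies, concurrency=4, horizon=36000.0,
             count_limit=10, time_limit=300.0, connect_latency=1.0):
    """Return {host: (share of simultaneous connections, messages delivered)}.

    Each of `concurrency` parallel client connections walks the MX list
    round-robin from a different starting point: a deterministic stand-in
    for picking fast and slow MX hosts with equal probability.
    """
    hosts = [MxHost(name, lat) for name, lat in latencies.items()]
    for c in range(concurrency):
        t, i = 0.0, c % len(hosts)
        while t < horizon:
            t = run_session(hosts[i], policy, t, horizon,
                            count_limit, time_limit, connect_latency)
            i = (i + 1) % len(hosts)
    total = sum(h.attached for h in hosts)   # equals concurrency * horizon
    return {h.name: (h.attached / total, h.messages) for h in hosts}


# Constructed MX set: three equally fast hosts and one that is 5x slower.
LATENCIES = {"mx1": 1.0, "mx2": 1.0, "mx3": 1.0, "mx4": 5.0}

if __name__ == "__main__":
    for policy in ("count", "time"):
        print(f"reuse limited by {policy}:")
        for name, (share, msgs) in simulate(policy, LATENCIES).items():
            print(f"  {name}: {share:6.1%} of connections, {msgs:6d} messages")
```

With the count limit the slow host holds roughly 60% of all connections while delivering no more mail than the others; with the time limit every host holds about 25% and the fast hosts deliver about five times as many messages.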
6274
6275 This feature is available in Postfix 2.3 and later.
6276
6278 The Postfix SMTP client time limit for sending the SMTP ".", and for
6279 receiving the remote SMTP server response.
6280
6281 When no response is received within the deadline, a warning is logged
6282 that the mail may be delivered multiple times.
6283
6284 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6285 The default time unit is s (seconds).
6286
6288 The Postfix SMTP client time limit for sending the SMTP DATA command,
6289 and for receiving the remote SMTP server response.
6290
6291 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6292 The default time unit is s (seconds).
6293
6295 The Postfix SMTP client time limit for sending the SMTP message con‐
6296 tent. When the connection makes no progress for more than
6297 $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates the
6298 transfer.
6299
6300 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6301 The default time unit is s (seconds).
6302
6304 Defer mail delivery when no MX record resolves to an IP address.
6305
6306 The default (no) is to return the mail as undeliverable. With older
6307 Postfix versions the default was to keep trying to deliver the mail
6308 until someone fixed the MX record or until the mail was too old.
6309
6310 Note: the Postfix SMTP client always ignores MX records with equal or
6311 worse preference than the local MTA itself.
6312
6313 This feature is available in Postfix 2.1 and later.
6314
6316 Optional filter for the smtp(8) delivery agent to change the delivery
6317 status code or explanatory text of successful or unsuccessful deliver‐
6318 ies. See default_delivery_status_filter for details.
6319
6320 NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6321 sages that may or may not be derived from remote SMTP server responses.
6322 In contrast, the smtp_reply_filter feature modifies remote SMTP server
6323 responses only.
6324
6326 rency_limit)
6327 The maximal number of parallel deliveries to the same destination via
6328 the smtp message delivery transport. This limit is enforced by the
6329 queue manager. The message delivery transport name is the first field
6330 in the entry in the master.cf file.
6331
6333 ent_limit)
6334 The maximal number of recipients per message for the smtp message
6335 delivery transport. This limit is enforced by the queue manager. The
6336 message delivery transport name is the first field in the entry in the
6337 master.cf file.
6338
6339 Setting this parameter to a value of 1 changes the meaning of smtp_des‐
6340 tination_concurrency_limit from concurrency per domain into concurrency
6341 per recipient.
6342
6344 Lookup tables, indexed by the remote SMTP server address, with case
6345 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
6346 that the Postfix SMTP client will ignore in the EHLO response from a
6347 remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6348 ble is not indexed by hostname for consistency with smtpd_dis‐
6349 card_ehlo_keyword_address_maps.
6350
6351 Specify zero or more "type:name" lookup tables, separated by whitespace
6352 or comma. Tables will be searched in the specified order until a match
6353 is found.
6354
6355 This feature is available in Postfix 2.2 and later.
6356
A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.)
that the Postfix SMTP client will ignore in the EHLO response from a remote
SMTP server.

This feature is available in Postfix 2.2 and later.

Notes:

· Specify the silent-discard pseudo keyword to prevent this action from
  being logged.

· Use the smtp_discard_ehlo_keyword_address_maps feature to discard EHLO
  keywords selectively.

Optional filter for Postfix SMTP client DNS lookup results. Specify zero or
more lookup tables. The lookup tables are searched in the given order for a
match with the DNS lookup result, converted to the following form:

    name ttl class type preference value

The class field is always "IN", the preference field exists only for MX
records, the names of hosts, domains, etc. end in ".", and those names are
in ASCII form (xn--mumble form in the case of UTF8 names).

When a match is found, the table lookup result specifies an action. By
default, the table query and the action name are case-insensitive.
Currently, only the IGNORE action is implemented.

Notes:

· Postfix DNS reply filters have no effect on implicit DNS lookups through
  nsswitch.conf or equivalent mechanisms.

· The Postfix SMTP/LMTP client uses smtp_dns_reply_filter and
  lmtp_dns_reply_filter only to discover a remote SMTP or LMTP service
  (record types MX, A, AAAA, and TLSA). These lookups are also made to
  implement the features reject_unverified_sender and
  reject_unverified_recipient.

· The Postfix SMTP/LMTP client defers mail delivery when a filter removes
  all lookup results from a successful query.

· The Postfix SMTP server uses smtpd_dns_reply_filter only to look up MX,
  A, AAAA, and TXT records to implement the features
  reject_unknown_helo_hostname, reject_unknown_sender_domain,
  reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*.

· The Postfix SMTP server logs a warning or defers mail delivery when a
  filter removes all lookup results from a successful query.

Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
because Google sometimes hard-rejects mail from IPv6 clients with valid PTR
etc. records.

    /etc/postfix/main.cf:
        smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter

    /etc/postfix/smtp_dns_reply_filter:
        # /domain ttl IN AAAA address/ action, all case-insensitive.
        # Note: the domain name ends in ".".
        /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE

This feature is available in Postfix 3.0 and later.
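
The following is an added example, not Postfix code: it models how a
smtp_dns_reply_filter table is applied to a DNS answer rendered in the
"name ttl class type preference value" form above, including the
defer-when-everything-is-filtered rule from the notes. The pcre table is
the one from the example; the DNS records and the DnsRecord/resolve names
are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Added example (not Postfix code): a model of smtp_dns_reply_filter.
# DnsRecord, lookup_key, apply_dns_reply_filter and resolve are constructed
# names; the record data below is constructed, documentation-style data.

class DnsRecord:
    def __init__(self, name: str, ttl: int, rtype: str, value: str,
                 preference: Optional[int] = None):
        self.name = name              # owner name, always ending in "."
        self.ttl = ttl
        self.rtype = rtype            # "MX", "A", "AAAA" or "TLSA"
        self.value = value
        self.preference = preference  # MX records only

    def __repr__(self) -> str:
        return "DnsRecord(%s)" % lookup_key(self)

def lookup_key(rec: DnsRecord) -> str:
    """Render a record exactly as the filter table sees it:
    name ttl class type [preference] value; the class is always IN."""
    fields = [rec.name, str(rec.ttl), "IN", rec.rtype]
    if rec.rtype == "MX":
        fields.append(str(rec.preference))
    fields.append(rec.value)
    return " ".join(fields)

def parse_pcre_table(text: str) -> List[Tuple["re.Pattern", str]]:
    """Parse a minimal pcre: table: '/pattern/ ACTION' lines and '#'
    comments. Queries are case-insensitive by default, as documented."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\S+)$", line)
        if not m:
            raise ValueError("unsupported table line: %r" % line)
        table.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return table

def apply_dns_reply_filter(records: List[DnsRecord],
                           table: List[Tuple["re.Pattern", str]]) -> List[DnsRecord]:
    """Drop every record whose lookup key matches a table entry carrying the
    IGNORE action; IGNORE is the only action implemented, so any other
    action name is an error."""
    kept = []
    for rec in records:
        key = lookup_key(rec)
        action = next((act for pat, act in table if pat.search(key)), None)
        if action is None:
            kept.append(rec)
        elif action.upper() == "IGNORE":
            continue
        else:
            raise ValueError("unknown action %r for %r" % (action, key))
    return kept

def resolve(records: List[DnsRecord],
            table: List[Tuple["re.Pattern", str]]) -> Tuple[str, List[DnsRecord]]:
    """Mimic the delivery decision from the notes: a successful query whose
    results are all filtered away makes the SMTP client defer delivery."""
    kept = apply_dns_reply_filter(records, table)
    if records and not kept:
        return ("defer", [])
    return ("ok", kept)

# The table from the documentation example above, verbatim.
GOOGLE_AAAA_FILTER = parse_pcre_table(r"""
# /domain ttl IN AAAA address/ action, all case-insensitive.
# Note: the domain name ends in ".".
/^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
""")

# Constructed answer for one MX host (documentation address ranges).
SAMPLE_ANSWER = [
    DnsRecord("alt1.aspmx.l.google.com.", 300, "AAAA", "2001:db8::25"),
    DnsRecord("alt1.aspmx.l.google.com.", 300, "A", "192.0.2.25"),
]

if __name__ == "__main__":
    print(resolve(SAMPLE_ANSWER, GOOGLE_AAAA_FILTER))
    # An answer holding only the AAAA record is filtered to nothing: defer.
    print(resolve(SAMPLE_ANSWER[:1], GOOGLE_AAAA_FILTER))
```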
6425
DNS Resolver options for the Postfix SMTP client. Specify zero or more of
the following options, separated by comma or whitespace. Option names are
case-sensitive. Some options refer to domain names that are specified in
the file /etc/resolv.conf or equivalent.

res_defnames
    Append the current domain name to single-component names (those that
    do not contain a "." character). This can produce incorrect results,
    and is the hard-coded behavior prior to Postfix 2.8.

res_dnsrch
    Search for host names in the current domain and in parent domains.
    This can produce incorrect results and is therefore not recommended.

This feature is available in Postfix 2.8 and later.

Level of DNS support in the Postfix SMTP client. With
"smtp_dns_support_level" left at its empty default value, the legacy
"disable_dns_lookups" parameter controls whether DNS is enabled in the
Postfix SMTP client, otherwise the legacy parameter is ignored.

Specify one of the following:

disabled
    Disable DNS lookups. No MX lookups are performed and hostname to
    address lookups are unconditionally "native". This setting is not
    appropriate for hosts that deliver mail to the public Internet. Some
    obsolete how-to documents recommend disabling DNS lookups in some
    configurations with content_filters. This is no longer required and
    strongly discouraged.

enabled
    Enable DNS lookups. Nexthop destination domains not enclosed in "[]"
    will be subject to MX lookups. If "dns" and "native" are included in
    the "smtp_host_lookup" parameter value, DNS will be queried first to
    resolve MX-host A records, followed by "native" lookups if no answer
    is found in DNS.

dnssec
    Enable DNSSEC lookups. The "dnssec" setting differs from the "enabled"
    setting above in the following ways:

    · Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to request
      DNSSEC-validated responses. If the MX response is DNSSEC-validated
      the corresponding hostnames are considered validated.

    · The address lookups of validated hostnames are also validated
      (provided of course "smtp_host_lookup" includes "dns", see below).

    · Temporary failures in DNSSEC-enabled hostname-to-address resolution
      block any "native" lookups. Additional "native" lookups only happen
      when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).

The Postfix SMTP client considers non-MX "[nexthop]" and "[nexthop]:port"
destinations equivalent to statically-validated MX records of the form
"nexthop. IN MX 0 nexthop." Therefore, with "dnssec" support turned on,
validated hostname-to-address lookups apply to the nexthop domain of any
"[nexthop]" or "[nexthop]:port" destination. This is also true for LMTP
"inet:host" and "inet:host:port" destinations, as LMTP hostnames are never
subject to MX lookups.

The "dnssec" setting is recommended only if you plan to use the dane or
dane-only TLS security level, otherwise enabling DNSSEC support in Postfix
offers no additional security. Postfix DNSSEC support relies on an
upstream recursive nameserver that validates DNSSEC signatures. Such a DNS
server will always filter out forged DNS responses, even when Postfix
itself is not configured to use DNSSEC.

When using Postfix DANE support the "smtp_host_lookup" parameter should
include "dns", as DANE is not applicable to hosts resolved via "native"
lookups.

As mentioned above, Postfix is not a validating stub resolver; it relies on
the system's configured DNSSEC-validating recursive nameserver to perform
all DNSSEC validation. Since this nameserver's DNSSEC-validated responses
will be fully trusted, it is strongly recommended that the MTA host have a
local DNSSEC-validating recursive caching nameserver listening on a
loopback address, and be configured to use only this nameserver for all
lookups. Otherwise, Postfix may remain subject to man-in-the-middle
attacks that forge responses from the recursive nameserver.

DNSSEC support requires a version of Postfix compiled against a
reasonably-modern DNS resolver(3) library that implements the
RES_USE_DNSSEC and RES_USE_EDNS0 resolver options.

This feature is available in Postfix 2.11 and later.

Enforcement mode: require that remote SMTP servers use TLS encryption, and
never send mail in the clear. This also requires that the remote SMTP
server hostname matches the information in the remote server certificate,
and that the remote SMTP server certificate was issued by a CA that is
trusted by the Postfix SMTP client. If the certificate doesn't verify or
the hostname doesn't match, delivery is deferred and mail stays in the
queue.

The server hostname is matched against all names provided as dNSNames in
the SubjectAlternativeName. If no dNSNames are specified, the CommonName is
checked. The behavior may be changed with the smtp_tls_enforce_peername
option.

This option is useful only if you are definitely sure that you will only
connect to servers that support RFC 2487 _and_ that provide valid server
certificates. Typical use is for clients that send all their email to a
dedicated mailhub.

This feature is available in Postfix 2.2 and later. With Postfix 2.3 and
later use smtp_tls_security_level instead.

Optional list of relay hosts for SMTP destinations that can't be found or
that are unreachable. With Postfix 2.2 and earlier this parameter is called
fallback_relay.

By default, mail is returned to the sender when a destination is not found,
and delivery is deferred when a destination is unreachable.

With bulk email deliveries, it can be beneficial to run the fallback relay
MTA on the same host, so that it can reuse the sender IP address. This
speeds up deliveries that are delayed by IP-based reputation systems
(greylist, etc.).

The fallback relays must be SMTP destinations. Specify a domain, host,
host:port, [host]:port, [address] or [address]:port; the form [host] turns
off MX lookups. If you specify multiple SMTP destinations, Postfix will try
them in the specified order.

To prevent mailer loops between MX hosts and fall-back hosts, Postfix
version 2.2 and later will not use the fallback relays for destinations
that it is MX host for (assuming DNS lookup is turned on).

Optional lookup tables that perform address rewriting in the Postfix SMTP
client, typically to transform a locally valid address into a globally
valid address when sending mail across the Internet. This is needed when
the local machine does not have its own Internet domain name, but uses
something like localdomain.local instead.

Specify zero or more "type:name" lookup tables, separated by whitespace or
comma. Tables will be searched in the specified order until a match is
found.

The table format and lookups are documented in generic(5); examples are
shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
documents.

This feature is available in Postfix 2.2 and later.

Restricted header_checks(5) tables for the Postfix SMTP client. These
tables are searched while mail is being delivered. Actions that change the
delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

The hostname to send in the SMTP HELO or EHLO command.

The default value is the machine hostname. Specify a hostname or
[ip.add.re.ss].

This information can be specified in the main.cf file for all SMTP clients,
or it can be specified in the master.cf file for a specific client, for
example:

    /etc/postfix/master.cf:
        mysmtp ... smtp -o smtp_helo_name=foo.bar.com

This feature is available in Postfix 2.0 and later.

The Postfix SMTP client time limit for sending the HELO or EHLO command,
and for receiving the initial remote SMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The
default time unit is s (seconds).

What mechanisms the Postfix SMTP client uses to look up a host's IP
address. This parameter is ignored when DNS lookups are disabled (see:
disable_dns_lookups and smtp_dns_support_level). The "dns" mechanism is
always tried before "native" if both are listed.

Specify one of the following:

dns
    Hosts can be found in the DNS (preferred).

native
    Use the native naming service only (nsswitch.conf, or equivalent
    mechanism).

dns, native
    Use the native service for hosts not found in the DNS.

This feature is available in Postfix 2.1 and later.

The maximal length of message header and body lines that Postfix will send
via SMTP. This limit does not include the <CR><LF> at the end of each line.
Longer lines are broken by inserting "<CR><LF><SPACE>", to minimize the
damage to MIME formatted mail.

The Postfix limit of 998 characters not including <CR><LF> is consistent
with the SMTP limit of 1000 characters including <CR><LF>. The Postfix
limit was 990 with Postfix 2.8 and earlier.

The Postfix SMTP client time limit for sending the MAIL FROM command, and
for receiving the remote SMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The
default time unit is s (seconds).

Restricted mime_header_checks(5) tables for the Postfix SMTP client. These
tables are searched while mail is being delivered. Actions that change the
delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

The maximal number of MX (mail exchanger) IP addresses that can result from
Postfix SMTP client mail exchanger lookups, or zero (no limit). Prior to
Postfix version 2.3, this limit was disabled by default.

This feature is available in Postfix 2.1 and later.

The maximal number of SMTP sessions per delivery request before the Postfix
SMTP client gives up or delivers to a fall-back relay host, or zero (no
limit). This restriction ignores sessions that fail to complete the SMTP
initial handshake (Postfix version 2.2 and earlier) or that fail to
complete the EHLO and TLS handshake (Postfix version 2.3 and later).

This feature is available in Postfix 2.1 and later.

Restricted nested_header_checks(5) tables for the Postfix SMTP client.
These tables are searched while mail is being delivered. Actions that
change the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

Never send EHLO at the start of an SMTP session. See also the
smtp_always_send_ehlo parameter.

Change the behavior of the smtp_*_timeout time limits, from a time limit
per read or write system call, to a time limit to send or receive a
complete record (an SMTP command line, SMTP response line, SMTP message
content line, or TLS protocol message). This limits the impact from hostile
peers that trickle data one byte at a time.

Note: when per-record deadlines are enabled, a short timeout may cause
problems with TLS over very slow network connections. The reasons are that
a TLS protocol message can be up to 16 kbytes long (with TLSv1), and that
an entire TLS protocol message must be sent or received within the
per-record deadline.

This feature is available in Postfix 2.9 and later. With older Postfix
releases, the behavior is as if this parameter is set to "no".

How long the Postfix SMTP client pauses before sending ".<CR><LF>" in order
to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.

Choosing a too short time makes this workaround ineffective when sending
large messages over slow network connections.

Lookup tables, indexed by the remote SMTP server address, with
per-destination workarounds for CISCO PIX firewall bugs. The table is not
indexed by hostname for consistency with
smtp_discard_ehlo_keyword_address_maps.

Specify zero or more "type:name" lookup tables, separated by whitespace or
comma. Tables will be searched in the specified order until a match is
found.

This feature is available in Postfix 2.4 and later.

How long a message must be queued before the Postfix SMTP client turns on
the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery through
firewalls with "smtp fixup" mode turned on.

By default, the workaround is turned off for mail that is queued for less
than 500 seconds. In other words, the workaround is normally turned off for
the first delivery attempt.

Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
upon the first delivery attempt.

A list that specifies zero or more workarounds for CISCO PIX firewall bugs.
These workarounds are implemented by the Postfix SMTP client. Workaround
names are separated by comma or space, and are case insensitive. This
parameter setting can be overruled with per-destination
smtp_pix_workaround_maps settings.

delay_dotcrlf
    Insert a delay before sending ".<CR><LF>" after the end of the message
    content. The delay is subject to the smtp_pix_workaround_delay_time
    and smtp_pix_workaround_threshold_time parameter settings.

disable_esmtp
    Disable all extended SMTP commands: send HELO instead of EHLO.

This feature is available in Postfix 2.4 and later. The default settings
are backwards compatible with earlier Postfix versions.

The Postfix SMTP client time limit for sending the QUIT command, and for
receiving the remote SMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The
default time unit is s (seconds).

Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands as
required by RFC 5321. This includes putting quotes around an address
localpart that ends in ".".

The default is to comply with RFC 5321. If you have to send mail to a
broken SMTP server, configure a special SMTP client in master.cf:

    /etc/postfix/master.cf:
        broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no

and route mail for the destination in question to the "broken-smtp"
message delivery with a transport(5) table.

This feature is available in Postfix 2.1 and later.

Randomize the order of equal-preference MX host addresses. This is a
performance feature of the Postfix SMTP client.

The Postfix SMTP client time limit for sending the SMTP RCPT TO command,
and for receiving the remote SMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The
default time unit is s (seconds).

A mechanism to transform replies from remote SMTP servers one line at a
time. This is a last-resort tool to work around server replies that break
interoperability with the Postfix SMTP client. Other uses involve fault
injection to test Postfix's handling of invalid responses.

Notes:

· In the case of a multi-line reply, the Postfix SMTP client uses the
  final reply line's numerical SMTP reply code and enhanced status code.

· The numerical SMTP reply code (XYZ) takes precedence over the enhanced
  status code (X.Y.Z). When the enhanced status code initial digit differs
  from the SMTP reply code initial digit, or when no enhanced status code
  is present, the Postfix SMTP client uses a generic enhanced status code
  (X.0.0) instead.

Specify the name of a "type:table" lookup table. The search string is a
single SMTP reply line as received from the remote SMTP server, except
that the trailing <CR><LF> are removed. When the lookup succeeds, the
result replaces the single SMTP reply line.

Examples:

    /etc/postfix/main.cf:
        smtp_reply_filter = pcre:/etc/postfix/reply_filter

    /etc/postfix/reply_filter:
        # Transform garbage into "250-filler..." so that it looks like
        # one line from a multi-line reply. It does not matter what we
        # substitute here as long it has the right syntax. The Postfix
        # SMTP client will use the final line's numerical SMTP reply
        # code and enhanced status code.
        !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage

This feature is available in Postfix 2.7.
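
The following is an added example, not Postfix code: it models the
per-line smtp_reply_filter lookup (including the negated "!/pattern/" form
of the pcre table above) and the two notes on multi-line replies and
enhanced status codes. The pcre table is the one from the example; the
reply lines and the filter_reply/reply_status names are constructed.

```python
import re
from typing import List, Tuple

# Added example (not Postfix code): a model of smtp_reply_filter and of the
# reply-code rules from the notes above. Table entries are stored as
# (negate, pattern, result); a "!/pattern/" entry matches lines that do
# NOT match the pattern. Reply lines below are constructed sample data.
FilterTable = List[Tuple[bool, "re.Pattern", str]]

def parse_pcre_table(text: str) -> FilterTable:
    """Parse a minimal pcre: table: '[!]/pattern/ result' lines, '#' comments."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(!?)/(.*)/\s+(.*)$", line)
        if not m:
            raise ValueError("unsupported table line: %r" % line)
        table.append((m.group(1) == "!", re.compile(m.group(2)), m.group(3)))
    return table

def filter_reply(lines: List[str], table: FilterTable) -> List[str]:
    """Apply the table to each reply line with its trailing <CR><LF>
    removed; the first matching entry's result replaces the whole line."""
    out = []
    for line in lines:
        key = line.rstrip("\r\n")
        for negate, pattern, result in table:
            if bool(pattern.search(key)) != negate:
                key = result
                break
        out.append(key)
    return out

# XYZ reply code at the start of a line, followed by " ", "-" or end of line.
CODE_RE = re.compile(r"^([2-5][0-9][0-9])(?:[ -]|$)")
# Optional X.Y.Z enhanced status code directly after the reply code.
ENHANCED_RE = re.compile(
    r"^[2-5][0-9][0-9][ -]([2-5]\.[0-9]{1,3}\.[0-9]{1,3})(?=\s|$)")

def reply_status(lines: List[str]) -> Tuple[str, str]:
    """Return (reply code, enhanced status code) as the notes describe: the
    final line decides, and a missing or mismatching enhanced code is
    replaced by the generic X.0.0 derived from the numerical reply code."""
    final = lines[-1]
    m = CODE_RE.match(final)
    if not m:
        raise ValueError("final reply line has no SMTP reply code: %r" % final)
    code = m.group(1)
    e = ENHANCED_RE.match(final)
    enhanced = e.group(1) if e else None
    if enhanced is None or enhanced[0] != code[0]:
        enhanced = code[0] + ".0.0"
    return code, enhanced

# The table from the documentation example above, verbatim.
GARBAGE_FILTER = parse_pcre_table(r"""
!/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
""")

# Constructed multi-line EHLO reply with one bogus line in the middle.
SAMPLE_REPLY = [
    "250-mail.example.net Hello client.example.com\r\n",
    "junk line that is not an SMTP reply\r\n",
    "250-PIPELINING\r\n",
    "250 2.0.0 OK\r\n",
]

if __name__ == "__main__":
    fixed = filter_reply(SAMPLE_REPLY, GARBAGE_FILTER)
    print(fixed)
    print(reply_status(fixed))
    # Mismatching initial digit and missing enhanced code both fall back to X.0.0.
    print(reply_status(["550 4.1.1 No such user"]), reply_status(["421 Try later"]))
```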
6816
The Postfix SMTP client time limit for sending the RSET command, and for
receiving the remote SMTP server response. The SMTP client sends RSET in
order to finish a recipient address probe, or to verify that a cached
session is still usable.

This feature is available in Postfix 2.1 and later.

An optional table to prevent repeated SASL authentication failures with the
same remote SMTP server hostname, username and password. Each table (key,
value) pair contains a server name, a username and password, and the full
server response. This information is stored when a remote SMTP server
rejects an authentication attempt with a 535 reply code. As long as the
smtp_sasl_password_maps information does not change, and as long as the
smtp_sasl_auth_cache_name information does not expire (see
smtp_sasl_auth_cache_time) the Postfix SMTP client avoids SASL
authentication attempts with the same server, username and password, and
instead bounces or defers mail as controlled with the
smtp_sasl_auth_soft_bounce configuration parameter.

Use a per-destination delivery concurrency of 1 (for example,
"smtp_destination_concurrency_limit = 1",
"relay_destination_concurrency_limit = 1", etc.), otherwise multiple
delivery agents may experience a login failure at the same time.

The table must be accessed via the proxywrite service, i.e. the map name
must start with "proxy:". The table should be stored under the directory
specified with the data_directory parameter.

This feature uses cryptographic hashing to protect plain-text passwords,
and requires that Postfix is compiled with TLS support.

Example:

    smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache

This feature is available in Postfix 2.5 and later.

The maximal age of an smtp_sasl_auth_cache_name entry before it is removed.

This feature is available in Postfix 2.5 and later.

Enable SASL authentication in the Postfix SMTP client. By default, the
Postfix SMTP client uses no authentication.

Example:

    smtp_sasl_auth_enable = yes

When a remote SMTP server rejects a SASL authentication request with a 535
reply code, defer mail delivery instead of returning mail as undeliverable.
The latter behavior was hard-coded prior to Postfix version 2.5.

Note: the setting "yes" overrides the global soft_bounce parameter, but the
setting "no" does not.

Example:

    # Default as of Postfix 2.5
    smtp_sasl_auth_soft_bounce = yes
    # The old hard-coded default
    smtp_sasl_auth_soft_bounce = no

This feature is available in Postfix 2.5 and later.

If non-empty, a Postfix SMTP client filter for the remote SMTP server's
list of offered SASL mechanisms. Different client and server
implementations may support different mechanism lists; by default, the
Postfix SMTP client will use the intersection of the two.
smtp_sasl_mechanism_filter specifies an optional third mechanism list to
intersect with.

Specify mechanism names, "/file/name" patterns or "type:table" lookup
tables. The right-hand side result from "type:table" lookups is ignored.
Specify "!pattern" to exclude a mechanism name from the list. The form
"!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

Examples:

    smtp_sasl_mechanism_filter = plain, login
    smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
    smtp_sasl_mechanism_filter = !gssapi, !login, static:rest

Optional Postfix SMTP client lookup tables with one username:password entry
per sender, remote hostname or next-hop domain. Per-sender lookup is done
only when sender-dependent authentication is enabled. If no
username:password entry is found, then the Postfix SMTP client will not
attempt to authenticate to the remote host.

The Postfix SMTP client opens the lookup table before going to chroot jail,
so you can leave the password file in /etc/postfix.

Specify zero or more "type:name" lookup tables, separated by whitespace or
comma. Tables will be searched in the specified order until a match is
found.

Implementation-specific information that the Postfix SMTP client passes
through to the SASL plug-in implementation that is selected with
smtp_sasl_type. Typically this specifies the name of a configuration file
or rendezvous point.

This feature is available in Postfix 2.3 and later.

Postfix SMTP client SASL security options; as of Postfix 2.3 the list of
available features depends on the SASL client implementation that is
selected with smtp_sasl_type.

The following security features are defined for the cyrus client SASL
implementation:

Specify zero or more of the following:

noplaintext
    Disallow methods that use plaintext passwords.

noactive
    Disallow methods subject to active (non-dictionary) attack.

nodictionary
    Disallow methods subject to passive (dictionary) attack.

noanonymous
    Disallow methods that allow anonymous authentication.

mutual_auth
    Only allow methods that provide mutual authentication (not available
    with SASL version 1).

Example:

    smtp_sasl_security_options = noplaintext

The SASL authentication security options that the Postfix SMTP client uses
for TLS encrypted SMTP sessions.

This feature is available in Postfix 2.2 and later.

rity_options)
The SASL authentication security options that the Postfix SMTP client uses
for TLS encrypted SMTP sessions with a verified server certificate.

When mail is sent to the public MX host for the recipient's domain, server
certificates are by default optional, and delivery proceeds even if
certificate verification fails. For delivery via a submission service that
requires SASL authentication, it may be appropriate to send plaintext
passwords only when the connection to the server is strongly encrypted and
the server identity is verified.

The smtp_sasl_tls_verified_security_options parameter makes it possible to
only enable plaintext mechanisms when a secure connection to the server is
available. Submission servers subject to this policy must either have
verifiable certificates or offer suitable non-plaintext SASL mechanisms.

This feature is available in Postfix 2.6 and later.
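
The following is an added example, not Postfix code: it models how the
mechanism intersection, smtp_sasl_mechanism_filter, and the three
security-option lists (smtp_sasl_security_options,
smtp_sasl_tls_security_options and
smtp_sasl_tls_verified_security_options) described above narrow the
mechanisms the client may use, so that a plaintext password is offered only
on a verified TLS session. The mechanism property table is a simplified,
constructed classification (not Cyrus SASL metadata), "noactive" is not
modelled, and the settings and function names are constructed.

```python
from typing import Dict, List, Set

# Added example (not Postfix code): a model of SASL mechanism selection.
# MECH_PROPERTIES is a constructed, simplified classification used only to
# give the security options something to act on.
MECH_PROPERTIES: Dict[str, Set[str]] = {
    "PLAIN":      {"plaintext"},
    "LOGIN":      {"plaintext"},
    "ANONYMOUS":  {"anonymous"},
    "CRAM-MD5":   {"dictionary"},
    "DIGEST-MD5": {"dictionary", "mutual"},
    "GSSAPI":     {"mutual"},
}

# security option -> (forbid|require, mechanism property); "noactive" omitted.
OPTION_RULES = {
    "noplaintext":  ("forbid", "plaintext"),
    "noanonymous":  ("forbid", "anonymous"),
    "nodictionary": ("forbid", "dictionary"),
    "mutual_auth":  ("require", "mutual"),
}

def parse_list(value: str) -> List[str]:
    """Split a main.cf list value on comma or whitespace."""
    return value.replace(",", " ").split()

def apply_mechanism_filter(mechs: List[str], filter_value: str) -> List[str]:
    """smtp_sasl_mechanism_filter as a third list to intersect with. Entries
    are plain names or "!name" exclusions, checked in order; a "static:"
    entry matches every name (its right-hand side is ignored). "/file/name"
    and other "type:table" entries are not modelled here."""
    entries = parse_list(filter_value)
    if not entries:
        return list(mechs)
    kept = []
    for mech in mechs:
        for entry in entries:
            negate = entry.startswith("!")
            name = entry[1:] if negate else entry
            if name.lower().startswith("static:") or name.lower() == mech.lower():
                if not negate:
                    kept.append(mech)
                break   # first matching entry decides; no entry -> excluded
    return kept

def apply_security_options(mechs: List[str], options: str) -> List[str]:
    """Drop mechanisms that a security option forbids or that lack a
    property a security option requires."""
    rules = []
    for opt in parse_list(options):
        if opt not in OPTION_RULES:
            raise ValueError("security option not modelled here: %r" % opt)
        rules.append(OPTION_RULES[opt])
    kept = []
    for mech in mechs:
        props = MECH_PROPERTIES.get(mech.upper(), set())
        if all((prop not in props) if kind == "forbid" else (prop in props)
               for kind, prop in rules):
            kept.append(mech)
    return kept

def usable_mechanisms(server_offered: List[str], client_supported: List[str],
                      settings: Dict[str, str], tls_state: str) -> List[str]:
    """tls_state selects which option list applies: 'plaintext' (no TLS),
    'encrypted' (TLS, unverified certificate) or 'verified' (TLS with a
    verified server certificate)."""
    option_param = {
        "plaintext": "smtp_sasl_security_options",
        "encrypted": "smtp_sasl_tls_security_options",
        "verified":  "smtp_sasl_tls_verified_security_options",
    }[tls_state]
    # Start with the intersection of what both sides implement, in server order.
    mechs = [m for m in server_offered if m in client_supported]
    mechs = apply_mechanism_filter(mechs, settings.get("smtp_sasl_mechanism_filter", ""))
    return apply_security_options(mechs, settings.get(option_param, ""))

# Constructed main.cf settings: plaintext passwords only over a verified TLS
# session; the filter removes LOGIN and GSSAPI regardless of TLS state.
SETTINGS = {
    "smtp_sasl_mechanism_filter":              "!gssapi, !login, static:rest",
    "smtp_sasl_security_options":              "noplaintext, noanonymous",
    "smtp_sasl_tls_security_options":          "noplaintext, noanonymous",
    "smtp_sasl_tls_verified_security_options": "noanonymous",
}
SERVER_OFFERS = ["PLAIN", "LOGIN", "CRAM-MD5", "GSSAPI", "ANONYMOUS"]
CLIENT_SUPPORTS = ["PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "ANONYMOUS"]

if __name__ == "__main__":
    for state in ("plaintext", "encrypted", "verified"):
        print(state, usable_mechanisms(SERVER_OFFERS, CLIENT_SUPPORTS, SETTINGS, state))
```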
6988
The SASL plug-in type that the Postfix SMTP client should use for
authentication. The available types are listed with the "postconf -A"
command.

This feature is available in Postfix 2.3 and later.

Whether or not to append the "AUTH=<>" option to the MAIL FROM command in
SASL-authenticated SMTP sessions. The default is not to send this, to avoid
problems with broken remote SMTP servers. Before Postfix 2.9 the behavior
is as if "smtp_send_dummy_mail_auth = yes".

This feature is available in Postfix 2.9 and later.

Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
response announces XFORWARD support.

This allows a Postfix SMTP delivery agent, used for injecting mail into a
content filter, to forward the name, address, protocol and HELO name of the
original client to the content filter and downstream queuing SMTP server.
This can produce more useful logging than localhost[127.0.0.1] etc.

This feature is available in Postfix 2.1 and later.

Enable sender-dependent authentication in the Postfix SMTP client; this is
available only with SASL authentication, and disables SMTP connection
caching to ensure that mail from different senders will use the appropriate
credentials.

This feature is available in Postfix 2.3 and later.

Skip SMTP servers that greet with a 4XX status code (go away, try again
later).

By default, the Postfix SMTP client moves on to the next mail exchanger.
Specify "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
immediately.

This feature is available in Postfix 2.0 and earlier. Later Postfix
versions always skip remote SMTP servers that greet with a 4XX status code.

Skip remote SMTP servers that greet with a 5XX status code.

By default, the Postfix SMTP client moves on to the next mail exchanger.
Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
immediately. Caution: the latter behavior appears to contradict RFC 2821.

Do not wait for the response to the SMTP QUIT command.

Time limit for Postfix SMTP client write and read operations during TLS
startup and shutdown handshake procedures.

This feature is available in Postfix 2.2 and later.

The default TCP port that the Postfix SMTP client connects to. Specify a
symbolic name (see services(5)) or a numeric port.

A file containing CA certificates of root CAs trusted to sign either remote
SMTP server certificates or intermediate CA certificates. These are loaded
into memory before the smtp(8) client enters the chroot jail. If the number
of trusted roots is large, consider using smtp_tls_CApath instead, but note
that the latter directory must be present in the chroot jail if the smtp(8)
client is chrooted. This file may also be used to augment the client
certificate trust chain, but it is best to include all the required
certificates directly in $smtp_tls_cert_file.

Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use ONLY the
system-supplied default Certification Authority certificates.

Specify "tls_append_default_CA = no" to prevent Postfix from appending the
system-supplied default CAs and trusting third-party certificates.

Example:

    smtp_tls_CAfile = /etc/postfix/CAcert.pem

This feature is available in Postfix 2.2 and later.

Directory with PEM format Certification Authority certificates that the
Postfix SMTP client uses to verify a remote SMTP server certificate. Don't
forget to create the necessary "hash" links with, for example,
"$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".

To use this option in chroot mode, this directory (or a copy) must be
inside the chroot jail.

Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY the
system-supplied default Certification Authority certificates.

Specify "tls_append_default_CA = no" to prevent Postfix from appending the
system-supplied default CAs and trusting third-party certificates.

Example:

    smtp_tls_CApath = /etc/postfix/certs

This feature is available in Postfix 2.2 and later.

Try to detect a mail hijacking attack based on a TLS protocol vulnerability
(CVE-2009-3555), where an attacker prepends malicious HELO, MAIL, RCPT,
DATA commands to a Postfix SMTP client TLS session. The attack would
succeed with non-Postfix SMTP servers that reply to the malicious HELO,
MAIL, RCPT, DATA commands after negotiating the Postfix SMTP client TLS
session.

This feature is available in Postfix 2.7.

7112 File with the Postfix SMTP client RSA certificate in PEM format. This
7113 file may also contain the Postfix SMTP client private RSA key, and
7114 these may be the same as the Postfix SMTP server RSA certificate and
7115 key file.
7116
7117 Do not configure client certificates unless you must present client TLS
7118 certificates to one or more servers. Client certificates are not usu‐
7119 ally needed, and can cause problems in configurations that work well
7120 without them. The recommended setting is to let the defaults stand:
7121
7122 smtp_tls_cert_file =
7123 smtp_tls_key_file =
7124 smtp_tls_dcert_file =
7125 smtp_tls_dkey_file =
7126 smtp_tls_eccert_file =
7127 smtp_tls_eckey_file =
7128
7129 The best way to use the default settings is to comment out the above
7130 parameters in main.cf if present.
7131
7132 To enable remote SMTP servers to verify the Postfix SMTP client cer‐
7133 tificate, the issuing CA certificates must be made available to the
7134 server. You should include the required certificates in the client cer‐
7135 tificate file, the client certificate first, then the issuing CA(s)
7136 (bottom-up order).
7137
7138 Example: the certificate for "client.example.com" was issued by "inter‐
7139 mediate CA" which itself has a certificate issued by "root CA". Create
7140 the client.pem file with "cat client_cert.pem intermediate_CA.pem
7141 root_CA.pem > client.pem".
7142
7143 If you also want to verify remote SMTP server certificates issued by
7144 these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
7145 which case it is not necessary to have them in the smtp_tls_cert_file,
7146 smtp_tls_dcert_file or smtp_tls_eccert_file.
7147
7148 A certificate supplied here must be usable as an SSL client certificate
7149 and hence pass the "openssl verify -purpose sslclient ..." test.
7150
7151 Example:
7152
7153 smtp_tls_cert_file = /etc/postfix/client.pem
7154
7155 This feature is available in Postfix 2.2 and later.
7156
7157 smtp_tls_cipherlist
7158 Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
7159 list. As this feature applies to all TLS security levels, it is easy to
7160 create interoperability problems by choosing a non-default cipher list.
7161 Do not use a non-default TLS cipher list on hosts that deliver email to
7162 the public Internet: you will be unable to send email to servers that
7163 only support the ciphers you exclude. Using a restricted cipher list
7164 may be more appropriate for an internal MTA, where one can exert some
7165 control over the TLS software and settings of the peer servers.
7166
7167 Note: do not use "" quotes around the parameter value.
7168
7169 This feature is available in Postfix version 2.2. It is not used with
7170 Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
7171
7172 smtp_tls_ciphers
7173 The minimum TLS cipher grade that the Postfix SMTP client will use with
7174 opportunistic TLS encryption. Cipher types listed in
7175 smtp_tls_exclude_ciphers are excluded from the base definition of the
7176 selected cipher grade. The default value is "medium" for Postfix
7177 releases after the middle of 2015, "export" for older releases.
7178
7179 When TLS is mandatory the cipher grade is chosen via the
7180 smtp_tls_mandatory_ciphers configuration parameter, see there for syn‐
7181 tax details. See smtp_tls_policy_maps for information on how to config‐
7182 ure ciphers on a per-destination basis.
7183
7184 This feature is available in Postfix 2.6 and later. With earlier Post‐
7185 fix releases only the smtp_tls_mandatory_ciphers parameter is imple‐
7186 mented, and opportunistic TLS always uses "export" or better (i.e. all)
7187 ciphers.
7188
7189 smtp_tls_dane_insecure_mx_policy
7190 The TLS policy for MX hosts with "secure" TLSA records when the nexthop
7191 destination security level is dane, but the MX record was found via an
7192 "insecure" MX lookup. The choices are:
7193
7194 may The TLSA records will be ignored and TLS will be optional. If
7195 the MX host does not appear to support STARTTLS, or the STARTTLS
7196 handshake fails, mail may be sent in the clear.
7197
7198 encrypt
7199 The TLSA records will signal a requirement to use TLS. While
7200 TLS encryption will be required, authentication will not be per‐
7201 formed.
7202
7203 dane (default)
7204 The TLSA records will be used just as with "secure" MX records.
7205 TLS encryption will be required, and, if at least one of the
7206 TLSA records is "usable", authentication will be required. When
7207 authentication succeeds, it will be logged only as "Trusted",
7208 not "Verified", because the MX host name could have been forged.
7209 Though with "insecure" MX records an active attacker can compro‐
7210 mise SMTP transport security by returning forged MX records,
7211 such attacks are "tamper-evident" since any forged MX hostnames
7212 will be recorded in the mail logs. Attackers who place a high
7213 value on staying hidden may be deterred from forging MX records.
7214
7215 This feature is available in Postfix 3.1 and later. The may policy is
7216 backwards-compatible with earlier Postfix versions.
7217
7218 smtp_tls_dcert_file
7219 File with the Postfix SMTP client DSA certificate in PEM format. This
7220 file may also contain the Postfix SMTP client private DSA key.
7221
7222 See the discussion under smtp_tls_cert_file for more details.
7223
7224 Example:
7225
7226 smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
7227
7228 This feature is available in Postfix 2.2 and later.
7229
7230 smtp_tls_dkey_file
7231 File with the Postfix SMTP client DSA private key in PEM format. This
7232 file may be combined with the Postfix SMTP client DSA certificate file
7233 specified with $smtp_tls_dcert_file.
7234
7235 The private key must be accessible without a pass-phrase, i.e. it must
7236 not be encrypted. File permissions should grant read-only access to the
7237 system superuser account ("root"), and no access to anyone else.
7238
7239 This feature is available in Postfix 2.2 and later.
7240
7241 smtp_tls_eccert_file
7242 File with the Postfix SMTP client ECDSA certificate in PEM format.
7243 This file may also contain the Postfix SMTP client ECDSA private key.
7244
7245 See the discussion under smtp_tls_cert_file for more details.
7246
7247 Example:
7248
7249 smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
7250
7251 This feature is available in Postfix 2.6 and later, when Postfix is
7252 compiled and linked with OpenSSL 1.0.0 or later.
7253
7254 smtp_tls_eckey_file
7255 File with the Postfix SMTP client ECDSA private key in PEM format.
7256 This file may be combined with the Postfix SMTP client ECDSA certifi‐
7257 cate file specified with $smtp_tls_eccert_file.
7258
7259 The private key must be accessible without a pass-phrase, i.e. it must
7260 not be encrypted. File permissions should grant read-only access to the
7261 system superuser account ("root"), and no access to anyone else.
7262
7263 This feature is available in Postfix 2.6 and later, when Postfix is
7264 compiled and linked with OpenSSL 1.0.0 or later.
7265
7266 smtp_tls_enforce_peername
7267 With mandatory TLS encryption, require that the remote SMTP server
7268 hostname matches the information in the remote SMTP server certificate.
7269 As of RFC 2487 the requirements for hostname checking for MTA clients
7270 are not specified.
7271
7272 This option can be set to "no" to disable strict peer name checking.
7273 This setting has no effect on sessions that are controlled via the
7274 smtp_tls_per_site table.
7275
7276 Disabling the hostname verification can make sense in closed
7277 environments where special CAs are created. If not used carefully, this option
7278 opens the danger of a "man-in-the-middle" attack (the CommonName of
7279 this attacker will be logged).
7280
7281 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7282 and later use smtp_tls_security_level instead.
7283
7284 smtp_tls_exclude_ciphers
7285 List of ciphers or cipher types to exclude from the Postfix SMTP client
7286 cipher list at all TLS security levels. This is not an OpenSSL
7287 cipherlist, it is a simple list separated by whitespace and/or commas.
7288 The elements are a single cipher, or one or more "+" separated cipher
7289 properties, in which case only ciphers matching all the properties are
7290 excluded.
7291
7292 Examples (some of these will cause problems):
7293
7294 smtp_tls_exclude_ciphers = aNULL
7295 smtp_tls_exclude_ciphers = MD5, DES
7296 smtp_tls_exclude_ciphers = DES+MD5
7297 smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
7298 smtp_tls_exclude_ciphers = kEDH+aRSA
7299
7300 The first setting disables anonymous ciphers. The next setting
7301 disables ciphers that use the MD5 digest algorithm or the (single) DES
7302 encryption algorithm. The next setting disables ciphers that use MD5
7303 and DES together. The next setting disables the two ciphers
7304 "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
7305 use "EDH" key exchange with RSA authentication.
7306
7307 This feature is available in Postfix 2.3 and later.
7308
7309 smtp_tls_fingerprint_cert_match
7310 List of acceptable remote SMTP server certificate fingerprints for the
7311 "fingerprint" TLS security level (smtp_tls_security_level = finger‐
7312 print). At this security level, Certification Authorities are not used,
7313 and certificate expiration times are ignored. Instead, server certifi‐
7314 cates are verified directly via their certificate fingerprint or public
7315 key fingerprint (Postfix 2.9 and later). The fingerprint is a message
7316 digest of the server certificate (or public key). The digest algorithm
7317 is selected via the smtp_tls_fingerprint_digest parameter.
7318
7319 When an smtp_tls_policy_maps table entry specifies the "fingerprint"
7320 security level, any "match" attributes in that entry specify the list
7321 of valid fingerprints for the corresponding destination. Multiple fin‐
7322 gerprints can be combined with a "|" delimiter in a single match
7323 attribute, or multiple match attributes can be employed.
7324
7325 Example: Certificate fingerprint verification with internal mailhub.
7326 Two matching fingerprints are listed. The relayhost may be multiple
7327 physical hosts behind a load-balancer, each with its own private/public
7328 key and self-signed certificate. Alternatively, a single relayhost may
7329 be in the process of switching from one set of private/public keys to
7330 another, and both keys are trusted just prior to the transition.
7331
7332 relayhost = [mailhub.example.com]
7333 smtp_tls_security_level = fingerprint
7334 smtp_tls_fingerprint_digest = md5
7335 smtp_tls_fingerprint_cert_match =
7336 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7337 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7338
7339 Example: Certificate fingerprint verification with selected destina‐
7340 tions. As in the example above, we show two matching fingerprints:
7341
7342 /etc/postfix/main.cf:
7343 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7344 smtp_tls_fingerprint_digest = md5
7345
7346 /etc/postfix/tls_policy:
7347 example.com fingerprint
7348 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7349 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7350
7351 This feature is available in Postfix 2.5 and later.
7352
7353 smtp_tls_fingerprint_digest
7354 The message digest algorithm used to construct remote SMTP server cer‐
7355 tificate fingerprints. At the "fingerprint" TLS security level
7356 (smtp_tls_security_level = fingerprint), the server certificate is ver‐
7357 ified by directly matching its certificate fingerprint or its public
7358 key fingerprint (Postfix 2.9 and later). The fingerprint is the message
7359 digest of the server certificate (or its public key) using the selected
7360 algorithm. With a digest algorithm resistant to "second pre-image"
7361 attacks, it is not feasible to create a new public key and a matching
7362 certificate (or public/private key-pair) that has the same fingerprint.
7363
7364 The default algorithm is md5; this is consistent with the backwards
7365 compatible setting of the digest used to verify client certificates in
7366 the SMTP server.
7367
7368 The best practice algorithm is now sha1. Recent advances in hash func‐
7369 tion cryptanalysis have led to md5 being deprecated in favor of sha1.
7370 However, as long as there are no known "second pre-image" attacks
7371 against md5, its use in this context can still be considered safe.
7372
7373 While additional digest algorithms are often available with OpenSSL's
7374 libcrypto, only those used by libssl in SSL cipher suites are available
7375 to Postfix. For now this means just md5 or sha1.
7376
7377 To find the fingerprint of a specific certificate file, with a specific
7378 digest algorithm, run:
7379
7380 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7381
7382 The text to the right of "=" sign is the desired fingerprint. For
7383 example:
7384
7385 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7386 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7387
7388 To extract the public key fingerprint from an X.509 certificate, you
7389 need to extract the public key from the certificate and compute the
7390 appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
7391 key" option of the "x509" command extracts the public key always in
7392 "PEM" format. We pipe the result to another OpenSSL command that con‐
7393 verts the key to DER and then to the "dgst" command to compute the fin‐
7394 gerprint.
7395
7396 The actual command to transform the key to DER format depends on the
7397 version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
7398 mand supports all key types. With OpenSSL 0.9.8 and earlier, the key
7399 type is always RSA (nobody uses DSA, and EC keys are not fully sup‐
7400 ported by 0.9.8), so the "rsa" command is used.
7401
7402 # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
7403 $ openssl x509 -in cert.pem -noout -pubkey |
7404 openssl pkey -pubin -outform DER |
7405 openssl dgst -sha1 -c
7406 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
7407
7408 # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
7409 $ openssl x509 -in cert.pem -noout -pubkey |
7410 openssl rsa -pubin -outform DER |
7411 openssl dgst -md5 -c
7412 (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
7413
7414 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
7415 gerprint and public key fingerprint when the TLS loglevel is 2 or
7416 higher.
7417
7418 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
7419 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
7420 later.
7421
7422 This feature is available in Postfix 2.5 and later.
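
The fingerprint computation described above for smtp_tls_fingerprint_digest (certificate fingerprint and public key fingerprint), together with the "|"-delimited match lists of smtp_tls_fingerprint_cert_match, as an added example that is not part of the Postfix sources. It uses only the Python standard library; the DER walker, the constructed sample certificate (dummy key bits, no real signature) and the case-insensitive comparison are assumptions of this example.

```python
import base64
import hashlib
import re

SEQUENCE = 0x30
CONTEXT_0 = 0xA0  # EXPLICIT [0] tag of the optional X.509 "version" field


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body, yielding the DER bytes."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite-length form); used to build sample input."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf: bytes, off: int):
    """Decode the TLV header at buf[off]; return (tag, content_start, content_end)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, end


def _children(buf: bytes, start: int, end: int):
    """Return [(tag, whole_tlv_bytes), ...] for the elements of a constructed value."""
    out, off = [], start
    while off < end:
        tag, _, cend = _read_tlv(buf, off)
        out.append((tag, buf[off:cend]))
        off = cend
    return out


def extract_spki_der(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a DER certificate. Layout:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, start, end = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER Certificate")
    top = _children(cert_der, start, end)
    if not top or top[0][0] != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, ts, te = _read_tlv(top[0][1], 0)
    fields = _children(top[0][1], ts, te)
    if fields and fields[0][0] == CONTEXT_0:  # skip the optional version field
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][1]


def fingerprint(data: bytes, digest: str = "sha1") -> str:
    """Colon-separated upper-case hex digest. Over the whole DER certificate this is
    the value of "openssl x509 -noout -fingerprint -<digest>"."""
    hexdigest = hashlib.new(digest, data).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pubkey_fingerprint(cert_der: bytes, digest: str = "sha1") -> str:
    """Digest of the DER SubjectPublicKeyInfo, i.e. the value of the
    "x509 -pubkey | pkey -pubin -outform DER | dgst -<digest> -c" pipeline."""
    return fingerprint(extract_spki_der(cert_der), digest)


def fingerprint_matches(observed: str, match_attr: str) -> bool:
    """A policy-table "match" value may join several fingerprints with "|".
    Hex case is ignored here (assumption of this example)."""
    wanted = {m.strip().upper() for m in match_attr.split("|") if m.strip()}
    return observed.upper() in wanted


def sample_certificate():
    """Constructed, structurally valid DER 'certificate' with dummy key bits and a
    dummy signature (not a real certificate); returns (cert_der, spki_der)."""
    alg = der_encode(SEQUENCE, der_encode(0x06, bytes.fromhex("2A864886F70D010101"))
                     + der_encode(0x05, b""))                 # rsaEncryption, NULL
    spki = der_encode(SEQUENCE, alg + der_encode(0x03, b"\x00" + b"\x01" * 16))
    name = der_encode(SEQUENCE, b"")                          # empty Name
    validity = der_encode(SEQUENCE, der_encode(0x17, b"240101000000Z") * 2)
    tbs = der_encode(SEQUENCE, der_encode(CONTEXT_0, der_encode(0x02, b"\x02"))
                     + der_encode(0x02, b"\x01") + alg + name + validity + name + spki)
    cert = der_encode(SEQUENCE, tbs + alg + der_encode(0x03, b"\x00" * 17))
    return cert, spki
```

For a real certificate, pass `pem_to_der(open("cert.pem").read())` to `fingerprint` (certificate fingerprint) or `pubkey_fingerprint` (public key fingerprint) and compare the result with the openssl output shown above.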
7423
7424 smtp_tls_force_insecure_host_tlsa_lookup
7425 Look up the associated DANE TLSA RRset even when a hostname is not an
7426 alias and its address records lie in an unsigned zone. This is
7427 unlikely to ever yield DNSSEC validated results, since child zones of
7428 unsigned zones are also unsigned in the absence of DLV or locally con‐
7429 figured non-root trust-anchors. We anticipate that such mechanisms
7430 will not be used for just the "_tcp" subdomain of a host. Suppressing
7431 the TLSA RRset lookup reduces latency and avoids potential interoper‐
7432 ability problems with nameservers for unsigned zones that are not pre‐
7433 pared to handle the new TLSA RRset.
7434
7435 This feature is available in Postfix 2.11.
7436
7437 smtp_tls_key_file
7438 File with the Postfix SMTP client RSA private key in PEM format. This
7439 file may be combined with the Postfix SMTP client RSA certificate file
7440 specified with $smtp_tls_cert_file.
7441
7442 The private key must be accessible without a pass-phrase, i.e. it must
7443 not be encrypted. File permissions should grant read-only access to the
7444 system superuser account ("root"), and no access to anyone else.
7445
7446 Example:
7447
7448 smtp_tls_key_file = $smtp_tls_cert_file
7449
7450 This feature is available in Postfix 2.2 and later.
7451
7452 smtp_tls_loglevel
7453 Enable additional Postfix SMTP client logging of TLS activity. Each
7454 logging level also includes the information that is logged at a lower
7455 logging level.
7456
7457 0 Disable logging of TLS activity.
7458
7459 1 Log only a summary message on TLS handshake completion - no
7460 logging of remote SMTP server certificate trust-chain verifica‐
7461 tion errors if server certificate verification is not required.
7462 With Postfix 2.8 and earlier, log the summary message and uncon‐
7463 ditionally log trust-chain verification errors.
7464
7465 2 Also log levels during TLS negotiation.
7466
7467 3 Also log hexadecimal and ASCII dump of TLS negotiation
7468 process.
7469
7470 4 Also log hexadecimal and ASCII dump of complete transmission
7471 after STARTTLS.
7472
7473 Do not use "smtp_tls_loglevel = 2" or higher except in case of prob‐
7474 lems. Use of loglevel 4 is strongly discouraged.
7475
7476 This feature is available in Postfix 2.2 and later.
7477
7478 smtp_tls_mandatory_ciphers
7479 The minimum TLS cipher grade that the Postfix SMTP client will use with
7480 mandatory TLS encryption. The default value "medium" is suitable for
7481 most destinations with which you may want to enforce TLS, and is beyond
7482 the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
7483 for information on how to configure ciphers on a per-destination basis.
7484
7485 The following cipher grades are supported:
7486
7487 export Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
7488 cipherlist is specified via the tls_export_cipherlist configura‐
7489 tion parameter, which you are strongly encouraged to not change.
7490 This choice is insecure and SHOULD NOT be used.
7491
7492 low Enable "LOW" grade or better OpenSSL ciphers. The underlying
7493 cipherlist is specified via the tls_low_cipherlist configuration
7494 parameter, which you are strongly encouraged to not change.
7495 This choice is insecure and SHOULD NOT be used.
7496
7497 medium Enable "MEDIUM" grade or better OpenSSL ciphers. The underlying
7498 cipherlist is specified via the tls_medium_cipherlist configura‐
7499 tion parameter, which you are strongly encouraged to not change.
7500
7501 high Enable only "HIGH" grade OpenSSL ciphers. This setting may be
7502 appropriate when all mandatory TLS destinations (e.g. when all
7503 mail is routed to a suitably capable relayhost) support at least
7504 one "HIGH" grade cipher. The underlying cipherlist is specified
7505 via the tls_high_cipherlist configuration parameter, which you
7506 are strongly encouraged to not change.
7507
7508 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
7509 cation without encryption. This setting is only appropriate in
7510 the rare case that all servers are prepared to use NULL ciphers
7511 (not normally enabled in TLS servers). A plausible use-case is
7512 an LMTP server listening on a UNIX-domain socket that is config‐
7513 ured to support "NULL" ciphers. The underlying cipherlist is
7514 specified via the tls_null_cipherlist configuration parameter,
7515 which you are strongly encouraged to not change.
7516
7517 The underlying cipherlists for grades other than "null" include anony‐
7518 mous ciphers, but these are automatically filtered out if the Postfix
7519 SMTP client is configured to verify server certificates. You are very
7520 unlikely to need to take any steps to exclude anonymous ciphers, they
7521 are excluded automatically as necessary. If you must exclude anonymous
7522 ciphers at the "may" or "encrypt" security levels, when the Postfix
7523 SMTP client does not need or use peer certificates, set
7524 "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
7525 when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
7526
7527 This feature is available in Postfix 2.3 and later.
7528
7529 smtp_tls_mandatory_exclude_ciphers
7530 Additional list of ciphers or cipher types to exclude from the Postfix
7531 SMTP client cipher list at mandatory TLS security levels. This list
7532 works in addition to the exclusions listed with
7533 smtp_tls_exclude_ciphers (see there for syntax details).
7534
7535 Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
7536 ified on a per-destination basis via the TLS policy "exclude"
7537 attribute. See smtp_tls_policy_maps for notes and examples.
7538
7539 This feature is available in Postfix 2.3 and later.
7540
7541 smtp_tls_mandatory_protocols
7542 List of SSL/TLS protocols that the Postfix SMTP client will use with
7543 mandatory TLS encryption. In main.cf the values are separated by
7544 whitespace, commas or colons. In the policy table "protocols" attribute
7545 (see smtp_tls_policy_maps) the only valid separator is colon. An empty
7546 value means allow all protocols. The valid protocol names (see
7547 SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1". The default
7548 value is "!SSLv2, !SSLv3" for Postfix releases after the middle of
7549 2015, "!SSLv2" for older releases.
7550
7551 With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
7552 col exclusions. One can explicitly exclude "SSLv2" by setting
7553 "smtp_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
7554 "SSLv3" set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
7555 the protocols to include, rather than protocols to exclude, is sup‐
7556 ported, but not recommended. The exclusion form more closely matches
7557 the underlying OpenSSL interface semantics.
7558
7559 The range of protocols advertised by an SSL/TLS client must be contigu‐
7560 ous. When a protocol version is enabled, disabling any higher version
7561 implicitly disables all versions above that higher version. Thus, for
7562 example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
7563
7564 smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7565 also disables any protocol version higher than TLSv1, leaving only
7566 "SSLv3" enabled.
7567
7568 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7569 "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
7570 later, these, or any other new protocol versions, cannot be disabled
7571 except by also disabling "TLSv1" (typically leaving just "SSLv3"). The
7572 latest patch levels of Postfix >= 2.6, and all versions of Postfix >=
7573 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
7574
7575 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
7576 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
7577 abled, if need be, via "!TLSv1.3".
7578
7579 At the dane and dane-only security levels, when usable TLSA records are
7580 obtained for the remote SMTP server, the Postfix SMTP client is obli‐
7581 gated to include the SNI TLS extension in its SSL client hello message.
7582 This may help the remote SMTP server live up to its promise to provide
7583 a certificate that matches its TLSA records. Since TLS extensions
7584 require TLS 1.0 or later, the Postfix SMTP client must disable "SSLv2"
7585 and "SSLv3" when SNI is required. If you use "dane" or "dane-only" do
7586 not disable TLSv1, except perhaps via the policy table for destinations
7587 which you are sure will support "TLSv1.1" or "TLSv1.2".
7588
7589 See the documentation of the smtp_tls_policy_maps parameter and
7590 TLS_README for more information about security levels.
7591
7592 Example:
7593
7594 # Preferred syntax with Postfix >= 2.5:
7595 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7596 # Legacy syntax:
7597 smtp_tls_mandatory_protocols = TLSv1
7598
7599 This feature is available in Postfix 2.3 and later.
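
A model of the protocol-list rules described above (both separator forms, the "!" exclusion form versus the legacy inclusion form, and the contiguity rule), as an added example that is not Postfix code. It assumes a fixed list of versions known to the OpenSSL library; the real behaviour depends on the Postfix and OpenSSL versions in use, as the notes above explain.

```python
import re

# Protocol versions in ascending order (the names SSL_get_version(3) uses);
# assumed here to be everything the linked OpenSSL library supports.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_protocol_spec(value: str, policy_table: bool = False):
    """Return (excluded, included) sets from a protocol list.
    main.cf accepts whitespace, commas or colons as separators; a policy-table
    "protocols" attribute accepts only colons. Mixing "!X" exclusions with
    plain inclusions is rejected, as the two forms have different semantics."""
    sep = r":" if policy_table else r"[\s,:]+"
    items = [t for t in re.split(sep, value.strip()) if t]
    excluded = {t[1:] for t in items if t.startswith("!")}
    included = {t for t in items if not t.startswith("!")}
    if excluded and included:
        raise ValueError("cannot mix !exclusions and inclusions: %r" % value)
    unknown = (excluded | included) - set(PROTOCOL_ORDER)
    if unknown:
        raise ValueError("unknown protocol name(s): " + ", ".join(sorted(unknown)))
    return excluded, included


def effective_protocols(value: str, policy_table: bool = False, supported=None):
    """Versions actually enabled after the contiguity rule: starting from the
    lowest enabled version, the first disabled version above it implicitly
    disables every version above that one as well. An empty value allows all."""
    supported = list(PROTOCOL_ORDER if supported is None else supported)
    excluded, included = parse_protocol_spec(value, policy_table)
    if included:
        wanted = [p for p in supported if p in included]      # legacy syntax
    else:
        wanted = [p for p in supported if p not in excluded]  # exclusion syntax
    enabled, started = [], False
    for proto in supported:
        if proto in wanted:
            enabled.append(proto)
            started = True
        elif started:
            break  # a gap above the lowest enabled version ends the range
    return enabled
```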
7600
7601 smtp_tls_note_starttls_offer
7602 Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
7603 is not already enabled for that server.
7604
7605 The logfile record looks like:
7606
7607 postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
7608
7609 This feature is available in Postfix 2.2 and later.
7610
7611 smtp_tls_per_site
7612 Optional lookup tables with the Postfix SMTP client TLS usage policy by
7613 next-hop destination and by remote SMTP server hostname. When both
7614 lookups succeed, the more specific per-site policy (NONE, MUST, etc)
7615 overrides the less specific one (MAY), and the more secure per-site
7616 policy (MUST, etc) overrides the less secure one (NONE). With Postfix
7617 2.3 and later smtp_tls_per_site is strongly discouraged: use
7618 smtp_tls_policy_maps instead.
7619
7620 Use of the bare hostname as the per-site table lookup key is discour‐
7621 aged. Always use the full destination nexthop (enclosed in [] with a
7622 possible ":port" suffix). A recipient domain or MX-enabled transport
7623 next-hop with no port suffix may look like a bare hostname, but is
7624 still a suitable destination.
7625
7626 Specify a next-hop destination or server hostname on the left-hand
7627 side; no wildcards are allowed. The next-hop destination is either the
7628 recipient domain, or the destination specified with a transport(5) ta‐
7629 ble, the relayhost parameter, or the relay_transport parameter. On the
7630 right hand side specify one of the following keywords:
7631
7632 NONE Don't use TLS at all. This overrides a less specific MAY lookup
7633 result from the alternate host or next-hop lookup key, and over‐
7634 rides the global smtp_use_tls, smtp_enforce_tls, and
7635 smtp_tls_enforce_peername settings.
7636
7637 MAY Try to use TLS if the server announces support, otherwise use
7638 the unencrypted connection. This has less precedence than a more
7639 specific result (including NONE) from the alternate host or
7640 next-hop lookup key, and has less precedence than the more spe‐
7641 cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
7642 name = yes".
7643
7644 MUST_NOPEERMATCH
7645 Require TLS encryption, but do not require that the remote SMTP
7646 server hostname matches the information in the remote SMTP
7647 server certificate, or that the server certificate was issued by
7648 a trusted CA. This overrides a less secure NONE or a less spe‐
7649 cific MAY lookup result from the alternate host or next-hop
7650 lookup key, and overrides the global smtp_use_tls,
7651 smtp_enforce_tls and smtp_tls_enforce_peername settings.
7652
7653 MUST Require TLS encryption, require that the remote SMTP server
7654 hostname matches the information in the remote SMTP server cer‐
7655 tificate, and require that the remote SMTP server certificate
7656 was issued by a trusted CA. This overrides a less secure NONE
7657 and MUST_NOPEERMATCH or a less specific MAY lookup result from
7658 the alternate host or next-hop lookup key, and overrides the
7659 global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
7660 name settings.
7661
7662 The above keywords correspond to the "none", "may", "encrypt" and "ver‐
7663 ify" security levels for the new smtp_tls_security_level parameter
7664 introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
7665 of how the policy is specified, the smtp_tls_mandatory_ciphers and
7666 smtp_tls_mandatory_protocols parameters apply when TLS encryption is
7667 mandatory. Connections for which encryption is optional typically
7668 enable all "export" grade and better ciphers (see smtp_tls_ciphers and
7669 smtp_tls_protocols).
7670
7671 As long as no secure DNS lookup mechanism is available, false hostnames
7672 in MX or CNAME responses can change the server hostname that Postfix
7673 uses for TLS policy lookup and server certificate verification. Even
7674 with a perfect match between the server hostname and the server cer‐
7675 tificate, there is no guarantee that Postfix is connected to the right
7676 server. See TLS_README (Closing a DNS loophole with obsolete per-site
7677 TLS policies) for a possible work-around.
7678
7679 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7680 and later use smtp_tls_policy_maps instead.
7681
7682 smtp_tls_policy_maps
7683 Optional lookup tables with the Postfix SMTP client TLS security policy
7684 by next-hop destination; when a non-empty value is specified, this
7685 overrides the obsolete smtp_tls_per_site parameter. See TLS_README for
7686 a more detailed discussion of TLS security levels.
7687
7688 Specify zero or more "type:name" lookup tables, separated by whitespace
7689 or comma. Tables will be searched in the specified order until a match
7690 is found.
7691
7692 The TLS policy table is indexed by the full next-hop destination, which
7693 is either the recipient domain, or the verbatim next-hop specified in
7694 the transport table, $local_transport, $virtual_transport,
7695 $relay_transport or $default_transport. This includes any enclosing
7696 square brackets and any non-default destination server port suffix. The
7697 LMTP socket type prefix (inet: or unix:) is not included in the lookup
7698 key.
7699
7700 Only the next-hop domain, or $myhostname with LMTP over UNIX-domain
7701 sockets, is used as the nexthop name for certificate verification. The
7702 port and any enclosing square brackets are used in the table lookup
7703 key, but are not used for server name verification.
7704
7705 When the lookup key is a domain name without enclosing square brackets
7706 or any :port suffix (typically the recipient domain), and the full
7707 domain is not found in the table, just as with the transport(5) table,
7708 the parent domain starting with a leading "." is matched recursively.
7709 This allows one to specify a security policy for a recipient domain and
7710 all its sub-domains.
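
The lookup-key rules just described (socket-type prefix dropped, brackets and port kept verbatim, parent-domain fallback only for bare domains), plus the split of a result into security level and name=value attributes, as an added example that is not Postfix code. The policy table contents are constructed for the example.

```python
import re

# Constructed sample policy table (what a hash: file would contain), key -> value.
TLS_POLICY = {
    "example.edu": "none",
    ".example.org": "encrypt protocols=TLSv1.2:TLSv1.3",
    "[mailhub.example.com]:587": "secure match=mailhub.example.com",
    "example.com": "verify ciphers=high",
}


def policy_lookup(table: dict, nexthop: str):
    """Find the policy entry for a next-hop destination.
    - an LMTP socket-type prefix (inet: or unix:) is not part of the key;
    - enclosing [] and a :port suffix stay in the key verbatim, exact match only;
    - only a bare domain falls back to parent domains written with a leading ".",
      recursively, as with the transport(5) table ("example.org" itself does not
      match ".example.org", and "example.edu" does not cover its subdomains).
    Returns (matched_key, value) or (None, None)."""
    key = re.sub(r"^(inet|unix):", "", nexthop.strip())
    if key in table:
        return key, table[key]
    if "[" in key or ":" in key:
        return None, None
    labels = key.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return parent, table[parent]
    return None, None


def parse_policy(value: str):
    """Split a lookup result into (security_level, {attribute: value}).
    Attributes are whitespace/comma separated; inside one attribute value,
    several protocols, excluded ciphers or match patterns are joined by ":"."""
    items = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    level, attrs = items[0], {}
    for item in items[1:]:
        name, _, val = item.partition("=")
        attrs[name] = val
    return level, attrs


def effective_policy(table: dict, nexthop: str):
    """Parsed policy for a destination; (None, {}) when the table has no entry,
    in which case the main.cf smtp_tls_security_level applies instead."""
    _, value = policy_lookup(table, nexthop)
    return (None, {}) if value is None else parse_policy(value)
```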
7711
7712 The lookup result is a security level, followed by an optional list of
7713 whitespace and/or comma separated name=value attributes that override
7714 related main.cf settings. The TLS security levels in order of increas‐
7715 ing security are:
7716
7717 none No TLS. No additional attributes are supported at this level.
7718
7719 may Opportunistic TLS. Since sending in the clear is acceptable,
7720 demanding stronger than default TLS security merely reduces
7721 interoperability. The optional "ciphers", "exclude" and "proto‐
7722 cols" attributes (available for opportunistic TLS with Postfix
7723 >= 2.6) override the "smtp_tls_ciphers",
7724 "smtp_tls_exclude_ciphers" and "smtp_tls_protocols" configura‐
7725 tion parameters. When opportunistic TLS handshakes fail, Postfix
7726 retries the connection with TLS disabled. This allows mail
7727 delivery to sites with non-interoperable TLS implementations.
7728
7729 encrypt
7730 Mandatory TLS encryption. At this level and higher, the optional
7731 "protocols" attribute overrides the main.cf smtp_tls_manda‐
7732 tory_protocols parameter, the optional "ciphers" attribute over‐
7733 rides the main.cf smtp_tls_mandatory_ciphers parameter, and the
7734 optional "exclude" attribute (Postfix >= 2.6) overrides the
7735 main.cf smtp_tls_mandatory_exclude_ciphers parameter. In the
7736 policy table, multiple protocols or excluded ciphers must be
7737 separated by colons, as attribute values may not contain white‐
7738 space or commas.
7739
7740 dane Opportunistic DANE TLS. The TLS policy for the destination is
7741 obtained via TLSA records in DNSSEC. If no TLSA records are
7742 found, the effective security level used is may. If TLSA
7743 records are found, but none are usable, the effective security
7744 level is encrypt. When usable TLSA records are obtained for the
7745 remote SMTP server, the server certificate must match the TLSA
7746 records. RFC 7672 (DANE) TLS authentication and DNSSEC support
7747 is available with Postfix 2.11 and later.
7748
7749 dane-only
7750 Mandatory DANE TLS. The TLS policy for the destination is
7751 obtained via TLSA records in DNSSEC. If no TLSA records are
7752 found, or none are usable, no connection is made to the server.
7753 When usable TLSA records are obtained for the remote SMTP
7754 server, the server certificate must match the TLSA records. RFC
7755 7672 (DANE) TLS authentication and DNSSEC support is available
7756 with Postfix 2.11 and later.
7757
7758 fingerprint
7759 Certificate fingerprint verification. Available with Postfix 2.5
7760 and later. At this security level, there are no trusted Certifi‐
7761 cation Authorities. The certificate trust chain, expiration
7762 date, ... are not checked. Instead, the optional match
7763 attribute, or else the main.cf smtp_tls_fingerprint_cert_match
7764 parameter, lists the certificate fingerprints or the public key
7765 fingerprint (Postfix 2.9 and later) of the valid server certifi‐
7766 cate. The digest algorithm used to calculate the fingerprint is
7767 selected by the smtp_tls_fingerprint_digest parameter. Multiple
7768 fingerprints can be combined with a "|" delimiter in a single
7769 match attribute, or multiple match attributes can be employed.
7770 The ":" character is not used as a delimiter as it occurs
7771 between each pair of fingerprint (hexadecimal) digits.
7772
7773 verify Mandatory TLS verification. At this security level, DNS MX
7774 lookups are trusted to be secure enough, and the name verified
7775 in the server certificate is usually obtained indirectly via
7776 unauthenticated DNS MX lookups. The optional "match" attribute
7777 overrides the main.cf smtp_tls_verify_cert_match parameter. In
7778 the policy table, multiple match patterns and strategies must be
7779 separated by colons. In practice explicit control over matching
7780 is more common with the "secure" policy, described below.
7781
7782 secure Secure-channel TLS. At this security level, DNS MX lookups,
7783 though potentially used to determine the candidate next-hop
7784 gateway IP addresses, are not trusted to be secure enough for
7785 TLS peername verification. Instead, the default name verified in
7786 the server certificate is obtained directly from the next-hop,
7787 or is explicitly specified via the optional match attribute
7788 which overrides the main.cf smtp_tls_secure_cert_match parame‐
7789 ter. In the policy table, multiple match patterns and strategies
7790 must be separated by colons. The match attribute is most useful
7791 when multiple domains are served by a common server: the policy
7792 entries for the additional domains specify matching rules for the
7793 primary domain's certificate. While transport table overrides
7794 routing the secondary domains to the primary nexthop also allow
7795 secure verification, they risk delivery to the wrong destination
7796 when domains change hands or are re-assigned to new gateways.
7797 With the "match" attribute approach, routing is not perturbed,
7798 and mail is deferred if verification of a new MX host fails.
7799
7800 Example:
7801
7802 /etc/postfix/main.cf:
7803 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7804 # Postfix 2.5 and later
7805 smtp_tls_fingerprint_digest = md5
7806
7807 /etc/postfix/tls_policy:
7808 example.edu none
7809 example.mil may
7810 example.gov encrypt protocols=TLSv1
7811 example.com verify ciphers=high
7812 example.net secure
7813 .example.net secure match=.example.net:example.net
7814 [mail.example.org]:587 secure match=nexthop
7815 # Postfix 2.5 and later
7816 [thumb.example.org] fingerprint
7817 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7818 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7819
7820 Note: The hostname strategy if listed in a non-default setting of
7821 smtp_tls_secure_cert_match or in the match attribute in the policy ta‐
7822 ble can render the secure level vulnerable to DNS forgery. Do not use
7823 the hostname strategy for secure-channel configurations in environments
7824 where DNS security is not assured.
7825
7826 This feature is available in Postfix 2.3 and later.
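
As an added, runnable illustration of the policy table format above
(example code, not part of Postfix or of this manual): the parser below
reads the sample tls_policy table from the example, joins continuation
lines, splits attribute values on the colon (or on "|" for fingerprint
match attributes), looks up a destination by exact key and then by parent
domain with a leading dot, applies the dane/dane-only fallbacks described
above, and checks a server's certificate or public-key fingerprint in the
colon-separated hex form used in the table. The parent-domain lookup is a
simplification of Postfix's own lookup order, the DER input to
fingerprint() is a constructed byte string, and smtp_tls_fingerprint_digest
is modelled as a plain digest-name argument; all of these are assumptions
of the example.

```python
import hashlib

# Security levels accepted in smtp_tls_policy_maps and smtp_tls_security_level.
LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
          "fingerprint", "verify", "secure"}

# The tls_policy example from the manual page, as one constructed file body.
SAMPLE_TABLE = """\
example.edu     none
example.mil     may
example.gov     encrypt protocols=TLSv1
example.com     verify  ciphers=high
example.net     secure
.example.net    secure  match=.example.net:example.net
[mail.example.org]:587 secure match=nexthop
# Postfix 2.5 and later
[thumb.example.org] fingerprint
    match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
"""

def logical_lines(text):
    """Drop blank and '#' lines and join continuation lines (lines that
    start with whitespace), as Postfix lookup-table files are read."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_policy_table(text):
    """Map each destination key to (level, attrs). attrs maps an attribute
    name to a list of values: inside the policy table the only separator is
    the colon, except that fingerprint "match" values use "|" because ":"
    sits between the hex digits of a fingerprint."""
    table = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"entry without a security level: {line!r}")
        dest, level, attr_fields = fields[0], fields[1], fields[2:]
        if level not in LEVELS:
            raise ValueError(f"{dest}: unknown security level {level!r}")
        attrs = {}
        for field in attr_fields:
            name, eq, value = field.partition("=")
            if not eq:
                raise ValueError(f"{dest}: attribute without '=': {field!r}")
            sep = "|" if (level == "fingerprint" and name == "match") else ":"
            attrs.setdefault(name, []).extend(value.split(sep))
        table[dest] = (level, attrs)
    return table

def lookup_policy(table, nexthop):
    """Exact key first, then parent domains with a leading dot (the way the
    ".example.net" entry is reached). Bracketed next-hops match exactly only.
    This is a simplified stand-in for Postfix's lookup order."""
    if nexthop in table:
        return table[nexthop]
    if nexthop.startswith("["):
        return None
    labels = nexthop.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None

def effective_level(level, tlsa):
    """Fallbacks for the DANE levels. tlsa is None (no DNSSEC-validated TLSA
    records), "unusable" (records found, none usable) or "usable". Returns
    None when no connection may be made and mail stays queued."""
    if level == "dane":
        return {None: "may", "unusable": "encrypt", "usable": "dane"}[tlsa]
    if level == "dane-only":
        return "dane-only" if tlsa == "usable" else None
    return level

def fingerprint(der, digest="sha256"):
    """Colon-separated upper-case hex digest of DER bytes (a certificate, or
    its SubjectPublicKeyInfo for a public-key fingerprint)."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fingerprint_matches(attrs, cert_der, spki_der, digest):
    """True if the certificate fingerprint or the public-key fingerprint is
    listed in any of the entry's match attributes (case-insensitively)."""
    wanted = {fp.upper() for fp in attrs.get("match", [])}
    return (fingerprint(cert_der, digest) in wanted
            or fingerprint(spki_der, digest) in wanted)

if __name__ == "__main__":
    table = parse_policy_table(SAMPLE_TABLE)
    print(lookup_policy(table, "mx.example.net"))
    print(lookup_policy(table, "[thumb.example.org]"))
    print(effective_level("dane", None), effective_level("dane-only", "unusable"))
```

Run as a script it prints the entry chosen for mx.example.net (the
.example.net line) and for [thumb.example.org]. A False result from
fingerprint_matches() is a verification failure: at the fingerprint level
the message is deferred, not sent in the clear.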
7827
7829 List of TLS protocols that the Postfix SMTP client will exclude or
7830 include with opportunistic TLS encryption. The default value is
7831 "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
7832 "!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP
7833 client would use all protocols with opportunistic TLS.
7834
7835 In main.cf the values are separated by whitespace, commas or colons. In
7836 the policy table (see smtp_tls_policy_maps) the only valid separator is
7837 colon. An empty value means allow all protocols. The valid protocol
7838 names (see SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
7839
7840 The range of protocols advertised by an SSL/TLS client must be contigu‐
7841 ous. When a protocol version is enabled, disabling any higher version
7842 implicitly disables all versions above that higher version. Thus, for
7843 example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
7844
7845 smtp_tls_protocols = !SSLv2, !TLSv1
7846 also disables any protocol version higher than TLSv1, leaving only
7847 "SSLv3" enabled.
7848
7849 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7850 "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
7851 of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or
7852 "TLSv1.2"
7853
7854 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
7855 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
7856 abled, if need be, via "!TLSv1.3".
7857
7858 To include a protocol, list its name; to exclude it, prefix the name
7859 with a "!" character. To exclude SSLv2 for opportunistic TLS set
7860 "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
7861 "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
7862 to include, rather than protocols to exclude, is supported, but not
7863 recommended. The exclusion form more closely matches the underlying
7864 OpenSSL interface semantics.
7865
7866 Example:
7867 # TLSv1 or better:
7868 smtp_tls_protocols = !SSLv2, !SSLv3
7869
7870 This feature is available in Postfix 2.6 and later.
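
The contiguity rule can be checked with a small helper. This is an added
example, not Postfix code: it parses a smtp_tls_protocols value in either
main.cf or policy-table form and returns the versions that remain enabled,
reproducing the "!SSLv2, !TLSv1" case above. The version list assumes an
OpenSSL build that still has SSLv2 and SSLv3 (as the text's example does),
and how an unlisted name in the inclusion form is treated is the helper's
own assumption.

```python
import re

# Protocol versions in ascending order. Which ones an OpenSSL build actually
# offers varies; the "!SSLv2, !TLSv1" example in the text assumes SSLv2 and
# SSLv3 are both compiled in, so both are kept here (an assumption).
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_protocol_list(value, in_policy_table=False):
    """Split a protocol list into (included, excluded) name sets. In main.cf
    the names may be separated by whitespace, commas or colons; in the policy
    table the attribute value may contain only colons."""
    if in_policy_table:
        if re.search(r"[\s,]", value):
            raise ValueError("policy-table protocols attribute: use ':' only")
        names = value.split(":")
    else:
        names = re.split(r"[\s,:]+", value.strip())
    included, excluded = set(), set()
    for name in filter(None, names):
        bare = name[1:] if name.startswith("!") else name
        if bare not in VERSIONS:
            raise ValueError(f"unknown protocol name {name!r}")
        (excluded if name.startswith("!") else included).add(bare)
    return included, excluded

def effective_protocols(value, in_policy_table=False):
    """Versions the client ends up advertising. An empty value means all.
    Start from the included names (all names in the exclusion form), remove
    the excluded ones, then apply the contiguity rule from the text: the
    range stops just below the first version above the lowest enabled one
    that is not enabled. Treating a merely unlisted name in the inclusion
    form like an excluded one is an assumption of this helper."""
    included, excluded = parse_protocol_list(value, in_policy_table)
    wanted = [v for v in VERSIONS
              if (not included or v in included) and v not in excluded]
    enabled = []
    for v in (VERSIONS[VERSIONS.index(wanted[0]):] if wanted else []):
        if v not in wanted:
            break
        enabled.append(v)
    return enabled

if __name__ == "__main__":
    for setting in ("", "!SSLv2, !SSLv3", "!SSLv2, !TLSv1"):
        print(f"smtp_tls_protocols = {setting!r:<20} -> {effective_protocols(setting)}")
```

The script prints, for each of the three settings discussed in the text,
the versions that remain; "!SSLv2, !TLSv1" collapses to SSLv3 alone, which
is why the exclusion list should name every version below the one you want
as the floor, not just the version you dislike.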
7871
7873 The verification depth for remote SMTP server certificates. A depth of
7874 1 is sufficient if the issuing CA is listed in a local CA file.
7875
7876 The default verification depth is 9 (the OpenSSL default) for compati‐
7877 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
7878 value was 5, but the limit was not actually enforced. If you have set
7879 this to a lower non-default value, certificates with longer trust
7880 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
7881 common, deeper chains are more rare and any number between 5 and 9
7882 should suffice in practice. You can choose a lower number if, for exam‐
7883 ple, you trust certificates directly signed by an issuing CA but not
7884 any CAs it delegates to.
7885
7886 This feature is available in Postfix 2.2 and later.
7887
7889 How the Postfix SMTP client verifies the server certificate peername
7890 for the "secure" TLS security level. In a "secure" TLS policy table
7891 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
7892 this main.cf setting.
7893
7894 This parameter specifies one or more patterns or strategies separated
7895 by commas, whitespace or colons. In the policy table the only valid
7896 separator is the colon character.
7897
7898 For a description of the pattern and strategy syntax see the
7899 smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
7900 avoided in this context, as in the absence of a secure global DNS,
7901 using the results of MX lookups in certificate verification is not
7902 immune to active (man-in-the-middle) attacks on DNS.
7903
7904 Sample main.cf setting:
7905
7906 smtp_tls_secure_cert_match = nexthop
7907
7908 Sample policy table override:
7909
7910 example.net secure match=example.com:.example.com
7911 .example.net secure match=example.com:.example.com
7912
7913 This feature is available in Postfix 2.3 and later.
7914
7916 The default SMTP TLS security level for the Postfix SMTP client; when a
7917 non-empty value is specified, this overrides the obsolete parameters
7918 smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
7919
7920 Specify one of the following security levels:
7921
7922 none No TLS. TLS will not be used unless enabled for specific desti‐
7923 nations via smtp_tls_policy_maps.
7924
7925 may Opportunistic TLS. Use TLS if this is supported by the remote
7926 SMTP server, otherwise use plaintext. Since sending in the clear
7927 is acceptable, demanding stronger than default TLS security
7928 merely reduces interoperability. The "smtp_tls_ciphers" and
7929 "smtp_tls_protocols" (Postfix >= 2.6) configuration parameters
7930 provide control over the protocols and cipher grade used with
7931 opportunistic TLS. With earlier releases the opportunistic TLS
7932 cipher grade is always "export" and no protocols are disabled.
7933 When TLS handshakes fail, the connection is retried with TLS
7934 disabled. This allows mail delivery to sites with non-interop‐
7935 erable TLS implementations.
7936
7937 encrypt
7938 Mandatory TLS encryption. Since a minimum level of security is
7939 intended, it is reasonable to be specific about sufficiently
7940 secure protocol versions and ciphers. At this security level and
7941 higher, the main.cf parameters smtp_tls_mandatory_protocols and
7942 smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
7943 cipher grade which the administrator considers secure enough for
7944 mandatory encrypted sessions. This security level is not an
7945 appropriate default for systems delivering mail to the Internet.
7946
7947 dane Opportunistic DANE TLS. At this security level, the TLS policy
7948 for the destination is obtained via DNSSEC. For TLSA policy to
7949 be in effect, the destination domain's containing DNS zone must
7950 be signed and the Postfix SMTP client's operating system must be
7951 configured to send its DNS queries to a recursive DNS nameserver
7952 that is able to validate the signed records. Each MX host's DNS
7953 zone should also be signed, and should publish DANE TLSA (RFC
7954 7672) records that specify how that MX host's TLS certificate is
7955 to be verified. TLSA records do not preempt the normal SMTP MX
7956 host selection algorithm; if some MX hosts support TLSA and
7957 others do not, TLS security will vary from delivery to delivery.
7958 It is up to the domain owner to configure their MX hosts and
7959 their DNS sensibly. To configure the Postfix SMTP client for
7960 DNSSEC lookups see the documentation for the smtp_dns_sup‐
7961 port_level main.cf parameter. When DNSSEC-validated TLSA
7962 records are not found the effective TLS security level is "may".
7963 When TLSA records are found, but are all unusable the effective
7964 security level is "encrypt". For purposes of protocol and
7965 cipher selection, the "dane" security level is treated like a
7966 "mandatory" TLS security level, and weak ciphers and protocols
7967 are disabled. Since DANE authenticates server certificates the
7968 "aNULL" cipher-suites are transparently excluded at this level,
7969 no need to configure this manually. RFC 7672 (DANE) TLS authen‐
7970 tication is available with Postfix 2.11 and later.
7971
7972 dane-only
7973 Mandatory DANE TLS. This is just like "dane" above, but DANE
7974 TLSA authentication is required. There is no fallback to "may"
7975 or "encrypt" when TLSA records are missing or unusable. RFC
7976 7672 (DANE) TLS authentication is available with Postfix 2.11
7977 and later.
7978
7979 fingerprint
7980 Certificate fingerprint verification. At this security level,
7981 there are no trusted Certification Authorities. The certificate
7982 trust chain, expiration date, etc., are not checked. Instead,
7983 the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
7984 cate fingerprint or public key fingerprint (Postfix 2.9 and
7985 later) of the valid server certificate. The digest algorithm
7986 used to calculate the fingerprint is selected by the
7987 smtp_tls_fingerprint_digest parameter. Available with Postfix
7988 2.5 and later.
7989
7990 verify Mandatory TLS verification. At this security level, DNS MX
7991 lookups are trusted to be secure enough, and the name verified
7992 in the server certificate is usually obtained indirectly via
7993 unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match
7994 parameter controls how the server name is verified. In practice
7995 explicit control over matching is more common at the "secure"
7996 level, described below. This security level is not an appropri‐
7997 ate default for systems delivering mail to the Internet.
7998
7999 secure Secure-channel TLS. At this security level, DNS MX lookups,
8000 though potentially used to determine the candidate next-hop
8001 gateway IP addresses, are not trusted to be secure enough for
8002 TLS peername verification. Instead, the default name verified in
8003 the server certificate is obtained from the next-hop domain as
8004 specified in the smtp_tls_secure_cert_match configuration param‐
8005 eter. The default matching rule is that a server certificate
8006 matches when its name is equal to or is a sub-domain of the nex‐
8007 thop domain. This security level is not an appropriate default
8008 for systems delivering mail to the Internet.
8009
8010 Examples:
8011
8012 # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8013 smtp_tls_security_level = none
8014
8015 # Opportunistic TLS.
8016 smtp_tls_security_level = may
8017 # Postfix >= 2.6:
8018 # Do not tweak opportunistic ciphers or protocol unless it is essential
8019 # to do so (if a security vulnerability is found in the SSL library that
8020 # can be mitigated by disabling a particular protocol or raising the
8021 # cipher grade from "export" to "low" or "medium").
8022 smtp_tls_ciphers = export
8023 smtp_tls_protocols = !SSLv2, !SSLv3
8024
8025 # Mandatory (high-grade) TLS encryption.
8026 smtp_tls_security_level = encrypt
8027 smtp_tls_mandatory_ciphers = high
8028
8029 # Mandatory TLS verification of hostname or nexthop domain.
8030 smtp_tls_security_level = verify
8031 smtp_tls_mandatory_ciphers = high
8032 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8033
8034 # Secure channel TLS with exact nexthop name match.
8035 smtp_tls_security_level = secure
8036 smtp_tls_mandatory_protocols = TLSv1
8037 smtp_tls_mandatory_ciphers = high
8038 smtp_tls_secure_cert_match = nexthop
8039
8040 # Certificate fingerprint verification (Postfix >= 2.5).
8041 # The CA-less "fingerprint" security level only scales to a limited
8042 # number of destinations. As a global default rather than a per-site
8043 # setting, this is practical when mail for all recipients is sent
8044 # to a central mail hub.
8045 relayhost = [mailhub.example.com]
8046 smtp_tls_security_level = fingerprint
8047 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8048 smtp_tls_mandatory_ciphers = high
8049 smtp_tls_fingerprint_cert_match =
8050 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8051 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8052
8053 This feature is available in Postfix 2.3 and later.
8054
8056 Name of the file containing the optional Postfix SMTP client TLS ses‐
8057 sion cache. Specify a database type that supports enumeration, such as
8058 btree or sdbm; there is no need to support concurrent access. The file
8059 is created if it does not exist. The smtp(8) daemon does not use this
8060 parameter directly, rather the cache is implemented indirectly in the
8061 tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8062 of this parameter are not effective. Note that each of the cache
8063 databases supported by the tlsmgr(8) daemon, $smtpd_tls_session_cache_database,
8064 $smtp_tls_session_cache_database (and with Postfix 2.3 and later
8065 $lmtp_tls_session_cache_database), needs to be stored separately. It is
8066 not at this time possible to store multiple caches in a single data‐
8067 base.
8068
8069 Note: dbm databases are not suitable. TLS session objects are too
8070 large.
8071
8072 As of version 2.5, Postfix no longer uses root privileges when opening
8073 this file. The file should now be stored under the Postfix-owned
8074 data_directory. As a migration aid, an attempt to open the file under a
8075 non-Postfix directory is redirected to the Postfix-owned data_direc‐
8076 tory, and a warning is logged.
8077
8078 Example:
8079
8080 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8081
8082 This feature is available in Postfix 2.2 and later.
8083
8085 The expiration time of Postfix SMTP client TLS session cache informa‐
8086 tion. A cache cleanup is performed periodically every $smtp_tls_ses‐
8087 sion_cache_timeout seconds. As with $smtp_tls_session_cache_database,
8088 this parameter is implemented in the tlsmgr(8) daemon and therefore
8089 per-smtp-instance master.cf overrides are not possible.
8090
8091 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
8092 session caching is disabled. If set to a positive value less than 2
8093 minutes, the minimum value of 2 minutes is used instead.
8094
8095 This feature is available in Postfix 2.2 and later.
8096
8098 Zero or more PEM-format files with trust-anchor certificates and/or
8099 public keys. If the parameter is not empty the root CAs in CAfile and
8100 CApath are no longer trusted. Rather, the Postfix SMTP client will
8101 only trust certificate-chains signed by one of the trust-anchors con‐
8102 tained in the chosen files. The specified trust-anchor certificates
8103 and public keys are not subject to expiration, and need not be
8104 (self-signed) root CAs. They may, if desired, be intermediate certifi‐
8105 cates. Therefore, these certificates also may be found "in the middle"
8106 of the trust chain presented by the remote SMTP server, and any
8107 untrusted issuing parent certificates will be ignored. Specify a list
8108 of pathnames separated by comma or whitespace.
8109
8110 Whether specified in main.cf, or on a per-destination basis, the
8111 trust-anchor PEM file must be accessible to the Postfix SMTP client in
8112 the chroot jail if applicable. The trust-anchor file should contain
8113 only certificates and public keys, no private key material, and must be
8114 readable by the non-privileged $mail_owner user. This allows destina‐
8115 tions to be bound to a set of specific CAs or public keys without
8116 trusting the same CAs for all destinations.
8117
8118 The main.cf parameter supports single-purpose Postfix installations
8119 that send mail to a fixed set of SMTP peers. At most sites, if
8120 trust-anchor files are used at all, they will be specified on a
8121 per-destination basis via the "tafile" attribute of the "verify" and
8122 "secure" levels in smtp_tls_policy_maps.
8123
8124 The underlying mechanism is in support of RFC 7672 (DANE TLSA), which
8125 defines mechanisms for an SMTP client MTA to securely determine server
8126 TLS certificates via DNS.
8127
8128 If you want your trust anchors to be public keys, with OpenSSL you can
8129 extract a single PEM public key from a PEM X.509 file containing a sin‐
8130 gle certificate, as follows:
8131
8132 $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8133
8134 This feature is available in Postfix 2.11 and later.
8135
8137 How the Postfix SMTP client verifies the server certificate peername
8138 for the "verify" TLS security level. In a "verify" TLS policy table
8139 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
8140 this main.cf setting.
8141
8142 This parameter specifies one or more patterns or strategies separated
8143 by commas, whitespace or colons. In the policy table the only valid
8144 separator is the colon character.
8145
8146 Patterns specify domain names, or domain name suffixes:
8147
8148 example.com
8149 Match the example.com domain, i.e. one of the names in the server
8150 certificate must be example.com; upper and lower case
8151 distinctions are ignored.
8152
8153 .example.com
8154 Match subdomains of the example.com domain, i.e. match a name in
8155 the server certificate that consists of a non-zero number of
8156 labels followed by a .example.com suffix. Case distinctions are
8157 ignored.
8158
8159 Strategies specify a transformation from the next-hop domain to the
8160 expected name in the server certificate:
8161
8162 nexthop
8163 Match against the next-hop domain, which is either the recipient
8164 domain, or the transport next-hop configured for the domain
8165 stripped of any optional socket type prefix, enclosing square
8166 brackets and trailing port. When MX lookups are not suppressed,
8167 this is the original nexthop domain prior to the MX lookup, not
8168 the result of the MX lookup. For LMTP delivery via UNIX-domain
8169 sockets, the verified next-hop name is $myhostname. This strat‐
8170 egy is suitable for use with the "secure" policy. Case is
8171 ignored.
8172
8173 dot-nexthop
8174 As above, but match server certificate names that are subdomains
8175 of the next-hop domain. Case is ignored.
8176
8177 hostname
8178 Match against the hostname of the server, often obtained via an
8179 unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
8180 sockets, the verified name is $myhostname. This matches the ver‐
8181 ification strategy of the "MUST" keyword in the obsolete
8182 smtp_tls_per_site table, and is suitable for use with the "ver‐
8183 ify" security level. When the next-hop name is enclosed in
8184 square brackets to suppress MX lookups, the "hostname" strategy
8185 is the same as the "nexthop" strategy. Case is ignored.
8186
8187 Sample main.cf setting:
8188
8189 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8190
8191 Sample policy table override:
8192
8193 example.com verify match=hostname:nexthop
8194 .example.com verify match=example.com:.example.com:hostname
8195
8196 This feature is available in Postfix 2.3 and later.
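
The matching rules for smtp_tls_verify_cert_match and
smtp_tls_secure_cert_match (and for the match attribute of the policy
table) can be worked through with the following added example, which is
not Postfix code. It reduces a next-hop to the name the nexthop strategy
verifies, evaluates patterns and strategies against a constructed list of
certificate names, and flags a "secure" level match value that relies on
the hostname strategy, the case the note above warns about. The default
$myhostname value and every certificate name and next-hop used are
assumptions.

```python
import re

STRATEGIES = ("nexthop", "dot-nexthop", "hostname")

def nexthop_domain(nexthop, myhostname="mx.example.internal"):
    """Reduce a next-hop to the name the "nexthop" strategy verifies: strip an
    optional socket-type prefix, enclosing [] and a trailing port. A unix:
    next-hop (LMTP over a UNIX-domain socket) verifies $myhostname instead.
    Returns (domain, mx_lookups_suppressed)."""
    if nexthop.startswith("unix:"):
        return myhostname.lower(), True
    host = nexthop[5:] if nexthop.startswith("inet:") else nexthop
    if host.startswith("["):
        end = host.find("]")
        if end < 0:
            raise ValueError(f"unbalanced '[' in next-hop {nexthop!r}")
        return host[1:end].lower(), True
    return re.sub(r":\d+$", "", host).lower(), False

def name_in_cert(expected, cert_names, subdomains_only):
    """Exact match, or (for ".domain" patterns and dot-nexthop) a name made of
    one or more labels followed by ".expected". Case is ignored."""
    expected = expected.lower()
    for name in cert_names:
        name = name.lower()
        if subdomains_only:
            if name.endswith("." + expected) and len(name) > len(expected) + 1:
                return True
        elif name == expected:
            return True
    return False

def cert_name_matches(match_value, cert_names, nexthop, server_hostname,
                      myhostname="mx.example.internal"):
    """Evaluate a smtp_tls_verify_cert_match / smtp_tls_secure_cert_match value
    (or a policy-table match attribute) against the names in the server
    certificate. Any one pattern or strategy matching is enough."""
    domain, mx_suppressed = nexthop_domain(nexthop, myhostname)
    for item in re.split(r"[\s,:]+", match_value.strip()):
        if not item:
            continue
        if item == "nexthop":
            hit = name_in_cert(domain, cert_names, subdomains_only=False)
        elif item == "dot-nexthop":
            hit = name_in_cert(domain, cert_names, subdomains_only=True)
        elif item == "hostname":
            # The MX host name comes from an unauthenticated DNS lookup unless
            # [] suppressed MX lookups, in which case it equals the next-hop.
            target = domain if mx_suppressed else server_hostname
            hit = name_in_cert(target, cert_names, subdomains_only=False)
        elif item.startswith("."):
            hit = name_in_cert(item[1:], cert_names, subdomains_only=True)
        else:
            hit = name_in_cert(item, cert_names, subdomains_only=False)
        if hit:
            return True
    return False

def unsafe_for_secure_level(match_value):
    """True if a "secure" level match value relies on the hostname strategy,
    which the note above says is open to DNS forgery without DNSSEC."""
    return "hostname" in re.split(r"[\s,:]+", match_value.strip())

if __name__ == "__main__":
    # Constructed certificate names and next-hops.
    print(cert_name_matches("nexthop", ["mail.example.org"], "[mail.example.org]:587", "x"))
    print(cert_name_matches("example.com:.example.com", ["mx2.example.com"], "example.net", "x"))
    print(unsafe_for_secure_level("hostname, nexthop"))
```

The third call returns True: a main.cf value such as
"smtp_tls_secure_cert_match = hostname, nexthop" silently downgrades the
secure level to whatever an attacker can make the MX lookup return.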
8197
8199 Request that the Postfix SMTP client connects using the legacy SMTPS
8200 protocol instead of using the STARTTLS command.
8201
8202 This mode requires "smtp_tls_security_level = encrypt" or stronger.
8203
8204 Example: deliver all remote mail via a provider's server "mail.exam‐
8205 ple.com".
8206
8207 /etc/postfix/main.cf:
8208 # Client-side SMTPS requires "encrypt" or stronger.
8209 smtp_tls_security_level = encrypt
8210 smtp_tls_wrappermode = yes
8211 # The [] suppress MX lookups.
8212 relayhost = [mail.example.com]:465
8213
8214 More examples are in TLS_README, including examples for older Postfix
8215 versions.
8216
8217 This feature is available in Postfix 3.0 and later.
8218
8220 Opportunistic mode: use TLS when a remote SMTP server announces START‐
8221 TLS support, otherwise send the mail in the clear. Beware: some SMTP
8222 servers offer STARTTLS even if it is not configured. With Postfix <
8223 2.3, if the TLS handshake fails, and no other server is available,
8224 delivery is deferred and mail stays in the queue. If this is a concern
8225 for you, use the smtp_tls_per_site feature instead.
8226
8227 This feature is available in Postfix 2.2 and later. With Postfix 2.3
8228 and later use smtp_tls_security_level instead.
8229
8231 The Postfix SMTP client time limit for sending the XFORWARD command,
8232 and for receiving the remote SMTP server response.
8233
8234 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
8235 The default time unit is s (seconds).
8236
8237 This feature is available in Postfix 2.1 and later.
8238
8240 What remote SMTP clients are allowed to specify the XVERP command.
8241 This command requests that mail be delivered one recipient at a time
8242 with a per recipient return address.
8243
8244 By default, no clients are allowed to specify XVERP.
8245
8246 This parameter was renamed with Postfix version 2.1. The default value
8247 is backwards compatible with Postfix version 2.0.
8248
8249 Specify a list of network/netmask patterns, separated by commas and/or
8250 whitespace. The mask specifies the number of bits in the network part
8251 of a host address. You can also specify hostnames or .domain names (the
8252 initial dot causes the domain to match any name below it),
8253 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8254 replaced by its contents; a "type:table" lookup table is matched when a
8255 table entry matches a lookup string (the lookup result is ignored).
8256 Continue long lines by starting the next line with whitespace. Specify
8257 "!pattern" to exclude an address or network block from the list. The
8258 form "!/file/name" is supported only in Postfix version 2.4 and later.
8259
8260 Note: IP version 6 address information must be specified inside [] in
8261 the smtpd_authorized_verp_clients value, and in files specified with
8262 "/file/name". IP version 6 addresses contain the ":" character, and
8263 would otherwise be confused with a "type:table" pattern.
8264
8266 What remote SMTP clients are allowed to use the XCLIENT feature. This
8267 command overrides remote SMTP client information that is used for
8268 access control. Typical use is for SMTP-based content filters, fetch‐
8269 mail-like programs, or SMTP server access rule testing. See the
8270 XCLIENT_README document for details.
8271
8272 This feature is available in Postfix 2.1 and later.
8273
8274 By default, no clients are allowed to specify XCLIENT.
8275
8276 Specify a list of network/netmask patterns, separated by commas and/or
8277 whitespace. The mask specifies the number of bits in the network part
8278 of a host address. You can also specify hostnames or .domain names (the
8279 initial dot causes the domain to match any name below it),
8280 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8281 replaced by its contents; a "type:table" lookup table is matched when a
8282 table entry matches a lookup string (the lookup result is ignored).
8283 Continue long lines by starting the next line with whitespace. Specify
8284 "!pattern" to exclude an address or network block from the list. The
8285 form "!/file/name" is supported only in Postfix version 2.4 and later.
8286
8287 Note: IP version 6 address information must be specified inside [] in
8288 the smtpd_authorized_xclient_hosts value, and in files specified with
8289 "/file/name". IP version 6 addresses contain the ":" character, and
8290 would otherwise be confused with a "type:table" pattern.
8291
8293 What remote SMTP clients are allowed to use the XFORWARD feature. This
8294 command forwards information that is used to improve logging after
8295 SMTP-based content filters. See the XFORWARD_README document for
8296 details.
8297
8298 This feature is available in Postfix 2.1 and later.
8299
8300 By default, no clients are allowed to specify XFORWARD.
8301
8302 Specify a list of network/netmask patterns, separated by commas and/or
8303 whitespace. The mask specifies the number of bits in the network part
8304 of a host address. You can also specify hostnames or .domain names (the
8305 initial dot causes the domain to match any name below it),
8306 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8307 replaced by its contents; a "type:table" lookup table is matched when a
8308 table entry matches a lookup string (the lookup result is ignored).
8309 Continue long lines by starting the next line with whitespace. Specify
8310 "!pattern" to exclude an address or network block from the list. The
8311 form "!/file/name" is supported only in Postfix version 2.4 and later.
8312
8313 Note: IP version 6 address information must be specified inside [] in
8314 the smtpd_authorized_xforward_hosts value, and in files specified with
8315 "/file/name". IP version 6 addresses contain the ":" character, and
8316 would otherwise be confused with a "type:table" pattern.
8317
8319 The text that follows the 220 status code in the SMTP greeting banner.
8320 Some people like to see the mail version advertised. By default, Post‐
8321 fix shows no version.
8322
8323 You MUST specify $myhostname at the start of the text. This is required
8324 by the SMTP protocol.
8325
8326 Example:
8327
8328 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
8329
8331 The maximal number of AUTH commands that any client is allowed to send
8332 to this service per time unit, regardless of whether or not Postfix
8333 actually accepts those commands. The time unit is specified with the
8334 anvil_rate_time_unit configuration parameter.
8335
8336 By default, there is no limit on the number of AUTH commands that a client
8337 may send.
8338
8339 To disable this feature, specify a limit of 0.
8340
8341 WARNING: The purpose of this feature is to limit abuse. It must not be
8342 used to regulate legitimate mail traffic.
8343
8344 This feature is available in Postfix 3.1 and later.
8345
8347 How many simultaneous connections any client is allowed to make to this
8348 service. By default, the limit is set to half the default process
8349 limit value.
8350
8351 To disable this feature, specify a limit of 0.
8352
8353 WARNING: The purpose of this feature is to limit abuse. It must not be
8354 used to regulate legitimate mail traffic.
8355
8356 This feature is available in Postfix 2.2 and later.
8357
8359 The maximal number of connection attempts any client is allowed to make
8360 to this service per time unit. The time unit is specified with the
8361 anvil_rate_time_unit configuration parameter.
8362
8363 By default, a client can make as many connections per time unit as
8364 Postfix can accept.
8365
8366 To disable this feature, specify a limit of 0.
8367
8368 WARNING: The purpose of this feature is to limit abuse. It must not be
8369 used to regulate legitimate mail traffic.
8370
8371 This feature is available in Postfix 2.2 and later.
8372
8373 Example:
8374
8375 smtpd_client_connection_rate_limit = 1000
8376
8378 Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
8379 tions. See the mynetworks parameter description for the parameter value
8380 syntax.
8381
8382 By default, clients in trusted networks are excluded. Specify a list of
8383 network blocks, hostnames or .domain names (the initial dot causes the
8384 domain to match any name below it).
8385
8386 Note: IP version 6 address information must be specified inside [] in
8387 the smtpd_client_event_limit_exceptions value, and in files specified
8388 with "/file/name". IP version 6 addresses contain the ":" character,
8389 and would otherwise be confused with a "type:table" pattern.
8390
8391 Pattern matching of domain names is controlled by the presence or
8392 absence of "smtpd_client_event_limit_exceptions" in the par‐
8393 ent_domain_matches_subdomains parameter value (postfix 3.0 and later).
8394
8395 This feature is available in Postfix 2.2 and later.
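
The network/netmask list syntax shared by smtpd_authorized_verp_clients,
smtpd_authorized_xclient_hosts, smtpd_authorized_xforward_hosts and
smtpd_client_event_limit_exceptions can be exercised with this added
example (not Postfix code). It matches a client's IP address and hostname
against a list value, honouring first-match-wins, "!pattern" exclusion, the
[] wrapper around IPv6 networks, ".domain" suffix patterns, and the
parent_domain_matches_subdomains behaviour for
smtpd_client_event_limit_exceptions. "/file/name" and "type:table" patterns
are rejected rather than expanded, and the sample list and client
addresses are constructed.

```python
import ipaddress

# Constructed list value, e.g. for smtpd_authorized_xclient_hosts: a content
# filter subnet minus one host, an IPv6 block, and a domain suffix.
SAMPLE_LIST = "!192.0.2.99, 192.0.2.0/24, [2001:db8::]/32, .filter.example"

def parse_client_list(value):
    """Split a list into (negated, pattern) pairs. Items are separated by
    commas and/or whitespace; a leading "!" negates the pattern."""
    items = []
    for raw in value.replace(",", " ").split():
        negated = raw.startswith("!")
        items.append((negated, raw[1:] if negated else raw))
    return items

def pattern_matches(pattern, addr, hostname, parent_matches_subdomains=False):
    """Match one pattern against a client's ip_address object and hostname."""
    if pattern.startswith("/") or (":" in pattern and not pattern.startswith("[")):
        # /file/name and type:table need the file or table; not handled here.
        raise NotImplementedError(f"external pattern not handled: {pattern}")
    if pattern.startswith("["):
        # IPv6 networks are written [addr]/bits so ":" is not read as type:table.
        head, _, bits = pattern.partition("]")
        network = head[1:] + bits
    else:
        network = pattern
    try:
        return addr in ipaddress.ip_network(network, strict=False)
    except ValueError:
        pass  # not an address or network: treat as a hostname/domain pattern
    host, pat = hostname.lower(), pattern.lower()
    if pat.startswith("."):
        return host.endswith(pat)          # any name below the domain
    if host == pat:
        return True
    # Postfix 3.0 and later: a bare domain also matches subdomains only when
    # the parameter is listed in parent_domain_matches_subdomains.
    return parent_matches_subdomains and host.endswith("." + pat)

def client_in_list(value, address, hostname, parent_matches_subdomains=False):
    """First matching pattern wins: a plain match puts the client in the
    list, a "!pattern" match keeps it out; no match at all means not listed."""
    addr = ipaddress.ip_address(address)
    for negated, pattern in parse_client_list(value):
        if pattern_matches(pattern, addr, hostname, parent_matches_subdomains):
            return not negated
    return False

if __name__ == "__main__":
    for address, hostname in (("192.0.2.10", "unknown"), ("192.0.2.99", "unknown"),
                              ("2001:db8:1::5", "unknown"),
                              ("198.51.100.7", "scanner.filter.example")):
        print(address, hostname, client_in_list(SAMPLE_LIST, address, hostname))
```

Note the order in SAMPLE_LIST: "!192.0.2.99" must precede "192.0.2.0/24",
otherwise the /24 matches first and the exclusion never applies. The same
ordering rule governs every list that uses this syntax.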
8396
8398 The maximal number of message delivery requests that any client is
8399 allowed to make to this service per time unit, regardless of whether or
not Postfix actually accepts those messages. The time unit is specified
with the anvil_rate_time_unit configuration parameter.

By default, a client can send as many message delivery requests per
time unit as Postfix can accept.

To disable this feature, specify a limit of 0.

WARNING: The purpose of this feature is to limit abuse. It must not be
used to regulate legitimate mail traffic.

This feature is available in Postfix 2.2 and later.

Example:

smtpd_client_message_rate_limit = 1000

The maximal number of new (i.e., uncached) TLS sessions that a remote
SMTP client is allowed to negotiate with this service per time unit.
The time unit is specified with the anvil_rate_time_unit configuration
parameter.

By default, a remote SMTP client can negotiate as many new TLS sessions
per time unit as Postfix can accept.

To disable this feature, specify a limit of 0. Otherwise, specify a
limit that is at least the per-client concurrent session limit, or else
legitimate client sessions may be rejected.

WARNING: The purpose of this feature is to limit abuse. It must not be
used to regulate legitimate mail traffic.

This feature is available in Postfix 2.3 and later.

Example:

smtpd_client_new_tls_session_rate_limit = 100

Enable logging of the remote SMTP client port in addition to the hostname
and IP address. The logging format is "host[address]:port".

This feature is available in Postfix 2.5 and later.

The maximal number of recipient addresses that any client is allowed to
send to this service per time unit, regardless of whether or not Postfix
actually accepts those recipients. The time unit is specified with
the anvil_rate_time_unit configuration parameter.

By default, a client can send as many recipient addresses per time unit
as Postfix can accept.

To disable this feature, specify a limit of 0.

WARNING: The purpose of this feature is to limit abuse. It must not be
used to regulate legitimate mail traffic.

This feature is available in Postfix 2.2 and later.

Example:

smtpd_client_recipient_rate_limit = 1000
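The three per-client rate limits above (message, recipient and new-TLS-session) share one mechanism: anvil(8) counts events per client address within windows of anvil_rate_time_unit seconds, every attempt is counted whether or not Postfix later accepts it, and a limit of 0 disables the check. The following is an added example that models that behaviour; it is not Postfix or anvil code, the class name, the fixed-window bookkeeping and the sample event list are constructed for illustration, and the clock is passed in so it runs offline.

```python
"""Per-client event counting in the style of the Postfix anvil(8) service.

Added example (not Postfix code): it models how a limit such as
smtpd_client_message_rate_limit, smtpd_client_recipient_rate_limit or
smtpd_client_new_tls_session_rate_limit is enforced. Events are counted per
client address within fixed windows of anvil_rate_time_unit seconds, every
attempt counts whether or not the event is later accepted, and a limit of 0
disables the check. The clock is passed in so the example runs offline.
"""
from collections import defaultdict


class ClientRateLimiter:
    """Constructed model of one anvil rate counter (one per limit kind)."""

    def __init__(self, limit: int, time_unit: int = 60):
        self.limit = limit            # 0 means "no limit", as in postconf(5)
        self.time_unit = time_unit    # anvil_rate_time_unit, in seconds
        self._window_start = {}       # client address -> start of current window
        self._count = defaultdict(int)

    def allow(self, client: str, now: float) -> bool:
        """Count one event for `client` at time `now`.

        Returns False once the client has exceeded `limit` events in the
        current window. The event is still counted, which is why a rejected
        message, recipient or handshake keeps contributing to the rate.
        """
        if self.limit == 0:
            return True
        start = self._window_start.get(client)
        if start is None or now - start >= self.time_unit:
            # First event of a new window: reset the counter for this client.
            self._window_start[client] = now
            self._count[client] = 0
        self._count[client] += 1
        return self._count[client] <= self.limit


def simulate(limiter: ClientRateLimiter, events):
    """Replay constructed (timestamp, client) events; return one bool per event."""
    return [limiter.allow(client, ts) for ts, client in events]


# Constructed sample: client "a" makes four attempts inside one 60 s window,
# client "b" one, then "a" comes back after the window has rolled over.
SAMPLE_EVENTS = [(0, "a"), (1, "a"), (2, "a"), (3, "a"), (4, "b"), (61, "a")]

if __name__ == "__main__":
    limiter = ClientRateLimiter(limit=3, time_unit=60)
    for (ts, client), ok in zip(SAMPLE_EVENTS, simulate(limiter, SAMPLE_EVENTS)):
        print(f"t={ts:>3} client={client} {'accept' if ok else 'reject (rate limit)'}")
```

With a limit of 3 the fourth attempt by client "a" inside the window is refused while client "b" is unaffected, and "a" is admitted again once a new window starts; with a limit of 0 nothing is ever refused. The same counting is what makes a TLS-session limit below the per-client concurrency limit reject legitimate sessions, as the caveat above warns.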

Optional restrictions that the Postfix SMTP server applies in the context
of a client connection request. See SMTPD_ACCESS_README, section
"Delayed evaluation of SMTP access restriction lists" for a discussion
of evaluation context and time.

The default is to allow all connection requests.

Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first restriction
that matches wins.

The following restrictions are specific to client hostname or client
network address information.

check_ccert_access type:table
Use the remote SMTP client certificate fingerprint or the public
key fingerprint (Postfix 2.9 and later) as lookup key for the
specified access(5) database; with Postfix version 2.2, also
require that the remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via
the smtpd_tls_fingerprint_digest parameter (hard-coded as md5
prior to Postfix version 2.5). This feature is available with
Postfix version 2.2 and later.

check_client_access type:table
Search the specified access database for the client hostname,
parent domains, client IP address, or networks obtained by
stripping least significant octets. See the access(5) manual
page for details.

check_client_a_access type:table
Search the specified access(5) database for the IP addresses for
the client hostname, and execute the corresponding action.
Note: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from
blacklists. This feature is available in Postfix 3.0 and later.

check_client_mx_access type:table
Search the specified access(5) database for the MX hosts for the
client hostname, and execute the corresponding action. Note: a
result of "OK" is not allowed for safety reasons. Instead, use
DUNNO in order to exclude specific hosts from blacklists. This
feature is available in Postfix 2.7 and later.

check_client_ns_access type:table
Search the specified access(5) database for the DNS servers for
the client hostname, and execute the corresponding action.
Note: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from
blacklists. This feature is available in Postfix 2.7 and later.

check_reverse_client_hostname_access type:table
Search the specified access database for the unverified reverse
client hostname, parent domains, client IP address, or networks
obtained by stripping least significant octets. See the
access(5) manual page for details. Note: a result of "OK" is
not allowed for safety reasons. Instead, use DUNNO in order to
exclude specific hosts from blacklists. This feature is available
in Postfix 2.6 and later.

check_reverse_client_hostname_a_access type:table
Search the specified access(5) database for the IP addresses for
the unverified reverse client hostname, and execute the corresponding
action. Note: a result of "OK" is not allowed for
safety reasons. Instead, use DUNNO in order to exclude specific
hosts from blacklists. This feature is available in Postfix 3.0
and later.

check_reverse_client_hostname_mx_access type:table
Search the specified access(5) database for the MX hosts for the
unverified reverse client hostname, and execute the corresponding
action. Note: a result of "OK" is not allowed for safety
reasons. Instead, use DUNNO in order to exclude specific hosts
from blacklists. This feature is available in Postfix 2.7 and
later.

check_reverse_client_hostname_ns_access type:table
Search the specified access(5) database for the DNS servers for
the unverified reverse client hostname, and execute the corresponding
action. Note: a result of "OK" is not allowed for
safety reasons. Instead, use DUNNO in order to exclude specific
hosts from blacklists. This feature is available in Postfix 2.7
and later.

check_sasl_access type:table
Use the remote SMTP client SASL user name as lookup key for the
specified access(5) database. The lookup key has the form
"username@domainname" when the smtpd_sasl_local_domain parameter
value is non-empty. Unlike the check_client_access feature,
check_sasl_access does not perform matches of parent domains or
IP subnet ranges. This feature is available with Postfix version
2.11 and later.

permit_inet_interfaces
Permit the request when the client IP address matches
$inet_interfaces.

permit_mynetworks
Permit the request when the client IP address matches any network
or network address listed in $mynetworks.

permit_sasl_authenticated
Permit the request when the client is successfully authenticated
via the RFC 4954 (AUTH) protocol.

permit_tls_all_clientcerts
Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as
trusted CA. Otherwise, clients with a third-party certificate
would also be allowed to relay. Specify "tls_append_default_CA
= no" when the trusted CA is specified with smtpd_tls_CAfile or
smtpd_tls_CApath, to prevent Postfix from appending the
system-supplied default CAs. This feature is available with Postfix
version 2.2.

permit_tls_clientcerts
Permit the request when the remote SMTP client certificate fingerprint
or public key fingerprint (Postfix 2.9 and later) is
listed in $relay_clientcerts. The fingerprint digest algorithm
is configurable via the smtpd_tls_fingerprint_digest parameter
(hard-coded as md5 prior to Postfix version 2.5). This feature
is available with Postfix version 2.2.

reject_rbl_client rbl_domain=d.d.d.d
Reject the request when the reversed client network address is
listed with the A record "d.d.d.d" under rbl_domain (Postfix
version 2.1 and later only). Each "d" is a number, or a pattern
inside "[]" that contains one or more ";"-separated numbers or
number..number ranges (Postfix version 2.8 and later). If no
"=d.d.d.d" is specified, reject the request when the reversed
client network address is listed with any A record under
rbl_domain.
The maps_rbl_reject_code parameter specifies the response code
for rejected requests (default: 554), the default_rbl_reply
parameter specifies the default server reply, and the
rbl_reply_maps parameter specifies tables with server replies
indexed by rbl_domain. This feature is available in Postfix 2.0
and later.

permit_dnswl_client dnswl_domain=d.d.d.d
Accept the request when the reversed client network address is
listed with the A record "d.d.d.d" under dnswl_domain. Each "d"
is a number, or a pattern inside "[]" that contains one or more
";"-separated numbers or number..number ranges. If no
"=d.d.d.d" is specified, accept the request when the reversed
client network address is listed with any A record under
dnswl_domain.
For safety, permit_dnswl_client is silently ignored when it
would override reject_unauth_destination. The result is
DEFER_IF_REJECT when whitelist lookup fails. This feature is
available in Postfix 2.8 and later.

reject_rhsbl_client rbl_domain=d.d.d.d
Reject the request when the client hostname is listed with the A
record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
only). Each "d" is a number, or a pattern inside "[]" that contains
one or more ";"-separated numbers or number..number ranges
(Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
reject the request when the client hostname is listed with any A
record under rbl_domain. See the reject_rbl_client description
above for additional RBL related configuration parameters. This
feature is available in Postfix 2.0 and later; with Postfix version
2.8 and later, reject_rhsbl_reverse_client will usually
produce better results.

permit_rhswl_client rhswl_domain=d.d.d.d
Accept the request when the client hostname is listed with the A
record "d.d.d.d" under rhswl_domain. Each "d" is a number, or a
pattern inside "[]" that contains one or more ";"-separated numbers
or number..number ranges. If no "=d.d.d.d" is specified,
accept the request when the client hostname is listed with any A
record under rhswl_domain.
Caution: client name whitelisting is fragile, since the client
name lookup can fail due to temporary outages. Client name
whitelisting should be used only to reduce false positives in
e.g. DNS-based blocklists, and not for making access rule
exceptions.
For safety, permit_rhswl_client is silently ignored when it
would override reject_unauth_destination. The result is
DEFER_IF_REJECT when whitelist lookup fails. This feature is
available in Postfix 2.8 and later.

reject_rhsbl_reverse_client rbl_domain=d.d.d.d
Reject the request when the unverified reverse client hostname
is listed with the A record "d.d.d.d" under rbl_domain. Each
"d" is a number, or a pattern inside "[]" that contains one or
more ";"-separated numbers or number..number ranges. If no
"=d.d.d.d" is specified, reject the request when the unverified
reverse client hostname is listed with any A record under
rbl_domain. See the reject_rbl_client description above for
additional RBL related configuration parameters. This feature
is available in Postfix 2.8 and later.

reject_unknown_client_hostname (with Postfix < 2.3:
reject_unknown_client)
Reject the request when 1) the client IP address->name mapping
fails, 2) the name->address mapping fails, or 3) the
name->address mapping does not match the client IP address.
This is a stronger restriction than the
reject_unknown_reverse_client_hostname feature, which triggers
only under condition 1) above.
The unknown_client_reject_code parameter specifies the response
code for rejected requests (default: 450). The reply is always
450 in case the address->name or name->address lookup failed due
to a temporary problem.

reject_unknown_reverse_client_hostname
Reject the request when the client IP address has no
address->name mapping.
This is a weaker restriction than the
reject_unknown_client_hostname feature, which requires not only
that the address->name and name->address mappings exist, but
also that the two mappings reproduce the client IP address.
The unknown_client_reject_code parameter specifies the response
code for rejected requests (default: 450). The reply is always
450 in case the address->name lookup failed due to a temporary
problem.
This feature is available in Postfix 2.3 and later.
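The reject_rbl_client and permit_dnswl_client entries above share the "rbl_domain=d.d.d.d" syntax: the client address is reversed and queried under the list domain, and the optional pattern selects which returned A records count, with each "d" either a number or a "[]" group of ";"-separated numbers and number..number ranges. The following added example implements that lookup and matching; it is not Postfix code, DNS is replaced by a constructed in-memory resolver whose names and records are invented for the example, only IPv4 clients are handled, and the DEFER_IF_REJECT outcome on a failed whitelist lookup is modelled for permit_dnswl_client as described above.

```python
"""DNSBL/DNSWL lookup keys and "d.d.d.d" A-record patterns.

Added example (not Postfix code). It builds the reversed-address query name
used by reject_rbl_client and permit_dnswl_client, and matches the returned
A records against an optional "=d.d.d.d" pattern where each "d" is a number
or a "[...]" list of ";"-separated numbers and number..number ranges. DNS is
replaced by a constructed in-memory resolver; IPv4 clients only.
"""
import ipaddress


class LookupTempFail(Exception):
    """Raised by the resolver for a temporary DNS failure."""


# Constructed zone data: query name -> A records. Nothing here is a real list.
FAKE_DNS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    "4.2.0.192.dnsbl.example": ["127.0.0.4", "127.0.0.10"],
    "4.2.0.192.dnswl.example": ["127.0.2.1"],
}
TEMPFAIL_NAMES = {"5.2.0.192.dnswl.example"}   # constructed: lookup times out


def fake_resolve(name: str) -> list:
    """Return A records for `name`, [] when unlisted, raise on temporary failure."""
    if name in TEMPFAIL_NAMES:
        raise LookupTempFail(name)
    return FAKE_DNS.get(name, [])


def reversed_lookup_name(client_ip: str, rbl_domain: str) -> str:
    """192.0.2.4 under dnsbl.example becomes 4.2.0.192.dnsbl.example."""
    if ipaddress.ip_address(client_ip).version != 4:
        raise ValueError("this example handles IPv4 clients only")
    return ".".join(reversed(client_ip.split("."))) + "." + rbl_domain


def _split_pattern(pattern: str) -> list:
    """Split "d.d.d.d" into its four fields, keeping "[...]" groups whole
    (a naive split on "." would break a "2..7" range)."""
    fields, i = [], 0
    while i < len(pattern):
        if pattern[i] == "[":
            j = pattern.index("]", i)
            fields.append(pattern[i:j + 1])
            i = j + 1
        else:
            j = pattern.find(".", i)
            j = len(pattern) if j == -1 else j
            fields.append(pattern[i:j])
            i = j
        if i < len(pattern):
            if pattern[i] != ".":
                raise ValueError(f"malformed pattern: {pattern}")
            i += 1
    return fields


def _field_matches(field: str, value: int) -> bool:
    """One "d": a plain number, or "[n;a..b;...]"."""
    if field.startswith("[") and field.endswith("]"):
        for item in field[1:-1].split(";"):
            if ".." in item:
                lo, hi = item.split("..", 1)
                if int(lo) <= value <= int(hi):
                    return True
            elif int(item) == value:
                return True
        return False
    return int(field) == value


def a_record_matches(pattern: str, a_record: str) -> bool:
    """True when an A record such as 127.0.0.2 satisfies a "d.d.d.d" pattern."""
    fields = _split_pattern(pattern)
    values = [int(x) for x in a_record.split(".")]
    if len(fields) != 4 or len(values) != 4:
        raise ValueError(f"expected four fields: {pattern!r} / {a_record!r}")
    return all(_field_matches(f, v) for f, v in zip(fields, values))


def rbl_listed(client_ip: str, spec: str, resolve=fake_resolve) -> bool:
    """spec is "rbl_domain" or "rbl_domain=d.d.d.d". Without a pattern any A
    record counts as listed. Temporary failures propagate as LookupTempFail."""
    rbl_domain, _, pattern = spec.partition("=")
    records = resolve(reversed_lookup_name(client_ip, rbl_domain))
    if not records:
        return False
    return True if not pattern else any(a_record_matches(pattern, r) for r in records)


def dnswl_action(client_ip: str, spec: str, resolve=fake_resolve) -> str:
    """permit_dnswl_client semantics: PERMIT when listed, DUNNO (no match)
    otherwise, DEFER_IF_REJECT when the whitelist lookup fails temporarily."""
    try:
        return "PERMIT" if rbl_listed(client_ip, spec, resolve) else "DUNNO"
    except LookupTempFail:
        return "DEFER_IF_REJECT"
```

The same helpers serve reject_rhsbl_client, reject_rhsbl_reverse_client and permit_rhswl_client if the query name is built from the hostname instead of the reversed address; only the lookup key differs. Pinning a return-code pattern such as "=127.0.0.[2..7]" matters in practice because many lists use distinct codes for different reasons, and a bare domain matches every one of them.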

In addition, you can use any of the following generic restrictions.
These restrictions are applicable in any SMTP command context.

check_policy_service servername
Query the specified policy server. See the SMTPD_POLICY_README
document for details. This feature is available in Postfix 2.1
and later.

defer  Defer the request. The client is told to try again later. This
restriction is useful at the end of a restriction list, to make
the default policy explicit.
The defer_code parameter specifies the SMTP server reply code
(default: 450).

defer_if_permit
Defer the request if some later restriction would result in an
explicit or implicit PERMIT action. This is useful when a
blacklisting feature fails due to a temporary problem. This
feature is available in Postfix version 2.1 and later.

defer_if_reject
Defer the request if some later restriction would result in a
REJECT action. This is useful when a whitelisting feature fails
due to a temporary problem. This feature is available in Postfix
version 2.1 and later.

permit  Permit the request. This restriction is useful at the end of a
restriction list, to make the default policy explicit.

reject_multi_recipient_bounce
Reject the request when the envelope sender is the null address,
and the message has multiple envelope recipients. This usage has
rare but legitimate applications: under certain conditions,
multi-recipient mail that was posted with the DSN option
NOTIFY=NEVER may be forwarded with the null sender address.
Note: this restriction can only work reliably when used in
smtpd_data_restrictions or smtpd_end_of_data_restrictions,
because the total number of recipients is not known at an earlier
stage of the SMTP conversation. Use at the RCPT stage will
only reject the second etc. recipient.
The multi_recipient_bounce_reject_code parameter specifies the
response code for rejected requests (default: 550). This feature
is available in Postfix 2.1 and later.

reject_plaintext_session
Reject the request when the connection is not encrypted. This
restriction should not be used before the client has had a
chance to negotiate encryption with the AUTH or STARTTLS commands.
The plaintext_reject_code parameter specifies the response code
for rejected requests (default: 450). This feature is available
in Postfix 2.3 and later.

reject_unauth_pipelining
Reject the request when the client sends SMTP commands ahead of
time where it is not allowed, or when the client sends SMTP commands
ahead of time without knowing that Postfix actually supports
ESMTP command pipelining. This stops mail from bulk mail
software that improperly uses ESMTP command pipelining in order
to speed up deliveries.
With Postfix 2.6 and later, the SMTP server sets a per-session
flag whenever it detects illegal pipelining, including pipelined
HELO or EHLO commands. The reject_unauth_pipelining feature simply
tests whether the flag was set at any point in time during
the session.
With older Postfix versions, reject_unauth_pipelining checks the
current status of the input read queue, and its usage is not
recommended in contexts other than smtpd_data_restrictions.

reject  Reject the request. This restriction is useful at the end of a
restriction list, to make the default policy explicit. The
reject_code configuration parameter specifies the response code
for rejected requests (default: 554).

sleep seconds
Pause for the specified number of seconds and proceed with the
next restriction in the list, if any. This may stop zombie mail
when used as:
    /etc/postfix/main.cf:
        smtpd_client_restrictions =
            sleep 1, reject_unauth_pipelining
        smtpd_delay_reject = no
This feature is available in Postfix 2.3.

warn_if_reject
A safety net for testing. When "warn_if_reject" is placed before
a reject-type restriction, access table query, or check_policy_service
query, this logs a "reject_warning" message instead
of rejecting a request (when a reject-type restriction fails due
to a temporary error, this logs a "reject_warning" message for
any implicit "defer_if_permit" actions that would normally prevent
mail from being accepted by some later access restriction).
This feature has no effect on defer_if_reject restrictions.

Other restrictions that are valid in this context:

· SMTP command specific restrictions that are described under the
smtpd_helo_restrictions, smtpd_sender_restrictions or
smtpd_recipient_restrictions parameters. When helo, sender or
recipient restrictions are listed under smtpd_client_restrictions,
they have effect only with "smtpd_delay_reject = yes", so
that $smtpd_client_restrictions is evaluated at the time of the
RCPT TO command.

Example:

smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
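The rules stated above for a restriction list (first match wins, an implicit permit at the end, defer_if_permit and defer_if_reject turning a later PERMIT or REJECT into a DEFER, warn_if_reject logging instead of rejecting) are easiest to see with a small evaluator. The following is an added example, not Postfix code: it models permit_mynetworks, check_client_access with the access(5) lookup-key order described above, reject_unknown_client_hostname versus reject_unknown_reverse_client_hostname, and the generic permit/reject/defer family. DNS answers are supplied on the client record, the access table is a dict standing in for a hash: table, $mynetworks is a constructed list, and reply codes are not modelled.

```python
"""Evaluation of a Postfix-style restriction list, first match wins.

Added example, not Postfix code. DNS results are part of the constructed
client record, CLIENT_ACCESS stands in for "hash:/etc/postfix/client_access",
MYNETWORKS is a constructed $mynetworks value. Reply codes are not modelled.
"""
import ipaddress

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Constructed access(5) table. DUNNO ends the lookup without a decision.
CLIENT_ACCESS = {
    "badhost.example.org": "REJECT",
    "example.org": "DUNNO",       # stop at this name, do not try shorter keys
    "203.0.113.7": "OK",          # exact address is tried before its network
    "203.0.113": "REJECT",        # network key: least significant octet stripped
}


def access_lookup_keys(ip: str, hostname):
    """Keys tried by check_client_access: hostname, parent domains, the IP
    address, then networks obtained by stripping least significant octets."""
    keys = []
    if hostname:
        labels = hostname.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def verified_hostname(client: dict):
    """The client name is verified only if reverse and forward lookups agree."""
    name = client.get("reverse_name")
    if name and client["ip"] in client.get("forward", ()):
        return name
    return None


def apply_restriction(restriction: str, client: dict) -> str:
    """One restriction -> OK, REJECT, DEFER, DEFER_IF_PERMIT, DEFER_IF_REJECT
    or DUNNO (no decision, continue with the next restriction)."""
    if restriction in ("permit", "reject", "defer", "defer_if_permit", "defer_if_reject"):
        return {"permit": "OK"}.get(restriction, restriction.upper())
    ip = ipaddress.ip_address(client["ip"])
    if restriction == "permit_mynetworks":
        return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if restriction == "reject_unknown_reverse_client_hostname":
        return "DUNNO" if client.get("reverse_name") else "REJECT"
    if restriction == "reject_unknown_client_hostname":
        return "DUNNO" if verified_hostname(client) else "REJECT"
    if restriction.startswith("check_client_access "):
        for key in access_lookup_keys(client["ip"], verified_hostname(client)):
            if key in CLIENT_ACCESS:
                return CLIENT_ACCESS[key]   # first key found decides, even DUNNO
        return "DUNNO"
    raise ValueError(f"unsupported restriction in this example: {restriction}")


def evaluate(restrictions, client: dict, log: list) -> str:
    """Return the final PERMIT, REJECT or DEFER for a restriction list."""
    defer_if_permit = defer_if_reject = warn_next = False
    for r in restrictions:
        if r == "warn_if_reject":
            warn_next = True                 # applies to the next restriction only
            continue
        action = apply_restriction(r, client)
        if warn_next:
            warn_next = False
            if action == "REJECT":
                log.append(f"reject_warning: {r} would reject {client['ip']}")
                action = "DUNNO"
        if action == "DUNNO":
            continue
        if action == "DEFER_IF_PERMIT":
            defer_if_permit = True
        elif action == "DEFER_IF_REJECT":
            defer_if_reject = True
        elif action == "OK":
            return "DEFER" if defer_if_permit else "PERMIT"
        elif action == "REJECT":
            return "DEFER" if defer_if_reject else "REJECT"
        elif action == "DEFER":
            return "DEFER"
    # End of list: the implicit default is to permit.
    return "DEFER" if defer_if_permit else "PERMIT"
```

Running the page's own example list, "permit_mynetworks, reject_unknown_client_hostname", against a client whose reverse name resolves to a different address shows why the stronger restriction rejects where reject_unknown_reverse_client_hostname would not, and placing warn_if_reject before the reject turns that into a logged reject_warning with the mail still accepted, which is the safe way to trial a new rule.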

A mechanism to transform commands from remote SMTP clients. This is a
last-resort tool to work around client commands that break interoperability
with the Postfix SMTP server. Other uses involve fault injection
to test Postfix's handling of invalid commands.

Specify the name of a "type:table" lookup table. The search string is
the SMTP command as received from the remote SMTP client, except that
initial whitespace and the trailing <CR><LF> are removed. The result
value is executed by the Postfix SMTP server.

There is no need to use smtpd_command_filter for the following cases:

· Use "resolve_numeric_domain = yes" to accept "user@ipaddress".

· Postfix already accepts the correct form "user@[ipaddress]". Use
virtual_alias_maps or canonical_maps to translate these into
domain names if necessary.

· Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
<user@example.com>>". Postfix will ignore the "User Name" part
and deliver to the <user@example.com> address.

Examples of problems that can be solved with the smtpd_command_filter
feature:

/etc/postfix/main.cf:
    smtpd_command_filter = pcre:/etc/postfix/command_filter

/etc/postfix/command_filter:
    # Work around clients that send malformed HELO commands.
    /^HELO\s*$/ HELO domain.invalid

    # Work around clients that send empty lines.
    /^\s*$/ NOOP

    # Work around clients that send RCPT TO:<'user@domain'>.
    # WARNING: do not lose the parameters that follow the address.
    /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/ $1$2$3

    # Append XVERP to MAIL FROM commands to request VERP-style delivery.
    # See VERP_README for more information on how to use Postfix VERP.
    /^(MAIL FROM:\s*<listname@example\.com>.*)/ $1 XVERP

    # Bounce-never mail sink. Use notify_classes=bounce,resource,software
    # to send bounced mail to the postmaster (with message body removed).
    /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/ $1 NOTIFY=NEVER$2
    /^(RCPT\s+TO:.*)/ $1 NOTIFY=NEVER

This feature is available in Postfix 2.7.
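Because a command filter rewrites what the server executes, the safest way to deploy one is to replay it against sample commands first and confirm that parameters after the address survive, as the WARNING in the table demands. The following added example (not Postfix code) does that for the command_filter table above, following the search rules stated in this section: leading whitespace and the trailing <CR><LF> are removed, the first matching rule wins, and an unmatched command is executed unchanged. Two pcre-to-Python translations are assumed and are enough for this table but do not make a general pcre converter: "$N" references become "\N" and the POSIX class [[:space:]] becomes \s; flags after the closing "/" are not handled. Case-insensitive matching is applied, as pcre_table(5) documents as the default.

```python
"""Applying an smtpd_command_filter table to incoming SMTP command lines.

Added example, not Postfix code. Assumptions: "$N" -> "\\N" and
[[:space:]] -> \\s are the only pcre-to-Python translations needed, rules
carry no trailing flags, and matching is case-insensitive (the pcre_table(5)
default). Sample commands are constructed.
"""
import re

# The /etc/postfix/command_filter examples from above, in table order.
COMMAND_FILTER = [
    (r"/^HELO\s*$/", "HELO domain.invalid"),
    (r"/^\s*$/", "NOOP"),
    (r"/^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/", "$1$2$3"),
    (r"/^(MAIL FROM:\s*<listname@example\.com>.*)/", "$1 XVERP"),
    (r"/^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/", "$1 NOTIFY=NEVER$2"),
    (r"/^(RCPT\s+TO:.*)/", "$1 NOTIFY=NEVER"),
]


def compile_rule(pattern: str, replacement: str):
    """Translate one pcre_table(5) rule: strip the /.../ delimiters, map the
    POSIX space class and $N group references to Python re equivalents."""
    if not pattern.startswith("/") or pattern.count("/") < 2:
        raise ValueError(f"expected /pattern/: {pattern}")
    body, flags = pattern[1:].rsplit("/", 1)
    if flags:
        raise ValueError(f"pattern flags are not handled in this example: {pattern}")
    body = body.replace("[^[:space:]]", r"\S").replace("[[:space:]]", r"\s")
    template = re.sub(r"\$(\d+)", r"\\\1", replacement)   # $1 -> \1
    return re.compile(body, re.IGNORECASE), template


COMPILED = [compile_rule(p, r) for p, r in COMMAND_FILTER]


def filter_command(raw_line: str) -> str:
    """Return the command the SMTP server would execute for `raw_line`."""
    command = raw_line.lstrip(" \t").rstrip("\r\n")   # search string per postconf(5)
    for regex, template in COMPILED:
        match = regex.search(command)
        if match:
            return match.expand(template)        # first matching rule wins
    return command                               # no rule matched: unchanged


# Constructed client commands, one per rule plus one that no rule touches.
SAMPLE_COMMANDS = [
    "HELO\r\n",
    "   \r\n",
    "RCPT TO:<'user@example.com'> NOTIFY=SUCCESS\r\n",
    "MAIL FROM:<listname@example.com> SIZE=100\r\n",
    "RCPT TO:<a@example.org> NOTIFY=SUCCESS,FAILURE ORCPT=rfc822;a@example.org\r\n",
    "rcpt to:<b@example.org>\r\n",
    "EHLO client.example.net\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_COMMANDS:
        print(f"{raw.strip()!r:70} -> {filter_command(raw)!r}")
```

The third sample is the one the WARNING is about: the quote-stripping rule captures "> NOTIFY=SUCCESS" in its last group, so the DSN parameter is carried into the rewritten command rather than silently dropped.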

Optional access restrictions that the Postfix SMTP server applies in
the context of the SMTP DATA command. See SMTPD_ACCESS_README, section
"Delayed evaluation of SMTP access restriction lists" for a discussion
of evaluation context and time.

This feature is available in Postfix 2.0 and later.

Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first restriction
that matches wins.

The following restrictions are valid in this context:

· Generic restrictions that can be used in any SMTP command context,
described under smtpd_client_restrictions.

· SMTP command specific restrictions described under
smtpd_client_restrictions, smtpd_helo_restrictions,
smtpd_sender_restrictions or smtpd_recipient_restrictions.

· However, no recipient information is available in the case of
multi-recipient mail. Acting on only one recipient would be misleading,
because any decision will affect all recipients
equally. Acting on all recipients would require a possibly very
large amount of memory, and would also be misleading for the
reasons mentioned before.

Examples:

smtpd_data_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_multi_recipient_bounce

Postpone the start of an SMTP mail transaction until a valid RCPT TO
command is received. Specify "no" to create a mail transaction as soon
as the Postfix SMTP server receives a valid MAIL FROM command.

With sites that reject lots of mail, the default setting reduces the
use of disk, CPU and memory resources. The downside is that rejected
recipients are logged with NOQUEUE instead of a mail transaction ID.
This complicates the logfile analysis of multi-recipient mail.

This feature is available in Postfix 2.3 and later.

Wait until the RCPT TO command before evaluating $smtpd_client_restrictions,
$smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
until the ETRN command before evaluating $smtpd_client_restrictions and
$smtpd_helo_restrictions.

This feature is turned on by default because some clients apparently
mis-behave when the Postfix SMTP server rejects commands before RCPT
TO.

The default setting has one major benefit: it allows Postfix to log
recipient address information when rejecting a client name/address or
sender address, so that it is possible to find out whose mail is being
rejected.

Lookup tables, indexed by the remote SMTP client address, with case
insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
that the Postfix SMTP server will not send in the EHLO response to a
remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
tables are not searched by hostname for robustness reasons.

Specify zero or more "type:name" lookup tables, separated by whitespace
or comma. Tables will be searched in the specified order until a match
is found.

This feature is available in Postfix 2.2 and later.

A case insensitive list of EHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix SMTP server will not send in the EHLO response
to a remote SMTP client.

This feature is available in Postfix 2.2 and later.

Notes:

· Specify the silent-discard pseudo keyword to prevent this action
from being logged.

· Use the smtpd_discard_ehlo_keyword_address_maps feature to discard
EHLO keywords selectively.

Optional filter for Postfix SMTP server DNS lookup results. See
smtp_dns_reply_filter for details including an example.

This feature is available in Postfix 3.0 and later.

Optional access restrictions that the Postfix SMTP server applies in
the context of the SMTP END-OF-DATA command. See SMTPD_ACCESS_README,
section "Delayed evaluation of SMTP access restriction lists" for a
discussion of evaluation context and time.

This feature is available in Postfix 2.2 and later.

See smtpd_data_restrictions for details and limitations.

Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. According to RFC 2487 this
MUST NOT be applied in case of a publicly-referenced SMTP server. This
option is therefore off by default.

Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".

Note 2: when invoked via "sendmail -bs", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior.

This feature is available in Postfix 2.2 and later. With Postfix 2.3
and later use smtpd_tls_security_level instead.

With Postfix version 2.1 and later: the SMTP server response delay
after a client has made more than $smtpd_soft_error_limit errors, and
fewer than $smtpd_hard_error_limit errors, without delivering mail.

With Postfix version 2.0 and earlier: the SMTP server delay before
sending a reject (4xx or 5xx) response, when the client has made fewer
than $smtpd_soft_error_limit errors without delivering mail.

Optional restrictions that the Postfix SMTP server applies in the context
of a client ETRN command. See SMTPD_ACCESS_README, section
"Delayed evaluation of SMTP access restriction lists" for a discussion
of evaluation context and time.

The Postfix ETRN implementation accepts only destinations that are eligible
for the Postfix "fast flush" service. See the ETRN_README file
for details.

Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first restriction
that matches wins.

The following restrictions are specific to the domain name information
received with the ETRN command.

check_etrn_access type:table
Search the specified access database for the ETRN domain name or
its parent domains. See the access(5) manual page for details.

Other restrictions that are valid in this context:

· Generic restrictions that can be used in any SMTP command context,
described under smtpd_client_restrictions.

· SMTP command specific restrictions described under
smtpd_client_restrictions and smtpd_helo_restrictions.

Example:

smtpd_etrn_restrictions = permit_mynetworks, reject

What characters are allowed in $name expansions of RBL reply templates.
Characters not in the allowed set are replaced by "_". Use C like
escapes to specify special characters such as whitespace.

This parameter is not subjected to $parameter expansion.

This feature is available in Postfix 2.0 and later.

List of commands that cause the Postfix SMTP server to immediately terminate
the session with a 221 code. This can be used to disconnect
clients that obviously attempt to abuse the system. In addition to the
commands listed in this parameter, commands that follow the "Label:"
format of message headers will also cause a disconnect.

This feature is available in Postfix 2.2 and later.

The maximal number of errors a remote SMTP client is allowed to make
without delivering mail. The Postfix SMTP server disconnects when the
limit is exceeded. Normally the default limit is 20, but it changes
under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
always allows up to 20 errors by default.

Require that a remote SMTP client introduces itself with the HELO or
EHLO command before sending the MAIL command or other commands that
require EHLO negotiation.

Example:

smtpd_helo_required = yes

Optional restrictions that the Postfix SMTP server applies in the context
of a client HELO command. See SMTPD_ACCESS_README, section
"Delayed evaluation of SMTP access restriction lists" for a discussion
of evaluation context and time.

The default is to permit everything.

Note: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can simply
skip smtpd_helo_restrictions by not sending HELO or EHLO).

Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first restriction
that matches wins.

The following restrictions are specific to the hostname information
received with the HELO or EHLO command.

check_helo_access type:table
Search the specified access(5) database for the HELO or EHLO
hostname or parent domains, and execute the corresponding
action. Note: specify "smtpd_helo_required = yes" to fully
enforce this restriction (without "smtpd_helo_required = yes", a
client can simply skip check_helo_access by not sending HELO or
EHLO).

check_helo_a_access type:table
Search the specified access(5) database for the IP addresses for
the HELO or EHLO hostname, and execute the corresponding action.
Note 1: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from
blacklists. Note 2: specify "smtpd_helo_required = yes" to
fully enforce this restriction (without "smtpd_helo_required =
yes", a client can simply skip check_helo_a_access by not sending
HELO or EHLO). This feature is available in Postfix 3.0 and
later.

check_helo_mx_access type:table
Search the specified access(5) database for the MX hosts for the
HELO or EHLO hostname, and execute the corresponding action.
Note 1: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from
blacklists. Note 2: specify "smtpd_helo_required = yes" to
fully enforce this restriction (without "smtpd_helo_required =
yes", a client can simply skip check_helo_mx_access by not sending
HELO or EHLO). This feature is available in Postfix 2.1 and
later.

check_helo_ns_access type:table
Search the specified access(5) database for the DNS servers for
the HELO or EHLO hostname, and execute the corresponding action.
Note 1: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from
blacklists. Note 2: specify "smtpd_helo_required = yes" to
fully enforce this restriction (without "smtpd_helo_required =
yes", a client can simply skip check_helo_ns_access by not sending
HELO or EHLO). This feature is available in Postfix 2.1 and
later.

reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
Reject the request when the HELO or EHLO hostname is malformed.
Note: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can
simply skip reject_invalid_helo_hostname by not sending HELO or
EHLO).
The invalid_hostname_reject_code specifies the response code for
rejected requests (default: 501).

reject_non_fqdn_helo_hostname (with Postfix < 2.3:
reject_non_fqdn_hostname)
Reject the request when the HELO or EHLO hostname is not in
fully-qualified domain or address literal form, as required by
the RFC. Note: specify "smtpd_helo_required = yes" to fully
enforce this restriction (without "smtpd_helo_required = yes", a
client can simply skip reject_non_fqdn_helo_hostname by not
sending HELO or EHLO).
The non_fqdn_reject_code parameter specifies the response code
for rejected requests (default: 504).

reject_rhsbl_helo rbl_domain=d.d.d.d
Reject the request when the HELO or EHLO hostname is listed with
the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
later only). Each "d" is a number, or a pattern inside "[]"
that contains one or more ";"-separated numbers or number..number
ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
specified, reject the request when the HELO or EHLO hostname is
listed with any A record under rbl_domain. See the
reject_rbl_client description for additional RBL related configuration
parameters. Note: specify "smtpd_helo_required = yes"
to fully enforce this restriction (without "smtpd_helo_required
= yes", a client can simply skip reject_rhsbl_helo by not sending
HELO or EHLO). This feature is available in Postfix 2.0 and
later.

reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
Reject the request when the HELO or EHLO hostname has no DNS A
or MX record.
The reply is specified with the unknown_hostname_reject_code
parameter (default: 450) or unknown_helo_hostname_tempfail_action
(default: defer_if_permit). See the respective
parameter descriptions for details.
Note: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can
simply skip reject_unknown_helo_hostname by not sending HELO or
EHLO).

Other restrictions that are valid in this context:

· Generic restrictions that can be used in any SMTP command context,
described under smtpd_client_restrictions.

· Client hostname or network address specific restrictions
described under smtpd_client_restrictions.

· SMTP command specific restrictions described under
smtpd_sender_restrictions or smtpd_recipient_restrictions. When
sender or recipient restrictions are listed under
smtpd_helo_restrictions, they have effect only with
"smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is
evaluated at the time of the RCPT TO command.

Examples:

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
9172
9174 The maximal number of lines in the Postfix SMTP server command history
9175 before it is flushed upon receipt of EHLO, RSET, or end of DATA.
9176
9178 The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
9179 SMTP client can send before the Postfix SMTP server starts to increment
9180 the error counter with each junk command. The junk command count is
9181 reset after mail is delivered. See also the smtpd_error_sleep_time and
9182 smtpd_soft_error_limit configuration parameters. Normally the default
9183 limit is 100, but it changes under overload to just 1. With Postfix 2.5
9184 and earlier, the SMTP server always allows up to 100 junk commands by
9185 default.
9186
9188 Enable logging of the named "permit" actions in SMTP server access
9189 lists (by default, the SMTP server logs "reject" actions but not "per‐
9190 mit" actions). This feature does not affect conditional actions such
9191 as "defer_if_permit".
9192
9193 Specify a list of "permit" action names, "/file/name" or "type:table"
9194 patterns, separated by commas and/or whitespace. The list is matched
9195 left to right, and the search stops on the first match. A "/file/name"
9196 pattern is replaced by its contents; a "type:table" lookup table is
9197 matched when a name matches a lookup key (the lookup result is
9198 ignored). Continue long lines by starting the next line with white‐
9199 space. Specify "!pattern" to exclude a name from the list.
9200
9201 Examples:
9202
9203 /etc/postfix/main.cf:
9204 # Log all "permit" actions.
9205 smtpd_log_access_permit_actions = static:all
9206
9207 /etc/postfix/main.cf:
9208 # Log "permit_dnswl_client" only.
9209 smtpd_log_access_permit_actions = permit_dnswl_client
9210
9211 This feature is available in Postfix 2.10 and later.
9212
9214 Lookup tables with Milter settings per remote SMTP client IP address.
9215 The lookup result overrides the smtpd_milters setting, and has the same
9216 syntax.
9217
9218 Note: lookup tables cannot return empty responses. Specify a lookup
9219 result of DISABLE (case does not matter) to indicate that Milter sup‐
9220 port should be disabled.
9221
9222 Example to disable Milters for local clients:
9223
9224 /etc/postfix/main.cf:
9225 smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
9226 smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
9227
9228 /etc/postfix/smtpd_milter_map:
9229 # Disable Milters for local clients.
9230 127.0.0.0/8 DISABLE
9231 192.168.0.0/16 DISABLE
9232 ::/64 DISABLE
9233 2001:db8::/32 DISABLE
9234
9235 This feature is available in Postfix 3.2 and later.
9236
9238 A list of Milter (mail filter) applications for new mail that arrives
9239 via the Postfix smtpd(8) server. Specify space or comma as separator.
9240 See the MILTER_README document for details.
9241
9242 This feature is available in Postfix 2.3 and later.
9243
9245 List of commands that the Postfix SMTP server replies to with "250 Ok",
9246 without doing any syntax checks and without changing state. This list
9247 overrides any commands built into the Postfix SMTP server.
9248
9250 The lookup key to be used in SMTP access(5) tables instead of the null
9251 sender address.
9252
9254 Attempt to look up the remote SMTP client hostname, and verify that the
9255 name matches the client IP address. A client name is set to "unknown"
9256 when it cannot be looked up or verified, or when name lookup is dis‐
9257 abled. Turning off name lookup reduces delays due to DNS lookup and
9258 increases the maximal inbound delivery rate.
9259
9260 This feature is available in Postfix 2.3 and later.
9261
9263 Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
9264 time limits, from a time limit per read or write system call, to a time
9265 limit to send or receive a complete record (an SMTP command line, SMTP
9266 response line, SMTP message content line, or TLS protocol message).
9267 This limits the impact from hostile peers that trickle data one byte at
9268 a time.
9269
9270 Note: when per-record deadlines are enabled, a short timeout may cause
9271 problems with TLS over very slow network connections. The reasons are
9272 that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
9273 and that an entire TLS protocol message must be sent or received within
9274 the per-record deadline.
9275
9276 This feature is available in Postfix 2.9 and later. With older Postfix
9277 releases, the behavior is as if this parameter is set to "no".
9278
9280 problem)
9281 The default action when an SMTPD policy service request fails. Specify
9282 "DUNNO" to behave as if the failed SMTPD policy service request was
9283 not sent, and to continue processing other access restrictions, if any.
9284
9285 Limitations:
9286
9287 · This parameter may specify any value that would be a valid SMTPD
9288 policy server response (or access(5) map lookup result). An
9289 access(5) map or policy server in this parameter value may need
9290 to be declared in advance with a restriction_class setting.
9291
9292 · If the specified action invokes another check_policy_service
9293 request, that request will have the built-in default action.
9294
9295 This feature is available in Postfix 3.0 and later.
9296
9298 The time after which an idle SMTPD policy service connection is closed.
9299
9300 This feature is available in Postfix 2.1 and later.
9301
9303 The time after which an active SMTPD policy service connection is
9304 closed.
9305
9306 This feature is available in Postfix 2.1 and later.
9307
9309 Optional information that the Postfix SMTP server specifies in the
9310 "policy_context" attribute of a policy service request (originally, to
9311 share the same service endpoint among multiple check_policy_service
9312 clients).
9313
9314 This feature is available in Postfix 3.1 and later.
9315
9317 The maximal number of requests per SMTPD policy service connection, or
9318 zero (no limit). Once a connection reaches this limit, the connection
9319 is closed and the next request will be sent over a new connection. This
9320 is a workaround to avoid error-recovery delays with policy servers that
9321 cannot maintain a persistent connection.
9322
9323 This feature is available in Postfix 3.0 and later.
9324
9326 The delay between attempts to resend a failed SMTPD policy service
9327 request. Specify a value greater than zero.
9328
9329 This feature is available in Postfix 3.0 and later.
9330
9332 The time limit for connecting to, writing to, or receiving from a dele‐
9333 gated SMTPD policy server.
9334
9335 This feature is available in Postfix 2.1 and later.
9336
9338 The maximal number of attempts to send an SMTPD policy service request
9339 before giving up. Specify a value greater than zero.
9340
9341 This feature is available in Postfix 3.0 and later.
9342
9344 How the Postfix SMTP server announces itself to the proxy filter. By
9345 default, the Postfix hostname is used.
9346
9347 This feature is available in Postfix 2.1 and later.
9348
9350 The hostname and TCP port of the mail filtering proxy server. The
9351 proxy receives all mail from the Postfix SMTP server, and is supposed
9352 to give the result to another Postfix SMTP server process.
9353
9354 Specify "host:port" or "inet:host:port" for a TCP endpoint, or
9355 "unix:pathname" for a UNIX-domain endpoint. The host can be specified
9356 as an IP address or as a symbolic name; no MX lookups are done. When
9357 no "host" or "host:" is specified, the local machine is assumed.
9358 Pathname interpretation is relative to the Postfix queue directory.
9359
9360 This feature is available in Postfix 2.1 and later.
9361
9362 The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
9363 later.
9364
9366 List of options that control how the Postfix SMTP server communicates
9367 with a before-queue content filter. Specify zero or more of the follow‐
9368 ing, separated by comma or whitespace.
9369
9370 speed_adjust
9371 Do not connect to a before-queue content filter until an entire
9372 message has been received. This reduces the number of simultane‐
9373 ous before-queue content filter processes.
9374
9375 NOTE 1: A filter must not selectively reject recipients of a
9376 multi-recipient message. Rejecting all recipients is OK, as is accept‐
9377 ing all recipients.
9378
9379 NOTE 2: This feature increases the minimum amount of free queue space
9380 by $message_size_limit. The extra space is needed to save the message
9381 to a temporary file.
9382
9383 This feature is available in Postfix 2.7 and later.
9384
9386 The time limit for connecting to a proxy filter and for sending or
9387 receiving information. When a connection fails the client gets a
9388 generic error message while more detailed information is logged to the
9389 maillog file.
9390
9391 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
9392 The default time unit is s (seconds).
9393
9394 This feature is available in Postfix 2.1 and later.
9395
9397 The maximal number of recipients that the Postfix SMTP server accepts
9398 per message delivery request.
9399
9401 The number of recipients that a remote SMTP client can send in excess
9402 of the limit specified with $smtpd_recipient_limit, before the Postfix
9403 SMTP server increments the per-session error count for each excess
9404 recipient.
9405
9407 Optional restrictions that the Postfix SMTP server applies in the con‐
9408 text of a client RCPT TO command, after smtpd_relay_restrictions. See
9409 SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
9410 restriction lists" for a discussion of evaluation context and time.
9411
9412 With Postfix versions before 2.10, the rules for relay permission and
9413 spam blocking were combined under smtpd_recipient_restrictions, result‐
9414 ing in error-prone configuration. As of Postfix 2.10, relay permission
9415 rules are preferably implemented with smtpd_relay_restrictions, so that
9416 a permissive spam blocking policy under smtpd_recipient_restrictions
9417 will no longer result in a permissive mail relay policy.
9418
9419 For backwards compatibility, sites that migrate from Postfix versions
9420 before 2.10 can set smtpd_relay_restrictions to the empty value, and
9421 use smtpd_recipient_restrictions exactly as before.
9422
9423 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
9424 ent_restrictions parameter must specify at least one of the following
9425 restrictions. Otherwise Postfix will refuse to receive mail:
9426
9427 reject, reject_unauth_destination
9428
9429 defer, defer_if_permit, defer_unauth_destination
9430
9431 Specify a list of restrictions, separated by commas and/or whitespace.
9432 Continue long lines by starting the next line with whitespace.
9433 Restrictions are applied in the order as specified; the first restric‐
9434 tion that matches wins.
9435
9436 The following restrictions are specific to the recipient address that
9437 is received with the RCPT TO command.
9438
9439 check_recipient_access type:table
9440 Search the specified access(5) database for the resolved RCPT TO
9441 address, domain, parent domains, or localpart@, and execute the
9442 corresponding action.
9443
9444 check_recipient_a_access type:table
9445 Search the specified access(5) database for the IP addresses for
9446 the RCPT TO domain, and execute the corresponding action. Note:
9447 a result of "OK" is not allowed for safety reasons. Instead, use
9448 DUNNO in order to exclude specific hosts from blacklists. This
9449 feature is available in Postfix 3.0 and later.
9450
9451 check_recipient_mx_access type:table
9452 Search the specified access(5) database for the MX hosts for the
9453 RCPT TO domain, and execute the corresponding action. Note: a
9454 result of "OK" is not allowed for safety reasons. Instead, use
9455 DUNNO in order to exclude specific hosts from blacklists. This
9456 feature is available in Postfix 2.1 and later.
9457
9458 check_recipient_ns_access type:table
9459 Search the specified access(5) database for the DNS servers for
9460 the RCPT TO domain, and execute the corresponding action. Note:
9461 a result of "OK" is not allowed for safety reasons. Instead, use
9462 DUNNO in order to exclude specific hosts from blacklists. This
9463 feature is available in Postfix 2.1 and later.
9464
9465 permit_auth_destination
9466 Permit the request when one of the following is true:
9467
9468 · Postfix is a mail forwarder: the resolved RCPT TO domain matches
9469 $relay_domains or a subdomain thereof, and the address contains
9470 no sender-specified routing (user@elsewhere@domain),
9471
9472 · Postfix is the final destination: the resolved RCPT TO domain
9473 matches $mydestination, $inet_interfaces, $proxy_interfaces,
9474 $virtual_alias_domains, or $virtual_mailbox_domains, and the
9475 address contains no sender-specified routing (user@else‐
9476 where@domain).
9477
9478 permit_mx_backup
9479 Permit the request when the local mail system is backup MX for
9480 the RCPT TO domain, or when the domain is an authorized destina‐
9481 tion (see permit_auth_destination for definition).
9482
9483 · Safety: permit_mx_backup does not accept addresses that have
9484 sender-specified routing information (example: user@else‐
9485 where@domain).
9486
9487 · Safety: permit_mx_backup can be vulnerable to mis-use when
9488 access is not restricted with permit_mx_backup_networks.
9489
9490 · Safety: as of Postfix version 2.3, permit_mx_backup no longer
9491 accepts the address when the local mail system is primary MX for
9492 the recipient domain. Exception: permit_mx_backup accepts the
9493 address when it specifies an authorized destination (see per‐
9494 mit_auth_destination for definition).
9495
9496 · Limitation: mail may be rejected in case of a temporary DNS
9497 lookup problem with Postfix prior to version 2.0.
9498
9499 reject_non_fqdn_recipient
9500 Reject the request when the RCPT TO address specifies a domain
9501 that is not in fully-qualified domain form, as required by the
9502 RFC.
9503 The non_fqdn_reject_code parameter specifies the response code
9504 for rejected requests (default: 504).
9505
9506 reject_rhsbl_recipient rbl_domain=d.d.d.d
9507 Reject the request when the RCPT TO domain is listed with the A
9508 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
9509 only). Each "d" is a number, or a pattern inside "[]" that con‐
9510 tains one or more ";"-separated numbers or number..number ranges
9511 (Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
9512 reject the request when the RCPT TO domain is listed with any A
9513 record under rbl_domain.
9514 The maps_rbl_reject_code parameter specifies the response code
9515 for rejected requests (default: 554); the default_rbl_reply
9516 parameter specifies the default server reply; and the
9517 rbl_reply_maps parameter specifies tables with server replies
9518 indexed by rbl_domain. This feature is available in Postfix
9519 version 2.0 and later.
9520
9521 reject_unauth_destination
9522 Reject the request unless one of the following is true:
9523
9524 · Postfix is a mail forwarder: the resolved RCPT TO domain matches
9525 $relay_domains or a subdomain thereof, and contains no
9526 sender-specified routing (user@elsewhere@domain),
9527
9528 · Postfix is the final destination: the resolved RCPT TO domain
9529 matches $mydestination, $inet_interfaces, $proxy_interfaces,
9530 $virtual_alias_domains, or $virtual_mailbox_domains, and con‐
9531 tains no sender-specified routing (user@elsewhere@domain).
9532 The relay_domains_reject_code parameter specifies the response
9533 code for rejected requests (default: 554).
9534
9535 defer_unauth_destination
9536 Reject the same requests as reject_unauth_destination, with a
9537 non-permanent error code. This feature is available in Postfix
9538 2.10 and later.
9539
9540 reject_unknown_recipient_domain
9541 Reject the request when Postfix is not the final destination for the
9542 recipient domain, and the RCPT TO domain has 1) no DNS MX and no
9543 DNS A record or 2) a malformed MX record such as a record with a
9544 zero-length MX hostname (Postfix version 2.3 and later).
9545 The reply is specified with the unknown_address_reject_code
9546 parameter (default: 450), unknown_address_tempfail_action
9547 (default: defer_if_permit), or 556 (nullmx, Postfix 3.0 and
9548 later). See the respective parameter descriptions for details.
9549
9550 reject_unlisted_recipient (with Postfix version 2.0: check_recipi‐
9551 ent_maps)
9552 Reject the request when the RCPT TO address is not listed in the
9553 list of valid recipients for its domain class. See the
9554 smtpd_reject_unlisted_recipient parameter description for
9555 details. This feature is available in Postfix 2.1 and later.
9556
9557 reject_unverified_recipient
9558 Reject the request when mail to the RCPT TO address is known to
9559 bounce, or when the recipient address destination is not reach‐
9560 able. Address verification information is managed by the ver‐
9561 ify(8) server; see the ADDRESS_VERIFICATION_README file for
9562 details.
9563 The unverified_recipient_reject_code parameter specifies the
9564 numerical response code when an address is known to bounce
9565 (default: 450, change into 550 when you are confident that it is
9566 safe to do so).
9567 The unverified_recipient_defer_code parameter specifies the
9568 numerical response code when an address probe failed due to a
9569 temporary problem (default: 450).
9570 The unverified_recipient_tempfail_action parameter specifies the
9571 action after address probe failure due to a temporary problem
9572 (default: defer_if_permit).
9573 This feature breaks for aliased addresses with "enable_origi‐
9574 nal_recipient = no" (Postfix <= 3.2).
9575 This feature is available in Postfix 2.1 and later.
9576
9577 Other restrictions that are valid in this context:
9578
9579 · Generic restrictions that can be used in any SMTP command con‐
9580 text, described under smtpd_client_restrictions.
9581
9582 · SMTP command specific restrictions described under
9583 smtpd_client_restrictions, smtpd_helo_restrictions and
9584 smtpd_sender_restrictions.
9585
9586 Example:
9587
9588 # The Postfix before 2.10 default mail relay policy. Later Postfix
9589 # versions implement this preferably with smtpd_relay_restrictions.
9590 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
9591
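The permit_auth_destination and reject_unauth_destination decisions above can be followed in code. The following Python model is an added example, not Postfix's own code; it takes the domain class lists as sets of lower-case names, assumes the caller has already resolved the RCPT TO address, and treats an address without a domain part as not authorized (an assumption).

```python
"""Model of permit_auth_destination / reject_unauth_destination (added example)."""

# Default relay_domains_reject_code, as documented for reject_unauth_destination.
RELAY_DOMAINS_REJECT_CODE = 554


def has_sender_specified_routing(address):
    """True for addresses of the form user@elsewhere@domain (more than one '@')."""
    return address.count("@") > 1


def domain_in_or_under(domain, domains):
    """Exact match, or subdomain match, against a set of domain names."""
    return any(domain == d or domain.endswith("." + d) for d in domains)


def is_authorized_destination(rcpt, cfg):
    """Return True when the resolved RCPT TO address is an authorized destination.

    cfg maps the keys relay_domains, mydestination, inet_interfaces,
    proxy_interfaces, virtual_alias_domains and virtual_mailbox_domains to
    sets of lower-case domain names (missing keys count as empty).
    """
    addr = rcpt.lower()
    # Neither case accepts sender-specified routing.
    if has_sender_specified_routing(addr):
        return False
    domain = addr.rpartition("@")[2]
    if not domain:
        return False  # assumption: an address without a domain is not authorized
    # Postfix is a mail forwarder: relay_domains or a subdomain thereof.
    if domain_in_or_under(domain, cfg.get("relay_domains", ())):
        return True
    # Postfix is the final destination: the domain matches one of these lists.
    final_destination = set()
    for key in ("mydestination", "inet_interfaces", "proxy_interfaces",
                "virtual_alias_domains", "virtual_mailbox_domains"):
        final_destination |= set(cfg.get(key, ()))
    return domain in final_destination


def reject_unauth_destination(rcpt, cfg):
    """Outcome of reject_unauth_destination: ('REJECT', 554) or ('DUNNO', None)."""
    if is_authorized_destination(rcpt, cfg):
        return ("DUNNO", None)
    return ("REJECT", RELAY_DOMAINS_REJECT_CODE)


def permit_auth_destination(rcpt, cfg):
    """Outcome of permit_auth_destination: 'OK' when authorized, else 'DUNNO'."""
    return "OK" if is_authorized_destination(rcpt, cfg) else "DUNNO"


if __name__ == "__main__":
    # Constructed configuration for demonstration.
    cfg = {"mydestination": {"example.com"}, "relay_domains": {"relay.example"}}
    for rcpt in ("alice@example.com", "bob@sub.relay.example",
                 "bob@sub.example.com", "user@elsewhere.example@example.com"):
        print(rcpt, reject_unauth_destination(rcpt, cfg))
```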
9593 Optional information that is appended after each Postfix SMTP server
9594 4XX or 5XX response.
9595
9596 The following example uses "\c" at the start of the template (supported
9597 in Postfix 2.10 and later) to suppress the line break between the reply
9598 text and the footer text. With earlier Postfix versions, the footer
9599 text always begins on a new line, and the "\c" is output literally.
9600
9601 /etc/postfix/main.cf:
9602 smtpd_reject_footer = \c. For assistance, call 800-555-0101.
9603 Please provide the following information in your problem report:
9604 time ($localtime), client ($client_address) and server
9605 ($server_name).
9606
9607 Server response:
9608
9609 550-5.5.1 <user@example> Recipient address rejected: User
9610 unknown. For assistance, call 800-555-0101. Please provide the
9611 following information in your problem report: time (Jan 4 15:42:00),
9612 client (192.168.1.248) and server (mail1.example.com).
9613
9614 Note: the above text is meant to make it easier to find the Postfix
9615 logfile records for a failed SMTP session. The text itself is not
9616 logged to the Postfix SMTP server's maillog file.
9617
9618 Be sure to keep the text as short as possible. Long text may be trun‐
9619 cated before it is logged to the remote SMTP client's maillog file, or
9620 before it is returned to the sender in a delivery status notification.
9621
9622 This feature supports a limited number of $name attributes in the
9623 footer text. These are replaced by their current value for the SMTP
9624 session:
9625
9626 client_address
9627 The Client IP address that is logged in the maillog file.
9628
9629 client_port
9630 The client TCP port that is logged in the maillog file.
9631
9632 localtime
9633 The server local time (Mmm dd hh:mm:ss) that is logged in the
9634 maillog file.
9635
9636 server_name
9637 The server's myhostname value. This attribute is made available
9638 for sites with multiple MTAs (perhaps behind a load-balancer),
9639 where the server name can help the server support team to
9640 quickly find the right log files.
9641
9642 Notes:
9643
9644 · NOT SUPPORTED are other attributes such as sender, recipient, or
9645 main.cf parameters.
9646
9647 · For safety reasons, text that does not match $smtpd_expan‐
9648 sion_filter is censored.
9649
9650 This feature supports the two-character sequence \n as a request for a
9651 line break in the footer text. Postfix automatically inserts after each
9652 line break the three-digit SMTP reply code (and optional enhanced sta‐
9653 tus code) from the original Postfix reject message.
9654
9655 To work around mail software that mis-handles multi-line replies, spec‐
9656 ify the two-character sequence \c at the start of the template. This
9657 suppresses the line break between the reply text and the footer text
9658 (Postfix 2.10 and later).
9659
9660 This feature is available in Postfix 2.8 and later.
9661
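The footer rendering rules above ($name attributes, censoring, "\n" line breaks with the reply code re-inserted, and the "\c" join) are modelled in the following Python code. This is an added example, not Postfix's own implementation; it assumes that unsupported $name attributes expand to the empty string, that censored characters are replaced by "_", and it uses a constructed allowed-character set in place of the real smtpd_expansion_filter value.

```python
"""Model of smtpd_reject_footer rendering (added example, not Postfix code)."""
import re

# The only $name attributes the footer supports, per the parameter text.
SUPPORTED_ATTRS = ("client_address", "client_port", "localtime", "server_name")

# Constructed stand-in for smtpd_expansion_filter: printable ASCII incl. space.
ALLOWED_CHARS = frozenset(chr(c) for c in range(0x20, 0x7F))

_NAME_RE = re.compile(r"\$\{([A-Za-z0-9_]+)\}|\$([A-Za-z0-9_]+)")


def expand_footer(template, attrs, allowed=ALLOWED_CHARS):
    """Replace $name / ${name} with censored session attribute values.

    Unsupported names (sender, recipient, main.cf parameters, ...) expand
    to the empty string; that is an assumption of this model. Characters
    of an attribute value outside 'allowed' are replaced by "_".
    """
    def repl(match):
        name = match.group(1) or match.group(2)
        if name not in SUPPORTED_ATTRS:
            return ""
        value = str(attrs.get(name, ""))
        return "".join(ch if ch in allowed else "_" for ch in value)
    return _NAME_RE.sub(repl, template)


def render_reply(code, enhanced, reply_text, footer_template, attrs):
    """Return the SMTP reply as a list of lines, footer appended.

    The footer normally starts on a new line; a leading "\\c" in the
    template suppresses that line break. "\\n" in the template requests a
    line break. Every line is prefixed with the reply code and optional
    enhanced status code, joined with "-" on all but the last line.
    """
    template = footer_template
    join_first = template.startswith("\\c")
    if join_first:
        template = template[2:]
    # Split on the \n escape *before* expanding attributes, so that an
    # attribute value can never introduce extra reply lines.
    segments = [expand_footer(seg, attrs) for seg in template.split("\\n")]
    if join_first:
        lines = [reply_text + segments[0]] + segments[1:]
    else:
        lines = [reply_text] + segments
    status = (enhanced + " ") if enhanced else ""
    out = []
    for i, line in enumerate(lines):
        joiner = " " if i == len(lines) - 1 else "-"
        out.append(f"{code}{joiner}{status}{line}")
    return out


if __name__ == "__main__":
    # Constructed session attributes mirroring the example in the text.
    attrs = {"localtime": "Jan 4 15:42:00", "client_address": "192.168.1.248",
             "client_port": 54321, "server_name": "mail1.example.com"}
    template = ("\\c. For assistance, call 800-555-0101. Please provide the "
                "following information in your problem report: time "
                "($localtime), client ($client_address) and server ($server_name).")
    for line in render_reply("550", "5.5.1",
                             "<user@example> Recipient address rejected: User unknown",
                             template, attrs):
        print(line)
```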
9663 Request that the Postfix SMTP server rejects mail for unknown recipient
9664 addresses, even when no explicit reject_unlisted_recipient access
9665 restriction is specified. This prevents the Postfix queue from filling
9666 up with undeliverable MAILER-DAEMON messages.
9667
9668 An address is always considered "known" when it matches a virtual(5)
9669 alias or a canonical(5) mapping. It is considered "unknown" when:
9670
9671 · The recipient domain matches $mydestination, $inet_interfaces or
9672 $proxy_interfaces, but the recipient is not listed in
9673 $local_recipient_maps, and $local_recipient_maps is not null.
9674
9675 · The recipient domain matches $virtual_alias_domains but the
9676 recipient is not listed in $virtual_alias_maps.
9677
9678 · The recipient domain matches $virtual_mailbox_domains but the
9679 recipient is not listed in $virtual_mailbox_maps, and $vir‐
9680 tual_mailbox_maps is not null.
9681
9682 · The recipient domain matches $relay_domains but the recipient is
9683 not listed in $relay_recipient_maps, and $relay_recipient_maps
9684 is not null.
9685
9686 This feature is available in Postfix 2.1 and later.
9687
9689 Request that the Postfix SMTP server rejects mail from unknown sender
9690 addresses, even when no explicit reject_unlisted_sender access restric‐
9691 tion is specified. This can slow down an explosion of forged mail from
9692 worms or viruses.
9693
9694 An address is always considered "known" when it matches a virtual(5)
9695 alias or a canonical(5) mapping. It is considered "unknown" when:
9696
9697 · The sender domain matches $mydestination, $inet_interfaces or
9698 $proxy_interfaces, but the sender is not listed in $local_recip‐
9699 ient_maps, and $local_recipient_maps is not null.
9700
9701 · The sender domain matches $virtual_alias_domains but the sender
9702 is not listed in $virtual_alias_maps.
9703
9704 · The sender domain matches $virtual_mailbox_domains but the
9705 sender is not listed in $virtual_mailbox_maps, and $vir‐
9706 tual_mailbox_maps is not null.
9707
9708 · The sender domain matches $relay_domains but the sender is not
9709 listed in $relay_recipient_maps, and $relay_recipient_maps is
9710 not null.
9711
9712 This feature is available in Postfix 2.1 and later.
9713
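The "unknown address" rules listed under smtpd_reject_unlisted_recipient and smtpd_reject_unlisted_sender are the same four domain-class cases, so one decision function covers both. The following Python model is an added example, not Postfix's own code; it assumes exact domain matching, that address maps are keyed by the full lower-cased address, and that a map value of None stands for a "null" (unset) map.

```python
"""Model of the smtpd_reject_unlisted_{recipient,sender} decision (added example)."""


def is_unlisted(address, cfg):
    """Return True when Postfix would treat 'address' as unknown (unlisted).

    cfg keys:
      mydestination, inet_interfaces, proxy_interfaces, virtual_alias_domains,
      virtual_mailbox_domains, relay_domains   -> sets of lower-case domains
      local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps,
      relay_recipient_maps, canonical_maps     -> sets of addresses, or None
                                                  for a null (unset) map
    The same decision applies to the RCPT TO address under
    smtpd_reject_unlisted_recipient and to the MAIL FROM address under
    smtpd_reject_unlisted_sender.
    """
    addr = address.lower()
    domain = addr.rpartition("@")[2]
    if not domain:
        return False  # e.g. the null sender "<>": nothing to classify

    def listed(map_name):
        table = cfg.get(map_name)
        return table is not None and addr in table

    def in_class(*list_names):
        return any(domain in cfg.get(name, ()) for name in list_names)

    # Always known: matches a virtual(5) alias or a canonical(5) mapping.
    if listed("virtual_alias_maps") or listed("canonical_maps"):
        return False

    # Local domain class: unknown only when local_recipient_maps is not null.
    if in_class("mydestination", "inet_interfaces", "proxy_interfaces"):
        table = cfg.get("local_recipient_maps")
        return table is not None and addr not in table

    # Virtual alias class: no null-map exception is documented.
    if in_class("virtual_alias_domains"):
        return True  # not listed in virtual_alias_maps (checked above)

    # Virtual mailbox class: unknown only when virtual_mailbox_maps is not null.
    if in_class("virtual_mailbox_domains"):
        table = cfg.get("virtual_mailbox_maps")
        return table is not None and addr not in table

    # Relay class: unknown only when relay_recipient_maps is not null.
    if in_class("relay_domains"):
        table = cfg.get("relay_recipient_maps")
        return table is not None and addr not in table

    # Not one of our domain classes: the unlisted check does not apply.
    return False


if __name__ == "__main__":
    # Constructed configuration for demonstration.
    cfg = {
        "mydestination": {"example.com"},
        "local_recipient_maps": {"alice@example.com"},
        "virtual_mailbox_domains": {"vm.example"},
        "virtual_mailbox_maps": None,  # null map: every vm.example address is known
    }
    for a in ("alice@example.com", "mallory@example.com", "anyone@vm.example"):
        print(a, "unknown" if is_unlisted(a, cfg) else "known")
```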
9715 cated, defer_unauth_destination)
9716 Access restrictions for mail relay control that the Postfix SMTP server
9717 applies in the context of the RCPT TO command, before smtpd_recipi‐
9718 ent_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation
9719 of SMTP access restriction lists" for a discussion of evaluation con‐
9720 text and time.
9721
9722 With Postfix versions before 2.10, the rules for relay permission and
9723 spam blocking were combined under smtpd_recipient_restrictions, result‐
9724 ing in error-prone configuration. As of Postfix 2.10, relay permission
9725 rules are preferably implemented with smtpd_relay_restrictions, so that
9726 a permissive spam blocking policy under smtpd_recipient_restrictions
9727 will no longer result in a permissive mail relay policy.
9728
9729 For backwards compatibility, sites that migrate from Postfix versions
9730 before 2.10 can set smtpd_relay_restrictions to the empty value, and
9731 use smtpd_recipient_restrictions exactly as before.
9732
9733 By default, the Postfix SMTP server accepts:
9734
9735 · Mail from clients whose IP address matches $mynetworks, or:
9736
9737 · Mail to remote destinations that match $relay_domains, except
9738 for addresses that contain sender-specified routing (user@else‐
9739 where@domain), or:
9740
9741 · Mail to local destinations that match $inet_interfaces or
9742 $proxy_interfaces, $mydestination, $virtual_alias_domains, or
9743 $virtual_mailbox_domains.
9744
9745 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
9746 ent_restrictions parameter must specify at least one of the following
9747 restrictions. Otherwise Postfix will refuse to receive mail:
9748
9749 reject, reject_unauth_destination
9750
9751 defer, defer_if_permit, defer_unauth_destination
9752
9753 Specify a list of restrictions, separated by commas and/or whitespace.
9754 Continue long lines by starting the next line with whitespace. The
9755 same restrictions are available as documented under smtpd_recipi‐
9756 ent_restrictions.
9757
9758 This feature is available in Postfix 2.10 and later.
9759
9761 User-defined aliases for groups of access restrictions. The aliases can
9762 be specified in smtpd_recipient_restrictions etc., and on the
9763 right-hand side of a Postfix access(5) table.
9764
9765 One major application is for implementing per-recipient UCE control.
9766 See the RESTRICTION_CLASS_README document for other examples.
9767
9769 The application name that the Postfix SMTP server uses for SASL server
9770 initialization. This controls the name of the SASL configuration file.
9771 The default value is smtpd, corresponding to a SASL configuration file
9772 named smtpd.conf.
9773
9774 This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
9775 was renamed to smtpd_sasl_path.
9776
9778 Enable SASL authentication in the Postfix SMTP server. By default, the
9779 Postfix SMTP server does not use authentication.
9780
9781 If a remote SMTP client is authenticated, the permit_sasl_authenticated
9782 access restriction can be used to permit relay access, like this:
9783
9784 # With Postfix 2.10 and later, the mail relay policy is
9785 # preferably specified under smtpd_relay_restrictions.
9786 smtpd_relay_restrictions =
9787 permit_mynetworks, permit_sasl_authenticated, ...
9788
9789 # With Postfix before 2.10, the relay policy can be
9790 # specified only under smtpd_recipient_restrictions.
9791 smtpd_recipient_restrictions =
9792 permit_mynetworks, permit_sasl_authenticated, ...
9793
9794 To reject all SMTP connections from unauthenticated clients, specify
9795 "smtpd_delay_reject = yes" (which is the default) and use:
9796
9797 smtpd_client_restrictions = permit_sasl_authenticated, reject
9798
9799 See the SASL_README file for SASL configuration and operation details.
9800
9802 Report the SASL authenticated user name in the smtpd(8) Received mes‐
9803 sage header.
9804
9805 This feature is available in Postfix 2.3 and later.
9806
9808 What remote SMTP clients the Postfix SMTP server will not offer AUTH
9809 support to.
9810
9811 Some clients (Netscape 4 at least) have a bug that causes them to
9812 require a login and password whenever AUTH is offered, whether it's
9813 necessary or not. To work around this, specify, for example, $mynet‐
9814 works to prevent Postfix from offering AUTH to local clients.
9815
9816 Specify a list of network/netmask patterns, separated by commas and/or
9817 whitespace. The mask specifies the number of bits in the network part
9818 of a host address. You can also specify "/file/name" or "type:table" patterns.
9819 A "/file/name" pattern is replaced by its contents; a "type:table"
9820 lookup table is matched when a table entry matches a lookup string (the
9821 lookup result is ignored). Continue long lines by starting the next
9822 line with whitespace. Specify "!pattern" to exclude an address or net‐
9823 work block from the list. The form "!/file/name" is supported only in
9824 Postfix version 2.4 and later.
9825
9826 Note: IP version 6 address information must be specified inside [] in
9827 the smtpd_sasl_exceptions_networks value, and in files specified with
9828 "/file/name". IP version 6 addresses contain the ":" character, and
9829 would otherwise be confused with a "type:table" pattern.
9830
9831 Example:
9832
9833 smtpd_sasl_exceptions_networks = $mynetworks
9834
9835 This feature is available in Postfix 2.1 and later.
9836
9838 The name of the Postfix SMTP server's local SASL authentication realm.
9839
9840 By default, the local authentication realm name is the null string.
9841
9842 Examples:
9843
9844 smtpd_sasl_local_domain = $mydomain
9845 smtpd_sasl_local_domain = $myhostname
9846
9848 Implementation-specific information that the Postfix SMTP server passes
9849 through to the SASL plug-in implementation that is selected with
9850 smtpd_sasl_type. Typically this specifies the name of a configuration
9851 file or rendezvous point.
9852
9853 This feature is available in Postfix 2.3 and later. In earlier releases
9854 it was called smtpd_sasl_application_name.
9855
9857 Postfix SMTP server SASL security options; as of Postfix 2.3 the list
9858 of available features depends on the SASL server implementation that is
9859 selected with smtpd_sasl_type.
9860
9861 The following security features are defined for the cyrus server SASL
9862 implementation:
9863
9864 Restrict what authentication mechanisms the Postfix SMTP server will
9865 offer to the client. The list of available authentication mechanisms
9866 is system dependent.
9867
9868 Specify zero or more of the following:
9869
9870 noplaintext
9871 Disallow methods that use plaintext passwords.
9872
9873 noactive
9874 Disallow methods subject to active (non-dictionary) attack.
9875
9876 nodictionary
9877 Disallow methods subject to passive (dictionary) attack.
9878
9879 noanonymous
9880 Disallow methods that allow anonymous authentication.
9881
9882 forward_secrecy
9883 Only allow methods that support forward secrecy (Dovecot only).
9884
9885 mutual_auth
9886 Only allow methods that provide mutual authentication (not
9887 available with Cyrus SASL version 1).
9888
9889 By default, the Postfix SMTP server accepts plaintext passwords but not
9890 anonymous logins.
9891
9892 Warning: it appears that clients try authentication methods in the
9893 order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
9894 which means that if you disable plaintext passwords, clients will log
9895 in anonymously, even when they should be able to use CRAM-MD5. So, if
9896 you disable plaintext logins, disable anonymous logins too. Postfix
9897 treats anonymous login as no authentication.
9898
9899 Example:
9900
9901 smtpd_sasl_security_options = noanonymous, noplaintext
9902
9904 The service name that is passed to the SASL plug-in that is selected
9905 with smtpd_sasl_type and smtpd_sasl_path.
9906
9907 This feature is available in Postfix 2.11 and later. Prior versions
9908 behave as if "smtp" is specified.
9909
9911 The SASL authentication security options that the Postfix SMTP server
9912 uses for TLS encrypted SMTP sessions.
9913
9914 This feature is available in Postfix 2.2 and later.
9915
9917 The SASL plug-in type that the Postfix SMTP server should use for
9918 authentication. The available types are listed with the "postconf -a"
9919 command.
9920
9921 This feature is available in Postfix 2.3 and later.
9922
9924 Optional lookup table with the SASL login names that own the sender
9925 (MAIL FROM) addresses.
9926
9927 Specify zero or more "type:name" lookup tables, separated by whitespace
9928 or comma. Tables will be searched in the specified order until a match
9929 is found. With lookups from indexed files such as DB or DBM, or from
9930 networked tables such as NIS, LDAP or SQL, the following search opera‐
9931 tions are done with a sender address of user@domain:
9932
9933 1) user@domain
9934 This table lookup is always done and has the highest precedence.
9935
9936 2) user
9937 This table lookup is done only when the domain part of the
9938 sender address matches $myorigin, $mydestination, $inet_inter‐
9939 faces or $proxy_interfaces.
9940
9941 3) @domain
9942 This table lookup is done last and has the lowest precedence.
9943
9944 In all cases the result of table lookup must be either "not found" or a
9945 list of SASL login names separated by comma and/or whitespace.
9946
9948 Optional restrictions that the Postfix SMTP server applies in the con‐
9949 text of a client MAIL FROM command. See SMTPD_ACCESS_README, section
9950 "Delayed evaluation of SMTP access restriction lists" for a discussion
9951 of evaluation context and time.
9952
9953 The default is to permit everything.
9954
9955 Specify a list of restrictions, separated by commas and/or whitespace.
9956 Continue long lines by starting the next line with whitespace.
9957 Restrictions are applied in the order as specified; the first restric‐
9958 tion that matches wins.
9959
9960 The following restrictions are specific to the sender address received
9961 with the MAIL FROM command.
9962
9963 check_sender_access type:table
9964 Search the specified access(5) database for the MAIL FROM
9965 address, domain, parent domains, or localpart@, and execute the
9966 corresponding action.
9967
9968 check_sender_a_access type:table
9969 Search the specified access(5) database for the IP addresses for
9970 the MAIL FROM domain, and execute the corresponding action.
9971 Note: a result of "OK" is not allowed for safety reasons.
9972 Instead, use DUNNO in order to exclude specific hosts from
9973 blacklists. This feature is available in Postfix 3.0 and later.
9974
9975 check_sender_mx_access type:table
9976 Search the specified access(5) database for the MX hosts for the
9977 MAIL FROM domain, and execute the corresponding action. Note: a
9978 result of "OK" is not allowed for safety reasons. Instead, use
9979 DUNNO in order to exclude specific hosts from blacklists. This
9980 feature is available in Postfix 2.1 and later.
9981
9982 check_sender_ns_access type:table
9983 Search the specified access(5) database for the DNS servers for
9984 the MAIL FROM domain, and execute the corresponding action.
9985 Note: a result of "OK" is not allowed for safety reasons.
9986 Instead, use DUNNO in order to exclude specific hosts from
9987 blacklists. This feature is available in Postfix 2.1 and later.
9988
9989 reject_authenticated_sender_login_mismatch
9990 Enforces the reject_sender_login_mismatch restriction for
9991 authenticated clients only. This feature is available in Postfix
9992 version 2.1 and later.
9993
9994 reject_known_sender_login_mismatch
9995 Apply the reject_sender_login_mismatch restriction only to MAIL
9996 FROM addresses that are known in $smtpd_sender_login_maps. This
9997 feature is available in Postfix version 2.11 and later.
9998
9999 reject_non_fqdn_sender
10000 Reject the request when the MAIL FROM address specifies a domain
10001 that is not in fully-qualified domain form as required by the
10002 RFC.
10003 The non_fqdn_reject_code parameter specifies the response code
10004 for rejected requests (default: 504).
10005
10006 reject_rhsbl_sender rbl_domain=d.d.d.d
10007 Reject the request when the MAIL FROM domain is listed with the
10008 A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
10009 later only). Each "d" is a number, or a pattern inside "[]"
10010 that contains one or more ";"-separated numbers or number..num‐
10011 ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
10012 specified, reject the request when the MAIL FROM domain is
10013 listed with any A record under rbl_domain.
10014 The maps_rbl_reject_code parameter specifies the response code
10015 for rejected requests (default: 554); the default_rbl_reply
10016 parameter specifies the default server reply; and the
10017 rbl_reply_maps parameter specifies tables with server replies
10018 indexed by rbl_domain. This feature is available in Postfix 2.0
10019 and later.
10020
10021 reject_sender_login_mismatch
10022 Reject the request when $smtpd_sender_login_maps specifies an
10023 owner for the MAIL FROM address, but the client is not (SASL)
10024 logged in as that MAIL FROM address owner; or when the client is
10025 (SASL) logged in, but the client login name doesn't own the MAIL
10026 FROM address according to $smtpd_sender_login_maps.
10027
10028 reject_unauthenticated_sender_login_mismatch
10029 Enforces the reject_sender_login_mismatch restriction for unau‐
10030 thenticated clients only. This feature is available in Postfix
10031 version 2.1 and later.
10032
10033 reject_unknown_sender_domain
10034 Reject the request when Postfix is not the final destination for the
10035 sender address, and the MAIL FROM domain has 1) no DNS MX and no
10036 DNS A record, or 2) a malformed MX record such as a record with
10037 a zero-length MX hostname (Postfix version 2.3 and later).
10038 The reply is specified with the unknown_address_reject_code
10039 parameter (default: 450), unknown_address_tempfail_action
10040 (default: defer_if_permit), or 550 (nullmx, Postfix 3.0 and
10041 later). See the respective parameter descriptions for details.
10042
10043 reject_unlisted_sender
10044 Reject the request when the MAIL FROM address is not listed in
10045 the list of valid recipients for its domain class. See the
10046 smtpd_reject_unlisted_sender parameter description for details.
10047 This feature is available in Postfix 2.1 and later.
10048
10049 reject_unverified_sender
10050 Reject the request when mail to the MAIL FROM address is known
10051 to bounce, or when the sender address destination is not reach‐
10052 able. Address verification information is managed by the ver‐
10053 ify(8) server; see the ADDRESS_VERIFICATION_README file for
10054 details.
10055 The unverified_sender_reject_code parameter specifies the numer‐
10056 ical response code when an address is known to bounce (default:
10057 450, change into 550 when you are confident that it is safe to
10058 do so).
10059 The unverified_sender_defer_code specifies the numerical
10060 response code when an address probe failed due to a temporary
10061 problem (default: 450).
10062 The unverified_sender_tempfail_action parameter specifies the
10063 action after address probe failure due to a temporary problem
10064 (default: defer_if_permit).
10065 This feature breaks for aliased addresses with "enable_origi‐
10066 nal_recipient = no" (Postfix <= 3.2).
10067 This feature is available in Postfix 2.1 and later.
10068
10069 Other restrictions that are valid in this context:
10070
10071 · Generic restrictions that can be used in any SMTP command con‐
10072 text, described under smtpd_client_restrictions.
10073
10074 · SMTP command specific restrictions described under
10075 smtpd_client_restrictions and smtpd_helo_restrictions.
10076
10077 · SMTP command specific restrictions described under smtpd_recipi‐
10078 ent_restrictions. When recipient restrictions are listed under
10079 smtpd_sender_restrictions, they have effect only with
10080 "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions
10081 is evaluated at the time of the RCPT TO command.
10082
10083 Examples:
10084
10085 smtpd_sender_restrictions = reject_unknown_sender_domain
10086 smtpd_sender_restrictions = reject_unknown_sender_domain,
10087 check_sender_access hash:/etc/postfix/access
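As an added example (not Postfix code), the following Python model works through the smtpd_sender_login_maps lookup order described earlier (user@domain first, then user for local domains, then @domain) together with the four *_sender_login_mismatch restrictions above. The tables, the set of local domains standing in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces, and case-insensitive comparison of login names are assumptions of the model.

```python
"""Model of smtpd_sender_login_maps lookups and the
reject_*sender_login_mismatch restrictions (added example, not Postfix code)."""
import re


def sender_login_owners(sender, maps, local_domains):
    """Return the set of SASL login names that own `sender`, or None when
    every lookup returns "not found".

    maps: constructed "type:name" tables as dicts, searched in the given
    order for each key.  local_domains: constructed set standing in for
    $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces."""
    sender = sender.lower()
    user, at, domain = sender.rpartition("@")
    keys = [sender]                      # 1) user@domain: always, highest precedence
    if at and domain in local_domains:
        keys.append(user)                # 2) user: only for local domains
    keys.append(f"@{domain}")            # 3) @domain: last, lowest precedence
    for key in keys:
        for table in maps:
            if key in table:
                # Result: login names separated by comma and/or whitespace.
                return {name.lower() for name in re.split(r"[\s,]+", table[key]) if name}
    return None


def login_mismatch(restriction, sender, login, maps, local_domains):
    """True when `restriction` rejects this MAIL FROM.  `login` is the SASL
    login name, or None when the client did not authenticate."""
    owners = sender_login_owners(sender, maps, local_domains)
    known = owners is not None
    authenticated = login is not None
    if restriction == "reject_authenticated_sender_login_mismatch" and not authenticated:
        return False
    if restriction == "reject_unauthenticated_sender_login_mismatch" and authenticated:
        return False
    if restriction == "reject_known_sender_login_mismatch" and not known:
        return False
    # Core reject_sender_login_mismatch rule: an owned address requires its
    # owner to be logged in; a logged-in client may only use addresses it owns.
    if not authenticated:
        return known
    return not known or login.lower() not in owners


# Constructed sample tables and local domains.
MAPS = [{"alice@example.com": "alice",
         "bob": "bob",
         "@example.com": "postmaster, alice"}]
LOCAL = {"example.com"}


def decide(restriction, sender, login):
    return login_mismatch(restriction, sender, login, MAPS, LOCAL)


if __name__ == "__main__":
    for sender, login in (("alice@example.com", "alice"), ("alice@example.com", "bob"),
                          ("carol@example.com", None), ("bob@other.org", "bob")):
        print(sender, login, "reject" if decide("reject_sender_login_mismatch", sender, login) else "ok")
```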
10088
10090 The internal service that postscreen(8) hands off allowed connections
10091 to. In a future version there may be different classes of SMTP service.
10092
10093 This feature is available in Postfix 2.8.
10094
10096 The number of errors a remote SMTP client is allowed to make without
10097 delivering mail before the Postfix SMTP server slows down all its
10098 responses.
10099
10100 · With Postfix version 2.1 and later, the Postfix SMTP server
10101 delays all responses by $smtpd_error_sleep_time seconds.
10102
10103 · With Postfix versions 2.0 and earlier, the Postfix SMTP server
10104 delays all responses by (number of errors) seconds.
10105
10107 The time limit for Postfix SMTP server write and read operations during
10108 TLS startup and shutdown handshake procedures. The current default
10109 value is stress-dependent. Before Postfix version 2.8, it was fixed at
10110 300s.
10111
10112 This feature is available in Postfix 2.2 and later.
10113
10115 The time limit for sending a Postfix SMTP server response and for
10116 receiving a remote SMTP client request. Normally the default limit is
10117 300s, but it changes under overload to just 10s. With Postfix 2.5 and
10118 earlier, the SMTP server always uses a time limit of 300s by default.
10119
10120 Note: if you set SMTP time limits to very large values you may have to
10121 update the global ipc_timeout parameter.
10122
10123 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
10124 The default time unit is s (seconds).
10125
10127 A file containing (PEM format) CA certificates of root CAs trusted to
10128 sign either remote SMTP client certificates or intermediate CA certifi‐
10129 cates. These are loaded into memory before the smtpd(8) server enters
10130 the chroot jail. If the number of trusted roots is large, consider
10131 using smtpd_tls_CApath instead, but note that the latter directory must
10132 be present in the chroot jail if the smtpd(8) server is chrooted. This
10133 file may also be used to augment the server certificate trust chain,
10134 but it is best to include all the required certificates directly in the
10135 server certificate file.
10136
10137 Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY the
10138 system-supplied default Certification Authority certificates.
10139
10140 Specify "tls_append_default_CA = no" to prevent Postfix from appending
10141 the system-supplied default CAs and trusting third-party certificates.
10142
10143 By default (see smtpd_tls_ask_ccert), client certificates are not
10144 requested, and smtpd_tls_CAfile should remain empty. If you do make use
10145 of client certificates, the distinguished names (DNs) of the Certifica‐
10146 tion Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
10147 client in the client certificate request message. MUAs with multiple
10148 client certificates may use the list of preferred Certification Author‐
10149 ities to select the correct client certificate. You may want to put
10150 your "preferred" CA or CAs in this file, and install other trusted CAs
10151 in $smtpd_tls_CApath.
10152
10153 Example:
10154
10155 smtpd_tls_CAfile = /etc/postfix/CAcert.pem
10156
10157 This feature is available in Postfix 2.2 and later.
10158
10160 A directory containing (PEM format) CA certificates of root CAs trusted
10161 to sign either remote SMTP client certificates or intermediate CA cer‐
10162 tificates. Do not forget to create the necessary "hash" links with, for
10163 example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
10164 smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
10165 inside the chroot jail.
10166
10167 Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to use ONLY
10168 the system-supplied default Certification Authority certificates.
10169
10170 Specify "tls_append_default_CA = no" to prevent Postfix from appending
10171 the system-supplied default CAs and trusting third-party certificates.
10172
10173 By default (see smtpd_tls_ask_ccert), client certificates are not
10174 requested, and smtpd_tls_CApath should remain empty. In contrast to
10175 smtpd_tls_CAfile, DNs of Certification Authorities installed in
10176 $smtpd_tls_CApath are not included in the client certificate request
10177 message. MUAs with multiple client certificates may use the list of
10178 preferred Certification Authorities to select the correct client cer‐
10179 tificate. You may want to put your "preferred" CA or CAs in
10180 $smtpd_tls_CAfile, and install the remaining trusted CAs in
10181 $smtpd_tls_CApath.
10182
10183 Example:
10184
10185 smtpd_tls_CApath = /etc/postfix/certs
10186
10187 This feature is available in Postfix 2.2 and later.
10188
10190 Force the Postfix SMTP server to issue a TLS session id, even when TLS
10191 session caching is turned off (smtpd_tls_session_cache_database is
10192 empty). This behavior is compatible with Postfix < 2.3.
10193
10194 With Postfix 2.3 and later the Postfix SMTP server can disable session
10195 id generation when TLS session caching is turned off. This keeps remote
10196 SMTP clients from caching sessions that almost certainly cannot be
10197 re-used.
10198
10199 By default, the Postfix SMTP server always generates TLS session ids.
10200 This works around a known defect in mail client applications such as MS
10201 Outlook, and may also prevent interoperability issues with other MTAs.
10202
10203 Example:
10204
10205 smtpd_tls_always_issue_session_ids = no
10206
10207 This feature is available in Postfix 2.3 and later.
10208
10210 Ask a remote SMTP client for a client certificate. This information is
10211 needed for certificate based mail relaying with, for example, the per‐
10212 mit_tls_clientcerts feature.
10213
10214 Some clients such as Netscape will either complain if no certificate is
10215 available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
10216 tiple client certificates to choose from. This may be annoying, so this
10217 option is "off" by default.
10218
10219 This feature is available in Postfix 2.2 and later.
10220
10222 When TLS encryption is optional in the Postfix SMTP server, do not
10223 announce or accept SASL authentication over unencrypted connections.
10224
10225 This feature is available in Postfix 2.2 and later.
10226
10228 The verification depth for remote SMTP client certificates. A depth of
10229 1 is sufficient if the issuing CA is listed in a local CA file.
10230
10231 The default verification depth is 9 (the OpenSSL default) for compati‐
10232 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
10233 value was 5, but the limit was not actually enforced. If you have set
10234 this to a lower non-default value, certificates with longer trust
10235 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
10236 common, deeper chains are more rare and any number between 5 and 9
10237 should suffice in practice. You can choose a lower number if, for exam‐
10238 ple, you trust certificates directly signed by an issuing CA but not
10239 any CAs it delegates to.
10240
10241 This feature is available in Postfix 2.2 and later.
10242
10244 File with the Postfix SMTP server RSA certificate in PEM format. This
10245 file may also contain the Postfix SMTP server private RSA key.
10246
10247 Public Internet MX hosts without certificates signed by a "reputable"
10248 CA must generate, and be prepared to present to most clients, a
10249 self-signed or private-CA signed certificate. The client will not be
10250 able to authenticate the server, but unless it is running Postfix 2.3
10251 or similar software, it will still insist on a server certificate.
10252
10253 For servers that are not public Internet MX hosts, Postfix 2.3 supports
10254 configurations with no certificates. This entails the use of just the
10255 anonymous TLS ciphers, which are not supported by typical SMTP clients.
10256 Since such clients will not, as a rule, fall back to plain text after a
10257 TLS handshake failure, the server will be unable to receive email from
10258 TLS enabled clients. To avoid accidental configurations with no cer‐
10259 tificates, Postfix 2.3 enables certificate-less operation only when the
10260 administrator explicitly sets "smtpd_tls_cert_file = none". This
10261 ensures that new Postfix configurations will not accidentally run with
10262 no certificates.
10263
10264 Both RSA and DSA certificates are supported. When both types are
10265 present, the cipher used determines which certificate will be presented
10266 to the client. For Netscape and OpenSSL clients without special cipher
10267 choices the RSA certificate is preferred.
10268
10269 To enable a remote SMTP client to verify the Postfix SMTP server cer‐
10270 tificate, the issuing CA certificates must be made available to the
10271 client. You should include the required certificates in the server cer‐
10272 tificate file, the server certificate first, then the issuing CA(s)
10273 (bottom-up order).
10274
10275 Example: the certificate for "server.example.com" was issued by "inter‐
10276 mediate CA" which itself has a certificate of "root CA". Create the
10277 server.pem file with "cat server_cert.pem intermediate_CA.pem
10278 root_CA.pem > server.pem".
10279
10280 If you also want to verify client certificates issued by these CAs, you
10281 can add the CA certificates to the smtpd_tls_CAfile, in which case it
10282 is not necessary to have them in the smtpd_tls_cert_file or
10283 smtpd_tls_dcert_file.
10284
10285 A certificate supplied here must be usable as an SSL server certificate
10286 and hence pass the "openssl verify -purpose sslserver ..." test.
10287
10288 Example:
10289
10290 smtpd_tls_cert_file = /etc/postfix/server.pem
10291
10292 This feature is available in Postfix 2.2 and later.
10293
10295 Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
10296 list. It is easy to create interoperability problems by choosing a
10297 non-default cipher list. Do not use a non-default TLS cipherlist for MX
10298 hosts on the public Internet. Clients that begin the TLS handshake, but
10299 are unable to agree on a common cipher, may not be able to send any
10300 email to the SMTP server. Using a restricted cipher list may be more
10301 appropriate for a dedicated MSA or an internal mailhub, where one can
10302 exert some control over the TLS software and settings of the connecting
10303 clients.
10304
10305 Note: do not use "" quotes around the parameter value.
10306
10307 This feature is available with Postfix version 2.2. It is not used with
10308 Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
10309
10311 The minimum TLS cipher grade that the Postfix SMTP server will use with
10312 opportunistic TLS encryption. Cipher types listed in
10313 smtpd_tls_exclude_ciphers are excluded from the base definition of the
10314 selected cipher grade. The default value is "medium" for Postfix
10315 releases after the middle of 2015, "export" for older releases.
10316
10317 When TLS is mandatory the cipher grade is chosen via the
10318 smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
10319 tax details.
10320
10321 This feature is available in Postfix 2.6 and later. With earlier Post‐
10322 fix releases only the smtpd_tls_mandatory_ciphers parameter is imple‐
10323 mented, and opportunistic TLS always uses "export" or better (i.e. all)
10324 ciphers.
10325
10327 File with the Postfix SMTP server DSA certificate in PEM format. This
10328 file may also contain the Postfix SMTP server private DSA key.
10329
10330 See the discussion under smtpd_tls_cert_file for more details.
10331
10332 Example:
10333
10334 smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
10335
10336 This feature is available in Postfix 2.2 and later.
10337
10339 File with DH parameters that the Postfix SMTP server should use with
10340 non-export EDH ciphers.
10341
10342 Instead of using the exact same parameter sets as distributed with
10343 other TLS packages, it is more secure to generate your own set of
10344 parameters with something like the following commands:
10345
10346 openssl dhparam -out /etc/postfix/dh512.pem 512
10347 openssl dhparam -out /etc/postfix/dh1024.pem 1024
10348 openssl dhparam -out /etc/postfix/dh2048.pem 2048
10349
10350 It is safe to share the same DH parameters between multiple Postfix
10351 instances. If you prefer, you can generate separate parameters for
10352 each instance.
10353
10354 If you want to take maximal advantage of ciphers that offer forward
10355 secrecy see the Getting started section of FORWARD_SECRECY_README. The
10356 full document conveniently presents all information about Postfix "per‐
10357 fect" forward secrecy support in one place: what forward secrecy is,
10358 how to tweak settings, and what you can expect to see when Postfix uses
10359 ciphers with forward secrecy.
10360
10361 Example:
10362
10363 smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
10364
10365 This feature is available with Postfix version 2.2.
10366
10368 File with DH parameters that the Postfix SMTP server should use with
10369 export-grade EDH ciphers. The default SMTP server cipher grade is
10370 "medium" with Postfix releases after the middle of 2015, and as a
10371 result export-grade cipher suites are by default not used.
10372
10373 See also the discussion under the smtpd_tls_dh1024_param_file configu‐
10374 ration parameter.
10375
10376 Example:
10377
10378 smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
10379
10380 This feature is available with Postfix version 2.2.
10381
10383 File with the Postfix SMTP server DSA private key in PEM format. This
10384 file may be combined with the Postfix SMTP server DSA certificate file
10385 specified with $smtpd_tls_dcert_file.
10386
10387 The private key must be accessible without a pass-phrase, i.e. it must
10388 not be encrypted. File permissions should grant read-only access to the
10389 system superuser account ("root"), and no access to anyone else.
10390
10391 This feature is available in Postfix 2.2 and later.
10392
10394 File with the Postfix SMTP server ECDSA certificate in PEM format.
10395 This file may also contain the Postfix SMTP server private ECDSA key.
10396
10397 See the discussion under smtpd_tls_cert_file for more details.
10398
10399 Example:
10400
10401 smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
10402
10403 This feature is available in Postfix 2.6 and later, when Postfix is
10404 compiled and linked with OpenSSL 1.0.0 or later.
10405
10407 File with the Postfix SMTP server ECDSA private key in PEM format.
10408 This file may be combined with the Postfix SMTP server ECDSA certifi‐
10409 cate file specified with $smtpd_tls_eccert_file.
10410
10411 The private key must be accessible without a pass-phrase, i.e. it must
10412 not be encrypted. File permissions should grant read-only access to the
10413 system superuser account ("root"), and no access to anyone else.
10414
10415 This feature is available in Postfix 2.6 and later, when Postfix is
10416 compiled and linked with OpenSSL 1.0.0 or later.
10417
10419 The Postfix SMTP server security grade for ephemeral elliptic-curve
10420 Diffie-Hellman (EECDH) key exchange.
10421
10422 The available choices are:
10423
10424 none Don't use EECDH. Ciphers based on EECDH key exchange will be
10425 disabled. This is the default in Postfix versions 2.6 and 2.7.
10426
10427 strong Use EECDH with approximately 128 bits of security at a reason‐
10428 able computational cost. This is the current best-practice
10429 trade-off between security and computational efficiency. This is
10430 the default in Postfix version 2.8 and later.
10431
10432 ultra Use EECDH with approximately 192 bits of security at computa‐
10433 tional cost that is approximately twice as high as 128 bit
10434 strength ECC. Barring significant progress in attacks on ellip‐
10435 tic curve crypto-systems, the "strong" curve is sufficient for
10436 most users.
10437
10438 auto Use the most preferred curve that is supported by both the
10439 client and the server. This setting requires Postfix >= 3.2
10440 compiled and linked with OpenSSL >= 1.0.2. This is the default
10441 setting under the above conditions.
10442
10443 If you want to take maximal advantage of ciphers that offer forward
10444 secrecy see the Getting started section of FORWARD_SECRECY_README. The
10445 full document conveniently presents all information about Postfix "per‐
10446 fect" forward secrecy support in one place: what forward secrecy is,
10447 how to tweak settings, and what you can expect to see when Postfix uses
10448 ciphers with forward secrecy.
10449
10450 This feature is available in Postfix 2.6 and later, when it is compiled
10451 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
10452 have not been disabled by the vendor.
10453
10455 List of ciphers or cipher types to exclude from the SMTP server cipher
10456 list at all TLS security levels. Excluding valid ciphers can create
10457 interoperability problems. DO NOT exclude ciphers unless it is essen‐
10458 tial to do so. This is not an OpenSSL cipherlist; it is a simple list
10459 separated by whitespace and/or commas. The elements are a single
10460 cipher, or one or more "+" separated cipher properties, in which case
10461 only ciphers matching all the properties are excluded.
10462
10463 Examples (some of these will cause problems):
10464
10465 smtpd_tls_exclude_ciphers = aNULL
10466 smtpd_tls_exclude_ciphers = MD5, DES
10467 smtpd_tls_exclude_ciphers = DES+MD5
10468 smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
10469 smtpd_tls_exclude_ciphers = kEDH+aRSA
10470
10471 The first setting disables anonymous ciphers. The next setting disables
10472 ciphers that use the MD5 digest algorithm or the (single) DES encryp‐
10473 tion algorithm. The next setting disables ciphers that use MD5 and DES
10474 together. The next setting disables the two ciphers "AES256-SHA" and
10475 "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key
10476 exchange with RSA authentication.
10477
10478 This feature is available in Postfix 2.3 and later.
10479
10481 The message digest algorithm to construct remote SMTP client-certifi‐
10482 cate fingerprints or public key fingerprints (Postfix 2.9 and later)
10483 for check_ccert_access and permit_tls_clientcerts. The default algo‐
10484 rithm is md5, for backwards compatibility with Postfix releases prior
10485 to 2.5.
10486
10487 Advances in hash function cryptanalysis have led to md5 being depre‐
10488 cated in favor of sha1. However, as long as there are no known "second
10489 pre-image" attacks against md5, its use in this context can still be
10490 considered safe.
10491
10492 While additional digest algorithms are often available with OpenSSL's
10493 libcrypto, only those used by libssl in SSL cipher suites are available
10494 to Postfix.
10495
10496 To find the fingerprint of a specific certificate file, with a specific
10497 digest algorithm, run:
10498
10499 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
10500
10501 The text to the right of "=" sign is the desired fingerprint. For
10502 example:
10503
10504 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
10505 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
10506
10507 To extract the public key fingerprint from an X.509 certificate, you
10508 need to extract the public key from the certificate and compute the
10509 appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
10510 key" option of the "x509" command extracts the public key always in
10511 "PEM" format. We pipe the result to another OpenSSL command that con‐
10512 verts the key to DER and then to the "dgst" command to compute the fin‐
10513 gerprint.
10514
10515 The actual command to transform the key to DER format depends on the
10516 version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
10517 mand supports all key types. With OpenSSL 0.9.8 and earlier, the key
10518 type is always RSA (nobody uses DSA, and EC keys are not fully sup‐
10519 ported by 0.9.8), so the "rsa" command is used.
10520
10521 # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
10522 $ openssl x509 -in cert.pem -noout -pubkey |
10523 openssl pkey -pubin -outform DER |
10524 openssl dgst -sha1 -c
10525 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
10526
10527 # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
10528 $ openssl x509 -in cert.pem -noout -pubkey |
10529 openssl rsa -pubin -outform DER |
10530 openssl dgst -md5 -c
10531 (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
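As an added example (not Postfix or OpenSSL code), the following Python computes both kinds of fingerprint from a PEM certificate without external tools: the certificate fingerprint is the digest of the whole DER certificate, while the public key fingerprint is the digest of the DER SubjectPublicKeyInfo field, which a small DER walker extracts from tbsCertificate. The sample certificate is a constructed, unsigned stand-in with the right field layout, not a real certificate, so its fingerprints are not meaningful values.

```python
"""Certificate and public-key fingerprints as used by
smtpd_tls_fingerprint_digest (added example, not Postfix code)."""
import base64
import hashlib


def pem_to_der(pem):
    """Decode the base64 body of a single PEM object."""
    body = [line.strip() for line in pem.splitlines()
            if line.strip() and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def der_tlv(buf, pos):
    """Parse one DER tag/length header; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, whole_tlv_bytes) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, nxt = der_tlv(buf, pos)
        yield tag, buf[pos:nxt]
        pos = nxt


def spki_from_cert(der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_start, _ = der_tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_start, tbs_end = der_tlv(der, cert_start)   # tbsCertificate SEQUENCE
    fields = list(der_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def fingerprint(data, digest):
    """Colon-separated upper-case digest, as printed by "openssl x509 -fingerprint"."""
    hexdigest = hashlib.new(digest, data).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def cert_fingerprint(pem, digest="sha1"):
    return fingerprint(pem_to_der(pem), digest)


def pubkey_fingerprint(pem, digest="sha1"):
    return fingerprint(spki_from_cert(pem_to_der(pem)), digest)


# --- Constructed sample: the field layout of an X.509v3 certificate with
# placeholder contents and no valid signature.  Not a real certificate. ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert():
    """Return (pem, spki_der) for the constructed sample certificate."""
    rsa_oid = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))          # rsaEncryption
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    name = _tlv(0x30, b"")                                               # empty Name
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    spki = _tlv(0x30, _tlv(0x30, rsa_oid + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" + _tlv(0x30, b"")))                 # placeholder key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + sha256_rsa + name + validity + name + spki)
    cert = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" + bytes(32)))
    b64 = base64.b64encode(cert).decode()
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
           + "\n-----END CERTIFICATE-----\n")
    return pem, spki


if __name__ == "__main__":
    sample_pem, _ = constructed_cert()
    print("SHA1 Fingerprint=" + cert_fingerprint(sample_pem, "sha1"))
    print("SHA1 public key =" + pubkey_fingerprint(sample_pem, "sha1"))
```

On a real certificate file the two values agree with the "openssl x509 -fingerprint" and "openssl pkey ... | openssl dgst" pipelines shown above, apart from letter case.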
10532
10533 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
10534 gerprint and public key fingerprint when the TLS loglevel is 2 or
10535 higher.
10536
10537 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
10538 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
10539 later.
10540
10541 Example: client-certificate access table, with sha1 fingerprints:
10542
10543 /etc/postfix/main.cf:
10544 smtpd_tls_fingerprint_digest = sha1
10545 smtpd_client_restrictions =
10546 check_ccert_access hash:/etc/postfix/access,
10547 reject
10548 /etc/postfix/access:
10549 # Action folded to next line...
10550 AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
10551 OK
10552 85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
10553 permit_auth_destination
10554
10555 This feature is available in Postfix 2.5 and later.
10556
10558 File with the Postfix SMTP server RSA private key in PEM format. This
10559 file may be combined with the Postfix SMTP server RSA certificate file
10560 specified with $smtpd_tls_cert_file.
10561
10562 The private key must be accessible without a pass-phrase, i.e. it must
10563 not be encrypted. File permissions should grant read-only access to the
10564 system superuser account ("root"), and no access to anyone else.
10565
10567 Enable additional Postfix SMTP server logging of TLS activity. Each
10568 logging level also includes the information that is logged at a lower
10569 logging level.
10570
10571 0 Disable logging of TLS activity.
10572
10573 1 Log only a summary message on TLS handshake completion - no
10574 logging of client certificate trust-chain verification errors if
10575 client certificate verification is not required. With Postfix
10576 2.8 and earlier, log the summary message, peer certificate sum‐
10577 mary information and unconditionally log trust-chain verifica‐
10578 tion errors.
10579
10580 2 Also log levels during TLS negotiation.
10581
10582 3 Also log hexadecimal and ASCII dump of TLS negotiation
10583 process.
10584
10585 4 Also log hexadecimal and ASCII dump of complete transmission
10586 after STARTTLS.
10587
10588 Do not use "smtpd_tls_loglevel = 2" or higher except in case of prob‐
10589 lems. Use of loglevel 4 is strongly discouraged.
10590
10591 This feature is available in Postfix 2.2 and later.
10592
10594 The minimum TLS cipher grade that the Postfix SMTP server will use with
10595 mandatory TLS encryption. The default grade ("medium") is sufficiently
10596 strong that any benefit from globally restricting TLS sessions to a
10597 more stringent grade is likely negligible, especially given the fact
10598 that many implementations still do not offer any stronger ("high"
10599 grade) ciphers, while those that do, will always use "high" grade
10600 ciphers. So insisting on "high" grade ciphers is generally counter-pro‐
10601 ductive. Allowing "export" or "low" ciphers is typically not a good
10602 idea, as systems limited to just these are limited to obsolete
10603 browsers. No known SMTP clients fail to support at least one "medium"
10604 or "high" grade cipher.
10605
10606 The following cipher grades are supported:
10607
10608 export Enable "EXPORT" grade or stronger OpenSSL ciphers. The underly‐
10609 ing cipherlist is specified via the tls_export_cipherlist con‐
10610 figuration parameter, which you are strongly encouraged to not
10611 change. This choice is insecure and SHOULD NOT be used.
10612
10613 low Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
10614 cipherlist is specified via the tls_low_cipherlist configuration
10615 parameter, which you are strongly encouraged to not change.
10616 This choice is insecure and SHOULD NOT be used.
10617
10618 medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
10619 128-bit or longer symmetric bulk-encryption keys. This is the
10620 default minimum strength for mandatory TLS encryption. The
10621 underlying cipherlist is specified via the tls_medium_cipherlist
10622 configuration parameter, which you are strongly encouraged to
10623 not change.
10624
10625 high Enable only "HIGH" grade OpenSSL ciphers. The underlying
10626 cipherlist is specified via the tls_high_cipherlist configura‐
10627 tion parameter, which you are strongly encouraged to not change.
10628
10629 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
10630 cation without encryption. This setting is only appropriate in
10631 the rare case that all clients are prepared to use NULL ciphers
10632 (not normally enabled in TLS clients). The underlying cipherlist
10633 is specified via the tls_null_cipherlist configuration parame‐
10634 ter, which you are strongly encouraged to not change.
10635
10636 Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
10637 smtpd_tls_exclude_ciphers are excluded from the base definition of the
10638 selected cipher grade. See smtpd_tls_ciphers for cipher controls that
10639 apply to opportunistic TLS.
10640
10641 The underlying cipherlists for grades other than "null" include anony‐
10642 mous ciphers, but these are automatically filtered out if the server is
10643 configured to ask for remote SMTP client certificates. You are very
10644 unlikely to need to take any steps to exclude anonymous ciphers; they
10645 are excluded automatically as required. If you must exclude anonymous
10646 ciphers even when Postfix does not need or use peer certificates, set
10647 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
10648 when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers =
10649 aNULL".
10650
10651 This feature is available in Postfix 2.3 and later.
10652
10654 Additional list of ciphers or cipher types to exclude from the Postfix
10655 SMTP server cipher list at mandatory TLS security levels. This list
10656 works in addition to the exclusions listed with
10657 smtpd_tls_exclude_ciphers (see there for syntax details).
10658
10659 This feature is available in Postfix 2.3 and later.
10660
10662 The SSL/TLS protocols accepted by the Postfix SMTP server with manda‐
10663 tory TLS encryption. If the list is empty, the server supports all
10664 available SSL/TLS protocol versions. A non-empty value is a list of
10665 protocol names separated by whitespace, commas or colons. The sup‐
10666 ported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not
10667 case sensitive. The default value is "!SSLv2, !SSLv3" for Postfix
10668 releases after the middle of 2015, "!SSLv2" for older releases.
10669
10670 With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
10671 col exclusions. One can explicitly exclude "SSLv2" by setting
10672 "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
10673 "SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
10674 the protocols to include, rather than protocols to exclude, is sup‐
10675 ported, but not recommended. The exclusion form more closely matches
10676 the underlying OpenSSL interface semantics.
10677
10678 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
10679 "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
10680 later, these, or any other new protocol versions, cannot be disabled.
10681 The latest patch levels of Postfix >= 2.6, and all versions of Postfix
10682 >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
10683
10684 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
10685 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
10686 abled, if need be, via "!TLSv1.3".
10687
10688 Example:
10689
10690 # Preferred syntax with Postfix >= 2.5:
10691 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
10692 # Legacy syntax:
10693 smtpd_tls_mandatory_protocols = TLSv1
10694
10695 This feature is available in Postfix 2.3 and later.
10696
10698 List of TLS protocols that the Postfix SMTP server will exclude or
10699 include with opportunistic TLS encryption. The default value is
10700 "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, empty
10701 for older releases allowing all protocols to be used with opportunistic
10702 TLS. A non-empty value is a list of protocol names separated by white‐
10703 space, commas or colons. The supported protocol names are "SSLv2",
10704 "SSLv3" and "TLSv1", and are not case sensitive.
10705
10706 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
10707 "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
10708 of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
10709
10710 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
10711 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
10712 abled, if need be, via "!TLSv1.3".
10713
10714 To include a protocol, list its name; to exclude it, prefix the name
10715 with a "!" character. To exclude SSLv2 for opportunistic TLS, set
10716 "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
10717 "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the proto‐
10718 cols to include, rather than protocols to exclude, is supported, but
10719 not recommended. The exclusion form more closely matches the underly‐
10720 ing OpenSSL interface semantics.
10721
10722 Example:
10723 smtpd_tls_protocols = !SSLv2, !SSLv3
10724
10725 This feature is available in Postfix 2.6 and later.
10726
10728 Request that the Postfix SMTP server produce Received: message head‐
10729 ers that include information about the protocol and cipher used, as
10730 well as the remote SMTP client CommonName and client certificate issuer
10731 CommonName. This is disabled by default, as the information may be
10732 modified in transit through other mail servers. Only information that
10733 was recorded by the final destination can be trusted.
10734
10735 This feature is available in Postfix 2.2 and later.
10736
10738 With mandatory TLS encryption, require a trusted remote SMTP client
10739 certificate in order to allow TLS connections to proceed. This option
10740 implies "smtpd_tls_ask_ccert = yes".
10741
10742 When TLS encryption is optional, this setting is ignored with a warning
10743 written to the mail log.
10744
10745 This feature is available in Postfix 2.2 and later.
10746
10748 The SMTP TLS security level for the Postfix SMTP server; when a
10749 non-empty value is specified, this overrides the obsolete parameters
10750 smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
10751 "smtpd_tls_wrappermode = yes".
10752
10753 Specify one of the following security levels:
10754
10755 none TLS will not be used.
10756
10757 may Opportunistic TLS: announce STARTTLS support to remote SMTP
10758 clients, but do not require that clients use TLS encryption.
10759
10760 encrypt
10761 Mandatory TLS encryption: announce STARTTLS support to remote
10762 SMTP clients, and require that clients use TLS encryption.
10763 According to RFC 2487 this MUST NOT be applied in case of a pub‐
10764 licly-referenced SMTP server. Instead, this option should be
10765 used only on dedicated servers.
10766
10767 Note 1: the "fingerprint", "verify" and "secure" levels are not sup‐
10768 ported here. The Postfix SMTP server logs a warning and uses "encrypt"
10769 instead. To verify remote SMTP client certificates, see TLS_README for
10770 a discussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and per‐
10771 mit_tls_clientcerts features.
10772
10773 Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
10774 implies "smtpd_tls_auth_only = yes".
10775
10776 Note 3: when invoked via "sendmail -bs", Postfix will never offer
10777 STARTTLS due to insufficient privileges to access the server private
10778 key. This is intended behavior.
10779
10780 This feature is available in Postfix 2.3 and later.
10781
10783 Name of the file containing the optional Postfix SMTP server TLS ses‐
10784 sion cache. Specify a database type that supports enumeration, such as
10785 btree or sdbm; there is no need to support concurrent access. The file
10786 is created if it does not exist. The smtpd(8) daemon does not use this
10787 parameter directly, rather the cache is implemented indirectly in the
10788 tlsmgr(8) daemon. This means that per-smtpd-instance master.cf over‐
10789 rides of this parameter are not effective. Note that each of the cache
10790 databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
10791 base, $smtp_tls_session_cache_database (and with Postfix 2.3 and later
10792 $lmtp_tls_session_cache_database), needs to be stored separately. It is
10793 not at this time possible to store multiple caches in a single data‐
10794 base.
10795
10796 Note: dbm databases are not suitable. TLS session objects are too
10797 large.
10798
10799 As of version 2.5, Postfix no longer uses root privileges when opening
10800 this file. The file should now be stored under the Postfix-owned
10801 data_directory. As a migration aid, an attempt to open the file under a
10802 non-Postfix directory is redirected to the Postfix-owned data_direc‐
10803 tory, and a warning is logged.
10804
10805 As of Postfix 2.11 the preferred mechanism for session resumption is
10806 RFC 5077 TLS session tickets, which don't require server-side storage.
10807 Consequently, for Postfix >= 2.11 this parameter should generally be
10808 left empty. TLS session tickets require an OpenSSL library (at least
10809 version 0.9.8h) that provides full support for this TLS extension. See
10810 also smtpd_tls_session_cache_timeout.
10811
10812 Example:
10813
10814 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
10815
10816 This feature is available in Postfix 2.2 and later.
10817
10819 The expiration time of Postfix SMTP server TLS session cache informa‐
10820 tion. A cache cleanup is performed periodically every $smtpd_tls_ses‐
10821 sion_cache_timeout seconds. As with $smtpd_tls_session_cache_database,
10822 this parameter is implemented in the tlsmgr(8) daemon and therefore
10823 per-smtpd-instance master.cf overrides are not possible.
10824
10825 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
10826 session caching is disabled, not just via the database, but also via
10827 RFC 5077 TLS session tickets, which don't require server-side storage.
10828 If set to a positive value less than 2 minutes, the minimum value of 2
10829 minutes is used instead. TLS session tickets require an OpenSSL
10830 library (at least version 0.9.8h) that provides full support for this
10831 TLS extension.
10832
10833 This feature is available in Postfix 2.2 and later, and updated for TLS
10834 session ticket support in Postfix 2.11.
10835
10837 Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
10838 of using the STARTTLS command.
10839
10840 If you want to support this service, enable a special port in mas‐
10841 ter.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
10842 command line. Port 465 (smtps) was once chosen for this purpose.
10843
10844 This feature is available in Postfix 2.2 and later.
10845
10847 The name of the proxy protocol used by an optional before-smtpd proxy
10848 agent. When a proxy agent is used, this protocol conveys local and
10849 remote address and port information. Specify
10850 "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy proto‐
10851 col.
10852
10853 NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
10854 with smtpd_authorized_xclient_hosts. This supports SASL authentication
10855 in the proxy agent (Postfix 2.9 and later).
10856
10857 This feature is available in Postfix 2.10 and later.
10858
10860 The time limit for the proxy protocol specified with the
10861 smtpd_upstream_proxy_protocol parameter.
10862
10863 This feature is available in Postfix 2.10 and later.
10864
10866 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
10867 but do not require that clients use TLS encryption.
10868
10869 Note: when invoked via "sendmail -bs", Postfix will never offer START‐
10870 TLS due to insufficient privileges to access the server private key.
10871 This is intended behavior.
10872
10873 This feature is available in Postfix 2.2 and later. With Postfix 2.3
10874 and later use smtpd_tls_security_level instead.
10875
10877 Detect that a message requires SMTPUTF8 support for the specified mail
10878 origin classes. This is a workaround to avoid chicken-and-egg problems
10879 during the initial SMTPUTF8 roll-out in environments with pre-existing
10880 mail flows that contain UTF8. Those mail flows should not break because
10881 Postfix suddenly refuses to deliver such mail to down-stream MTAs that
10882 don't announce SMTPUTF8 support.
10883
10884 The problem is that Postfix cannot rely solely on the sender's declara‐
10885 tion that a message requires SMTPUTF8 support, because UTF8 may be
10886 introduced during local processing (for example, the client hostname in
10887 Postfix's Received: header, adding @$myorigin or .$mydomain to an
10888 incomplete address, address rewriting, alias expansion, automatic BCC
10889 recipients, local forwarding, and changes made by header checks or Mil‐
10890 ter applications).
10891
10892 For now, the default is to enable "SMTPUTF8 required" autodetection
10893 only for Postfix sendmail command-line submissions and address verifi‐
10894 cation probes. This may change once SMTPUTF8 support achieves world
10895 domination. However, sites that add UTF8 content via local processing
10896 (see above) should autodetect the need for SMTPUTF8 support for all
10897 email.
10898
10899 Specify one or more of the following:
10900
10901 sendmail
10902 Submission with the Postfix sendmail(1) command.
10903
10904 smtpd Mail received with the smtpd(8) daemon.
10905
10906 qmqpd Mail received with the qmqpd(8) daemon.
10907
10908 forward
10909 Local forwarding or aliasing. When a message is received with
10910 "SMTPUTF8 required", then the forwarded (aliased) message always
10911 has "SMTPUTF8 required".
10912
10913 bounce
10914 Submission by the bounce(8) daemon. When a message is received
10915 with "SMTPUTF8 required", then the delivery status notification
10916 always has "SMTPUTF8 required".
10917
10918 notify
10919 Postmaster notification from the smtp(8) or smtpd(8) daemon.
10920
10921 verify
10922 Address verification probe from the verify(8) daemon.
10923
10924 all Enable SMTPUTF8 autodetection for all mail.
10925
10926 This feature is available in Postfix 3.0 and later.
10927
10929 Enable preliminary SMTPUTF8 support for the protocols described in RFC
10930 6531..6533. This requires that Postfix is built to support these proto‐
10931 cols.
10932
10933 This feature is available in Postfix 3.0 and later.
10934
10936 Safety net to keep mail queued that would otherwise be returned to the
10937 sender. This parameter disables locally-generated bounces, changes the
10938 handling of negative responses from remote servers, content filters or
10939 plugins, and prevents the Postfix SMTP server from rejecting mail per‐
10940 manently by changing 5xx reply codes into 4xx. However, soft_bounce is
10941 no cure for address rewriting mistakes or mail routing mistakes.
10942
10943 Note: "soft_bounce = yes" is in some cases implemented by modifying
10944 server responses. Therefore, the response that Postfix logs may differ
10945 from the response that Postfix actually sends or receives.
10946
10947 Example:
10948
10949 soft_bounce = yes
10950
10952 The time after which a stale exclusive mailbox lockfile is removed.
10953 This is used for delivery to file or mailbox.
10954
10955 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
10956 The default time unit is s (seconds).
10957
10959 This feature is documented in the STRESS_README document.
10960
10961 This feature is available in Postfix 2.5 and later.
10962
10964 Reject mail with 8-bit text in message headers. This blocks mail from
10965 poorly written applications.
10966
10967 This feature should not be enabled on a general purpose mail server,
10968 because it is likely to reject legitimate email.
10969
10970 This feature is available in Postfix 2.0 and later.
10971
10973 Enable both strict_7bit_headers and strict_8bitmime_body.
10974
10975 This feature should not be enabled on a general purpose mail server,
10976 because it is likely to reject legitimate email.
10977
10978 This feature is available in Postfix 2.0 and later.
10979
10981 Reject 8-bit message body text without 8-bit MIME content encoding
10982 information. This blocks mail from poorly written applications.
10983
10984 Unfortunately, this also rejects majordomo approval requests when the
10985 included request contains valid 8-bit MIME mail, and it rejects bounces
10986 from mailers that do not MIME encapsulate 8-bit content (for example,
10987 bounces from qmail or from old versions of Postfix).
10988
10989 This feature should not be enabled on a general purpose mail server,
10990 because it is likely to reject legitimate email.
10991
10992 This feature is available in Postfix 2.0 and later.
10993
10995 Defer delivery when a mailbox file is not owned by its recipient. The
10996 default setting is not backwards compatible.
10997
10998 This feature is available in Postfix 2.5.3 and later.
10999
11001 Reject mail with invalid Content-Transfer-Encoding: information for the
11002 message/* or multipart/* MIME content types. This blocks mail from
11003 poorly written software.
11004
11005 This feature should not be enabled on a general purpose mail server,
11006 because it will reject mail after a single violation.
11007
11008 This feature is available in Postfix 2.0 and later.
11009
11011 Require that addresses received in SMTP MAIL FROM and RCPT TO commands
11012 are enclosed with <>, and that those addresses do not contain RFC 822
11013 style comments or phrases. This stops mail from poorly written soft‐
11014 ware.
11015
11016 By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
11017 and RCPT TO addresses.
11018
11020 Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix SMTP
11021 server accepts UTF8 sender or recipient addresses only when the client
11022 requests an SMTPUTF8 mail transaction.
11023
11024 This feature is available in Postfix 3.0 and later.
11025
11027 Obsolete SUN mailtool compatibility feature. Instead, use "mail‐
11028 box_delivery_lock = dotlock".
11029
11031 Enable the rewriting of "site!user" into "user@site". This is neces‐
11032 sary if your machine is connected to UUCP networks. It is enabled by
11033 default.
11034
11035 Note: with Postfix version 2.2, message header address rewriting hap‐
11036 pens only when one of the following conditions is true:
11037
11038 · The message is received with the Postfix sendmail(1) command,
11039
11040 · The message is received from a network client that matches
11041 $local_header_rewrite_clients,
11042
11043 · The message is received from the network, and the
11044 remote_header_rewrite_domain parameter specifies a non-empty
11045 value.
11046
11047 To get the behavior before Postfix version 2.2, specify
11048 "local_header_rewrite_clients = static:all".
11049
11050 Example:
11051
11052 swap_bangpath = no
11053
11055 The syslog facility of Postfix logging. Specify a facility as defined
11056 in syslog.conf(5). The default facility is "mail".
11057
11058 Warning: a non-default syslog_facility setting takes effect only after
11059 a Postfix process has completed initialization. Errors during process
11060 initialization will be logged with the default facility. Examples are
11061 errors while parsing the command line arguments, and errors while
11062 accessing the Postfix main.cf configuration file.
11063
11065 A prefix that is prepended to the process name in syslog records, so
11066 that, for example, "smtpd" becomes "prefix/smtpd".
11067
11068 Warning: a non-default syslog_name setting takes effect only after a
11069 Postfix process has completed initialization. Errors during process
11070 initialization will be logged with the default name. Examples are
11071 errors while parsing the command line arguments, and errors while
11072 accessing the Postfix main.cf configuration file.
11073
11075 An optional workaround for routers that break TCP window scaling.
11076 Specify a value > 0 and < 65536 to enable this feature. With Postfix
11077 TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
11078 Postfix master(8) daemon.
11079
11080 To change this parameter without stopping Postfix, you need to first
11081 terminate all Postfix TCP servers:
11082
11083 # postconf -e master_service_disable=inet
11084 # postfix reload
11085
11086 This immediately terminates all processes that accept network connec‐
11087 tions. Next, you enable Postfix TCP servers with the updated tcp_win‐
11088 dowsize setting:
11089
11090 # postconf -e tcp_windowsize=65535 master_service_disable=
11091 # postfix reload
11092
11093 If you skip these steps with a running Postfix system, then the
11094 tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
11095 lmtp(8)).
11096
11097 This feature is available in Postfix 2.6 and later.
11098
11100 Append the system-supplied default Certification Authority certificates
11101 to the ones specified with *_tls_CApath or *_tls_CAfile. The default
11102 is "no"; this prevents Postfix from trusting third-party certificates
11103 and giving them relay permission with permit_tls_all_clientcerts.
11104
11105 This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
11106 later versions. Specify "tls_append_default_CA = yes" for backwards
11107 compatibility, to avoid breaking certificate verification with sites
11108 that don't use permit_tls_all_clientcerts.
11109
11111 The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
11112 requests from the tlsmgr(8) server in order to seed its internal pseudo
11113 random number generator (PRNG). The default of 32 bytes (equivalent to
11114 256 bits) is sufficient to generate a 128bit (or 168bit) session key.
11115
11116 This feature is available in Postfix 2.2 and later.
11117
11119 Configure RFC7671 DANE TLSA digest algorithm agility. Do not change
11120 this setting from its default value.
11121
11122 See Section 8 of RFC7671 for correct key rotation procedures.
11123
11124 This feature is available in Postfix 2.11 through 3.1. Postfix 3.2 and
11125 later ignore this configuration parameter and behave as though it were
11126 set to "on".
11127
11129 DANE TLSA (RFC 6698, RFC 7671, RFC 7672) resource-record "matching
11130 type" digest algorithms in descending preference order. All the speci‐
11131 fied algorithms must be supported by the underlying OpenSSL library,
11132 otherwise the Postfix SMTP client will not support DANE TLSA security.
11133
11134 Specify a list of digest names separated by commas and/or whitespace.
11135 Each digest name may be followed by an optional "=<number>" suffix.
11136 For example, "sha512" may instead be specified as "sha512=2" and
11137 "sha256" may instead be specified as "sha256=1". The optional number
11138 must match the IANA assigned TLSA matching type number for the
11139 algorithm in question (https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types).
11140 Postfix will check this con‐
11141 straint for the algorithms it knows about. Additional matching type
11142 algorithms registered with IANA can be added with explicit numbers pro‐
11143 vided they are supported by OpenSSL.
11144
11145 Invalid list elements are logged with a warning and disable DANE sup‐
11146 port. TLSA RRs that specify digests not included in the list are
11147 ignored with a warning.
11148
11149 Note: It is unwise to omit sha256 from the digest list. This digest
11150 algorithm is the only mandatory-to-implement digest algorithm in RFC
11151 6698, and many servers are expected to publish TLSA records with just
11152 sha256 digests. Unless one of the standard digests is seriously com‐
11153 promised and servers have had ample time to update their TLSA records
11154 you should not omit any standard digests, just arrange them in order
11155 from strongest to weakest.
11156
11157 This feature is available in Postfix 2.11 and later.
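The digest-list rules above, as an added example that is not Postfix code: a parser that applies the "name[=number]" syntax, the IANA matching-type check for the digests Postfix knows, and the "invalid element disables DANE" behaviour, plus a filter that ignores TLSA records whose matching type is not on the list and reports the most preferred digest present. OPENSSL_DIGESTS stands in for "supported by the underlying OpenSSL library", and SAMPLE_TLSA and the "sha384=5" element are constructed values for illustration only.

```python
import logging
import re

# IANA TLSA matching types Postfix knows about (dane-parameters registry):
# 0 = Full (no digest), 1 = SHA2-256, 2 = SHA2-512.
KNOWN_MATCHING_TYPES = {"sha256": 1, "sha512": 2}

# Assumption: stand-in for the digest names the linked OpenSSL supports.
OPENSSL_DIGESTS = {"sha256", "sha512", "sha384", "sha1"}

ELEMENT_RE = re.compile(r"^([A-Za-z0-9_-]+)(?:=(\d+))?$")


def parse_dane_digests(value):
    """Parse a tls_dane_digests value into [(digest, matching_type), ...] in
    descending preference order.  Returns None when any element is invalid,
    modelling "invalid list elements are logged ... and disable DANE support"."""
    digests = []
    for element in re.split(r"[\s,]+", value.strip()):
        if not element:
            continue
        m = ELEMENT_RE.match(element)
        if not m:
            logging.warning("invalid tls_dane_digests element %r: DANE disabled", element)
            return None
        name = m.group(1).lower()
        number = int(m.group(2)) if m.group(2) is not None else None
        if name in KNOWN_MATCHING_TYPES:
            expected = KNOWN_MATCHING_TYPES[name]
            if number is not None and number != expected:
                logging.warning("%s=%d does not match IANA matching type %d: DANE disabled",
                                name, number, expected)
                return None
            number = expected
        elif number is None:
            # A digest Postfix does not know needs an explicit IANA number.
            logging.warning("digest %r without a matching type number: DANE disabled", name)
            return None
        if name not in OPENSSL_DIGESTS:
            logging.warning("digest %r not supported by OpenSSL: DANE disabled", name)
            return None
        digests.append((name, number))
    return digests


def usable_tlsa_records(records, digests):
    """Keep TLSA RRs (usage, selector, matching_type, data) whose matching
    type is on the configured list; matching type 0 (Full) carries no digest
    and is kept.  Records with other digests are ignored with a warning."""
    allowed = {mtype for _name, mtype in digests}
    kept = []
    for rr in records:
        mtype = rr[2]
        if mtype == 0 or mtype in allowed:
            kept.append(rr)
        else:
            logging.warning("ignoring TLSA record with unsupported matching type %d", mtype)
    return kept


def most_preferred_digest(records, digests):
    """Name of the highest-preference configured digest that some record uses,
    or None when only Full (or no usable) records are present."""
    present = {rr[2] for rr in records}
    for name, mtype in digests:
        if mtype in present:
            return name
    return None


# Constructed TLSA RRset: (usage, selector, matching_type, data).  The data
# fields are placeholders, not real digests.
SAMPLE_TLSA = [
    (3, 1, 1, "<sha256 of SPKI>"),      # DANE-EE, SPKI, SHA2-256
    (2, 0, 2, "<sha512 of CA cert>"),   # DANE-TA, full certificate, SHA2-512
    (3, 1, 0, "<full SPKI>"),           # DANE-EE, SPKI, Full
    (3, 1, 9, "<unknown digest>"),      # matching type not on the list
]


def evaluate(value, records=SAMPLE_TLSA):
    """Apply a tls_dane_digests setting to an RRset: returns (usable records,
    most preferred digest), or (None, None) when the setting disables DANE."""
    digests = parse_dane_digests(value)
    if digests is None:
        return None, None
    usable = usable_tlsa_records(records, digests)
    return usable, most_preferred_digest(usable, digests)


if __name__ == "__main__":
    for setting in ("sha512 sha256", "sha256=2", "sha384=5 sha256"):
        print(setting, "->", evaluate(setting))
```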
11158
11160 Enable support for RFC 6698 (DANE TLSA) DNS records that contain
11161 digests of trust-anchors with certificate usage "2". Do not change
11162 this setting from its default value.
11163
11164 This feature is available in Postfix 2.11 through 3.1. It has been
11165 withdrawn in Postfix 3.2, as trust-anchor TLSA records are now widely
11166 used and have proved sufficiently reliable. Postfix 3.2 and later
11167 ignore this configuration parameter and behave as though it were set
11168 to "yes".
11169
11171 List or bit-mask of OpenSSL bug work-arounds to disable.
11172
11173 The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS
11174 implementations. Applications, such as Postfix, that want to maximize
11175 interoperability ask the OpenSSL library to enable the full set of rec‐
11176 ommended work-arounds.
11177
11178 From time to time, it is discovered that a work-around creates a secu‐
11179 rity issue, and should no longer be used. If upgrading OpenSSL to a
11180 fixed version is not an option or an upgrade is not available in a
11181 timely manner, or in closed environments where no buggy clients or
11182 servers exist, it may be appropriate to disable some or all of the
11183 OpenSSL interoperability work-arounds. This parameter specifies which
11184 bug work-arounds to disable.
11185
11186 If the value of the parameter is a hexadecimal long integer starting
11187 with "0x", the bug work-arounds corresponding to the bits specified in
11188 its value are removed from the SSL_OP_ALL work-around bit-mask (see
11189 openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more bits
11190 than are present in SSL_OP_ALL, excess bits are ignored. Specifying
11191 0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
11192 also be sufficient on 64-bit systems, until OpenSSL abandons support
11193 for 32-bit systems and starts using the high 32 bits of a 64-bit
11194 bug-workaround mask.
11195
11196 Otherwise, the parameter is a white-space or comma separated list of
11197 specific named bug work-arounds chosen from the list below. It is pos‐
11198 sible that your OpenSSL version includes new bug work-arounds added
11199 after your Postfix source code was last updated, in that case you can
11200 only disable one of these via the hexadecimal syntax above.
11201
11202 CRYPTOPRO_TLSEXT_BUG
11203 New with GOST support in OpenSSL 1.0.0.
11204
11205 DONT_INSERT_EMPTY_FRAGMENTS
11206 See SSL_CTX_set_options(3)
11207
11208 LEGACY_SERVER_CONNECT
11209 See SSL_CTX_set_options(3)
11210
11211 MICROSOFT_BIG_SSLV3_BUFFER
11212 See SSL_CTX_set_options(3)
11213
11214 MICROSOFT_SESS_ID_BUG
11215 See SSL_CTX_set_options(3)
11216
11217 MSIE_SSLV2_RSA_PADDING
11218 also aliased as CVE-2005-2969. Postfix 2.8 disables this
11219 work-around by default with OpenSSL versions that may predate
11220 the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
11221
11222 NETSCAPE_CHALLENGE_BUG
11223 See SSL_CTX_set_options(3)
11224
11225 NETSCAPE_REUSE_CIPHER_CHANGE_BUG
11226 also aliased as CVE-2010-4180. Postfix 2.8 disables this
11227 work-around by default with OpenSSL versions that may predate
11228 the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.
11229
11230 SSLEAY_080_CLIENT_DH_BUG
11231 See SSL_CTX_set_options(3)
11232
11233 SSLREF2_REUSE_CERT_TYPE_BUG
11234 See SSL_CTX_set_options(3)
11235
11236 TLS_BLOCK_PADDING_BUG
11237 See SSL_CTX_set_options(3)
11238
11239 TLS_D5_BUG
11240 See SSL_CTX_set_options(3)
11241
11242 TLS_ROLLBACK_BUG
11243 See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7
11244 and later. Nobody should still be using 0.9.6!
11245
11246 TLSEXT_PADDING
11247 Postfix >= 3.4. See SSL_CTX_set_options(3).
11248
11249 This feature is available in Postfix 2.8 and later.
11250
11252 The prioritized list of elliptic curves supported by the Postfix SMTP
11253 client and server. These curves are used by the Postfix SMTP server
11254 when "smtpd_tls_eecdh_grade = auto". The selected curves must be
11255 implemented by OpenSSL and be standardized for use in TLS (RFC 4492 or
11256 its imminent successor). It is unwise to list only "bleeding-edge"
11257 curves supported by a small subset of clients. The default list is
11258 suitable for most users.
11259
11260 Postfix skips curve names that are unknown to OpenSSL, or that are
11261 known but not yet implemented. This makes it possible to "anticipate"
11262 support for curves that should be used once they become available. In
11263 particular, in some OpenSSL versions, the new RFC 8031 curves "X25519"
11264 and "X448" may be known by name, but ECDH support for either or both
11265 may be missing. These curves may appear in the default value of this
11266 parameter, even though they'll only be usable with later versions of
11267 OpenSSL.
11268
11269 This feature is available in Postfix 3.2 and later, when it is compiled
11270 and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
11271 have not been disabled by the vendor.
11272
11274 The elliptic curve used by the Postfix SMTP server for sensibly strong
11275 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
11276 server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
11277 strong" means approximately 128-bit security based on best known
11278 attacks. The selected curve must be implemented by OpenSSL (as reported
11279 by ecparam(1) with the "-list_curves" option) and be one of the curves
11280 listed in Section 5.1.1 of RFC 4492. You should not generally change
11281 this setting. Remote SMTP client implementations must support this
11282 curve for EECDH key exchange to take place. It is unwise to choose an
11283 "bleeding-edge" curve supported by only a small subset of clients.
11284
11285 The default "strong" curve is rated in NSA Suite B for information
11286 classified up to SECRET.
11287
11288 Note: elliptic curve names are poorly standardized; different standards
11289 groups are assigning different names to the same underlying curves.
11290 The curve with the X9.62 name "prime256v1" is also known under the SECG
11291 name "secp256r1", but OpenSSL does not recognize the latter name.
11292
11293 If you want to take maximal advantage of ciphers that offer forward
11294 secrecy, see the Getting started section of FORWARD_SECRECY_README. The
11295 full document conveniently presents all information about Postfix "perfect" forward secrecy support in one place: what forward secrecy is,
11297 how to tweak settings, and what you can expect to see when Postfix uses
11298 ciphers with forward secrecy.
11299
11300 This feature is available in Postfix 2.6 and later, when it is compiled
11301 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11302 have not been disabled by the vendor.
11303
11305 The elliptic curve used by the Postfix SMTP server for maximally strong
11306 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
11307 server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally
11308 strong" means approximately 192-bit security based on best known
11309 attacks. This additional strength comes at a significant computational
11310 cost; most users should instead set "smtpd_tls_eecdh_grade = strong".
11311 The selected curve must be implemented by OpenSSL (as reported by
11312 ecparam(1) with the "-list_curves" option) and be one of the curves
11313 listed in Section 5.1.1 of RFC 4492. You should not generally change
11314 this setting.
11315
11316 The default "ultra" curve is rated in NSA Suite B for information
11317 classified up to TOP SECRET.
11318
11319 If you want to take maximal advantage of ciphers that offer forward
11320 secrecy, see the Getting started section of FORWARD_SECRECY_README. The
11321 full document conveniently presents all information about Postfix "perfect" forward secrecy support in one place: what forward secrecy is,
11323 how to tweak settings, and what you can expect to see when Postfix uses
11324 ciphers with forward secrecy.
11325
11326 This feature is available in Postfix 2.6 and later, when it is compiled
11327 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11328 have not been disabled by the vendor.
11329
11331 The OpenSSL cipherlist for "export" or higher grade ciphers. This
11332 defines the meaning of the "export" setting in smtpd_tls_ciphers,
11333 smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. With
11335 Postfix releases before the middle of 2015 this is the default
11336 cipherlist for the opportunistic ("may") TLS client security level and
11337 also the default cipherlist for the SMTP server. You are strongly
11338 encouraged to not change this setting.
11339
11340 This feature is available in Postfix 2.3 and later.
11341
11343 The OpenSSL cipherlist for "high" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_ciphers, smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
11346 lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
11347 encouraged to not change this setting.
11348
11349 This feature is available in Postfix 2.3 and later.
11350
11352 A temporary migration aid for sites that use certificate public-key
11353 fingerprints with Postfix 2.9.0..2.9.5, which use an incorrect algorithm. This parameter has no effect on the certificate fingerprint support that is available since Postfix 2.2.
11356
11357 Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
11358 a migration from configuration files with incorrect Postfix
11359 2.9.0..2.9.5 certificate public-key fingerprints, to the correct fingerprints used by Postfix 2.9.6 and later. To compute the correct certificate public-key fingerprints, see TLS_README.
11362
11363 This feature is available in Postfix 2.9.6 and later.
11364
11366 The OpenSSL cipherlist for "low" or higher grade ciphers. This defines
11367 the meaning of the "low" setting in smtpd_tls_ciphers, smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
11369 lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
11370 encouraged to not change this setting.
11371
11372 This feature is available in Postfix 2.3 and later.
11373
11375 The OpenSSL cipherlist for "medium" or higher grade ciphers. This
11376 defines the meaning of the "medium" setting in smtpd_tls_ciphers,
11377 smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. This
11379 is the default cipherlist for mandatory TLS encryption in the TLS
11380 client (with anonymous ciphers disabled when verifying server certificates). This is the default cipherlist for opportunistic TLS with
11382 Postfix releases after the middle of 2015. You are strongly encouraged
11383 to not change this setting.
11384
11385 This feature is available in Postfix 2.3 and later.
11386
11388 The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. This defines the meaning of the "null" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
11391 lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change
11392 this setting.
11393
11394 This feature is available in Postfix 2.3 and later.
11395
11397 With SSLv3 and later, use the Postfix SMTP server's cipher preference
11398 order instead of the remote client's cipher preference order.
11399
11400 By default, the OpenSSL server selects the client's most preferred
11401 cipher that the server supports. With SSLv3 and later, the server may
11402 choose its own most preferred cipher that is supported (offered) by the
11403 client. Setting "tls_preempt_cipherlist = yes" enables server cipher
11404 preferences.
11405
11406 While server cipher selection may in some cases lead to a more secure
11407 or performant cipher choice, there is some risk of interoperability
11408 issues. In the past, some SSL clients have listed lower priority
11409 ciphers that they did not implement correctly. If the server chooses a
11410 cipher that the client prefers less, it may select a cipher whose
11411 client implementation is flawed. Most notably Windows 2003 Microsoft
11412 Exchange servers have flawed implementations of DES-CBC3-SHA, which
11413 OpenSSL considers stronger than RC4-SHA. Enabling server cipher-suite
11414 selection may create interoperability issues with Windows 2003 Microsoft Exchange clients.
11416
11417 This feature is available in Postfix 2.8 and later, in combination with
11418 OpenSSL 0.9.7 and later.
11419
11421 The number of bytes that tlsmgr(8) reads from $tls_random_source when
11422 (re)seeding the in-memory pseudo random number generator (PRNG) pool.
11423 The default of 32 bytes (256 bits) is good enough for 128-bit symmetric
11424 keys. If using EGD or a device file, a maximum of 255 bytes is read.
11425
11426 This feature is available in Postfix 2.2 and later.
11427
11429 Name of the pseudo random number generator (PRNG) state file that is
11430 maintained by tlsmgr(8). The file is created when it does not exist,
11431 and its length is fixed at 1024 bytes.
11432
11433 As of version 2.5, Postfix no longer uses root privileges when opening
11434 this file, and the default file location was changed from ${config_directory}/prng_exch to ${data_directory}/prng_exch. As a migration aid, an attempt to open the file under a non-Postfix directory is
11437 redirected to the Postfix-owned data_directory, and a warning is
11438 logged.
11439
11440 This feature is available in Postfix 2.2 and later.
11441
11443 The time between attempts by tlsmgr(8) to save the state of the pseudo
11444 random number generator (PRNG) to the file specified with $tls_random_exchange_name.
11446
11447 This feature is available in Postfix 2.2 and later.
11448
11450 The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
11451 pseudo random number generator (PRNG) pool from external sources. The
11452 actual time between re-seeding attempts is calculated using the PRNG,
11453 and is between 0 and the time specified.
11454
11455 This feature is available in Postfix 2.2 and later.
11456
11458 The external entropy source for the in-memory tlsmgr(8) pseudo random
11459 number generator (PRNG) pool. Be sure to specify a non-blocking source.
11460 If this source is not a regular file, the entropy source type must be
11461 prepended: egd:/path/to/egd_socket for a source with EGD compatible
11462 socket interface, or dev:/path/to/device for a device file.
11463
11464 Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives
11465 timeout errors.
11466
11467 This feature is available in Postfix 2.2 and later.
11468
11470 3.0: aes-128-cbc)
11471 Algorithm used to encrypt RFC5077 TLS session tickets. This algorithm
11472 must use CBC mode, have a 128-bit block size, and must have a key
11473 length between 128 and 256 bits. The default is aes-256-cbc. Overriding the default to choose a different algorithm is discouraged.
11475
11476 Setting this parameter empty disables session ticket support in the
11477 Postfix SMTP server. Another way to disable session ticket support is
11478 via the tls_ssl_options parameter.
11479
11480 This feature is available in Postfix 3.0 and later.
11481
11483 List or bit-mask of OpenSSL options to enable.
11484
11485 The OpenSSL toolkit provides a set of options that applications can
11486 enable to tune the OpenSSL behavior. Some of these work around bugs in
11487 other implementations and are on by default. You can use the tls_disable_workarounds parameter to selectively disable some or all of the bug work-arounds, making OpenSSL more strict at the cost of non-interoperability with SSL clients or servers that exhibit the bugs.
11491
11492 Other options are off by default, and typically enable or disable features rather than bug work-arounds. These may be turned on (with care)
11494 via the tls_ssl_options parameter. The value is a white-space or comma
11495 separated list of named options chosen from the list below. The names are not case-sensitive; you can use lower-case if you prefer. The
11497 upper case values below match the corresponding macro name in the ssl.h
11498 header file with the SSL_OP_ prefix removed. It is possible that your
11499 OpenSSL version includes new options added after your Postfix source
11500 code was last updated, in that case you can only enable one of these
11501 via the hexadecimal syntax below.
11502
11503 You should only enable features via the hexadecimal mask when the need
11504 to control the feature is critical (to deal with a new vulnerability or
11505 a serious interoperability problem). Postfix DOES NOT promise backwards compatible behavior with respect to the mask bits. A feature
11507 enabled via the mask in one release may be enabled by other means in a
11508 later release, and the mask bit will then be ignored. Therefore, use
11509 of the hexadecimal mask is only a temporary measure until a new Postfix
11510 or OpenSSL release provides a better solution.
11511
11512 If the value of the parameter is a hexadecimal long integer starting
11513 with "0x", the options corresponding to the bits specified in its value
11514 are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). You can
11515 only enable options not already controlled by other Postfix settings.
11516 For example, you cannot disable protocols or enable server cipher preference. Do not attempt to turn on all features by specifying 0xFFFFFFFF; this is unlikely to be a good idea. Some bug work-arounds are also
11519 valid here, allowing them to be re-enabled if/when they're no longer
11520 enabled by default. The supported values include:
11521
11522 ENABLE_MIDDLEBOX_COMPAT
11523 Postfix >= 3.4. See SSL_CTX_set_options(3).
11524
11525 LEGACY_SERVER_CONNECT
11526 See SSL_CTX_set_options(3).
11527
11528 NO_TICKET
11529 Enabled by default when needed in fully-patched Postfix >= 2.7.
11530 Not needed at all for Postfix >= 2.11, unless for some reason
11531 you do not want to support TLS session resumption. Best not set
11532 explicitly. See SSL_CTX_set_options(3).
11533
11534 NO_COMPRESSION
11535 Disable SSL compression even if supported by the OpenSSL
11536 library. Compression is CPU-intensive, and compression before
11537 encryption does not always improve security.
11538
11539 NO_RENEGOTIATION
11540 Postfix >= 3.4. This can reduce opportunities for a potential
11541 CPU exhaustion attack. See SSL_CTX_set_options(3).
11542
11543 NO_SESSION_RESUMPTION_ON_RENEGOTIATION
11544 Postfix >= 3.4. See SSL_CTX_set_options(3).
11545
11546 PRIORITIZE_CHACHA
11547 Postfix >= 3.4. See SSL_CTX_set_options(3).
11548
11549 TLSEXT_PADDING
11550 Postfix >= 3.4. See SSL_CTX_set_options(3).
11551
11552 This feature is available in Postfix 2.11 and later.
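As an added illustration (not Postfix's own code), the following Python helper validates a tls_ssl_options value against the syntax described above: a white-space or comma separated, case-insensitive list of the named options, or a single hexadecimal mask starting with "0x". The function names, the rejection of a mask mixed with names, and the advisory messages are assumptions.

```python
import re

# Option names the tls_ssl_options description lists; compared case-insensitively.
TLS_SSL_OPTION_NAMES = frozenset({
    "ENABLE_MIDDLEBOX_COMPAT",
    "LEGACY_SERVER_CONNECT",
    "NO_TICKET",
    "NO_COMPRESSION",
    "NO_RENEGOTIATION",
    "NO_SESSION_RESUMPTION_ON_RENEGOTIATION",
    "PRIORITIZE_CHACHA",
    "TLSEXT_PADDING",
})

_SEPARATORS = re.compile(r"[\s,]+")          # white-space or comma separated list
_HEX_MASK = re.compile(r"^0[xX][0-9a-fA-F]+$")  # "0x" followed by hex digits


def parse_tls_ssl_options(value):
    """Parse a main.cf tls_ssl_options value (hypothetical helper, not Postfix code).

    Returns ("names", frozenset of upper-case option names) for the list form,
    or ("mask", int) for the "0x..." hexadecimal form. An empty value means
    no extra options. Raises ValueError on an unknown name, on a malformed
    mask, or when a mask is mixed with names (assumption: the description
    presents the two forms as alternatives, not as a combination).
    """
    tokens = [t for t in _SEPARATORS.split(value.strip()) if t]
    if not tokens:
        return ("names", frozenset())
    if any(t.lower().startswith("0x") for t in tokens):
        if len(tokens) != 1:
            raise ValueError("a hexadecimal mask cannot be combined with option names")
        if not _HEX_MASK.match(tokens[0]):
            raise ValueError("malformed hexadecimal mask: %r" % tokens[0])
        return ("mask", int(tokens[0], 16))
    names = set()
    for token in tokens:
        upper = token.upper()
        if upper not in TLS_SSL_OPTION_NAMES:
            # Not known to this parser: per the description, an option newer than
            # the Postfix source can only be enabled through the hexadecimal mask.
            raise ValueError("unknown tls_ssl_options name: %r" % token)
        names.add(upper)
    return ("names", frozenset(names))


def setting_advisories(parsed):
    """Return advisory strings for the forms the description discourages (assumed checks)."""
    kind, val = parsed
    notes = []
    if kind == "mask":
        notes.append("hexadecimal mask: a temporary measure, not covered by Postfix "
                     "backwards-compatibility promises")
        if val == 0xFFFFFFFF:
            notes.append("0xFFFFFFFF turns on every bit; the description advises against it")
    return notes


if __name__ == "__main__":
    for sample in ("no_ticket, No_Compression", "0x10", "0xFFFFFFFF", ""):
        parsed = parse_tls_ssl_options(sample)
        print("%-28r -> %r" % (sample, parsed))
        for note in setting_advisories(parsed):
            print("    note:", note)
```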
11553
11555 Match multiple DNS labels with "*" in wildcard certificates.
11556
11557 Some mail service providers prepend the customer domain name to a base
11558 domain for which they have a wildcard TLS certificate. For example,
11559 the MX records for example.com hosted by example.net may be:
11560
11561 example.com. IN MX 0 example.com.mx1.example.net.
11562 example.com. IN MX 0 example.com.mx2.example.net.
11563
11564 and the TLS certificate may be for "*.example.net". The "*" then corresponds with multiple labels in the mail server domain name. While
11566 multi-label wildcards are not widely supported, and are not blessed by
11567 any standard, there is little to be gained by disallowing their use in
11568 this context.
11569
11570 Notes:
11571
11572 · In a certificate name, the "*" is special only when it is used
11573 as the first label.
11574
11575 · While Postfix (2.11 or later) can match "*" with multiple domain
11576 name labels, other implementations likely will not.
11577
11578 · Earlier Postfix implementations behave as if "tls_wildcard_matches_multiple_labels = no".
11580
11581 This feature is available in Postfix 2.11 and later.
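As an added illustration (not Postfix's own code), the following Python matcher applies the rules above to the MX names from the example: "*" is special only as the first label, and the multiple_labels flag plays the role of tls_wildcard_matches_multiple_labels. The function names and the refusal of a bare "*" certificate name are assumptions.

```python
# Constructed sample: the MX hostnames from the description, served under
# a wildcard certificate for "*.example.net".
MX_HOSTS = [
    "example.com.mx1.example.net",
    "example.com.mx2.example.net",
]


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def cert_name_matches(cert_name, hostname, multiple_labels=True):
    """Return True when the certificate name matches the server hostname.

    Rules from the description (hypothetical helper, not Postfix code):
      * "*" is special only when it is the first label of cert_name;
        anywhere else it is compared literally.
      * With multiple_labels=True (tls_wildcard_matches_multiple_labels = yes)
        the "*" may stand for one or more labels.
      * With multiple_labels=False (the pre-2.11 behaviour) it stands for
        exactly one label.
    Assumption: a certificate name consisting of a bare "*" never matches.
    """
    cert = _labels(cert_name)
    host = _labels(hostname)
    if not cert or not host:
        return False
    if cert[0] != "*":
        return cert == host
    suffix = cert[1:]
    if not suffix:
        return False
    # The wildcard must cover at least one label before the fixed suffix,
    # and the suffix itself must match label for label.
    if len(host) <= len(suffix) or host[-len(suffix):] != suffix:
        return False
    covered = len(host) - len(suffix)
    return covered == 1 or multiple_labels


def check_mx_hosts(cert_name, hosts, multiple_labels=True):
    """Map each MX hostname to whether cert_name would match it."""
    return {h: cert_name_matches(cert_name, h, multiple_labels) for h in hosts}


if __name__ == "__main__":
    for setting in (True, False):
        print("tls_wildcard_matches_multiple_labels =", "yes" if setting else "no")
        for host, ok in check_mx_hosts("*.example.net", MX_HOSTS, setting).items():
            print("  %-30s %s" % (host, "match" if ok else "no match"))
```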
11582
11584 The name of the tlsmgr(8) service entry in master.cf. This service
11585 maintains TLS session caches and other information in support of TLS.
11586
11587 This feature is available in Postfix 2.11 and later.
11588
11590 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
11591 require that clients use TLS encryption. See smtpd_enforce_tls for further details.
11593
11594 This feature is available in Postfix 2.8 and later.
11595
11597 The name of the tlsproxy(8) service entry in master.cf. This service
11598 performs plaintext <=> TLS ciphertext conversion.
11599
11600 This feature is available in Postfix 2.8 and later.
11601
11603 A file containing (PEM format) CA certificates of root CAs trusted to
11604 sign either remote SMTP client certificates or intermediate CA certificates. See smtpd_tls_CAfile for further details.
11606
11607 This feature is available in Postfix 2.8 and later.
11608
11610 A directory containing (PEM format) CA certificates of root CAs trusted
11611 to sign either remote SMTP client certificates or intermediate CA certificates. See smtpd_tls_CApath for further details.
11613
11614 This feature is available in Postfix 2.8 and later.
11615
11617 sion_ids)
11618 Force the Postfix tlsproxy(8) server to issue a TLS session id, even
11619 when TLS session caching is turned off. See smtpd_tls_always_issue_session_ids for further details.
11621
11622 This feature is available in Postfix 2.8 and later.
11623
11625 Ask a remote SMTP client for a client certificate. See
11626 smtpd_tls_ask_ccert for further details.
11627
11628 This feature is available in Postfix 2.8 and later.
11629
11631 The verification depth for remote SMTP client certificates. A depth of
11632 1 is sufficient if the issuing CA is listed in a local CA file. See
11633 smtpd_tls_ccert_verifydepth for further details.
11634
11635 This feature is available in Postfix 2.8 and later.
11636
11638 File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
11639 This file may also contain the Postfix tlsproxy(8) server private RSA
11640 key. See smtpd_tls_cert_file for further details.
11641
11642 This feature is available in Postfix 2.8 and later.
11643
11645 The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
11646 use with opportunistic TLS encryption. See smtpd_tls_ciphers for further details.
11648
11649 This feature is available in Postfix 2.8 and later.
11650
11652 File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
11653 This file may also contain the Postfix tlsproxy(8) server private DSA
11654 key. See smtpd_tls_dcert_file for further details.
11655
11656 This feature is available in Postfix 2.8 and later.
11657
11659 File with DH parameters that the Postfix tlsproxy(8) server should use
11660 with non-export EDH ciphers. See smtpd_tls_dh1024_param_file for further details.
11662
11663 This feature is available in Postfix 2.8 and later.
11664
11666 File with DH parameters that the Postfix tlsproxy(8) server should use
11667 with export-grade EDH ciphers. See smtpd_tls_dh512_param_file for further details. The default SMTP server cipher grade is "medium" with
11669 Postfix releases after the middle of 2015, and as a result export-grade
11670 cipher suites are by default not used.
11671
11672 This feature is available in Postfix 2.8 and later.
11673
11675 File with the Postfix tlsproxy(8) server DSA private key in PEM format.
11676 This file may be combined with the Postfix tlsproxy(8) server DSA certificate file specified with $smtpd_tls_dcert_file. See
11678 smtpd_tls_dkey_file for further details.
11679
11680 This feature is available in Postfix 2.8 and later.
11681
11683 File with the Postfix tlsproxy(8) server ECDSA certificate in PEM format. This file may also contain the Postfix tlsproxy(8) server private
11685 ECDSA key. See smtpd_tls_eccert_file for further details.
11686
11687 This feature is available in Postfix 2.8 and later.
11688
11690 File with the Postfix tlsproxy(8) server ECDSA private key in PEM format. This file may be combined with the Postfix tlsproxy(8) server
11692 ECDSA certificate file specified with $smtpd_tls_eccert_file. See
11693 smtpd_tls_eckey_file for further details.
11694
11695 This feature is available in Postfix 2.8 and later.
11696
11698 The Postfix tlsproxy(8) server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. See
11700 smtpd_tls_eecdh_grade for further details.
11701
11702 This feature is available in Postfix 2.8 and later.
11703
11705 List of ciphers or cipher types to exclude from the tlsproxy(8) server
11706 cipher list at all TLS security levels. See smtpd_tls_exclude_ciphers
11707 for further details.
11708
11709 This feature is available in Postfix 2.8 and later.
11710
11712 The message digest algorithm to construct remote SMTP client-certificate fingerprints. See smtpd_tls_fingerprint_digest for further
11714 details.
11715
11716 This feature is available in Postfix 2.8 and later.
11717
11719 File with the Postfix tlsproxy(8) server RSA private key in PEM format.
11720 This file may be combined with the Postfix tlsproxy(8) server RSA certificate file specified with $smtpd_tls_cert_file. See
11722 smtpd_tls_key_file for further details.
11723
11724 This feature is available in Postfix 2.8 and later.
11725
11727 Enable additional Postfix tlsproxy(8) server logging of TLS activity.
11728 Each logging level also includes the information that is logged at a
11729 lower logging level. See smtpd_tls_loglevel for further details.
11730
11731 This feature is available in Postfix 2.8 and later.
11732
11734 The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
11735 use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for
11736 further details.
11737
11738 This feature is available in Postfix 2.8 and later.
11739
11741 tory_exclude_ciphers)
11742 Additional list of ciphers or cipher types to exclude from the
11743 tlsproxy(8) server cipher list at mandatory TLS security levels. See
11744 smtpd_tls_mandatory_exclude_ciphers for further details.
11745
11746 This feature is available in Postfix 2.8 and later.
11747
11749 The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with
11750 mandatory TLS encryption. If the list is empty, the server supports all
11751 available SSL/TLS protocol versions. See smtpd_tls_mandatory_protocols
11752 for further details.
11753
11754 This feature is available in Postfix 2.8 and later.
11755
11757 List of TLS protocols that the Postfix tlsproxy(8) server will exclude
11758 or include with opportunistic TLS encryption. See smtpd_tls_protocols
11759 for further details.
11760
11761 This feature is available in Postfix 2.8 and later.
11762
11764 With mandatory TLS encryption, require a trusted remote SMTP client
11765 certificate in order to allow TLS connections to proceed. See
11766 smtpd_tls_req_ccert for further details.
11767
11768 This feature is available in Postfix 2.8 and later.
11769
11771 The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
11772 non-empty value is specified, this overrides the obsolete parameters
11773 smtpd_use_tls and smtpd_enforce_tls. See smtpd_tls_security_level for
11774 further details.
11775
11776 This feature is available in Postfix 2.8 and later.
11777
11779
11780 Obsolete expiration time of Postfix tlsproxy(8) server TLS session
11781 cache information. Since the cache is shared with smtpd(8) and managed
11782 by tlsmgr(8), there is only one expiration time for the SMTP server
11783 cache shared by all three services, namely smtpd_tls_session_cache_timeout.
11785
11786 This feature is available in Postfix 2.8 and later.
11787
11789 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
11790 but do not require that clients use TLS encryption. See smtpd_use_tls
11791 for further details.
11792
11793 This feature is available in Postfix 2.8 and later.
11794
11796 How much time a tlsproxy(8) process may take to process local or remote
11797 I/O before it is terminated by a built-in watchdog timer. This is a
11798 safety mechanism that prevents tlsproxy(8) from becoming non-responsive
11799 due to a bug in Postfix itself or in system software. To avoid false
11800 alarms and unnecessary cache corruption this limit cannot be set under
11801 10s.
11802
11803 Specify a non-zero time value (an integral value plus an optional
11804 one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
11806
11807 This feature is available in Postfix 2.8.
11808
11810 The name of the trace service. This service is implemented by the
11811 bounce(8) daemon and maintains a record of mail deliveries and produces
11812 a mail delivery report when verbose delivery is requested with "sendmail -v".
11814
11815 This feature is available in Postfix 2.1 and later.
11816
11818 A transport-specific override for the default_delivery_slot_cost parameter value, where transport is the master.cf name of the message delivery transport.
11821
11822 Note: transport_delivery_slot_cost parameters will not show up in
11823 "postconf" command output before Postfix version 2.9. This limitation
11824 applies to many parameters whose name is a combination of a master.cf
11825 service name and a built-in suffix (in this case: "_delivery_slot_cost").
11827
11829 A transport-specific override for the default_delivery_slot_discount
11830 parameter value, where transport is the master.cf name of the message
11831 delivery transport.
11832
11833 Note: transport_delivery_slot_discount parameters will not show up in
11834 "postconf" command output before Postfix version 2.9. This limitation
11835 applies to many parameters whose name is a combination of a master.cf
11836 service name and a built-in suffix (in this case: "_delivery_slot_discount").
11838
11840 A transport-specific override for the default_delivery_slot_loan parameter value, where transport is the master.cf name of the message delivery transport.
11843
11844 Note: transport_delivery_slot_loan parameters will not show up in
11845 "postconf" command output before Postfix version 2.9. This limitation
11846 applies to many parameters whose name is a combination of a master.cf
11847 service name and a built-in suffix (in this case: "_delivery_slot_loan").
11849
11851 tination_concurrency_failed_cohort_limit)
11852 A transport-specific override for the default_destination_concurrency_failed_cohort_limit parameter value, where transport is the master.cf name of the message delivery transport.
11855
11856 Note: some transport_destination_concurrency_failed_cohort_limit parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a
11859 combination of a master.cf service name and a built-in suffix (in this
11860 case: "_destination_concurrency_failed_cohort_limit").
11861
11862 This feature is available in Postfix 2.5 and later.
11863
11865 rency_limit)
11866 A transport-specific override for the default_destination_concurrency_limit parameter value, where transport is the master.cf name of
11868 the message delivery transport.
11869
11870 Note: some transport_destination_concurrency_limit parameters will not
11871 show up in "postconf" command output before Postfix version 2.9. This
11872 limitation applies to many parameters whose name is a combination of a
11873 master.cf service name and a built-in suffix (in this case: "_destination_concurrency_limit").
11875
11877 nation_concurrency_negative_feedback)
11878 A transport-specific override for the default_destination_concurrency_negative_feedback parameter value, where transport is the master.cf name of the message delivery transport.
11881
11882 Note: some transport_destination_concurrency_negative_feedback parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a
11885 combination of a master.cf service name and a built-in suffix (in this
11886 case: "_destination_concurrency_negative_feedback").
11887
11888 This feature is available in Postfix 2.5 and later.
11889
11891 nation_concurrency_positive_feedback)
11892 A transport-specific override for the default_destination_concurrency_positive_feedback parameter value, where transport is the master.cf name of the message delivery transport.
11895
11896 Note: some transport_destination_concurrency_positive_feedback parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a
11899 combination of a master.cf service name and a built-in suffix (in this
11900 case: "_destination_concurrency_positive_feedback").
11901
11902 This feature is available in Postfix 2.5 and later.
11903
11905 A transport-specific override for the default_destination_rate_delay
11906 parameter value, where transport is the master.cf name of the message
11907 delivery transport.
11908
11909 Note: some transport_destination_rate_delay parameters will not show up
11910 in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_destination_rate_delay").
11914
11915 This feature is available in Postfix 2.5 and later.
11916
11918 ent_limit)
11919 A transport-specific override for the default_destination_recipient_limit parameter value, where transport is the master.cf name of the
11921 message delivery transport.
11922
11923 Note: some transport_destination_recipient_limit parameters will not
11924 show up in "postconf" command output before Postfix version 2.9. This
11925 limitation applies to many parameters whose name is a combination of a
11926 master.cf service name and a built-in suffix (in this case: "_destination_recipient_limit").
11928
11930 A transport-specific override for the default_extra_recipient_limit
11931 parameter value, where transport is the master.cf name of the message
11932 delivery transport.
11933
11934 Note: transport_extra_recipient_limit parameters will not show up in
11935 "postconf" command output before Postfix version 2.9. This limitation
11936 applies to many parameters whose name is a combination of a master.cf
11937 service name and a built-in suffix (in this case: "_extra_recipient_limit").
11939
11941 currency)
11942 A transport-specific override for the initial_destination_concurrency
11943 parameter value, where transport is the master.cf name of the message
11944 delivery transport.
11945
11946 Note: some transport_initial_destination_concurrency parameters will
11947 not show up in "postconf" command output before Postfix version 2.9.
11948 This limitation applies to many parameters whose name is a combination
11949 of a master.cf service name and a built-in suffix (in this case: "_initial_destination_concurrency").
11951
11952 This feature is available in Postfix 2.5 and later.
11953
11955 Optional lookup tables with mappings from recipient address to (message
11956 delivery transport, next-hop destination). See transport(5) for
11957 details.
11958
11959 Specify zero or more "type:table" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a
11961 match is found. If you use this feature with local files, run "postmap
11962 /etc/postfix/transport" after making a change.
11963
11964 Pattern matching of domain names is controlled by the presence or
11965 absence of "transport_maps" in the parent_domain_matches_subdomains
11966 parameter value.
11967
11968 For safety reasons, as of Postfix 2.3 this feature does not allow $number substitutions in regular expression maps.
11970
11971 Examples:
11972
11973 transport_maps = dbm:/etc/postfix/transport
11974 transport_maps = hash:/etc/postfix/transport
11975
transport_minimum_delivery_slots (default: $default_minimum_delivery_slots)
       A transport-specific override for the default_minimum_delivery_slots
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_minimum_delivery_slots parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_minimum_delivery_slots").

transport_recipient_limit (default: $default_recipient_limit)
       A transport-specific override for the default_recipient_limit parameter
       value, where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_recipient_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case: "_recipient_limit").

transport_recipient_refill_delay (default: $default_recipient_refill_delay)
       A transport-specific override for the default_recipient_refill_delay
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_recipient_refill_delay parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_recipient_refill_delay").

       This feature is available in Postfix 2.4 and later.

transport_recipient_refill_limit (default: $default_recipient_refill_limit)
       A transport-specific override for the default_recipient_refill_limit
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_recipient_refill_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_recipient_refill_limit").

       This feature is available in Postfix 2.4 and later.

transport_retry_time (default: 60s)
       The time between attempts by the Postfix queue manager to contact a
       malfunctioning message delivery transport.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

transport_time_limit (default: $command_time_limit)
       A transport-specific override for the command_time_limit parameter
       value, where transport is the master.cf name of the message delivery
       transport.

       Note: transport_time_limit parameters will not show up in "postconf"
       command output before Postfix version 2.9. This limitation applies to
       many parameters whose name is a combination of a master.cf service name
       and a built-in suffix (in this case: "_time_limit").

transport_transport_rate_delay (default: $default_transport_rate_delay)
       A transport-specific override for the default_transport_rate_delay
       parameter value, where the initial transport in the parameter name is
       the master.cf name of the message delivery transport.

trigger_timeout (default: 10s)
       The time limit for sending a trigger to a Postfix daemon (for example,
       the pickup(8) or qmgr(8) daemon). This time limit prevents programs
       from getting stuck when the mail system is under heavy load.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

undisclosed_recipients_header (default: see "postconf -d" output)
       Message header that the Postfix cleanup(8) server inserts when a
       message contains no To: or Cc: message header. With Postfix 2.8 and
       later, the default value is empty. With Postfix 2.4-2.7, specify an
       empty value to disable this feature.

       Example:

            # Default value before Postfix 2.8.
            # Note: the ":" and ";" are both required.
            undisclosed_recipients_header = To: undisclosed-recipients:;

unknown_address_reject_code (default: 450)
       The numerical response code when the Postfix SMTP server rejects a
       sender or recipient address because its domain is unknown. This is one
       of the possible replies from the restrictions
       reject_unknown_sender_domain and reject_unknown_recipient_domain.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_address_tempfail_action (default: $reject_tempfail_action)
       The Postfix SMTP server's action when reject_unknown_sender_domain or
       reject_unknown_recipient_domain fail due to a temporary error
       condition. Specify "defer" to defer the remote SMTP client request
       immediately. With the default "defer_if_permit" action, the Postfix
       SMTP server continues to look for opportunities to reject mail, and
       defers the client request only if it would otherwise be accepted.

       This feature is available in Postfix 2.6 and later.

unknown_client_reject_code (default: 450)
       The numerical Postfix SMTP server response code when a client without
       valid address <=> name mapping is rejected by the
       reject_unknown_client_hostname restriction. The SMTP server always
       replies with 450 when the mapping failed due to a temporary error
       condition.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_helo_hostname_tempfail_action (default: $reject_tempfail_action)
       The Postfix SMTP server's action when reject_unknown_helo_hostname
       fails due to a temporary error condition. Specify "defer" to defer the
       remote SMTP client request immediately. With the default
       "defer_if_permit" action, the Postfix SMTP server continues to look for
       opportunities to reject mail, and defers the client request only if it
       would otherwise be accepted.

       This feature is available in Postfix 2.6 and later.

unknown_hostname_reject_code (default: 450)
       The numerical Postfix SMTP server response code when the hostname
       specified with the HELO or EHLO command is rejected by the
       reject_unknown_helo_hostname restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_local_recipient_reject_code (default: 550)
       The numerical Postfix SMTP server response code when a recipient
       address is local, and $local_recipient_maps specifies a list of lookup
       tables that does not match the recipient. A recipient address is local
       when its domain matches $mydestination, $proxy_interfaces or
       $inet_interfaces.

       The default setting is 550 (reject mail) but it is safer to initially
       use 450 (try again later) so you have time to find out if your
       local_recipient_maps settings are OK.

       Example:

            unknown_local_recipient_reject_code = 450

       This feature is available in Postfix 2.0 and later.

unknown_relay_recipient_reject_code (default: 550)
       The numerical Postfix SMTP server reply code when a recipient address
       matches $relay_domains, and relay_recipient_maps specifies a list of
       lookup tables that does not match the recipient address.

       This feature is available in Postfix 2.0 and later.

unknown_virtual_alias_reject_code (default: 550)
       The Postfix SMTP server reply code when a recipient address matches
       $virtual_alias_domains, and $virtual_alias_maps specifies a list of
       lookup tables that does not match the recipient address.

       This feature is available in Postfix 2.0 and later.

unknown_virtual_mailbox_reject_code (default: 550)
       The Postfix SMTP server reply code when a recipient address matches
       $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
       lookup tables that does not match the recipient address.

       This feature is available in Postfix 2.0 and later.

unverified_recipient_defer_code (default: 450)
       The numerical Postfix SMTP server response when a recipient address
       probe fails due to a temporary error condition.

       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
       address anyway.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.6 and later.

unverified_recipient_reject_code (default: 450)
       The numerical Postfix SMTP server response when a recipient address is
       rejected by the reject_unverified_recipient restriction.

       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
       address anyway.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.1 and later.

unverified_recipient_reject_reason (default: empty)
       The Postfix SMTP server's reply when rejecting mail with
       reject_unverified_recipient. Do not include the numeric SMTP reply code
       or the enhanced status code. By default, the response includes actual
       address verification details.

       Example:

            unverified_recipient_reject_reason = Recipient address lookup failed

       This feature is available in Postfix 2.6 and later.

unverified_recipient_tempfail_action (default: $reject_tempfail_action)
       The Postfix SMTP server's action when reject_unverified_recipient fails
       due to a temporary error condition. Specify "defer" to defer the remote
       SMTP client request immediately. With the default "defer_if_permit"
       action, the Postfix SMTP server continues to look for opportunities to
       reject mail, and defers the client request only if it would otherwise
       be accepted.

       This feature is available in Postfix 2.6 and later.

unverified_sender_defer_code (default: 450)
       The numerical Postfix SMTP server response code when a sender address
       probe fails due to a temporary error condition.

       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
       address anyway.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.6 and later.

unverified_sender_reject_code (default: 450)
       The numerical Postfix SMTP server response code when a recipient
       address is rejected by the reject_unverified_sender restriction.

       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
       address anyway.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.1 and later.

unverified_sender_reject_reason (default: empty)
       The Postfix SMTP server's reply when rejecting mail with
       reject_unverified_sender. Do not include the numeric SMTP reply code or
       the enhanced status code. By default, the response includes actual
       address verification details.

       Example:

            unverified_sender_reject_reason = Sender address lookup failed

       This feature is available in Postfix 2.6 and later.

unverified_sender_tempfail_action (default: $reject_tempfail_action)
       The Postfix SMTP server's action when reject_unverified_sender fails
       due to a temporary error condition. Specify "defer" to defer the remote
       SMTP client request immediately. With the default "defer_if_permit"
       action, the Postfix SMTP server continues to look for opportunities to
       reject mail, and defers the client request only if it would otherwise
       be accepted.

       This feature is available in Postfix 2.6 and later.

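       The difference between "defer" and "defer_if_permit" that the
       *_tempfail_action entries above describe is easiest to see on a
       restriction list. The following is an added example, not Postfix
       code: the Restriction class, the outcome labels and the fixed reply
       codes 250/450/550 are this model's own simplifications (Postfix takes
       the codes from the *_code parameters).

```python
"""Added example (not Postfix code): how a *_tempfail_action setting of
"defer" versus "defer_if_permit" changes the outcome of an SMTP server
restriction list when one restriction hits a temporary error."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Possible outcomes of evaluating a single restriction (constructed labels).
PERMIT, REJECT, DUNNO, TEMPFAIL = "permit", "reject", "dunno", "tempfail"


@dataclass
class Restriction:
    name: str            # e.g. "reject_unverified_sender"
    outcome: str         # one of PERMIT, REJECT, DUNNO, TEMPFAIL
    reason: str = ""     # reply text, e.g. an unverified_sender_reject_reason


def evaluate(restrictions: List[Restriction],
             tempfail_action: str) -> Tuple[int, str]:
    """Return (reply code, reply text) for a restriction list.

    Reply codes are fixed at 250 (accept), 450 (defer) and 550 (reject)
    in this model; in Postfix they come from the *_code parameters.
    """
    if tempfail_action not in ("defer", "defer_if_permit"):
        raise ValueError("tempfail_action must be 'defer' or 'defer_if_permit'")
    pending: Optional[str] = None      # remembered temporary failure
    for r in restrictions:
        text = r.reason or r.name
        if r.outcome == TEMPFAIL:
            if tempfail_action == "defer":
                return 450, text       # defer the client request immediately
            if pending is None:        # defer_if_permit: keep looking for a reject
                pending = text
        elif r.outcome == REJECT:
            return 550, text           # a later reject still wins
        elif r.outcome == PERMIT:
            break                      # would be accepted: stop evaluating
        # DUNNO: no decision, try the next restriction
    if pending is not None:
        return 450, pending            # would otherwise be accepted: defer
    return 250, "OK"


if __name__ == "__main__":
    # Constructed sample: the sender probe tempfails, a later restriction rejects.
    chain = [Restriction("reject_unverified_sender", TEMPFAIL,
                         "Sender address lookup failed"),
             Restriction("reject_unknown_sender_domain", REJECT,
                         "Sender address rejected: Domain not found"),
             Restriction("permit", PERMIT)]
    print("defer          ->", evaluate(chain, "defer"))
    print("defer_if_permit ->", evaluate(chain, "defer_if_permit"))
```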
verp_delimiter_filter (default: -=+)
       The characters Postfix accepts as VERP delimiter characters on the
       Postfix sendmail(1) command line and in SMTP commands.

       This feature is available in Postfix 1.1 and later.

virtual_alias_address_length_limit (default: 1000)
       The maximal length of an email address after virtual alias expansion.
       This stops virtual aliasing loops that increase the address length
       exponentially.

       This feature is available in Postfix 3.0 and later.

virtual_alias_domains (default: $virtual_alias_maps)
       Postfix is final destination for the specified list of virtual alias
       domains, that is, domains for which all addresses are aliased to
       addresses in other local or remote domains. The SMTP server validates
       recipient addresses with $virtual_alias_maps and rejects non-existent
       recipients. See also the virtual alias domain class in the
       ADDRESS_CLASS_README file.

       This feature is available in Postfix 2.0 and later. The default value
       is backwards compatible with Postfix version 1.1.

       The default value is $virtual_alias_maps so that you can keep all
       information about virtual alias domains in one place. If you have many
       users, it is better to separate information that changes more
       frequently (virtual address -> local or remote address mapping) from
       information that changes less frequently (the list of virtual domain
       names).

       Specify a list of host or domain names, "/file/name" or "type:table"
       patterns, separated by commas and/or whitespace. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a table entry matches a lookup string (the lookup result is
       ignored). Continue long lines by starting the next line with
       whitespace. Specify "!pattern" to exclude a host or domain name from
       the list. The form "!/file/name" is supported only in Postfix version
       2.4 and later.

       See also the VIRTUAL_README and ADDRESS_CLASS_README documents for
       further information.

       Example:

            virtual_alias_domains = virtual1.tld virtual2.tld

virtual_alias_expansion_limit (default: 1000)
       The maximal number of addresses that virtual alias expansion produces
       from each original recipient.

       This feature is available in Postfix 2.1 and later.

virtual_alias_maps (default: $virtual_maps)
       Optional lookup tables that alias specific mail addresses or domains to
       other local or remote addresses. The table format and lookups are
       documented in virtual(5). For an overview of Postfix address
       manipulations see the ADDRESS_REWRITING_README document.

       This feature is available in Postfix 2.0 and later. The default value
       is backwards compatible with Postfix version 1.1.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found. Note: these lookups are recursive.

       If you use this feature with indexed files, run "postmap
       /etc/postfix/virtual" after changing the file.

       Examples:

            virtual_alias_maps = dbm:/etc/postfix/virtual
            virtual_alias_maps = hash:/etc/postfix/virtual

virtual_alias_recursion_limit (default: 1000)
       The maximal nesting depth of virtual alias expansion. Currently the
       recursion limit is applied only to the left branch of the expansion
       graph, so the depth of the tree can in the worst case reach the sum of
       the expansion and recursion limits. This may change in the future.

       This feature is available in Postfix 2.1 and later.

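       The three limits above (virtual_alias_expansion_limit,
       virtual_alias_recursion_limit and virtual_alias_address_length_limit)
       are what keep a recursive alias table from looping forever. The
       following is an added example, not Postfix code: it represents the
       alias table as a Python dict, the names expand_recipient and explain
       are its own, and unlike the left-branch-only behaviour documented
       above it counts nesting depth on every branch.

```python
"""Added example (not Postfix code): virtual alias expansion with the
limits virtual_alias_expansion_limit, virtual_alias_recursion_limit and
virtual_alias_address_length_limit applied. The alias table is a plain
dict here; real virtual_alias_maps are type:table lookups."""

from typing import Dict, List, Tuple


class AliasExpansionError(Exception):
    """A limit was exceeded; Postfix would not deliver to such a recipient."""


def expand_recipient(addr: str, aliases: Dict[str, List[str]],
                     expansion_limit: int = 1000,
                     recursion_limit: int = 1000,
                     address_length_limit: int = 1000) -> List[str]:
    """Return the final addresses that addr expands to.

    Each alias entry may fan out to several addresses (counted against
    expansion_limit); results are expanded again (depth counted against
    recursion_limit, on every branch in this model); an address longer
    than address_length_limit aborts the expansion.
    """
    produced = 0                    # addresses generated from the original recipient
    final: List[str] = []
    # Explicit stack of (address, depth): a loop must not exhaust Python's own stack.
    stack: List[Tuple[str, int]] = [(addr, 0)]
    while stack:
        current, depth = stack.pop()
        if len(current) > address_length_limit:
            raise AliasExpansionError(
                f"address length {len(current)} exceeds {address_length_limit}")
        if depth > recursion_limit:
            raise AliasExpansionError(
                f"alias nesting deeper than {recursion_limit} at {current}")
        targets = aliases.get(current)
        if targets is None:         # not an alias: deliver to it as-is
            final.append(current)
            continue
        produced += len(targets)
        if produced > expansion_limit:
            raise AliasExpansionError(
                f"more than {expansion_limit} addresses produced from {addr}")
        # Push in reverse so output order matches the table's left-to-right order.
        stack.extend((t, depth + 1) for t in reversed(targets))
    return final


def explain(addr: str, aliases: Dict[str, List[str]], **limits) -> str:
    """One-line summary: the delivery list, or why expansion was refused."""
    try:
        return "deliver to: " + ", ".join(expand_recipient(addr, aliases, **limits))
    except AliasExpansionError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    # Constructed sample table: one fan-out, one nested alias, one loop.
    table = {"sales@example.com": ["alice@example.com", "bob@example.com"],
             "bob@example.com": ["bob@mail.example.com"],
             "loop@example.com": ["loop2@example.com"],
             "loop2@example.com": ["loop@example.com"]}
    for rcpt in ("sales@example.com", "loop@example.com"):
        print(rcpt, "->", explain(rcpt, table))
```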
virtual_delivery_status_filter (default: $default_delivery_status_filter)
       Optional filter for the virtual(8) delivery agent to change the
       delivery status code or explanatory text of successful or unsuccessful
       deliveries. See default_delivery_status_filter for details.

       This feature is available in Postfix 3.0 and later.

virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)
       The maximal number of parallel deliveries to the same destination via
       the virtual message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the first field
       in the entry in the master.cf file.

virtual_destination_recipient_limit (default: $default_destination_recipient_limit)
       The maximal number of recipients per message for the virtual message
       delivery transport. This limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in the
       master.cf file.

       Setting this parameter to a value of 1 changes the meaning of
       virtual_destination_concurrency_limit from concurrency per domain into
       concurrency per recipient.

virtual_gid_maps (default: empty)
       Lookup tables with the per-recipient group ID for virtual(8) mailbox
       delivery.

       This parameter is specific to the virtual(8) delivery agent. It does
       not apply when mail is delivered with a different mail delivery
       program.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       In a lookup table, specify a left-hand side of "@domain.tld" to match
       any user in the specified domain that does not have a specific
       "user@domain.tld" entry.

       When a recipient address has an optional address extension
       (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
       address first, and when the lookup fails, it looks up the unextended
       address (user@domain.tld).

       Note 1: for security reasons, the virtual(8) delivery agent disallows
       regular expression substitution of $1 etc. in regular expression lookup
       tables, because that would open a security hole.

       Note 2: for security reasons, the virtual(8) delivery agent will
       silently ignore requests to use the proxymap(8) server. Instead it will
       open the table directly. Before Postfix version 2.2, the virtual(8)
       delivery agent will terminate with a fatal error.

virtual_mailbox_base (default: empty)
       A prefix that the virtual(8) delivery agent prepends to all pathname
       results from $virtual_mailbox_maps table lookups. This is a safety
       measure to ensure that an out of control map doesn't litter the file
       system with mailboxes. While virtual_mailbox_base could be set to "/",
       this setting isn't recommended.

       This parameter is specific to the virtual(8) delivery agent. It does
       not apply when mail is delivered with a different mail delivery
       program.

       Example:

            virtual_mailbox_base = /var/mail

virtual_mailbox_domains (default: $virtual_mailbox_maps)
       Postfix is final destination for the specified list of domains; mail is
       delivered via the $virtual_transport mail delivery transport. By
       default this is the Postfix virtual(8) delivery agent. The SMTP server
       validates recipient addresses with $virtual_mailbox_maps and rejects
       mail for non-existent recipients. See also the virtual mailbox domain
       class in the ADDRESS_CLASS_README file.

       This parameter expects the same syntax as the mydestination
       configuration parameter.

       This feature is available in Postfix 2.0 and later. The default value
       is backwards compatible with Postfix version 1.1.

virtual_mailbox_limit (default: 51200000)
       The maximal size in bytes of an individual virtual(8) mailbox or
       maildir file, or zero (no limit).

       This parameter is specific to the virtual(8) delivery agent. It does
       not apply when mail is delivered with a different mail delivery
       program.

virtual_mailbox_lock (default: see "postconf -d" output)
       How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
       For a list of available file locking methods, use the "postconf -l"
       command.

       This parameter is specific to the virtual(8) delivery agent. It does
       not apply when mail is delivered with a different mail delivery
       program.

       This setting is ignored with maildir style delivery, because such
       deliveries are safe without application-level locks.

       Note 1: the dotlock method requires that the recipient UID or GID has
       write access to the parent directory of the recipient's mailbox file.

       Note 2: the default setting of this parameter is system dependent.

virtual_mailbox_maps (default: empty)
       Optional lookup tables with all valid addresses in the domains that
       match $virtual_mailbox_domains.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       In a lookup table, specify a left-hand side of "@domain.tld" to match
       any user in the specified domain that does not have a specific
       "user@domain.tld" entry.

       The remainder of this text is specific to the virtual(8) delivery
       agent. It does not apply when mail is delivered with a different mail
       delivery program.

       The virtual(8) delivery agent uses this table to look up the
       per-recipient mailbox or maildir pathname. If the lookup result ends in
       a slash ("/"), maildir-style delivery is carried out, otherwise the
       path is assumed to specify a UNIX-style mailbox file. Note that
       $virtual_mailbox_base is unconditionally prepended to this path.

       When a recipient address has an optional address extension
       (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
       address first, and when the lookup fails, it looks up the unextended
       address (user@domain.tld).

       Note 1: for security reasons, the virtual(8) delivery agent disallows
       regular expression substitution of $1 etc. in regular expression lookup
       tables, because that would open a security hole.

       Note 2: for security reasons, the virtual(8) delivery agent will
       silently ignore requests to use the proxymap(8) server. Instead it will
       open the table directly. Before Postfix version 2.2, the virtual(8)
       delivery agent will terminate with a fatal error.

virtual_maps (default: empty)
       Optional lookup tables with a) names of domains for which all addresses
       are aliased to addresses in other local or remote domains, and b)
       addresses that are aliased to addresses in other local or remote
       domains. Available before Postfix version 2.0. With Postfix version
       2.0 and later, this is replaced by separate controls:
       virtual_alias_domains and virtual_alias_maps.

virtual_minimum_uid (default: 100)
       The minimum user ID value that the virtual(8) delivery agent accepts as
       a result from $virtual_uid_maps table lookup. Returned values less
       than this will be rejected, and the message will be deferred.

       This parameter is specific to the virtual(8) delivery agent. It does
       not apply when mail is delivered with a different mail delivery
       program.

virtual_transport (default: virtual)
       The default mail delivery transport and next-hop destination for final
       delivery to domains listed with $virtual_mailbox_domains. This
       information can be overruled with the transport(5) table.

       Specify a string of the form transport:nexthop, where transport is the
       name of a mail delivery transport defined in master.cf. The :nexthop
       destination is optional; its syntax is documented in the manual page of
       the corresponding delivery agent.

       This feature is available in Postfix 2.0 and later.

virtual_uid_maps (default: empty)
       Lookup tables with the per-recipient user ID that the virtual(8)
       delivery agent uses while writing to the recipient's mailbox.

       This parameter is specific to the virtual(8) delivery agent. It does
       not apply when mail is delivered with a different mail delivery
       program.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       In a lookup table, specify a left-hand side of "@domain.tld" to match
       any user in the specified domain that does not have a specific
       "user@domain.tld" entry.

       When a recipient address has an optional address extension
       (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
       address first, and when the lookup fails, it looks up the unextended
       address (user@domain.tld).

       Note 1: for security reasons, the virtual(8) delivery agent disallows
       regular expression substitution of $1 etc. in regular expression lookup
       tables, because that would open a security hole.

       Note 2: for security reasons, the virtual(8) delivery agent will
       silently ignore requests to use the proxymap(8) server. Instead it will
       open the table directly. Before Postfix version 2.2, the virtual(8)
       delivery agent will terminate with a fatal error.

SEE ALSO
       postconf(1), Postfix configuration parameter maintenance
       master(5), Postfix daemon configuration maintenance

LICENSE
       The Secure Mailer license must be distributed with this software.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

       Viktor Dukhovni

                                                                    POSTCONF(5)