POSTCONF(5)                   File Formats Manual                  POSTCONF(5)

NAME
       postconf - Postfix configuration parameters

SYNOPSIS
       postconf parameter ...

       postconf -e "parameter=value" ...

DESCRIPTION
       The Postfix main.cf configuration file specifies parameters that
       control the operation of the Postfix mail system. Typically the file
       contains only a small subset of all parameters; parameters not
       specified are left at their default values.

       The general format of the main.cf file is as follows:

       · Each logical line has the form "parameter = value". Whitespace
         around the "=" is ignored, as is whitespace at the end of a logical
         line.

       · Empty lines and whitespace-only lines are ignored, as are lines
         whose first non-whitespace character is a `#'.

       · A logical line starts with non-whitespace text. A line that starts
         with whitespace continues a logical line.

       · A parameter value may refer to other parameters.

         · The expressions "$name" and "${name}" are recursively replaced
           with the value of the named parameter. The parameter name must
           contain only characters from the set [a-zA-Z0-9_]. An undefined
           parameter value is replaced with the empty value.

         · The expressions "${name?value}" and "${name?{value}}" are
           replaced with "value" when "$name" is non-empty. The parameter
           name must contain only characters from the set [a-zA-Z0-9_].
           These forms are supported with Postfix versions >= 2.2 and
           >= 3.0, respectively.

         · The expressions "${name:value}" and "${name:{value}}" are
           replaced with "value" when "$name" is empty. The parameter name
           must contain only characters from the set [a-zA-Z0-9_]. These
           forms are supported with Postfix versions >= 2.2 and >= 3.0,
           respectively.

         · The expression "${name?{value1}:{value2}}" is replaced with
           "value1" when "$name" is non-empty, and with "value2" when
           "$name" is empty. The "{}" is required for "value1", optional
           for "value2". The parameter name must contain only characters
           from the set [a-zA-Z0-9_]. This form is supported with Postfix
           versions >= 3.0.

         · The first item inside "${...}" may be a relational expression
           of the form: "{value3} == {value4}". Besides the "==" (equality)
           operator Postfix supports "!=" (inequality), "<", "<=", ">=",
           and ">". The comparison is numerical when both operands are all
           digits, otherwise the comparison is lexicographical. These forms
           are supported with Postfix versions >= 3.0.

         · Each "value" is subject to recursive named parameter and
           relational expression evaluation, except where noted.

         · Whitespace before or after each "{value}" is ignored.

         · Specify "$$" to produce a single "$" character.

         · The legacy form "$(...)" is equivalent to the preferred form
           "${...}".

       · When the same parameter is defined multiple times, only the last
         instance is remembered.

       · Otherwise, the order of main.cf parameter definitions does not
         matter.

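       The rules above can be checked against a small reference
       implementation. The following Python script is an added example, not
       code from the Postfix project: it applies the logical-line rules
       (comment lines, continuation lines, last definition wins) and
       implements the "$name", "${name}", "${name?...}", "${name:...}",
       "${name?{...}:{...}}", relational, "$$" and legacy "$(...)" forms
       described above. The sample main.cf text is constructed for the
       demonstration, the function names (parse_main_cf, expand, evaluate,
       read_balanced, take_value) are this example's own, and two details
       the rules leave open are assumptions of this example: continuation
       lines are joined with a newline, and "${name:value}" yields the empty
       value when "$name" is non-empty.

```python
import re

NAME_RE = re.compile(r"[a-zA-Z0-9_]+")
OPERATORS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "<=": lambda a, b: a <= b,
             ">=": lambda a, b: a >= b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}

SAMPLE_MAIN_CF = """\
# constructed sample main.cf; values are illustrative, not Postfix defaults
mydomain = example.test
myorigin = $mydomain
data_directory = /var/lib/postfix
address_verify_map = btree:$data_directory/verify_cache
address_verify_poll_count = ${stress?{1}:{3}}
relay_note = ${relay_domains:{no relay domains}}
    (continued)
mydomain = example.org
"""

def parse_main_cf(text):
    # Logical lines: blank and "#" lines dropped, leading whitespace continues the previous line
    # (joined with "\n" here, an assumption of this example), last definition of a name wins.
    params, lines = {}, []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            if raw[0].isspace() and lines:
                lines[-1] += "\n" + raw.strip()
            else:
                lines.append(raw.rstrip())
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def read_balanced(s, i, open_ch, close_ch):
    # s[i:] follows an open_ch; return (inner text, index just past the matching close).
    depth, start = 1, i
    while i < len(s):
        depth += (s[i] == open_ch) - (s[i] == close_ch)
        if depth == 0:
            return s[start:i], i + 1
        i += 1
    raise ValueError("unbalanced %r in %r" % (open_ch, s))

def take_value(rest):
    # One conditional value: "{text}" (whitespace around the braces ignored) or bare text.
    rest = rest.lstrip()
    if rest.startswith("{"):
        text, j = read_balanced(rest, 1, "{", "}")
        return text, rest[j:].lstrip()
    return rest, ""

def evaluate(body, params, depth):
    # Inside "${...}": a parameter name or a "{a} OP {b}" test, then optional ?/: branches.
    if body.lstrip().startswith("{"):
        left, rest = take_value(body)
        op = next((o for o in OPERATORS if rest.startswith(o)), None)
        if op is None:
            raise ValueError("missing relational operator in ${%s}" % body)
        right, rest = take_value(rest[len(op):])
        left, right = expand(left, params, depth).strip(), expand(right, params, depth).strip()
        if left.isdigit() and right.isdigit():  # numeric when both operands are all digits,
            left, right = int(left), int(right)  # otherwise lexicographic
        condition = OPERATORS[op](left, right)
    else:
        m = NAME_RE.match(body)
        if not m:
            raise ValueError("bad parameter name in ${%s}" % body)
        current = expand(params.get(m.group(0), ""), params, depth)
        rest = body[m.end():]
        if not rest:
            return current  # plain "${name}"
        condition = current != ""
    if rest.startswith("?"):  # ${...?{value1}:{value2}}; value2 is optional
        if_true, rest = take_value(rest[1:])
        if_false = take_value(rest[1:])[0] if rest.startswith(":") else ""
    elif rest.startswith(":"):  # ${...:value} yields value only when the test is false
        if_true, if_false = "", take_value(rest[1:])[0]
    else:
        raise ValueError("unexpected text %r in ${%s}" % (rest, body))
    return expand(if_true if condition else if_false, params, depth)

def expand(value, params, depth=0):
    # Replace $name, ${...}, legacy $(...) and $$ in value, recursively.
    if depth > 20:
        raise RecursionError("parameter expansion nested too deeply (self-reference?)")
    out, i = [], 0
    while i < len(value):
        nxt = value[i + 1:i + 2]
        if value[i] != "$":
            out.append(value[i]); i += 1
        elif nxt == "$":  # "$$" produces a single "$"
            out.append("$"); i += 2
        elif nxt in ("{", "("):  # "${...}" or the equivalent legacy "$(...)"
            body, i = read_balanced(value, i + 2, nxt, "}" if nxt == "{" else ")")
            out.append(evaluate(body, params, depth + 1))
        elif (m := NAME_RE.match(value, i + 1)):  # bare "$name"
            out.append(expand(params.get(m.group(0), ""), params, depth + 1)); i = m.end()
        else:  # a lone "$" is kept as is
            out.append("$"); i += 1
    return "".join(out)
```

       Call expand(params[name], params) to see a value the way a daemon
       would use it; undefined parameters expand to the empty value, and a
       value that refers to itself is reported as an error instead of being
       expanded without end.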
       The remainder of this document is a description of all Postfix
       configuration parameters. Default values are shown after the parameter
       name in parentheses, and can be looked up with the "postconf -d"
       command.

       Note: this is not an invitation to make changes to Postfix
       configuration parameters. Unnecessary changes can impair the operation
       of the mail system.

       2bounce_notice_recipient (default: postmaster)
              The recipient of undeliverable mail that cannot be returned to
              the sender. This feature is enabled with the notify_classes
              parameter.

       access_map_defer_code (default: 450)
              The numerical Postfix SMTP server response code for an
              access(5) map "defer" action, including "defer_if_permit" or
              "defer_if_reject". Prior to Postfix 2.6, the response is
              hard-coded as "450".

              Do not change this unless you have a complete understanding of
              RFC 5321.

              This feature is available in Postfix 2.6 and later.

       access_map_reject_code (default: 554)
              The numerical Postfix SMTP server response code for an
              access(5) map "reject" action.

              Do not change this unless you have a complete understanding of
              RFC 5321.

       address_verify_cache_cleanup_interval (default: 12h)
              The amount of time between verify(8) address verification
              database cleanup runs. This feature requires that the database
              supports the "delete" and "sequence" operators. Specify a zero
              interval to disable database cleanup.

              After each database cleanup run, the verify(8) daemon logs the
              number of entries that were retained and dropped. A cleanup run
              is logged as "partial" when the daemon terminates early after
              "postfix reload", "postfix stop", or no requests for $max_idle
              seconds.

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks).

              This feature is available in Postfix 2.7.

       address_verify_default_transport (default: $default_transport)
              Overrides the default_transport parameter setting for address
              verification probes.

              This feature is available in Postfix 2.1 and later.

       address_verify_local_transport (default: $local_transport)
              Overrides the local_transport parameter setting for address
              verification probes.

              This feature is available in Postfix 2.1 and later.

       address_verify_map (default: btree:$data_directory/verify_cache)
              Lookup table for persistent address verification status
              storage. The table is maintained by the verify(8) service, and
              is opened before the process releases privileges.

              The lookup table is persistent by default (Postfix 2.7 and
              later). Specify an empty table name to keep the information in
              volatile memory which is lost after "postfix reload" or
              "postfix stop". This is the default with Postfix version 2.6
              and earlier.

              Specify a location in a file system that will not fill up. If
              the database becomes corrupted, the world comes to an end. To
              recover, delete (NOT: truncate) the file and do "postfix
              reload".

              Postfix daemon processes do not use root privileges when
              opening this file (Postfix 2.5 and later). The file must
              therefore be stored under a Postfix-owned directory such as the
              data_directory. As a migration aid, an attempt to open the file
              under a non-Postfix directory is redirected to the
              Postfix-owned data_directory, and a warning is logged.

              Examples:

              address_verify_map = hash:/var/lib/postfix/verify
              address_verify_map = btree:/var/lib/postfix/verify

              This feature is available in Postfix 2.1 and later.

       address_verify_negative_cache (default: yes)
              Enable caching of failed address verification probe results.
              When this feature is enabled, the cache may pollute quickly
              with garbage. When this feature is disabled, Postfix will
              generate an address probe for every lookup.

              This feature is available in Postfix 2.1 and later.

       address_verify_negative_expire_time (default: 3d)
              The time after which a failed probe expires from the address
              verification cache.

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks).

              This feature is available in Postfix 2.1 and later.

       address_verify_negative_refresh_time (default: 3h)
              The time after which a failed address verification probe needs
              to be refreshed.

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks).

              This feature is available in Postfix 2.1 and later.

       address_verify_pending_request_limit (default: see "postconf -d" output)
              A safety limit that prevents address verification requests from
              overwhelming the Postfix queue. By default, the number of
              pending requests is limited to 1/4 of the active queue maximum
              size (qmgr_message_active_limit). The queue manager enforces
              the limit by tempfailing requests that exceed the limit. This
              affects only unknown addresses and inactive addresses that have
              expired, because the verify(8) daemon automatically refreshes
              an active address before it expires.

              This feature is available in Postfix 3.1 and later.

       address_verify_poll_count (default: ${stress?{1}:{3}})
              How many times to query the verify(8) service for the
              completion of an address verification request in progress.

              By default, the Postfix SMTP server polls the verify(8) service
              up to three times under non-overload conditions, and only once
              when under overload. With Postfix version 2.5 and earlier, the
              SMTP server always polls the verify(8) service up to three
              times by default.

              Specify 1 to implement a crude form of greylisting, that is,
              always defer the first delivery request for a new address.

              Examples:

              # Postfix <= 2.6 default
              address_verify_poll_count = 3
              # Poor man's greylisting
              address_verify_poll_count = 1

              This feature is available in Postfix 2.1 and later.

       address_verify_poll_delay (default: 3s)
              The delay between queries for the completion of an address
              verification request in progress.

              The default polling delay is 3 seconds.

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks).

              This feature is available in Postfix 2.1 and later.

       address_verify_positive_expire_time (default: 31d)
              The time after which a successful probe expires from the
              address verification cache.

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks).

              This feature is available in Postfix 2.1 and later.

       address_verify_positive_refresh_time (default: 7d)
              The time after which a successful address verification probe
              needs to be refreshed. The address verification status is not
              updated when the probe fails (optimistic caching).

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks).

              This feature is available in Postfix 2.1 and later.

       address_verify_relay_transport (default: $relay_transport)
              Overrides the relay_transport parameter setting for address
              verification probes.

              This feature is available in Postfix 2.1 and later.

       address_verify_relayhost (default: $relayhost)
              Overrides the relayhost parameter setting for address
              verification probes. This information can be overruled with
              the transport(5) table.

              This feature is available in Postfix 2.1 and later.

       address_verify_sender (default: $double_bounce_sender)
              The sender address to use in address verification probes; prior
              to Postfix 2.5 the default was "postmaster". To avoid problems
              with address probes that are sent in response to address
              probes, the Postfix SMTP server excludes the probe sender
              address from all SMTPD access blocks.

              Specify an empty value (address_verify_sender =) or <> if you
              want to use the null sender address. Beware, some sites reject
              mail from <>, even though RFCs require that such addresses be
              accepted.

              Examples:

              address_verify_sender = <>
              address_verify_sender = postmaster@my.domain

              This feature is available in Postfix 2.1 and later.

       address_verify_sender_dependent_default_transport_maps (default:
       $sender_dependent_default_transport_maps)
              Overrides the sender_dependent_default_transport_maps parameter
              setting for address verification probes.

              This feature is available in Postfix 2.7 and later.

       address_verify_sender_dependent_relayhost_maps (default:
       $sender_dependent_relayhost_maps)
              Overrides the sender_dependent_relayhost_maps parameter setting
              for address verification probes.

              This feature is available in Postfix 2.3 and later.

       address_verify_sender_ttl (default: 0s)
              The time between changes in the time-dependent portion of
              address verification probe sender addresses. The time-dependent
              portion is appended to the localpart of the address specified
              with the address_verify_sender parameter. This feature is
              ignored when the probe sender address is the null sender, i.e.
              the address_verify_sender value is empty or <>.

              Historically, the probe sender address was fixed. This has
              caused such addresses to end up on spammer mailing lists, and
              has resulted in wasted network and processing resources.

              To enable time-dependent probe sender addresses, specify a
              non-zero time value (an integral value plus an optional
              one-letter suffix that specifies the time unit). Specify a
              value of at least several hours, to avoid problems with senders
              that use greylisting. Avoid nice TTL values, to make the result
              less predictable. Time units are: s (seconds), m (minutes), h
              (hours), d (days), w (weeks).

              This feature is available in Postfix 2.9 and later.

       address_verify_service_name (default: verify)
              The name of the verify(8) address verification service. This
              service maintains the status of sender and/or recipient address
              verification probes, and generates probes on request by other
              Postfix processes.

       address_verify_transport_maps (default: $transport_maps)
              Overrides the transport_maps parameter setting for address
              verification probes.

              This feature is available in Postfix 2.1 and later.

       address_verify_virtual_transport (default: $virtual_transport)
              Overrides the virtual_transport parameter setting for address
              verification probes.

              This feature is available in Postfix 2.1 and later.

       alias_database (default: see "postconf -d" output)
              The alias databases for local(8) delivery that are updated with
              "newaliases" or with "sendmail -bi".

              This is a separate configuration parameter because not all the
              tables specified with $alias_maps have to be local files.

              Examples:

              alias_database = hash:/etc/aliases
              alias_database = hash:/etc/mail/aliases

       alias_maps (default: see "postconf -d" output)
              The alias databases that are used for local(8) delivery. See
              aliases(5) for syntax details. Specify zero or more "type:name"
              lookup tables, separated by whitespace or comma. Tables will be
              searched in the specified order until a match is found. Note:
              these lookups are recursive.

              The default list is system dependent. On systems with NIS, the
              default is to search the local alias database, then the NIS
              alias database.

              If you change the alias database, run "postalias /etc/aliases"
              (or wherever your system stores the mail alias file), or simply
              run "newaliases" to build the necessary DBM or DB file.

              The local(8) delivery agent disallows regular expression
              substitution of $1 etc. in alias_maps, because that would open
              a security hole.

              The local(8) delivery agent will silently ignore requests to
              use the proxymap(8) server within alias_maps. Instead it will
              open the table directly. Before Postfix version 2.2, the
              local(8) delivery agent will terminate with a fatal error.

              Examples:

              alias_maps = hash:/etc/aliases, nis:mail.aliases
              alias_maps = hash:/etc/aliases

       allow_mail_to_commands (default: alias, forward)
              Restrict local(8) mail delivery to external commands. The
              default is to disallow delivery to "|command" in :include:
              files (see aliases(5) for the text that defines this
              terminology).

              Specify zero or more of: alias, forward or include, in order to
              allow commands in aliases(5), .forward files or in :include:
              files, respectively.

              Example:

              allow_mail_to_commands = alias,forward,include

       allow_mail_to_files (default: alias, forward)
              Restrict local(8) mail delivery to external files. The default
              is to disallow "/file/name" destinations in :include: files
              (see aliases(5) for the text that defines this terminology).

              Specify zero or more of: alias, forward or include, in order to
              allow "/file/name" destinations in aliases(5), .forward files
              and in :include: files, respectively.

              Example:

              allow_mail_to_files = alias,forward,include

       allow_min_user (default: no)
              Allow a sender or recipient address to have `-' as the first
              character. By default, this is not allowed, to avoid accidents
              with software that passes email addresses via the command line.
              Such software would not be able to distinguish a malicious
              address from a bona fide command-line option. Although this can
              be prevented by inserting a "--" option terminator into the
              command line, this is difficult to enforce consistently and
              globally.

              As of Postfix version 2.5, this feature is implemented by
              trivial-rewrite(8). With earlier versions this feature was
              implemented by qmgr(8) and was limited to recipient addresses
              only.

       allow_percent_hack (default: yes)
              Enable the rewriting of the form "user%domain" to
              "user@domain". This is enabled by default.

              Note: as of Postfix version 2.2, message header address
              rewriting happens only when one of the following conditions is
              true:

              · The message is received with the Postfix sendmail(1) command,

              · The message is received from a network client that matches
                $local_header_rewrite_clients,

              · The message is received from the network, and the
                remote_header_rewrite_domain parameter specifies a non-empty
                value.

              To get the behavior before Postfix version 2.2, specify
              "local_header_rewrite_clients = static:all".

              Example:

              allow_percent_hack = no

       allow_untrusted_routing (default: no)
              Forward mail with sender-specified routing
              (user[@%!]remote[@%!]site) from untrusted clients to
              destinations matching $relay_domains.

              By default, this feature is turned off. This closes a nasty
              open relay loophole where a backup MX host can be tricked into
              forwarding junk mail to a primary MX host which then spams it
              out to the world.

              This parameter also controls whether non-local addresses with
              sender-specified routing can match Postfix access tables. By
              default, such addresses cannot match Postfix access tables,
              because the address is ambiguous.

       alternate_config_directories (default: empty)
              A list of non-default Postfix configuration directories that
              may be specified with "-c config_directory" on the command line
              (in the case of sendmail(1), with the "-C" option), or via the
              MAIL_CONFIG environment parameter.

              This list must be specified in the default Postfix main.cf
              file, and will be used by set-gid Postfix commands such as
              postqueue(1) and postdrop(1).

              Specify absolute pathnames, separated by comma or space. Note:
              $name expansion is not supported.

       always_add_missing_headers (default: no)
              Always add (Resent-) From:, To:, Date: or Message-ID: headers
              when not present. Postfix 2.6 and later add these headers only
              when clients match the local_header_rewrite_clients parameter
              setting. Earlier Postfix versions always add these headers;
              this may break DKIM signatures that cover non-existent headers.
              The undisclosed_recipients_header parameter setting determines
              whether a To: header will be added.

       always_bcc (default: empty)
              Optional address that receives a "blind carbon copy" of each
              message that is received by the Postfix mail system.

              Note: with Postfix 2.3 and later the BCC address is added as if
              it was specified with NOTIFY=NONE. The sender will not be
              notified when the BCC address is undeliverable, as long as all
              down-stream software implements RFC 3461.

              Note: with Postfix 2.2 and earlier the sender will be notified
              when the BCC address is undeliverable.

              Note: automatic BCC recipients are produced only for new mail.
              To avoid mailer loops, automatic BCC recipients are not
              generated after Postfix forwards mail internally, or after
              Postfix generates mail itself.

       anvil_rate_time_unit (default: 60s)
              The time unit over which client connection rates and other
              rates are calculated.

              This feature is implemented by the anvil(8) service which is
              available in Postfix version 2.2 and later.

              The default interval is relatively short. Because of the high
              frequency of updates, the anvil(8) server uses volatile memory
              only. Thus, information is lost whenever the process
              terminates.

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks). The default time unit is s (seconds).

       anvil_status_update_time (default: 600s)
              How frequently the anvil(8) connection and rate limiting server
              logs peak usage information.

              This feature is available in Postfix 2.2 and later.

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks). The default time unit is s (seconds).

       append_at_myorigin (default: yes)
              With locally submitted mail, append the string "@$myorigin" to
              mail addresses without domain information. With remotely
              submitted mail, append the string
              "@$remote_header_rewrite_domain" instead.

              Note 1: this feature is enabled by default and must not be
              turned off. Postfix does not support domain-less addresses.

              Note 2: with Postfix version 2.2, message header address
              rewriting happens only when one of the following conditions is
              true:

              · The message is received with the Postfix sendmail(1) command,

              · The message is received from a network client that matches
                $local_header_rewrite_clients,

              · The message is received from the network, and the
                remote_header_rewrite_domain parameter specifies a non-empty
                value.

              To get the behavior before Postfix version 2.2, specify
              "local_header_rewrite_clients = static:all".

       append_dot_mydomain (default: Postfix ≥ 3.0: no, Postfix < 3.0: yes)
              With locally submitted mail, append the string ".$mydomain" to
              addresses that have no ".domain" information. With remotely
              submitted mail, append the string
              ".$remote_header_rewrite_domain" instead.

              Note 1: this feature is enabled by default. If disabled, users
              will not be able to send mail to "user@partialdomainname" but
              will have to specify full domain names instead.

              Note 2: with Postfix version 2.2, message header address
              rewriting happens only when one of the following conditions is
              true:

              · The message is received with the Postfix sendmail(1) command,

              · The message is received from a network client that matches
                $local_header_rewrite_clients,

              · The message is received from the network, and the
                remote_header_rewrite_domain parameter specifies a non-empty
                value.

              To get the behavior before Postfix version 2.2, specify
              "local_header_rewrite_clients = static:all".

       application_event_drain_time (default: 100s)
              How long the postkick(1) command waits for a request to enter
              the Postfix daemon process input buffer before giving up.

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks). The default time unit is s (seconds).

              This feature is available in Postfix 2.1 and later.

       authorized_flush_users (default: static:anyone)
              List of users who are authorized to flush the queue.

              By default, all users are allowed to flush the queue. Access is
              always granted if the invoking user is the super-user or the
              $mail_owner user. Otherwise, the real UID of the process is
              looked up in the system password file, and access is granted
              only if the corresponding login name is on the access list. The
              username "unknown" is used for processes whose real UID is not
              found in the password file.

              Specify a list of user names, "/file/name" or "type:table"
              patterns, separated by commas and/or whitespace. The list is
              matched left to right, and the search stops on the first match.
              A "/file/name" pattern is replaced by its contents; a
              "type:table" lookup table is matched when a name matches a
              lookup key (the lookup result is ignored). Continue long lines
              by starting the next line with whitespace. Specify "!pattern"
              to exclude a name from the list. The form "!/file/name" is
              supported only in Postfix version 2.4 and later.

              This feature is available in Postfix 2.2 and later.

       authorized_mailq_users (default: static:anyone)
              List of users who are authorized to view the queue.

              By default, all users are allowed to view the queue. Access is
              always granted if the invoking user is the super-user or the
              $mail_owner user. Otherwise, the real UID of the process is
              looked up in the system password file, and access is granted
              only if the corresponding login name is on the access list. The
              username "unknown" is used for processes whose real UID is not
              found in the password file.

              Specify a list of user names, "/file/name" or "type:table"
              patterns, separated by commas and/or whitespace. The list is
              matched left to right, and the search stops on the first match.
              A "/file/name" pattern is replaced by its contents; a
              "type:table" lookup table is matched when a name matches a
              lookup key (the lookup result is ignored). Continue long lines
              by starting the next line with whitespace. Specify "!pattern"
              to exclude a user name from the list. The form "!/file/name"
              is supported only in Postfix version 2.4 and later.

              This feature is available in Postfix 2.2 and later.

       authorized_submit_users (default: static:anyone)
              List of users who are authorized to submit mail with the
              sendmail(1) command (and with the privileged postdrop(1) helper
              command).

              By default, all users are allowed to submit mail. Otherwise,
              the real UID of the process is looked up in the system password
              file, and access is granted only if the corresponding login
              name is on the access list. The username "unknown" is used for
              processes whose real UID is not found in the password file. To
              deny mail submission access to all users specify an empty list.

              Specify a list of user names, "/file/name" or "type:table"
              patterns, separated by commas and/or whitespace. The list is
              matched left to right, and the search stops on the first match.
              A "/file/name" pattern is replaced by its contents; a
              "type:table" lookup table is matched when a name matches a
              lookup key (the lookup result is ignored). Continue long lines
              by starting the next line with whitespace. Specify "!pattern"
              to exclude a user name from the list. The form "!/file/name"
              is supported only in Postfix version 2.4 and later.

              Example:

              authorized_submit_users = !www, static:all

              This feature is available in Postfix 2.2 and later.

       authorized_verp_clients (default: $mynetworks)
              What remote SMTP clients are allowed to specify the XVERP
              command. This command requests that mail be delivered one
              recipient at a time with a per-recipient return address.

              By default, only trusted clients are allowed to specify XVERP.

              This parameter was introduced with Postfix version 1.1. Postfix
              version 2.1 renamed this parameter to
              smtpd_authorized_verp_clients and changed the default to none.

              Specify a list of network/netmask patterns, separated by commas
              and/or whitespace. The mask specifies the number of bits in the
              network part of a host address. You can also specify hostnames
              or .domain names (the initial dot causes the domain to match
              any name below it), "/file/name" or "type:table" patterns. A
              "/file/name" pattern is replaced by its contents; a
              "type:table" lookup table is matched when a table entry matches
              a lookup string (the lookup result is ignored). Continue long
              lines by starting the next line with whitespace. Specify
              "!pattern" to exclude an address or network block from the
              list. The form "!/file/name" is supported only in Postfix
              version 2.4 and later.

              Note: IP version 6 address information must be specified inside
              [] in the authorized_verp_clients value, and in files specified
              with "/file/name". IP version 6 addresses contain the ":"
              character, and would otherwise be confused with a "type:table"
              pattern.

       backwards_bounce_logfile_compatibility (default: yes)
              Produce additional bounce(8) logfile records that can be read
              by Postfix versions before 2.0. The current and more extensible
              "name = value" format is needed in order to implement more
              sophisticated functionality.

              This feature is available in Postfix 2.1 and later.

       berkeley_db_create_buffer_size (default: 16777216)
              The per-table I/O buffer size for programs that create Berkeley
              DB hash or btree tables. Specify a byte count.

              This feature is available in Postfix 2.0 and later.

       berkeley_db_read_buffer_size (default: 131072)
              The per-table I/O buffer size for programs that read Berkeley DB
              hash or btree tables. Specify a byte count.

              This feature is available in Postfix 2.0 and later.

       best_mx_transport (default: empty)
              Where the Postfix SMTP client should deliver mail when it
              detects a "mail loops back to myself" error condition. This
              happens when the local MTA is the best SMTP mail exchanger for
              a destination not listed in $mydestination, $inet_interfaces,
              $proxy_interfaces, $virtual_alias_domains, or
              $virtual_mailbox_domains. By default, the Postfix SMTP client
              returns such mail as undeliverable.

              Specify, for example, "best_mx_transport = local" to pass the
              mail from the Postfix SMTP client to the local(8) delivery
              agent. You can specify any message delivery "transport" or
              "transport:nexthop" that is defined in the master.cf file. See
              the transport(5) manual page for the syntax and meaning of
              "transport" or "transport:nexthop".

              However, this feature is expensive because it ties up a Postfix
              SMTP client process while the local(8) delivery agent is doing
              its work. It is more efficient (for Postfix) to list all hosted
              domains in a table or database.

       biff (default: yes)
              Whether or not to use the local biff service. This service
              sends "new mail" notifications to users who have requested new
              mail notification with the UNIX command "biff y".

              For compatibility reasons this feature is on by default. On
              systems with lots of interactive users, the biff service can be
              a performance drain. Specify "biff = no" in main.cf to disable.

       body_checks (default: empty)
              Optional lookup tables for content inspection as specified in
              the body_checks(5) manual page.

              Note: with Postfix versions before 2.0, these rules inspect all
              content after the primary message headers.

       body_checks_size_limit (default: 51200)
              How much text in a message body segment (or attachment, if you
              prefer to use that term) is subjected to body_checks
              inspection. The amount of text is limited to avoid scanning
              huge attachments.

              This feature is available in Postfix 2.0 and later.

       bounce_notice_recipient (default: postmaster)
              The recipient of postmaster notifications with the message
              headers of mail that Postfix did not deliver and of SMTP
              conversation transcripts of mail that Postfix did not receive.
              This feature is enabled with the notify_classes parameter.

       bounce_queue_lifetime (default: 5d)
              Consider a bounce message as undeliverable, when delivery fails
              with a temporary error, and the time in the queue has reached
              the bounce_queue_lifetime limit. By default, this limit is the
              same as for regular mail.

              Time units: s (seconds), m (minutes), h (hours), d (days), w
              (weeks). The default time unit is d (days).

              Specify 0 when mail delivery should be tried only once.

              This feature is available in Postfix 2.1 and later.

       bounce_service_name (default: bounce)
              The name of the bounce(8) service. This service maintains a
              record of failed delivery attempts and generates non-delivery
              notifications.

              This feature is available in Postfix 2.0 and later.

       bounce_size_limit (default: 50000)
              The maximal amount of original message text that is sent in a
              non-delivery notification. Specify a byte count. A message is
              returned as either message/rfc822 (the complete original) or as
              text/rfc822-headers (the headers only). With Postfix version
              2.4 and earlier, a message is always returned as message/rfc822
              and is truncated when it exceeds the size limit.

              Notes:

              · If you increase this limit, then you should increase the
                mime_nesting_limit value proportionally.

              · Be careful when making changes. Excessively large values will
                result in the loss of non-delivery notifications, when a
                bounce message size exceeds a local or remote MTA's message
                size limit.

       bounce_template_file (default: empty)
              Pathname of a configuration file with bounce message templates.
              These override the built-in templates of delivery status
              notification (DSN) messages for undeliverable mail, for delayed
              mail, successful delivery, or delivery verification. The
              bounce(5) manual page describes how to edit and test template
              files.

              Template message body text may contain $name references to
              Postfix configuration parameters. The result of $name expansion
              can be previewed with "postconf -b file_name" before the file
              is placed into the Postfix configuration directory.

              This feature is available in Postfix 2.3 and later.

       broken_sasl_auth_clients (default: no)
              Enable interoperability with remote SMTP clients that implement
              an obsolete version of the AUTH command (RFC 4954). Examples of
              such clients are Microsoft Outlook Express version 4 and
              Microsoft Exchange version 5.0.

              Specify "broken_sasl_auth_clients = yes" to have Postfix
              advertise AUTH support in a non-standard way.

       canonical_classes (default: envelope_sender, envelope_recipient,
       header_sender, header_recipient)
              What addresses are subject to canonical_maps address mapping.
              By default, canonical_maps address mapping is applied to
              envelope sender and recipient addresses, and to header sender
              and header recipient addresses.

              Specify one or more of: envelope_sender, envelope_recipient,
              header_sender, header_recipient

              This feature is available in Postfix 2.2 and later.

       canonical_maps (default: empty)
              Optional address mapping lookup tables for message headers and
              envelopes. The mapping is applied to both sender and recipient
              addresses, in both envelopes and in headers, as controlled with
              the canonical_classes parameter. This is typically used to
              clean up dirty addresses from legacy mail systems, or to
              replace login names by Firstname.Lastname. The table format and
              lookups are documented in canonical(5). For an overview of
              Postfix address manipulations see the ADDRESS_REWRITING_README
              document.

              Specify zero or more "type:name" lookup tables, separated by
              whitespace or comma. Tables will be searched in the specified
              order until a match is found. Note: these lookups are
              recursive.

              If you use this feature, run "postmap /etc/postfix/canonical"
              to build the necessary DBM or DB file after every change. The
              changes will become visible after a minute or so. Use "postfix
              reload" to eliminate the delay.

              Note: with Postfix version 2.2, message header address mapping
              happens only when message header address rewriting is enabled:

              · The message is received with the Postfix sendmail(1) command,

              · The message is received from a network client that matches
                $local_header_rewrite_clients,

              · The message is received from the network, and the
                remote_header_rewrite_domain parameter specifies a non-empty
                value.

              To get the behavior before Postfix version 2.2, specify
              "local_header_rewrite_clients = static:all".

              Examples:

              canonical_maps = dbm:/etc/postfix/canonical
              canonical_maps = hash:/etc/postfix/canonical

       cleanup_service_name (default: cleanup)
              The name of the cleanup(8) service. This service rewrites
              addresses into the standard form, and performs canonical(5)
              address mapping and virtual(5) aliasing.

              This feature is available in Postfix 2.0 and later.

       command_directory (default: see "postconf -d" output)
              The location of all postfix administrative commands.

       command_execution_directory (default: empty)
              The local(8) delivery agent working directory for delivery to
              external command. Failure to change directory causes the
              delivery to be
847 deferred.
848
849 The command_execution_directory value is not subject to Postfix config‐
850 uration parameter $name expansion. Instead, the following $name expan‐
851 sions are done on command_execution_directory before the directory is
852 used. Expansion happens in the context of the delivery request. The
853 result of $name expansion is filtered with the character set that is
854 specified with the execution_directory_expansion_filter parameter.
855
856 $user The recipient's username.
857
858 $shell The recipient's login shell pathname.
859
860 $home The recipient's home directory.
861
862 $recipient
863 The full recipient address.
864
865 $extension
866 The optional recipient address extension.
867
868 $domain
869 The recipient domain.
870
871 $local The entire recipient localpart.
872
873 $recipient_delimiter
874 The address extension delimiter that was found in the recipient
875 address (Postfix 2.11 and later), or the system-wide recipient
876 address extension delimiter (Postfix 2.10 and earlier).
877
878 ${name?value}
879 Expands to value when $name is non-empty.
880
881 ${name:value}
882 Expands to value when $name is empty.
883
884 Instead of $name you can also specify ${name} or $(name).
885
886 This feature is available in Postfix 2.2 and later.
887
889 Restrict the characters that the local(8) delivery agent allows in
890 $name expansions of $mailbox_command and $command_execution_directory.
891 Characters outside the allowed set are replaced by underscores.
892
894 Time limit for delivery to external commands. This limit is used by the
895 local(8) delivery agent, and is the default time limit for delivery by
896 the pipe(8) delivery agent.
897
898 Note: if you set this time limit to a large value you must update the
899 global ipc_timeout parameter as well.
900
902 A safety net that causes Postfix to run with backwards-compatible
903 default settings after an upgrade to a newer Postfix version.
904
905 With backwards compatibility turned on (the main.cf compatibility_level
906 value is less than the Postfix built-in value), Postfix looks for set‐
907 tings that are left at their implicit default value, and logs a message
908 when a backwards-compatible default setting is required.
909
910 using backwards-compatible default setting name=value
911 to [accept a specific client request]
912
913 using backwards-compatible default setting name=value
914 to [enable specific Postfix behavior]
915
916 See COMPATIBILITY_README for specific message details. If such a mes‐
917 sage is logged in the context of a legitimate request, the system
918 administrator should make the backwards-compatible setting permanent in
919 main.cf or master.cf, for example:
920
921 # postconf name=value
922 # postfix reload
923
924 When no more backwards-compatible settings need to be made permanent,
925 the administrator should turn off backwards compatibility by updating
926 the compatibility_level setting in main.cf:
927
928 # postconf compatibility_level=N
929 # postfix reload
930
931 For N specify the number that is logged in your postfix(1) warning mes‐
932 sage:
933
934 warning: To disable backwards compatibility use "postconf
935 compatibility_level=N" and "postfix reload"
936
937 This feature is available in Postfix 3.0 and later.
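Added example, not part of the postconf(5) text: a small Python helper that collects the "using backwards-compatible default setting name=value" messages described above and renders the two postconf steps that follow from them. The log lines are constructed samples in that message format, and the value is assumed never to contain the string " to ".

```python
import re
import shlex

# Constructed sample log lines in the message format described above (not real logs).
SAMPLE_LOG = """\
Mar  3 10:14:59 mx1 postfix/postfix-script[2200]: warning: To disable backwards compatibility use "postconf compatibility_level=3.6" and "postfix reload"
Mar  3 10:15:02 mx1 postfix/smtpd[2211]: using backwards-compatible default setting smtputf8_enable=no to disable UTF-8 support
Mar  3 10:15:02 mx1 postfix/cleanup[2215]: using backwards-compatible default setting append_dot_mydomain=yes to rewrite "user@host" to "user@host.$mydomain"
Mar  3 10:15:03 mx1 postfix/smtpd[2212]: using backwards-compatible default setting smtputf8_enable=no to disable UTF-8 support
"""

# "using backwards-compatible default setting name=value to <reason>"; the value is
# taken up to the first " to ", so a value containing " to " would be cut short (assumption).
_SETTING = re.compile(r"using backwards-compatible default setting (\S+?)=(.*?) to (.*)$")
# 'warning: To disable backwards compatibility use "postconf compatibility_level=N" ...'
_LEVEL = re.compile(r'use "postconf compatibility_level=([^"]+)"')


def collect_compat_settings(log_text):
    """Return ({name: value}, level): each reported setting once, plus the N from the warning."""
    settings = {}
    level = None
    for line in log_text.splitlines():
        m = _SETTING.search(line)
        if m:
            name, value, _reason = m.groups()
            settings.setdefault(name, value)   # repeated lines report the same setting
            continue
        m = _LEVEL.search(line)
        if m:
            level = m.group(1)
    return settings, level


def make_permanent_commands(settings):
    """Step 1 from the page: 'postconf name=value' per setting, then 'postfix reload'."""
    cmds = [f"postconf {shlex.quote(name + '=' + value)}" for name, value in sorted(settings.items())]
    if cmds:
        cmds.append("postfix reload")
    return cmds


def disable_compat_commands(level):
    """Step 2 from the page, run only once step 1 is applied and no more settings are logged."""
    if level is None:
        return []
    return [f"postconf compatibility_level={shlex.quote(level)}", "postfix reload"]


if __name__ == "__main__":
    found, n = collect_compat_settings(SAMPLE_LOG)
    print("\n".join(make_permanent_commands(found)))
    print("# later, once the log shows no more backwards-compatible settings:")
    print("\n".join(disable_compat_commands(n)))
```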
938
940 The default location of the Postfix main.cf and master.cf configuration
941 files. This can be overruled via the following mechanisms:
942
943 · The MAIL_CONFIG environment variable (daemon processes and com‐
944 mands).
945
946 · The "-c" command-line option (commands only).
947
948 With Postfix commands that run with set-gid privileges, a config_directory
949 override requires either root privileges, or that the directory is listed
950 with the alternate_config_directories parameter in the default main.cf
951 file.
952
954 After sending a "your message is delayed" notification, inform the
955 sender when the delay clears up. This can result in a sudden burst of
956 notifications at the end of a prolonged network outage, and is there‐
957 fore disabled by default.
958
959 See also: delay_warning_time.
960
961 This feature is available in Postfix 3.0 and later.
962
964 Time limit for connection cache connect, send or receive operations.
965 The time limit is enforced in the client.
966
967 This feature is available in Postfix 2.3 and later.
968
970 The name of the scache(8) connection cache service. This service main‐
971 tains a limited pool of cached sessions.
972
973 This feature is available in Postfix 2.2 and later.
974
976 How frequently the scache(8) server logs usage statistics with connec‐
977 tion cache hit and miss rates for logical destinations and for physical
978 endpoints.
979
981 The maximal time-to-live value that the scache(8) connection cache
982 server allows. Requests that specify a larger TTL will be stored with
983 the maximum allowed TTL. The purpose of this additional control is to
984 protect the infrastructure against careless people. The cache TTL is
985 already bounded by $max_idle.
986
988 After the message is queued, send the entire message to the specified
989 transport:destination. The transport name specifies the first field of
990 a mail delivery agent definition in master.cf; the syntax of the
991 next-hop destination is described in the manual page of the correspond‐
992 ing delivery agent. More information about external content filters is
993 in the Postfix FILTER_README file.
994
995 Notes:
996
997 · This setting has lower precedence than a FILTER action that is
998 specified in an access(5), header_checks(5) or body_checks(5)
999 table.
1000
1001 · The meaning of an empty next-hop filter destination is version
1002 dependent. Postfix 2.7 and later will use the recipient domain;
1003 earlier versions will use $myhostname. Specify "default_fil‐
1004 ter_nexthop = $myhostname" for compatibility with Postfix 2.6 or
1005 earlier, or specify a content_filter value with an explicit
1006 next-hop destination.
1007
1009 Search path for Cyrus SASL application configuration files, currently
1010 used only to locate the $smtpd_sasl_path.conf file. Specify zero or
1011 more directories separated by a colon character, or an empty value to
1012 use Cyrus SASL's built-in search path.
1013
1014 This feature is available in Postfix 2.5 and later when compiled with
1015 Cyrus SASL 2.1.22 or later.
1016
1018 The directory with Postfix support programs and daemon programs. These
1019 should not be invoked directly by humans. The directory must be owned
1020 by root.
1021
1023 How a Postfix daemon process handles errors while opening lookup
1024 tables: gradual degradation or immediate termination.
1025
1026 no (default)
1027 Gradual degradation: a daemon process logs a message of type
1028 "error" and continues execution with reduced functionality. Fea‐
1029 tures that do not depend on the unavailable table will work nor‐
1030 mally, while features that depend on the table will result in a
1031 type "warning" message.
1032 When the notify_classes parameter value contains the "data"
1033 class, the Postfix SMTP server and client will report tran‐
1034 scripts of sessions with an error because a table is unavail‐
1035 able.
1036
1037 yes (historical behavior)
1038 Immediate termination: a daemon process logs a type "fatal" mes‐
1039 sage and terminates immediately. This option reduces the number
1040 of possible code paths through Postfix, and may therefore be
1041 slightly more secure than the default.
1042
1043 For the sake of sanity, the number of type "error" messages is limited
1044 to 13 over the lifetime of a daemon process.
1045
1046 This feature is available in Postfix 2.9 and later.
1047
1049 How much time a Postfix daemon process may take to handle a request
1050 before it is terminated by a built-in watchdog timer.
1051
1052 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1053 The default time unit is s (seconds).
1054
1056 The directory with Postfix-writable data files (for example: caches,
1057 pseudo-random numbers). This directory must be owned by the mail_owner
1058 account, and must not be shared with non-Postfix software.
1059
1060 This feature is available in Postfix 2.5 and later.
1061
1063 The increment in verbose logging level when a remote client or server
1064 matches a pattern in the debug_peer_list parameter.
1065
1067 Optional list of remote client or server hostname or network address
1068 patterns that cause the verbose logging level to increase by the amount
1069 specified in $debug_peer_level.
1070
1071 Specify domain names, network/netmask patterns, "/file/name" patterns
1072 or "type:table" lookup tables. The right-hand side result from
1073 "type:table" lookups is ignored.
1074
1075 Pattern matching of domain names is controlled by the presence or
1076 absence of "debug_peer_list" in the parent_domain_matches_subdomains
1077 parameter value.
1078
1079 Examples:
1080
1081 debug_peer_list = 127.0.0.1
1082 debug_peer_list = example.com
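Added example (not from this manual page or from Postfix): a Python matcher for the domain-name and network/netmask forms of debug_peer_list, with a switch that mirrors listing "debug_peer_list" in parent_domain_matches_subdomains. The ".example.com" form for matching subdomains only and the case-insensitive hostname comparison are Postfix behaviour relied on here; "/file/name" and "type:table" patterns are not handled.

```python
import ipaddress


def _network_or_none(pattern):
    """Parse '192.0.2.1' or '192.0.2.0/24' (IPv6 likewise); None when not an address pattern."""
    try:
        return ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return None


def _host_matches(pattern, hostname, parent_matches_subdomains):
    pat, host = pattern.lower(), hostname.lower().rstrip(".")
    if host == pat:
        return True
    if pat.startswith("."):                     # ".example.com": subdomains only
        return host.endswith(pat)
    if parent_matches_subdomains:               # "example.com" also covers its subdomains
        return host.endswith("." + pat)
    return False


def peer_matches(patterns, hostname, address, parent_matches_subdomains=False):
    """True when the remote (hostname, address) matches any debug_peer_list pattern.

    parent_matches_subdomains mirrors "debug_peer_list" being present in the
    parent_domain_matches_subdomains parameter value. "/file/name" and
    "type:table" patterns raise, since this example reads no external tables.
    """
    addr = ipaddress.ip_address(address)
    for pattern in patterns:
        if pattern.startswith("/") or (":" in pattern and _network_or_none(pattern) is None):
            raise NotImplementedError(f"external pattern not supported here: {pattern}")
        net = _network_or_none(pattern)
        if net is not None:
            if addr.version == net.version and addr in net:
                return True
        elif _host_matches(pattern, hostname, parent_matches_subdomains):
            return True
    return False


def debug_level_for(patterns, hostname, address, base_level, debug_peer_level=2, **kw):
    """Verbose logging level after adding $debug_peer_level for a matching peer."""
    bump = debug_peer_level if peer_matches(patterns, hostname, address, **kw) else 0
    return base_level + bump


if __name__ == "__main__":
    # constructed pattern list and peers
    patterns = ["127.0.0.1", "example.com", "192.0.2.0/24", ".partner.example"]
    for host, addr in (("localhost", "127.0.0.1"), ("mail.example.com", "198.51.100.7")):
        print(host, addr, debug_level_for(patterns, host, addr, 0),
              debug_level_for(patterns, host, addr, 0, parent_matches_subdomains=True))
```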
1083
1085 The external command to execute when a Postfix daemon program is
1086 invoked with the -D option.
1087
1088 Use "command .. & sleep 5" so that the debugger can attach before the
1089 process marches on. If you use an X-based debugger, be sure to set up
1090 your XAUTHORITY environment variable before starting Postfix.
1091
1092 Note: the command is subject to $name expansion, before it is passed to
1093 the default command interpreter. Specify "$$" to produce a single "$"
1094 character.
1095
1096 Example:
1097
1098 debugger_command =
1099 PATH=/usr/bin:/usr/X11R6/bin
1100 ddd $daemon_directory/$process_name $process_id & sleep 5
1101
1103 The default database type for use in newaliases(1), postalias(1) and
1104 postmap(1) commands. On many UNIX systems the default type is either
1105 dbm or hash. The default setting is frozen when the Postfix system is
1106 built.
1107
1108 Examples:
1109
1110 default_database_type = hash
1111 default_database_type = dbm
1112
1114 How often the Postfix queue manager's scheduler is allowed to preempt
1115 delivery of one message with another.
1116
1117 Each transport maintains a so-called "available delivery slot counter"
1118 for each message. One message can be preempted by another one when the
1119 other message can be delivered using no more delivery slots (i.e.,
1120 invocations of delivery agents) than the current message counter has
1121 accumulated (or will eventually accumulate - see about slot loans
1122 below). This parameter controls how often the counter is incremented:
1123 it is incremented after each default_delivery_slot_cost recipients have
1124 been delivered.
1125
1126 The cost of 0 is used to disable the preempting scheduling completely.
1127 The minimum value the scheduling algorithm can use is 2 - use it if you
1128 want to maximize the message throughput rate. Although there is no
1129 maximum, it doesn't make much sense to use values above, say, 50.
1130
1131 The only reason why the value of 2 is not the default is the way this
1132 parameter affects the delivery of mailing-list mail. In the worst case,
1133 delivery can take somewhere between ((cost+1)/cost) and (cost/(cost-1))
1134 times more than if the preemptive scheduler was disabled. The default
1135 value of 5 turns out to provide reasonable message response times while
1136 making sure the mailing-list deliveries are not extended by more than
1137 20-25 percent even in the worst case.
1138
1139 Use transport_delivery_slot_cost to specify a transport-specific over‐
1140 ride, where transport is the master.cf name of the message delivery
1141 transport.
1142
1143 Examples:
1144
1145 default_delivery_slot_cost = 0
1146 default_delivery_slot_cost = 2
1147
1149 The default value for transport-specific _delivery_slot_discount set‐
1150 tings.
1151
1152 This parameter speeds up the moment when a message preemption can hap‐
1153 pen. Instead of waiting until the full amount of delivery slots
1154 required is available, the preemption can happen when transport_deliv‐
1155 ery_slot_discount percent of the required amount plus transport_deliv‐
1156 ery_slot_loan still remains to be accumulated. Note that the full
1157 amount will still have to be accumulated before another preemption can
1158 take place later.
1159
1160 Use transport_delivery_slot_discount to specify a transport-specific
1161 override, where transport is the master.cf name of the message delivery
1162 transport.
1163
1165 The default value for transport-specific _delivery_slot_loan settings.
1166
1167 This parameter speeds up the moment when a message preemption can hap‐
1168 pen. Instead of waiting until the full amount of delivery slots
1169 required is available, the preemption can happen when transport_deliv‐
1170 ery_slot_discount percent of the required amount plus transport_deliv‐
1171 ery_slot_loan still remains to be accumulated. Note that the full
1172 amount will still have to be accumulated before another preemption can
1173 take place later.
1174
1175 Use transport_delivery_slot_loan to specify a transport-specific over‐
1176 ride, where transport is the master.cf name of the message delivery
1177 transport.
1178
1180 Optional filter to replace the delivery status code or explanatory text
1181 of successful or unsuccessful deliveries. This does not allow the
1182 replacement of a successful status code (2.X.X) with an unsuccessful
1183 status code (4.X.X or 5.X.X) or vice versa.
1184
1185 Note: the (smtp|lmtp)_delivery_status_filter is applied only once per
1186 recipient: when delivery is successful, when delivery is rejected with
1187 5XX, or when there are no more alternate MX or A destinations. Use
1188 smtp_reply_filter or lmtp_reply_filter to inspect responses for all
1189 delivery attempts.
1190
1191 The following parameters can be used to implement a filter for specific
1192 delivery agents: lmtp_delivery_status_filter, local_delivery_sta‐
1193 tus_filter, pipe_delivery_status_filter, smtp_delivery_status_filter or
1194 virtual_delivery_status_filter. These parameters support the same fil‐
1195 ter syntax as described here.
1196
1197 Specify zero or more "type:table" lookup table names, separated by
1198 comma or whitespace. For each successful or unsuccessful delivery to a
1199 recipient, the tables are queried in the specified order with one line
1200 of text that is structured as follows:
1201
1202 enhanced-status-code SPACE explanatory-text
1203
1204 The first table match wins. The lookup result must have the same
1205 structure as the query: a successful status code (2.X.X) must be
1206 replaced with a successful status code, an unsuccessful status code
1207 (4.X.X or 5.X.X) must be replaced with an unsuccessful status code, and
1208 the explanatory text field must be non-empty. Any other result produces
1209 a warning.
1210
1211 Example 1: convert specific soft TLS errors into hard errors, by over‐
1212 riding the first number in the enhanced status code.
1213
1214 /etc/postfix/main.cf:
1215 smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
1216
1217 /etc/postfix/smtp_dsn_filter:
1218 /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
1219 5$1
1220 /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
1221 5$1
1222 # Do not change the following into hard bounces. They may
1223 # result from a local configuration problem.
1224 # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
1225 # 4.\d+.\d+ TLS is required, but unavailable
1226 # 4.\d+.\d+ Cannot start TLS: handshake failure
1227
1228 Example 2: censor the per-recipient delivery status text so that it
1229 does not reveal the destination command or filename when a remote
1230 sender requests confirmation of successful delivery.
1231
1232 /etc/postfix/main.cf:
1233 local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
1234
1235 /etc/postfix/local_dsn_filter:
1236 /^(2\S+ delivered to file).+/ $1
1237 /^(2\S+ delivered to command).+/ $1
1238
1239 Notes:
1240
1241 · This feature will NOT override the soft_bounce safety net.
1242
1243 · This feature will change the enhanced status code and text that
1244 is logged to the maillog file, and that is reported to the
1245 sender in delivery confirmation or non-delivery notifications.
1246
1247 This feature is available in Postfix 3.0 and later.
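Added example, not Postfix code: a Python model of the delivery status filter lookup, using the two pcre tables from Examples 1 and 2 (re-typed here with one logical line per rule) and enforcing the result rules stated above. Keeping the unfiltered status when a result is rejected is this example's choice; the page itself only promises a warning. Per-rule pcre flags after the closing "/" are not handled.

```python
import re

# The two tables from Examples 1 and 2, re-typed here as one logical line per rule.
SMTP_DSN_FILTER = r"""
/^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/ 5$1
/^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/ 5$1
# Do not change the following into hard bounces. They may
# result from a local configuration problem.
# 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
# 4.\d+.\d+ TLS is required, but unavailable
# 4.\d+.\d+ Cannot start TLS: handshake failure
"""
LOCAL_DSN_FILTER = r"""
/^(2\S+ delivered to file).+/ $1
/^(2\S+ delivered to command).+/ $1
"""

# "/regex/ replacement"; a "/" inside the regex must be backslash-escaped.
_RULE = re.compile(r"^/((?:\\.|[^/])*)/\s*(.*)$")
# enhanced-status-code: class 2 (success) or 4/5 (failure), as the text requires
_DSN = re.compile(r"^[245]\.\d{1,3}\.\d{1,3}$")

WARNINGS = []          # what Postfix would log; collected here so the example stays silent


def parse_pcre_table(text):
    """Turn a pcre: table into [(compiled regex, Python replacement)], in file order."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                   # blank and comment lines
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()           # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    rules = []
    for line in logical:
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"malformed pcre table entry: {line!r}")
        pattern, repl = m.groups()
        # pcre tables write back-references as $1; Python's re.sub wants \g<1>
        rules.append((re.compile(pattern), re.sub(r"\$(\d+)", r"\\g<\1>", repl)))
    return rules


def _is_success(code):
    return code.startswith("2.")


def filter_dsn(rules, status):
    """Apply the first matching rule to 'enhanced-status-code SPACE explanatory-text'.

    A result is accepted only if it keeps the query's structure, keeps a success
    code a success code (and a failure code a failure code) and has non-empty
    text; otherwise a warning is recorded and the status is returned unchanged.
    """
    query_code = status.partition(" ")[0]
    for pat, repl in rules:
        if not pat.search(status):
            continue
        candidate = pat.sub(repl, status, count=1)
        code, _, text = candidate.partition(" ")
        if (not _DSN.match(code) or not text.strip()
                or _is_success(code) != _is_success(query_code)):
            WARNINGS.append(f"ignoring invalid filter result {candidate!r} for {status!r}")
            return status
        return candidate
    return status                                      # no rule matched: unchanged


if __name__ == "__main__":
    smtp_rules = parse_pcre_table(SMTP_DSN_FILTER)
    # constructed per-recipient status lines, shaped like those the smtp(8) client produces
    print(filter_dsn(smtp_rules, "4.7.4 TLS is required, but host mx.example.net[192.0.2.10] "
                                 "refused to start TLS: 454 TLS not available"))
    print(filter_dsn(smtp_rules, "4.7.4 TLS is required, but unavailable"))
    local_rules = parse_pcre_table(LOCAL_DSN_FILTER)
    print(filter_dsn(local_rules, "2.0.0 delivered to file: /home/alice/Maildir/"))
```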
1248
1250 How many pseudo-cohorts must suffer connection or handshake failure
1251 before a specific destination is considered unavailable (and further
1252 delivery is suspended). Specify zero to disable this feature. A desti‐
1253 nation's pseudo-cohort failure count is reset each time a delivery com‐
1254 pletes without connection or handshake failure for that specific desti‐
1255 nation.
1256
1257 A pseudo-cohort is the number of deliveries equal to a destination's
1258 delivery concurrency.
1259
1260 Use transport_destination_concurrency_failed_cohort_limit to specify a
1261 transport-specific override, where transport is the master.cf name of
1262 the message delivery transport.
1263
1264 This feature is available in Postfix 2.5. The default setting is com‐
1265 patible with earlier Postfix versions.
1266
1268 The default maximal number of parallel deliveries to the same destina‐
1269 tion. This is the default limit for delivery via the lmtp(8), pipe(8),
1270 smtp(8) and virtual(8) delivery agents. With per-destination recipient
1271 limit > 1, a destination is a domain, otherwise it is a recipient.
1272
1273 Use transport_destination_concurrency_limit to specify a transport-spe‐
1274 cific override, where transport is the master.cf name of the message
1275 delivery transport.
1276
1278 The per-destination amount of delivery concurrency negative feedback,
1279 after a delivery completes with a connection or handshake failure.
1280 Feedback values are in the range 0..1 inclusive. With negative feed‐
1281 back, concurrency is decremented at the beginning of a sequence of
1282 length 1/feedback. This is unlike positive feedback, where concurrency
1283 is incremented at the end of a sequence of length 1/feedback.
1284
1285 As of Postfix version 2.5, negative feedback cannot reduce delivery
1286 concurrency to zero. Instead, a destination is marked dead (further
1287 delivery suspended) after the failed pseudo-cohort count reaches
1288 $default_destination_concurrency_failed_cohort_limit (or $trans‐
1289 port_destination_concurrency_failed_cohort_limit). To make the sched‐
1290 uler completely immune to connection or handshake failures, specify a
1291 zero feedback value and a zero failed pseudo-cohort limit.
1292
1293 Specify one of the following forms:
1294
1295 number
1296
1297 number / number
1298 Constant feedback. The value must be in the range 0..1 inclu‐
1299 sive. The default setting of "1" is compatible with Postfix
1300 versions before 2.5, where a destination's delivery concurrency
1301 is throttled down to zero (and further delivery suspended) after
1302 a single failed pseudo-cohort.
1303
1304 number / concurrency
1305 Variable feedback of "number / (delivery concurrency)". The
1306 number must be in the range 0..1 inclusive. With number equal to
1307 "1", a destination's delivery concurrency is decremented by 1
1308 after each failed pseudo-cohort.
1309
1310 A pseudo-cohort is the number of deliveries equal to a destination's
1311 delivery concurrency.
1312
1313 Use transport_destination_concurrency_negative_feedback to specify a
1314 transport-specific override, where transport is the master.cf name of
1315 the message delivery transport.
1316
1317 This feature is available in Postfix 2.5. The default setting is com‐
1318 patible with earlier Postfix versions.
1319
1321 The per-destination amount of delivery concurrency positive feedback,
1322 after a delivery completes without connection or handshake failure.
1323 Feedback values are in the range 0..1 inclusive. The concurrency
1324 increases until it reaches the per-destination maximal concurrency
1325 limit. With positive feedback, concurrency is incremented at the end of
1326 a sequence with length 1/feedback. This is unlike negative feedback,
1327 where concurrency is decremented at the start of a sequence of length
1328 1/feedback.
1329
1330 Specify one of the following forms:
1331
1332 number
1333
1334 number / number
1335 Constant feedback. The value must be in the range 0..1 inclu‐
1336 sive. The default setting of "1" is compatible with Postfix ver‐
1337 sions before 2.5, where a destination's delivery concurrency
1338 doubles after each successful pseudo-cohort.
1339
1340 number / concurrency
1341 Variable feedback of "number / (delivery concurrency)". The
1342 number must be in the range 0..1 inclusive. With number equal to
1343 "1", a destination's delivery concurrency is incremented by 1
1344 after each successful pseudo-cohort.
1345
1346 A pseudo-cohort is the number of deliveries equal to a destination's
1347 delivery concurrency.
1348
1349 Use transport_destination_concurrency_positive_feedback to specify a
1350 transport-specific override, where transport is the master.cf name of
1351 the message delivery transport.
1352
1353 This feature is available in Postfix 2.5 and later.
1354
1356 The default amount of delay that is inserted between individual message
1357 deliveries to the same destination and over the same message delivery
1358 transport. Specify a non-zero value to rate-limit those message deliv‐
1359 eries to at most one per $default_destination_rate_delay.
1360
1361 The resulting behavior depends on the value of the corresponding
1362 per-destination recipient limit.
1363
1364 · With a corresponding per-destination recipient limit > 1, the
1365 rate delay specifies the time between deliveries to the same
1366 domain. Different domains are delivered in parallel, subject to
1367 the process limits specified in master.cf.
1368
1369 · With a corresponding per-destination recipient limit equal to 1,
1370 the rate delay specifies the time between deliveries to the same
1371 recipient. Different recipients are delivered in parallel, sub‐
1372 ject to the process limits specified in master.cf.
1373
1374 To enable the delay, specify a non-zero time value (an integral value
1375 plus an optional one-letter suffix that specifies the time unit).
1376
1377 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1378 The default time unit is s (seconds).
1379
1380 NOTE: the delay is enforced by the queue manager. The delay timer state
1381 does not survive "postfix reload" or "postfix stop".
1382
1383 Use transport_destination_rate_delay to specify a transport-specific
1384 override, where transport is the master.cf name of the message delivery
1385 transport.
1386
1387 NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1388 tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1389 fix from deferring all mail for the same destination after only one
1390 connection or handshake error.
1391
1392 This feature is available in Postfix 2.5 and later.
1393
1395 The default maximal number of recipients per message delivery. This is
1396 the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
1397 virtual(8) delivery agents.
1398
1399 Setting this parameter to a value of 1 affects email deliveries as fol‐
1400 lows:
1401
1402 · It changes the meaning of the corresponding per-destination con‐
1403 currency limit, from concurrency of deliveries to the same
1404 domain into concurrency of deliveries to the same recipient.
1405 Different recipients are delivered in parallel, subject to the
1406 process limits specified in master.cf.
1407
1408 · It changes the meaning of the corresponding per-destination rate
1409 delay, from the delay between deliveries to the same domain into
1410 the delay between deliveries to the same recipient. Again, dif‐
1411 ferent recipients are delivered in parallel, subject to the
1412 process limits specified in master.cf.
1413
1414 · It changes the meaning of other corresponding per-destination
1415 settings in a similar manner, from settings for delivery to the
1416 same domain into settings for delivery to the same recipient.
1417
1418 Use transport_destination_recipient_limit to specify a transport-spe‐
1419 cific override, where transport is the master.cf name of the message
1420 delivery transport.
1421
1423 The default value for the extra per-transport limit imposed on the num‐
1424 ber of in-memory recipients. This extra recipient space is reserved
1425 for the cases when the Postfix queue manager's scheduler preempts one
1426 message with another and suddenly needs some extra recipient slots for
1427 the chosen message in order to avoid performance degradation.
1428
1429 Use transport_extra_recipient_limit to specify a transport-specific
1430 override, where transport is the master.cf name of the message delivery
1431 transport.
1432
1434 When a content_filter or FILTER request specifies no explicit next-hop
1435 destination, use $default_filter_nexthop instead; when that value is
1436 empty, use the domain in the recipient address. Specify "default_fil‐
1437 ter_nexthop = $myhostname" for compatibility with Postfix version 2.6
1438 and earlier, or specify an explicit next-hop destination with each con‐
1439 tent_filter value or FILTER action.
1440
1441 This feature is available in Postfix 2.7 and later.
1442
1444 How many recipients a message must have in order to invoke the Postfix
1445 queue manager's scheduling algorithm at all. Messages which would
1446 never accumulate at least this many delivery slots (subject to the slot
1447 cost parameter as well) are never preempted.
1448
1449 Use transport_minimum_delivery_slots to specify a transport-specific
1450 override, where transport is the master.cf name of the message delivery
1451 transport.
1452
1454 The default rights used by the local(8) delivery agent for delivery to
1455 external file or command. These rights are used when delivery is
1456 requested from an aliases(5) file that is owned by root, or when deliv‐
1457 ery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE
1458 POSTFIX OWNER.
1459
1461 The default maximal number of Postfix child processes that provide a
1462 given service. This limit can be overruled for specific services in the
1463 master.cf file.
1464
1466 The default Postfix SMTP server response template for a request that is
1467 rejected by an RBL-based restriction. This template can be overruled by
1468 specific entries in the optional rbl_reply_maps lookup table.
1469
1470 This feature is available in Postfix 2.0 and later.
1471
1472 The template does not support Postfix configuration parameter $name
1473 substitution. Instead, it supports exactly one level of $name substitu‐
1474 tion for the following attributes:
1475
1476 $client
1477 The client hostname and IP address, formatted as name[address].
1478
1479 $client_address
1480 The client IP address.
1481
1482 $client_name
1483 The client hostname or "unknown". See
1484 reject_unknown_client_hostname for more details.
1485
1486 $reverse_client_name
1487 The client hostname from address->name lookup, or "unknown".
1488 See reject_unknown_reverse_client_hostname for more details.
1489
1490 $helo_name
1491 The hostname given in the HELO or EHLO command, or the empty string.
1492
1493 $rbl_class
1494 The blacklisted entity type: Client host, Helo command, Sender
1495 address, or Recipient address.
1496
1497 $rbl_code
1498 The numerical SMTP response code, as specified with the
1499 maps_rbl_reject_code configuration parameter. Note: The numeri‐
1500 cal SMTP response code is required, and must appear at the start
1501 of the reply. With Postfix version 2.3 and later this informa‐
1502 tion may be followed by an RFC 3463 enhanced status code.
1503
1504 $rbl_domain
1505 The RBL domain where $rbl_what is blacklisted.
1506
1507 $rbl_reason
1508 The reason why $rbl_what is blacklisted, or an empty string.
1509
1510 $rbl_what
1511 The entity that is blacklisted (an IP address, a hostname, a
1512 domain name, or an email address whose domain was blacklisted).
1513
1514 $recipient
1515 The recipient address or <> in case of the null address.
1516
1517 $recipient_domain
1518 The recipient domain or empty string.
1519
1520 $recipient_name
1521 The recipient address localpart or <> in case of the null address.
1522
1523 $sender
1524 The sender address or <> in case of the null address.
1525
1526 $sender_domain
1527 The sender domain or empty string.
1528
1529 $sender_name
1530 The sender address localpart or <> in case of the null address.
1531
1532 ${name?text}
1533 Expands to `text' if $name is not empty.
1534
1535 ${name:text}
1536 Expands to `text' if $name is empty.
1537
1538 Instead of $name you can also specify ${name} or $(name).
1539
1540 Note: when an enhanced status code is specified in an RBL reply tem‐
1541 plate, it is subject to modification. The following transformations
1542 are needed when the same RBL reply template is used for client, helo,
1543 sender, or recipient access restrictions.
1544
1545 · When rejecting a sender address, the Postfix SMTP server will
1546 transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
1547 corresponding sender DSN status, and vice versa.
1548
1549 · When rejecting non-address information (such as the HELO command
1550 argument or the client hostname/address), the Postfix SMTP
1551 server will transform a sender or recipient DSN status into a
1552 generic non-address DSN status (e.g., 4.0.0).
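Added example (not Postfix code) of the $name, ${name}, $(name), ${name?value} and ${name:value} expansion that command_execution_directory and default_rbl_reply both describe, with the character-set filter that execution_directory_expansion_filter applies to expanded values, and "$$" for a literal "$" as noted under debugger_command. The allowed character set and the attribute values below are constructed samples (the real execution_directory_expansion_filter default is not shown on this page), and the nested ${name?{value}} form is not handled.

```python
import re

# Token forms named on the page; names use [a-zA-Z0-9_] only.
_TOKEN = re.compile(
    r"\$\$"                                   # literal "$"
    r"|\$\{([A-Za-z0-9_]+)\}"                 # ${name}
    r"|\$\(([A-Za-z0-9_]+)\)"                 # $(name)
    r"|\$\{([A-Za-z0-9_]+)\?([^}]*)\}"        # ${name?value}
    r"|\$\{([A-Za-z0-9_]+):([^}]*)\}"         # ${name:value}
    r"|\$([A-Za-z0-9_]+)"                     # $name
)


def expand(template, attrs, value_filter=None):
    """Expand $name forms in template from attrs; an undefined name expands to ''.

    value_filter, when given, is applied to each substituted attribute value
    (the execution_directory_expansion_filter behaviour), never to literal text.
    Attribute values themselves are not expanded again: one level, as the page says.
    """
    def lookup(name):
        value = attrs.get(name, "")
        return value_filter(value) if value_filter else value

    def sub(m):
        if m.group(0) == "$$":
            return "$"
        if m.group(3) is not None:                 # ${name?value}: value may itself hold $name
            return expand(m.group(4), attrs, value_filter) if attrs.get(m.group(3)) else ""
        if m.group(5) is not None:                 # ${name:value}
            return expand(m.group(6), attrs, value_filter) if not attrs.get(m.group(5)) else ""
        return lookup(m.group(1) or m.group(2) or m.group(7))

    return _TOKEN.sub(sub, template)


def charset_filter(allowed):
    """Replace every character outside 'allowed' with an underscore, as the page states."""
    allowed = frozenset(allowed)
    return lambda s: "".join(c if c in allowed else "_" for c in s)


# Constructed sample set for this example, not the Postfix default.
SAMPLE_EXEC_DIR_FILTER = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_=+:,./"

# Constructed reply template using the attributes listed for default_rbl_reply.
SAMPLE_RBL_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                       "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")


def execution_directory(template, delivery_attrs):
    """command_execution_directory expansion for one local(8) delivery request."""
    return expand(template, delivery_attrs, charset_filter(SAMPLE_EXEC_DIR_FILTER))


def rbl_reply(template, smtpd_attrs):
    """default_rbl_reply expansion (no character filter) for one rejected request."""
    return expand(template, smtpd_attrs)


if __name__ == "__main__":
    req = {"user": "alice", "home": "/home/alice", "extension": "lists", "shell": "/bin/sh"}
    print(execution_directory("$home/Maildir${extension?/.$extension}", req))
    rej = {"rbl_code": "554", "rbl_class": "Client host", "rbl_what": "192.0.2.1",
           "rbl_domain": "bl.example", "rbl_reason": ""}
    print(rbl_reply(SAMPLE_RBL_TEMPLATE, rej))
```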
1553
1555 The default per-transport upper limit on the number of in-memory recip‐
1556 ients. These limits take priority over the global qmgr_message_recipi‐
1557 ent_limit after the message has been assigned to the respective trans‐
1558 ports. See also default_extra_recipient_limit and qmgr_message_recipi‐
1559 ent_minimum.
1560
1561 Use transport_recipient_limit to specify a transport-specific override,
1562 where transport is the master.cf name of the message delivery trans‐
1563 port.
1564
1565 default_recipient_refill_delay
1566 The default per-transport maximum delay between recipient refills.
1567 When not all message recipients fit into memory at once, keep loading
1568 more of them at least once every this many seconds. This is used to
1569 make sure the recipients are refilled in a timely manner even when
1570 $default_recipient_refill_limit is too high for too slow deliveries.
1571
1572 Use transport_recipient_refill_delay to specify a transport-specific
1573 override, where transport is the master.cf name of the message delivery
1574 transport.
1575
1576 This feature is available in Postfix 2.4 and later.
1577
1578 default_recipient_refill_limit
1579 The default per-transport limit on the number of recipients refilled at
1580 once. When not all message recipients fit into memory at once, keep
1581 loading more of them in batches of at least this many at a time. See
1582 also $default_recipient_refill_delay, which may result in recipient
1583 batches smaller than this when this limit is too high for too slow
1584 deliveries.
1585
1586 Use transport_recipient_refill_limit to specify a transport-specific
1587 override, where transport is the master.cf name of the message delivery
1588 transport.
1589
1590 This feature is available in Postfix 2.4 and later.
1591
1592 default_transport
1593 The default mail delivery transport and next-hop destination for desti‐
1594 nations that do not match $mydestination, $inet_interfaces,
1595 $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
1596 $relay_domains. This information can be overruled with the
1597 sender_dependent_default_transport_maps parameter and with the trans‐
1598 port(5) table.
1599
1600 In order of decreasing precedence, the nexthop destination is taken
1601 from $sender_dependent_default_transport_maps, $default_transport,
1602 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
1603 domain.
1604
1605 Specify a string of the form transport:nexthop, where transport is the
1606 name of a mail delivery transport defined in master.cf. The :nexthop
1607 destination is optional; its syntax is documented in the manual page of
1608 the corresponding delivery agent. In the case of SMTP or LMTP, specify
1609 one or more destinations separated by comma or whitespace (with Postfix
1610 3.5 and later).
1611
1612 Example:
1613
1614 default_transport = uucp:relayhostname
1615
1616 default_transport_rate_delay
1617 The default amount of delay that is inserted between individual message
1618 deliveries over the same message delivery transport, regardless of des‐
1619 tination. Specify a non-zero value to rate-limit those message deliver‐
1620 ies to at most one per $default_transport_rate_delay.
1621
1622 Use transport_transport_rate_delay to specify a transport-specific
1623 override, where the initial transport is the master.cf name of the mes‐
1624 sage delivery transport.
1625
1626 Example: throttle outbound SMTP mail to at most 3 deliveries per
1627 minute.
1628
1629 /etc/postfix/main.cf:
1630 smtp_transport_rate_delay = 20s
1631
1632 To enable the delay, specify a non-zero time value (an integral value
1633 plus an optional one-letter suffix that specifies the time unit).
1634
1635 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1636 The default time unit is s (seconds).
1637
1638 NOTE: the delay is enforced by the queue manager.
1639
1640 This feature is available in Postfix 3.1 and later.
1641
1642 default_verp_delimiters
1643 The two default VERP delimiter characters. These are used when no
1644 explicit delimiters are specified with the SMTP XVERP command or with
1645 the "sendmail -V" command-line option. Specify characters that are
1646 allowed by the verp_delimiter_filter setting.
1647
1648 This feature is available in Postfix 1.1 and later.
1649
1650 defer_code
1651 The numerical Postfix SMTP server response code when a remote SMTP
1652 client request is rejected by the "defer" restriction.
1653
1654 Do not change this unless you have a complete understanding of RFC
1655 5321.
1656
1657 defer_service_name
1658 The name of the defer service. This service is implemented by the
1659 bounce(8) daemon and maintains a record of failed delivery attempts and
1660 generates non-delivery notifications.
1661
1662 This feature is available in Postfix 2.0 and later.
1663
1664 defer_transports
1665 The names of message delivery transports that should not deliver mail
1666 unless someone issues "sendmail -q" or equivalent. Specify zero or more
1667 names of mail delivery transports that appear in the first field of
1668 master.cf.
1669
1670 Example:
1671
1672 defer_transports = smtp
1673
1674 delay_logging_resolution_limit
1675 The maximal number of digits after the decimal point when logging
1676 sub-second delay values. Specify a number in the range 0..6.
1677
1678 Large delay values are rounded off to an integral number of seconds;
1679 delay values below the delay_logging_resolution_limit are logged as
1680 "0", and delay values under 100s are logged with at most two-digit
     precision.
1681
1682 The format of the "delays=a/b/c/d" logging is as follows:
1683
1684 · a = time from message arrival to last active queue entry
1685
1686 · b = time from last active queue entry to connection setup
1687
1688 · c = time in connection setup, including DNS, EHLO and STARTTLS
1689
1690 · d = time in message transmission
1691
1692 This feature is available in Postfix 2.3 and later.
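The parser below is an added example, not part of the postconf(5) text: it pulls the delay= and delays= fields out of Postfix delivery records and reports which of the four phases dominated, which is the first thing to look at when deliveries slow down (a large c across many destinations points at DNS or the TLS handshake, a large a means the message sat in the queue, typically after an earlier deferral). The log lines are constructed to look like postfix/smtp, postfix/local and postfix/qmgr records, and the phase labels are my own names for the a/b/c/d fields described above.

```python
import re

# Labels (mine) for the four delays= fields, in the order Postfix logs them:
# a = arrival to last active queue entry, b = active queue to connection setup,
# c = connection setup (DNS, EHLO, STARTTLS), d = message transmission.
PHASES = ("before_active", "active_to_connect", "connection_setup", "transmission")

# Matches the per-recipient delivery records written by postfix/smtp, lmtp, local, ...
DELIVERY_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+), (?:conn_use=\d+, )?"
    r"delay=(?P<delay>[\d.]+), "
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+), "
    r"(?:dsn=(?P<dsn>[\d.]+), )?status=(?P<status>\w+)"
)

# Constructed sample log lines (not real traffic); the queue IDs follow the
# long (enable_long_queue_ids=yes) and the short name format.
SAMPLE_LOG = [
    "Mar 20 14:31:50 mx1 postfix/smtp[2101]: 3Pt2mN2VXxznjll: to=<bob@example.net>, "
    "relay=mail.example.net[192.0.2.25]:25, delay=0.42, delays=0.05/0.01/0.26/0.1, "
    "dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4F3A21C0)",
    "Mar 20 14:32:20 mx1 postfix/smtp[2102]: 3Pt2sQ1bXq4znjlm: to=<carol@example.org>, "
    "relay=mail.example.org[198.51.100.9]:25, delay=30, delays=0.04/0.01/30/0.25, "
    "dsn=4.4.2, status=deferred (lost connection with mail.example.org[198.51.100.9] "
    "while receiving the initial server greeting)",
    "Mar 20 14:40:12 mx1 postfix/local[2110]: C3CD21F3E90: to=<alice@mx1.example.com>, "
    "relay=local, delay=1205, delays=1200/5/0/0.02, dsn=2.0.0, status=sent "
    "(delivered to mailbox)",
    "Mar 20 14:40:12 mx1 postfix/qmgr[1987]: C3CD21F3E90: from=<root@mx1.example.com>, "
    "size=1234, nrcpt=1 (queue active)",
]


def parse_delivery(line):
    """Return a dict for a delivery-attempt record, or None for any other log line."""
    m = DELIVERY_RE.search(line)
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("daemon", "qid", "to", "relay", "dsn", "status")}
    rec["delay"] = float(m.group("delay"))
    rec["delays"] = dict(zip(PHASES, (float(m.group(k)) for k in "abcd")))
    return rec


def slowest_phase(rec):
    """(phase, seconds) of the largest delays= component of one record."""
    return max(rec["delays"].items(), key=lambda kv: kv[1])


def slow_deliveries(lines, threshold):
    """(qid, status, phase, seconds) for every attempt whose total delay exceeds threshold."""
    found = []
    for line in lines:
        rec = parse_delivery(line)
        if rec is not None and rec["delay"] > threshold:
            phase, secs = slowest_phase(rec)
            found.append((rec["qid"], rec["status"], phase, secs))
    return found


if __name__ == "__main__":
    for qid, status, phase, secs in slow_deliveries(SAMPLE_LOG, 10):
        print("%s %-8s slowest phase %s (%.2fs)" % (qid, status, phase, secs))
```

Feed it `journalctl -u postfix` or the mail log instead of SAMPLE_LOG; the regex deliberately ignores qmgr and cleanup records, which carry no delays= field.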
1693
1694 delay_notice_recipient
1695 The recipient of postmaster notifications with the message headers of
1696 mail that cannot be delivered within $delay_warning_time time units.
1697
1698 See also: delay_warning_time, notify_classes.
1699
1700 delay_warning_time
1701 The time after which the sender receives a copy of the message headers
1702 of mail that is still queued. The confirm_delay_cleared parameter con‐
1703 trols sender notification when the delay clears up.
1704
1705 To enable this feature, specify a non-zero time value (an integral
1706 value plus an optional one-letter suffix that specifies the time unit).
1707
1708 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1709 The default time unit is h (hours).
1710
1711 See also: delay_notice_recipient, notify_classes, con‐
1712 firm_delay_cleared.
1713
1714 deliver_lock_attempts
1715 The maximal number of attempts to acquire an exclusive lock on a mail‐
1716 box file or bounce(8) logfile.
1717
1718 deliver_lock_delay
1719 The time between attempts to acquire an exclusive lock on a mailbox
1720 file or bounce(8) logfile.
1721
1722 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1723 The default time unit is s (seconds).
1724
1725 destination_concurrency_feedback_debug
1726 Make the queue manager's feedback algorithm verbose for performance
1727 analysis purposes.
1728
1729 This feature is available in Postfix 2.5 and later.
1730
1731 detect_8bit_encoding_header
1732 Automatically detect 8BITMIME body content by looking at Content-Trans‐
1733 fer-Encoding: message headers; historically, this behavior was
1734 hard-coded to be "always on".
1735
1736 This feature is available in Postfix 2.5 and later.
1737
1738 disable_dns_lookups
1739 Disable DNS lookups in the Postfix SMTP and LMTP clients. When dis‐
1740 abled, hosts are looked up with the getaddrinfo() system library rou‐
1741 tine which normally also looks in /etc/hosts. As of Postfix 2.11, this
1742 parameter is deprecated; use smtp_dns_support_level instead.
1743
1744 DNS lookups are enabled by default.
1745
1746 disable_mime_input_processing
1747 Turn off MIME processing while receiving mail. This means that no spe‐
1748 cial treatment is given to Content-Type: message headers, and that all
1749 text after the initial message headers is considered to be part of the
1750 message body.
1751
1752 This feature is available in Postfix 2.0 and later.
1753
1754 Mime input processing is enabled by default, and is needed in order to
1755 recognize MIME headers in message content.
1756
1757 disable_mime_output_conversion
1758 Disable the conversion of 8BITMIME format to 7BIT format. Mime output
1759 conversion is needed when the destination does not advertise 8BITMIME
1760 support.
1761
1762 This feature is available in Postfix 2.0 and later.
1763
1764 disable_verp_bounces
1765 Disable sending one bounce report per recipient.
1766
1767 The default, one per recipient, is what ezmlm needs.
1768
1769 This feature is available in Postfix 1.1 and later.
1770
1771 disable_vrfy_command
1772 Disable the SMTP VRFY command. This stops some techniques used to har‐
1773 vest email addresses. It does not affect address probing with the RCPT
1774 TO command, which still reveals whether a recipient is accepted.
1775
1776 Example (the default is "no"; specify "yes" to reject VRFY):
1777
1777 disable_vrfy_command = yes
1778
1779 dns_ncache_ttl_fix_enable
1780 Enable a workaround for future libc incompatibility. The Postfix imple‐
1781 mentation of RFC 2308 negative reply caching relies on the promise that
1782 res_query() and res_search() invoke res_send(), which returns the
1783 server response in an application buffer even if the requested record
1784 does not exist. If this promise is broken, specify "yes" to enable a
1785 workaround for DNS reputation lookups.
1786
1787 This feature is available in Postfix 3.1 and later.
1788
1789 dnsblog_reply_delay
1790 A debugging aid to artificially delay DNS responses.
1791
1792 This feature is available in Postfix 2.8.
1793
1794 dnsblog_service_name
1795 The name of the dnsblog(8) service entry in master.cf. This service
1796 performs DNS white/blacklist lookups.
1797
1798 This feature is available in Postfix 2.8 and later.
1799
1800 dont_remove
1801 Don't remove queue files and save them to the "saved" mail queue. This
1802 is a debugging aid. To inspect the envelope information and content of
1803 a Postfix queue file, use the postcat(1) command.
1804
1805 double_bounce_sender
1806 The sender address of postmaster notifications that are generated by
1807 the mail system. All mail to this address is silently discarded, in
1808 order to terminate mail bounce loops.
1809
1810 duplicate_filter_limit
1811 The maximal number of addresses remembered by the address duplicate
1812 filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
1813 queue displays.
1814
1815 empty_address_default_transport_maps_lookup_key
1816 The sender_dependent_default_transport_maps search string that will be
1817 used instead of the null sender address.
1818
1819 This feature is available in Postfix 2.7 and later.
1820
1821 empty_address_recipient
1822 The recipient of mail addressed to the null address. Postfix does not
1823 accept such addresses in SMTP commands, but they may still be created
1824 locally as the result of configuration or software error.
1825
1826 empty_address_relayhost_maps_lookup_key
1827 The sender_dependent_relayhost_maps search string that will be used
1828 instead of the null sender address.
1829
1830 This feature is available in Postfix 2.5 and later. With earlier ver‐
1831 sions, sender_dependent_relayhost_maps lookups were skipped for the
1832 null sender address.
1833
1834 enable_errors_to
1835 Report mail delivery errors to the address specified with the non-stan‐
1836 dard Errors-To: message header, instead of the envelope sender address
1837 (this feature is removed with Postfix version 2.2, is turned off by
1838 default with Postfix version 2.1, and is always turned on with older
1839 Postfix versions).
1840
1841 enable_idna2003_compatibility
1842 Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when
1843 converting UTF-8 domain names to/from the ASCII form that is used for
1844 DNS lookups. Specify "yes" for compatibility with Postfix <= 3.1 (not
1845 recommended). This affects the conversion of domain names that contain
1846 for example the German sz and the Greek zeta. See
1847 http://unicode.org/cldr/utility/idna.jsp for more examples.
1848
1849 This feature is available in Postfix 3.2 and later.
1850
1851 enable_long_queue_ids
1852 Enable long, non-repeating, queue IDs (queue file names). The benefit
1853 of non-repeating names is simpler logfile analysis and easier queue
1854 migration (there is no need to run "postsuper" to change queue file
1855 names that don't match their message file inode number).
1856
1857 Note: see below for how to convert long queue file names to Postfix <=
1858 2.8.
1859
1860 Changing the parameter value to "yes" has the following effects:
1861
1862 · Existing queue file names are not affected.
1863
1864 · New queue files are created with names such as 3Pt2mN2VXxznjll.
1865 These are encoded in a 52-character alphabet that contains dig‐
1866 its (0-9), upper-case letters (B-Z) and lower-case letters
1867 (b-z). For safety reasons the vowels (AEIOUaeiou) are excluded
1868 from the alphabet. The name format is: 6 or more characters for
1869 the time in seconds, 4 characters for the time in microseconds,
1870 the 'z'; the remainder is the file inode number encoded in the
1871 first 51 characters of the 52-character alphabet.
1872
1873 · New messages have a Message-ID header with queueID@myhostname.
1874
1875 · The mailq (postqueue -p) output has a wider Queue ID column.
1876 The number of whitespace-separated fields is not changed.
1877
1878 · The hash_queue_depth algorithm uses the first characters of the
1879 queue file creation time in microseconds, after conversion into
1880 hexadecimal representation. This produces the same queue hashing
1881 behavior as if the queue file name was created with
1882 "enable_long_queue_ids = no".
1883
1884 Changing the parameter value to "no" has the following effects:
1885
1886 · Existing long queue file names are renamed to the short form
1887 (while running "postfix reload" or "postsuper").
1888
1889 · New queue files are created with names such as C3CD21F3E90 from
1890 a hexadecimal alphabet that contains digits (0-9) and upper-case
1891 letters (A-F). The name format is: 5 characters for the time in
1892 microseconds; the remainder is the file inode number.
1893
1894 · New messages have a Message-ID header with
1895 YYYYMMDDHHMMSS.queueid@myhostname, where YYYYMMDDHHMMSS are the year,
1896 month, day, hour, minute and second.
1897
1898 · The mailq (postqueue -p) output has the same format as with
1899 Postfix <= 2.8.
1900
1901 · The hash_queue_depth algorithm uses the first characters of the
1902 queue file name, with the hexadecimal representation of the file
1903 creation time in microseconds.
1904
1905 Before migration to Postfix <= 2.8, the following commands are required
1906 to convert long queue file names into short names:
1907
1908 # postfix stop
1909 # postconf enable_long_queue_ids=no
1910 # postsuper
1911
1912 Repeat the postsuper command until it reports no more queue file name
1913 changes.
1914
1915 This feature is available in Postfix 2.9 and later.
1916
1917 enable_original_recipient
1918 Enable support for the original recipient address after an address is
1919 rewritten to a different address (for example with aliasing or with
1920 canonical mapping).
1921
1922 The original recipient address is used as follows:
1923
1924 Final delivery
1925 With "enable_original_recipient = yes", the original recipient
1926 address is stored in the X-Original-To message header. This
1927 header may be used to distinguish between different recipients
1928 that share the same mailbox.
1929
1930 Recipient deduplication
1931 With "enable_original_recipient = yes", the cleanup(8) daemon
1932 performs duplicate recipient elimination based on the content of
1933 (original recipient, maybe-rewritten recipient) pairs. Other‐
1934 wise, the cleanup(8) daemon performs duplicate recipient elimi‐
1935 nation based only on the maybe-rewritten recipient address.
1936
1937 Note: with Postfix <= 3.2 the setting "enable_original_recipient = no"
1938 breaks address verification for addresses that are aliased or otherwise
1939 rewritten (Postfix is unable to store the address verification result
1940 under the original probe destination address; instead, it can store the
1941 result only under the rewritten address).
1942
1943 This feature is available in Postfix 2.1 and later. Postfix version 2.0
1944 behaves as if this parameter is always set to yes. Postfix versions
1945 before 2.0 have no support for the original recipient address.
1946
1947 error_notice_recipient
1948 The recipient of postmaster notifications about mail delivery problems
1949 that are caused by policy, resource, software or protocol errors.
1950 These notifications are enabled with the notify_classes parameter.
1951
1952 error_service_name
1953 The name of the error(8) pseudo delivery agent. This service always
1954 returns mail as undeliverable.
1955
1956 This feature is available in Postfix 2.0 and later.
1957
1958 execution_directory_expansion_filter
1959 Restrict the characters that the local(8) delivery agent allows in
1960 $name expansions of $command_execution_directory. Characters outside
1961 the allowed set are replaced by underscores.
1962
1963 This feature is available in Postfix 2.2 and later.
1964
1965 expand_owner_alias
1966 When delivering to an alias "aliasname" that has an "owner-aliasname"
1967 companion alias, set the envelope sender address to the expansion of
1968 the "owner-aliasname" alias. Normally, Postfix sets the envelope
1969 sender address to the name of the "owner-aliasname" alias.
1970
1971 export_environment
1972 The list of environment variables that a Postfix process will export to
1973 non-Postfix processes. The TZ variable is needed for sane time keeping
1974 on System-V-ish systems.
1975
1976 Specify a list of names and/or name=value pairs, separated by white‐
1977 space or comma. Specify "{ name=value }" to protect whitespace or comma
1978 in parameter values (whitespace after the opening "{" and before the
1979 closing "}" is ignored). The form name=value is supported with Postfix
1980 version 2.1 and later; the use of {} is supported with Postfix 3.0 and
1981 later.
1982
1983 Example:
1984
1985 export_environment = TZ PATH=/bin:/usr/bin
1986
1987 extract_recipient_limit
1988 The maximal number of recipient addresses that Postfix will extract
1989 from message headers when mail is submitted with "sendmail -t".
1990
1991 This feature was removed in Postfix version 2.1.
1992
1993 fallback_relay
1994 Optional list of relay hosts for SMTP destinations that can't be found
1995 or that are unreachable. With Postfix 2.3 this parameter is renamed to
1996 smtp_fallback_relay.
1997
1998 By default, mail is returned to the sender when a destination is not
1999 found, and delivery is deferred when a destination is unreachable.
2000
2001 The fallback relays must be SMTP destinations. Specify a domain, host,
2002 host:port, [host]:port, [address] or [address]:port; the form [host]
2003 turns off MX lookups. If you specify multiple SMTP destinations, Post‐
2004 fix will try them in the specified order.
2005
2006 Note: before Postfix 2.2, do not use the fallback_relay feature when
2007 relaying mail for a backup or primary MX domain. Mail would loop
2008 between the Postfix MX host and the fallback_relay host when the final
2009 destination is unavailable. With those versions, keep the fallback
     relay out of the delivery path for MX domains as follows:
2010
2011 · In main.cf specify "relay_transport = relay",
2012
2013 · In master.cf specify "-o fallback_relay=" (i.e., empty; write it
2014 without whitespace around the "=", because master.cf splits "-o"
     arguments on whitespace) at the end of the relay entry.
2015
2016 · In transport maps, specify "relay:nexthop..." as the right-hand
2017 side for backup or primary MX domain entries.
2018
2019 Postfix version 2.2 and later will not use the fallback_relay feature
2020 for destinations that it is MX host for.
2021
2022 fallback_transport
2023 Optional message delivery transport that the local(8) delivery agent
2024 should use for names that are not found in the aliases(5) or UNIX pass‐
2025 word database.
2026
2027 The precedence of local(8) delivery features from high to low is:
2028 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2029 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2030 tory, fallback_transport_maps, fallback_transport and luser_relay.
2031
2032 fallback_transport_maps
2033 Optional lookup tables with per-recipient message delivery transports
2034 for recipients that the local(8) delivery agent could not find in the
2035 aliases(5) or UNIX password database.
2036
2037 The precedence of local(8) delivery features from high to low is:
2038 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2039 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2040 tory, fallback_transport_maps, fallback_transport and luser_relay.
2041
2042 For safety reasons, this feature does not allow $number substitutions
2043 in regular expression maps.
2044
2045 This feature is available in Postfix 2.3 and later.
2046
2047 fast_flush_domains
2048 Optional list of destinations that are eligible for per-destination
2049 logfiles with mail that is queued to those destinations.
2050
2051 By default, Postfix maintains "fast flush" logfiles only for destina‐
2052 tions that the Postfix SMTP server is willing to relay to (i.e. the
2053 default is: "fast_flush_domains = $relay_domains"; see the
2054 relay_domains parameter in the postconf(5) manual).
2055
2056 Specify a list of hosts or domains, "/file/name" patterns or "type:ta‐
2057 ble" lookup tables, separated by commas and/or whitespace. Continue
2058 long lines by starting the next line with whitespace. A "/file/name"
2059 pattern is replaced by its contents; a "type:table" lookup table is
2060 matched when the domain or its parent domain appears as lookup key.
2061
2062 Pattern matching of domain names is controlled by the presence or
2063 absence of "fast_flush_domains" in the parent_domain_matches_subdomains
2064 parameter value.
2065
2066 Specify "fast_flush_domains =" (i.e., empty) to disable the feature
2067 altogether.
2068
2069 fast_flush_purge_time
2070 The time after which an empty per-destination "fast flush" logfile is
2071 deleted.
2072
2073 You can specify the time as a number, or as a number followed by a let‐
2074 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
2075 d=days, w=weeks. The default time unit is days.
2076
2077 fast_flush_refresh_time
2078 The time after which a non-empty but unread per-destination "fast
2079 flush" logfile needs to be refreshed. The contents of a logfile are
2080 refreshed by requesting delivery of all messages listed in the logfile.
2081
2082 You can specify the time as a number, or as a number followed by a let‐
2083 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
2084 d=days, w=weeks. The default time unit is hours.
2085
2086 fault_injection_code
2087 Force specific internal tests to fail, to test the handling of errors
2088 that are difficult to reproduce otherwise.
2089
2090 flush_service_name
2091 The name of the flush(8) service. This service maintains per-destina‐
2092 tion logfiles with the queue file names of mail that is queued for
2093 those destinations.
2094
2095 This feature is available in Postfix 2.0 and later.
2096
2097 fork_attempts
2098 The maximal number of attempts to fork() a child process.
2099
2100 fork_delay
2101 The delay between attempts to fork() a child process.
2102
2103 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2104 The default time unit is s (seconds).
2105
2106 forward_expansion_filter
2107 Restrict the characters that the local(8) delivery agent allows in
2108 $name expansions of $forward_path. Characters outside the allowed set
2109 are replaced by underscores.
2110
2111 forward_path
2112 The local(8) delivery agent search list for finding a .forward file
2113 with user-specified delivery methods. The first file that is found is
2114 used.
2115
2116 The forward_path value is not subject to Postfix configuration parame‐
2117 ter $name expansion. Instead, the following $name expansions are done
2118 on forward_path before the search actually happens. The result of
2119 $name expansion is filtered with the character set that is specified
2120 with the forward_expansion_filter parameter.
2121
2122 $user The recipient's username.
2123
2124 $shell The recipient's login shell pathname.
2125
2126 $home The recipient's home directory.
2127
2128 $recipient
2129 The full recipient address.
2130
2131 $extension
2132 The optional recipient address extension.
2133
2134 $domain
2135 The recipient domain.
2136
2137 $local The entire recipient localpart.
2138
2139 $recipient_delimiter
2140 The address extension delimiter that was found in the recipient
2141 address (Postfix 2.11 and later), or the system-wide recipient
2142 address extension delimiter (Postfix 2.10 and earlier).
2143
2144 ${name?value}
2145 Expands to value when $name is non-empty.
2146
2147 ${name:value}
2148 Expands to value when $name is empty.
2149
2150 Instead of $name you can also specify ${name} or $(name).
2151
2152 Examples:
2153
2154 forward_path = /var/forward/$user
2155 forward_path =
2156 /var/forward/$user/.forward$recipient_delimiter$extension,
2157 /var/forward/$user/.forward
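The expander below is an added example, not code from local(8) or smtpd(8). It implements the $name, ${name}, $(name), ${name?text} and ${name:text} forms described for forward_path here and for the RBL reply template earlier on this page, applies a character filter to looked-up values only (literal template text is never rewritten), the way forward_expansion_filter is described, and expands each comma- or whitespace-separated forward_path entry as its own template, so a filtered value cannot add entries to the search list. Two things are assumptions from my memory of postconf(5) rather than this excerpt: the default forward_expansion_filter string, and the RBL variables $rbl_code, $rbl_class and $rbl_domain together with the wording of the default_rbl_reply template; confirm both with "postconf forward_expansion_filter default_rbl_reply".

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")   # the only characters allowed in a parameter name

# Assumed default of forward_expansion_filter (check with: postconf forward_expansion_filter).
FORWARD_EXPANSION_FILTER = ("1234567890!@%-_=+:,./"
                            "abcdefghijklmnopqrstuvwxyz"
                            "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Assumed default_rbl_reply template; $rbl_code, $rbl_class and $rbl_domain are
# not shown in this excerpt (check with: postconf default_rbl_reply).
DEFAULT_RBL_REPLY = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                     "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")


def _filtered(value, allowed):
    """Replace every character outside the allowed set by an underscore."""
    if allowed is None:
        return value
    return "".join(ch if ch in allowed else "_" for ch in value)


def _matching_close(text, start, open_ch, close_ch):
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %r in %r" % (open_ch, text))


def expand(template, attrs, allowed=None):
    """Expand $name, ${name}, $(name), ${name?text}, ${name:text}; undefined names are ""."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "$":
            out.append(ch)
            i += 1
        elif i + 1 < len(template) and template[i + 1] in "{(":
            open_ch = template[i + 1]
            close_ch = "}" if open_ch == "{" else ")"
            end = _matching_close(template, i + 1, open_ch, close_ch)
            body = template[i + 2:end]
            i = end + 1
            m = NAME_RE.match(body)
            if m is None:
                raise ValueError("bad parameter name in %r" % body)
            value = attrs.get(m.group(0), "")
            rest = body[m.end():]
            if rest == "":
                out.append(_filtered(value, allowed))
            elif rest[0] == "?":                      # text used when $name is non-empty
                if value != "":
                    out.append(expand(rest[1:], attrs, allowed))
            elif rest[0] == ":":                      # text used when $name is empty
                if value == "":
                    out.append(expand(rest[1:], attrs, allowed))
            else:
                raise ValueError("bad expression in %r" % body)
        else:
            m = NAME_RE.match(template, i + 1)
            if m is None:                             # a lone "$" is kept literally
                out.append(ch)
                i += 1
            else:
                out.append(_filtered(attrs.get(m.group(0), ""), allowed))
                i = m.end()
    return "".join(out)


def forward_search_list(forward_path, attrs):
    """Expand each entry of the forward_path search list with the filter applied."""
    return [expand(entry, attrs, FORWARD_EXPANSION_FILTER)
            for entry in re.split(r"[,\s]+", forward_path) if entry]


if __name__ == "__main__":
    # Constructed recipient attributes; the extension carries shell metacharacters.
    user = {"user": "alice", "home": "/home/alice", "recipient_delimiter": "+",
            "extension": "x y`id`", "domain": "example.com"}
    print(forward_search_list("$home/.forward${recipient_delimiter}${extension}, $home/.forward", user))
    print(expand(DEFAULT_RBL_REPLY, {"rbl_code": "554", "rbl_class": "Client host",
                                     "rbl_what": "192.0.2.1", "rbl_domain": "dnsbl.example",
                                     "rbl_reason": ""}))
```

The recursion matters: the text inside ${name?text} is expanded again, which is how "; $rbl_reason" in the RBL template gets its value, while a value that itself contains "$(home)" is not re-expanded and simply has its "$", "(" and ")" turned into underscores by the filter.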
2158
2159 frozen_delivered_to
2160 Update the local(8) delivery agent's idea of the Delivered-To: address
2161 (see prepend_delivered_header) only once, at the start of a delivery
2162 attempt; do not update the Delivered-To: address while expanding
2163 aliases or .forward files.
2164
2165 This feature is available in Postfix 2.3 and later. With older Postfix
2166 releases, the behavior is as if this parameter is set to "no". The old
2167 setting can be expensive with deeply nested aliases or .forward files.
2168 When an alias or .forward file changes the Delivered-To: address, it
2169 ties up one queue file and one cleanup process instance while mail is
2170 being forwarded.
2171
2172 hash_queue_depth
2173 The number of subdirectory levels for queue directories listed with the
2174 hash_queue_names parameter. Queue hashing is implemented by creating
2175 one or more levels of directories with one-character names. Origi‐
2176 nally, these directory names were equal to the first characters of the
2177 queue file name, with the hexadecimal representation of the file cre‐
2178 ation time in microseconds.
2179
2180 With long queue file names, queue hashing produces the same results as
2181 with short names. The file creation time in microseconds is converted
2182 into hexadecimal form before the result is used for queue hashing. The
2183 base 16 encoding gives finer control over the number of subdirectories
2184 than is possible with the base 52 encoding of long queue file names.
2185
2186 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2187 cute the command "postfix reload".
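The decoder below is an added example, not Postfix code. It implements the two queue file name encodings exactly as the enable_long_queue_ids entry above describes them, round-trips the long form, and computes the hash_queue_depth subdirectory for either form as this entry describes it. Two details are my reading of that description rather than anything it states outright: because the inode part is encoded in base 51, the last "z" in a long name is taken as the separator; and the microsecond field of a long name is rendered as five upper-case hex digits (the width of the short form's microsecond field) before hashing. The two queue IDs are the ones quoted in the man page text, and the creation time decoded from the long one is consistent with when long queue IDs were introduced.

```python
from datetime import datetime, timezone

# The 52-character alphabet from the enable_long_queue_ids description:
# digits 0-9, then the upper- and lower-case letters with the vowels removed.
LG_ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
LG_INDEX = {ch: i for i, ch in enumerate(LG_ALPHABET)}
LG_TIME_BASE = 52   # seconds and microseconds use the whole alphabet
LG_INUM_BASE = 51   # the inode uses the first 51 characters, so it never contains 'z'
LG_INUM_SEP = "z"   # ...which is why the LAST 'z' can serve as separator (my reading)
LG_TIME_PAD = 6     # "6 or more characters for the time in seconds"
LG_USEC_PAD = 4     # "4 characters for the time in microseconds"
SH_USEC_PAD = 5     # short form: 5 hex digits of microseconds, then the inode in hex


def _encode(value, base, pad):
    """Big-endian base-N encoding in the alphabet above, left-padded with '0' to pad digits."""
    digits = []
    while True:
        digits.append(LG_ALPHABET[value % base])
        value //= base
        if value == 0:
            break
    return "".join(reversed(digits)).rjust(pad, "0")


def _decode(text, base):
    value = 0
    for ch in text:
        digit = LG_INDEX.get(ch)
        if digit is None or digit >= base:
            raise ValueError("character %r is not a base-%d digit" % (ch, base))
        value = value * base + digit
    return value


def encode_long_queue_id(seconds, usec, inode):
    """Build a long queue ID from the creation time (seconds, microseconds) and inode."""
    return (_encode(seconds, LG_TIME_BASE, LG_TIME_PAD)
            + _encode(usec, LG_TIME_BASE, LG_USEC_PAD)
            + LG_INUM_SEP
            + _encode(inode, LG_INUM_BASE, 0))


def decode_queue_id(qid):
    """Split a long or short queue ID into its creation-time and inode fields."""
    if LG_INUM_SEP in qid:
        head, inum = qid.rsplit(LG_INUM_SEP, 1)
        if len(head) < LG_TIME_PAD + LG_USEC_PAD:
            raise ValueError("long queue ID too short: %r" % qid)
        seconds = _decode(head[:-LG_USEC_PAD], LG_TIME_BASE)
        usec = _decode(head[-LG_USEC_PAD:], LG_TIME_BASE)
        return {"long": True, "seconds": seconds, "usec": usec,
                "inode": _decode(inum, LG_INUM_BASE),
                "created": datetime.fromtimestamp(seconds, timezone.utc).isoformat()}
    if len(qid) <= SH_USEC_PAD or qid != qid.upper():
        raise ValueError("not a short queue ID: %r" % qid)
    return {"long": False, "seconds": None, "created": None,
            "usec": int(qid[:SH_USEC_PAD], 16), "inode": int(qid[SH_USEC_PAD:], 16)}


def hash_queue_dir(qid, depth):
    """Subdirectory path ('5/6' for depth 2) under which hash_queue_depth=depth files qid."""
    info = decode_queue_id(qid)
    # Short names begin with the hex microseconds; long names are hashed on the same
    # hex rendering of their microsecond field, which keeps the directory layout identical.
    key = qid if not info["long"] else format(info["usec"], "0%dX" % SH_USEC_PAD)
    if not 0 <= depth <= len(key):
        raise ValueError("hash_queue_depth %d out of range for %r" % (depth, qid))
    return "/".join(key[:depth])


if __name__ == "__main__":
    for qid in ("3Pt2mN2VXxznjll", "C3CD21F3E90"):   # the two names quoted in postconf(5)
        print(qid, decode_queue_id(qid), "dir:", hash_queue_dir(qid, 1))
```

This is also a quick way to sanity-check a log: a long queue ID whose decoded creation time is hours away from the log timestamp of its first qmgr record was not created on this host at that time, which is worth a second look during incident triage.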
2188
2189 hash_queue_names
2190 The names of queue directories that are split across multiple subdirec‐
2191 tory levels.
2192
2193 Before Postfix version 2.2, the default list of hashed queues was sig‐
2194 nificantly larger. Claims about improvements in file system technology
2195 suggest that hashing of the incoming and active queues is no longer
2196 needed. Fewer hashed directories speed up the time needed to restart
2197 Postfix.
2198
2199 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2200 cute the command "postfix reload".
2201
2202 header_address_token_limit
2203 The maximal number of address tokens that are allowed in an address
2204 message header. Information that exceeds the limit is discarded. The
2205 limit is enforced by the cleanup(8) server.
2206
2207 header_checks
2208 Optional lookup tables for content inspection of primary non-MIME mes‐
2209 sage headers, as specified in the header_checks(5) manual page.
2210
2211 header_from_format
2212 The format of the Postfix-generated From: header. This setting affects
2213 the appearance of 'full name' information when a local program such as
2214 /bin/mail submits a message without From: header through the Postfix
2215 sendmail(1) command.
2216
2217 Specify one of the following:
2218
2219 standard (default)
2220 Produce a header formatted as "From: name <address>". This is
2221 the default as of Postfix 3.3.
2222
2223 obsolete
2224 Produce a header formatted as "From: address (name)". This is
2225 the behavior prior to Postfix 3.3.
2226
2227 Notes:
2228
2229 · Postfix generates the format "From: address" when name informa‐
2230 tion is unavailable or the envelope sender address is empty.
2231 This is the same behavior as prior to Postfix 3.3.
2232
2233 · In the standard form, the name will be quoted if it contains
2234 specials as defined in RFC 5322, or the "!%" address operators.
2235
2236 · The Postfix sendmail(1) command gets name information from the
2237 -F command-line option, from the NAME environment variable, or
2238 from the UNIX password file.
2239
2240 This feature is available in Postfix 3.3 and later.
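An added example (not Postfix code) that renders the From: header for both header_from_format settings according to the rules in this entry. The quoted-pair escaping inside a quoted display name and inside the obsolete form's comment follows RFC 5322 and is my choice of detail, as is refusing an empty envelope sender (this entry only says that name information is dropped in that case).

```python
# RFC 5322 "specials"; per the entry above, a name containing one of these (or the
# "!" / "%" address operators) is quoted in the standard form.
RFC5322_SPECIALS = set('()<>[]:;@\\,."')
ADDRESS_OPERATORS = set("!%")


def _quoted_string(name):
    """Quote the display name only when RFC 5322 requires it."""
    if not any(ch in RFC5322_SPECIALS or ch in ADDRESS_OPERATORS for ch in name):
        return name
    # quoted-pair escaping of backslash and double quote (my detail, per RFC 5322)
    return '"%s"' % name.replace("\\", "\\\\").replace('"', '\\"')


def _comment(name):
    """Render the name as an RFC 5322 comment; parentheses and backslashes are escaped."""
    escaped = name.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return "(%s)" % escaped


def from_header(address, name=None, header_from_format="standard"):
    """From: header for a local submission that carried none (see header_from_format)."""
    if not address:
        # The entry only says the name is dropped for an empty envelope sender; what
        # address Postfix then writes is not stated here, so this case is refused.
        raise ValueError("empty envelope sender")
    if header_from_format not in ("standard", "obsolete"):
        raise ValueError("header_from_format must be 'standard' or 'obsolete'")
    if not name:                                # "From: address" when no name is available
        return "From: %s" % address
    if header_from_format == "standard":
        return "From: %s <%s>" % (_quoted_string(name), address)
    return "From: %s %s" % (address, _comment(name))


if __name__ == "__main__":
    # A name passed with "sendmail -F" that tries to smuggle a second address:
    # in the standard form it is quoted, so it stays display text.
    print(from_header("alice@example.com", "Mallory <ceo@example.com>"))
    print(from_header("alice@example.com", "Mallory <ceo@example.com>", "obsolete"))
```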
2241
2242 header_size_limit
2243 The maximal amount of memory in bytes for storing a message header. If
2244 a header is larger, the excess is discarded. The limit is enforced by
2245 the cleanup(8) server.
2246
2247 helpful_warnings
2248 Log warnings about problematic configuration settings, and provide
2249 helpful suggestions.
2250
2251 This feature is available in Postfix 2.0 and later.
2252
2253 home_mailbox
2254 Optional pathname of a mailbox file relative to a local(8) user's home
2255 directory.
2256
2257 Specify a pathname ending in "/" for qmail-style delivery.
2258
2259 The precedence of local(8) delivery features from high to low is:
2260 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2261 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2262 tory, fallback_transport_maps, fallback_transport and luser_relay.
2263
2264 Examples:
2265
2266 home_mailbox = Mailbox
2267 home_mailbox = Maildir/
2268
2269 hopcount_limit
2270 The maximal number of Received: message headers that is allowed in the
2271 primary message headers. A message that exceeds the limit is bounced,
2272 in order to stop a mailer loop.
2273
2274 html_directory
2275 The location of Postfix HTML files that describe how to build, config‐
2276 ure or operate a specific Postfix subsystem or feature.
2277
2278 ignore_mx_lookup_error
2279 Ignore DNS MX lookups that produce no response. By default, the Post‐
2280 fix SMTP client defers delivery and tries again after some delay. This
2281 behavior is required by the SMTP standard.
2282
2283 Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup
2284 instead. This violates the SMTP standard and can result in mis-delivery
2285 of mail.
2286
2287 import_environment
2288 The list of environment parameters that a privileged Postfix process
2289 will import from a non-Postfix parent process, or name=value environ‐
2290 ment overrides. Unprivileged utilities will enforce the name=value
2291 overrides, but otherwise will not change their process environment.
2292 Examples of relevant parameters:
2293
2294 TZ May be needed for sane time keeping on most System-V-ish sys‐
2295 tems.
2296
2297 DISPLAY
2298 Needed for debugging Postfix daemons with an X-windows debugger.
2299
2300 XAUTHORITY
2301 Needed for debugging Postfix daemons with an X-windows debugger.
2302
2303 MAIL_CONFIG
2304 Needed to make "postfix -c" work.
2305
2306 Specify a list of names and/or name=value pairs, separated by white‐
2307 space or comma. Specify "{ name=value }" to protect whitespace or comma
2308 in parameter values (whitespace after the opening "{" and before the
2309 closing "}" is ignored). The form name=value is supported with Postfix
2310 version 2.1 and later; the use of {} is supported with Postfix 3.0 and
2311 later.
2312
2313 in_flow_delay
2314 Time to pause before accepting a new message, when the message arrival
2315 rate exceeds the message delivery rate. This feature is turned on by
2316 default (it's disabled on SCO UNIX due to an SCO bug).
2317
2318 With the default 100 Postfix SMTP server process limit, "in_flow_delay
2319 = 1s" limits the mail inflow to 100 messages per second above the num‐
2320 ber of messages delivered per second.
2321
2322 Specify 0 to disable the feature. Valid delays are 0..10.
2323
2324 inet_interfaces
2325 The network interface addresses that this mail system receives mail on.
2326 Specify "all" to receive mail on all network interfaces (default), and
2327 "loopback-only" to receive mail on loopback network interfaces only
2328 (Postfix version 2.2 and later). The parameter also controls delivery
2329 of mail to user@[ip.address].
2330
2331 Note 1: you need to stop and start Postfix when this parameter changes.
2332
2333 Note 2: address information may be enclosed inside [], but this form is
2334 not required here.
2335
2336 When inet_interfaces specifies just one IPv4 and/or IPv6 address that
2337 is not a loopback address, the Postfix SMTP client will use this
2338 address as the IP source address for outbound mail. Support for IPv6 is
2339 available in Postfix version 2.2 and later.
2340
2341 On a multi-homed firewall with separate Postfix instances listening on
2342 the "inside" and "outside" interfaces, this can prevent each instance
2343 from being able to reach remote SMTP servers on the "other side" of the
2344 firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential
2345 problem for IPv4, and setting smtp_bind_address6 to :: solves the prob‐
2346 lem for IPv6.
2347
2348 A better solution for multi-homed firewalls is to leave inet_interfaces
2349 at the default value and instead use explicit IP addresses in the mas‐
2350 ter.cf SMTP server definitions. This preserves the Postfix SMTP
2351 client's loop detection, by ensuring that each side of the firewall
2352 knows that the other IP address is still the same host. Setting
2353 $inet_interfaces to a single IPv4 and/or IPv6 address is primarily use‐
2354 ful with virtual hosting of domains on secondary IP addresses, when
2355 each IP address serves a different domain (and has a different $myhost‐
2356 name setting).
2357
2358 See also the proxy_interfaces parameter, for network addresses that are
2359 forwarded to Postfix by way of a proxy or address translator.
2360
2361 Examples:
2362
2363 inet_interfaces = all (DEFAULT)
2364 inet_interfaces = loopback-only (Postfix version 2.2 and later)
2365 inet_interfaces = 127.0.0.1
2366 inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2367 inet_interfaces = 192.168.1.2, 127.0.0.1
2368
2370 The Internet protocols Postfix will attempt to use when making or
2371 accepting connections. Specify one or more of "ipv4" or "ipv6", sepa‐
2372 rated by whitespace or commas. The form "all" is equivalent to "ipv4,
2373 ipv6" or "ipv4", depending on whether the operating system implements
2374 IPv6.
2375
2376 With Postfix 2.8 and earlier the default is "ipv4". For backwards com‐
2377 patibility with these releases, the Postfix 2.9 and later upgrade pro‐
2378 cedure appends an explicit "inet_protocols = ipv4" setting to main.cf
2379 when no explicit setting is present. This compatibility workaround will
2380 be phased out as IPv6 deployment becomes more common.
2381
2382 This feature is available in Postfix 2.2 and later.
2383
2384 Note: you MUST stop and start Postfix after changing this parameter.
2385
2386 On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
2387 will also accept IPv4 connections, even when IPv4 is turned off with
2388 the inet_protocols parameter. On systems with IPV6_V6ONLY support,
2389 Postfix will use separate server sockets for IPv6 and IPv4, and each
2390 will accept only connections for the corresponding protocol.
2391
2392 When IPv4 support is enabled via the inet_protocols parameter, Postfix
2393 will look up DNS type A records, and will convert IPv4-in-IPv6 client
2394 IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
2395 The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
2396 3493).
2397
2398 When IPv6 support is enabled via the inet_protocols parameter, Postfix
2399 will do DNS type AAAA record lookups.
2400
2401 When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
2402 will choose the protocol as specified with the smtp_address_preference
2403 parameter. Postfix versions before 2.8 attempt to connect via IPv6
2404 before attempting to use IPv4.
2405
2406 Examples:
2407
2408 inet_protocols = ipv4
2409 inet_protocols = all (DEFAULT)
2410 inet_protocols = ipv6
2411 inet_protocols = ipv4, ipv6
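
The following Python script is an added example, not part of postconf(5)
or of the Postfix code base. It reads inet_interfaces and inet_protocols
from a main.cf fragment and checks them against the rules stated above:
list elements separated by whitespace or commas, optional [] around
addresses, "all" and "loopback-only" as the only keywords, no IPv6
address while inet_protocols leaves IPv6 off, and the note that a single
non-loopback address also becomes the SMTP client's source address. The
main.cf text is constructed, and the checker accepts only literal IP
addresses (it does not resolve hostnames).

```python
"""Lint inet_interfaces / inet_protocols from a main.cf fragment.
Added example, not Postfix code: the checks encode the rules stated on
this page, and the sample main.cf text is constructed."""
import ipaddress
import re

KEYWORDS = ("all", "loopback-only")


def split_list(value):
    """Split a Postfix list value on whitespace and/or commas."""
    return [item for item in re.split(r"[\s,]+", value.strip()) if item]


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value' logical lines, '#' comment
    lines, and whitespace-led continuation lines. A later setting of the
    same parameter overrides an earlier one."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def classify(item):
    """Return the keyword itself or an ipaddress object. The optional []
    around an address (Note 2 above) is stripped. Raises ValueError for
    anything else; hostnames are deliberately not accepted here."""
    if item in KEYWORDS:
        return item
    return ipaddress.ip_address(item.strip("[]"))


def check_inet(params):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    protocols = split_list(params.get("inet_protocols", "all"))
    if "all" in protocols:
        protocols = ["ipv4", "ipv6"]
    for proto in protocols:
        if proto not in ("ipv4", "ipv6"):
            findings.append("inet_protocols: unknown value %r" % proto)

    items = split_list(params.get("inet_interfaces", "all"))
    addrs = []
    for item in items:
        try:
            kind = classify(item)
        except ValueError:
            findings.append("inet_interfaces: %r is not a literal address or keyword" % item)
            continue
        if kind in KEYWORDS:
            if len(items) > 1:
                findings.append("inet_interfaces: %r cannot be combined with other entries" % item)
        else:
            addrs.append(kind)

    families = {a.version for a in addrs}
    if 4 in families and "ipv4" not in protocols:
        findings.append("inet_interfaces lists an IPv4 address but inet_protocols excludes ipv4")
    if 6 in families and "ipv6" not in protocols:
        findings.append("inet_interfaces lists an IPv6 address but inet_protocols excludes ipv6")

    # Rule from the text above: just one non-loopback IPv4 and/or IPv6
    # address also becomes the SMTP client's source address for outbound
    # mail unless smtp_bind_address / smtp_bind_address6 override it.
    non_loopback = [a for a in addrs if not a.is_loopback]
    if addrs and len(non_loopback) == len(addrs) == len(families):
        findings.append("note: a single non-loopback inet_interfaces address per family "
                        "becomes the SMTP client source address unless "
                        "smtp_bind_address/smtp_bind_address6 is set")
    return findings


def lint(main_cf_text):
    return check_inet(parse_main_cf(main_cf_text))


# Constructed main.cf fragment: an IPv6 loopback address is listed while
# inet_protocols leaves IPv6 off, a mismatch worth flagging.
SAMPLE_MAIN_CF = """\
# constructed example, not a real host's configuration
inet_protocols = ipv4
inet_interfaces = 192.168.1.2,
    [::1]
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_MAIN_CF):
        print(finding)
```

Run it against a copy of main.cf before the stop/start that both
parameters require; the "note:" finding is informational and is what the
multi-homed firewall discussion above is about.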
2412
2414 The email address form that will be used in non-debug logging (info,
2415 warning, etc.). As of Postfix 3.5 when an address localpart contains
2416 spaces or other special characters, the localpart will be quoted, for
2417 example:
2418
2419 from=<"name with spaces"@example.com>
2420
2421 Older Postfix versions would log the internal (unquoted) form:
2422
2423 from=<name with spaces@example.com>
2424
2425 The external and internal forms are identical for the vast majority of
2426 email addresses that contain no spaces or other special characters in
2427 the localpart.
2428
2429 The logging in external form is consistent with the address form that
2430 Postfix 3.2 and later prefer for most table lookups. This is therefore
2431 the more useful form for non-debug logging.
2432
2433 Specify "info_log_address_format = internal" for backwards compatibil‐
2434 ity.
2435
2436 Postfix uses the unquoted form internally, because an attacker can
2437 specify an email address in different forms by playing games with
2438 quotes and backslashes. An attacker should not be able to use such
2439 games to circumvent Postfix access policies.
2440
2441 This feature is available in Postfix 3.5 and later.
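
An added example (not Postfix code) of the two address forms and of why
access policy lookups must key on the internal one. quote_localpart()
produces the external form that Postfix 3.5 logs; internal_form() strips
quotes and backslash pairs the way a lookup key has to be normalized, so
that "badguy"@example.com, "bad\guy"@example.com and badguy@example.com
all hit the same access entry. The quoting rules follow RFC 5321 atom
syntax; the canonicalization is this example's own simplification rather
than a transcript of Postfix's parser, and the access map is constructed.

```python
"""External (quoted) vs. internal (unquoted) address forms, and why access
policy lookups must key on the internal form. Added example, not Postfix
code: quoting follows RFC 5321 atom syntax, but the canonicalization is
this example's own simplification, not a transcript of Postfix's parser."""

# RFC 5321 "atext": characters allowed unquoted in a localpart atom.
ATEXT = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!#$%&'*+-/=?^_`{|}~")


def needs_quoting(local):
    """A dot-string of atoms needs no quotes; anything else does."""
    if not local or local.startswith(".") or local.endswith(".") or ".." in local:
        return True
    return any(c not in ATEXT and c != "." for c in local)


def quote_localpart(local):
    """Internal localpart -> external form (what Postfix 3.5 logs)."""
    if not needs_quoting(local):
        return local
    return '"' + local.replace("\\", "\\\\").replace('"', '\\"') + '"'


def split_address(addr):
    """Split an external-form address at the last '@' that is outside a
    quoted string and not escaped. Returns (localpart, domain)."""
    in_quote, at, i = False, -1, 0
    while i < len(addr):
        c = addr[i]
        if c == "\\":
            i += 2            # skip the escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "@" and not in_quote:
            at = i
        i += 1
    if at < 0:
        raise ValueError("no unquoted @ in %r" % addr)
    return addr[:at], addr[at + 1:]


def unquote_localpart(ext):
    """External localpart -> internal form: drop the surrounding quotes and
    resolve backslash pairs, so the quoted, bare and backslashed spellings
    of one name all collapse to the same string."""
    out, i = [], 0
    while i < len(ext):
        c = ext[i]
        if c == "\\" and i + 1 < len(ext):
            out.append(ext[i + 1])
            i += 2
        elif c == '"':
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def internal_form(addr):
    local, domain = split_address(addr)
    return unquote_localpart(local) + "@" + domain


def external_form(local, domain):
    return quote_localpart(local) + "@" + domain


# Constructed access-style map keyed by internal form.
ACCESS_MAP = {"badguy@example.com": "REJECT"}


def lookup_access(access_map, addr):
    """Canonicalize before lookup so quote/backslash games cannot dodge a
    REJECT entry. Returns "DUNNO" (no decision) when there is no entry."""
    return access_map.get(internal_form(addr), "DUNNO")


if __name__ == "__main__":
    print(external_form("name with spaces", "example.com"))
    for attempt in ['badguy@example.com', '"badguy"@example.com', '"bad\\guy"@example.com']:
        print(attempt, "->", internal_form(attempt), lookup_access(ACCESS_MAP, attempt))
```

The same normalization is why a log line in external form and a table
key in internal form can describe the same sender: compare them only
after running both through internal_form().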
2442
2444 The initial per-destination concurrency level for parallel delivery to
2445 the same destination. With per-destination recipient limit > 1, a des‐
2446 tination is a domain, otherwise it is a recipient.
2447
2448 Use transport_initial_destination_concurrency to specify a trans‐
2449 port-specific override, where transport is the master.cf name of the
2450 message delivery transport (Postfix 2.5 and later).
2451
2452 Warning: with concurrency of 1, one bad message can be enough to block
2453 all mail to a site.
2454
2456 What categories of Postfix-generated mail are subject to before-queue
2457 content inspection by non_smtpd_milters, header_checks and body_checks.
2458 Specify zero or more of the following, separated by whitespace or
2459 comma.
2460
2461 bounce Inspect the content of delivery status notifications.
2462
2463 notify Inspect the content of postmaster notifications by the smtp(8)
2464 and smtpd(8) processes.
2465
2466 NOTE: It's generally not safe to enable content inspection of Post‐
2467 fix-generated email messages. The user is warned.
2468
2469 This feature is available in Postfix 2.3 and later.
2470
2472 The numerical Postfix SMTP server response code when the client HELO or
2473 EHLO command parameter is rejected by the reject_invalid_helo_hostname
2474 restriction.
2475
2476 Do not change this unless you have a complete understanding of RFC
2477 5321.
2478
2480 The time after which a client closes an idle internal communication
2481 channel. The purpose is to allow Postfix daemon processes to terminate
2482 voluntarily after they become idle. This is used, for example, by the
2483 Postfix address resolving and rewriting clients.
2484
2485 With Postfix 2.4 the default value was reduced from 100s to 5s.
2486
2487 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2488 The default time unit is s (seconds).
2489
2491 The time limit for sending or receiving information over an internal
2492 communication channel. The purpose is to break out of deadlock situa‐
2493 tions. If the time limit is exceeded the software aborts with a fatal
2494 error.
2495
2496 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2497 The default time unit is s (seconds).
2498
2500 The time after which a client closes an active internal communication
2501 channel. The purpose is to allow Postfix daemon processes to terminate
2502 voluntarily after reaching their client limit. This is used, for exam‐
2503 ple, by the Postfix address resolving and rewriting clients.
2504
2505 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2506 The default time unit is s (seconds).
2507
2508 This feature is available in Postfix 2.1 and later.
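
Added example (not Postfix code): a parser for the time-value syntax that
ipc_idle, ipc_timeout, ipc_ttl and the lmtp_*_timeout parameters on this
page share, with a small checker that applies the two range rules the page
states (in_flow_delay must be 0..10, and a zero connect timeout means the
operating system's own limit) and the in_flow_delay sizing arithmetic
from the top of this section. The settings dictionary is constructed.

```python
"""Parse the Postfix time-value syntax used by ipc_idle, ipc_timeout,
ipc_ttl and the lmtp_*_timeout parameters, and apply the two range rules
this page states. Added example, not Postfix code; the settings below are
constructed."""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value, default_unit="s"):
    """Return the value in seconds. A bare number takes the parameter's
    default unit, which for every parameter on this page is seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError("bad time value %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or default_unit]


def inflow_ceiling(smtpd_process_limit, in_flow_delay):
    """Messages per second that in_flow_delay admits above the delivery
    rate: the SMTP server process limit divided by the pause."""
    seconds = parse_time(in_flow_delay)
    if seconds == 0:
        return None  # feature disabled, no ceiling
    return smtpd_process_limit / seconds


def check_time_settings(settings):
    """settings: main.cf parameter name -> value string. Returns findings."""
    findings = []
    for name, value in settings.items():
        try:
            seconds = parse_time(value)
        except ValueError as err:
            findings.append("%s: %s" % (name, err))
            continue
        if name == "in_flow_delay" and not 0 <= seconds <= 10:
            findings.append("in_flow_delay: valid delays are 0..10, got %ds" % seconds)
        if name.endswith("_connect_timeout") and seconds == 0:
            findings.append("%s: 0 defers to the operating system's built-in connect time limit" % name)
    return findings


# Constructed settings, mixing unit suffixes with a bare number.
SAMPLE_SETTINGS = {
    "in_flow_delay": "1s",
    "ipc_idle": "5s",
    "ipc_timeout": "3600s",
    "lmtp_connect_timeout": "0",
    "lmtp_data_done_timeout": "10m",
}

if __name__ == "__main__":
    print("inflow ceiling:", inflow_ceiling(100, SAMPLE_SETTINGS["in_flow_delay"]))
    for finding in check_time_settings(SAMPLE_SETTINGS):
        print(finding)
```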
2509
2511 Upon input, long lines are chopped up into pieces of at most this
2512 length; upon delivery, long lines are reconstructed.
2513
2515 The initial OpenLDAP LMDB database size limit in bytes. Each time a
2516 database becomes full, its size limit is doubled.
2517
2518 This feature is available in Postfix 2.11 and later.
2519
2521 The LMTP-specific version of the smtp_address_preference configuration
2522 parameter. See there for details.
2523
2524 This feature is available in Postfix 2.8 and later.
2525
2527 The LMTP-specific version of the smtp_address_verify_target configura‐
2528 tion parameter. See there for details.
2529
2530 This feature is available in Postfix 3.0 and later.
2531
2533 When a remote LMTP server announces no DSN support, assume that the
2534 server performs final delivery, and send "delivered" delivery status
2535 notifications instead of "relayed". The default setting is backwards
2536 compatible to avoid the infinitesimal possibility of breaking existing
2537 LMTP-based content filters.
2538
2540 The LMTP-specific version of the smtp_balance_inet_protocols configura‐
2541 tion parameter. See there for details.
2542
2543 This feature is available in Postfix 3.3 and later.
2544
2546 The LMTP-specific version of the smtp_bind_address configuration param‐
2547 eter. See there for details.
2548
2549 This feature is available in Postfix 2.3 and later.
2550
2552 The LMTP-specific version of the smtp_bind_address6 configuration
2553 parameter. See there for details.
2554
2555 This feature is available in Postfix 2.3 and later.
2556
2558 The LMTP-specific version of the smtp_body_checks configuration parame‐
2559 ter. See there for details.
2560
2561 This feature is available in Postfix 2.5 and later.
2562
2564 Keep Postfix LMTP client connections open for up to $max_idle seconds.
2565 When the LMTP client receives a request for the same connection the
2566 connection is reused.
2567
2568 This parameter is available in Postfix version 2.2 and earlier. With
2569 Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
2570 lmtp_connection_cache_destinations, or lmtp_connection_re‐
2571 use_time_limit.
2572
2573 The effectiveness of cached connections will be determined by the num‐
2574 ber of remote LMTP servers in use, and the concurrency limit specified
2575 for the Postfix LMTP client. Cached connections are closed under any of
2576 the following conditions:
2577
2578 · The Postfix LMTP client idle time limit is reached. This limit
2579 is specified with the Postfix max_idle configuration parameter.
2580
2581 · A delivery request specifies a different destination than the
2582 one currently cached.
2583
2584 · The per-process limit on the number of delivery requests is
2585 reached. This limit is specified with the Postfix max_use con‐
2586 figuration parameter.
2587
2588 · Upon the onset of another delivery request, the remote LMTP
2589 server associated with the current session does not respond to
2590 the RSET command.
2591
2592 Most of these limitations have been addressed with the Postfix 2.3 con‐
2593 nection cache that is shared among multiple LMTP client programs.
2594
2596 The LMTP-specific version of the smtp_cname_overrides_servername con‐
2597 figuration parameter. See there for details.
2598
2599 This feature is available in Postfix 2.3 and later.
2600
2602 The Postfix LMTP client time limit for completing a TCP connection, or
2603 zero (use the operating system built-in time limit). When no connec‐
2604 tion can be made within the deadline, the LMTP client tries the next
2605 address on the mail exchanger list.
2606
2607 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2608 The default time unit is s (seconds).
2609
2610 Example:
2611
2612 lmtp_connect_timeout = 30s
2613
2615 The LMTP-specific version of the smtp_connection_cache_destinations
2616 configuration parameter. See there for details.
2617
2618 This feature is available in Postfix 2.3 and later.
2619
2621 The LMTP-specific version of the smtp_connection_cache_on_demand con‐
2622 figuration parameter. See there for details.
2623
2624 This feature is available in Postfix 2.3 and later.
2625
2627 The LMTP-specific version of the smtp_connection_cache_time_limit con‐
2628 figuration parameter. See there for details.
2629
2630 This feature is available in Postfix 2.3 and later.
2631
2633 The LMTP-specific version of the smtp_connection_reuse_count_limit con‐
2634 figuration parameter. See there for details.
2635
2636 This feature is available in Postfix 2.11 and later.
2637
2639 The LMTP-specific version of the smtp_connection_reuse_time_limit con‐
2640 figuration parameter. See there for details.
2641
2642 This feature is available in Postfix 2.3 and later.
2643
2645 The Postfix LMTP client time limit for sending the LMTP ".", and for
2646 receiving the remote LMTP server response. When no response is
2647 received within the deadline, a warning is logged that the mail may be
2648 delivered multiple times.
2649
2650 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2651 The default time unit is s (seconds).
2652
2654 The Postfix LMTP client time limit for sending the LMTP DATA command,
2655 and for receiving the remote LMTP server response.
2656
2657 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2658 The default time unit is s (seconds).
2659
2661 The Postfix LMTP client time limit for sending the LMTP message con‐
2662 tent. When the connection stalls for more than $lmtp_data_xfer_timeout
2663 the LMTP client terminates the transfer.
2664
2665 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2666 The default time unit is s (seconds).
2667
2669 The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2670 figuration parameter. See there for details.
2671
2672 This feature is available in Postfix 2.3 and later.
2673
2675 The LMTP-specific version of the smtp_delivery_status_filter configura‐
2676 tion parameter. See there for details.
2677
2678 This feature is available in Postfix 3.0 and later.
2679
2682 The maximal number of parallel deliveries to the same destination via
2683 the lmtp message delivery transport. This limit is enforced by the
2684 queue manager. The message delivery transport name is the first field
2685 in the entry in the master.cf file.
2686
2689 The maximal number of recipients per message for the lmtp message
2690 delivery transport. This limit is enforced by the queue manager. The
2691 message delivery transport name is the first field in the entry in the
2692 master.cf file.
2693
2694 Setting this parameter to a value of 1 changes the meaning of lmtp_des‐
2695 tination_concurrency_limit from concurrency per domain into concurrency
2696 per recipient.
2697
2699 Lookup tables, indexed by the remote LMTP server address, with case
2700 insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
2701 that the Postfix LMTP client will ignore in the LHLO response from a
2702 remote LMTP server. See lmtp_discard_lhlo_keywords for details. The ta‐
2703 ble is not indexed by hostname for consistency with smtpd_dis‐
2704 card_ehlo_keyword_address_maps.
2705
2706 This feature is available in Postfix 2.3 and later.
2707
2709 A case insensitive list of LHLO keywords (pipelining, starttls, auth,
2710 etc.) that the Postfix LMTP client will ignore in the LHLO response
2711 from a remote LMTP server.
2712
2713 This feature is available in Postfix 2.3 and later.
2714
2715 Notes:
2716
2717 · Specify the silent-discard pseudo keyword to prevent this action
2718 from being logged.
2719
2720 · Use the lmtp_discard_lhlo_keyword_address_maps feature to dis‐
2721 card LHLO keywords selectively.
2722
2724 Optional filter for Postfix LMTP client DNS lookup results. See
2725 smtp_dns_reply_filter for details including an example.
2726
2727 This feature is available in Postfix 3.0 and later.
2728
2730 The LMTP-specific version of the smtp_dns_resolver_options configura‐
2731 tion parameter. See there for details.
2732
2733 This feature is available in Postfix 2.8 and later.
2734
2736 The LMTP-specific version of the smtp_dns_support_level configuration
2737 parameter. See there for details.
2738
2739 This feature is available in Postfix 2.11 and later.
2740
2742 The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2743 ter. See there for details.
2744
2745 This feature is available in Postfix 2.3 and later.
2746
2748 Optional list of relay hosts for LMTP destinations that can't be found
2749 or that are unreachable. In main.cf elements are separated by white‐
2750 space or commas.
2751
2752 By default, mail is returned to the sender when a destination is not
2753 found, and delivery is deferred when a destination is unreachable.
2754
2755 The fallback relays must be TCP destinations, specified without a lead‐
2756 ing "inet:" prefix. Specify a host or host:port. Since MX lookups do
2757 not apply with LMTP, there is no need to use the "[host]" or
2758 "[host]:port" forms. If you specify multiple LMTP destinations, Post‐
2759 fix will try them in the specified order.
2760
2761 This feature is available in Postfix 3.1 and later.
2762
2764 The LMTP-specific version of the smtp_generic_maps configuration param‐
2765 eter. See there for details.
2766
2767 This feature is available in Postfix 2.3 and later.
2768
2770 The LMTP-specific version of the smtp_header_checks configuration
2771 parameter. See there for details.
2772
2773 This feature is available in Postfix 2.5 and later.
2774
2776 The LMTP-specific version of the smtp_host_lookup configuration parame‐
2777 ter. See there for details.
2778
2779 This feature is available in Postfix 2.3 and later.
2780
2782 The hostname to send in the LMTP LHLO command.
2783
2784 The default value is the machine hostname. Specify a hostname or
2785 [ip.add.re.ss].
2786
2787 This information can be specified in the main.cf file for all LMTP
2788 clients, or it can be specified in the master.cf file for a specific
2789 client, for example:
2790
2791 /etc/postfix/master.cf:
2792 mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2793
2794 This feature is available in Postfix 2.3 and later.
2795
2797 The Postfix LMTP client time limit for sending the LHLO command, and
2798 for receiving the initial remote LMTP server response.
2799
2800 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2801 The default time unit is s (seconds).
2802
2804 The LMTP-specific version of the smtp_line_length_limit configuration
2805 parameter. See there for details.
2806
2807 This feature is available in Postfix 2.3 and later.
2808
2810 The Postfix LMTP client time limit for sending the MAIL FROM command,
2811 and for receiving the remote LMTP server response.
2812
2813 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2814 The default time unit is s (seconds).
2815
2817 The LMTP-specific version of the smtp_mime_header_checks configuration
2818 parameter. See there for details.
2819
2820 This feature is available in Postfix 2.5 and later.
2821
2823 The LMTP-specific version of the smtp_mx_address_limit configuration
2824 parameter. See there for details.
2825
2826 This feature is available in Postfix 2.3 and later.
2827
2829 The LMTP-specific version of the smtp_mx_session_limit configuration
2830 parameter. See there for details.
2831
2832 This feature is available in Postfix 2.3 and later.
2833
2835 The LMTP-specific version of the smtp_nested_header_checks configura‐
2836 tion parameter. See there for details.
2837
2838 This feature is available in Postfix 2.5 and later.
2839
2841 The LMTP-specific version of the smtp_per_record_deadline configuration
2842 parameter. See there for details.
2843
2844 This feature is available in Postfix 2.9 and later.
2845
2847 The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
2848 uration parameter. See there for details.
2849
2850 This feature is available in Postfix 2.3 and later.
2851
2853 The LMTP-specific version of the smtp_pix_workaround_maps configuration
2854 parameter. See there for details.
2855
2856 This feature is available in Postfix 2.4 and later.
2857
2859 The LMTP-specific version of the smtp_pix_workaround_threshold_time
2860 configuration parameter. See there for details.
2861
2862 This feature is available in Postfix 2.3 and later.
2863
2865 The LMTP-specific version of the smtp_pix_workaround configuration
2866 parameter. See there for details.
2867
2868 This feature is available in Postfix 2.4 and later.
2869
2871 The Postfix LMTP client time limit for sending the QUIT command, and
2872 for receiving the remote LMTP server response.
2873
2874 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2875 The default time unit is s (seconds).
2876
2878 The LMTP-specific version of the smtp_quote_rfc821_envelope configura‐
2879 tion parameter. See there for details.
2880
2881 This feature is available in Postfix 2.3 and later.
2882
2884 The LMTP-specific version of the smtp_randomize_addresses configuration
2885 parameter. See there for details.
2886
2887 This feature is available in Postfix 2.3 and later.
2888
2890 The Postfix LMTP client time limit for sending the RCPT TO command, and
2891 for receiving the remote LMTP server response.
2892
2893 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2894 The default time unit is s (seconds).
2895
2897 The LMTP-specific version of the smtp_reply_filter configuration param‐
2898 eter. See there for details.
2899
2900 This feature is available in Postfix 2.7 and later.
2901
2903 The Postfix LMTP client time limit for sending the RSET command, and
2904 for receiving the remote LMTP server response. The LMTP client sends
2905 RSET in order to finish a recipient address probe, or to verify that a
2906 cached connection is still alive.
2907
2908 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2909 The default time unit is s (seconds).
2910
2912 The LMTP-specific version of the smtp_sasl_auth_cache_name configura‐
2913 tion parameter. See there for details.
2914
2915 This feature is available in Postfix 2.5 and later.
2916
2918 The LMTP-specific version of the smtp_sasl_auth_cache_time configura‐
2919 tion parameter. See there for details.
2920
2921 This feature is available in Postfix 2.5 and later.
2922
2924 Enable SASL authentication in the Postfix LMTP client.
2925
2927 The LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
2928 tion parameter. See there for details.
2929
2930 This feature is available in Postfix 2.5 and later.
2931
2933 The LMTP-specific version of the smtp_sasl_mechanism_filter configura‐
2934 tion parameter. See there for details.
2935
2936 This feature is available in Postfix 2.3 and later.
2937
2939 Optional Postfix LMTP client lookup tables with one username:password
2940 entry per host or domain. If a remote host or domain has no user‐
2941 name:password entry, then the Postfix LMTP client will not attempt to
2942 authenticate to the remote host.
2943
2945 Implementation-specific information that is passed through to the SASL
2946 plug-in implementation that is selected with lmtp_sasl_type. Typically
2947 this specifies the name of a configuration file or rendezvous point.
2948
2949 This feature is available in Postfix 2.3 and later.
2950
2952 SASL security options; as of Postfix 2.3 the list of available features
2953 depends on the SASL client implementation that is selected with
2954 lmtp_sasl_type.
2955
2956 The following security features are defined for the cyrus client SASL
2957 implementation:
2958
2959 noplaintext
2960 Disallow authentication methods that use plaintext passwords.
2961
2962 noactive
2963 Disallow authentication methods that are vulnerable to non-dic‐
2964 tionary active attacks.
2965
2966 nodictionary
2967 Disallow authentication methods that are vulnerable to passive
2968 dictionary attack.
2969
2970 noanonymous
2971 Disallow anonymous logins.
2972
2973 Example:
2974
2975 lmtp_sasl_security_options = noplaintext
2976
2978 The LMTP-specific version of the smtp_sasl_tls_security_options config‐
2979 uration parameter. See there for details.
2980
2981 This feature is available in Postfix 2.3 and later.
2982
2985 The LMTP-specific version of the smtp_sasl_tls_verified_secu‐
2986 rity_options configuration parameter. See there for details.
2987
2988 This feature is available in Postfix 2.3 and later.
2989
2991 The SASL plug-in type that the Postfix LMTP client should use for
2992 authentication. The available types are listed with the "postconf -A"
2993 command.
2994
2995 This feature is available in Postfix 2.3 and later.
2996
2998 The LMTP-specific version of the smtp_send_dummy_mail_auth configura‐
2999 tion parameter. See there for details.
3000
3001 This feature is available in Postfix 2.9 and later.
3002
3004 Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
3005 server response announces XFORWARD support. This allows an lmtp(8)
3006 delivery agent, used for content filter message injection, to forward
3007 the name, address, protocol and HELO name of the original client to the
3008 content filter and downstream queuing LMTP server. Before you change
3009 the value to yes, it is best to make sure that your content filter sup‐
3010 ports this command.
3011
3012 This feature is available in Postfix 2.1 and later.
3013
3015 The LMTP-specific version of the smtp_sender_dependent_authentication
3016 configuration parameter. See there for details.
3017
3018 This feature is available in Postfix 2.3 and later.
3019
3021 The LMTP-specific version of the smtp_skip_5xx_greeting configuration
3022 parameter. See there for details.
3023
3024 This feature is available in Postfix 2.3 and later.
3025
3027 Wait for the response to the LMTP QUIT command.
3028
3030 The LMTP-specific version of the smtp_starttls_timeout configuration
3031 parameter. See there for details.
3032
3033 This feature is available in Postfix 2.3 and later.
3034
3036 The default TCP port that the Postfix LMTP client connects to. Specify
3037 a symbolic name (see services(5)) or a numeric port.
3038
3040 The LMTP-specific version of the smtp_tls_CAfile configuration parame‐
3041 ter. See there for details.
3042
3043 This feature is available in Postfix 2.3 and later.
3044
3046 The LMTP-specific version of the smtp_tls_CApath configuration parame‐
3047 ter. See there for details.
3048
3049 This feature is available in Postfix 2.3 and later.
3050
3052 The LMTP-specific version of the smtp_tls_block_early_mail_reply con‐
3053 figuration parameter. See there for details.
3054
3055 This feature is available in Postfix 2.7 and later.
3056
3058 The LMTP-specific version of the smtp_tls_cert_file configuration
3059 parameter. See there for details.
3060
3061 This feature is available in Postfix 2.3 and later.
3062
3064 The LMTP-specific version of the smtp_tls_chain_files configuration
3065 parameter. See there for details.
3066
3067 This feature is available in Postfix 3.4 and later.
3068
3070 The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
3071 ter. See there for details.
3072
3073 This feature is available in Postfix 2.6 and later.
3074
3076 The LMTP-specific version of the smtp_tls_connection_reuse configura‐
3077 tion parameter. See there for details.
3078
3079 This feature is available in Postfix 3.4 and later.
3080
3082 The LMTP-specific version of the smtp_tls_dcert_file configuration
3083 parameter. See there for details.
3084
3085 This feature is available in Postfix 2.3 and later.
3086
3088 The LMTP-specific version of the smtp_tls_dkey_file configuration
3089 parameter. See there for details.
3090
3091 This feature is available in Postfix 2.3 and later.
3092
3094 The LMTP-specific version of the smtp_tls_eccert_file configuration
3095 parameter. See there for details.
3096
3097 This feature is available in Postfix 2.6 and later, when Postfix is
3098 compiled and linked with OpenSSL 1.0.0 or later.
3099
3101 The LMTP-specific version of the smtp_tls_eckey_file configuration
3102 parameter. See there for details.
3103
3104 This feature is available in Postfix 2.6 and later, when Postfix is
3105 compiled and linked with OpenSSL 1.0.0 or later.
3106
3108 The LMTP-specific version of the smtp_tls_enforce_peername configura‐
3109 tion parameter. See there for details.
3110
3111 This feature is available in Postfix 2.3 and later.
3112
3114 The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
3115 parameter. See there for details.
3116
3117 This feature is available in Postfix 2.3 and later.
3118
3120 The LMTP-specific version of the smtp_tls_fingerprint_cert_match con‐
3121 figuration parameter. See there for details.
3122
3123 This feature is available in Postfix 2.5 and later.
3124
3126 The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
3127 tion parameter. See there for details.
3128
3129 This feature is available in Postfix 2.5 and later.
3130
3132 The LMTP-specific version of the smtp_tls_force_inse‐
3133 cure_host_tlsa_lookup configuration parameter. See there for details.
3134
3135 This feature is available in Postfix 2.11 and later.
3136
3138 The LMTP-specific version of the smtp_tls_key_file configuration param‐
3139 eter. See there for details.
3140
3141 This feature is available in Postfix 2.3 and later.
3142
3144 The LMTP-specific version of the smtp_tls_loglevel configuration param‐
3145 eter. See there for details.
3146
3147 This feature is available in Postfix 2.3 and later.
3148
3150 The LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
3151 tion parameter. See there for details.
3152
3153 This feature is available in Postfix 2.3 and later.
3154
3156 The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
3157 configuration parameter. See there for details.
3158
3159 This feature is available in Postfix 2.3 and later.
3160
3162 The LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
3163 ration parameter. See there for details.
3164
3165 This feature is available in Postfix 2.3 and later.
3166
3168 The LMTP-specific version of the smtp_tls_note_starttls_offer configu‐
3169 ration parameter. See there for details.
3170
3171 This feature is available in Postfix 2.3 and later.
3172
3174 The LMTP-specific version of the smtp_tls_per_site configuration param‐
3175 eter. See there for details.
3176
3177 This feature is available in Postfix 2.3 and later.
3178
3180 The LMTP-specific version of the smtp_tls_policy_maps configuration
3181 parameter. See there for details.
3182
3183 This feature is available in Postfix 2.3 and later.
3184
3186 The LMTP-specific version of the smtp_tls_protocols configuration
3187 parameter. See there for details.
3188
3189 This feature is available in Postfix 2.6 and later.
3190
3192 The LMTP-specific version of the smtp_tls_scert_verifydepth configura‐
3193 tion parameter. See there for details.
3194
3195 This feature is available in Postfix 2.3 and later.
3196
3198 The LMTP-specific version of the smtp_tls_secure_cert_match configura‐
3199 tion parameter. See there for details.
3200
3201 This feature is available in Postfix 2.3 and later.
3202
3204 The LMTP-specific version of the smtp_tls_security_level configuration
3205 parameter. See there for details.
3206
3207 This feature is available in Postfix 2.3 and later.
3208
3210 The LMTP-specific version of the smtp_tls_servername configuration
3211 parameter. See there for details.
3212
3213 This feature is available in Postfix 3.4 and later.
3214
3216 The LMTP-specific version of the smtp_tls_session_cache_database con‐
3217 figuration parameter. See there for details.
3218
3219 This feature is available in Postfix 2.3 and later.
3220
3222 The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
3223 uration parameter. See there for details.
3224
3225 This feature is available in Postfix 2.3 and later.
3226
3228 The LMTP-specific version of the smtp_tls_trust_anchor_file configura‐
3229 tion parameter. See there for details.
3230
3231 This feature is available in Postfix 2.11 and later.
3232
3234 The LMTP-specific version of the smtp_tls_verify_cert_match configura‐
3235 tion parameter. See there for details.
3236
3237 This feature is available in Postfix 2.3 and later.
3238
3240 The LMTP-specific version of the smtp_use_tls configuration parameter.
3241 See there for details.
3242
3243 This feature is available in Postfix 2.3 and later.
3244
3246 The Postfix LMTP client time limit for sending the XFORWARD command,
3247 and for receiving the remote LMTP server response.
3248
3249 In case of problems the client does NOT try the next address on the
3250 mail exchanger list.
3251
3252 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3253 The default time unit is s (seconds).
3254
3255 This feature is available in Postfix 2.1 and later.
3256
3258 Optional shell program for local(8) delivery to non-Postfix commands.
3259 By default, non-Postfix commands are executed directly; commands are
3260 given to the default shell (typically, /bin/sh) only when they contain
3261 shell meta characters or shell built-in commands.
3262
3263 "sendmail's restricted shell" (smrsh) is what most people will use in
3264 order to restrict what programs can be run from e.g. .forward files
3265 (smrsh is part of the Sendmail distribution).
3266
3267 Note: when a shell program is specified, it is invoked even when the
3268 command contains no shell built-in commands or meta characters.
3269
3270 Example:
3271
3272 local_command_shell = /some/where/smrsh -c
3273 local_command_shell = /bin/bash -c
3274
3276 Optional filter for the local(8) delivery agent to change the status
3277 code or explanatory text of successful or unsuccessful deliveries. See
3278 default_delivery_status_filter for details.
3279
3280 This feature is available in Postfix 3.0 and later.
3281
3283 The maximal number of parallel deliveries via the local mail delivery
3284 transport to the same recipient (when "local_destination_recipi‐
3285 ent_limit = 1") or the maximal number of parallel deliveries to the
3286 same local domain (when "local_destination_recipient_limit > 1"). This
3287 limit is enforced by the queue manager. The message delivery transport
3288 name is the first field in the entry in the master.cf file.
3289
3290 A low limit of 2 is recommended, just in case someone has an expensive
3291 shell command in a .forward file or in an alias (e.g., a mailing list
3292 manager). You don't want to run lots of those at the same time.
3293
3295 The maximal number of recipients per message delivery via the local
3296 mail delivery transport. This limit is enforced by the queue manager.
3297 The message delivery transport name is the first field in the entry in
3298 the master.cf file.
3299
3300 Setting this parameter to a value > 1 changes the meaning of local_des‐
3301 tination_concurrency_limit from concurrency per recipient into concur‐
3302 rency per domain.
3303
3305 Rewrite message header addresses in mail from these clients and update
3306 incomplete addresses with the domain name in $myorigin or $mydomain;
3307 either don't rewrite message headers from other clients at all, or re‐
3308 write message headers and update incomplete addresses with the domain
3309 specified in the remote_header_rewrite_domain parameter.
3310
3311 See the append_at_myorigin and append_dot_mydomain parameters for
3312 details of how domain names are appended to incomplete addresses.
3313
3314 Specify a list of zero or more of the following:
3315
3316 permit_inet_interfaces
3317 Append the domain name in $myorigin or $mydomain when the client
3318 IP address matches $inet_interfaces. This is enabled by default.
3319
3320 permit_mynetworks
3321 Append the domain name in $myorigin or $mydomain when the client
3322 IP address matches any network or network address listed in
3323 $mynetworks. This setting will not prevent remote mail header
3324 address rewriting when mail from a remote client is forwarded by
3325 a neighboring system.
3326
3327 permit_sasl_authenticated
3328 Append the domain name in $myorigin or $mydomain when the client
3329 is successfully authenticated via the RFC 4954 (AUTH) protocol.
3330
3331 permit_tls_clientcerts
3332 Append the domain name in $myorigin or $mydomain when the remote
3333 SMTP client TLS certificate fingerprint or public key finger‐
3334 print (Postfix 2.9 and later) is listed in $relay_clientcerts.
3335 The fingerprint digest algorithm is configurable via the
3336 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
3337 to Postfix version 2.5).
3338
3339 permit_tls_all_clientcerts
3340 Append the domain name in $myorigin or $mydomain when the remote
3341 SMTP client TLS certificate is successfully verified, regardless
3342 of whether it is listed on the server, and regardless of the
3343 certifying authority.
3344
3345 check_address_map type:table
3346
3347 type:table
3348 Append the domain name in $myorigin or $mydomain when the client
3349 IP address matches the specified lookup table. The lookup
3350 result is ignored, and no subnet lookup is done. This is suit‐
3351 able for, e.g., pop-before-smtp lookup tables.
3352
3353 Examples:
3354
3355 The Postfix < 2.2 backwards compatible setting: always rewrite message
3356 headers, and always append my own domain to incomplete header
3357 addresses.
3358
3359 local_header_rewrite_clients = static:all
3360
3361 The purist (and default) setting: rewrite headers only in mail from
3362 Postfix sendmail and in SMTP mail from this machine.
3363
3364 local_header_rewrite_clients = permit_inet_interfaces
3365
3366 The intermediate setting: rewrite header addresses and append $myorigin
3367 or $mydomain information only with mail from Postfix sendmail, from
3368 local clients, or from authorized SMTP clients.
3369
3370 Note: this setting will not prevent remote mail header address rewrit‐
3371 ing when mail from a remote client is forwarded by a neighboring sys‐
3372 tem.
3373
3374 local_header_rewrite_clients = permit_mynetworks,
3375 permit_sasl_authenticated permit_tls_clientcerts
3376 check_address_map hash:/etc/postfix/pop-before-smtp
3377
3379 Lookup tables with all names or addresses of local recipients: a recip‐
3380 ient address is local when its domain matches $mydestination,
3381 $inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card
3382 for domains that do not have a valid recipient list. Technically,
3383 tables listed with $local_recipient_maps are used as lists: Postfix
3384 needs to know only if a lookup string is found or not, but it does not
3385 use the result from table lookup.
3386
3387 Specify zero or more "type:name" lookup tables, separated by whitespace
3388 or comma. Tables will be searched in the specified order until a match
3389 is found.
3390
3391 If this parameter is non-empty (the default), then the Postfix SMTP
3392 server will reject mail for unknown local users.
3393
3394 To turn off local recipient checking in the Postfix SMTP server, spec‐
3395 ify "local_recipient_maps =" (i.e. empty).
3396
3397 The default setting assumes that you use the default Postfix local
3398 delivery agent for local delivery. You need to update the local_recipi‐
3399 ent_maps setting if:
3400
3401 · You redefine the local delivery agent in master.cf.
3402
3403 · You redefine the "local_transport" setting in main.cf.
3404
3405 · You use the "luser_relay", "mailbox_transport", or "fall‐
3406 back_transport" feature of the Postfix local(8) delivery agent.
3407
3408 Details are described in the LOCAL_RECIPIENT_README file.
3409
3410 Beware: if the Postfix SMTP server runs chrooted, you need to access
3411 the passwd file via the proxymap(8) service, in order to overcome
3412 chroot access restrictions. The alternative, maintaining a copy of the
3413 system password file in the chroot jail is not practical.
3414
3415 Examples:
3416
3417 local_recipient_maps =
3418
3420 The default mail delivery transport and next-hop destination for final
3421 delivery to domains listed with mydestination, and for [ipaddress] des‐
3422 tinations that match $inet_interfaces or $proxy_interfaces. This
3423 information can be overruled with the transport(5) table.
3424
3425 By default, local mail is delivered to the transport called "local",
3426 which is just the name of a service that is defined in the master.cf file.
3427
3428 Specify a string of the form transport:nexthop, where transport is the
3429 name of a mail delivery transport defined in master.cf. The :nexthop
3430 destination is optional; its syntax is documented in the manual page of
3431 the corresponding delivery agent.
3432
3433 Beware: if you override the default local delivery agent then you need
3434 to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
3435 server may reject mail for local recipients.
3436
3438 Optional catch-all destination for unknown local(8) recipients. By
3439 default, mail for unknown recipients in domains that match $mydestina‐
3440 tion, $inet_interfaces or $proxy_interfaces is returned as undeliver‐
3441 able.
3442
3443 The luser_relay value is not subject to Postfix configuration parameter
3444 $name expansion. Instead, the following $name expansions are done:
3445
3446 $domain
3447 The recipient domain.
3448
3449 $extension
3450 The recipient address extension.
3451
3452 $home The recipient's home directory.
3453
3454 $local The entire recipient address localpart.
3455
3456 $recipient
3457 The full recipient address.
3458
3459 $recipient_delimiter
3460 The address extension delimiter that was found in the recipient
3461 address (Postfix 2.11 and later), or the system-wide recipient
3462 address extension delimiter (Postfix 2.10 and earlier).
3463
3464 $shell The recipient's login shell.
3465
3466 $user The recipient username.
3467
3468 ${name?value}
3469 Expands to value when $name has a non-empty value.
3470
3471 ${name:value}
3472 Expands to value when $name has an empty value.
3473
3474 Instead of $name you can also specify ${name} or $(name).
3475
3476 Note: luser_relay works only for the Postfix local(8) delivery agent.
3477
3478 Note: if you use this feature for accounts not in the UNIX password
3479 file, then you must specify "local_recipient_maps =" (i.e. empty) in
3480 the main.cf file, otherwise the Postfix SMTP server will reject mail
3481 for non-UNIX accounts with "User unknown in local recipient table".
3482
3483 Examples:
3484
3485 luser_relay = $user@other.host
3486 luser_relay = $local@other.host
3487 luser_relay = admin+$local
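
Added example (not Postfix's own code) of the luser_relay $name expansion
rules listed above: $name, ${name}, $(name), ${name?value} and
${name:value}. Two details are assumptions: a name with no attribute
expands to the empty string, and the "value" of a conditional form is
itself expanded. The recipient attribute values are constructed.

```python
import re

# Matches the five luser_relay expansion forms:
#   $name | ${name} | ${name?value} | ${name:value} | $(name)
# Groups: 1 = $name, 2/3/4 = ${name}, operator, value, 5 = $(name)
_TOKEN = re.compile(
    r"\$(?:(\w+)"                       # $name
    r"|\{(\w+)(?:([?:])([^}]*))?\}"     # ${name}, ${name?value}, ${name:value}
    r"|\((\w+)\))"                      # $(name)
)


def expand_luser_relay(template, attrs):
    """Expand a luser_relay template using the per-recipient attrs dict.

    Assumption: an attribute that is missing from attrs expands to "".
    """
    def repl(match):
        plain, cond_name, op, value, paren = match.groups()
        if plain is not None:
            return attrs.get(plain, "")
        if paren is not None:
            return attrs.get(paren, "")
        current = attrs.get(cond_name, "")
        if op is None:                      # ${name}
            return current
        # Assumption: the value text is expanded recursively, so it may
        # itself contain $name references.
        if op == "?":                       # ${name?value}: only if $name non-empty
            return expand_luser_relay(value, attrs) if current else ""
        return "" if current else expand_luser_relay(value, attrs)  # ${name:value}

    return _TOKEN.sub(repl, template)


# Constructed attributes for one recipient, bob+sales@example.com.
SAMPLE_ATTRS = {
    "user": "bob",
    "local": "bob+sales",
    "extension": "sales",
    "domain": "example.com",
    "recipient": "bob+sales@example.com",
    "recipient_delimiter": "+",
}

if __name__ == "__main__":
    for tmpl in ("$user@other.host", "$local@other.host", "admin+$local",
                 "catchall${extension?+$extension}@$domain"):
        print(f"{tmpl:45} -> {expand_luser_relay(tmpl, SAMPLE_ATTRS)}")
```

The three templates from the Examples above expand to bob@other.host,
bob+sales@other.host and admin+bob+sales for this recipient; the
conditional form shows how an extension can be re-attached only when one
was present in the original address.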
3488
3490 The mail system name that is displayed in Received: headers, in the
3491 SMTP greeting banner, and in bounced mail.
3492
3494 The UNIX system account that owns the Postfix queue and most Postfix
3495 daemon processes. Specify the name of an unprivileged user account
3496 that does not share a user or group ID with other accounts, and that
3497 owns no other files or processes on the system. In particular, don't
3498 specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.
3499
3500 When this parameter value is changed you need to re-run "postfix
3501 set-permissions" (with Postfix version 2.0 and earlier: "/etc/post‐
3502 fix/post-install set-permissions").
3503
3505 The Postfix release date, in "YYYYMMDD" format.
3506
3508 The directory where local(8) UNIX-style mailboxes are kept. The default
3509 setting depends on the system type. Specify a name ending in / for
3510 maildir-style delivery.
3511
3512 Note: maildir delivery is done with the privileges of the recipient.
3513 If you use the mail_spool_directory setting for maildir style delivery,
3514 then you must create the top-level maildir directory in advance. Post‐
3515 fix will not create it.
3516
3517 Examples:
3518
3519 mail_spool_directory = /var/mail
3520 mail_spool_directory = /var/spool/mail
3521
3523 The version of the mail system. Stable releases are named
3524 major.minor.patchlevel. Experimental releases also include the release
3525 date. The version string can be used in, for example, the SMTP greeting
3526 banner.
3527
3529 Optional external command that the local(8) delivery agent should use
3530 for mailbox delivery. The command is run with the user ID and the pri‐
3531 mary group ID privileges of the recipient. Exception: command delivery
3532 for root executes with $default_privs privileges. This is not a prob‐
3533 lem, because 1) mail for root should always be aliased to a real user
3534 and 2) don't log in as root, use "su" instead.
3535
3536 The following environment variables are exported to the command:
3537
3538 CLIENT_ADDRESS
3539 Remote client network address. Available in Postfix version 2.2
3540 and later.
3541
3542 CLIENT_HELO
3543 Remote client EHLO command parameter. Available in Postfix ver‐
3544 sion 2.2 and later.
3545
3546 CLIENT_HOSTNAME
3547 Remote client hostname. Available in Postfix version 2.2 and
3548 later.
3549
3550 CLIENT_PROTOCOL
3551 Remote client protocol. Available in Postfix version 2.2 and
3552 later.
3553
3554 DOMAIN The domain part of the recipient address.
3555
3556 EXTENSION
3557 The optional address extension.
3558
3559 HOME The recipient home directory.
3560
3561 LOCAL The recipient address localpart.
3562
3563 LOGNAME
3564 The recipient's username.
3565
3566 ORIGINAL_RECIPIENT
3567 The entire recipient address, before any address rewriting or
3568 aliasing.
3569
3570 RECIPIENT
3571 The full recipient address.
3572
3573 SASL_METHOD
3574 SASL authentication method specified in the remote client AUTH
3575 command. Available in Postfix version 2.2 and later.
3576
3577 SASL_SENDER
3578 SASL sender address specified in the remote client MAIL FROM
3579 command. Available in Postfix version 2.2 and later.
3580
3581 SASL_USER
3582 SASL username specified in the remote client AUTH command.
3583 Available in Postfix version 2.2 and later.
3584
3585 SENDER The full sender address.
3586
3587 SHELL The recipient's login shell.
3588
3589 USER The recipient username.
3590
3591 Unlike other Postfix configuration parameters, the mailbox_command
3592 parameter is not subjected to $name substitutions. This is to make it
3593 easier to specify shell syntax (see example below).
3594
3595 If you can, avoid shell meta characters because they will force Postfix
3596 to run an expensive shell process. If you're delivering via "procmail"
3597 then running a shell won't make a noticeable difference in the total
3598 cost.
3599
3600 Note: if you use the mailbox_command feature to deliver mail sys‐
3601 tem-wide, you must set up an alias that forwards mail for root to a
3602 real user.
3603
3604 The precedence of local(8) delivery features from high to low is:
3605 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3606 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3607 tory, fallback_transport_maps, fallback_transport and luser_relay.
3608
3609 Examples:
3610
3611 mailbox_command = /some/where/procmail
3612 mailbox_command = /some/where/procmail -a "$EXTENSION"
3613 mailbox_command = /some/where/maildrop -d "$USER"
3614 -f "$SENDER" "$EXTENSION"
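
Added example of a mailbox_command program (not part of Postfix) that
uses the environment variables listed above. It reads the message from
standard input, takes USER, EXTENSION and SENDER from the environment,
and stores the message in a maildir following the tmp/ then new/
convention. The maildir root, the per-extension sub-folder layout and
the file-name sanitizing policy are assumptions; the sample message and
environment in demo_delivery() are constructed.

```python
import os
import socket
import sys
import tempfile
import time


def safe_component(value, limit=64):
    """Keep only characters that are safe inside a file name (assumed policy)."""
    return "".join(c for c in value if c.isalnum() or c in "-_")[:limit]


def is_safe_component(value):
    """True when value is non-empty and survives safe_component() unchanged."""
    return bool(value) and value == safe_component(value)


def deliver_to_maildir(message, env, maildir_root):
    """Write one message into <maildir_root>/<USER>/Maildir[/.<EXTENSION>]/new/.

    Returns the final file path. USER, LOGNAME, EXTENSION and SENDER are
    the names exported by local(8); the directory layout is an assumption.
    """
    user = env.get("USER") or env.get("LOGNAME") or ""
    if not is_safe_component(user):
        raise ValueError("refusing delivery: missing or unsafe USER")
    # EXTENSION originates in the remote RCPT TO address, so it is
    # sanitized before being used as a folder name.
    ext = safe_component(env.get("EXTENSION", ""))
    maildir = os.path.join(maildir_root, user, "Maildir", f".{ext}" if ext else "")
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(maildir, sub), mode=0o700, exist_ok=True)
    # Maildir unique name: time.pid.host. Write to tmp/ first so a reader
    # never sees a partially written file in new/.
    name = f"{time.time_ns()}.{os.getpid()}.{socket.gethostname()}"
    tmp_path = os.path.join(maildir, "tmp", name)
    new_path = os.path.join(maildir, "new", name)
    with open(tmp_path, "wb") as fh:
        fh.write(f"Return-Path: <{env.get('SENDER', '')}>\n".encode())
        fh.write(message)
        fh.flush()
        os.fsync(fh.fileno())
    os.rename(tmp_path, new_path)
    return new_path


def demo_delivery(maildir_root=None):
    """Deliver a constructed sample message; returns (path, stored bytes)."""
    root = maildir_root or tempfile.mkdtemp(prefix="maildir-demo-")
    env = {"USER": "bob", "EXTENSION": "sales", "SENDER": "alice@example.org"}
    path = deliver_to_maildir(b"Subject: test\n\nhello\n", env, root)
    with open(path, "rb") as fh:
        return path, fh.read()


if __name__ == "__main__":
    # Invoked by local(8): message on stdin, recipient attributes in the
    # environment, e.g. mailbox_command = /some/where/deliver.py
    print(deliver_to_maildir(sys.stdin.buffer.read(), os.environ, "/var/mail"))
```

Because local(8) runs the command with the recipient's user and primary
group ID, the program only ever needs write access to that recipient's
own maildir; the fsync before the rename is what makes a message in
new/ safe to trust after a crash.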
3615
3617 Optional lookup tables with per-recipient external commands to use for
3618 local(8) mailbox delivery. Behavior is as with mailbox_command.
3619
3620 The precedence of local(8) delivery features from high to low is:
3621 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3622 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3623 tory, fallback_transport_maps, fallback_transport and luser_relay.
3624
3625 Specify zero or more "type:name" lookup tables, separated by whitespace
3626 or comma. Tables will be searched in the specified order until a match
3627 is found.
3628
3630 How to lock a UNIX-style local(8) mailbox before attempting delivery.
3631 For a list of available file locking methods, use the "postconf -l"
3632 command.
3633
3634 This setting is ignored with maildir style delivery, because such
3635 deliveries are safe without explicit locks.
3636
3637 Note: The dotlock method requires that the recipient UID or GID has
3638 write access to the parent directory of the mailbox file.
3639
3640 Note: the default setting of this parameter is system dependent.
3641
3643 The maximal size of any local(8) individual mailbox or maildir file, or
3644 zero (no limit). In fact, this limits the size of any file that is
3645 written to upon local delivery, including files written by external
3646 commands that are executed by the local(8) delivery agent.
3647
3648 This limit must not be smaller than the message size limit.
3649
3651 Optional message delivery transport that the local(8) delivery agent
3652 should use for mailbox delivery to all local recipients, whether or not
3653 they are found in the UNIX passwd database.
3654
3655 The precedence of local(8) delivery features from high to low is:
3656 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3657 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3658 tory, fallback_transport_maps, fallback_transport and luser_relay.
3659
3661 Optional lookup tables with per-recipient message delivery transports
3662 to use for local(8) mailbox delivery, whether or not the recipients are
3663 found in the UNIX passwd database.
3664
3665 The precedence of local(8) delivery features from high to low is:
3666 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3667 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3668 tory, fallback_transport_maps, fallback_transport and luser_relay.
3669
3670 Specify zero or more "type:name" lookup tables, separated by whitespace
3671 or comma. Tables will be searched in the specified order until a match
3672 is found.
3673
3674 For safety reasons, this feature does not allow $number substitutions
3675 in regular expression maps.
3676
3677 This feature is available in Postfix 2.3 and later.
3678
3680 The name of an optional logfile that is written by the Postfix post‐
3681 logd(8) service. An empty value selects logging to syslogd(8). Specify
3682 "/dev/stdout" to select logging to standard output. Stdout logging
3683 requires that Postfix is started with "postfix start-fg".
3684
3685 Note 1: The maillog_file parameter value must contain a prefix that is
3686 specified with the maillog_file_prefixes parameter.
3687
3688 Note 2: Some Postfix non-daemon programs may still log information to
3689 syslogd(8), before they have processed their configuration parameters
3690 and command-line options.
3691
3692 This feature is available in Postfix 3.4 and later.
3693
3695 The program to run after rotating $maillog_file with "postfix logro‐
3696 tate". The command is run with the rotated logfile name as its first
3697 argument.
3698
3699 This feature is available in Postfix 3.4 and later.
3700
3702 A list of allowed prefixes for a maillog_file value. This is a safety
3703 feature to contain the damage from a single configuration mistake.
3704 Specify one or more prefix strings, separated by comma or whitespace.
3705
3706 This feature is available in Postfix 3.4 and later.
3707
3709 The format of the suffix to append to $maillog_file while rotating the
3710 file with "postfix logrotate". See strftime(3) for syntax. The default
3711 suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently.
3712
3713 This feature is available in Postfix 3.4 and later.
3714
3716 Sendmail compatibility feature that specifies where the Postfix
3717 mailq(1) command is installed. This command can be used to list the
3718 Postfix mail queue.
3719
3721 Where the Postfix manual pages are installed.
3722
3724 Obsolete feature: use the reject_rbl_client feature instead.
3725
3727 The numerical Postfix SMTP server response code when a remote SMTP
3728 client request is blocked by the reject_rbl_client,
3729 reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender
3730 or reject_rhsbl_recipient restriction.
3731
3732 Do not change this unless you have a complete understanding of RFC
3733 5321.
3734
3736
3737 What addresses are subject to address masquerading.
3738
3739 By default, address masquerading is limited to envelope sender
3740 addresses, and to header sender and header recipient addresses. This
3741 allows you to use address masquerading on a mail gateway while still
3742 being able to forward mail to users on individual machines.
3743
3744 Specify zero or more of: envelope_sender, envelope_recipient,
3745 header_sender, header_recipient
3746
3748 Optional list of domains whose subdomain structure will be stripped off
3749 in email addresses.
3750
3751 The list is processed left to right, and processing stops at the first
3752 match. Thus,
3753
3754 masquerade_domains = foo.example.com example.com
3755
3756 strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
3757 strips "user@any.thing.else.example.com" to "user@example.com".
3758
3759 A domain name prefixed with ! means do not masquerade this domain or
3760 its subdomains. Thus,
3761
3762 masquerade_domains = !foo.example.com example.com
3763
3764 does not change "user@any.thing.foo.example.com" or "user@foo.exam‐
3765 ple.com", but strips "user@any.thing.else.example.com" to "user@exam‐
3766 ple.com".
3767
3768 Note: with Postfix version 2.2, message header address masquerading
3769 happens only when message header address rewriting is enabled:
3770
3771 · The message is received with the Postfix sendmail(1) command,
3772
3773 · The message is received from a network client that matches
3774 $local_header_rewrite_clients,
3775
3776 · The message is received from the network, and the
3777 remote_header_rewrite_domain parameter specifies a non-empty
3778 value.
3779
3780 To get the behavior before Postfix version 2.2, specify
3781 "local_header_rewrite_clients = static:all".
3782
3783 Example:
3784
3785 masquerade_domains = $mydomain
3786
3788 Optional list of user names that are not subjected to address mas‐
3789 querading, even when their addresses match $masquerade_domains.
3790
3791 By default, address masquerading makes no exceptions.
3792
3793 Specify a list of user names, "/file/name" or "type:table" patterns,
3794 separated by commas and/or whitespace. The list is matched left to
3795 right, and the search stops on the first match. A "/file/name" pattern
3796 is replaced by its contents; a "type:table" lookup table is matched
3797 when a name matches a lookup key (the lookup result is ignored). Con‐
3798 tinue long lines by starting the next line with whitespace. Specify
3799 "!pattern" to exclude a name from the list. The form "!/file/name" is
3800 supported only in Postfix version 2.4 and later.
3801
3802 Examples:
3803
3804 masquerade_exceptions = root, mailer-daemon
3805 masquerade_exceptions = root
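
Added example (not Postfix's own code) modelling the masquerade_domains
processing described above, left to right and stopping at the first
match, with the "!domain" exclusion and the masquerade_exceptions
user-name check. Case-insensitive comparison and the handling of
addresses without "@" are assumptions; the addresses are the ones from
the text above.

```python
def _split_list(value):
    """Split a Postfix list value on commas and/or whitespace."""
    return [item for item in value.replace(",", " ").split() if item]


def masquerade_address(address, masquerade_domains, masquerade_exceptions=""):
    """Return address with its subdomain structure stripped per masquerade_domains."""
    if "@" not in address:
        return address                      # assumption: nothing to masquerade
    localpart, domain = address.rsplit("@", 1)
    domain = domain.lower()

    # masquerade_exceptions: matched left to right, search stops on the
    # first match; "!name" removes a name from the exception list.
    for pattern in _split_list(masquerade_exceptions):
        negate = pattern.startswith("!")
        name = pattern[1:] if negate else pattern
        if name.lower() == localpart.lower():
            if not negate:
                return address              # listed user: never masqueraded
            break

    # masquerade_domains: processed left to right, stop at the first match.
    for pattern in _split_list(masquerade_domains):
        negate = pattern.startswith("!")
        target = (pattern[1:] if negate else pattern).lower()
        if domain == target or domain.endswith("." + target):
            if negate:
                return address              # "!domain": this domain and its subdomains are left alone
            return f"{localpart}@{target}"
    return address


if __name__ == "__main__":
    for domains in ("foo.example.com example.com", "!foo.example.com example.com"):
        for addr in ("user@any.thing.foo.example.com", "user@any.thing.else.example.com"):
            print(f"{domains:32} {addr:32} -> {masquerade_address(addr, domains)}")
```

With "masquerade_exceptions = root, mailer-daemon" the address
root@host.example.com is left untouched while alice@host.example.com
becomes alice@example.com, which is the usual reason for the exception
list on a gateway: bounce and administrative mail keeps pointing at the
machine that generated it.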
3806
3808 Selectively disable master(8) listener ports by service type or by ser‐
3809 vice name and type. Specify a list of service types ("inet", "unix",
3810 "fifo", or "pass") or "name/type" tuples, where "name" is the first
3811 field of a master.cf entry and "type" is a service type. As with other
3812 Postfix matchlists, a search stops at the first match. Specify "!pat‐
3813 tern" to exclude a service from the list. By default, all master(8)
3814 listener ports are enabled.
3815
3816 Note: this feature does not support "/file/name" or "type:table" pat‐
3817 terns, nor does it support wildcards such as "*" or "all". This is
3818 intentional.
3819
3820 Examples:
3821
3822 # With Postfix 2.6..2.10 use '.' instead of '/'.
3823 # Turn on all master(8) listener ports (the default).
3824 master_service_disable =
3825 # Turn off only the main SMTP listener port.
3826 master_service_disable = smtp/inet
3827 # Turn off all TCP/IP listener ports.
3828 master_service_disable = inet
3829 # Turn off all TCP/IP listener ports except "foo".
3830 master_service_disable = !foo/inet, inet
3831
3832 This feature is available in Postfix 2.6 and later.
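
Added example (not Postfix's own code) of the master_service_disable
matching described above: each pattern is either a bare service type or
a "name/type" tuple, an optional "!" negates it, and the first match
decides. It assumes the Postfix 2.11 and later "/" separator; the
master.cf entries are a constructed subset.

```python
def _split_list(value):
    """Split a Postfix list value on commas and/or whitespace."""
    return [item for item in value.replace(",", " ").split() if item]


def service_disabled(name, service_type, master_service_disable):
    """Return True when the master.cf service name/type has its listener disabled."""
    for pattern in _split_list(master_service_disable):
        negate = pattern.startswith("!")
        pattern = pattern[1:] if negate else pattern
        # A pattern is a service type ("inet") or a name/type tuple ("smtp/inet").
        if pattern == service_type or pattern == f"{name}/{service_type}":
            return not negate           # search stops at the first match
    return False                        # default: every listener port is enabled


def listening_services(master_entries, master_service_disable):
    """Return the (name, type) entries whose listener stays enabled."""
    return [(n, t) for n, t in master_entries
            if not service_disabled(n, t, master_service_disable)]


# Constructed subset of a master.cf, first two fields only.
MASTER_ENTRIES = [
    ("smtp", "inet"), ("submission", "inet"), ("foo", "inet"),
    ("pickup", "unix"), ("cleanup", "unix"),
]

if __name__ == "__main__":
    for setting in ("", "smtp/inet", "inet", "!foo/inet, inet"):
        print(f"master_service_disable = {setting!r:20} -> "
              f"{listening_services(MASTER_ENTRIES, setting)}")
```

Note how "!foo/inet, inet" keeps foo/inet only because the negated
tuple comes first; with the order reversed, "inet" would match first and
foo/inet would be disabled with all other TCP/IP listeners.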
3833
3835 The maximum amount of time that an idle Postfix daemon process waits
3836 for an incoming connection before terminating voluntarily. This param‐
3837 eter is ignored by the Postfix queue manager and by other long-lived
3838 Postfix daemon processes.
3839
3840 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3841 The default time unit is s (seconds).
3842
3844 The maximal number of incoming connections that a Postfix daemon
3845 process will service before terminating voluntarily. This parameter is
3846 ignored by the Postfix queue manager and by other long-lived Postfix
3847 daemon processes.
3848
3850 The maximal time between attempts to deliver a deferred message.
3851
3852 This parameter should be set to a value greater than or equal to $mini‐
3853 mal_backoff_time. See also $queue_run_delay.
3854
3855 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3856 The default time unit is s (seconds).
3857
3859 Consider a message as undeliverable, when delivery fails with a tempo‐
3860 rary error, and the time in the queue has reached the maxi‐
3861 mal_queue_lifetime limit.
3862
3863 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3864 The default time unit is d (days).
3865
3866 Specify 0 when mail delivery should be tried only once.
3867
3869 Names of message headers that the cleanup(8) daemon will remove after
3870 applying header_checks(5) and before invoking Milter applications. The
3871 default setting is compatible with Postfix < 3.0.
3872
3873 Specify a list of header names, separated by comma or space. Names are
3874 matched in a case-insensitive manner. The list of supported header
3875 names is limited only by available memory.
3876
3877 This feature is available in Postfix 3.0 and later.
3878
3880 The set of characters that Postfix will reject in message content. The
3881 usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3882 (up to three octal digits) and \\.
3883
3884 Note 1: this feature does not recognize text that requires MIME decod‐
3885 ing. It inspects raw message content, just like header_checks and
3886 body_checks.
3887
3888 Note 2: this feature is disabled with "receive_override_options =
3889 no_header_body_checks".
3890
3891 Example:
3892
3893 message_reject_characters = \0
3894
3895 This feature is available in Postfix 2.3 and later.
3896
3898 The maximal size in bytes of a message, including envelope information.
3899
3900 Note: be careful when making changes. Excessively small values will
3901 result in the loss of non-delivery notifications, when a bounce message
3902 size exceeds the local or remote MTA's message size limit.
3903
3905 The set of characters that Postfix will remove from message content.
3906 The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
3907 \ddd (up to three octal digits) and \\.
3908
3909 Note 1: this feature does not recognize text that requires MIME decod‐
3910 ing. It inspects raw message content, just like header_checks and
3911 body_checks.
3912
3913 Note 2: this feature is disabled with "receive_override_options =
3914 no_header_body_checks".
3915
3916 Example:
3917
3918 message_strip_characters = \0
3919
3920 This feature is available in Postfix 2.3 and later.
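
Added example (not Postfix's own code) for the message_reject_characters
and message_strip_characters parameters above. It parses the C-like
escape syntax the two share (\a \b \f \n \r \t \v \ddd and \\) into a set
of byte values, then applies that set to raw content the way each
parameter does: reject when any listed byte is present, or remove every
listed byte. Truncating \ddd to eight bits and raising on an unknown
escape are assumptions; the content samples are constructed.

```python
# Single-character escapes and the byte value each one names.
_SIMPLE_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
_OCTAL = "01234567"


def parse_character_set(spec):
    """Turn a value such as r'\0\r' into the set of byte values it names."""
    result = set()
    data = spec.encode("ascii")
    i = 0
    while i < len(data):
        if data[i] != 0x5C:             # not a backslash: literal character
            result.add(data[i])
            i += 1
            continue
        i += 1                          # skip the backslash
        if i >= len(data):
            raise ValueError("trailing backslash in character set")
        nxt = chr(data[i])
        if nxt in _SIMPLE_ESCAPES:
            result.add(_SIMPLE_ESCAPES[nxt])
            i += 1
        elif nxt in _OCTAL:
            # \ddd: up to three octal digits; assumption: value is taken mod 256
            j = i
            while j < len(data) and j - i < 3 and chr(data[j]) in _OCTAL:
                j += 1
            result.add(int(data[i:j].decode("ascii"), 8) & 0xFF)
            i = j
        else:
            raise ValueError(f"unknown escape \\{nxt}")    # assumption
    return result


def rejects_content(content, reject_spec):
    """True when raw content contains any byte named by message_reject_characters."""
    bad = parse_character_set(reject_spec)
    return any(byte in bad for byte in content)


def strip_content(content, strip_spec):
    """Return raw content with every byte named by message_strip_characters removed."""
    drop = parse_character_set(strip_spec)
    return bytes(byte for byte in content if byte not in drop)


if __name__ == "__main__":
    sample = b"Subject: hi\r\n\r\nbody\x00with NUL\n"    # constructed raw content
    print("reject:", rejects_content(sample, r"\0"))
    print("strip :", strip_content(sample, r"\0"))
```

Because both parameters inspect raw content, a NUL hidden inside a
base64 or quoted-printable MIME part is not seen by either one; the
example operates on the same raw bytes that header_checks and
body_checks see.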
3921
3923 The location of non-executable files that are shared among multiple
3924 Postfix instances, such as postfix-files, dynamicmaps.cf, and the
3925 multi-instance template files main.cf.proto and master.cf.proto. This
3926 directory should contain only Postfix-related files. Typically, the
3927 meta_directory parameter has the same default as the config_directory
3928 parameter (/etc/postfix or /usr/local/etc/postfix).
3929
3930 For backwards compatibility with Postfix versions 2.6..2.11, specify
3931 "meta_directory = $daemon_directory" in main.cf before installing or
3932 upgrading Postfix, or specify "meta_directory = /path/name" on the
3933 "make makefiles", "make install" or "make upgrade" command line.
3934
3935 This feature is available in Postfix 3.0 and later.
3936
3938 The time limit for sending an SMTP command to a Milter (mail filter)
3939 application, and for receiving the response.
3940
3941 Specify a non-zero time value (an integral value plus an optional
3942 one-letter suffix that specifies the time unit).
3943
3944 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3945 The default time unit is s (seconds).
3946
3947 This feature is available in Postfix 2.3 and later.
3948
3950 The macros that are sent to Milter (mail filter) applications after
3951 completion of an SMTP connection. See MILTER_README for a list of
3952 available macro names and their meanings.
3953
3954 This feature is available in Postfix 2.3 and later.
3955
3957 The time limit for connecting to a Milter (mail filter) application,
3958 and for negotiating protocol options.
3959
3960 Specify a non-zero time value (an integral value plus an optional
3961 one-letter suffix that specifies the time unit).
3962
3963 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3964 The default time unit is s (seconds).
3965
3966 This feature is available in Postfix 2.3 and later.
3967
3969 The time limit for sending message content to a Milter (mail filter)
3970 application, and for receiving the response.
3971
3972 Specify a non-zero time value (an integral value plus an optional
3973 one-letter suffix that specifies the time unit).
3974
3975 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3976 The default time unit is s (seconds).
3977
3978 This feature is available in Postfix 2.3 and later.
3979
3981 The macros that are sent to version 4 or higher Milter (mail filter)
3982 applications after the SMTP DATA command. See MILTER_README for a list
3983 of available macro names and their meanings.
3984
3985 This feature is available in Postfix 2.3 and later.
3986
3988 The default action when a Milter (mail filter) response is unavailable
3989 (for example, bad Postfix configuration or Milter failure). Specify one
3990 of the following:
3991
3992 accept Proceed as if the mail filter was not present.
3993
3994 reject Reject all further commands in this session with a permanent
3995 status code.
3996
3997 tempfail
3998 Reject all further commands in this session with a temporary
3999 status code.
4000
4001 quarantine
4002 Like "accept", but freeze the message in the "hold" queue.
4003 Available with Postfix 2.6 and later.
4004
4005 This feature is available in Postfix 2.3 and later.
4006
4008 The macros that are sent to Milter (mail filter) applications after the
4009 message end-of-data. See MILTER_README for a list of available macro
4010 names and their meanings.
4011
4012 This feature is available in Postfix 2.3 and later.
4013
4015 The macros that are sent to Milter (mail filter) applications after the
4016 end of the message header. See MILTER_README for a list of available
4017 macro names and their meanings.
4018
4019 This feature is available in Postfix 2.5 and later.
4020
4022 Optional lookup tables for content inspection of message headers that
4023 are produced by Milter applications. See the header_checks(5) manual
4024 page for available actions. Currently, PREPEND is not implemented.
4025
4026 The following example sends all mail that is marked as SPAM to a spam
4027 handling machine. Note that matches are case-insensitive by default.
4028
4029 /etc/postfix/main.cf:
4030 milter_header_checks = pcre:/etc/postfix/milter_header_checks
4031
4032 /etc/postfix/milter_header_checks:
4033 /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
4034
4035 The milter_header_checks mechanism could also be used for whitelisting.
4036 For example it could be used to skip heavy content inspection for
4037 DKIM-signed mail from known friendly domains.
4038
4039 This feature is available in Postfix 2.7, and as an optional patch for
4040 Postfix 2.6.
4041
4043 The macros that are sent to Milter (mail filter) applications after the
4044 SMTP HELO or EHLO command. See MILTER_README for a list of available
4045 macro names and their meanings.
4046
4047 This feature is available in Postfix 2.3 and later.
4048
4050 The {daemon_name} macro value for Milter (mail filter) applications.
4051 See MILTER_README for a list of available macro names and their mean‐
4052 ings.
4053
4054 This feature is available in Postfix 2.3 and later.
4055
4057 Optional list of name=value pairs that specify default values for arbi‐
4058 trary macros that Postfix may send to Milter applications. These
4059 defaults are used when there is no corresponding information from the
4060 message delivery context.
4061
4062 Specify name=value or {name}=value pairs separated by comma or white‐
4063 space. Enclose a pair in "{}" when a value contains comma or white‐
4064 space (this form ignores whitespace after the enclosing "{", around the
4065 "=", and before the enclosing "}").
4066
4067 This feature is available in Postfix 3.1 and later.
4068
4070 The {v} macro value for Milter (mail filter) applications. See MIL‐
4071 TER_README for a list of available macro names and their meanings.
4072
4073 This feature is available in Postfix 2.3 and later.
4074
4076 The macros that are sent to Milter (mail filter) applications after the
4077 SMTP MAIL FROM command. See MILTER_README for a list of available macro
4078 names and their meanings.
4079
4080 This feature is available in Postfix 2.3 and later.
4081
4083 The mail filter protocol version and optional protocol extensions for
4084 communication with a Milter application; prior to Postfix 2.6 the
4085 default protocol is 2. Postfix sends this version number during the
4086 initial protocol handshake. It should match the version number that is
4087 expected by the mail filter application (or by its Milter library).
4088
4089 Protocol versions:
4090
4091 2 Use Sendmail 8 mail filter protocol version 2 (default with
4092 Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).
4093
4094 3 Use Sendmail 8 mail filter protocol version 3.
4095
4096 4 Use Sendmail 8 mail filter protocol version 4.
4097
4098 6 Use Sendmail 8 mail filter protocol version 6 (default with
4099 Sendmail version 8.14 and Postfix version 2.6).
4100
4101 Protocol extensions:
4102
4103 no_header_reply
4104 Specify this when the Milter application will not reply for each
4105 individual message header.
4106
4107 This feature is available in Postfix 2.3 and later.
4108
4110 The macros that are sent to Milter (mail filter) applications after the
4111 SMTP RCPT TO command. See MILTER_README for a list of available macro
4112 names and their meanings.
4113
4114 This feature is available in Postfix 2.3 and later.
4115
4117 The macros that are sent to version 3 or higher Milter (mail filter)
4118 applications after an unknown SMTP command. See MILTER_README for a
4119 list of available macro names and their meanings.
4120
4121 This feature is available in Postfix 2.3 and later.
4122
4124 The maximal length of MIME multipart boundary strings. The MIME proces‐
4125 sor is unable to distinguish between boundary strings that do not dif‐
4126 fer in the first $mime_boundary_length_limit characters.
4127
4128 This feature is available in Postfix 2.0 and later.
4129
4131 Optional lookup tables for content inspection of MIME related message
4132 headers, as described in the header_checks(5) manual page.
4133
4134 This feature is available in Postfix 2.0 and later.
4135
4137 The maximal recursion level that the MIME processor will handle. Post‐
4138 fix refuses mail that is nested deeper than the specified limit.
4139
4140 This feature is available in Postfix 2.0 and later.
4141
4143 The minimal time between attempts to deliver a deferred message; prior
4144 to Postfix 2.4 the default value was 1000s.
4145
4146 This parameter also limits the time an unreachable destination is kept
4147 in the short-term, in-memory, destination status cache.
4148
4149 This parameter should be set greater than or equal to $queue_run_delay.
4150 See also $maximal_backoff_time.
4151
4152 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4153 The default time unit is s (seconds).
4154
4156 An optional list of non-default Postfix configuration directories;
4157 these directories belong to additional Postfix instances that share the
4158 Postfix executable files and documentation with the default Postfix
4159 instance, and that are started, stopped, etc., together with the
4160 default Postfix instance. Specify a list of pathnames separated by
4161 comma or whitespace.
4162
4163 When $multi_instance_directories is empty, the postfix(1) command runs
4164 in single-instance mode and operates on a single Postfix instance only.
4165 Otherwise, the postfix(1) command runs in multi-instance mode and
4166 invokes the multi-instance manager specified with the
4167 multi_instance_wrapper parameter. The multi-instance manager in turn
4168 executes postfix(1) commands for the default instance and for all Post‐
4169 fix instances in $multi_instance_directories.
4170
4171 Currently, this parameter setting is ignored except for the default
4172 main.cf file.
4173
4174 This feature is available in Postfix 2.6 and later.
4175
4177 Allow this Postfix instance to be started, stopped, etc., by a
4178 multi-instance manager. By default, new instances are created in a
4179 safe state that prevents them from being started inadvertently. This
4180 parameter is reserved for the multi-instance manager.
4181
4182 This feature is available in Postfix 2.6 and later.
4183
4185 The optional instance group name of this Postfix instance. A group
4186 identifies closely-related Postfix instances that the multi-instance
4187 manager can start, stop, etc., as a unit. This parameter is reserved
4188 for the multi-instance manager.
4189
4190 This feature is available in Postfix 2.6 and later.
4191
4193 The optional instance name of this Postfix instance. This name becomes
4194 also the default value for the syslog_name parameter.
4195
4196 This feature is available in Postfix 2.6 and later.
4197
4199 The pathname of a multi-instance manager command that the postfix(1)
4200 command invokes when the multi_instance_directories parameter value is
4201 non-empty. The pathname may be followed by initial command arguments
4202 separated by whitespace; shell metacharacters such as quotes are not
4203 supported in this context.
4204
4205 The postfix(1) command invokes the manager command with the postfix(1)
4206 non-option command arguments on the manager command line, and with all
4207 installation configuration parameters exported into the manager command
4208 process environment. The manager command in turn invokes the postfix(1)
4209 command for individual Postfix instances as "postfix -c config_direc‐
4210 tory command".
4211
4212 This feature is available in Postfix 2.6 and later.
4213
4215 The numerical Postfix SMTP server response code when a remote SMTP
4216 client request is blocked by the reject_multi_recipient_bounce restric‐
4217 tion.
4218
4219 Do not change this unless you have a complete understanding of RFC
4220 5321.
4221
4222 This feature is available in Postfix 2.1 and later.
4223
4225 The list of domains that are delivered via the $local_transport mail
4226 delivery transport. By default this is the Postfix local(8) delivery
4227 agent which looks up all recipients in /etc/passwd and /etc/aliases.
4228 The SMTP server validates recipient addresses with $local_recipi‐
4229 ent_maps and rejects non-existent recipients. See also the local domain
4230 class in the ADDRESS_CLASS_README file.
4231
4232 The default mydestination value specifies names for the local machine
4233 only. On a mail domain gateway, you should also include $mydomain.
4234
4235 The $local_transport delivery method is also selected for mail
4236 addressed to user@[the.net.work.address] of the mail system (the IP
4237 addresses specified with the inet_interfaces and proxy_interfaces
4238 parameters).
4239
4240 Warnings:
4241
4242 · Do not specify the names of virtual domains - those domains are
4243 specified elsewhere. See VIRTUAL_README for more information.
4244
4245 · Do not specify the names of domains that this machine is backup
4246 MX host for. See STANDARD_CONFIGURATION_README for how to set up
4247 backup MX hosts.
4248
4249 · By default, the Postfix SMTP server rejects mail for recipients
4250 not listed with the local_recipient_maps parameter. See the
4251 postconf(5) manual for a description of the local_recipient_maps
4252 and unknown_local_recipient_reject_code parameters.
4253
4254 Specify a list of host or domain names, "/file/name" or "type:table"
4255 patterns, separated by commas and/or whitespace. A "/file/name" pattern
4256 is replaced by its contents; a "type:table" lookup table is matched
4257 when a name matches a lookup key (the lookup result is ignored). Con‐
4258 tinue long lines by starting the next line with whitespace.
4259
4260 Examples:
4261
4262 mydestination = $myhostname, localhost.$mydomain $mydomain
4263 mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
4264
4266 The internet domain name of this mail system. The default is to use
4267 $myhostname minus the first component, or "localdomain" (Postfix 2.3
4268 and later). $mydomain is used as a default value for many other con‐
4269 figuration parameters.
4270
4271 Example:
4272
4273 mydomain = domain.tld
4274
4276 The internet hostname of this mail system. The default is to use the
4277 fully-qualified domain name (FQDN) from gethostname(), or to use the
4278 non-FQDN result from gethostname() and append ".$mydomain". $myhost‐
4279 name is used as a default value for many other configuration parame‐
4280 ters.
4281
4282 Example:
4283
4284 myhostname = host.example.com
4285
4287 The list of "trusted" remote SMTP clients that have more privileges
4288 than "strangers".
4289
4290 In particular, "trusted" SMTP clients are allowed to relay mail through
4291 Postfix. See the smtpd_relay_restrictions parameter description in the
4292 postconf(5) manual.
4293
4294 You can specify the list of "trusted" network addresses by hand or you
4295 can let Postfix do it for you (which is the default). See the descrip‐
4296 tion of the mynetworks_style parameter for more information.
4297
4298 If you specify the mynetworks list by hand, Postfix ignores the mynet‐
4299 works_style setting.
4300
4301 Specify a list of network addresses or network/netmask patterns, sepa‐
4302 rated by commas and/or whitespace. Continue long lines by starting the
4303 next line with whitespace.
4304
4305 The netmask specifies the number of bits in the network part of a host
4306 address. You can also specify "/file/name" or "type:table" patterns.
4307 A "/file/name" pattern is replaced by its contents; a "type:table"
4308 lookup table is matched when a table entry matches a lookup string (the
4309 lookup result is ignored).
4310
4311 The list is matched left to right, and the search stops on the first
4312 match. Specify "!pattern" to exclude an address or network block from
4313 the list. The form "!/file/name" is supported only in Postfix version
4314 2.4 and later.
4315
4316 Note 1: Pattern matching of domain names is controlled by the presence
4317 or absence of "mynetworks" in the parent_domain_matches_subdomains
4318 parameter value.
4319
4320 Note 2: IP version 6 address information must be specified inside [] in
4321 the mynetworks value, and in files specified with "/file/name". IP
4322 version 6 addresses contain the ":" character, and would otherwise be
4323 confused with a "type:table" pattern.
4324
4325 Examples:
4326
4327 mynetworks = 127.0.0.0/8 168.100.189.0/28
4328 mynetworks = !192.168.0.1, 192.168.0.0/28
4329 mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
4330 mynetworks = $config_directory/mynetworks
4331 mynetworks = hash:/etc/postfix/network_table
4332
4334 The method to generate the default value for the mynetworks parameter.
4335 This is the list of trusted networks for relay access control etc.
4336
4337 · Specify "mynetworks_style = host" when Postfix should "trust"
4338 only the local machine.
4339
4340 · Specify "mynetworks_style = subnet" when Postfix should "trust"
4341 remote SMTP clients in the same IP subnetworks as the local
4342 machine. On Linux, this works correctly only with interfaces
4343 specified with the "ifconfig" command.
4344
4345 · Specify "mynetworks_style = class" when Postfix should "trust"
4346 remote SMTP clients in the same IP class A/B/C networks as the
4347 local machine. Caution: this may cause Postfix to "trust" your
4348 entire provider's network. Instead, specify an explicit mynet‐
4349 works list by hand, as described with the mynetworks configura‐
4350 tion parameter.
4351
4353 The domain name that locally-posted mail appears to come from, and that
4354 locally posted mail is delivered to. The default, $myhostname, is ade‐
4355 quate for small sites. If you run a domain with multiple machines, you
4356 should (1) change this to $mydomain and (2) set up a domain-wide alias
4357 database that aliases each user to user@that.users.mailhost.
4358
4359 Example:
4360
4361 myorigin = $mydomain
4362
4364 Optional lookup tables for content inspection of non-MIME message head‐
4365 ers in attached messages, as described in the header_checks(5) manual
4366 page.
4367
4368 This feature is available in Postfix 2.0 and later.
4369
4371 Sendmail compatibility feature that specifies the location of the
4372 newaliases(1) command. This command can be used to rebuild the local(8)
4373 aliases(5) database.
4374
4376 The numerical Postfix SMTP server reply code when a client request is
4377 rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
4378 or reject_non_fqdn_recipient restriction.
4379
4381 A list of Milter (mail filter) applications for new mail that does not
4382 arrive via the Postfix smtpd(8) server. This includes local submission
4383 via the sendmail(1) command line, new mail that arrives via the Postfix
4384 qmqpd(8) server, and old mail that is re-injected into the queue with
4385 "postsuper -r". Specify space or comma as separator. See the MIL‐
4386 TER_README document for details.
4387
4388 This feature is available in Postfix 2.3 and later.
4389
4391 The list of error classes that are reported to the postmaster. The
4392 default is to report only the most serious problems. The paranoid may
4393 wish to turn on the policy (UCE and mail relaying) and protocol error
4394 (broken mail software) reports.
4395
4396 NOTE: postmaster notifications may contain confidential information
4397 such as SASL passwords or message content. It is the system adminis‐
4398 trator's responsibility to treat such information with care.
4399
4400 The error classes are:
4401
4402 bounce (also implies 2bounce)
4403 Send the postmaster copies of the headers of bounced mail, and
4404 send transcripts of SMTP sessions when Postfix rejects mail. The
4405 notification is sent to the address specified with the
4406 bounce_notice_recipient configuration parameter (default: post‐
4407 master).
4408
4409 2bounce
4410 Send undeliverable bounced mail to the postmaster. The notifica‐
4411 tion is sent to the address specified with the
4412 2bounce_notice_recipient configuration parameter (default: post‐
4413 master).
4414
4415 data Send the postmaster a transcript of the SMTP session with an
4416 error because a critical data file was unavailable. The notifi‐
4417 cation is sent to the address specified with the
4418 error_notice_recipient configuration parameter (default: post‐
4419 master).
4420 This feature is available in Postfix 2.9 and later.
4421
4422 delay Send the postmaster copies of the headers of delayed mail (see
4423 delay_warning_time). The notification is sent to the address
4424 specified with the delay_notice_recipient configuration parame‐
4425 ter (default: postmaster).
4426
4427 policy Send the postmaster a transcript of the SMTP session when a
4428 client request was rejected because of (UCE) policy. The notifi‐
4429 cation is sent to the address specified with the
4430 error_notice_recipient configuration parameter (default: post‐
4431 master).
4432
4433 protocol
4434 Send the postmaster a transcript of the SMTP session in case of
4435 client or server protocol errors. The notification is sent to
4436 the address specified with the error_notice_recipient configura‐
4437 tion parameter (default: postmaster).
4438
4439 resource
4440 Inform the postmaster of mail not delivered due to resource
4441 problems. The notification is sent to the address specified
4442 with the error_notice_recipient configuration parameter
4443 (default: postmaster).
4444
4445 software
4446 Inform the postmaster of mail not delivered due to software
4447 problems. The notification is sent to the address specified
4448 with the error_notice_recipient configuration parameter
4449 (default: postmaster).
4450
4451 Examples:
4452
4453 notify_classes = bounce, delay, policy, protocol, resource, software
4454 notify_classes = 2bounce, resource, software
4455
4457 The numerical reply code when the Postfix SMTP server rejects a sender
4458 or recipient address because its domain has a nullmx DNS record (an MX
4459 record with an empty hostname). This is one of the possible replies
4460 from the restrictions reject_unknown_sender_domain and
4461 reject_unknown_recipient_domain.
4462
4463 This feature is available in Postfix 3.0 and later.
4464
4466 The location of the OpenSSL command line program openssl(1). This is
4467 used by the "postfix tls" command to create private keys, certificate
4468 signing requests, self-signed certificates, and to compute public key
4469 digests for DANE TLSA records. In multi-instance environments, this
4470 parameter is always determined from the configuration of the default
4471 Postfix instance.
4472
4473 Example:
4474
4475 /etc/postfix/main.cf:
4476 # NetBSD pkgsrc:
4477 openssl_path = /usr/pkg/bin/openssl
4478 # Local build:
4479 openssl_path = /usr/local/bin/openssl
4480
4481 This feature is available in Postfix 3.1 and later.
4482
4484 Enable special treatment for owner-listname entries in the aliases(5)
4485 file, and don't split owner-listname and listname-request address
4486 localparts when the recipient_delimiter is set to "-". This feature is
4487 useful for mailing lists.
4488
4490 A list of Postfix features where the pattern "example.com" also matches
4491 subdomains of example.com, instead of requiring an explicit ".exam‐
4492 ple.com" pattern. This is planned backwards compatibility: eventu‐
4493 ally, all Postfix features are expected to require explicit ".exam‐
4494 ple.com" style patterns when you really want to match subdomains.
4495
4496 The following Postfix feature names are supported.
4497
4498 Postfix version 1.0 and later
4499 debug_peer_list, fast_flush_domains, mynetworks, per‐
4500 mit_mx_backup_networks, relay_domains, transport_maps
4501
4502 Postfix version 1.1 and later
4503 qmqpd_authorized_clients, smtpd_access_maps
4504
4505 Postfix version 2.8 and later
4506 postscreen_access_list
4507
4508 Postfix version 3.0 and later
4509 smtpd_client_event_limit_exceptions
4510
4512 Restrict the use of the permit_mx_backup SMTP access feature to only
4513 domains whose primary MX hosts match the listed networks. The parame‐
4514 ter value syntax is the same as with the mynetworks parameter; note,
4515 however, that the default value is empty.
4516
4517 Pattern matching of domain names is controlled by the presence or
4518 absence of "permit_mx_backup_networks" in the par‐
4519 ent_domain_matches_subdomains parameter value.
4520
4522 The name of the pickup(8) service. This service picks up local mail
4523 submissions from the Postfix maildrop queue.
4524
4525 This feature is available in Postfix 2.0 and later.
4526
4528 Optional filter for the pipe(8) delivery agent to change the delivery
4529 status code or explanatory text of successful or unsuccessful deliver‐
4530 ies. See default_delivery_status_filter for details.
4531
4532 This feature is available in Postfix 3.0 and later.
4533
4535 The numerical Postfix SMTP server response code when a request is
4536 rejected by the reject_plaintext_session restriction.
4537
4538 This feature is available in Postfix 2.3 and later.
4539
4541 The name of the postlogd(8) service entry in master.cf. This service
4542 appends logfile records to the file specified with the maillog_file
4543 parameter.
4544
4545 This feature is available in Postfix 3.4 and later.
4546
4548 How much time a postlogd(8) process may take to process a request
4549 before it is terminated by a built-in watchdog timer. This is a safety
4550 mechanism that prevents postlogd(8) from becoming non-responsive due to
4551 a bug in Postfix itself or in system software. This limit cannot be set
4552 under 10s.
4553
4554 Specify a non-zero time value (an integral value plus an optional
4555 one-letter suffix that specifies the time unit). Time units: s (sec‐
4556 onds), m (minutes), h (hours), d (days), w (weeks).
4557
4558 This feature is available in Postfix 3.4 and later.
4559
4561 The postfix(1) commands that the postmulti(1) instance manager treats
4562 as "control" commands, that operate on running instances. For these
4563 commands, disabled instances are skipped.
4564
4565 This feature is available in Postfix 2.6 and later.
4566
4568 The postfix(1) commands that the postmulti(1) instance manager treats
4569 as "start" commands. For these commands, disabled instances are
4570 "checked" rather than "started", and failure to "start" a member
4571 instance of an instance group will abort the start-up of later
4572 instances.
4573
4574 This feature is available in Postfix 2.6 and later.
4575
4577 The postfix(1) commands that the postmulti(1) instance manager treats
4578 as "stop" commands. For these commands, disabled instances are skipped,
4579 and enabled instances are processed in reverse order.
4580
4581 This feature is available in Postfix 2.6 and later.
4582
4584 Permanent white/blacklist for remote SMTP client IP addresses.
4585 postscreen(8) searches this list immediately after a remote SMTP client
4586 connects. Specify a comma- or whitespace-separated list of commands
4587 (in upper or lower case) or lookup tables. The search stops upon the
4588 first command that fires for the client IP address.
4589
4590 permit_mynetworks
4591 Whitelist the client and terminate the search if the client IP
4592 address matches $mynetworks. Do not subject the client to any
4593 before/after 220 greeting tests. Pass the connection immedi‐
4594 ately to a Postfix SMTP server process.
4595 Pattern matching of domain names is controlled by the presence
4596 or absence of "postscreen_access_list" in the par‐
4597 ent_domain_matches_subdomains parameter value.
4598
4599 type:table
4600 Query the specified lookup table. Each table lookup result is an
4601 access list, except that access lists inside a table cannot
4602 specify type:table entries.
4603 To discourage the use of hash, btree, etc. tables, there is no
4604 support for substring matching like smtpd(8). Use CIDR tables
4605 instead.
4606
4607 permit
4608 Whitelist the client and terminate the search. Do not subject
4609 the client to any before/after 220 greeting tests. Pass the con‐
4610 nection immediately to a Postfix SMTP server process.
4611
4612 reject
4613 Blacklist the client and terminate the search. Subject the
4614 client to the action configured with the postscreen_black‐
4615 list_action configuration parameter.
4616
4617 dunno All postscreen(8) access lists implicitly have this command at
4618 the end.
4619 When dunno is executed inside a lookup table, return from the
4620 lookup table and evaluate the next command.
4621 When dunno is executed outside a lookup table, terminate the
4622 search, and subject the client to the configured before/after
4623 220 greeting tests.
4624
4625 Example:
4626
4627 /etc/postfix/main.cf:
4628 postscreen_access_list = permit_mynetworks,
4629 cidr:/etc/postfix/postscreen_access.cidr
4630 postscreen_blacklist_action = enforce
4631
4632 /etc/postfix/postscreen_access.cidr:
4633 # Rules are evaluated in the order as specified.
4634 # Blacklist 192.168.* except 192.168.0.1.
4635 192.168.0.1 dunno
4636 192.168.0.0/16 reject
4637
4638 This feature is available in Postfix 2.8.
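
The mynetworks matching rules described above (left-to-right search, first
match wins, "!pattern" exclusion, IPv6 inside "[]") and the
postscreen_access_list evaluation order, including the different meaning of
dunno inside and outside a lookup table, modelled as an added Python example.
This is illustration code written for this page, not Postfix's own
implementation; the cidr: table content is held in an inline string instead of
/etc/postfix/postscreen_access.cidr, and the "/file/name" and "type:table" forms
of mynetworks are not modelled.

```python
import ipaddress
import re

# Constructed sample settings for this illustration (not taken from a real system).
MYNETWORKS = "127.0.0.0/8, !192.168.0.1, 192.168.0.0/28 [::1]/128 [2001:db8:587::]/64"
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"
# What /etc/postfix/postscreen_access.cidr would contain, held in memory here.
ACCESS_CIDR = """# Rules are evaluated in the order as specified.
# Blacklist 192.168.* except 192.168.0.1.
192.168.0.1    dunno
192.168.0.0/16 reject
"""


def split_list(value):
    """Postfix list syntax: items separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def parse_mynetworks(value):
    """Return an ordered list of (negated, network) for a mynetworks value."""
    patterns = []
    for tok in split_list(value):
        negate = tok.startswith("!")
        tok = tok[1:] if negate else tok
        bracketed = re.fullmatch(r"\[([^\]]+)\](/\d+)?", tok)
        if bracketed:
            # IPv6 is written [addr]/len so that its ":" is not read as type:table.
            tok = bracketed.group(1) + (bracketed.group(2) or "")
        elif tok.startswith("/") or re.match(r"\w+:", tok):
            # "/file/name" and "type:table" are real Postfix forms left out of this
            # model. A bare 2001:db8::1 lands here too: the confusion Note 2 warns about.
            raise NotImplementedError(f"{tok!r}: not modelled; write IPv6 inside []")
        # ip_network() is strict: like Postfix, refuse a net/mask with host bits set.
        patterns.append((negate, ipaddress.ip_network(tok)))
    return patterns


def mynetworks_match(client_ip, patterns):
    """Left to right, first match wins; a matching "!pattern" excludes the client."""
    ip = ipaddress.ip_address(client_ip)
    for negate, net in patterns:
        if ip in net:  # False when the address and network families differ
            return not negate
    return False


def parse_cidr_table(text):
    """Parse cidr: table text into ordered (network, result) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, result = line.split(None, 1)
            rules.append((ipaddress.ip_network(pattern), result.strip()))
    return rules


def cidr_lookup(ip, rules):
    for net, result in rules:  # first matching rule wins, as in a cidr: table
        if ip in net:
            return result
    return None


def postscreen_access_list(client_ip, access_list, mynetworks, tables):
    """Return "permit", "reject" or "dunno" (dunno: client gets the 220 greeting tests)."""
    ip = ipaddress.ip_address(client_ip)

    def evaluate(commands, inside_table):
        for cmd in commands:
            word = cmd.lower()  # commands may be given in upper or lower case
            if word == "permit_mynetworks":
                if mynetworks_match(client_ip, mynetworks):
                    return "permit"
            elif word in ("permit", "reject"):
                return word
            elif word == "dunno":
                # Inside a table: return and go on with the next command.
                # Outside: stop the search; the client gets the protocol tests.
                return None if inside_table else "dunno"
            elif ":" in cmd:
                if inside_table:
                    raise ValueError("type:table entries are not allowed inside a table")
                result = cidr_lookup(ip, tables[cmd])
                if result is not None:
                    outcome = evaluate(split_list(result), inside_table=True)
                    if outcome is not None:
                        return outcome
            else:
                raise ValueError(f"unknown postscreen_access_list command {cmd!r}")
        # Every access list implicitly ends with dunno.
        return None if inside_table else "dunno"

    return evaluate(split_list(access_list), inside_table=False)
```

Note that with these sample values 192.168.0.5 is permitted by permit_mynetworks
before the table's reject is ever consulted, while a "!pattern" placed after the
block it is meant to carve out never fires.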
4639
4641 The action that postscreen(8) takes when a remote SMTP client sends a
4642 bare newline character, that is, a newline not preceded by carriage
4643 return. Specify one of the following:
4644
4645 ignore Ignore the failure of this test. Allow other tests to complete.
4646 Do not repeat this test before the result from some other test
4647 expires. This option is useful for testing and collecting statistics
4648 without blocking mail permanently.
4649
4650 enforce
4651 Allow other tests to complete. Reject attempts to deliver mail
4652 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4653 mation. Repeat this test the next time the client connects.
4654
4655 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4656 this test the next time the client connects.
4657
4658 This feature is available in Postfix 2.8.
4659
4661 Enable "bare newline" SMTP protocol tests in the postscreen(8) server.
4662 These tests are expensive: a remote SMTP client must disconnect after
4663 it passes the test, before it can talk to a real Postfix SMTP server.
4664
4665 This feature is available in Postfix 2.8.
4666
4668 The amount of time that postscreen(8) will use the result from a suc‐
4669 cessful "bare newline" SMTP protocol test. During this time, the client
4670 IP address is excluded from this test. The default is long because a
4671 remote SMTP client must disconnect after it passes the test, before it
4672 can talk to a real Postfix SMTP server.
4673
4674 Specify a non-zero time value (an integral value plus an optional
4675 one-letter suffix that specifies the time unit). Time units: s (sec‐
4676 onds), m (minutes), h (hours), d (days), w (weeks).
4677
4678 This feature is available in Postfix 2.8.
4679
4681 The action that postscreen(8) takes when a remote SMTP client is perma‐
4682 nently blacklisted with the postscreen_access_list parameter. Specify
4683 one of the following:
4684
4685 ignore (default)
4686 Ignore this result. Allow other tests to complete. Repeat this
4687 test the next time the client connects. This option is useful
4688 for testing and collecting statistics without blocking mail.
4689
4690 enforce
4691 Allow other tests to complete. Reject attempts to deliver mail
4692 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4693 mation. Repeat this test the next time the client connects.
4694
4695 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4696 this test the next time the client connects.
4697
4698 This feature is available in Postfix 2.8.
4699
4701 The amount of time between postscreen(8) cache cleanup runs. Cache
4702 cleanup increases the load on the cache database and should therefore
4703 not be run frequently. This feature requires that the cache database
4704 supports the "delete" and "sequence" operators. Specify a zero inter‐
4705 val to disable cache cleanup.
4706
4707 After each cache cleanup run, the postscreen(8) daemon logs the number
4708 of entries that were retained and dropped. A cleanup run is logged as
4709 "partial" when the daemon terminates early after "postfix reload",
4710 "postfix stop", or no requests for $max_idle seconds.
4711
4712 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4713
4714 This feature is available in Postfix 2.8.
4715
4717 Persistent storage for the postscreen(8) server decisions.
4718
4719 To share a postscreen(8) cache between multiple postscreen(8)
4720 instances, use "postscreen_cache_map = proxy:btree:/path/to/file".
4721 This requires Postfix version 2.9 or later; earlier proxymap(8) imple‐
4722 mentations don't support cache cleanup. For an alternative approach see
4723 the memcache_table(5) manpage.
4724
4725 This feature is available in Postfix 2.8.
4726
4728 The amount of time that postscreen(8) will cache an expired temporary
4729 whitelist entry before it is removed. This prevents clients from being
4730 logged as "NEW" just because their cache entry expired an hour ago. It
4731 also prevents the cache from filling up with clients that passed some
4732 deep protocol test once and never came back.
4733
4734 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4735
4736 This feature is available in Postfix 2.8.
4737
4739 postscreen_client_connection_count_limit (default: $smtpd_client_connection_count_limit)
4740 How many simultaneous connections any remote SMTP client is allowed to
4741 have with the postscreen(8) daemon. By default, this limit is the same
4742 as with the Postfix SMTP server. Note that the triage process can take
4743 several seconds, with the time spent in postscreen_greet_wait delay,
4744 and with the time spent talking to the postscreen(8) built-in dummy
4745 SMTP protocol engine.
4746
4747 This feature is available in Postfix 2.8.
4748
4750 The limit on the total number of commands per SMTP session for
4751 postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers
4752 or rejects all attempts to deliver mail, therefore there is no need to
4753 enforce separate limits on the number of junk commands and error com‐
4754 mands.
4755
4756 This feature is available in Postfix 2.8.
4757
4759 A mechanism to transform commands from remote SMTP clients. See
4760 smtpd_command_filter for further details.
4761
4762 This feature is available in Postfix 2.8 and later.
4763
4765 The time limit to read an entire command line with postscreen(8)'s
4766 built-in SMTP protocol engine.
4767
4768 This feature is available in Postfix 2.8.
4769
4771 Disable the SMTP VRFY command in the postscreen(8) daemon. See dis‐
4772 able_vrfy_command for details.
4773
4774 This feature is available in Postfix 2.8.
4775
4777 postscreen_discard_ehlo_keyword_address_maps (default: $smtpd_discard_ehlo_keyword_address_maps)
4778 Lookup tables, indexed by the remote SMTP client address, with
4779 case-insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
4780 that the postscreen(8) server will not send in the EHLO response to a
4781 remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
4782 table is not searched by hostname for robustness reasons.
4783
4784 This feature is available in Postfix 2.8 and later.
4785
4787 A case-insensitive list of EHLO keywords (pipelining, starttls, auth,
4788 etc.) that the postscreen(8) server will not send in the EHLO response
4789 to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
4790
4791 This feature is available in Postfix 2.8 and later.
4792
4794 The action that postscreen(8) takes when a remote SMTP client's com‐
4795 bined DNSBL score is equal to or greater than a threshold (as defined
4796 with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
4797 ters). Specify one of the following:
4798
4799 ignore (default)
4800 Ignore the failure of this test. Allow other tests to complete.
4801 Repeat this test the next time the client connects. This option
4802 is useful for testing and collecting statistics without blocking
4803 mail.
4804
4805 enforce
4806 Allow other tests to complete. Reject attempts to deliver mail
4807 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4808 mation. Repeat this test the next time the client connects.
4809
4810 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4811 this test the next time the client connects.
4812
4813 This feature is available in Postfix 2.8.
4814
4816 postscreen_dnsbl_max_ttl (default: ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
4817 The maximum amount of time that postscreen(8) will use the result from
4818 a successful DNS-based reputation test before a client IP address is
4819 required to pass that test again. If the DNS reply specifies a shorter
4820 TTL value, that value will be used unless it would be smaller than
4821 postscreen_dnsbl_min_ttl.
4822
4823 Specify a non-zero time value (an integral value plus an optional
4824 one-letter suffix that specifies the time unit). Time units: s (sec‐
4825 onds), m (minutes), h (hours), d (days), w (weeks).
4826
4827 This feature is available in Postfix 3.1. The default setting is back‐
4828 wards-compatible with older Postfix versions.
4829
4831 The minimum amount of time that postscreen(8) will use the result from
4832 a successful DNS-based reputation test before a client IP address is
4833 required to pass that test again. If the DNS reply specifies a larger
4834 TTL value, that value will be used unless it would be larger than
4835 postscreen_dnsbl_max_ttl.
4836
4837 Specify a non-zero time value (an integral value plus an optional
4838 one-letter suffix that specifies the time unit). Time units: s (sec‐
4839 onds), m (minutes), h (hours), d (days), w (weeks).
4840
4841 This feature is available in Postfix 3.1.
4842
4844 A mapping from actual DNSBL domain name which includes a secret pass‐
4845 word, to the DNSBL domain name that postscreen will reply with when it
4846 rejects mail. When no mapping is found, the actual DNSBL domain will
4847 be used.
4848
4849 For maximal stability it is best to use a file that is read into memory
4850 such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
4851 except a) there is no need to run postmap(1) before the file can be
4852 used, and b) texthash: does not detect changes after the file is read).
4853
4854 Example:
4855
4856 /etc/postfix/main.cf:
4857 postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
4858
4859 /etc/postfix/dnsbl_reply:
4860 secret.zen.spamhaus.org zen.spamhaus.org
4861
4862 This feature is available in Postfix 2.8.
4863
4865 Optional list of DNS white/blacklist domains, filters and weight fac‐
4866 tors. When the list is non-empty, the dnsblog(8) daemon will query
4867 these domains with the IP addresses of remote SMTP clients, and
4868 postscreen(8) will update an SMTP client's DNSBL score with each
4869 non-error reply.
4870
4871 Caution: when postscreen rejects mail, it replies with the DNSBL domain
4872 name. Use the postscreen_dnsbl_reply_map feature to hide "password"
4873 information in DNSBL domain names.
4874
4875 When a client's score is equal to or greater than the threshold speci‐
4876 fied with postscreen_dnsbl_threshold, postscreen(8) can drop the con‐
4877 nection with the remote SMTP client.
4878
4879 Specify a list of domain=filter*weight entries, separated by comma or
4880 whitespace.
4881
4882 · When no "=filter" is specified, postscreen(8) will use any
4883 non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
4884 replies that match the filter. The filter has the form d.d.d.d,
4885 where each d is a number, or a pattern inside [] that contains
4886 one or more ";"-separated numbers or number..number ranges.
4887
4888 · When no "*weight" is specified, postscreen(8) increments the
4889 remote SMTP client's DNSBL score by 1. Otherwise, the weight
4890 must be an integral number, and postscreen(8) adds the specified
4891 weight to the remote SMTP client's DNSBL score. Specify a nega‐
4892 tive number for whitelisting.
4893
4894 · When one postscreen_dnsbl_sites entry produces multiple DNSBL
4895 responses, postscreen(8) applies the weight at most once.
4896
4897 Examples:
4898
4899 To use example.com as a high-confidence blocklist, and to block mail
4900 with example.net and example.org only when both agree:
4901
4902 postscreen_dnsbl_threshold = 2
4903 postscreen_dnsbl_sites = example.com*2, example.net, example.org
4904
4905 To filter only DNSBL replies containing 127.0.0.4:
4906
4907 postscreen_dnsbl_sites = example.com=127.0.0.4
4908
4909 This feature is available in Postfix 2.8.
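The scoring rules above (filters, weights applied at most once per entry, the inclusive threshold) and the postscreen_dnsbl_reply_map lookup, as an added Python model that is not Postfix code; the DNSBL replies it is fed are constructed sample data, and the filter grammar follows only what this page states.

```python
# Added example (not part of postconf(5) or Postfix): a model of how
# postscreen(8) turns postscreen_dnsbl_sites entries into a DNSBL score and
# compares it with postscreen_dnsbl_threshold, plus the
# postscreen_dnsbl_reply_map lookup that hides a "secret" DNSBL domain name.
# All DNSBL replies passed in are constructed sample data, not real lookups.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Site:
    domain: str
    filters: Optional[List[Set[int]]]  # None: any non-error reply counts
    weight: int = 1                    # negative weight = whitelisting


def _split_octets(spec: str) -> List[str]:
    """Split a filter such as 127.0.0.[4..7;10] on the dots outside []."""
    parts, current, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "." and depth == 0:
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return parts


def _parse_octet(spec: str) -> Set[int]:
    """One octet pattern: a number, or [..] of ';'-separated numbers / n..m ranges."""
    if not (spec.startswith("[") and spec.endswith("]")):
        return {int(spec)}
    values: Set[int] = set()
    for item in spec[1:-1].split(";"):
        if ".." in item:
            low, high = item.split("..", 1)
            values.update(range(int(low), int(high) + 1))
        else:
            values.add(int(item))
    return values


def parse_sites(setting: str) -> List[Site]:
    """Parse a postscreen_dnsbl_sites value: domain[=filter][*weight] entries
    separated by commas and/or whitespace."""
    sites: List[Site] = []
    for entry in re.split(r"[,\s]+", setting.strip()):
        if not entry:
            continue
        weight = 1
        if "*" in entry:
            entry, weight_text = entry.rsplit("*", 1)
            weight = int(weight_text)          # must be an integral number
        filters = None
        if "=" in entry:
            entry, filter_text = entry.split("=", 1)
            filters = [_parse_octet(o) for o in _split_octets(filter_text)]
            if len(filters) != 4:
                raise ValueError(f"filter must have the form d.d.d.d: {filter_text}")
        sites.append(Site(entry, filters, weight))
    return sites


def reply_matches(site: Site, reply: str) -> bool:
    """Does one non-error DNSBL reply (an A record) satisfy the entry's filter?"""
    if site.filters is None:
        return True
    octets = reply.split(".")
    return len(octets) == 4 and all(
        int(o) in allowed for o, allowed in zip(octets, site.filters))


def dnsbl_score(sites: List[Site], replies: Dict[str, List[str]]) -> int:
    """replies maps a queried DNSBL domain to the A records it returned.
    Each entry's weight is applied at most once, however many records match."""
    score = 0
    for site in sites:
        if any(reply_matches(site, r) for r in replies.get(site.domain, [])):
            score += site.weight
    return score


def should_block(sites: List[Site], replies: Dict[str, List[str]],
                 threshold: int) -> bool:
    """postscreen_dnsbl_threshold is an inclusive lower bound."""
    return dnsbl_score(sites, replies) >= threshold


def public_dnsbl_name(reply_map: Dict[str, str], domain: str) -> str:
    """postscreen_dnsbl_reply_map: the name shown in the reject reply; the
    actual domain is used when no mapping is found."""
    return reply_map.get(domain, domain)
```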
4910
4912 The inclusive lower bound for blocking a remote SMTP client, based on
4913 its combined DNSBL score as defined with the postscreen_dnsbl_sites
4914 parameter.
4915
4916 This feature is available in Postfix 2.8.
4917
4919 The time limit for DNSBL or DNSWL lookups. This is separate from the
4920 timeouts in the dnsblog(8) daemon which are defined by system
4921 resolver(3) routines.
4922
4923 This feature is available in Postfix 3.0.
4924
4926 The amount of time that postscreen(8) will use the result from a suc‐
4927 cessful DNS-based reputation test before a client IP address is
4928 required to pass that test again.
4929
4930 Specify a non-zero time value (an integral value plus an optional
4931 one-letter suffix that specifies the time unit). Time units: s (sec‐
4932 onds), m (minutes), h (hours), d (days), w (weeks).
4933
4934 This feature is available in Postfix 2.8-3.0. It was replaced by
4935 postscreen_dnsbl_max_ttl in Postfix 3.1.
4936
4938 Allow a remote SMTP client to skip "before" and "after 220 greeting"
4939 protocol tests, based on its combined DNSBL score as defined with the
4940 postscreen_dnsbl_sites parameter.
4941
4942 Specify a negative value to enable this feature. When a client passes
4943 the postscreen_dnsbl_whitelist_threshold without having failed other
4944 tests, all pending or disabled tests are flagged as completed with a
4945 time-to-live value equal to postscreen_dnsbl_ttl. When a test was
4946 already completed, its time-to-live value is updated if it was less
4947 than postscreen_dnsbl_ttl.
4948
4949 This feature is available in Postfix 2.11.
4950
4952 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
4953 require that clients use TLS encryption. See
4954 smtpd_postscreen_enforce_tls for details.
4955
4956 This feature is available in Postfix 2.8 and later. Preferably, use
4957 postscreen_tls_security_level instead.
4958
4960 List of characters that are permitted in postscreen_reject_footer
4961 attribute expansions. See smtpd_expansion_filter for further details.
4962
4963 This feature is available in Postfix 2.8 and later.
4964
4966 List of commands that the postscreen(8) server considers in violation
4967 of the SMTP protocol. See smtpd_forbidden_commands for syntax, and
4968 postscreen_non_smtp_command_action for possible actions.
4969
4970 This feature is available in Postfix 2.8.
4971
4973 The action that postscreen(8) takes when a remote SMTP client speaks
4974 before its turn within the time specified with the
4975 postscreen_greet_wait parameter. Specify one of the following:
4976
4977 ignore (default)
4978 Ignore the failure of this test. Allow other tests to complete.
4979 Repeat this test the next time the client connects. This option
4980 is useful for testing and collecting statistics without blocking
4981 mail.
4982
4983 enforce
4984 Allow other tests to complete. Reject attempts to deliver mail
4985 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4986 mation. Repeat this test the next time the client connects.
4987
4988 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4989 this test the next time the client connects.
4990
4991 In either case, postscreen(8) will not whitelist the remote SMTP client
4992 IP address.
4993
4994 This feature is available in Postfix 2.8.
4995
4997 The text in the optional "220-text..." server response that
4998 postscreen(8) sends ahead of the real Postfix SMTP server's "220
4999 text..." response, in an attempt to confuse bad SMTP clients so that
5000 they speak before their turn (pre-greet). Specify an empty value to
5001 disable this feature.
5002
5003 This feature is available in Postfix 2.8.
5004
5006 The amount of time that postscreen(8) will use the result from a suc‐
5007 cessful PREGREET test. During this time, the client IP address is
5008 excluded from this test. The default is relatively short, because a
5009 good client can immediately talk to a real Postfix SMTP server.
5010
5011 Specify a non-zero time value (an integral value plus an optional
5012 one-letter suffix that specifies the time unit). Time units: s (sec‐
5013 onds), m (minutes), h (hours), d (days), w (weeks).
5014
5015 This feature is available in Postfix 2.8.
5016
5018 The amount of time that postscreen(8) will wait for an SMTP client to
5019 send a command before its turn, and for DNS blocklist lookup results to
5020 arrive (default: up to 2 seconds under stress, up to 6 seconds other‐
5021 wise).
5022
5023 Specify a non-zero time value (an integral value plus an optional
5024 one-letter suffix that specifies the time unit).
5025
5026 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5027
5028 This feature is available in Postfix 2.8.
5029
5031 Require that a remote SMTP client sends HELO or EHLO before commencing
5032 a MAIL transaction.
5033
5034 This feature is available in Postfix 2.8.
5035
5037 The action that postscreen(8) takes when a remote SMTP client sends
5038 non-SMTP commands as specified with the postscreen_forbidden_commands
5039 parameter. Specify one of the following:
5040
5041 ignore Ignore the failure of this test. Allow other tests to complete.
5042 Do not repeat this test before the result from some other test
5043 expires. This option is useful for testing and collecting statistics
5044 without blocking mail permanently.
5045
5046 enforce
5047 Allow other tests to complete. Reject attempts to deliver mail
5048 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
5049 mation. Repeat this test the next time the client connects.
5050
5051 drop Drop the connection immediately with a 521 SMTP reply. Repeat
5052 this test the next time the client connects. This action is the
5053 same as with the Postfix SMTP server's smtpd_forbidden_commands
5054 feature.
5055
5056 This feature is available in Postfix 2.8.
5057
5059 Enable "non-SMTP command" tests in the postscreen(8) server. These
5060 tests are expensive: a client must disconnect after it passes the test,
5061 before it can talk to a real Postfix SMTP server.
5062
5063 This feature is available in Postfix 2.8.
5064
5066 The amount of time that postscreen(8) will use the result from a suc‐
5067 cessful "non_smtp_command" SMTP protocol test. During this time, the
5068 client IP address is excluded from this test. The default is long
5069 because a client must disconnect after it passes the test, before it
5070 can talk to a real Postfix SMTP server.
5071
5072 Specify a non-zero time value (an integral value plus an optional
5073 one-letter suffix that specifies the time unit). Time units: s (sec‐
5074 onds), m (minutes), h (hours), d (days), w (weeks).
5075
5076 This feature is available in Postfix 2.8.
5077
5079 The action that postscreen(8) takes when a remote SMTP client sends
5080 multiple commands instead of sending one command and waiting for the
5081 server to respond. Specify one of the following:
5082
5083 ignore Ignore the failure of this test. Allow other tests to complete.
5084 Do not repeat this test before the result from some other test
5085 expires. This option is useful for testing and collecting statistics
5086 without blocking mail permanently.
5087
5088 enforce
5089 Allow other tests to complete. Reject attempts to deliver mail
5090 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
5091 mation. Repeat this test the next time the client connects.
5092
5093 drop Drop the connection immediately with a 521 SMTP reply. Repeat
5094 this test the next time the client connects.
5095
5096 This feature is available in Postfix 2.8.
5097
5099 Enable "pipelining" SMTP protocol tests in the postscreen(8) server.
5100 These tests are expensive: a good client must disconnect after it
5101 passes the test, before it can talk to a real Postfix SMTP server.
5102
5103 This feature is available in Postfix 2.8.
5104
5106 The amount of time that postscreen(8) will use the result from a suc‐
5107 cessful "pipelining" SMTP protocol test. During this time, the client
5108 IP address is excluded from this test. The default is long because a
5109 good client must disconnect after it passes the test, before it can
5110 talk to a real Postfix SMTP server.
5111
5112 Specify a non-zero time value (an integral value plus an optional
5113 one-letter suffix that specifies the time unit). Time units: s (sec‐
5114 onds), m (minutes), h (hours), d (days), w (weeks).
5115
5116 This feature is available in Postfix 2.8.
5117
5119 The number of clients that can be waiting for service from a real Post‐
5120 fix SMTP server process. When this queue is full, all clients will
5121 receive a 421 response.
5122
5123 This feature is available in Postfix 2.8.
5124
5126 The number of non-whitelisted clients that can be waiting for a deci‐
5127 sion whether they will receive service from a real Postfix SMTP server
5128 process. When this queue is full, all non-whitelisted clients will
5129 receive a 421 response.
5130
5131 This feature is available in Postfix 2.8.
5132
5134 Optional information that is appended after a 4XX or 5XX postscreen(8)
5135 server response. See smtpd_reject_footer for further details.
5136
5137 This feature is available in Postfix 2.8 and later.
5138
5140 Optional lookup table for information that is appended after a 4XX or
5141 5XX postscreen(8) server response. See smtpd_reject_footer_maps for
5142 further details.
5143
5144 This feature is available in Postfix 3.4 and later.
5145
5147 The SMTP TLS security level for the postscreen(8) server; when a
5148 non-empty value is specified, this overrides the obsolete parameters
5149 postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_secu‐
5150 rity_level for details.
5151
5152 This feature is available in Postfix 2.8 and later.
5153
5155 The name of the proxy protocol used by an optional before-postscreen
5156 proxy agent. When a proxy agent is used, this protocol conveys local
5157 and remote address and port information. Specify
5158 "postscreen_upstream_proxy_protocol = haproxy" to enable the haproxy
5159 protocol; version 2 is supported with Postfix 3.5 and later.
5160
5161 This feature is available in Postfix 2.10 and later.
5162
5164 The time limit for the proxy protocol specified with the
5165 postscreen_upstream_proxy_protocol parameter.
5166
5167 This feature is available in Postfix 2.10 and later.
5168
5170 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
5171 but do not require that clients use TLS encryption.
5172
5173 This feature is available in Postfix 2.8 and later. Preferably, use
5174 postscreen_tls_security_level instead.
5175
5177 How much time a postscreen(8) process may take to respond to a remote
5178 SMTP client command or to perform a cache operation before it is termi‐
5179 nated by a built-in watchdog timer. This is a safety mechanism that
5180 prevents postscreen(8) from becoming non-responsive due to a bug in
5181 Postfix itself or in system software. To avoid false alarms and unnec‐
5182 essary cache corruption this limit cannot be set under 10s.
5183
5184 Specify a non-zero time value (an integral value plus an optional
5185 one-letter suffix that specifies the time unit). Time units: s (sec‐
5186 onds), m (minutes), h (hours), d (days), w (weeks).
5187
5188 This feature is available in Postfix 2.8.
5189
5191 A list of local postscreen(8) server IP addresses where a
5192 non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
5193 whitelist status. This status is required before the client can talk to
5194 a Postfix SMTP server process. By default, a client can obtain
5195 postscreen(8)'s whitelist status on any local postscreen(8) server IP
5196 address.
5197
5198 When postscreen(8) listens on both primary and backup MX addresses, the
5199 postscreen_whitelist_interfaces parameter can be configured to give the
5200 temporary whitelist status only when a client connects to a primary MX
5201 address. Once a client is whitelisted it can talk to a Postfix SMTP
5202 server on any address. Thus, clients that connect only to backup MX
5203 addresses will never become whitelisted, and will never be allowed to
5204 talk to a Postfix SMTP server process.
5205
5206 Specify a list of network addresses or network/netmask patterns, sepa‐
5207 rated by commas and/or whitespace. The netmask specifies the number of
5208 bits in the network part of a host address. Continue long lines by
5209 starting the next line with whitespace.
5210
5211 You can also specify "/file/name" or "type:table" patterns. A
5212 "/file/name" pattern is replaced by its contents; a "type:table" lookup
5213 table is matched when a table entry matches a lookup string (the lookup
5214 result is ignored).
5215
5216 The list is matched left to right, and the search stops on the first
5217 match. Specify "!pattern" to exclude an address or network block from
5218 the list.
5219
5220 Note: IP version 6 address information must be specified inside [] in
5221 the postscreen_whitelist_interfaces value, and in files specified with
5222 "/file/name". IP version 6 addresses contain the ":" character, and
5223 would otherwise be confused with a "type:table" pattern.
5224
5225 Example:
5226
5227 /etc/postfix/main.cf:
5228 # Don't whitelist connections to the backup IP address.
5229 postscreen_whitelist_interfaces = !168.100.189.8, static:all
5230
5231 This feature is available in Postfix 2.9 and later.
5232
5234 The message delivery contexts where the Postfix local(8) delivery agent
5235 prepends a Delivered-To: message header with the address that the mail
5236 was delivered to. This information is used for mail delivery loop
5237 detection.
5238
5239 By default, the Postfix local delivery agent prepends a Delivered-To:
5240 header when forwarding mail and when delivering to file (mailbox) and
5241 command. Turning off the Delivered-To: header when forwarding mail is
5242 not recommended.
5243
5244 Specify zero or more of forward, file, or command.
5245
5246 Example:
5247
5248 prepend_delivered_header = forward
5249
5251 The process ID of a Postfix command or daemon process.
5252
5254 The location of Postfix PID files relative to $queue_directory. This
5255 is a read-only parameter.
5256
5258 The process name of a Postfix command or daemon process.
5259
5261 What address lookup tables copy an address extension from the lookup
5262 key to the lookup result.
5263
5264 For example, with a virtual(5) mapping of "joe@example.com =>
5265 joe.user@example.net", the address "joe+foo@example.com" would rewrite
5266 to "joe.user+foo@example.net".
5267
5268 Specify zero or more of canonical, virtual, alias, forward, include or
5269 generic. These cause address extension propagation with canonical(5),
5270 virtual(5), and aliases(5) maps, with local(8) .forward and :include:
5271 file lookups, and with smtp(8) generic maps, respectively.
5272
5273 Note: enabling this feature for types other than canonical and virtual
5274 is likely to cause problems when mail is forwarded to other sites,
5275 especially with mail that is sent to a mailing list exploder address.
5276
5277 Examples:
5278
5279 propagate_unmatched_extensions = canonical, virtual, alias,
5280 forward, include
5281 propagate_unmatched_extensions = canonical, virtual
5282
5284 The network interface addresses that this mail system receives mail on
5285 by way of a proxy or network address translation unit.
5286
5287 This feature is available in Postfix 2.0 and later.
5288
5289 You must specify your "outside" proxy/NAT addresses when your system is
5290 a backup MX host for other domains, otherwise mail delivery loops will
5291 happen when the primary MX host is down.
5292
5293 Example:
5294
5295 proxy_interfaces = 1.2.3.4
5296
5298 The lookup tables that the proxymap(8) server is allowed to access for
5299 the read-only service.
5300
5301 Specify zero or more "type:name" lookup tables, separated by whitespace
5302 or comma. Table references that don't begin with proxy: are ignored.
5303
5304 This feature is available in Postfix 2.0 and later.
5305
5307 The lookup tables that the proxymap(8) server is allowed to access for
5308 the read-write service. Postfix-owned local database files should be
5309 stored under the Postfix-owned data_directory. Table references that
5310 don't begin with proxy: are ignored.
5311
5312 This feature is available in Postfix 2.5 and later.
5313
5315 The name of the proxymap read-only table lookup service. This service
5316 is normally implemented by the proxymap(8) daemon.
5317
5318 This feature is available in Postfix 2.6 and later.
5319
5321 The name of the proxywrite read-write table lookup service. This ser‐
5322 vice is normally implemented by the proxymap(8) daemon.
5323
5324 This feature is available in Postfix 2.6 and later.
5325
5327 The minimal delay between warnings that a specific destination is clog‐
5328 ging up the Postfix active queue. Specify 0 to disable.
5329
5330 This feature is enabled with the helpful_warnings parameter.
5331
5332 This feature is available in Postfix 2.0 and later.
5333
5335 How much time a Postfix queue manager process may take to handle a
5336 request before it is terminated by a built-in watchdog timer.
5337
5338 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5339 The default time unit is s (seconds).
5340
5341 This feature is available in Postfix 2.8 and later.
5342
5344 Obsolete feature: the percentage of delivery resources that a busy mail
5345 system will use up for delivery of a large mailing list message.
5346
5347 This feature exists only in the oqmgr(8) old queue manager. The current
5348 queue manager solves the problem in a better way.
5349
5351 The time limit for the queue manager to send or receive information
5352 over an internal communication channel. The purpose is to break out of
5353 deadlock situations. If the time limit is exceeded the software either
5354 retries or aborts the operation.
5355
5356 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5357 The default time unit is s (seconds).
5358
5359 This feature is available in Postfix 2.8 and later.
5360
5362 The maximal number of messages in the active queue.
5363
5365 The maximal number of recipients held in memory by the Postfix queue
5366 manager, and the maximal size of the short-term, in-memory "dead" des‐
5367 tination status cache.
5368
5370 The minimal number of in-memory recipients for any message. This takes
5371 priority over any other in-memory recipient limits (i.e., the global
5372 qmgr_message_recipient_limit and the per transport _recipient_limit) if
5373 necessary. The minimum value allowed for this parameter is 1.
5374
5376 What remote QMQP clients are allowed to connect to the Postfix QMQP
5377 server port.
5378
5379 By default, no client is allowed to use the service. This is because
5380 the QMQP server will relay mail to any destination.
5381
5382 Specify a list of client patterns. A list pattern specifies a host
5383 name, a domain name, an internet address, or a network/mask pattern,
5384 where the mask specifies the number of bits in the network part. When
5385 a pattern specifies a file name, its contents are substituted for the
5386 file name; when a pattern is a "type:table" table specification, table
5387 lookup is used instead.
5388
5389 Patterns are separated by whitespace and/or commas. In order to reverse
5390 the result, precede a pattern with an exclamation point (!). The form
5391 "!/file/name" is supported only in Postfix version 2.4 and later.
5392
5393 Pattern matching of domain names is controlled by the presence or
5394 absence of "qmqpd_authorized_clients" in the parent_domain_matches_sub‐
5395 domains parameter value.
5396
5397 Example:
5398
5399 qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
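The address-pattern list syntax shared by postscreen_whitelist_interfaces and qmqpd_authorized_clients above (comma/whitespace separation, "!pattern" exclusion, network/netmask patterns, IPv6 inside [], first match wins), as an added Python model that is not Postfix code. Host and domain name patterns and "/file/name" inclusion are left out; "type:table" entries go to a caller-supplied lookup that by default treats only static: tables as matching every key.

```python
# Added example (not part of postconf(5) or Postfix): matches an address
# against an address-pattern list of the kind used by
# postscreen_whitelist_interfaces and qmqpd_authorized_clients.
# Not modelled: host/domain-name patterns and "/file/name" inclusion.
import ipaddress
import re
from typing import Callable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Pattern = Tuple[bool, Union[Network, str]]   # (negated, network or "type:table")


def parse_address_patterns(setting: str) -> List[Pattern]:
    patterns: List[Pattern] = []
    for item in re.split(r"[,\s]+", setting.strip()):
        if not item:
            continue
        negated = item.startswith("!")       # "!pattern" excludes
        if negated:
            item = item[1:]
        if item.startswith("["):
            # IPv6 must be written as [addr] or [addr]/prefix; without the
            # brackets its ':' characters would look like a type:table pattern.
            close = item.index("]")
            network = ipaddress.ip_network(item[1:close] + item[close + 1:],
                                           strict=False)
        elif ":" in item:
            patterns.append((negated, item))  # "type:table" lookup pattern
            continue
        else:
            network = ipaddress.ip_network(item, strict=False)
        patterns.append((negated, network))
    return patterns


def _default_table_lookup(table: str, key: str) -> bool:
    # static: tables return the same result for every key, so they match all.
    return table.startswith("static:")


def address_matches(patterns: List[Pattern], address: str,
                    table_lookup: Callable[[str, str], bool] = _default_table_lookup
                    ) -> bool:
    """Left-to-right search; the first matching pattern decides. A negated
    pattern excludes the address; no match at all means 'not listed'."""
    addr = ipaddress.ip_address(address)
    for negated, pattern in patterns:
        if isinstance(pattern, str):
            hit = table_lookup(pattern, address)
        else:
            hit = addr.version == pattern.version and addr in pattern
        if hit:
            return not negated
    return False
```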
5400
5402 Enable logging of the remote QMQP client port in addition to the host‐
5403 name and IP address. The logging format is "host[address]:port".
5404
5405 This feature is available in Postfix 2.5 and later.
5406
5408 How long the Postfix QMQP server will pause before sending a negative
5409 reply to the remote QMQP client. The purpose is to slow down confused
5410 or malicious clients.
5411
5412 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5413 The default time unit is s (seconds).
5414
5416 The time limit for sending or receiving information over the network.
5417 If a read or write operation blocks for more than $qmqpd_timeout sec‐
5418 onds the Postfix QMQP server gives up and disconnects.
5419
5420 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5421 The default time unit is s (seconds).
5422
5424 The location of the Postfix top-level queue directory. This is the root
5425 directory of Postfix daemon processes that run chrooted.
5426
5428 The maximal number of (name=value) attributes that may be stored in a
5429 Postfix queue file. The limit is enforced by the cleanup(8) server.
5430
5431 This feature is available in Postfix 2.0 and later.
5432
5434 The minimal amount of free space in bytes in the queue file system that
5435 is needed to receive mail. This is currently used by the Postfix SMTP
5436 server to decide if it will accept any mail at all.
5437
5438 By default, the Postfix SMTP server rejects MAIL FROM commands when the
5439 amount of free space is less than 1.5*$message_size_limit (Postfix ver‐
5440 sion 2.1 and later). To specify a higher minimum free space limit,
5441 specify a queue_minfree value that is at least 1.5*$message_size_limit.
5442
5443 With Postfix versions 2.0 and earlier, a queue_minfree value of zero
5444 means there is no minimum required amount of free space.
5445
5447 The time between deferred queue scans by the queue manager; prior to
5448 Postfix 2.4 the default value was 1000s.
5449
5450 This parameter should be set less than or equal to $minimal_back‐
5451 off_time. See also $maximal_backoff_time.
5452
5453 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5454 The default time unit is s (seconds).
5455
5457 The name of the qmgr(8) service. This service manages the Postfix queue
5458 and schedules delivery requests.
5459
5460 This feature is available in Postfix 2.0 and later.
5461
5463 Optional lookup tables with RBL response templates. The tables are
5464 indexed by the RBL domain name. By default, Postfix uses the default
5465 template as specified with the default_rbl_reply configuration parame‐
5466 ter. See there for a discussion of the syntax of RBL reply templates.
5467
5468 This feature is available in Postfix 2.0 and later.
5469
5471 The location of Postfix README files that describe how to build, con‐
5472 figure or operate a specific Postfix subsystem or feature.
5473
5475 Enable or disable recipient validation, built-in content filtering, or
5476 address mapping. Typically, these are specified in master.cf as com‐
5477 mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
5478
5479 Specify zero or more of the following options. The options override
5480 main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
5481 pickup(8) themselves, or they are forwarded to the cleanup server.
5482
5483 no_unknown_recipient_checks
5484 Do not try to reject unknown recipients (SMTP server only).
5485 This is typically specified AFTER an external content filter.
5486
5487 no_address_mappings
5488 Disable canonical address mapping, virtual alias map expansion,
5489 address masquerading, and automatic BCC (blind carbon-copy)
5490 recipients. This is typically specified BEFORE an external con‐
5491 tent filter.
5492
5493 no_header_body_checks
5494 Disable header/body_checks. This is typically specified AFTER an
5495 external content filter.
5496
5497 no_milters
5498 Disable Milter (mail filter) applications. This is typically
5499 specified AFTER an external content filter.
5500
5501 Note: when the "BEFORE content filter" receive_override_options setting
5502 is specified in the main.cf file, specify the "AFTER content filter"
5503 receive_override_options setting in master.cf (and vice versa).
5504
5505 Examples:
5506
5507 receive_override_options =
5508 no_unknown_recipient_checks, no_header_body_checks
5509 receive_override_options = no_address_mappings
5510
5511 This feature is available in Postfix 2.1 and later.
5512
5514 Optional BCC (blind carbon-copy) address lookup tables, indexed by
5515 recipient address. The BCC address (multiple results are not sup‐
5516 ported) is added when mail enters from outside of Postfix.
5517
5518 Specify zero or more "type:name" lookup tables, separated by whitespace
5519 or comma. Tables will be searched in the specified order until a match
5520 is found.
5521
5522 The table search order is as follows:
5523
5524 · Look up the "user+extension@domain.tld" address including the
5525 optional address extension.
5526
5527 · Look up the "user@domain.tld" address without the optional
5528 address extension.
5529
5530 · Look up the "user+extension" address local part when the recipi‐
5531 ent domain equals $myorigin, $mydestination, $inet_interfaces or
5532 $proxy_interfaces.
5533
5534 · Look up the "user" address local part when the recipient domain
5535 equals $myorigin, $mydestination, $inet_interfaces or
5536 $proxy_interfaces.
5537
5538 · Look up the "@domain.tld" part.
5539
5540 Note: with Postfix 2.3 and later the BCC address is added as if it was
5541 specified with NOTIFY=NONE. The sender will not be notified when the
5542 BCC address is undeliverable, as long as all down-stream software
5543 implements RFC 3461.
5544
5545 Note: with Postfix 2.2 and earlier the sender will unconditionally be
5546 notified when the BCC address is undeliverable.
5547
5548 Note: automatic BCC recipients are produced only for new mail. To
5549 avoid mailer loops, automatic BCC recipients are not generated after
5550 Postfix forwards mail internally, or after Postfix generates mail
5551 itself.
5552
5553 Example:
5554
5555 recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
5556
5557 After a change, run "postmap /etc/postfix/recipient_bcc".
5558
5559 This feature is available in Postfix 2.1 and later.
5560
5562 What addresses are subject to recipient_canonical_maps address mapping.
5563 By default, recipient_canonical_maps address mapping is applied to
5564 envelope recipient addresses, and to header recipient addresses.
5565
5566 Specify one or more of: envelope_recipient, header_recipient
5567
5568 This feature is available in Postfix 2.2 and later.
5569
5571 Optional address mapping lookup tables for envelope and header recipi‐
5572 ent addresses. The table format and lookups are documented in canoni‐
5573 cal(5).
5574
5575 Note: $recipient_canonical_maps is processed before $canonical_maps.
5576
5577 Example:
5578
5579 recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
5580
5582 The set of characters that can separate a user name from its extension
5583 (example: user+foo), or a .forward file name from its extension (exam‐
5584 ple: .forward+foo). Basically, the software tries user+foo and .for‐
5585 ward+foo before trying user and .forward. This implementation recog‐
5586 nizes one delimiter character and one extension per email address or
5587 .forward file name.
5588
5589 When the recipient_delimiter set contains multiple characters (Postfix
5590 2.11 and later), a user name or .forward file name is separated from
5591 its extension by the first character that matches the recipient_delim‐
5592 iter set.
5593
5594 See canonical(5), local(8), relocated(5) and virtual(5) for the effects
5595 of recipient_delimiter on lookups in aliases, canonical, virtual, and
5596 relocated maps, and see the propagate_unmatched_extensions parameter
5597 for propagating an extension from one email address to another.
5598
5599 When used in command_execution_directory, forward_path, or luser_relay,
5600 ${recipient_delimiter} is replaced with the actual recipient delimiter
5601 that was found in the recipient email address (Postfix 2.11 and later),
5602 or it is replaced with the main.cf recipient_delimiter parameter value
5603 (Postfix 2.10 and earlier).
5604
5605 The recipient_delimiter is not applied to the mailer-daemon address,
5606 the postmaster address, or the double-bounce address. With the default
5607 "owner_request_special = yes" setting, the recipient_delimiter is also
5608 not applied to addresses with the special "owner-" prefix or the spe‐
5609 cial "-request" suffix.
5610
5611 Examples:
5612
5613 # Handle Postfix-style extensions.
5614 recipient_delimiter = +
5615
5616 # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
5617 recipient_delimiter = +-
5618
5619 # Use .forward for mail without address extension, and for mail with
5620 # an unrecognized address extension.
5621 forward_path = $home/.forward${recipient_delimiter}${extension},
5622 $home/.forward
5623
5625 The numerical Postfix SMTP server response code when a remote SMTP
5626 client request is rejected by the "reject" restriction.
5627
5628 Do not change this unless you have a complete understanding of RFC
5629 5321.
5630
5632 The Postfix SMTP server's action when a reject-type restriction fails
5633 due to a temporary error condition. Specify "defer" to defer the remote
5634 SMTP client request immediately. With the default "defer_if_permit"
5635 action, the Postfix SMTP server continues to look for opportunities to
5636 reject mail, and defers the client request only if it would otherwise
5637 be accepted.
5638
5639 For finer control, see: unverified_recipient_tempfail_action, unveri‐
5640 fied_sender_tempfail_action, unknown_address_tempfail_action, and
5641 unknown_helo_hostname_tempfail_action.
5642
5643 This feature is available in Postfix 2.6 and later.
5644
5646 List of tables with remote SMTP client-certificate fingerprints or pub‐
5647 lic key fingerprints (Postfix 2.9 and later) for which the Postfix SMTP
5648 server will allow access with the permit_tls_clientcerts feature. The
5649 fingerprint digest algorithm is configurable via the smtpd_tls_finger‐
5650 print_digest parameter (hard-coded as md5 prior to Postfix version
5651 2.5).
5652
5653 Postfix lookup tables are in the form of (key, value) pairs. Since we
5654 only need the key, the value can be chosen freely, e.g. the name of
5655 the user or host:
5656 D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
5657
5658 Example:
5659
5660 relay_clientcerts = hash:/etc/postfix/relay_clientcerts
5661
5662 For more fine-grained control, use check_ccert_access to select an
5663 appropriate access(5) policy for each client. See RESTRIC‐
5664 TION_CLASS_README.
5665
5666 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
5667 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
5668 later.
5669
5670 This feature is available with Postfix version 2.2.
5671
5673 relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)
5674 The maximal number of parallel deliveries to the same destination via
5675 the relay message delivery transport. This limit is enforced by the
5676 queue manager. The message delivery transport name is the first field
5677 in the entry in the master.cf file.
5678
5679 This feature is available in Postfix 2.0 and later.
5680
5682 relay_destination_recipient_limit (default: $default_destination_recipient_limit)
5683 The maximal number of recipients per message for the relay message
5684 delivery transport. This limit is enforced by the queue manager. The
5685 message delivery transport name is the first field in the entry in the
5686 master.cf file.
5687
5688 Setting this parameter to a value of 1 changes the meaning of
5689 relay_destination_concurrency_limit from concurrency per domain into
5690 concurrency per recipient.
5691
5692 This feature is available in Postfix 2.0 and later.
5693
5695 What destination domains (and subdomains thereof) this system will
5696 relay mail to. For details about how the relay_domains value is used,
5697 see the description of the permit_auth_destination and
5698 reject_unauth_destination SMTP recipient restrictions.
5699
5700 Domains that match $relay_domains are delivered with the $relay_trans‐
5701 port mail delivery transport. The SMTP server validates recipient
5702 addresses with $relay_recipient_maps and rejects non-existent recipi‐
5703 ents. See also the relay domains address class in the
5704 ADDRESS_CLASS_README file.
5705
5706 Note: Postfix will not automatically forward mail for domains that list
5707 this system as their primary or backup MX host. See the per‐
5708 mit_mx_backup restriction in the postconf(5) manual page.
5709
5710 Specify a list of host or domain names, "/file/name" patterns or
5711 "type:table" lookup tables, separated by commas and/or whitespace.
5712 Continue long lines by starting the next line with whitespace. A
5713 "/file/name" pattern is replaced by its contents; a "type:table" lookup
5714 table is matched when a (parent) domain appears as lookup key. Specify
5715 "!pattern" to exclude a domain from the list. The form "!/file/name" is
5716 supported only in Postfix version 2.4 and later.
5717
5718 Pattern matching of domain names is controlled by the presence or
5719 absence of "relay_domains" in the parent_domain_matches_subdomains
5720 parameter value.
5721
5723 The numerical Postfix SMTP server response code when a client request
5724 is rejected by the reject_unauth_destination recipient restriction.
5725
5726 Do not change this unless you have a complete understanding of RFC
5727 5321.
5728
5730 Optional lookup tables with all valid addresses in the domains that
5731 match $relay_domains. Specify @domain as a wild-card for domains that
5732 have no valid recipient list, and become a source of backscatter mail:
5733 Postfix accepts spam for non-existent recipients and then floods inno‐
5734 cent people with undeliverable mail. Technically, tables listed with
5735 $relay_recipient_maps are used as lists: Postfix needs to know only if
5736 a lookup string is found or not, but it does not use the result from
5737 table lookup.
5738
5739 Specify zero or more "type:name" lookup tables, separated by whitespace
5740 or comma. Tables will be searched in the specified order until a match
5741 is found.
5742
5743 If this parameter is non-empty, then the Postfix SMTP server will
5744 reject mail to unknown relay users. This feature is off by default.
5745
5746 See also the relay domains address class in the ADDRESS_CLASS_README
5747 file.
5748
5749 Example:
5750
5751 relay_recipient_maps = hash:/etc/postfix/relay_recipients
5752
5753 This feature is available in Postfix 2.0 and later.
5754
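The relay_domains matching rules and the relay_recipient_maps "used as a list" check described above, as an added example (not Postfix code and not from the man page): a small decision function that makes visible why an empty relay_recipient_maps turns a backup MX into a backscatter source. It assumes relay_domains is given as plain domain names and "!pattern" exclusions, that subdomain matching follows parent_domain_matches_subdomains with an explicit ".domain" entry matching subdomains when that rule is off, and that the table is searched by full address and then by "@domain"; the local and virtual address classes are out of scope.

```python
"""Added example, not Postfix code: the two relay-domain checks described
in the relay_domains and relay_recipient_maps text, reduced to a decision
function.

Assumptions (labelled): relay_domains is a list of domain names and
"!pattern" exclusions, first match wins (the /file/name and type:table
forms are not modelled); subdomain matching follows the
parent_domain_matches_subdomains rule, with an explicit ".example.com"
entry matching subdomains when that rule is off; relay_recipient_maps is
a constructed set of keys used as a list, searched by the full address and
then by "@domain"; the surrounding restriction list is out of scope.
"""


def domain_matches(domain, pattern, parent_matches_subdomains):
    """Match one recipient domain against one relay_domains entry."""
    domain, pattern = domain.lower(), pattern.lower()
    if pattern.startswith("."):
        return domain.endswith(pattern)
    if parent_matches_subdomains:
        return domain == pattern or domain.endswith("." + pattern)
    return domain == pattern


def in_relay_domains(domain, relay_domains, parent_matches_subdomains=True):
    """Evaluate the list in order; a matching "!pattern" entry excludes."""
    for entry in relay_domains:
        negate = entry.startswith("!")
        pattern = entry[1:] if negate else entry
        if domain_matches(domain, pattern, parent_matches_subdomains):
            return not negate
    return False


def relay_recipient_check(recipient, relay_domains, relay_recipient_maps,
                          parent_matches_subdomains=True):
    """Decision for a recipient that would be delivered via $relay_domains.

    "reject_unauth_destination"  the domain is not in relay_domains
    "accept"                     relay domain and recipient listed, or the
                                 feature is off (every recipient passes:
                                 the backscatter case)
    "reject_unknown_relay_user"  relay domain, recipient not listed
    """
    localpart, _, domain = recipient.rpartition("@")
    if not localpart or not domain:
        return "reject_unauth_destination"
    if not in_relay_domains(domain, relay_domains, parent_matches_subdomains):
        return "reject_unauth_destination"
    if not relay_recipient_maps:
        return "accept"
    keys = (recipient.lower(), "@" + domain.lower())
    if any(key in relay_recipient_maps for key in keys):
        return "accept"
    return "reject_unknown_relay_user"


# Constructed sample configuration (not from any real site).
RELAY_DOMAINS = ["!blocked.example.net", "example.net", "partner.example"]
RELAY_RECIPIENTS = {"alice@example.net", "bob@sales.example.net",
                    "@partner.example"}   # @partner.example: wildcard domain

if __name__ == "__main__":
    for rcpt in ("alice@example.net", "mallory@example.net",
                 "bob@sales.example.net", "x@blocked.example.net",
                 "anyone@partner.example"):
        print(rcpt, "->", relay_recipient_check(rcpt, RELAY_DOMAINS,
                                                RELAY_RECIPIENTS))
```
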
5756 The default mail delivery transport and next-hop destination for remote
5757 delivery to domains listed with $relay_domains. In order of decreasing
5758 precedence, the nexthop destination is taken from $relay_transport,
5759 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
5760 domain. This information can be overruled with the transport(5) table.
5761
5762 Specify a string of the form transport:nexthop, where transport is the
5763 name of a mail delivery transport defined in master.cf. The :nexthop
5764 destination is optional; its syntax is documented in the manual page of
5765 the corresponding delivery agent.
5766
5767 See also the relay domains address class in the ADDRESS_CLASS_README
5768 file.
5769
5770 This feature is available in Postfix 2.0 and later.
5771
5773 The next-hop destination(s) for non-local mail; overrides non-local
5774 domains in recipient addresses. This information is overruled with
5775 relay_transport, sender_dependent_default_transport_maps,
5776 default_transport, sender_dependent_relayhost_maps and with the trans‐
5777 port(5) table.
5778
5779 On an intranet, specify the organizational domain name. If your inter‐
5780 nal DNS uses no MX records, specify the name of the intranet gateway
5781 host instead.
5782
5783 In the case of SMTP or LMTP delivery, specify one or more destinations
5784 in the form of a domain name, hostname, hostname:port, [hostname]:port,
5785 [hostaddress] or [hostaddress]:port, separated by comma or whitespace.
5786 The form [hostname] turns off MX lookups. Multiple destinations are
5787 supported in Postfix 3.5 and later.
5788
5789 If you're connected via UUCP, see the UUCP_README file for useful
5790 information.
5791
5792 Examples:
5793
5794 relayhost = $mydomain
5795 relayhost = [gateway.example.com]
5796 relayhost = mail1.example:587, mail2.example:587
5797 relayhost = [an.ip.add.ress]
5798
5800 Optional lookup tables with new contact information for users or
5801 domains that no longer exist. The table format and lookups are docu‐
5802 mented in relocated(5).
5803
5804 Specify zero or more "type:name" lookup tables, separated by whitespace
5805 or comma. Tables will be searched in the specified order until a match
5806 is found.
5807
5808 If you use this feature, run "postmap /etc/postfix/relocated" to build
5809 the necessary DBM or DB file after change, then "postfix reload" to
5810 make the changes visible.
5811
5812 Examples:
5813
5814 relocated_maps = dbm:/etc/postfix/relocated
5815 relocated_maps = hash:/etc/postfix/relocated
5816
5818 Don't rewrite message headers from remote clients at all when this
5819 parameter is empty; otherwise, rewrite message headers and append the
5820 specified domain name to incomplete addresses. The local_header_re‐
5821 write_clients parameter controls what clients Postfix considers local.
5822
5823 Examples:
5824
5825 The safe setting: append "domain.invalid" to incomplete header
5826 addresses from remote SMTP clients, so that those addresses cannot be
5827 confused with local addresses.
5828
5829 remote_header_rewrite_domain = domain.invalid
5830
5831 The default, purist, setting: don't rewrite headers from remote clients
5832 at all.
5833
5834 remote_header_rewrite_domain =
5835
5837 Require that a local(8) recipient's home directory exists before mail
5838 delivery is attempted. By default this test is disabled. It can be
5839 useful for environments that import home directories to the mail server
5840 (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
5841
5843 Reset the local(8) delivery agent's idea of the owner-alias attribute,
5844 when delivering mail to a child alias that does not have its own owner
5845 alias.
5846
5847 This feature is available in Postfix 2.8 and later. With older Postfix
5848 releases, the behavior is as if this parameter is set to "yes".
5849
5850 As documented in aliases(5), when an alias name has a companion alias
5851 named owner-name, this will replace the envelope sender address, so
5852 that delivery errors will be reported to the owner alias instead of the
5853 sender. This configuration is recommended for mailing lists.
5854
5855 A less known property of the owner alias is that it also forces the
5856 local(8) delivery agent to write local and remote addresses from alias
5857 expansion to a new queue file, instead of attempting to deliver mail to
5858 local addresses as soon as they come out of alias expansion.
5859
5860 Writing local addresses from alias expansion to a new queue file allows
5861 for robust handling of temporary delivery errors: errors with one local
5862 member have no effect on deliveries to other members of the list. On
5863 the other hand, delivery to local addresses as soon as they come out of
5864 alias expansion is fragile: a temporary error with one local address
5865 from alias expansion will cause the entire alias to be expanded repeat‐
5866 edly until the error goes away, or until the message expires in the
5867 queue. In that case, a problem with one list member results in multi‐
5868 ple message deliveries to other list members.
5869
5870 The default behavior of Postfix 2.8 and later is to keep the
5871 owner-alias attribute of the parent alias, when delivering mail to a
5872 child alias that does not have its own owner alias. Then, local
5873 addresses from that child alias will be written to a new queue file,
5874 and a temporary error with one local address will not affect delivery
5875 to other mailing list members.
5876
5877 Unfortunately, older Postfix releases reset the owner-alias attribute
5878 when delivering mail to a child alias that does not have its own owner
5879 alias. To be precise, this resets only the decision to create a new
5880 queue file, not the decision to override the envelope sender address.
5881 The local(8) delivery agent then attempts to deliver local addresses as
5882 soon as they come out of child alias expansion. If delivery to any
5883 address from child alias expansion fails with a temporary error condi‐
5884 tion, the entire mailing list may be expanded repeatedly until the mail
5885 expires in the queue, resulting in multiple deliveries of the same mes‐
5886 sage to mailing list members.
5887
5889 Resolve a recipient address safely instead of correctly, by looking
5890 inside quotes.
5891
5892 By default, the Postfix address resolver does not quote the address
5893 localpart as per RFC 822, so that additional @ or % or ! operators
5894 remain visible. This behavior is safe but it is also technically incor‐
5895 rect.
5896
5897 If you specify "resolve_dequoted_address = no", then the Postfix
5898 resolver will not know about additional @ etc. operators in the address
5899 localpart. This opens opportunities for obscure mail relay attacks with
5900 user@domain@domain addresses when Postfix provides backup MX service
5901 for Sendmail systems.
5902
5904 Resolve an address that ends in the "@" null domain as if the local
5905 hostname were specified, instead of rejecting the address as invalid.
5906
5907 This feature is available in Postfix 2.1 and later. Earlier versions
5908 always resolve the null domain as the local hostname.
5909
5910 The Postfix SMTP server uses this feature to reject mail from or to
5911 addresses that end in the "@" null domain, and from addresses that re‐
5912 write into a form that ends in the "@" null domain.
5913
5915 Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
5916 the address as invalid.
5917
5918 This feature is available in Postfix 2.3 and later.
5919
5921 The name of the address rewriting service. This service rewrites
5922 addresses to standard form and resolves them to a (delivery method,
5923 next-hop host, recipient) triple.
5924
5925 This feature is available in Postfix 2.0 and later.
5926
5928 The name of the directory with example Postfix configuration files.
5929 Starting with Postfix 2.1, these files have been replaced with the
5930 postconf(5) manual page.
5931
5933 When authenticating to a remote SMTP or LMTP server with the default
5934 setting "no", send no SASL authoriZation ID (authzid); send only the
5935 SASL authentiCation ID (authcid) plus the authcid's password.
5936
5937 The non-default setting "yes" enables the behavior of older Postfix
5938 versions. These always send a SASL authzid that is equal to the SASL
5939 authcid, but this causes interoperability problems with some SMTP
5940 servers.
5941
5942 This feature is available in Postfix 2.4.4 and later.
5943
5945 This parameter should not be used. It was replaced by sender_depen‐
5946 dent_relayhost_maps in Postfix version 2.3.
5947
5949 Optional BCC (blind carbon-copy) address lookup tables, indexed by
5950 sender address. The BCC address (multiple results are not supported)
5951 is added when mail enters from outside of Postfix.
5952
5953 Specify zero or more "type:name" lookup tables, separated by whitespace
5954 or comma. Tables will be searched in the specified order until a match
5955 is found.
5956
5957 The table search order is as follows:
5958
5959 · Look up the "user+extension@domain.tld" address including the
5960 optional address extension.
5961
5962 · Look up the "user@domain.tld" address without the optional
5963 address extension.
5964
5965 · Look up the "user+extension" address local part when the sender
5966 domain equals $myorigin, $mydestination, $inet_interfaces or
5967 $proxy_interfaces.
5968
5969 · Look up the "user" address local part when the sender domain
5970 equals $myorigin, $mydestination, $inet_interfaces or
5971 $proxy_interfaces.
5972
5973 · Look up the "@domain.tld" part.
5974
5975 Note: with Postfix 2.3 and later the BCC address is added as if it was
5976 specified with NOTIFY=NONE. The sender will not be notified when the
5977 BCC address is undeliverable, as long as all down-stream software
5978 implements RFC 3461.
5979
5980 Note: with Postfix 2.2 and earlier the sender will be notified when the
5981 BCC address is undeliverable.
5982
5983 Note: automatic BCC recipients are produced only for new mail. To
5984 avoid mailer loops, automatic BCC recipients are not generated after
5985 Postfix forwards mail internally, or after Postfix generates mail
5986 itself.
5987
5988 Example:
5989
5990 sender_bcc_maps = hash:/etc/postfix/sender_bcc
5991
5992 After a change, run "postmap /etc/postfix/sender_bcc".
5993
5994 This feature is available in Postfix 2.1 and later.
5995
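The five-step sender_bcc_maps search order listed above, applied to a constructed table, as an added example (not Postfix code). A plain dict stands in for the "type:name" table, a constructed set stands in for $myorigin/$mydestination/$inet_interfaces/$proxy_interfaces, keys are lowercased for simplicity, and the extension is recognised at the first recipient_delimiter character.

```python
"""Added example, not Postfix code: the sender_bcc_maps lookup order
described in the text, applied to a constructed table.

Assumptions (labelled): a dict stands in for the lookup table; LOCAL_DOMAINS
is a constructed stand-in for $myorigin, $mydestination, $inet_interfaces
and $proxy_interfaces; keys are compared lowercased; the extension is
recognised at the first recipient_delimiter character.
"""

LOCAL_DOMAINS = {"example.com", "mail.example.com"}      # constructed


def bcc_lookup_keys(sender, local_domains, recipient_delimiter="+"):
    """Return the lookup keys in the order sender_bcc_maps tries them."""
    sender = sender.lower()
    if "@" not in sender:
        return []
    localpart, domain = sender.rsplit("@", 1)
    user, ext = localpart, None
    for i, ch in enumerate(localpart):
        if i > 0 and ch in recipient_delimiter:
            user, ext = localpart[:i], localpart[i + 1:]
            break
    keys = []
    if ext is not None:
        keys.append(f"{localpart}@{domain}")   # 1. user+extension@domain.tld
    keys.append(f"{user}@{domain}")            # 2. user@domain.tld
    if domain in local_domains:                # 3./4. only for local domains
        if ext is not None:
            keys.append(localpart)             # 3. user+extension
        keys.append(user)                      # 4. user
    keys.append(f"@{domain}")                  # 5. @domain.tld
    return keys


def sender_bcc(sender, table, local_domains, recipient_delimiter="+"):
    """First matching key wins; None means no BCC recipient is added."""
    for key in bcc_lookup_keys(sender, local_domains, recipient_delimiter):
        if key in table:
            return table[key]
    return None


# Constructed sender_bcc table (what /etc/postfix/sender_bcc might hold).
SENDER_BCC = {
    "ceo@example.com": "archive-ceo@example.com",
    "sales+promo@example.com": "promo-audit@example.com",
    "auditor": "compliance@example.com",
    "@example.com": "archive@example.com",
}

if __name__ == "__main__":
    for s in ("sales+promo@example.com", "ceo+weekly@example.com",
              "auditor@mail.example.com", "auditor@other.example"):
        print(s, "->", sender_bcc(s, SENDER_BCC, LOCAL_DOMAINS))
```
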
5997 What addresses are subject to sender_canonical_maps address mapping.
5998 By default, sender_canonical_maps address mapping is applied to enve‐
5999 lope sender addresses, and to header sender addresses.
6000
6001 Specify one or more of: envelope_sender, header_sender
6002
6003 This feature is available in Postfix 2.2 and later.
6004
6006 Optional address mapping lookup tables for envelope and header sender
6007 addresses. The table format and lookups are documented in canoni‐
6008 cal(5).
6009
6010 Example: you want to rewrite the SENDER address "user@ugly.domain" to
6011 "user@pretty.domain", while still being able to send mail to the RECIP‐
6012 IENT address "user@ugly.domain".
6013
6014 Note: $sender_canonical_maps is processed before $canonical_maps.
6015
6016 Example:
6017
6018 sender_canonical_maps = hash:/etc/postfix/sender_canonical
6019
6021 A sender-dependent override for the global default_transport parameter
6022 setting. The tables are searched by the envelope sender address and
6023 @domain. A lookup result of DUNNO terminates the search without over‐
6024 riding the global default_transport parameter setting. This informa‐
6025 tion is overruled with the transport(5) table.
6026
6027 Specify zero or more "type:name" lookup tables, separated by whitespace
6028 or comma. Tables will be searched in the specified order until a match
6029 is found.
6030
6031 Note: this overrides default_transport, not transport_maps, and there‐
6032 fore the expected syntax is that of default_transport, not the syntax
6033 of transport_maps. Specifically, this does not support the trans‐
6034 port_maps syntax for null transport, null nexthop, or null email
6035 addresses.
6036
6037 For safety reasons, this feature does not allow $number substitutions
6038 in regular expression maps.
6039
6040 This feature is available in Postfix 2.7 and later.
6041
6043 A sender-dependent override for the global relayhost parameter setting.
6044 The tables are searched by the envelope sender address and @domain. A
6045 lookup result of DUNNO terminates the search without overriding the
6046 global relayhost parameter setting (Postfix 2.6 and later). This infor‐
6047 mation is overruled with relay_transport, sender_depen‐
6048 dent_default_transport_maps, default_transport and with the trans‐
6049 port(5) table.
6050
6051 Specify zero or more "type:name" lookup tables, separated by whitespace
6052 or comma. Tables will be searched in the specified order until a match
6053 is found.
6054
6055 For safety reasons, this feature does not allow $number substitutions
6056 in regular expression maps.
6057
6058 This feature is available in Postfix 2.3 and later.
6059
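The next-hop precedence stated in the relay_transport text (relay_transport, then sender_dependent_relayhost_maps, then relayhost, then the recipient domain) together with the DUNNO rule of sender_dependent_relayhost_maps, as an added example that is neither Postfix code nor from the man page. It assumes a dict-backed table searched by full envelope sender and then "@domain", and leaves the transport(5) override out.

```python
"""Added example, not Postfix code: choosing the next hop for a recipient
in $relay_domains, following the precedence stated in the relay_transport
text, with the DUNNO semantics of sender_dependent_relayhost_maps.

Assumptions (labelled): the sender-dependent table is a constructed dict
searched by the full envelope sender, then by "@domain"; a DUNNO result
stops that search without overriding relayhost; transport(5) is not
modelled; keys are compared lowercased.
"""


def lookup_sender_dependent(sender, table):
    """Search by envelope sender, then @domain.  Returns (found, value)."""
    sender = sender.lower()
    keys = [sender]
    if "@" in sender:
        keys.append("@" + sender.rsplit("@", 1)[1])
    for key in keys:
        if key in table:
            value = table[key]
            if value.upper() == "DUNNO":
                return False, None    # stop: keep the global setting
            return True, value
    return False, None


def resolve_relay_nexthop(sender, recipient, relay_transport, relayhost,
                          sender_dependent_relayhost_maps):
    """Return (transport, nexthop) for a recipient in $relay_domains."""
    transport, _, nexthop = relay_transport.partition(":")
    if nexthop:
        return transport, nexthop                       # 1. relay_transport
    found, value = lookup_sender_dependent(sender,
                                           sender_dependent_relayhost_maps)
    if found:
        return transport, value                         # 2. sender-dependent
    if relayhost:
        return transport, relayhost                     # 3. relayhost
    return transport, recipient.rsplit("@", 1)[1]       # 4. recipient domain


# Constructed sender_dependent_relayhost table.
SDRM = {
    "noreply@example.com": "DUNNO",                     # use global relayhost
    "@example.com": "[smtp-out.example.com]:587",
}

if __name__ == "__main__":
    for s in ("alice@example.com", "noreply@example.com", "x@other.example"):
        print(s, "->", resolve_relay_nexthop(s, "bob@partner.example",
                                             "relay", "[gateway.example.com]",
                                             SDRM))
```
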
6061 Controls how the Postfix sendmail command converts email message line
6062 endings from <CR><LF> into UNIX format (<LF>).
6063
6064 always Always convert message lines ending in <CR><LF>. This setting is
6065 the default with Postfix 2.9 and later.
6066
6067 strict Convert message lines ending in <CR><LF> only if the first input
6068 line ends in <CR><LF>. This setting is backwards-compatible with
6069 Postfix 2.8 and earlier.
6070
6071 never Never convert message lines ending in <CR><LF>. This setting
6072 exists for completeness only.
6073
6074 This feature is available in Postfix 2.9 and later.
6075
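The three sendmail_fix_line_endings settings applied to a submitted message, as an added example (not Postfix code): it shows the strict mode's dependence on the first input line. It assumes a line is everything up to and including a <LF>, and that text after the last <LF> has no line ending to convert.

```python
"""Added example, not Postfix code: the always/strict/never conversion of
<CR><LF> line endings described for sendmail_fix_line_endings.

Assumptions (labelled): a line ends at <LF>; it "ends in <CR><LF>" when
the byte before that <LF> is <CR>; text after the last <LF> is left as is.
"""


def fix_line_endings(message, mode="always"):
    """Return `message` (bytes) with <CR><LF> converted to <LF> per mode.

    always: convert every line ending in <CR><LF> (default, Postfix 2.9+)
    strict: convert only when the FIRST input line ends in <CR><LF>,
            otherwise leave the whole message untouched (2.8 behaviour)
    never:  no conversion at all
    """
    if mode not in ("always", "strict", "never"):
        raise ValueError(f"unknown sendmail_fix_line_endings value: {mode}")
    if mode == "never":
        return message
    lines = message.split(b"\n")
    tail = lines.pop()            # text after the last <LF>: no ending to fix
    if mode == "strict" and (not lines or not lines[0].endswith(b"\r")):
        return message
    fixed = [line[:-1] if line.endswith(b"\r") else line for line in lines]
    fixed.append(tail)
    return b"\n".join(fixed)


if __name__ == "__main__":
    sample = b"Subject: hi\r\n\r\nbody\r\n"          # constructed input
    for mode in ("always", "strict", "never"):
        print(mode, fix_line_endings(sample, mode))
```
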
6077 A Sendmail compatibility feature that specifies the location of the
6078 Postfix sendmail(1) command. This command can be used to submit mail
6079 into the Postfix queue.
6080
6082 The master.cf service name of a Postfix daemon process. This can be
6083 used to distinguish the logging from different services that use the
6084 same program name.
6085
6086 Example master.cf entries:
6087
6088 # Distinguish inbound MTA logging from submission and smtps logging.
6089 smtp inet n - n - - smtpd
6090 submission inet n - n - - smtpd
6091 -o syslog_name=postfix/$service_name
6092 smtps inet n - n - - smtpd
6093 -o syslog_name=postfix/$service_name
6094
6095 # Distinguish outbound MTA logging from inbound relay logging.
6096 smtp unix - - n - - smtp
6097 relay unix - - n - - smtp
6098 -o syslog_name=postfix/$service_name
6099
6101 How long the Postfix master(8) waits before forking a server that
6102 appears to be malfunctioning.
6103
6104 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6105 The default time unit is s (seconds).
6106
6108 The group ownership of set-gid Postfix commands and of group-writable
6109 Postfix directories. When this parameter value is changed you need to
6110 re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
6111 "/etc/postfix/post-install set-permissions").
6112
6114 The location of Postfix dynamically-linked libraries (libpostfix-*.so),
6115 and the default location of Postfix database plugins (postfix-*.so)
6116 that have a relative pathname in the dynamicmaps.cf file. The
6117 shlib_directory parameter defaults to "no" when Postfix dynami‐
6118 cally-linked libraries and database plugins are disabled at compile
6119 time, otherwise it typically defaults to /usr/lib/postfix or
6120 /usr/local/lib/postfix.
6121
6122 Notes:
6123
6124 · The directory specified with shlib_directory should contain only
6125 Postfix-related files. Postfix dynamically-linked libraries and
6126 database plugins should not be installed in a "public" system
6127 directory such as /usr/lib or /usr/local/lib. Linking Postfix
6128 dynamically-linked library files or database plugins into
6129 non-Postfix programs is not supported. Postfix dynami‐
6130 cally-linked libraries and database plugins implement a Post‐
6131 fix-internal API that changes without maintaining compatibility.
6132
6133 · You can change the shlib_directory value after Postfix is built.
6134 However, you may have to run ldconfig or equivalent to prevent
6135 Postfix programs from failing because the libpostfix-*.so files
6136 are not found. No ldconfig command is needed if you keep the
6137 libpostfix-*.so files in the compiled-in default $shlib_direc‐
6138 tory location.
6139
6140 This feature is available in Postfix 3.0 and later.
6141
6143 Display the name of the recipient table in the "User unknown"
6144 responses. The extra detail makes troubleshooting easier but also
6145 reveals information that is nobody else's business.
6146
6147 This feature is available in Postfix 2.0 and later.
6148
6150 The name of the showq(8) service. This service produces mail queue sta‐
6151 tus reports.
6152
6153 This feature is available in Postfix 2.0 and later.
6154
6156 The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6157 will try first, when a destination has IPv6 and IPv4 addresses with
6158 equal MX preference. This feature has no effect unless the inet_proto‐
6159 cols setting enables both IPv4 and IPv6.
6160
6161 Postfix SMTP client address preference has evolved. With Postfix 2.8
6162 the default is "ipv6"; earlier implementations are hard-coded to prefer
6163 IPv6 over IPv4.
6164
6165 Notes for mail delivery between sites that have both IPv4 and IPv6 con‐
6166 nectivity:
6167
6168 · The setting "smtp_address_preference = ipv6" is unsafe. It can
6169 fail to deliver mail when there is an outage that affects IPv6,
6170 while the destination is still reachable over IPv4.
6171
6172 · The setting "smtp_address_preference = any" is safe. With this,
6173 mail will eventually be delivered even if there is an outage
6174 that affects IPv6 or IPv4, as long as it does not affect both.
6175
6176 This feature is available in Postfix 2.8 and later.
6177
6179 In the context of email address verification, the SMTP protocol stage
6180 that determines whether an email address is deliverable. Specify one
6181 of "rcpt" or "data". The latter is needed with remote SMTP servers
6182 that reject recipients after the DATA command. Use transport_maps to
6183 apply this feature selectively:
6184
6185 /etc/postfix/main.cf:
6186 transport_maps = hash:/etc/postfix/transport
6187
6188 /etc/postfix/transport:
6189 smtp-domain-that-verifies-after-data smtp-data-target:
6190 lmtp-domain-that-verifies-after-data lmtp-data-target:
6191
6192 /etc/postfix/master.cf:
6193 smtp-data-target unix - - n - - smtp
6194 -o smtp_address_verify_target=data
6195 lmtp-data-target unix - - n - - lmtp
6196 -o lmtp_address_verify_target=data
6197
6198 Unselective use of the "data" target does no harm, but will result in
6199 unnecessary "lost connection after DATA" events at remote SMTP/LMTP
6200 servers.
6201
6202 This feature is available in Postfix 3.0 and later.
6203
6205 Always send EHLO at the start of an SMTP session.
6206
6207 With "smtp_always_send_ehlo = no", the Postfix SMTP client sends EHLO
6208 only when the word "ESMTP" appears in the server greeting banner (exam‐
6209 ple: 220 spike.porcupine.org ESMTP Postfix).
6210
6212 When a remote destination resolves to a combination of IPv4 and IPv6
6213 addresses, ensure that the Postfix SMTP client can try both address
6214 types before it runs into the smtp_mx_address_limit.
6215
6216 This avoids an interoperability problem when a destination resolves to
6217 primarily IPv6 addresses, the smtp_mx_address_limit feature eliminates
6218 most or all IPv4 addresses, and the destination is not reachable over
6219 IPv6.
6220
6221 This feature is available in Postfix 3.3 and later.
6222
6224 An optional numerical network address that the Postfix SMTP client
6225 should bind to when making an IPv4 connection.
6226
6227 This can be specified in the main.cf file for all SMTP clients, or it
6228 can be specified in the master.cf file for a specific client, for exam‐
6229 ple:
6230
6231 /etc/postfix/master.cf:
6232 smtp ... smtp -o smtp_bind_address=11.22.33.44
6233
6234 Note 1: when inet_interfaces specifies no more than one IPv4 address,
6235 and that address is a non-loopback address, it is automatically used as
6236 the smtp_bind_address. This supports virtual IP hosting, but can be a
6237 problem on multi-homed firewalls. See the inet_interfaces documentation
6238 for more detail.
6239
6240 Note 2: address information may be enclosed inside [], but this form is
6241 not required here.
6242
6244 An optional numerical network address that the Postfix SMTP client
6245 should bind to when making an IPv6 connection.
6246
6247 This feature is available in Postfix 2.2 and later.
6248
6249 This can be specified in the main.cf file for all SMTP clients, or it
6250 can be specified in the master.cf file for a specific client, for exam‐
6251 ple:
6252
6253 /etc/postfix/master.cf:
6254 smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6255
6256 Note 1: when inet_interfaces specifies no more than one IPv6 address,
6257 and that address is a non-loopback address, it is automatically used as
6258 the smtp_bind_address6. This supports virtual IP hosting, but can be a
6259 problem on multi-homed firewalls. See the inet_interfaces documentation
6260 for more detail.
6261
6262 Note 2: address information may be enclosed inside [], but this form is
6263 not recommended here.
6264
6266 Restricted body_checks(5) tables for the Postfix SMTP client. These
6267 tables are searched while mail is being delivered. Actions that change
6268 the delivery time or destination are not available.
6269
6270 This feature is available in Postfix 2.5 and later.
6271
6273 When the remote SMTP servername is a DNS CNAME, replace the servername
6274 with the result from CNAME expansion for the purpose of logging, SASL
6275 password lookup, TLS policy decisions, or TLS certificate verification.
6276 The value "no" hardens Postfix smtp_tls_per_site hostname-based poli‐
6277 cies against false hostname information in DNS CNAME records, and makes
6278 SASL password file lookups more predictable. This is the default set‐
6279 ting as of Postfix 2.3.
6280
6281 When DNS CNAME records are validated with secure DNS lookups
6282 (smtp_dns_support_level = dnssec), they are always allowed to override
6283 the above servername (Postfix 2.11 and later).
6284
6285 This feature is available in Postfix 2.2.9 and later.
6286
6288 The Postfix SMTP client time limit for completing a TCP connection, or
6289 zero (use the operating system built-in time limit).
6290
6291 When no connection can be made within the deadline, the Postfix SMTP
6292 client tries the next address on the mail exchanger list. Specify 0 to
6293 disable the time limit (i.e. use whatever timeout is implemented by the
6294 operating system).
6295
6296 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6297 The default time unit is s (seconds).
6298
6300 Permanently enable SMTP connection caching for the specified destina‐
6301 tions. With SMTP connection caching, a connection is not closed imme‐
6302 diately after completion of a mail transaction. Instead, the connec‐
6303 tion is kept open for up to $smtp_connection_cache_time_limit seconds.
6304 This allows connections to be reused for other deliveries, and can
6305 improve mail delivery performance.
6306
6307 Specify a comma or white space separated list of destinations or
6308 pseudo-destinations:
6309
6310 · if mail is sent without a relay host: a domain name (the
6311 right-hand side of an email address, without the [] around a
6312 numeric IP address),
6313
6314 · if mail is sent via a relay host: a relay host name (without []
6315 or non-default TCP port), as specified in main.cf or in the
6316 transport map,
6317
6318 · if mail is sent via a UNIX-domain socket: a pathname (without
6319 the unix: prefix),
6320
6321 · a /file/name with domain names and/or relay host names as
6322 defined above,
6323
6324 · a "type:table" with domain names and/or relay host names on the
6325 left-hand side. The right-hand side result from "type:table"
6326 lookups is ignored.
6327
6328 This feature is available in Postfix 2.2 and later.
6329
6331 Temporarily enable SMTP connection caching while a destination has a
6332 high volume of mail in the active queue. With SMTP connection caching,
6333 a connection is not closed immediately after completion of a mail
6334 transaction. Instead, the connection is kept open for up to $smtp_con‐
6335 nection_cache_time_limit seconds. This allows connections to be reused
6336 for other deliveries, and can improve mail delivery performance.
6337
6338 This feature is available in Postfix 2.2 and later.
6339
6341 When SMTP connection caching is enabled, the amount of time that an
6342 unused SMTP client socket is kept open before it is closed. Do not
6343 specify larger values without permission from the remote sites.
6344
6345 This feature is available in Postfix 2.2 and later.
6346
6348 When SMTP connection caching is enabled, the number of times that an
6349 SMTP session may be reused before it is closed, or zero (no limit).
6350 With a reuse count limit of N, a connection is used up to N+1 times.
6351
6352 NOTE: This feature is unsafe. When a high-volume destination has multi‐
6353 ple inbound MTAs, then the slowest inbound MTA will attract the most
6354 connections to that destination. This limitation does not exist with
6355 the smtp_connection_reuse_time_limit feature.
6356
6357 This feature is available in Postfix 2.11.
6358
6360 The amount of time during which Postfix will use an SMTP connection
6361 repeatedly. The timer starts when the connection is initiated (i.e. it
6362 includes the connect, greeting and helo latency, in addition to the
6363 latencies of subsequent mail delivery transactions).
6364
6365 This feature addresses a performance stability problem with remote SMTP
6366 servers. This problem is not specific to Postfix: it can happen when
6367 any MTA sends large amounts of SMTP email to a site that has multiple
6368 MX hosts.
6369
6370 The problem starts when one of a set of MX hosts becomes slower than
6371 the rest. Even though SMTP clients connect to fast and slow MX hosts
6372 with equal probability, the slow MX host ends up with more simultaneous
6373 inbound connections than the faster MX hosts, because the slow MX host
6374 needs more time to serve each client request.
6375
6376 The slow MX host becomes a connection attractor. If one MX host
6377 becomes N times slower than the rest, it dominates mail delivery
6378 latency unless there are more than N fast MX hosts to counter the
6379 effect. And if the number of MX hosts is smaller than N, the mail
6380 delivery latency becomes effectively that of the slowest MX host
6381 divided by the total number of MX hosts.
6382
6383 The solution uses connection caching in a way that differs from Postfix
6384 version 2.2. By limiting the amount of time during which a connection
6385 can be used repeatedly (instead of limiting the number of deliveries
6386 over that connection), Postfix not only restores fairness in the dis‐
6387 tribution of simultaneous connections across a set of MX hosts, it also
6388 favors deliveries over connections that perform well, which is exactly
6389 what we want.
6390
6391 The default reuse time limit, 300s, is comparable to the various smtp
6392 transaction timeouts which are fair estimates of maximum excess latency
6393 for a slow delivery. Note that hosts may accept thousands of messages
6394 over a single connection within the default connection reuse time
6395 limit. This number is much larger than the default Postfix version 2.2
6396 limit of 10 messages per cached connection. It may prove necessary to
6397 lower the limit to avoid interoperability issues with MTAs that exhibit
6398 bugs when many messages are delivered via a single connection. A lower
6399 reuse time limit risks losing the benefit of connection reuse when the
6400 average connection and mail delivery latency exceeds the reuse time
6401 limit.
6402
6403 This feature is available in Postfix 2.3 and later.
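The connection-attractor argument above can be made concrete with a small model. This is an added example, not Postfix code: one delivery slot picks MX hosts round-robin (a deterministic stand-in for equal-probability selection), pays a host's latency once for connection setup and once per delivery, and reuses each connection either for a fixed number of messages (the Postfix 2.2 style limit) or for a fixed time window (smtp_connection_reuse_time_limit); the latencies, limits and horizon are made-up values.

```python
import itertools

# Constructed latencies in seconds: two fast MX hosts and one 20x slower host.
MX_LATENCY = {"mx1": 1.0, "mx2": 1.0, "mx3": 20.0}


def simulate(latencies, horizon, policy, limit):
    """Deliveries per MX host for one delivery slot over `horizon` seconds.

    policy == "count": reuse a connection for at most `limit` deliveries
                       (the Postfix 2.2 style limit of N messages per connection).
    policy == "time":  reuse a connection only while it is younger than `limit`
                       seconds, measured from connection setup, the way
                       smtp_connection_reuse_time_limit works.
    Each host costs its latency once for connect/greeting/EHLO and once per
    delivery transaction; hosts are chosen round-robin (a deterministic
    stand-in for equal-probability selection).
    """
    if policy not in ("count", "time"):
        raise ValueError(f"unknown policy {policy!r}")
    deliveries = {host: 0 for host in latencies}
    hosts = itertools.cycle(latencies)
    now = 0.0
    while now < horizon:
        host = next(hosts)
        latency = latencies[host]
        opened = now
        now += latency            # connect, greeting and EHLO
        count = 0
        while now < horizon:
            if policy == "count" and count >= limit:
                break
            if policy == "time" and now - opened >= limit:
                break
            now += latency        # one MAIL/RCPT/DATA transaction
            count += 1
        deliveries[host] += count
    return deliveries


def slow_host_share(deliveries, slow_host):
    """Fraction of all deliveries that went to the slow host."""
    total = sum(deliveries.values())
    return deliveries[slow_host] / total if total else 0.0


if __name__ == "__main__":
    by_count = simulate(MX_LATENCY, 3600, "count", 10)
    by_time = simulate(MX_LATENCY, 3600, "time", 300)
    for label, result in (("10 msgs/conn", by_count), ("300s/conn", by_time)):
        print(f"{label:>13}: {result}, total={sum(result.values())}, "
              f"slow share={slow_host_share(result, 'mx3'):.1%}")
```

With the count limit every connection carries the same ten messages, so the slow host keeps a third of the deliveries while eating most of the slot's time; with the time limit the slot delivers several times more mail in the same hour and the slow host's share collapses.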
6404
6406 The Postfix SMTP client time limit for sending the SMTP ".", and for
6407 receiving the remote SMTP server response.
6408
6409 When no response is received within the deadline, a warning is logged
6410 that the mail may be delivered multiple times.
6411
6412 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6413 The default time unit is s (seconds).
6414
6416 The Postfix SMTP client time limit for sending the SMTP DATA command,
6417 and for receiving the remote SMTP server response.
6418
6419 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6420 The default time unit is s (seconds).
6421
6423 The Postfix SMTP client time limit for sending the SMTP message con‐
6424 tent. When the connection makes no progress for more than
6425 $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates the
6426 transfer.
6427
6428 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6429 The default time unit is s (seconds).
6430
6432 Defer mail delivery when no MX record resolves to an IP address.
6433
6434 The default (no) is to return the mail as undeliverable. With older
6435 Postfix versions the default was to keep trying to deliver the mail
6436 until someone fixed the MX record or until the mail was too old.
6437
6438 Note: the Postfix SMTP client always ignores MX records with equal or
6439 worse preference than the local MTA itself.
6440
6441 This feature is available in Postfix 2.1 and later.
6442
6444 Optional filter for the smtp(8) delivery agent to change the delivery
6445 status code or explanatory text of successful or unsuccessful deliver‐
6446 ies. See default_delivery_status_filter for details.
6447
6448 NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6449 sages that may or may not be derived from remote SMTP server responses.
6450 In contrast, the smtp_reply_filter feature modifies remote SMTP server
6451 responses only.
6452
6454 smtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)
6455 The maximal number of parallel deliveries to the same destination via
6456 the smtp message delivery transport. This limit is enforced by the
6457 queue manager. The message delivery transport name is the first field
6458 in the entry in the master.cf file.
6459
6461 smtp_destination_recipient_limit (default: $default_destination_recipient_limit)
6462 The maximal number of recipients per message for the smtp message
6463 delivery transport. This limit is enforced by the queue manager. The
6464 message delivery transport name is the first field in the entry in the
6465 master.cf file.
6466
6467 Setting this parameter to a value of 1 changes the meaning of smtp_des‐
6468 tination_concurrency_limit from concurrency per domain into concurrency
6469 per recipient.
6470
6472 Lookup tables, indexed by the remote SMTP server address, with case
6473 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
6474 that the Postfix SMTP client will ignore in the EHLO response from a
6475 remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6476 ble is not indexed by hostname for consistency with smtpd_dis‐
6477 card_ehlo_keyword_address_maps.
6478
6479 Specify zero or more "type:name" lookup tables, separated by whitespace
6480 or comma. Tables will be searched in the specified order until a match
6481 is found.
6482
6483 This feature is available in Postfix 2.2 and later.
6484
6486 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
6487 etc.) that the Postfix SMTP client will ignore in the EHLO response
6488 from a remote SMTP server.
6489
6490 This feature is available in Postfix 2.2 and later.
6491
6492 Notes:
6493
6494 · Specify the silent-discard pseudo keyword to prevent this action
6495 from being logged.
6496
6497 · Use the smtp_discard_ehlo_keyword_address_maps feature to dis‐
6498 card EHLO keywords selectively.
6499
6501 Optional filter for Postfix SMTP client DNS lookup results. Specify
6502 zero or more lookup tables. The lookup tables are searched in the
6503 given order for a match with the DNS lookup result, converted to the
6504 following form:
6505
6506 name ttl class type preference value
6507
6508 The class field is always "IN", the preference field exists only for MX
6509 records, the names of hosts, domains, etc. end in ".", and those names
6510 are in ASCII form (xn--mumble form in the case of UTF8 names).
6511
6512 When a match is found, the table lookup result specifies an action. By
6513 default, the table query and the action name are case-insensitive.
6514 Currently, only the IGNORE action is implemented.
6515
6516 Notes:
6517
6518 · Postfix DNS reply filters have no effect on implicit DNS lookups
6519 through nsswitch.conf or equivalent mechanisms.
6520
6521 · The Postfix SMTP/LMTP client uses smtp_dns_reply_filter and
6522 lmtp_dns_reply_filter only to discover a remote SMTP or LMTP
6523 service (record types MX, A, AAAA, and TLSA). These lookups
6524 are also made to implement the features reject_unverified_sender
6525 and reject_unverified_recipient.
6526
6527 · The Postfix SMTP/LMTP client defers mail delivery when a filter
6528 removes all lookup results from a successful query.
6529
6530 · The Postfix SMTP server uses smtpd_dns_reply_filter only to look up
6531 MX, A, AAAA, and TXT records to implement the features
6532 reject_unknown_helo_hostname, reject_unknown_sender_domain,
6533 reject_unknown_recipient_domain, reject_rbl_*, and
6534 reject_rhsbl_*.
6535
6536 · The Postfix SMTP server logs a warning or defers mail delivery
6537 when a filter removes all lookup results from a successful
6538 query.
6539
6540 Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
6541 because Google sometimes hard-rejects mail from IPv6 clients with valid
6542 PTR etc. records.
6543
6544 /etc/postfix/main.cf:
6545 smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
6546
6547 /etc/postfix/smtp_dns_reply_filter:
6548 # /domain ttl IN AAAA address/ action, all case-insensitive.
6549 # Note: the domain name ends in ".".
6550 /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
6551
6552 This feature is available in Postfix 3.0 and later.
6553
6555 DNS Resolver options for the Postfix SMTP client. Specify zero or more
6556 of the following options, separated by comma or whitespace. Option
6557 names are case-sensitive. Some options refer to domain names that are
6558 specified in the file /etc/resolv.conf or equivalent.
6559
6560 res_defnames
6561 Append the current domain name to single-component names (those
6562 that do not contain a "." character). This can produce incorrect
6563 results, and is the hard-coded behavior prior to Postfix 2.8.
6564
6565 res_dnsrch
6566 Search for host names in the current domain and in parent
6567 domains. This can produce incorrect results and is therefore not
6568 recommended.
6569
6570 This feature is available in Postfix 2.8 and later.
6571
6573 Level of DNS support in the Postfix SMTP client. With "smtp_dns_sup‐
6574 port_level" left at its empty default value, the legacy "dis‐
6575 able_dns_lookups" parameter controls whether DNS is enabled in the
6576 Postfix SMTP client, otherwise the legacy parameter is ignored.
6577
6578 Specify one of the following:
6579
6580 disabled
6581 Disable DNS lookups. No MX lookups are performed and hostname
6582 to address lookups are unconditionally "native". This setting
6583 is not appropriate for hosts that deliver mail to the public
6584 Internet. Some obsolete how-to documents recommend disabling
6585 DNS lookups in some configurations with content_filters. This
6586 is no longer required and is strongly discouraged.
6587
6588 enabled
6589 Enable DNS lookups. Nexthop destination domains not enclosed in
6590 "[]" will be subject to MX lookups. If "dns" and "native" are
6591 included in the "smtp_host_lookup" parameter value, DNS will be
6592 queried first to resolve MX-host A records, followed by "native"
6593 lookups if no answer is found in DNS.
6594
6595 dnssec Enable DNSSEC lookups. The "dnssec" setting differs from the
6596 "enabled" setting above in the following ways:
6597
6598 · Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to
6599 request DNSSEC-validated responses. If the MX response is
6600 DNSSEC-validated the corresponding hostnames are considered val‐
6601 idated.
6602
6603 · The address lookups of validated hostnames are also validated
6604 (provided, of course, that "smtp_host_lookup" includes "dns"; see
6605 below).
6606
6607 · Temporary failures in DNSSEC-enabled hostname-to-address resolu‐
6608 tion block any "native" lookups. Additional "native" lookups
6609 only happen when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).
6610
6611 The Postfix SMTP client considers non-MX "[nexthop]" and "[nex‐
6612 thop]:port" destinations equivalent to statically-validated MX records
6613 of the form "nexthop. IN MX 0 nexthop." Therefore, with "dnssec" sup‐
6614 port turned on, validated hostname-to-address lookups apply to the nex‐
6615 thop domain of any "[nexthop]" or "[nexthop]:port" destination. This
6616 is also true for LMTP "inet:host" and "inet:host:port" destinations, as
6617 LMTP hostnames are never subject to MX lookups.
6618
6619 The "dnssec" setting is recommended only if you plan to use the dane or
6620 dane-only TLS security level, otherwise enabling DNSSEC support in
6621 Postfix offers no additional security. Postfix DNSSEC support relies
6622 on an upstream recursive nameserver that validates DNSSEC signatures.
6623 Such a DNS server will always filter out forged DNS responses, even
6624 when Postfix itself is not configured to use DNSSEC.
6625
6626 When using Postfix DANE support the "smtp_host_lookup" parameter should
6627 include "dns", as DANE is not applicable to hosts resolved via "native"
6628 lookups.
6629
6630 As mentioned above, Postfix is not a validating stub resolver; it
6631 relies on the system's configured DNSSEC-validating recursive name‐
6632 server to perform all DNSSEC validation. Since this nameserver's
6633 DNSSEC-validated responses will be fully trusted, it is strongly recom‐
6634 mended that the MTA host have a local DNSSEC-validating recursive
6635 caching nameserver listening on a loopback address, and be configured
6636 to use only this nameserver for all lookups. Otherwise, Postfix may
6637 remain subject to man-in-the-middle attacks that forge responses from
6638 the recursive nameserver.
6639
6640 DNSSEC support requires a version of Postfix compiled against a reason‐
6641 ably-modern DNS resolver(3) library that implements the RES_USE_DNSSEC
6642 and RES_USE_EDNS0 resolver options.
6643
6644 This feature is available in Postfix 2.11 and later.
6645
6647 Enforcement mode: require that remote SMTP servers use TLS encryption,
6648 and never send mail in the clear. This also requires that the remote
6649 SMTP server hostname matches the information in the remote server cer‐
6650 tificate, and that the remote SMTP server certificate was issued by a
6651 CA that is trusted by the Postfix SMTP client. If the certificate
6652 doesn't verify or the hostname doesn't match, delivery is deferred and
6653 mail stays in the queue.
6654
6655 The server hostname is matched against all names provided as dNSNames
6656 in the SubjectAlternativeName. If no dNSNames are specified, the Com‐
6657 monName is checked. The behavior may be changed with the
6658 smtp_tls_enforce_peername option.
6659
6660 This option is useful only if you are definitely sure that you will
6661 only connect to servers that support RFC 2487 _and_ that provide valid
6662 server certificates. Typical use is for clients that send all their
6663 email to a dedicated mailhub.
6664
6665 This feature is available in Postfix 2.2 and later. With Postfix 2.3
6666 and later use smtp_tls_security_level instead.
6667
6669 Optional list of relay hosts for SMTP destinations that can't be found
6670 or that are unreachable. With Postfix 2.2 and earlier this parameter is
6671 called fallback_relay.
6672
6673 By default, mail is returned to the sender when a destination is not
6674 found, and delivery is deferred when a destination is unreachable.
6675
6676 With bulk email deliveries, it can be beneficial to run the fallback
6677 relay MTA on the same host, so that it can reuse the sender IP address.
6678 This speeds up deliveries that are delayed by IP-based reputation sys‐
6679 tems (greylist, etc.).
6680
6681 The fallback relays must be SMTP destinations. Specify a domain, host,
6682 host:port, [host]:port, [address] or [address]:port; the form [host]
6683 turns off MX lookups. If you specify multiple SMTP destinations, Post‐
6684 fix will try them in the specified order.
6685
6686 To prevent mailer loops between MX hosts and fall-back hosts, Postfix
6687 version 2.2 and later will not use the fallback relays for destinations
6688 that it is an MX host for (assuming DNS lookup is turned on).
6689
6691 Optional lookup tables that perform address rewriting in the Postfix
6692 SMTP client, typically to transform a locally valid address into a
6693 globally valid address when sending mail across the Internet. This is
6694 needed when the local machine does not have its own Internet domain
6695 name, but uses something like localdomain.local instead.
6696
6697 Specify zero or more "type:name" lookup tables, separated by whitespace
6698 or comma. Tables will be searched in the specified order until a match
6699 is found.
6700
6701 The table format and lookups are documented in generic(5); examples are
6702 shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
6703 documents.
6704
6705 This feature is available in Postfix 2.2 and later.
6706
6708 Restricted header_checks(5) tables for the Postfix SMTP client. These
6709 tables are searched while mail is being delivered. Actions that change
6710 the delivery time or destination are not available.
6711
6712 This feature is available in Postfix 2.5 and later.
6713
6715 The hostname to send in the SMTP HELO or EHLO command.
6716
6717 The default value is the machine hostname. Specify a hostname or
6718 [ip.add.re.ss].
6719
6720 This information can be specified in the main.cf file for all SMTP
6721 clients, or it can be specified in the master.cf file for a specific
6722 client, for example:
6723
6724 /etc/postfix/master.cf:
6725 mysmtp ... smtp -o smtp_helo_name=foo.bar.com
6726
6727 This feature is available in Postfix 2.0 and later.
6728
6730 The Postfix SMTP client time limit for sending the HELO or EHLO com‐
6731 mand, and for receiving the initial remote SMTP server response.
6732
6733 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6734 The default time unit is s (seconds).
6735
6737 What mechanisms the Postfix SMTP client uses to look up a host's IP
6738 address. This parameter is ignored when DNS lookups are disabled (see:
6739 disable_dns_lookups and smtp_dns_support_level). The "dns" mechanism
6740 is always tried before "native" if both are listed.
6741
6742 Specify one of the following:
6743
6744 dns Hosts can be found in the DNS (preferred).
6745
6746 native Use the native naming service only (nsswitch.conf, or equivalent
6747 mechanism).
6748
6749 dns, native
6750 Use the native service for hosts not found in the DNS.
6751
6752 This feature is available in Postfix 2.1 and later.
6753
6755 The maximal length of message header and body lines that Postfix will
6756 send via SMTP. This limit does not include the <CR><LF> at the end of
6757 each line. Longer lines are broken by inserting "<CR><LF><SPACE>", to
6758 minimize the damage to MIME formatted mail.
6759
6760 The Postfix limit of 998 characters not including <CR><LF> is consis‐
6761 tent with the SMTP limit of 1000 characters including <CR><LF>. The
6762 Postfix limit was 990 with Postfix 2.8 and earlier.
6763
6765 The Postfix SMTP client time limit for sending the MAIL FROM command,
6766 and for receiving the remote SMTP server response.
6767
6768 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6769 The default time unit is s (seconds).
6770
6772 Restricted mime_header_checks(5) tables for the Postfix SMTP client.
6773 These tables are searched while mail is being delivered. Actions that
6774 change the delivery time or destination are not available.
6775
6776 This feature is available in Postfix 2.5 and later.
6777
6779 The maximal number of MX (mail exchanger) IP addresses that can result
6780 from Postfix SMTP client mail exchanger lookups, or zero (no limit).
6781 Prior to Postfix version 2.3, this limit was disabled by default.
6782
6783 This feature is available in Postfix 2.1 and later.
6784
6786 The maximal number of SMTP sessions per delivery request before the
6787 Postfix SMTP client gives up or delivers to a fall-back relay host, or
6788 zero (no limit). This restriction ignores sessions that fail to com‐
6789 plete the SMTP initial handshake (Postfix version 2.2 and earlier) or
6790 that fail to complete the EHLO and TLS handshake (Postfix version 2.3
6791 and later).
6792
6793 This feature is available in Postfix 2.1 and later.
6794
6796 Restricted nested_header_checks(5) tables for the Postfix SMTP client.
6797 These tables are searched while mail is being delivered. Actions that
6798 change the delivery time or destination are not available.
6799
6800 This feature is available in Postfix 2.5 and later.
6801
6803 Never send EHLO at the start of an SMTP session. See also the
6804 smtp_always_send_ehlo parameter.
6805
6807 Change the behavior of the smtp_*_timeout time limits, from a time
6808 limit per read or write system call, to a time limit to send or receive
6809 a complete record (an SMTP command line, SMTP response line, SMTP mes‐
6810 sage content line, or TLS protocol message). This limits the impact
6811 from hostile peers that trickle data one byte at a time.
6812
6813 Note: when per-record deadlines are enabled, a short timeout may cause
6814 problems with TLS over very slow network connections. The reasons are
6815 that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
6816 and that an entire TLS protocol message must be sent or received within
6817 the per-record deadline.
6818
6819 This feature is available in Postfix 2.9 and later. With older Postfix
6820 releases, the behavior is as if this parameter is set to "no".
6821
6823 How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
6824 order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
6825
6826 Choosing too short a time makes this workaround ineffective when send‐
6827 ing large messages over slow network connections.
6828
6830 Lookup tables, indexed by the remote SMTP server address, with per-des‐
6831 tination workarounds for CISCO PIX firewall bugs. The table is not
6832 indexed by hostname for consistency with smtp_discard_ehlo_key‐
6833 word_address_maps.
6834
6835 Specify zero or more "type:name" lookup tables, separated by whitespace
6836 or comma. Tables will be searched in the specified order until a match
6837 is found.
6838
6839 This feature is available in Postfix 2.4 and later.
6840
6842 How long a message must be queued before the Postfix SMTP client turns
6843 on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery
6844 through firewalls with "smtp fixup" mode turned on.
6845
6846 By default, the workaround is turned off for mail that is queued for
6847 less than 500 seconds. In other words, the workaround is normally
6848 turned off for the first delivery attempt.
6849
6850 Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
6851 upon the first delivery attempt.
6852
6854 A list that specifies zero or more workarounds for CISCO PIX firewall
6855 bugs. These workarounds are implemented by the Postfix SMTP client.
6856 Workaround names are separated by comma or space, and are case insensi‐
6857 tive. This parameter setting can be overruled with per-destination
6858 smtp_pix_workaround_maps settings.
6859
6860 delay_dotcrlf
6861 Insert a delay before sending ".<CR><LF>" after the end of the
6862 message content. The delay is subject to the smtp_pix_work‐
6863 around_delay_time and smtp_pix_workaround_threshold_time parame‐
6864 ter settings.
6865
6866 disable_esmtp
6867 Disable all extended SMTP commands: send HELO instead of EHLO.
6868
6869 This feature is available in Postfix 2.4 and later. The default set‐
6870 tings are backwards compatible with earlier Postfix versions.
6871
6873 The Postfix SMTP client time limit for sending the QUIT command, and
6874 for receiving the remote SMTP server response.
6875
6876 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6877 The default time unit is s (seconds).
6878
6880 Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
6881 as required by RFC 5321. This includes putting quotes around an address
6882 localpart that ends in ".".
6883
6884 The default is to comply with RFC 5321. If you have to send mail to a
6885 broken SMTP server, configure a special SMTP client in master.cf:
6886
6887 /etc/postfix/master.cf:
6888 broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
6889
6890 and route mail for the destination in question to the "broken-smtp"
6891 message delivery with a transport(5) table.
6892
6893 This feature is available in Postfix 2.1 and later.
6894
6896 Randomize the order of equal-preference MX host addresses. This is a
6897 performance feature of the Postfix SMTP client.
6898
6900 The Postfix SMTP client time limit for sending the SMTP RCPT TO com‐
6901 mand, and for receiving the remote SMTP server response.
6902
6903 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6904 The default time unit is s (seconds).
6905
6907 A mechanism to transform replies from remote SMTP servers one line at a
6908 time. This is a last-resort tool to work around server replies that
6909 break interoperability with the Postfix SMTP client. Other uses
6910 involve fault injection to test Postfix's handling of invalid
6911 responses.
6912
6913 Notes:
6914
6915 · In the case of a multi-line reply, the Postfix SMTP client uses
6916 the final reply line's numerical SMTP reply code and enhanced
6917 status code.
6918
6919 · The numerical SMTP reply code (XYZ) takes precedence over the
6920 enhanced status code (X.Y.Z). When the enhanced status code
6921 initial digit differs from the SMTP reply code initial digit, or
6922 when no enhanced status code is present, the Postfix SMTP client
6923 uses a generic enhanced status code (X.0.0) instead.
6924
6925 Specify the name of a "type:table" lookup table. The search string is a
6926 single SMTP reply line as received from the remote SMTP server, except
6927 that the trailing <CR><LF> are removed. When the lookup succeeds, the
6928 result replaces the single SMTP reply line.
6929
6930 Examples:
6931
6932 /etc/postfix/main.cf:
6933 smtp_reply_filter = pcre:/etc/postfix/reply_filter
6934
6935 /etc/postfix/reply_filter:
6936 # Transform garbage into "250-filler..." so that it looks like
6937 # one line from a multi-line reply. It does not matter what we
6938 # substitute here as long as it has the right syntax. The Postfix
6939 # SMTP client will use the final line's numerical SMTP reply
6940 # code and enhanced status code.
6941 !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
6942
6943 This feature is available in Postfix 2.7.
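Both table-driven filters described above, smtp_dns_reply_filter and smtp_reply_filter, can be exercised offline with the following added example, which is not Postfix code. It parses a small subset of the pcre: table syntax (`[!]/pattern/ result`, case-insensitive by default, any flags after the closing `/` accepted but ignored, Python `re` standing in for PCRE), renders DNS answers in the `name ttl class type preference value` form, applies the IGNORE action together with the defer-when-everything-is-removed rule, and runs reply lines through the page's garbage-to-filler rule before taking the final line's reply code and enhanced status code; the table bodies are the page's own, the hostnames, addresses and reply lines are constructed.

```python
import re

# Rule syntax modelled: [!]/pattern/[flags] result   (flags accepted, ignored)
_RULE = re.compile(r"^(!?)/(.*)/([A-Za-z]*)\s+(.*?)\s*$")
# Final SMTP reply line: 3-digit code, "-" or " ", optional X.Y.Z enhanced code.
_REPLY = re.compile(
    r"^([2-5][0-9][0-9])([- ])(?:([2-5]\.\d{1,3}\.\d{1,3})(?:\s+|$))?(.*)$")


def load_pcre_table(text):
    """Parse a pcre: table body into (negated, compiled_regex, result) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _RULE.match(line)
        if match is None:
            raise ValueError(f"unparsable pcre table line: {line!r}")
        negated, pattern, _flags, result = match.groups()
        rules.append((negated == "!", re.compile(pattern, re.IGNORECASE), result))
    return rules


def lookup(rules, key):
    """First rule whose match status agrees with its negation wins, else None."""
    for negated, regex, result in rules:
        if bool(regex.search(key)) != negated:
            return result
    return None


def dns_result_line(name, ttl, rtype, value, preference=None):
    """Render an answer as postconf(5) describes: name ttl IN type [pref] value."""
    fields = [name.rstrip(".") + ".", str(ttl), "IN", rtype]
    if rtype == "MX":
        fields.append(str(preference))
    fields.append(value)
    return " ".join(fields)


def apply_dns_reply_filter(rules, answers):
    """Drop answers whose rendered form maps to IGNORE.

    Returns (kept_answers, deferred); deferred is True when a successful query
    had every answer removed, which makes the SMTP client defer delivery.
    """
    kept = []
    for answer in answers:
        action = lookup(rules, dns_result_line(*answer))
        if action is None:
            kept.append(answer)
        elif action.upper() != "IGNORE":
            raise ValueError(f"only IGNORE is implemented, got {action!r}")
    return kept, bool(answers) and not kept


def apply_reply_filter(rules, reply_lines):
    """Rewrite each reply line (CRLF already stripped) through the table, then
    take the SMTP code and enhanced status code from the final line; a missing
    or mismatching enhanced code falls back to the generic X.0.0 form."""
    filtered = [lookup(rules, line) or line for line in reply_lines]
    match = _REPLY.match(filtered[-1])
    if match is None:
        raise ValueError(f"final reply line is not valid SMTP: {filtered[-1]!r}")
    code, _sep, enhanced, _text = match.groups()
    if enhanced is None or enhanced[0] != code[0]:
        enhanced = f"{code[0]}.0.0"
    return filtered, code, enhanced


# Table bodies taken from the page; the query data below is constructed
# (RFC 5737 / RFC 3849 documentation addresses).
DNS_FILTER = load_pcre_table(r"""
# /domain ttl IN AAAA address/ action, all case-insensitive.
/^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
""")
REPLY_FILTER = load_pcre_table(r"""
!/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
""")

MX_ANSWERS = [("google.com", 600, "MX", "aspmx.l.google.com.", 10)]
HOST_ANSWERS = [("aspmx.l.google.com", 300, "A", "192.0.2.27"),
                ("aspmx.l.google.com", 300, "AAAA", "2001:db8::27")]
```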
6944
6946 The Postfix SMTP client time limit for sending the RSET command, and
6947 for receiving the remote SMTP server response. The SMTP client sends
6948 RSET in order to finish a recipient address probe, or to verify that a
6949 cached session is still usable.
6950
6951 This feature is available in Postfix 2.1 and later.
6952
6954 An optional table to prevent repeated SASL authentication failures with
6955 the same remote SMTP server hostname, username and password. Each table
6956 (key, value) pair contains a server name, a username and password, and
6957 the full server response. This information is stored when a remote SMTP
6958 server rejects an authentication attempt with a 535 reply code. As
6959 long as the smtp_sasl_password_maps information does not change, and as
6960 long as the smtp_sasl_auth_cache_name information does not expire (see
6961 smtp_sasl_auth_cache_time) the Postfix SMTP client avoids SASL authen‐
6962 tication attempts with the same server, username and password, and
6963 instead bounces or defers mail as controlled with the
6964 smtp_sasl_auth_soft_bounce configuration parameter.
6965
6966 Use a per-destination delivery concurrency of 1 (for example,
6967 "smtp_destination_concurrency_limit = 1", "relay_destination_concur‐
6968 rency_limit = 1", etc.), otherwise multiple delivery agents may experi‐
6969 ence a login failure at the same time.
6970
6971 The table must be accessed via the proxywrite service, i.e. the map
6972 name must start with "proxy:". The table should be stored under the
6973 directory specified with the data_directory parameter.
6974
6975 This feature uses cryptographic hashing to protect plain-text pass‐
6976 words, and requires that Postfix is compiled with TLS support.
6977
6978 Example:
6979
6980 smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
6981
6982 This feature is available in Postfix 2.5 and later.
6983
6985 The maximal age of an smtp_sasl_auth_cache_name entry before it is
6986 removed.
6987
6988 This feature is available in Postfix 2.5 and later.
6989
6991 Enable SASL authentication in the Postfix SMTP client. By default, the
6992 Postfix SMTP client uses no authentication.
6993
6994 Example:
6995
6996 smtp_sasl_auth_enable = yes
6997
6999 When a remote SMTP server rejects a SASL authentication request with a
7000 535 reply code, defer mail delivery instead of returning mail as unde‐
7001 liverable. The latter behavior was hard-coded prior to Postfix version
7002 2.5.
7003
7004 Note: the setting "yes" overrides the global soft_bounce parameter, but
7005 the setting "no" does not.
7006
7007 Example:
7008
7009 # Default as of Postfix 2.5
7010 smtp_sasl_auth_soft_bounce = yes
7011 # The old hard-coded default
7012 smtp_sasl_auth_soft_bounce = no
7013
7014 This feature is available in Postfix 2.5 and later.
7015
7017 If non-empty, a Postfix SMTP client filter for the remote SMTP server's
7018 list of offered SASL mechanisms. Different client and server implemen‐
7019 tations may support different mechanism lists; by default, the Postfix
7020 SMTP client will use the intersection of the two. smtp_sasl_mecha‐
7021 nism_filter specifies an optional third mechanism list to intersect
7022 with.
7023
7024 Specify mechanism names, "/file/name" patterns or "type:table" lookup
7025 tables. The right-hand side result from "type:table" lookups is
7026 ignored. Specify "!pattern" to exclude a mechanism name from the list.
7027 The form "!/file/name" is supported only in Postfix version 2.4 and
7028 later.
7029
7030 This feature is available in Postfix 2.2 and later.
7031
7032 Examples:
7033
7034 smtp_sasl_mechanism_filter = plain, login
7035 smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
7036 smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
7037
7039 Optional Postfix SMTP client lookup tables with one username:password
7040 entry per sender, remote hostname or next-hop domain. Per-sender lookup
7041 is done only when sender-dependent authentication is enabled. If no
7042 username:password entry is found, then the Postfix SMTP client will not
7043 attempt to authenticate to the remote host.
7044
7045 The Postfix SMTP client opens the lookup table before going to chroot
7046 jail, so you can leave the password file in /etc/postfix.
7047
7048 Specify zero or more "type:name" lookup tables, separated by whitespace
7049 or comma. Tables will be searched in the specified order until a match
7050 is found.
7051
7053 Implementation-specific information that the Postfix SMTP client passes
7054 through to the SASL plug-in implementation that is selected with
7055 smtp_sasl_type. Typically this specifies the name of a configuration
7056 file or rendezvous point.
7057
7058 This feature is available in Postfix 2.3 and later.
7059
7061 Postfix SMTP client SASL security options; as of Postfix 2.3 the list
7062 of available features depends on the SASL client implementation that is
7063 selected with smtp_sasl_type.
7064
7065 The following security features are defined for the cyrus client SASL
7066 implementation:
7067
7068 Specify zero or more of the following:
7069
7070 noplaintext
7071 Disallow methods that use plaintext passwords.
7072
7073 noactive
7074 Disallow methods subject to active (non-dictionary) attack.
7075
7076 nodictionary
7077 Disallow methods subject to passive (dictionary) attack.
7078
7079 noanonymous
7080 Disallow methods that allow anonymous authentication.
7081
7082 mutual_auth
7083 Only allow methods that provide mutual authentication (not
7084 available with SASL version 1).
7085
7086 Example:
7087
7088 smtp_sasl_security_options = noplaintext
7089
7091 The SASL authentication security options that the Postfix SMTP client
7092 uses for TLS encrypted SMTP sessions.
7093
7094 This feature is available in Postfix 2.2 and later.
7095
7097 smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_security_options)
7098 The SASL authentication security options that the Postfix SMTP client
7099 uses for TLS encrypted SMTP sessions with a verified server certifi‐
7100 cate.
7101
7102 When mail is sent to the public MX host for the recipient's domain,
7103 server certificates are by default optional, and delivery proceeds even
7104 if certificate verification fails. For delivery via a submission ser‐
7105 vice that requires SASL authentication, it may be appropriate to send
7106 plaintext passwords only when the connection to the server is strongly
7107 encrypted and the server identity is verified.
7108
7109 The smtp_sasl_tls_verified_security_options parameter makes it possible
7110 to only enable plaintext mechanisms when a secure connection to the
7111 server is available. Submission servers subject to this policy must
7112 either have verifiable certificates or offer suitable non-plaintext
7113 SASL mechanisms.
7114
7115 This feature is available in Postfix 2.6 and later.
7116
7118 The SASL plug-in type that the Postfix SMTP client should use for
7119 authentication. The available types are listed with the "postconf -A"
7120 command.
7121
7122 This feature is available in Postfix 2.3 and later.
7123
7125 Whether or not to append the "AUTH=<>" option to the MAIL FROM command
7126 in SASL-authenticated SMTP sessions. The default is not to send this,
7127 to avoid problems with broken remote SMTP servers. Before Postfix 2.9
7128 the behavior is as if "smtp_send_dummy_mail_auth = yes".
7129
7130 This feature is available in Postfix 2.9 and later.
7131
7133 Send the non-standard XFORWARD command when the Postfix SMTP server
7134 EHLO response announces XFORWARD support.
7135
7136 This allows a Postfix SMTP delivery agent, used for injecting mail into
7137 a content filter, to forward the name, address, protocol and HELO name
7138 of the original client to the content filter and downstream queuing
7139 SMTP server. This can produce more useful logging than local‐
7140 host[127.0.0.1] etc.
7141
7142 This feature is available in Postfix 2.1 and later.
7143
7145 Enable sender-dependent authentication in the Postfix SMTP client; this
7146 is available only with SASL authentication, and disables SMTP connec‐
7147 tion caching to ensure that mail from different senders will use the
7148 appropriate credentials.
7149
7150 This feature is available in Postfix 2.3 and later.
7151
7153 Skip SMTP servers that greet with a 4XX status code (go away, try again
7154 later).
7155
7156 By default, the Postfix SMTP client moves on to the next mail exchanger.
7157 Specify "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
7158 immediately.
7159
7160 This feature is available in Postfix 2.0 and earlier. Later Postfix
7161 versions always skip remote SMTP servers that greet with a 4XX status
7162 code.
7163
7165 Skip remote SMTP servers that greet with a 5XX status code.
7166
7167 By default, the Postfix SMTP client moves on to the next mail exchanger.
7168 Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
7169 immediately. Caution: the latter behavior appears to contradict RFC
7170 2821.
7171
7173 Do not wait for the response to the SMTP QUIT command.
7174
7176 Time limit for Postfix SMTP client write and read operations during TLS
7177 startup and shutdown handshake procedures.
7178
7179 This feature is available in Postfix 2.2 and later.
7180
7182 The default TCP port that the Postfix SMTP client connects to. Specify
7183 a symbolic name (see services(5)) or a numeric port.
7184
7186 A file containing CA certificates of root CAs trusted to sign either
7187 remote SMTP server certificates or intermediate CA certificates. These
7188 are loaded into memory before the smtp(8) client enters the chroot
7189 jail. If the number of trusted roots is large, consider using
7190 smtp_tls_CApath instead, but note that the latter directory must be
7191 present in the chroot jail if the smtp(8) client is chrooted. This file
7192 may also be used to augment the client certificate trust chain, but it
7193 is best to include all the required certificates directly in
7194 $smtp_tls_cert_file (or, Postfix >= 3.4 $smtp_tls_chain_files).
7195
7196 Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use ONLY the
7197 system-supplied default Certification Authority certificates.
7198
7199 Specify "tls_append_default_CA = no" to prevent Postfix from appending
7200 the system-supplied default CAs and trusting third-party certificates.
7201
7202 Example:
7203
7204 smtp_tls_CAfile = /etc/postfix/CAcert.pem
7205
7206 This feature is available in Postfix 2.2 and later.
7207
7209 Directory with PEM format Certification Authority certificates that the
7210 Postfix SMTP client uses to verify a remote SMTP server certificate.
7211 Don't forget to create the necessary "hash" links with, for example,
7212 "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
7213
7214 To use this option in chroot mode, this directory (or a copy) must be
7215 inside the chroot jail.
7216
7217 Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY
7218 the system-supplied default Certification Authority certificates.
7219
7220 Specify "tls_append_default_CA = no" to prevent Postfix from appending
7221 the system-supplied default CAs and trusting third-party certificates.
7222
7223 Example:
7224
7225 smtp_tls_CApath = /etc/postfix/certs
7226
7227 This feature is available in Postfix 2.2 and later.
7228
7230 Try to detect a mail hijacking attack based on a TLS protocol vulnera‐
7231 bility (CVE-2009-3555), where an attacker prepends malicious HELO,
7232 MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. The
7233 attack would succeed with non-Postfix SMTP servers that reply to the
7234 malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix
7235 SMTP client TLS session.
7236
7237 This feature is available in Postfix 2.7.
7238
7240 File with the Postfix SMTP client RSA certificate in PEM format. This
7241 file may also contain the Postfix SMTP client private RSA key, and
7242 these may be the same as the Postfix SMTP server RSA certificate and
7243 key file. With Postfix >= 3.4 the preferred way to configure client
7244 keys and certificates is via the "smtp_tls_chain_files" parameter.
7245
7246 Do not configure client certificates unless you must present client TLS
7247 certificates to one or more servers. Client certificates are not usu‐
7248 ally needed, and can cause problems in configurations that work well
7249 without them. The recommended setting is to let the defaults stand:
7250
7251 smtp_tls_cert_file =
7252 smtp_tls_key_file =
7253 smtp_tls_eccert_file =
7254 smtp_tls_eckey_file =
7255 # Obsolete DSA parameters
7256 smtp_tls_dcert_file =
7257 smtp_tls_dkey_file =
7258 # Postfix >= 3.4 interface
7259 smtp_tls_chain_files =
7260
7261 The best way to use the default settings is to comment out the above
7262 parameters in main.cf if present.
7263
7264 To enable remote SMTP servers to verify the Postfix SMTP client cer‐
7265 tificate, the issuing CA certificates must be made available to the
7266 server. You should include the required certificates in the client cer‐
7267 tificate file, the client certificate first, then the issuing CA(s)
7268 (bottom-up order).
7269
7270 Example: the certificate for "client.example.com" was issued by "inter‐
7271 mediate CA" which itself has a certificate issued by "root CA". As the
7272 "root" super-user create the client.pem file with:
7273
7274 # umask 077
7275 # cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem
7276
7277 If you also want to verify remote SMTP server certificates issued by
7278 these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
7279 which case it is not necessary to have them in the smtp_tls_cert_file,
7280 smtp_tls_dcert_file (obsolete) or smtp_tls_eccert_file.
7281
7282 A certificate supplied here must be usable as an SSL client certificate
7283 and hence pass the "openssl verify -purpose sslclient ..." test.
7284
7285 Example:
7286
7287 smtp_tls_cert_file = /etc/postfix/chain.pem
7288
7289 This feature is available in Postfix 2.2 and later.
7290
7292 List of one or more PEM files, each holding one or more private keys
7293 directly followed by a corresponding certificate chain. The file names
7294 are separated by commas and/or whitespace. This parameter obsoletes
7295 the legacy algorithm-specific key and certificate file settings. When
7296 this parameter is non-empty, the legacy parameters are ignored, and a
7297 warning is logged if any are also non-empty.
7298
7299 With the proliferation of multiple private key algorithms, which as of
7300 OpenSSL 1.1.1 include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448, it
7301 is increasingly impractical to use separate parameters to configure the
7302 key and certificate chain for each algorithm. Therefore, Postfix now
7303 supports storing multiple keys and corresponding certificate chains in
7304 a single file or in a set of files.
7305
7306 Each key must appear immediately before the corresponding certificate,
7307 optionally followed by additional issuer certificates that complete the
7308 certificate chain for that key. When multiple files are specified,
7309 they are equivalent to a single file that is concatenated from those
7310 files in the given order. Thus, while a key must always precede its
7311 certificate and issuer chain, it can be in a separate file, so long as
7312 that file is listed immediately before the file that holds the corre‐
7313 sponding certificate chain. Once all the files are concatenated, the
7314 sequence of PEM objects must be: key1, cert1, [chain1], key2, cert2,
7315 [chain2], ..., keyN, certN, [chainN].
7316
7317 Storing the private key in the same file as the corresponding certifi‐
7318 cate is more reliable. With the key and certificate in separate files,
7319 there is a chance that during key rollover a Postfix process might load
7320 a private key and certificate from separate files that don't match.
7321 Various operational errors may even result in a persistent broken con‐
7322 figuration in which the certificate does not match the private key.
7323
7324 The file or files must contain at most one key of each type. If, for
7325 example, two or more RSA keys and corresponding chains are listed,
7326 depending on the version of OpenSSL either only the last one will be
7327 used or a configuration error may be detected. Note that while
7328 "Ed25519" and "Ed448" are considered separate algorithms, the various
7329 ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
7330 considered as different parameters of a single "ECDSA" algorithm, so it
7331 is not presently possible to configure keys for more than one ECDSA
7332 curve.
7333
7334 Example (separate files for each key and corresponding certificate
7335 chain):
7336
7337 /etc/postfix/main.cf:
7338 smtp_tls_chain_files =
7339 ${config_directory}/ed25519.pem,
7340 ${config_directory}/ed448.pem,
7341 ${config_directory}/rsa.pem
7342
7343 /etc/postfix/ed25519.pem:
7344 -----BEGIN PRIVATE KEY-----
7345 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
7346 -----END PRIVATE KEY-----
7347 -----BEGIN CERTIFICATE-----
7348 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
7349 ...
7350 nC0egv51YPDWxEHom4QA
7351 -----END CERTIFICATE-----
7352
7353 /etc/postfix/ed448.pem:
7354 -----BEGIN PRIVATE KEY-----
7355 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
7356 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
7357 -----END PRIVATE KEY-----
7358 -----BEGIN CERTIFICATE-----
7359 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
7360 ...
7361 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
7362 -----END CERTIFICATE-----
7363
7364 /etc/postfix/rsa.pem:
7365 -----BEGIN PRIVATE KEY-----
7366 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
7367 ...
7368 ahQkZ3+krcaJvDSMgvu0tDc=
7369 -----END PRIVATE KEY-----
7370 -----BEGIN CERTIFICATE-----
7371 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
7372 ...
7373 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
7374 -----END CERTIFICATE-----
7375
7376 Example (all keys and certificates in a single file):
7377
7378 /etc/postfix/main.cf:
7379 smtp_tls_chain_files = ${config_directory}/chains.pem
7380
7381 /etc/postfix/chains.pem:
7382 -----BEGIN PRIVATE KEY-----
7383 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
7384 -----END PRIVATE KEY-----
7385 -----BEGIN CERTIFICATE-----
7386 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
7387 ...
7388 nC0egv51YPDWxEHom4QA
7389 -----END CERTIFICATE-----
7390 -----BEGIN PRIVATE KEY-----
7391 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
7392 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
7393 -----END PRIVATE KEY-----
7394 -----BEGIN CERTIFICATE-----
7395 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
7396 ...
7397 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
7398 -----END CERTIFICATE-----
7399 -----BEGIN PRIVATE KEY-----
7400 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
7401 ...
7402 ahQkZ3+krcaJvDSMgvu0tDc=
7403 -----END PRIVATE KEY-----
7404 -----BEGIN CERTIFICATE-----
7405 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
7406 ...
7407 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
7408 -----END CERTIFICATE-----
7409
7410 This feature is available in Postfix 3.4 and later.
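
As an added example (not Postfix code), here is a small Python lint for the PEM layout described above: it concatenates the listed files in order, checks that every key is immediately followed by its certificate (and optional issuer chain), rejects encrypted keys, and reports a second key of the same algorithm, treating every ECDSA curve as the one "ECDSA" algorithm. The algorithm is read from the PKCS#8 PrivateKeyInfo header with a minimal DER reader (no external library), so the constructed sample input can reuse the Ed25519 and Ed448 keys shown above; the RSA key and all certificates are cut to their first line, which is enough because only headers are inspected. The function names (check_chain_files, pkcs8_algorithm, key_algorithm) and the problem messages are this example's own.

```python
import base64
import re

# Added example, not Postfix code: lint the PEM layout that smtp_tls_chain_files
# expects (key1, cert1, [chain1], key2, cert2, ..., one key per algorithm).
_OID_TO_ALG = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10040.4.1": "DSA",
    "1.2.840.10045.2.1": "ECDSA",  # every curve counts as the single "ECDSA" algorithm
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}
_LEGACY_LABELS = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "ECDSA", "DSA PRIVATE KEY": "DSA"}
_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag and length; return (tag, length, offset of the value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos

def _decode_oid(raw):
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def pkcs8_algorithm(body):
    """Algorithm of an unencrypted PKCS#8 "PRIVATE KEY" block; only the
    PrivateKeyInfo header is read, so a truncated body still decodes."""
    der = base64.b64decode("".join(body.split()))
    tag, _, pos = _tlv(der, 0)            # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    _, length, pos = _tlv(der, pos)       # version INTEGER, skipped
    _, _, pos = _tlv(der, pos + length)   # AlgorithmIdentifier ::= SEQUENCE
    tag, length, pos = _tlv(der, pos)     # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    oid = _decode_oid(der[pos:pos + length])
    return _OID_TO_ALG.get(oid, "OID " + oid)

def key_algorithm(label, body):
    """Algorithm of a private-key PEM block, from its legacy label or PKCS#8 header."""
    if label == "PRIVATE KEY":
        return pkcs8_algorithm(body)
    if label in _LEGACY_LABELS:
        return _LEGACY_LABELS[label]
    raise ValueError(f"unsupported key block {label!r}")

def check_chain_files(pem_texts):
    """Check the in-order concatenation of the listed files' contents.
    Returns a list of problems; an empty list means the layout is acceptable."""
    blocks = [b for text in pem_texts for b in _PEM_RE.findall(text)]
    if not blocks:
        return ["no PEM objects found"]
    problems, seen, have_key, pending = [], {}, False, None
    for idx, (label, body) in enumerate(blocks, 1):
        if label == "CERTIFICATE":
            if not have_key:
                problems.append(f"object {idx}: certificate before any private key")
            pending = None                # the preceding key now has its certificate
        elif label.endswith("PRIVATE KEY"):
            if pending is not None:
                problems.append(f"object {pending}: key not immediately followed by its certificate")
            have_key, pending = True, idx
            if label == "ENCRYPTED PRIVATE KEY":
                problems.append(f"object {idx}: encrypted key; Postfix needs a pass-phrase-less key")
                continue
            alg = key_algorithm(label, body)
            if alg in seen:
                problems.append(f"object {idx}: second {alg} key (first is object {seen[alg]})")
            seen.setdefault(alg, idx)
        else:
            problems.append(f"object {idx}: unexpected PEM object {label!r}")
    if pending is not None:
        problems.append(f"object {pending}: key not immediately followed by its certificate")
    return problems

# Constructed sample input reusing this page's example keys: the Ed25519 and
# Ed448 keys are complete; the RSA key and every certificate are cut to their
# first line, which suffices because only the headers are inspected.
def _pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

ED25519_KEY = _pem("PRIVATE KEY", "MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3")
ED25519_CERT = _pem("CERTIFICATE", "MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG")
ED448_KEY = _pem("PRIVATE KEY", "MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe\n"
                 "LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==")
ED448_CERT = _pem("CERTIFICATE", "MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG")
RSA_KEY = _pem("PRIVATE KEY", "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL")
RSA_CERT = _pem("CERTIFICATE", "MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL")

if __name__ == "__main__":
    good = [ED25519_KEY + ED25519_CERT, ED448_KEY + ED448_CERT, RSA_KEY + RSA_CERT]
    print("separate files:", check_chain_files(good) or "OK")
    print("duplicate key: ", check_chain_files([ED25519_KEY + ED25519_CERT] * 2))
```

A key and its certificate may sit in adjacent files, exactly as the text allows, because the check runs over the concatenation in the listed order; on a real system pass the files' contents in the order they appear in smtp_tls_chain_files.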
7411
7413 Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
7414 list. As this feature applies to all TLS security levels, it is easy to
7415 create interoperability problems by choosing a non-default cipher list.
7416 Do not use a non-default TLS cipher list on hosts that deliver email to
7417 the public Internet: you will be unable to send email to servers that
7418 only support the ciphers you exclude. Using a restricted cipher list
7419 may be more appropriate for an internal MTA, where one can exert some
7420 control over the TLS software and settings of the peer servers.
7421
7422 Note: do not use "" quotes around the parameter value.
7423
7424 This feature is available in Postfix version 2.2. It is not used with
7425 Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
7426
7428 The minimum TLS cipher grade that the Postfix SMTP client will use with
7429 opportunistic TLS encryption. Cipher types listed in
7430 smtp_tls_exclude_ciphers are excluded from the base definition of the
7431 selected cipher grade. The default value is "medium" for Postfix
7432 releases after the middle of 2015, "export" for older releases.
7433
7434 When TLS is mandatory the cipher grade is chosen via the
7435 smtp_tls_mandatory_ciphers configuration parameter, see there for syn‐
7436 tax details. See smtp_tls_policy_maps for information on how to config‐
7437 ure ciphers on a per-destination basis.
7438
7439 This feature is available in Postfix 2.6 and later. With earlier Post‐
7440 fix releases only the smtp_tls_mandatory_ciphers parameter is imple‐
7441 mented, and opportunistic TLS always uses "export" or better (i.e. all)
7442 ciphers.
7443
7445 Try to make multiple deliveries per TLS-encrypted connection. This
7446 uses the tlsproxy(8) service to encrypt an SMTP connection, uses the
7447 scache(8) service to save that connection, and relies on hints from the
7448 qmgr(8) daemon.
7449
7450 See "Client-side TLS connection reuse" for background details.
7451
7452 This feature is available in Postfix 3.4 and later.
7453
7455 The TLS policy for MX hosts with "secure" TLSA records when the nexthop
7456 destination security level is dane, but the MX record was found via an
7457 "insecure" MX lookup. The choices are:
7458
7459 may The TLSA records will be ignored and TLS will be optional. If
7460 the MX host does not appear to support STARTTLS, or the STARTTLS
7461 handshake fails, mail may be sent in the clear.
7462
7463 encrypt
7464 The TLSA records will signal a requirement to use TLS. While
7465 TLS encryption will be required, authentication will not be per‐
7466 formed.
7467
7468 dane (default)
7469 The TLSA records will be used just as with "secure" MX records.
7470 TLS encryption will be required, and, if at least one of the
7471 TLSA records is "usable", authentication will be required. When
7472 authentication succeeds, it will be logged only as "Trusted",
7473 not "Verified", because the MX host name could have been forged.
7474 Though with "insecure" MX records an active attacker can compro‐
7475 mise SMTP transport security by returning forged MX records,
7476 such attacks are "tamper-evident" since any forged MX hostnames
7477 will be recorded in the mail logs. Attackers who place a high
7478 value on staying hidden may be deterred from forging MX records.
7479
7480 This feature is available in Postfix 3.1 and later. The may policy is
7481 backwards-compatible with earlier Postfix versions.
7482
7484 File with the Postfix SMTP client DSA certificate in PEM format. This
7485 file may also contain the Postfix SMTP client private DSA key. The DSA
7486 algorithm is obsolete and should not be used.
7487
7488 See the discussion under smtp_tls_cert_file for more details.
7489
7490 Example:
7491
7492 smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
7493
7494 This feature is available in Postfix 2.2 and later.
7495
7497 File with the Postfix SMTP client DSA private key in PEM format. This
7498 file may be combined with the Postfix SMTP client DSA certificate file
7499 specified with $smtp_tls_dcert_file. The DSA algorithm is obsolete and
7500 should not be used.
7501
7502 The private key must be accessible without a pass-phrase, i.e. it must
7503 not be encrypted. File permissions should grant read-only access to the
7504 system superuser account ("root"), and no access to anyone else.
7505
7506 This feature is available in Postfix 2.2 and later.
7507
7509 File with the Postfix SMTP client ECDSA certificate in PEM format.
7510 This file may also contain the Postfix SMTP client ECDSA private key.
7511 With Postfix >= 3.4 the preferred way to configure client keys and cer‐
7512 tificates is via the "smtp_tls_chain_files" parameter.
7513
7514 See the discussion under smtp_tls_cert_file for more details.
7515
7516 Example:
7517
7518 smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
7519
7520 This feature is available in Postfix 2.6 and later, when Postfix is
7521 compiled and linked with OpenSSL 1.0.0 or later.
7522
7524 File with the Postfix SMTP client ECDSA private key in PEM format.
7525 This file may be combined with the Postfix SMTP client ECDSA certifi‐
7526 cate file specified with $smtp_tls_eccert_file. With Postfix >= 3.4
7527 the preferred way to configure client keys and certificates is via the
7528 "smtp_tls_chain_files" parameter.
7529
7530 The private key must be accessible without a pass-phrase, i.e. it must
7531 not be encrypted. File permissions should grant read-only access to the
7532 system superuser account ("root"), and no access to anyone else.
7533
7534 This feature is available in Postfix 2.6 and later, when Postfix is
7535 compiled and linked with OpenSSL 1.0.0 or later.
7536
7538 With mandatory TLS encryption, require that the remote SMTP server
7539 hostname matches the information in the remote SMTP server certificate.
7540 As of RFC 2487 the requirements for hostname checking for MTA clients
7541 are not specified.
7542
7543 This option can be set to "no" to disable strict peer name checking.
7544 This setting has no effect on sessions that are controlled via the
7545 smtp_tls_per_site table.
7546
7547 Disabling the hostname verification can make sense in a closed environ‐
7548 ment where special CAs are created. If not used carefully, this option
7549 opens the danger of a "man-in-the-middle" attack (the CommonName of
7550 this attacker will be logged).
7551
7552 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7553 and later use smtp_tls_security_level instead.
7554
7556 List of ciphers or cipher types to exclude from the Postfix SMTP client
7557 cipher list at all TLS security levels. This is not an OpenSSL
7558 cipherlist, it is a simple list separated by whitespace and/or commas.
7559 The elements are a single cipher, or one or more "+" separated cipher
7560 properties, in which case only ciphers matching all the properties are
7561 excluded.
7562
7563 Examples (some of these will cause problems):
7564
7565 smtp_tls_exclude_ciphers = aNULL
7566 smtp_tls_exclude_ciphers = MD5, DES
7567 smtp_tls_exclude_ciphers = DES+MD5
7568 smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
7569 smtp_tls_exclude_ciphers = kEDH+aRSA
7570
7571 The first setting disables anonymous ciphers. The next setting dis‐
7572 ables ciphers that use the MD5 digest algorithm or the (single) DES
7573 encryption algorithm. The next setting disables ciphers that use MD5
7574 and DES together. The next setting disables the two ciphers
7575 "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
7576 use "EDH" key exchange with RSA authentication.
7577
7578 This feature is available in Postfix 2.3 and later.
7579
7581 List of acceptable remote SMTP server certificate fingerprints for the
7582 "fingerprint" TLS security level (smtp_tls_security_level = finger‐
7583 print). At this security level, Certification Authorities are not used,
7584 and certificate expiration times are ignored. Instead, server certifi‐
7585 cates are verified directly via their certificate fingerprint or public
7586 key fingerprint (Postfix 2.9 and later). The fingerprint is a message
7587 digest of the server certificate (or public key). The digest algorithm
7588 is selected via the smtp_tls_fingerprint_digest parameter.
7589
7590 When an smtp_tls_policy_maps table entry specifies the "fingerprint"
7591 security level, any "match" attributes in that entry specify the list
7592 of valid fingerprints for the corresponding destination. Multiple fin‐
7593 gerprints can be combined with a "|" delimiter in a single match
7594 attribute, or multiple match attributes can be employed.
7595
7596 Example: Certificate fingerprint verification with internal mailhub.
7597 Two matching fingerprints are listed. The relayhost may be multiple
7598 physical hosts behind a load-balancer, each with its own private/public
7599 key and self-signed certificate. Alternatively, a single relayhost may
7600 be in the process of switching from one set of private/public keys to
7601 another, and both keys are trusted just prior to the transition.
7602
7603 relayhost = [mailhub.example.com]
7604 smtp_tls_security_level = fingerprint
7605 smtp_tls_fingerprint_digest = md5
7606 smtp_tls_fingerprint_cert_match =
7607 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7608 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7609
7610 Example: Certificate fingerprint verification with selected destina‐
7611 tions. As in the example above, we show two matching fingerprints:
7612
7613 /etc/postfix/main.cf:
7614 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7615 smtp_tls_fingerprint_digest = md5
7616
7617 /etc/postfix/tls_policy:
7618 example.com fingerprint
7619 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7620 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7621
7622 This feature is available in Postfix 2.5 and later.
7623
7625 The message digest algorithm used to construct remote SMTP server cer‐
7626 tificate fingerprints. At the "fingerprint" TLS security level
7627 (smtp_tls_security_level = fingerprint), the server certificate is ver‐
7628 ified by directly matching its certificate fingerprint or its public
7629 key fingerprint (Postfix 2.9 and later). The fingerprint is the message
7630 digest of the server certificate (or its public key) using the selected
7631 algorithm. With a digest algorithm resistant to "second pre-image"
7632 attacks, it is not feasible to create a new public key and a matching
7633 certificate (or public/private key-pair) that has the same fingerprint.
7634
7635 The default algorithm is md5; this is consistent with the backwards
7636 compatible setting of the digest used to verify client certificates in
7637 the SMTP server.
7638
7639 The best practice algorithm is now sha1. Recent advances in hash func‐
7640 tion cryptanalysis have led to md5 being deprecated in favor of sha1.
7641 However, as long as there are no known "second pre-image" attacks
7642 against md5, its use in this context can still be considered safe.
7643
7644 While additional digest algorithms are often available with OpenSSL's
7645 libcrypto, only those used by libssl in SSL cipher suites are available
7646 to Postfix. For now this means just md5 or sha1.
7647
7648 To find the fingerprint of a specific certificate file, with a specific
7649 digest algorithm, run:
7650
7651 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7652
7653 Here "-digest" stands for the digest option, e.g. "-sha1" or "-md5". The
7654 text to the right of the "=" sign is the desired fingerprint. For
7655 example:
7655
7656 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7657 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7658
7659 To extract the public key fingerprint from an X.509 certificate, you
7660 need to extract the public key from the certificate and compute the
7661 appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
7662 key" option of the "x509" command extracts the public key always in
7663 "PEM" format. We pipe the result to another OpenSSL command that con‐
7664 verts the key to DER and then to the "dgst" command to compute the fin‐
7665 gerprint.
7666
7667 The actual command to transform the key to DER format depends on the
7668 version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
7669 mand supports all key types. With OpenSSL 0.9.8 and earlier, the key
7670 type is always RSA (nobody uses DSA, and EC keys are not fully sup‐
7671 ported by 0.9.8), so the "rsa" command is used.
7672
7673 # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
7674 $ openssl x509 -in cert.pem -noout -pubkey |
7675 openssl pkey -pubin -outform DER |
7676 openssl dgst -sha1 -c
7677 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
7678
7679 # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
7680 $ openssl x509 -in cert.pem -noout -pubkey |
7681 openssl rsa -pubin -outform DER |
7682 openssl dgst -md5 -c
7683 (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
7684
7685 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
7686 gerprint and public key fingerprint when the TLS loglevel is 2 or
7687 higher.
7688
7689 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
7690 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
7691 later.
7692
7693 This feature is available in Postfix 2.5 and later.
7694
7696 Look up the associated DANE TLSA RRset even when a hostname is not an
7697 alias and its address records lie in an unsigned zone. This is
7698 unlikely to ever yield DNSSEC validated results, since child zones of
7699 unsigned zones are also unsigned in the absence of DLV or locally con‐
7700 figured non-root trust-anchors. We anticipate that such mechanisms
7701 will not be used for just the "_tcp" subdomain of a host. Suppressing
7702 the TLSA RRset lookup reduces latency and avoids potential interoper‐
7703 ability problems with nameservers for unsigned zones that are not pre‐
7704 pared to handle the new TLSA RRset.
7705
7706 This feature is available in Postfix 2.11.
7707
7709 File with the Postfix SMTP client RSA private key in PEM format. This
7710 file may be combined with the Postfix SMTP client RSA certificate file
7711 specified with $smtp_tls_cert_file. With Postfix >= 3.4 the preferred
7712 way to configure client keys and certificates is via the
7713 "smtp_tls_chain_files" parameter.
7714
7715 The private key must be accessible without a pass-phrase, i.e. it must
7716 not be encrypted. File permissions should grant read-only access to the
7717 system superuser account ("root"), and no access to anyone else.
7718
7719 Example:
7720
7721 smtp_tls_key_file = $smtp_tls_cert_file
7722
7723 This feature is available in Postfix 2.2 and later.
7724
7726 Enable additional Postfix SMTP client logging of TLS activity. Each
7727 logging level also includes the information that is logged at a lower
7728 logging level.
7729
7730 0 Disable logging of TLS activity.
7731
7732 1 Log only a summary message on TLS handshake completion - no
7733 logging of remote SMTP server certificate trust-chain verifica‐
7734 tion errors if server certificate verification is not required.
7735 With Postfix 2.8 and earlier, log the summary message and uncon‐
7736 ditionally log trust-chain verification errors.
7737
7738 2 Also log levels during TLS negotiation.
7739
7740 3 Also log hexadecimal and ASCII dump of TLS negotiation
7741 process.
7742
7743 4 Also log hexadecimal and ASCII dump of complete transmission
7744 after STARTTLS.
7745
7746 Do not use "smtp_tls_loglevel = 2" or higher except in case of prob‐
7747 lems. Use of loglevel 4 is strongly discouraged.
7748
7749 This feature is available in Postfix 2.2 and later.
7750
7752 The minimum TLS cipher grade that the Postfix SMTP client will use with
7753 mandatory TLS encryption. The default value "medium" is suitable for
7754 most destinations with which you may want to enforce TLS, and is beyond
7755 the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
7756 for information on how to configure ciphers on a per-destination basis.
7757
7758 The following cipher grades are supported:
7759
7760 export Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
7761 cipherlist is specified via the tls_export_cipherlist configura‐
7762 tion parameter, which you are strongly encouraged to not change.
7763 This choice is insecure and SHOULD NOT be used.
7764
7765 low Enable "LOW" grade or better OpenSSL ciphers. The underlying
7766 cipherlist is specified via the tls_low_cipherlist configuration
7767 parameter, which you are strongly encouraged to not change.
7768 This choice is insecure and SHOULD NOT be used.
7769
7770 medium Enable "MEDIUM" grade or better OpenSSL ciphers. The underlying
7771 cipherlist is specified via the tls_medium_cipherlist configura‐
7772 tion parameter, which you are strongly encouraged to not change.
7773
7774 high Enable only "HIGH" grade OpenSSL ciphers. This setting may be
7775 appropriate when all mandatory TLS destinations (e.g. when all
7776 mail is routed to a suitably capable relayhost) support at least
7777 one "HIGH" grade cipher. The underlying cipherlist is specified
7778 via the tls_high_cipherlist configuration parameter, which you
7779 are strongly encouraged to not change.
7780
7781 null Enable only the "NULL" OpenSSL ciphers; these provide authenti‐
7782 cation without encryption. This setting is only appropriate in
7783 the rare case that all servers are prepared to use NULL ciphers
7784 (not normally enabled in TLS servers). A plausible use-case is
7785 an LMTP server listening on a UNIX-domain socket that is config‐
7786 ured to support "NULL" ciphers. The underlying cipherlist is
7787 specified via the tls_null_cipherlist configuration parameter,
7788 which you are strongly encouraged to not change.
7789
7790 The underlying cipherlists for grades other than "null" include anony‐
7791 mous ciphers, but these are automatically filtered out if the Postfix
7792 SMTP client is configured to verify server certificates. You are very
7793 unlikely to need to take any steps to exclude anonymous ciphers, they
7794 are excluded automatically as necessary. If you must exclude anonymous
7795 ciphers at the "may" or "encrypt" security levels, when the Postfix
7796 SMTP client does not need or use peer certificates, set
7797 "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
7798 when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
7799
7800 This feature is available in Postfix 2.3 and later.
7801
7803 Additional list of ciphers or cipher types to exclude from the Postfix
7804 SMTP client cipher list at mandatory TLS security levels. This list
7805 works in addition to the exclusions listed with
7806 smtp_tls_exclude_ciphers (see there for syntax details).
7807
7808 Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
7809 ified on a per-destination basis via the TLS policy "exclude"
7810 attribute. See smtp_tls_policy_maps for notes and examples.
7811
7812 This feature is available in Postfix 2.3 and later.
7813
7815 List of SSL/TLS protocols that the Postfix SMTP client will use with
7816 mandatory TLS encryption. In main.cf the values are separated by
7817 whitespace, commas or colons. In the policy table "protocols" attribute
7818 (see smtp_tls_policy_maps) the only valid separator is colon. An empty
7819 value means allow all protocols. The valid protocol names (see
7820 SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1". The default
7821 value is "!SSLv2, !SSLv3" for Postfix releases after the middle of
7822 2015, "!SSLv2" for older releases.
7823
7824 With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
7825 col exclusions. One can explicitly exclude "SSLv2" by setting
7826 "smtp_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
7827 "SSLv3" set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
7828 the protocols to include, rather than protocols to exclude, is sup‐
7829 ported, but not recommended. The exclusion form more closely matches
7830 the underlying OpenSSL interface semantics.
7831
7832 The range of protocols advertised by an SSL/TLS client must be contigu‐
7833 ous. When a protocol version is enabled, disabling any higher version
7834 implicitly disables all versions above that higher version. Thus, for
7835 example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
7836
7837 smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7838 also disables any protocol version higher than TLSv1, leaving only
7839 "SSLv3" enabled.
7840
7841 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7842 "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
7843 later, these, or any other new protocol versions, cannot be disabled
7844 except by also disabling "TLSv1" (typically leaving just "SSLv3"). The
7845 latest patch levels of Postfix >= 2.6, and all versions of Postfix >=
7846 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
7847
7848 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
7849 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
7850 abled, if need be, via "!TLSv1.3".
7851
7852 At the dane and dane-only security levels, when usable TLSA records are
7853 obtained for the remote SMTP server, the Postfix SMTP client is obli‐
7854 gated to include the SNI TLS extension in its SSL client hello message.
7855 This may help the remote SMTP server live up to its promise to provide
7856 a certificate that matches its TLSA records. Since TLS extensions
7857 require TLS 1.0 or later, the Postfix SMTP client must disable "SSLv2"
7858 and "SSLv3" when SNI is required. If you use "dane" or "dane-only" do
7859 not disable TLSv1, except perhaps via the policy table for destinations
7860 which you are sure will support "TLSv1.1" or "TLSv1.2".
7861
7862 See the documentation of the smtp_tls_policy_maps parameter and
7863 TLS_README for more information about security levels.
7864
7865 Example:
7866
7867 # Preferred syntax with Postfix >= 2.5:
7868 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7869 # Legacy syntax:
7870 smtp_tls_mandatory_protocols = TLSv1
7871
7872 This feature is available in Postfix 2.3 and later.
7873
7874 smtp_tls_note_starttls_offer (default: no)
7875 Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
7876 is not already enabled for that server.
7877
7878 The logfile record looks like:
7879
7880 postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
7881
7882 This feature is available in Postfix 2.2 and later.
7883
7884 smtp_tls_per_site (default: empty)
7885 Optional lookup tables with the Postfix SMTP client TLS usage policy by
7886 next-hop destination and by remote SMTP server hostname. When both
7887 lookups succeed, the more specific per-site policy (NONE, MUST, etc)
7888 overrides the less specific one (MAY), and the more secure per-site
7889 policy (MUST, etc) overrides the less secure one (NONE). With Postfix
7890 2.3 and later smtp_tls_per_site is strongly discouraged: use
7891 smtp_tls_policy_maps instead.
7892
7893 Use of the bare hostname as the per-site table lookup key is discour‐
7894 aged. Always use the full destination nexthop (enclosed in [] with a
7895 possible ":port" suffix). A recipient domain or MX-enabled transport
7896 next-hop with no port suffix may look like a bare hostname, but is
7897 still a suitable destination.
7898
7899 Specify a next-hop destination or server hostname on the left-hand
7900 side; no wildcards are allowed. The next-hop destination is either the
7901 recipient domain, or the destination specified with a transport(5) ta‐
7902 ble, the relayhost parameter, or the relay_transport parameter. On the
7903 right hand side specify one of the following keywords:
7904
7905 NONE Don't use TLS at all. This overrides a less specific MAY lookup
7906 result from the alternate host or next-hop lookup key, and over‐
7907 rides the global smtp_use_tls, smtp_enforce_tls, and
7908 smtp_tls_enforce_peername settings.
7909
7910 MAY Try to use TLS if the server announces support, otherwise use
7911 the unencrypted connection. This has less precedence than a more
7912 specific result (including NONE) from the alternate host or
7913 next-hop lookup key, and has less precedence than the more spe‐
7914 cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
7915 name = yes".
7916
7917 MUST_NOPEERMATCH
7918 Require TLS encryption, but do not require that the remote SMTP
7919 server hostname matches the information in the remote SMTP
7920 server certificate, or that the server certificate was issued by
7921 a trusted CA. This overrides a less secure NONE or a less spe‐
7922 cific MAY lookup result from the alternate host or next-hop
7923 lookup key, and overrides the global smtp_use_tls,
7924 smtp_enforce_tls and smtp_tls_enforce_peername settings.
7925
7926 MUST Require TLS encryption, require that the remote SMTP server
7927 hostname matches the information in the remote SMTP server cer‐
7928 tificate, and require that the remote SMTP server certificate
7929 was issued by a trusted CA. This overrides a less secure NONE
7930 and MUST_NOPEERMATCH or a less specific MAY lookup result from
7931 the alternate host or next-hop lookup key, and overrides the
7932 global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
7933 name settings.
7934
7935 The above keywords correspond to the "none", "may", "encrypt" and "ver‐
7936 ify" security levels for the new smtp_tls_security_level parameter
7937 introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
7938 of how the policy is specified, the smtp_tls_mandatory_ciphers and
7939 smtp_tls_mandatory_protocols parameters apply when TLS encryption is
7940 mandatory. Connections for which encryption is optional typically
7941 enable all "export" grade and better ciphers (see smtp_tls_ciphers and
7942 smtp_tls_protocols).
7943
7944 As long as no secure DNS lookup mechanism is available, false hostnames
7945 in MX or CNAME responses can change the server hostname that Postfix
7946 uses for TLS policy lookup and server certificate verification. Even
7947 with a perfect match between the server hostname and the server cer‐
7948 tificate, there is no guarantee that Postfix is connected to the right
7949 server. See TLS_README (Closing a DNS loophole with obsolete per-site
7950 TLS policies) for a possible work-around.
7951
7952 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7953 and later use smtp_tls_policy_maps instead.
7954
7955 smtp_tls_policy_maps (default: empty)
7956 Optional lookup tables with the Postfix SMTP client TLS security policy
7957 by next-hop destination; when a non-empty value is specified, this
7958 overrides the obsolete smtp_tls_per_site parameter. See TLS_README for
7959 a more detailed discussion of TLS security levels.
7960
7961 Specify zero or more "type:name" lookup tables, separated by whitespace
7962 or comma. Tables will be searched in the specified order until a match
7963 is found.
7964
7965 The TLS policy table is indexed by the full next-hop destination, which
7966 is either the recipient domain, or the verbatim next-hop specified in
7967 the transport table, $local_transport, $virtual_transport,
7968 $relay_transport or $default_transport. This includes any enclosing
7969 square brackets and any non-default destination server port suffix. The
7970 LMTP socket type prefix (inet: or unix:) is not included in the lookup
7971 key.
7972
7973 Only the next-hop domain, or $myhostname with LMTP over UNIX-domain
7974 sockets, is used as the nexthop name for certificate verification. The
7975 port and any enclosing square brackets are used in the table lookup
7976 key, but are not used for server name verification.
7977
7978 When the lookup key is a domain name without enclosing square brackets
7979 or any :port suffix (typically the recipient domain), and the full
7980 domain is not found in the table, just as with the transport(5) table,
7981 the parent domain starting with a leading "." is matched recursively.
7982 This allows one to specify a security policy for a recipient domain and
7983 all its sub-domains.
7984
7985 The lookup result is a security level, followed by an optional list of
7986 whitespace and/or comma separated name=value attributes that override
7987 related main.cf settings. The TLS security levels in order of increas‐
7988 ing security are:
7989
7990 none No TLS. No additional attributes are supported at this level.
7991
7992 may Opportunistic TLS. Since sending in the clear is acceptable,
7993 demanding stronger than default TLS security merely reduces
7994 interoperability. The optional "ciphers", "exclude", and "proto‐
7995 cols" attributes (available for opportunistic TLS with Postfix
7996 >= 2.6) and "connection_reuse" attribute (Postfix >= 3.4) over‐
7997 ride the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers",
7998 "smtp_tls_protocols", and "smtp_tls_connection_reuse" configura‐
7999 tion parameters. When opportunistic TLS handshakes fail, Postfix
8000 retries the connection with TLS disabled. This allows mail
8001 delivery to sites with non-interoperable TLS implementations.
8002
8003 encrypt
8004 Mandatory TLS encryption. At this level and higher, the optional
8005 "protocols" attribute overrides the main.cf smtp_tls_manda‐
8006 tory_protocols parameter, the optional "ciphers" attribute over‐
8007 rides the main.cf smtp_tls_mandatory_ciphers parameter, the
8008 optional "exclude" attribute (Postfix >= 2.6) overrides the
8009 main.cf smtp_tls_mandatory_exclude_ciphers parameter, and the
8010 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8011 the main.cf smtp_tls_connection_reuse parameter. In the policy
8012 table, multiple protocols or excluded ciphers must be separated
8013 by colons, as attribute values may not contain whitespace or
8014 commas.
8015
8016 dane Opportunistic DANE TLS. The TLS policy for the destination is
8017 obtained via TLSA records in DNSSEC. If no TLSA records are
8018 found, the effective security level used is may. If TLSA
8019 records are found, but none are usable, the effective security
8020 level is encrypt. When usable TLSA records are obtained for the
8021 remote SMTP server, the server certificate must match the TLSA
8022 records. RFC 7672 (DANE) TLS authentication and DNSSEC support
8023 is available with Postfix 2.11 and later. The optional "connec‐
8024 tion_reuse" attribute (Postfix >= 3.4) overrides the main.cf
8025 smtp_tls_connection_reuse parameter.
8026
8027 dane-only
8028 Mandatory DANE TLS. The TLS policy for the destination is
8029 obtained via TLSA records in DNSSEC. If no TLSA records are
8030 found, or none are usable, no connection is made to the server.
8031 When usable TLSA records are obtained for the remote SMTP
8032 server, the server certificate must match the TLSA records. RFC
8033 7672 (DANE) TLS authentication and DNSSEC support is available
8034 with Postfix 2.11 and later. The optional "connection_reuse"
8035 attribute (Postfix >= 3.4) overrides the main.cf smtp_tls_con‐
8036 nection_reuse parameter.
8037
8038 fingerprint
8039 Certificate fingerprint verification. Available with Postfix 2.5
8040 and later. At this security level, there are no trusted Certifi‐
8041 cation Authorities. The certificate trust chain, expiration
8042 date, ... are not checked. Instead, the optional match
8043 attribute, or else the main.cf smtp_tls_fingerprint_cert_match
8044 parameter, lists the certificate fingerprints or the public key
8045 fingerprint (Postfix 2.9 and later) of the valid server certifi‐
8046 cate. The digest algorithm used to calculate the fingerprint is
8047 selected by the smtp_tls_fingerprint_digest parameter. Multiple
8048 fingerprints can be combined with a "|" delimiter in a single
8049 match attribute, or multiple match attributes can be employed.
8050 The ":" character is not used as a delimiter as it occurs
8051 between each pair of fingerprint (hexadecimal) digits. The
8052 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8053 the main.cf smtp_tls_connection_reuse parameter.
8054
8055 verify Mandatory TLS verification. At this security level, DNS MX
8056 lookups are trusted to be secure enough, and the name verified
8057 in the server certificate is usually obtained indirectly via
8058 unauthenticated DNS MX lookups. The optional "match" attribute
8059 overrides the main.cf smtp_tls_verify_cert_match parameter. In
8060 the policy table, multiple match patterns and strategies must be
8061 separated by colons. In practice explicit control over matching
8062 is more common with the "secure" policy, described below. The
8063 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8064 the main.cf smtp_tls_connection_reuse parameter.
8065
8066 secure Secure-channel TLS. At this security level, DNS MX lookups,
8067 though potentially used to determine the candidate next-hop
8068 gateway IP addresses, are not trusted to be secure enough for
8069 TLS peername verification. Instead, the default name verified in
8070 the server certificate is obtained directly from the next-hop,
8071 or is explicitly specified via the optional match attribute
8072 which overrides the main.cf smtp_tls_secure_cert_match parame‐
8073 ter. In the policy table, multiple match patterns and strategies
8074 must be separated by colons. The match attribute is most useful
8075 when multiple domains are supported by a common server: the policy
8076 entries for additional domains specify matching rules for the
8077 primary domain certificate. While transport table overrides
8078 routing the secondary domains to the primary nexthop also allow
8079 secure verification, they risk delivery to the wrong destination
8080 when domains change hands or are re-assigned to new gateways.
8081 With the "match" attribute approach, routing is not perturbed,
8082 and mail is deferred if verification of a new MX host fails. The
8083 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8084 the main.cf smtp_tls_connection_reuse parameter.
8085
8086 Example:
8087
8088 /etc/postfix/main.cf:
8089 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
8090 # Postfix 2.5 and later
8091 smtp_tls_fingerprint_digest = md5
8092
8093 /etc/postfix/tls_policy:
8094 example.edu none
8095 example.mil may
8096 example.gov encrypt protocols=TLSv1
8097 example.com verify ciphers=high
8098 example.net secure
8099 .example.net secure match=.example.net:example.net
8100 [mail.example.org]:587 secure match=nexthop
8101 # Postfix 2.5 and later
8102 [thumb.example.org] fingerprint
8103 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8104 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8105
8106 Note: The hostname strategy, if listed in a non-default setting of
8107 smtp_tls_secure_cert_match or in the match attribute in the policy ta‐
8108 ble, can render the secure level vulnerable to DNS forgery. Do not use
8109 the hostname strategy for secure-channel configurations in environments
8110 where DNS security is not assured.
8111
8112 This feature is available in Postfix 2.3 and later.
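Added example, not Postfix code: a model of the smtp_tls_policy_maps lookup described above (lookup-key derivation, ".parent" fallback for bare domains only, and parsing of the "level attr=value ..." result), run over the tls_policy table from the example. The names TlsPolicy, lookup_tls_policy and parse_policy are this example's own.

```python
from dataclasses import dataclass, field

# The tls_policy table from the postconf(5) example above, one entry per
# line ("key  level [attr=value ...]"). The two "match" attributes of the
# fingerprint entry, shown as continuation lines in the manual, are joined
# onto one line here.
TLS_POLICY_TABLE = """
example.edu             none
example.mil             may
example.gov             encrypt protocols=TLSv1
example.com             verify ciphers=high
example.net             secure
.example.net            secure match=.example.net:example.net
[mail.example.org]:587  secure match=nexthop
[thumb.example.org]     fingerprint match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
"""

# Attributes whose value is a colon-separated list; attribute values in
# the policy table may not contain whitespace or commas.
LIST_ATTRIBUTES = {"protocols", "exclude", "match"}


@dataclass
class TlsPolicy:
    level: str
    attrs: dict = field(default_factory=dict)


def parse_policy_table(text):
    """Parse the table text into {lookup_key: right-hand side}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key] = value
    return table


def parse_policy(value):
    """Split a lookup result into its security level and attributes."""
    level, *tokens = value.replace(",", " ").split()
    policy = TlsPolicy(level=level)
    for token in tokens:
        name, _, raw = token.partition("=")
        if name == "match" and level == "fingerprint":
            # Fingerprints use ":" between digit pairs, so alternatives are
            # separated by "|"; repeated match attributes accumulate.
            items = raw.split("|")
        elif name in LIST_ATTRIBUTES:
            items = raw.split(":")
        else:
            policy.attrs[name] = raw
            continue
        policy.attrs.setdefault(name, []).extend(items)
    return policy


def policy_lookup_key(nexthop):
    """Drop an LMTP socket type prefix; keep [] and any :port suffix."""
    lowered = nexthop.lower()
    for prefix in ("inet:", "unix:"):
        if lowered.startswith(prefix):
            return nexthop[len(prefix):]
    return nexthop


def lookup_tls_policy(table, nexthop):
    """Return the TlsPolicy for a next-hop destination, or None.

    Only a bare domain (no [] and no :port) falls back to its ".parent"
    domains, mirroring the transport(5) rule the manual refers to.
    """
    key = policy_lookup_key(nexthop)
    if key in table:
        return parse_policy(table[key])
    if "[" in key or ":" in key:
        return None
    dot = key.find(".", 1)
    while dot != -1:
        parent = key[dot:]              # ".sub.example.net", ".example.net", ".net"
        if parent in table:
            return parse_policy(table[parent])
        dot = key.find(".", dot + 1)
    return None


if __name__ == "__main__":
    table = parse_policy_table(TLS_POLICY_TABLE)
    for dest in ("example.gov", "mail.example.net", "inet:[mail.example.org]:587",
                 "[mail.example.org]", "[thumb.example.org]", "example.org"):
        print(f"{dest:32} -> {lookup_tls_policy(table, dest)}")
```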
8113
8114 smtp_tls_protocols (default: see 'postconf -d' output)
8115 List of TLS protocols that the Postfix SMTP client will exclude or
8116 include with opportunistic TLS encryption. The default value is
8117 "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
8118 "!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP
8119 client would use all protocols with opportunistic TLS.
8120
8121 In main.cf the values are separated by whitespace, commas or colons. In
8122 the policy table (see smtp_tls_policy_maps) the only valid separator is
8123 colon. An empty value means allow all protocols. The valid protocol
8124 names (see SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
8125
8126 The range of protocols advertised by an SSL/TLS client must be contigu‐
8127 ous. When a protocol version is enabled, disabling any higher version
8128 implicitly disables all versions above that higher version. Thus, for
8129 example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
8130
8131 smtp_tls_protocols = !SSLv2, !TLSv1
8132 also disables any protocol version higher than TLSv1, leaving only
8133 "SSLv3" enabled.
8134
8135 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
8136 "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
8137 of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or
8138 "TLSv1.2".
8139
8140 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
8141 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
8142 abled, if need be, via "!TLSv1.3".
8143
8144 To include a protocol list its name, to exclude it, prefix the name
8145 with a "!" character. To exclude SSLv2 for opportunistic TLS set
8146 "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
8147 "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
8148 to include, rather than protocols to exclude, is supported, but not
8149 recommended. The exclusion form more closely matches the underlying
8150 OpenSSL interface semantics.
8151
8152 Example:
8153 # TLSv1 or better:
8154 smtp_tls_protocols = !SSLv2, !SSLv3
8155
8156 This feature is available in Postfix 2.6 and later.
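Added example, not Postfix code, covering the protocol-list semantics of both smtp_tls_protocols and smtp_tls_mandatory_protocols described above: it computes which versions remain enabled after applying the rule that the advertised range must be contiguous. It assumes an OpenSSL build supporting all six versions named in the text, and models the (not recommended) inclusion form as "every version not listed is excluded".

```python
# Protocol versions oldest to newest, as named in postconf(5); TLSv1.3
# requires OpenSSL 1.1.1 and a Postfix release that knows the name.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_protocol_list(value, policy_table=False):
    """Split a protocol setting into (included, excluded) name sets.

    main.cf accepts whitespace, comma or colon separators; the policy
    table "protocols" attribute accepts only ":".
    """
    if policy_table:
        tokens = [t for t in value.split(":") if t]
    else:
        tokens = value.replace(",", " ").replace(":", " ").split()
    included, excluded = set(), set()
    for token in tokens:
        if token.startswith("!"):
            excluded.add(token[1:])
        else:
            included.add(token)
    unknown = (included | excluded) - set(PROTOCOL_ORDER)
    if unknown:
        raise ValueError(f"unknown protocol name(s): {sorted(unknown)}")
    return included, excluded


def effective_protocols(value, policy_table=False):
    """Return the versions the client will actually offer, lowest first."""
    included, excluded = parse_protocol_list(value, policy_table)
    if not included and not excluded:
        return list(PROTOCOL_ORDER)       # empty value: allow all protocols
    if included:
        # Inclusion form (assumption, see lead-in): listed versions only.
        candidates = [p for p in PROTOCOL_ORDER
                      if p in included and p not in excluded]
    else:
        candidates = [p for p in PROTOCOL_ORDER if p not in excluded]
    # Contiguity rule: start at the lowest enabled version and stop at the
    # first disabled one; every version above that hole is also disabled.
    enabled, started = [], False
    for proto in PROTOCOL_ORDER:
        if proto in candidates:
            enabled.append(proto)
            started = True
        elif started:
            break
    return enabled


if __name__ == "__main__":
    for setting in ("!SSLv2, !SSLv3", "!SSLv2, !TLSv1", "!SSLv2:!SSLv3:!TLSv1.3"):
        print(f"{setting:28} -> {effective_protocols(setting)}")
```

The second setting reproduces the manual's warning case: excluding TLSv1 while SSLv3 is still enabled leaves only "SSLv3".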
8157
8158 smtp_tls_scert_verifydepth (default: 9)
8159 The verification depth for remote SMTP server certificates. A depth of
8160 1 is sufficient if the issuing CA is listed in a local CA file.
8161
8162 The default verification depth is 9 (the OpenSSL default) for compati‐
8163 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
8164 value was 5, but the limit was not actually enforced. If you have set
8165 this to a lower non-default value, certificates with longer trust
8166 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
8167 common, deeper chains are more rare and any number between 5 and 9
8168 should suffice in practice. You can choose a lower number if, for exam‐
8169 ple, you trust certificates directly signed by an issuing CA but not
8170 any CAs it delegates to.
8171
8172 This feature is available in Postfix 2.2 and later.
8173
8174 smtp_tls_secure_cert_match (default: nexthop, dot-nexthop)
8175 How the Postfix SMTP client verifies the server certificate peername
8176 for the "secure" TLS security level. In a "secure" TLS policy table
8177 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
8178 this main.cf setting.
8179
8180 This parameter specifies one or more patterns or strategies separated
8181 by commas, whitespace or colons. In the policy table the only valid
8182 separator is the colon character.
8183
8184 For a description of the pattern and strategy syntax see the
8185 smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
8186 avoided in this context, as in the absence of a secure global DNS,
8187 using the results of MX lookups in certificate verification is not
8188 immune to active (man-in-the-middle) attacks on DNS.
8189
8190 Sample main.cf setting:
8191
8192 smtp_tls_secure_cert_match = nexthop
8193
8194 Sample policy table override:
8195
8196 example.net secure match=example.com:.example.com
8197 .example.net secure match=example.com:.example.com
8198
8199 This feature is available in Postfix 2.3 and later.
8200
8201 smtp_tls_security_level (default: empty)
8202 The default SMTP TLS security level for the Postfix SMTP client; when a
8203 non-empty value is specified, this overrides the obsolete parameters
8204 smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
8205
8206 Specify one of the following security levels:
8207
8208 none No TLS. TLS will not be used unless enabled for specific desti‐
8209 nations via smtp_tls_policy_maps.
8210
8211 may Opportunistic TLS. Use TLS if this is supported by the remote
8212 SMTP server, otherwise use plaintext. Since sending in the clear
8213 is acceptable, demanding stronger than default TLS security
8214 merely reduces interoperability. The "smtp_tls_ciphers" and
8215 "smtp_tls_protocols" (Postfix >= 2.6) configuration parameters
8216 provide control over the protocols and cipher grade used with
8217 opportunistic TLS. With earlier releases the opportunistic TLS
8218 cipher grade is always "export" and no protocols are disabled.
8219 When TLS handshakes fail, the connection is retried with TLS
8220 disabled. This allows mail delivery to sites with non-interop‐
8221 erable TLS implementations.
8222
8223 encrypt
8224 Mandatory TLS encryption. Since a minimum level of security is
8225 intended, it is reasonable to be specific about sufficiently
8226 secure protocol versions and ciphers. At this security level and
8227 higher, the main.cf parameters smtp_tls_mandatory_protocols and
8228 smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
8229 cipher grade which the administrator considers secure enough for
8230 mandatory encrypted sessions. This security level is not an
8231 appropriate default for systems delivering mail to the Internet.
8232
8233 dane Opportunistic DANE TLS. At this security level, the TLS policy
8234 for the destination is obtained via DNSSEC. For TLSA policy to
8235 be in effect, the destination domain's containing DNS zone must
8236 be signed and the Postfix SMTP client's operating system must be
8237 configured to send its DNS queries to a recursive DNS nameserver
8238 that is able to validate the signed records. Each MX host's DNS
8239 zone should also be signed, and should publish DANE TLSA (RFC
8240 7672) records that specify how that MX host's TLS certificate is
8241 to be verified. TLSA records do not preempt the normal SMTP MX
8242 host selection algorithm; if some MX hosts support TLSA and oth‐
8243 ers do not, TLS security will vary from delivery to delivery.
8244 It is up to the domain owner to configure their MX hosts and
8245 their DNS sensibly. To configure the Postfix SMTP client for
8246 DNSSEC lookups see the documentation for the smtp_dns_sup‐
8247 port_level main.cf parameter. When DNSSEC-validated TLSA
8248 records are not found the effective TLS security level is "may".
8249 When TLSA records are found, but are all unusable, the effective
8250 security level is "encrypt". For purposes of protocol and
8251 cipher selection, the "dane" security level is treated like a
8252 "mandatory" TLS security level, and weak ciphers and protocols
8253 are disabled. Since DANE authenticates server certificates, the
8254 "aNULL" cipher-suites are transparently excluded at this level;
8255 there is no need to configure this manually. RFC 7672 (DANE) TLS
8256 authentication is available with Postfix 2.11 and later.
8257
8258 dane-only
8259 Mandatory DANE TLS. This is just like "dane" above, but DANE
8260 TLSA authentication is required. There is no fallback to "may"
8261 or "encrypt" when TLSA records are missing or unusable. RFC
8262 7672 (DANE) TLS authentication is available with Postfix 2.11
8263 and later.
8264
8265 fingerprint
8266 Certificate fingerprint verification. At this security level,
8267 there are no trusted Certification Authorities. The certificate
8268 trust chain, expiration date, etc., are not checked. Instead,
8269 the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
8270 cate fingerprint or public key fingerprint (Postfix 2.9 and
8271 later) of the valid server certificate. The digest algorithm
8272 used to calculate the fingerprint is selected by the
8273 smtp_tls_fingerprint_digest parameter. Available with Postfix
8274 2.5 and later.
8275
8276 verify Mandatory TLS verification. At this security level, DNS MX
8277 lookups are trusted to be secure enough, and the name verified
8278 in the server certificate is usually obtained indirectly via
8279 unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match
8280 parameter controls how the server name is verified. In practice
8281 explicit control over matching is more common at the "secure"
8282 level, described below. This security level is not an appropri‐
8283 ate default for systems delivering mail to the Internet.
8284
8285 secure Secure-channel TLS. At this security level, DNS MX lookups,
8286 though potentially used to determine the candidate next-hop
8287 gateway IP addresses, are not trusted to be secure enough for
8288 TLS peername verification. Instead, the default name verified in
8289 the server certificate is obtained from the next-hop domain as
8290 specified in the smtp_tls_secure_cert_match configuration param‐
8291 eter. The default matching rule is that a server certificate
8292 matches when its name is equal to or is a sub-domain of the nex‐
8293 thop domain. This security level is not an appropriate default
8294 for systems delivering mail to the Internet.
8295
8296 Examples:
8297
8298 # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8299 smtp_tls_security_level = none
8300
8301 # Opportunistic TLS.
8302 smtp_tls_security_level = may
8303 # Postfix >= 2.6:
8304 # Do not tweak opportunistic ciphers or protocol unless it is essential
8305 # to do so (if a security vulnerability is found in the SSL library that
8306 # can be mitigated by disabling a particular protocol or raising the
8307 # cipher grade from "export" to "low" or "medium").
8308 smtp_tls_ciphers = export
8309 smtp_tls_protocols = !SSLv2, !SSLv3
8310
8311 # Mandatory (high-grade) TLS encryption.
8312 smtp_tls_security_level = encrypt
8313 smtp_tls_mandatory_ciphers = high
8314
8315 # Mandatory TLS verification of hostname or nexthop domain.
8316 smtp_tls_security_level = verify
8317 smtp_tls_mandatory_ciphers = high
8318 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8319
8320 # Secure channel TLS with exact nexthop name match.
8321 smtp_tls_security_level = secure
8322 smtp_tls_mandatory_protocols = TLSv1
8323 smtp_tls_mandatory_ciphers = high
8324 smtp_tls_secure_cert_match = nexthop
8325
8326 # Certificate fingerprint verification (Postfix >= 2.5).
8327 # The CA-less "fingerprint" security level only scales to a limited
8328 # number of destinations. As a global default rather than a per-site
8329 # setting, this is practical when mail for all recipients is sent
8330 # to a central mail hub.
8331 relayhost = [mailhub.example.com]
8332 smtp_tls_security_level = fingerprint
8333 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8334 smtp_tls_mandatory_ciphers = high
8335 smtp_tls_fingerprint_cert_match =
8336 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8337 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8338
8339 This feature is available in Postfix 2.3 and later.
8340
8341 smtp_tls_servername (default: empty)
8342 Optional name to send to the remote SMTP server in the TLS Server Name
8343 Indication (SNI) extension. The SNI extension is always on when DANE
8344 is used to authenticate the server, and in that case the SNI name sent
8345 is the one required by RFC 7672 and this parameter is ignored.
8346
8347 Some SMTP servers use the received SNI name to select an appropriate
8348 certificate chain to present to the client. While this may improve
8349 interoperability with such servers, it may reduce interoperability with
8350 other servers that choose to abort the connection when they don't have
8351 a certificate chain configured for the requested name. Such servers
8352 should select a default certificate chain and continue the handshake,
8353 but some may not. Therefore, absent DANE, no SNI name is sent by
8354 default.
8355
8356 The SNI name must be either a valid DNS hostname, or else one of the
8357 special values hostname or nexthop, which select either the remote
8358 hostname or the nexthop domain respectively. DNS names for SNI must be
8359 in A-label (punycode) form. Invalid DNS names log a configuration
8360 error warning and mail delivery is deferred.
8361
8362 Except when using a relayhost to forward all email, the only sensible
8363 non-empty main.cf setting for this parameter is hostname. Other
8364 non-empty values are only practical on a per-destination basis via the
8365 servername attribute of the Postfix TLS policy table. When in doubt,
8366 leave this parameter empty, and configure per-destination SNI as
8367 needed.
8368
8369 This feature is available in Postfix 3.4 and later.
8370
8371 smtp_tls_session_cache_database (default: empty)
8372 Name of the file containing the optional Postfix SMTP client TLS ses‐
8373 sion cache. Specify a database type that supports enumeration, such as
8374 btree or sdbm; there is no need to support concurrent access. The file
8375 is created if it does not exist. The smtp(8) daemon does not use this
8376 parameter directly; rather, the cache is implemented indirectly in the
8377 tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8378 of this parameter are not effective. Note that each of the cache
8379 databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
8380 base, $smtp_tls_session_cache_database (and with Postfix 2.3 and later
8381 $lmtp_tls_session_cache_database), needs to be stored separately. It is
8382 not at this time possible to store multiple caches in a single data‐
8383 base.
8384
8385 Note: dbm databases are not suitable. TLS session objects are too
8386 large.
8387
8388 As of version 2.5, Postfix no longer uses root privileges when opening
8389 this file. The file should now be stored under the Postfix-owned
8390 data_directory. As a migration aid, an attempt to open the file under a
8391 non-Postfix directory is redirected to the Postfix-owned data_direc‐
8392 tory, and a warning is logged.
8393
8394 Example:
8395
8396 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8397
8398 This feature is available in Postfix 2.2 and later.
8399
8400 smtp_tls_session_cache_timeout (default: 3600s)
8401 The expiration time of Postfix SMTP client TLS session cache informa‐
8402 tion. A cache cleanup is performed periodically every $smtp_tls_ses‐
8403 sion_cache_timeout seconds. As with $smtp_tls_session_cache_database,
8404 this parameter is implemented in the tlsmgr(8) daemon and therefore
8405 per-smtp-instance master.cf overrides are not possible.
8406
8407 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
8408 session caching is disabled. If set to a positive value less than 2
8409 minutes, the minimum value of 2 minutes is used instead.
8410
8411 This feature is available in Postfix 2.2 and later.
8412
8413 smtp_tls_trust_anchor_file (default: empty)
8414 Zero or more PEM-format files with trust-anchor certificates and/or
8415 public keys. If the parameter is not empty the root CAs in CAfile and
8416 CApath are no longer trusted. Rather, the Postfix SMTP client will
8417 only trust certificate-chains signed by one of the trust-anchors con‐
8418 tained in the chosen files. The specified trust-anchor certificates
8419 and public keys are not subject to expiration, and need not be
8420 (self-signed) root CAs. They may, if desired, be intermediate certifi‐
8421 cates. Therefore, these certificates also may be found "in the middle"
8422 of the trust chain presented by the remote SMTP server, and any
8423 untrusted issuing parent certificates will be ignored. Specify a list
8424 of pathnames separated by comma or whitespace.
8425
8426 Whether specified in main.cf, or on a per-destination basis, the
8427 trust-anchor PEM file must be accessible to the Postfix SMTP client in
8428 the chroot jail if applicable. The trust-anchor file should contain
8429 only certificates and public keys, no private key material, and must be
8430 readable by the non-privileged $mail_owner user. This allows destina‐
8431 tions to be bound to a set of specific CAs or public keys without
8432 trusting the same CAs for all destinations.
8433
8434 The main.cf parameter supports single-purpose Postfix installations
8435 that send mail to a fixed set of SMTP peers. At most sites, if
8436 trust-anchor files are used at all, they will be specified on a
8437 per-destination basis via the "tafile" attribute of the "verify" and
8438 "secure" levels in smtp_tls_policy_maps.
8439
8440 The underlying mechanism is in support of RFC 7672 (DANE TLSA), which
8441 defines mechanisms for an SMTP client MTA to securely determine server
8442 TLS certificates via DNS.
8443
8444 If you want your trust anchors to be public keys, with OpenSSL you can
8445 extract a single PEM public key from a PEM X.509 file containing a sin‐
8446 gle certificate, as follows:
8447
8448 $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8449
8450 This feature is available in Postfix 2.11 and later.
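
Added example (Python, not Postfix code): a lint for a trust-anchor file before it is referenced from main.cf or a "tafile" attribute. It classifies every PEM block (only CERTIFICATE and PUBLIC KEY blocks count as anchors, any PRIVATE KEY block is flagged) and checks os.stat-style ownership and mode bits for readability by $mail_owner; flagging group- and world-writable files is this example's own addition, not a requirement stated above. The PEM samples are constructed placeholders, not real certificates.

```python
import re
import stat

# A trust-anchor file should hold only these PEM block types; anything else is
# either dangerous (private keys) or useless as an anchor.
ALLOWED_LABELS = {"CERTIFICATE", "PUBLIC KEY"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)-----END \1-----", re.S)

def audit_trust_anchor_pem(text):
    """Classify every PEM block in a candidate trust-anchor file.

    Returns {"anchors": n, "problems": [...]}: n usable CERTIFICATE/PUBLIC KEY
    blocks, plus a problem entry for private key material, for block types that
    cannot serve as anchors, and for a file with no anchors at all. The base64
    payloads are not decoded; this is a content lint, not a certificate parser.
    """
    anchors = 0
    problems = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        if "PRIVATE KEY" in label:
            problems.append(f"private key material present ({label})")
        elif label in ALLOWED_LABELS:
            anchors += 1
        else:
            problems.append(f"unusable block type {label!r}")
    if anchors == 0:
        problems.append("no CERTIFICATE or PUBLIC KEY block found")
    return {"anchors": anchors, "problems": problems}

def audit_trust_anchor_mode(st_mode, st_uid, st_gid, mail_owner_uid, mail_owner_gid):
    """Check os.stat()-style ownership and mode bits against the manual page's
    requirement that $mail_owner can read the file. The write-bit check is an
    added assumption of this example, not from the manual page: whoever can
    write the file chooses the trust anchors."""
    problems = []
    readable = (
        st_mode & stat.S_IROTH
        or (st_gid == mail_owner_gid and st_mode & stat.S_IRGRP)
        or (st_uid == mail_owner_uid and st_mode & stat.S_IRUSR)
    )
    if not readable:
        problems.append("not readable by $mail_owner")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    return problems

# Constructed samples: only the armour labels matter to this lint; the payloads
# are placeholders, not valid DER.
SAMPLE_GOOD = (
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN PUBLIC KEY-----\nMFkw...placeholder...\n-----END PUBLIC KEY-----\n"
)
SAMPLE_BAD = SAMPLE_GOOD + (
    "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
    "-----BEGIN X509 CRL-----\nMIIB...placeholder...\n-----END X509 CRL-----\n"
)

if __name__ == "__main__":
    print(audit_trust_anchor_pem(SAMPLE_GOOD))
    print(audit_trust_anchor_pem(SAMPLE_BAD))
    # Real use: st = os.stat(path); audit_trust_anchor_mode(st.st_mode, st.st_uid, st.st_gid, uid, gid)
```

Run it against the file named in smtp_tls_trust_anchor_file (or each "tafile") from the same host that runs the SMTP client, so that a chroot or ownership mismatch shows up before mail is deferred.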
8451
8452 smtp_tls_verify_cert_match (default: hostname)
8453 How the Postfix SMTP client verifies the server certificate peername
8454 for the "verify" TLS security level. In a "verify" TLS policy table
8455 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
8456 this main.cf setting.
8457
8458 This parameter specifies one or more patterns or strategies separated
8459 by commas, whitespace or colons. In the policy table the only valid
8460 separator is the colon character.
8461
8462 Patterns specify domain names, or domain name suffixes:
8463
8464 example.com
8465 Match the example.com domain, i.e. one of the names in the server
8466 certificate must be example.com. Upper and lower case distinctions
8467 are ignored.
8468
8469 .example.com
8470 Match subdomains of the example.com domain, i.e. match a name in
8471 the server certificate that consists of a non-zero number of
8472 labels followed by a .example.com suffix. Case distinctions are
8473 ignored.
8474
8475 Strategies specify a transformation from the next-hop domain to the
8476 expected name in the server certificate:
8477
8478 nexthop
8479 Match against the next-hop domain, which is either the recipient
8480 domain, or the transport next-hop configured for the domain
8481 stripped of any optional socket type prefix, enclosing square
8482 brackets and trailing port. When MX lookups are not suppressed,
8483 this is the original nexthop domain prior to the MX lookup, not
8484 the result of the MX lookup. For LMTP delivery via UNIX-domain
8485 sockets, the verified next-hop name is $myhostname. This strat‐
8486 egy is suitable for use with the "secure" policy. Case is
8487 ignored.
8488
8489 dot-nexthop
8490 As above, but match server certificate names that are subdomains
8491 of the next-hop domain. Case is ignored.
8492
8493 hostname
8494 Match against the hostname of the server, often obtained via an
8495 unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
8496 sockets, the verified name is $myhostname. This matches the ver‐
8497 ification strategy of the "MUST" keyword in the obsolete
8498 smtp_tls_per_site table, and is suitable for use with the "ver‐
8499 ify" security level. When the next-hop name is enclosed in
8500 square brackets to suppress MX lookups, the "hostname" strategy
8501 is the same as the "nexthop" strategy. Case is ignored.
8502
8503 Sample main.cf setting:
8504
8505 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8506
8507 Sample policy table override:
8508
8509 example.com verify match=hostname:nexthop
8510 .example.com verify match=example.com:.example.com:hostname
8511
8512 This feature is available in Postfix 2.3 and later.
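
Added example (Python, not from the Postfix documentation or source): a model of the pattern and strategy rules above. It normalizes a next-hop the way the "nexthop" strategy describes (socket-type prefix, enclosing [], trailing port), treats ".domain" as a suffix that needs at least one label in front of it, collapses "hostname" to "nexthop" when the next-hop is bracketed, and uses $myhostname for a unix: socket. Wildcard certificate names and the TLS handshake itself are left out, and the default $myhostname value "mta.example.invalid" is an assumption of this example.

```python
import re

def normalize_nexthop(nexthop, myhostname):
    """Reduce a transport next-hop to the name the "nexthop" strategy compares
    against: drop an optional socket-type prefix, enclosing [] and a trailing
    :port. Returns (name, mx_suppressed). For LMTP over a unix: socket the
    verified name is $myhostname."""
    s = nexthop
    if s.startswith("unix:"):
        return myhostname.lower(), True
    if s.startswith("inet:"):
        s = s[len("inet:"):]
    mx_suppressed = s.startswith("[")
    if mx_suppressed:
        s = s[1:s.index("]")]
    elif ":" in s:
        s = s.rpartition(":")[0]
    return s.lower(), mx_suppressed

def split_match_list(spec, policy_table=False):
    """main.cf allows commas, whitespace or colons as separators; inside a
    policy-table "match=" attribute only the colon is valid."""
    parts = spec.split(":") if policy_table else re.split(r"[\s,:]+", spec)
    return [p for p in parts if p]

def expected_names(spec, nexthop, server_hostname, myhostname, policy_table=False):
    """Expand patterns and strategies to ("exact", name) / ("suffix", .name)."""
    domain, mx_suppressed = normalize_nexthop(nexthop, myhostname)
    # With [] the MX lookup is skipped, so "hostname" collapses to "nexthop".
    hostname = domain if mx_suppressed else server_hostname.lower()
    out = []
    for item in split_match_list(spec, policy_table):
        if item == "nexthop":
            out.append(("exact", domain))
        elif item == "dot-nexthop":
            out.append(("suffix", "." + domain))
        elif item == "hostname":
            out.append(("exact", hostname))
        elif item.startswith("."):
            out.append(("suffix", item.lower()))
        else:
            out.append(("exact", item.lower()))
    return out

def cert_name_matches(cert_names, spec, nexthop, server_hostname,
                      myhostname="mta.example.invalid", policy_table=False):
    """True when some name in the server certificate satisfies some pattern or
    strategy. A suffix needs at least one label in front of it. Case is ignored."""
    names = [n.lower() for n in cert_names]
    for kind, want in expected_names(spec, nexthop, server_hostname, myhostname, policy_table):
        for name in names:
            if kind == "exact" and name == want:
                return True
            if kind == "suffix" and name.endswith(want) and len(name) > len(want):
                return True
    return False

if __name__ == "__main__":
    # Recipient domain example.com; the MX host comes from an unauthenticated DNS
    # lookup, so "hostname" accepts whatever name the DNS answer pointed at.
    print(cert_name_matches(["mx1.attacker.example"], "hostname",
                            "example.com", "mx1.attacker.example"))          # True
    print(cert_name_matches(["mx1.attacker.example"], "nexthop:dot-nexthop",
                            "example.com", "mx1.attacker.example", policy_table=True))  # False
```

The last two calls are the reason the text pairs "hostname" with the "verify" level and "nexthop" with "secure": a forged MX answer changes the name that "hostname" checks, but not the next-hop domain.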
8513
8514 smtp_tls_wrappermode (default: no)
8515 Request that the Postfix SMTP client connect using the legacy SMTPS
8516 protocol (TLS negotiated before any SMTP command is sent) instead of using the STARTTLS command.
8517
8518 This mode requires "smtp_tls_security_level = encrypt" or stronger.
8519
8520 Example: deliver all remote mail via a provider's server "mail.exam‐
8521 ple.com".
8522
8523 /etc/postfix/main.cf:
8524 # Client-side SMTPS requires "encrypt" or stronger.
8525 smtp_tls_security_level = encrypt
8526 smtp_tls_wrappermode = yes
8527 # The [] suppress MX lookups.
8528 relayhost = [mail.example.com]:465
8529
8530 More examples are in TLS_README, including examples for older Postfix
8531 versions.
8532
8533 This feature is available in Postfix 3.0 and later.
8534
8535 smtp_use_tls (default: no)
8536 Opportunistic mode: use TLS when a remote SMTP server announces START‐
8537 TLS support, otherwise send the mail in the clear. Beware: some SMTP
8538 servers offer STARTTLS even if it is not configured. With Postfix <
8539 2.3, if the TLS handshake fails, and no other server is available,
8540 delivery is deferred and mail stays in the queue. If this is a concern
8541 for you, use the smtp_tls_per_site feature instead.
8542
8543 This feature is available in Postfix 2.2 and later. With Postfix 2.3
8544 and later use smtp_tls_security_level instead.
8545
8546 smtp_xforward_timeout (default: 300s)
8547 The Postfix SMTP client time limit for sending the XFORWARD command,
8548 and for receiving the remote SMTP server response.
8549
8550 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
8551 The default time unit is s (seconds).
8552
8553 This feature is available in Postfix 2.1 and later.
8554
8555 smtpd_authorized_verp_clients (default: $authorized_verp_clients)
8556 What remote SMTP clients are allowed to specify the XVERP command.
8557 This command requests that mail be delivered one recipient at a time
8558 with a per recipient return address.
8559
8560 By default, no clients are allowed to specify XVERP.
8561
8562 This parameter was renamed with Postfix version 2.1. The default value
8563 is backwards compatible with Postfix version 2.0.
8564
8565 Specify a list of network/netmask patterns, separated by commas and/or
8566 whitespace. The mask specifies the number of bits in the network part
8567 of a host address. You can also specify hostnames or .domain names (the
8568 initial dot causes the domain to match any name below it),
8569 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8570 replaced by its contents; a "type:table" lookup table is matched when a
8571 table entry matches a lookup string (the lookup result is ignored).
8572 Continue long lines by starting the next line with whitespace. Specify
8573 "!pattern" to exclude an address or network block from the list. The
8574 form "!/file/name" is supported only in Postfix version 2.4 and later.
8575
8576 Note: IP version 6 address information must be specified inside [] in
8577 the smtpd_authorized_verp_clients value, and in files specified with
8578 "/file/name". IP version 6 addresses contain the ":" character, and
8579 would otherwise be confused with a "type:table" pattern.
8580
8581 smtpd_authorized_xclient_hosts (default: empty)
8582 What remote SMTP clients are allowed to use the XCLIENT feature. This
8583 command overrides remote SMTP client information that is used for
8584 access control. Typical use is for SMTP-based content filters, fetch‐
8585 mail-like programs, or SMTP server access rule testing. See the
8586 XCLIENT_README document for details.
8587
8588 This feature is available in Postfix 2.1 and later.
8589
8590 By default, no clients are allowed to specify XCLIENT.
8591
8592 Specify a list of network/netmask patterns, separated by commas and/or
8593 whitespace. The mask specifies the number of bits in the network part
8594 of a host address. You can also specify hostnames or .domain names (the
8595 initial dot causes the domain to match any name below it),
8596 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8597 replaced by its contents; a "type:table" lookup table is matched when a
8598 table entry matches a lookup string (the lookup result is ignored).
8599 Continue long lines by starting the next line with whitespace. Specify
8600 "!pattern" to exclude an address or network block from the list. The
8601 form "!/file/name" is supported only in Postfix version 2.4 and later.
8602
8603 Note: IP version 6 address information must be specified inside [] in
8604 the smtpd_authorized_xclient_hosts value, and in files specified with
8605 "/file/name". IP version 6 addresses contain the ":" character, and
8606 would otherwise be confused with a "type:table" pattern.
8607
8608 smtpd_authorized_xforward_hosts (default: empty)
8609 What remote SMTP clients are allowed to use the XFORWARD feature. This
8610 command forwards information that is used to improve logging after
8611 SMTP-based content filters. See the XFORWARD_README document for
8612 details.
8613
8614 This feature is available in Postfix 2.1 and later.
8615
8616 By default, no clients are allowed to specify XFORWARD.
8617
8618 Specify a list of network/netmask patterns, separated by commas and/or
8619 whitespace. The mask specifies the number of bits in the network part
8620 of a host address. You can also specify hostnames or .domain names (the
8621 initial dot causes the domain to match any name below it),
8622 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8623 replaced by its contents; a "type:table" lookup table is matched when a
8624 table entry matches a lookup string (the lookup result is ignored).
8625 Continue long lines by starting the next line with whitespace. Specify
8626 "!pattern" to exclude an address or network block from the list. The
8627 form "!/file/name" is supported only in Postfix version 2.4 and later.
8628
8629 Note: IP version 6 address information must be specified inside [] in
8630 the smtpd_authorized_xforward_hosts value, and in files specified with
8631 "/file/name". IP version 6 addresses contain the ":" character, and
8632 would otherwise be confused with a "type:table" pattern.
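
Added example (Python, not Postfix code) of the network/netmask list syntax shared by smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts and smtpd_authorized_xforward_hosts (and, via mynetworks, smtpd_client_event_limit_exceptions below). It walks the patterns in order with the first match deciding, honours "!pattern" exclusions, expands a "/file/name" from an in-memory dict that stands in for the filesystem, and reproduces the note above: an IPv6 address written without [] is read as a "type:table" pattern and never matches an address. "type:table" lookups themselves are not modelled. The sample list and file contents are constructed.

```python
import ipaddress
import re

def _expand(patterns, file_contents):
    """Replace "/file/name" entries by the patterns in that file (one per line,
    '#' comments allowed), carrying over a leading '!' from the reference.
    file_contents is a dict that stands in for the filesystem."""
    for pat in patterns:
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        if body.startswith("/"):
            for line in file_contents.get(body, "").splitlines():
                line = line.strip()
                if line and not line.startswith("#"):
                    yield "!" + line if negate else line
        else:
            yield pat

def _pattern_matches(pat, ip, hostname):
    """One pattern (leading '!' already removed) against a client."""
    if pat.startswith("["):                      # [ipv6]/prefix or [ipv6]
        addr, _, mask = pat[1:].partition("]")
        return ip in ipaddress.ip_network(addr + mask, strict=False)
    if ":" in pat:
        # Read as "type:table". An IPv6 address written without [] lands here
        # and therefore never matches as an address. Tables are not modelled.
        return False
    if pat.startswith("."):                      # .domain: any name below it
        return hostname != "" and hostname.endswith(pat.lower())
    try:                                         # a.b.c.d or a.b.c.d/bits
        return ip in ipaddress.ip_network(pat, strict=False)
    except ValueError:                           # otherwise a hostname
        return hostname != "" and hostname == pat.lower()

def client_matches(list_value, client_ip, client_hostname="", file_contents=None):
    """Evaluate a network/netmask pattern list for one client. Patterns are
    tried in order and the first match decides, so "!pattern" must come before
    the broader pattern it carves a hole in. Pass "" as hostname when the
    client's reverse name is unverified; only the address is matched then."""
    ip = ipaddress.ip_address(client_ip)
    hostname = client_hostname.lower()
    raw = [p for p in re.split(r"[\s,]+", list_value) if p]
    for pat in _expand(raw, file_contents or {}):
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if _pattern_matches(pat, ip, hostname):
            return not negate
    return False

# Constructed sample policy and file contents (not from a real installation).
XCLIENT_HOSTS = ("127.0.0.0/8, [::1]/128, !10.0.5.0/24, 10.0.0.0/8, "
                 ".filter.example.com, /etc/postfix/xclient_hosts")
FILES = {"/etc/postfix/xclient_hosts": "# content-filter relays\n192.0.2.10\n[2001:db8::]/32\n"}

if __name__ == "__main__":
    for ip, name in (("10.1.2.3", ""), ("10.0.5.9", ""), ("2001:db8:1::5", ""),
                     ("198.51.100.7", "fm1.filter.example.com")):
        print(ip, name or "unknown", client_matches(XCLIENT_HOSTS, ip, name, FILES))
    # Pitfall from the note above: unbracketed IPv6 is a "type:table" pattern.
    print(client_matches("2001:db8::/32", "2001:db8::1"))
```

Note that 10.0.5.9 is refused only because "!10.0.5.0/24" precedes "10.0.0.0/8"; with the two swapped, the /8 would match first and the exclusion would never be reached.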
8633
8634 smtpd_banner (default: $myhostname ESMTP $mail_name)
8635 The text that follows the 220 status code in the SMTP greeting banner.
8636 Some people like to see the mail version advertised. By default, Postfix
8637 shows no version. Advertising it tells every connecting client which release you run, so leave it out unless you have a reason to show it.
8638
8639 You MUST specify $myhostname at the start of the text. This is required
8640 by the SMTP protocol.
8641
8642 Example:
8643
8644 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
8645
8646 smtpd_client_auth_rate_limit (default: 0)
8647 The maximal number of AUTH commands that any client is allowed to send
8648 to this service per time unit, regardless of whether or not Postfix
8649 actually accepts those commands. The time unit is specified with the
8650 anvil_rate_time_unit configuration parameter.
8651
8652 By default, there is no limit on the number of AUTH commands that a
8653 client may send.
8654
8655 To disable this feature, specify a limit of 0.
8656
8657 WARNING: The purpose of this feature is to limit abuse. It must not be
8658 used to regulate legitimate mail traffic.
8659
8660 This feature is available in Postfix 3.1 and later.
8661
8662 smtpd_client_connection_count_limit (default: 50)
8663 How many simultaneous connections any client is allowed to make to this
8664 service. By default, the limit is set to half the default process
8665 limit value.
8666
8667 To disable this feature, specify a limit of 0.
8668
8669 WARNING: The purpose of this feature is to limit abuse. It must not be
8670 used to regulate legitimate mail traffic.
8671
8672 This feature is available in Postfix 2.2 and later.
8673
8674 smtpd_client_connection_rate_limit (default: 0)
8675 The maximal number of connection attempts any client is allowed to make
8676 to this service per time unit. The time unit is specified with the
8677 anvil_rate_time_unit configuration parameter.
8678
8679 By default, a client can make as many connections per time unit as
8680 Postfix can accept.
8681
8682 To disable this feature, specify a limit of 0.
8683
8684 WARNING: The purpose of this feature is to limit abuse. It must not be
8685 used to regulate legitimate mail traffic.
8686
8687 This feature is available in Postfix 2.2 and later.
8688
8689 Example:
8690
8691 smtpd_client_connection_rate_limit = 1000
8692
8693 smtpd_client_event_limit_exceptions (default: $mynetworks)
8694 Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
8695 tions. See the mynetworks parameter description for the parameter value
8696 syntax.
8697
8698 By default, clients in trusted networks are excluded. Specify a list of
8699 network blocks, hostnames or .domain names (the initial dot causes the
8700 domain to match any name below it).
8701
8702 Note: IP version 6 address information must be specified inside [] in
8703 the smtpd_client_event_limit_exceptions value, and in files specified
8704 with "/file/name". IP version 6 addresses contain the ":" character,
8705 and would otherwise be confused with a "type:table" pattern.
8706
8707 Pattern matching of domain names is controlled by the presence or
8708 absence of "smtpd_client_event_limit_exceptions" in the
8709 parent_domain_matches_subdomains parameter value (Postfix 3.0 and later).
8710
8711 This feature is available in Postfix 2.2 and later.
8712
8713 smtpd_client_message_rate_limit (default: 0)
8714 The maximal number of message delivery requests that any client is
8715 allowed to make to this service per time unit, regardless of whether or
8716 not Postfix actually accepts those messages. The time unit is speci‐
8717 fied with the anvil_rate_time_unit configuration parameter.
8718
8719 By default, a client can send as many message delivery requests per
8720 time unit as Postfix can accept.
8721
8722 To disable this feature, specify a limit of 0.
8723
8724 WARNING: The purpose of this feature is to limit abuse. It must not be
8725 used to regulate legitimate mail traffic.
8726
8727 This feature is available in Postfix 2.2 and later.
8728
8729 Example:
8730
8731 smtpd_client_message_rate_limit = 1000
8732
8733 smtpd_client_new_tls_session_rate_limit (default: 0)
8734 The maximal number of new (i.e., uncached) TLS sessions that a remote
8735 SMTP client is allowed to negotiate with this service per time unit.
8736 The time unit is specified with the anvil_rate_time_unit configuration
8737 parameter.
8738
8739 By default, a remote SMTP client can negotiate as many new TLS sessions
8740 per time unit as Postfix can accept.
8741
8742 To disable this feature, specify a limit of 0. Otherwise, specify a
8743 limit that is at least the per-client concurrent session limit, or else
8744 legitimate client sessions may be rejected.
8745
8746 WARNING: The purpose of this feature is to limit abuse. It must not be
8747 used to regulate legitimate mail traffic.
8748
8749 This feature is available in Postfix 2.3 and later.
8750
8751 Example:
8752
8753 smtpd_client_new_tls_session_rate_limit = 100
8754
8755 smtpd_client_port_logging (default: no)
8756 Enable logging of the remote SMTP client port in addition to the host‐
8757 name and IP address. The logging format is "host[address]:port".
8758
8759 This feature is available in Postfix 2.5 and later.
8760
8761 smtpd_client_recipient_rate_limit (default: 0)
8762 The maximal number of recipient addresses that any client is allowed to
8763 send to this service per time unit, regardless of whether or not Post‐
8764 fix actually accepts those recipients. The time unit is specified with
8765 the anvil_rate_time_unit configuration parameter.
8766
8767 By default, a client can send as many recipient addresses per time unit
8768 as Postfix can accept.
8769
8770 To disable this feature, specify a limit of 0.
8771
8772 WARNING: The purpose of this feature is to limit abuse. It must not be
8773 used to regulate legitimate mail traffic.
8774
8775 This feature is available in Postfix 2.2 and later.
8776
8777 Example:
8778
8779 smtpd_client_recipient_rate_limit = 1000
8780
8781 smtpd_client_restrictions (default: empty)
8782 Optional restrictions that the Postfix SMTP server applies in the con‐
8783 text of a client connection request. See SMTPD_ACCESS_README, section
8784 "Delayed evaluation of SMTP access restriction lists" for a discussion
8785 of evaluation context and time.
8786
8787 The default is to allow all connection requests.
8788
8789 Specify a list of restrictions, separated by commas and/or whitespace.
8790 Continue long lines by starting the next line with whitespace.
8791 Restrictions are applied in the order as specified; the first restric‐
8792 tion that matches wins.
8793
8794 The following restrictions are specific to client hostname or client
8795 network address information.
8796
8797 check_ccert_access type:table
8798 By default use the remote SMTP client certificate fingerprint or
8799 the public key fingerprint (Postfix 2.9 and later) as lookup key
8800 for the specified access(5) database; with Postfix version 2.2,
8801 also require that the remote SMTP client certificate is verified
8802 successfully. The fingerprint digest algorithm is configurable
8803 via the smtpd_tls_fingerprint_digest parameter (hard-coded as
8804 md5 prior to Postfix version 2.5). This feature requires
8805 "smtpd_tls_ask_ccert = yes" and is available with Postfix ver‐
8806 sion 2.2 and later.
8807 Alternatively, check_ccert_access accepts an explicit search
8808 order (Postfix 3.5 and later). The default search order as
8809 described above corresponds with:
8810 check_ccert_access { type:table, { search_order = cert_fingerprint,
8811 pubkey_fingerprint } }
8812 The commas are optional.
8813
8814 check_client_access type:table
8815 Search the specified access database for the client hostname,
8816 parent domains, client IP address, or networks obtained by
8817 stripping least significant octets. See the access(5) manual
8818 page for details.
8819
8820 check_client_a_access type:table
8821 Search the specified access(5) database for the IP addresses for
8822 the client hostname, and execute the corresponding action.
8823 Note: a result of "OK" is not allowed for safety reasons.
8824 Instead, use DUNNO in order to exclude specific hosts from
8825 blacklists. This feature is available in Postfix 3.0 and later.
8826
8827 check_client_mx_access type:table
8828 Search the specified access(5) database for the MX hosts for the
8829 client hostname, and execute the corresponding action. Note: a
8830 result of "OK" is not allowed for safety reasons. Instead, use
8831 DUNNO in order to exclude specific hosts from blacklists. This
8832 feature is available in Postfix 2.7 and later.
8833
8834 check_client_ns_access type:table
8835 Search the specified access(5) database for the DNS servers for
8836 the client hostname, and execute the corresponding action.
8837 Note: a result of "OK" is not allowed for safety reasons.
8838 Instead, use DUNNO in order to exclude specific hosts from
8839 blacklists. This feature is available in Postfix 2.7 and later.
8840
8841 check_reverse_client_hostname_access type:table
8842 Search the specified access database for the unverified reverse
8843 client hostname, parent domains, client IP address, or networks
8844 obtained by stripping least significant octets. See the
8845 access(5) manual page for details. Note: a result of "OK" is
8846 not allowed for safety reasons. Instead, use DUNNO in order to
8847 exclude specific hosts from blacklists. This feature is avail‐
8848 able in Postfix 2.6 and later.
8849
8850 check_reverse_client_hostname_a_access type:table
8851 Search the specified access(5) database for the IP addresses for
8852 the unverified reverse client hostname, and execute the corre‐
8853 sponding action. Note: a result of "OK" is not allowed for
8854 safety reasons. Instead, use DUNNO in order to exclude specific
8855 hosts from blacklists. This feature is available in Postfix 3.0
8856 and later.
8857
8858 check_reverse_client_hostname_mx_access type:table
8859 Search the specified access(5) database for the MX hosts for the
8860 unverified reverse client hostname, and execute the correspond‐
8861 ing action. Note: a result of "OK" is not allowed for safety
8862 reasons. Instead, use DUNNO in order to exclude specific hosts
8863 from blacklists. This feature is available in Postfix 2.7 and
8864 later.
8865
8866 check_reverse_client_hostname_ns_access type:table
8867 Search the specified access(5) database for the DNS servers for
8868 the unverified reverse client hostname, and execute the corre‐
8869 sponding action. Note: a result of "OK" is not allowed for
8870 safety reasons. Instead, use DUNNO in order to exclude specific
8871 hosts from blacklists. This feature is available in Postfix 2.7
8872 and later.
8873
8874 check_sasl_access type:table
8875 Use the remote SMTP client SASL user name as lookup key for the
8876 specified access(5) database. The lookup key has the form "user‐
8877 name@domainname" when the smtpd_sasl_local_domain parameter
8878 value is non-empty. Unlike the check_client_access feature,
8879 check_sasl_access does not perform matches of parent domains or
8880 IP subnet ranges. This feature is available with Postfix ver‐
8881 sion 2.11 and later.
8882
8883 permit_inet_interfaces
8884 Permit the request when the client IP address matches
8885 $inet_interfaces.
8886
8887 permit_mynetworks
8888 Permit the request when the client IP address matches any net‐
8889 work or network address listed in $mynetworks.
8890
8891 permit_sasl_authenticated
8892 Permit the request when the client is successfully authenticated
8893 via the RFC 4954 (AUTH) protocol.
8894
8895 permit_tls_all_clientcerts
8896 Permit the request when the remote SMTP client certificate is
8897 verified successfully. This option must be used only if a spe‐
8898 cial CA issues the certificates and only this CA is listed as
8899 trusted CA. Otherwise, clients with a third-party certificate
8900 would also be allowed to relay. Specify "tls_append_default_CA
8901 = no" when the trusted CA is specified with smtpd_tls_CAfile or
8902 smtpd_tls_CApath, to prevent Postfix from appending the sys‐
8903 tem-supplied default CAs. This feature requires
8904 "smtpd_tls_ask_ccert = yes" and is available with Postfix ver‐
8905 sion 2.2 and later.
8906
8907 permit_tls_clientcerts
8908 Permit the request when the remote SMTP client certificate fin‐
8909 gerprint or public key fingerprint (Postfix 2.9 and later) is
8910 listed in $relay_clientcerts. The fingerprint digest algorithm
8911 is configurable via the smtpd_tls_fingerprint_digest parameter
8912 (hard-coded as md5 prior to Postfix version 2.5). This feature
8913 requires "smtpd_tls_ask_ccert = yes" and is available with Post‐
8914 fix version 2.2 and later.
8915
8916 reject_rbl_client rbl_domain=d.d.d.d
8917 Reject the request when the reversed client network address is
8918 listed with the A record "d.d.d.d" under rbl_domain (Postfix
8919 version 2.1 and later only). Each "d" is a number, or a pattern
8920 inside "[]" that contains one or more ";"-separated numbers or
8921 number..number ranges (Postfix version 2.8 and later). If no
8922 "=d.d.d.d" is specified, reject the request when the reversed
8923 client network address is listed with any A record under
8924 rbl_domain.
8925 The maps_rbl_reject_code parameter specifies the response code
8926 for rejected requests (default: 554), the default_rbl_reply
8927 parameter specifies the default server reply, and the
8928 rbl_reply_maps parameter specifies tables with server replies
8929 indexed by rbl_domain. This feature is available in Postfix 2.0
8930 and later.
8931
8932 permit_dnswl_client dnswl_domain=d.d.d.d
8933 Accept the request when the reversed client network address is
8934 listed with the A record "d.d.d.d" under dnswl_domain. Each "d"
8935 is a number, or a pattern inside "[]" that contains one or more
8936 ";"-separated numbers or number..number ranges. If no
8937 "=d.d.d.d" is specified, accept the request when the reversed
8938 client network address is listed with any A record under
8939 dnswl_domain.
8940 For safety, permit_dnswl_client is silently ignored when it
8941 would override reject_unauth_destination. The result is
8942 DEFER_IF_REJECT when whitelist lookup fails. This feature is
8943 available in Postfix 2.8 and later.
8944
8945 reject_rhsbl_client rbl_domain=d.d.d.d
8946 Reject the request when the client hostname is listed with the A
8947 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
8948 only). Each "d" is a number, or a pattern inside "[]" that con‐
8949 tains one or more ";"-separated numbers or number..number ranges
8950 (Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
8951 reject the request when the client hostname is listed with any A
8952 record under rbl_domain. See the reject_rbl_client description
8953 above for additional RBL related configuration parameters. This
8954 feature is available in Postfix 2.0 and later; with Postfix ver‐
8955 sion 2.8 and later, reject_rhsbl_reverse_client will usually
8956 produce better results.
8957
8958 permit_rhswl_client rhswl_domain=d.d.d.d
8959 Accept the request when the client hostname is listed with the A
8960 record "d.d.d.d" under rhswl_domain. Each "d" is a number, or a
8961 pattern inside "[]" that contains one or more ";"-separated num‐
8962 bers or number..number ranges. If no "=d.d.d.d" is specified,
8963 accept the request when the client hostname is listed with any A
8964 record under rhswl_domain.
8965 Caution: client name whitelisting is fragile, since the client
8966 name lookup can fail due to temporary outages. Client name
8967 whitelisting should be used only to reduce false positives in
8968 e.g. DNS-based blocklists, and not for making access rule
8969 exceptions.
8970 For safety, permit_rhswl_client is silently ignored when it
8971 would override reject_unauth_destination. The result is
8972 DEFER_IF_REJECT when whitelist lookup fails. This feature is
8973 available in Postfix 2.8 and later.
8974
8975 reject_rhsbl_reverse_client rbl_domain=d.d.d.d
8976 Reject the request when the unverified reverse client hostname
8977 is listed with the A record "d.d.d.d" under rbl_domain. Each
8978 "d" is a number, or a pattern inside "[]" that contains one or
8979 more ";"-separated numbers or number..number ranges. If no
8980 "=d.d.d.d" is specified, reject the request when the unverified
8981 reverse client hostname is listed with any A record under
8982 rbl_domain. See the reject_rbl_client description above for
8983 additional RBL related configuration parameters. This feature
8984 is available in Postfix 2.8 and later.
8985
8986 reject_unknown_client_hostname (with Postfix < 2.3:
8987 reject_unknown_client)
8988 Reject the request when 1) the client IP address->name mapping
8989 fails, or 2) the name->address mapping fails, or 3) the
8990 name->address mapping does not match the client IP address.
8991 This is a stronger restriction than the
8992 reject_unknown_reverse_client_hostname feature, which triggers
8993 only under condition 1) above.
8994 The unknown_client_reject_code parameter specifies the response
8995 code for rejected requests (default: 450). The reply is always
8996 450 in case the address->name or name->address lookup failed due
8997 to a temporary problem.
8998
8999 reject_unknown_reverse_client_hostname
9000 Reject the request when the client IP address has no
9001 address->name mapping.
9002 This is a weaker restriction than the
9003 reject_unknown_client_hostname feature, which requires not only
9004 that the address->name and name->address mappings exist, but
9005 also that the two mappings reproduce the client IP address.
9006 The unknown_client_reject_code parameter specifies the response
9007 code for rejected requests (default: 450). The reply is always
9008 450 in case the address->name lookup failed due to a temporary
9009 problem.
9010 This feature is available in Postfix 2.3 and later.
9011
9012 In addition, you can use any of the following generic restrictions.
9013 These restrictions are applicable in any SMTP command context.
9014
9015 check_policy_service servername
9016 Query the specified policy server. See the SMTPD_POLICY_README
9017 document for details. This feature is available in Postfix 2.1
9018 and later.
9019
9020 defer Defer the request. The client is told to try again later. This
9021 restriction is useful at the end of a restriction list, to make
9022 the default policy explicit.
9023 The defer_code parameter specifies the SMTP server reply code
9024 (default: 450).
9025
9026 defer_if_permit
9027 Defer the request if some later restriction would result in an
9028 explicit or implicit PERMIT action. This is useful when a
9029 blacklisting feature fails due to a temporary problem. This
9030 feature is available in Postfix version 2.1 and later.
9031
9032 defer_if_reject
9033 Defer the request if some later restriction would result in a
9034 REJECT action. This is useful when a whitelisting feature fails
9035 due to a temporary problem. This feature is available in Post‐
9036 fix version 2.1 and later.
9037
9038 permit Permit the request. This restriction is useful at the end of a
9039 restriction list, to make the default policy explicit.
9040
9041 reject_multi_recipient_bounce
9042 Reject the request when the envelope sender is the null address,
9043 and the message has multiple envelope recipients. This usage has
9044 rare but legitimate applications: under certain conditions,
9045 multi-recipient mail that was posted with the DSN option
9046 NOTIFY=NEVER may be forwarded with the null sender address.
9047 Note: this restriction can only work reliably when used in
9048 smtpd_data_restrictions or smtpd_end_of_data_restrictions,
9049 because the total number of recipients is not known at an ear‐
9050 lier stage of the SMTP conversation. Use at the RCPT stage will
9051 only reject the second etc. recipient.
9052 The multi_recipient_bounce_reject_code parameter specifies the
9053 response code for rejected requests (default: 550). This fea‐
9054 ture is available in Postfix 2.1 and later.
9055
9056 reject_plaintext_session
9057 Reject the request when the connection is not encrypted. This
9058 restriction should not be used before the client has had a
9059 chance to negotiate encryption with the AUTH or STARTTLS com‐
9060 mands.
9061 The plaintext_reject_code parameter specifies the response code
9062 for rejected requests (default: 450). This feature is avail‐
9063 able in Postfix 2.3 and later.
9064
9065 reject_unauth_pipelining
9066 Reject the request when the client sends SMTP commands ahead of
9067 time where it is not allowed, or when the client sends SMTP com‐
9068 mands ahead of time without knowing that Postfix actually sup‐
9069 ports ESMTP command pipelining. This stops mail from bulk mail
9070 software that improperly uses ESMTP command pipelining in order
9071 to speed up deliveries.
9072 With Postfix 2.6 and later, the SMTP server sets a per-session
9073 flag whenever it detects illegal pipelining, including pipelined
9074 HELO or EHLO commands. The reject_unauth_pipelining feature sim‐
9075 ply tests whether the flag was set at any point in time during
9076 the session.
9077 With older Postfix versions, reject_unauth_pipelining checks the
9078 current status of the input read queue, and its usage is not
9079 recommended in contexts other than smtpd_data_restrictions.
9080
9081 reject Reject the request. This restriction is useful at the end of a
9082 restriction list, to make the default policy explicit. The
9083 reject_code configuration parameter specifies the response code
9084 for rejected requests (default: 554).
9085
9086 sleep seconds
9087 Pause for the specified number of seconds and proceed with the
9088 next restriction in the list, if any. This may stop zombie mail
9089 when used as:
9090 /etc/postfix/main.cf:
9091 smtpd_client_restrictions =
9092 sleep 1, reject_unauth_pipelining
9093 smtpd_delay_reject = no
9094 This feature is available in Postfix 2.3 and later.
9095
9096 warn_if_reject
9097 A safety net for testing. When "warn_if_reject" is placed before
9098 a reject-type restriction, access table query, or check_pol‐
9099 icy_service query, this logs a "reject_warning" message instead
9100 of rejecting a request (when a reject-type restriction fails due
9101 to a temporary error, this logs a "reject_warning" message for
9102 any implicit "defer_if_permit" actions that would normally pre‐
9103 vent mail from being accepted by some later access restriction).
9104 This feature has no effect on defer_if_reject restrictions.
9105
9106 Other restrictions that are valid in this context:
9107
9108 · SMTP command specific restrictions that are described under the
9109 smtpd_helo_restrictions, smtpd_sender_restrictions or
9110 smtpd_recipient_restrictions parameters. When helo, sender or
9111 recipient restrictions are listed under smtpd_client_restric‐
9112 tions, they have effect only with "smtpd_delay_reject = yes", so
9113 that $smtpd_client_restrictions is evaluated at the time of the
9114 RCPT TO command.
9115
9116 Example:
9117
9118 smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
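
Added example (Python, not Postfix code): the DNS logic behind reject_unknown_reverse_client_hostname, reject_unknown_client_hostname and reject_rbl_client (permit_dnswl_client uses the same query name and "d.d.d.d" syntax), run against a constructed in-memory DNS table instead of a resolver. It shows the three failure conditions listed above, the reversed-address query name for IPv4 and IPv6, the "[...]" number and range patterns, and how a temporary lookup failure in a reject-type restriction becomes an implicit defer_if_permit instead of a reject. All names, addresses and the list domains rbl.example and slow.example are constructed.

```python
import ipaddress
import re

# Constructed DNS data standing in for the resolver (not real hosts). A missing
# key means "no such record"; the string "TEMPFAIL" models SERVFAIL/timeout.
DNS = {
    "PTR": {
        "192.0.2.10": ["mx1.example.net"],      # forward-confirmed
        "192.0.2.20": ["bogus.example.org"],    # name exists, forward mismatch
        "192.0.2.30": "TEMPFAIL",
        "192.0.2.40": ["gone.example"],         # name has no A record
    },
    "A": {
        "mx1.example.net": ["192.0.2.10"],
        "bogus.example.org": ["198.51.100.1"],
        "99.2.0.192.rbl.example": ["127.0.0.4"],
        "99.2.0.192.slow.example": "TEMPFAIL",
        "3" + ".0" * 23 + ".8.b.d.0.1.0.0.2.rbl.example": ["127.0.0.11"],
    },
}

def lookup(rrtype, name):
    return DNS[rrtype].get(name)

def unknown_client_status(client_ip, resolver=lookup):
    """Classify a client address for the two reject_unknown_* restrictions:
    "no_reverse" (condition 1), "no_forward" (2), "mismatch" (3), "ok", or
    "tempfail" when a lookup failed temporarily (always replied with 450)."""
    names = resolver("PTR", client_ip)
    if names == "TEMPFAIL":
        return "tempfail"
    if not names:
        return "no_reverse"
    saw_forward = False
    for name in names:
        addrs = resolver("A", name)
        if addrs == "TEMPFAIL":
            return "tempfail"
        if addrs:
            saw_forward = True
            if client_ip in addrs:
                return "ok"
    return "mismatch" if saw_forward else "no_forward"

def reject_unknown_reverse_client_hostname(client_ip, resolver=lookup):
    """Triggers only on condition 1 (or a temporary failure)."""
    return unknown_client_status(client_ip, resolver) in ("no_reverse", "tempfail")

def reject_unknown_client_hostname(client_ip, resolver=lookup):
    """Triggers on any of conditions 1-3 (or a temporary failure)."""
    return unknown_client_status(client_ip, resolver) != "ok"

def rbl_query_name(client_ip, rbl_domain):
    """DNSBL/DNSWL query name: IPv4 octets reversed, IPv6 expanded to 32
    nibbles and reversed, followed by the list domain."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + rbl_domain

def _field_matches(value, field):
    """One "d" of d.d.d.d: a number, or [..] with ";"-separated numbers and
    number..number ranges."""
    if not (field.startswith("[") and field.endswith("]")):
        return value == int(field)
    for part in field[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def rbl_reply_matches(reply_ip, pattern):
    """Compare an A record such as 127.0.0.4 with a d.d.d.d pattern. Dots inside
    [...] belong to ranges, so brackets are kept intact when splitting."""
    fields = re.findall(r"\[[^\]]*\]|[^.]+", pattern)
    octets = [int(o) for o in reply_ip.split(".")]
    return len(fields) == 4 and all(_field_matches(o, f) for o, f in zip(octets, fields))

def reject_rbl_client(client_ip, argument, resolver=lookup):
    """Evaluate "reject_rbl_client rbl_domain[=d.d.d.d]" for one client. Returns
    "reject", "dunno", or "defer_if_permit" (a temporary lookup failure in a
    reject-type restriction; see the warn_if_reject description above)."""
    rbl_domain, _, pattern = argument.partition("=")
    replies = resolver("A", rbl_query_name(client_ip, rbl_domain))
    if replies == "TEMPFAIL":
        return "defer_if_permit"
    if not replies:
        return "dunno"
    if not pattern or any(rbl_reply_matches(r, pattern) for r in replies):
        return "reject"
    return "dunno"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "203.0.113.9"):
        print(ip, unknown_client_status(ip))
    print(reject_rbl_client("192.0.2.99", "rbl.example=127.0.0.[2..11]"))
```

The "=d.d.d.d" filter matters in practice: lists that encode different reasons in the last octet would otherwise be matched on every reply, and a list that starts returning 127.0.0.1 for every query (as lapsed or decommissioned zones sometimes do) would then reject all mail.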
9119
9120 smtpd_command_filter (default: empty)
9121 A mechanism to transform commands from remote SMTP clients. This is a
9122 last-resort tool to work around client commands that break interoper‐
9123 ability with the Postfix SMTP server. Other uses involve fault injec‐
9124 tion to test Postfix's handling of invalid commands.
9125
9126 Specify the name of a "type:table" lookup table. The search string is
9127 the SMTP command as received from the remote SMTP client, except that
9128 initial whitespace and the trailing <CR><LF> are removed. The result
9129 value is executed by the Postfix SMTP server.
9130
9131 There is no need to use smtpd_command_filter for the following cases:
9132
9133 · Use "resolve_numeric_domain = yes" to accept "user@ipaddress".
9134
9135 · Postfix already accepts the correct form "user@[ipaddress]". Use
9136 virtual_alias_maps or canonical_maps to translate these into
9137 domain names if necessary.
9138
9139 · Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
9140 <user@example.com>>". Postfix will ignore the "User Name" part
9141 and deliver to the <user@example.com> address.
9142
9143 Examples of problems that can be solved with the smtpd_command_filter
9144 feature:
9145
9146 /etc/postfix/main.cf:
9147 smtpd_command_filter = pcre:/etc/postfix/command_filter
9148
9149 /etc/postfix/command_filter:
9150 # Work around clients that send malformed HELO commands.
9151 /^HELO\s*$/ HELO domain.invalid
9152
9153 # Work around clients that send empty lines.
9154 /^\s*$/ NOOP
9155
9156 # Work around clients that send RCPT TO:<'user@domain'>.
9157 # WARNING: do not lose the parameters that follow the address.
9158 /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/ $1$2$3
9159
9160 # Append XVERP to MAIL FROM commands to request VERP-style delivery.
9161 # See VERP_README for more information on how to use Postfix VERP.
9162 /^(MAIL FROM:\s*<listname@example\.com>.*)/ $1 XVERP
9163
9164 # Bounce-never mail sink. Use notify_classes=bounce,resource,software
9165 # to send bounced mail to the postmaster (with message body removed).
9166 /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/ $1 NOTIFY=NEVER$2
9167 /^(RCPT\s+TO:.*)/ $1 NOTIFY=NEVER
9168
9169 This feature is available in Postfix 2.7.
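How the SMTP server applies such a table, modelled in Python as an added example that is not part of the Postfix manual or source: the command_filter rules above are applied to constructed client commands, the search key is the command with initial whitespace and the trailing <CR><LF> removed, and the first matching rule wins. The POSIX class [[:space:]] is written as \s for Python's re module, and matching is case-insensitive as it is for Postfix pcre: tables by default.

```python
"""Model of Postfix smtpd_command_filter lookups (added example, not Postfix code)."""
import re

# The /etc/postfix/command_filter rules from the manual text above, as
# (pattern, result) pairs. Postfix pcre: tables match case-insensitively by
# default, the first matching rule wins, and $1, $2, ... in the result are
# replaced by the corresponding capture groups. The POSIX class [[:space:]]
# is written as \s because Python's re module has no POSIX classes.
COMMAND_FILTER = [
    # Work around clients that send malformed HELO commands.
    (r"^HELO\s*$", "HELO domain.invalid"),
    # Work around clients that send empty lines.
    (r"^\s*$", "NOOP"),
    # Work around clients that send RCPT TO:<'user@domain'>; keep the
    # parameters that follow the address.
    (r"^(RCPT\s+TO:\s*<)'([^\s]+)'(>.*)", "$1$2$3"),
    # Append XVERP to MAIL FROM commands for the list address.
    (r"^(MAIL FROM:\s*<listname@example\.com>.*)", "$1 XVERP"),
    # Bounce-never mail sink: force NOTIFY=NEVER on every RCPT TO.
    (r"^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)", "$1 NOTIFY=NEVER$2"),
    (r"^(RCPT\s+TO:.*)", "$1 NOTIFY=NEVER"),
]


def compile_rules(rules):
    """Compile the patterns and turn $N result templates into \\g<N> templates."""
    compiled = []
    for pattern, result in rules:
        template = re.sub(r"\$(\d+)", r"\\g<\1>", result)
        compiled.append((re.compile(pattern, re.IGNORECASE), template))
    return compiled


RULES = compile_rules(COMMAND_FILTER)


def filter_command(raw_line, rules=RULES):
    """Return the command the SMTP server would execute for one received line.

    The search key is the line with initial whitespace and the trailing
    <CR><LF> removed. The result of the first matching rule, with its $N
    references expanded, replaces the command; with no match the command
    is executed as received.
    """
    key = raw_line.rstrip("\r\n").lstrip()
    for regex, template in rules:
        match = regex.search(key)
        if match:
            return match.expand(template)
    return key


if __name__ == "__main__":
    # Constructed client input, not captured traffic.
    for line in ["  HELO\r\n", "\r\n",
                 "RCPT TO:<'user@example.com'> NOTIFY=SUCCESS\r\n",
                 "MAIL FROM:<listname@example.com> SIZE=1024\r\n",
                 "RCPT TO:<bob@example.com> NOTIFY=SUCCESS,FAILURE\r\n",
                 "RCPT TO:<bob@example.com>\r\n", "DATA\r\n"]:
        print(repr(line), "->", filter_command(line))
```

Note that the quoted-address rule fires before the NOTIFY=NEVER rules for RCPT TO:<'user@example.com'> NOTIFY=SUCCESS, so that command keeps its NOTIFY parameter: only the first matching rule is applied.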
9170
9172 Optional access restrictions that the Postfix SMTP server applies in
9173 the context of the SMTP DATA command. See SMTPD_ACCESS_README, section
9174 "Delayed evaluation of SMTP access restriction lists" for a discussion
9175 of evaluation context and time.
9176
9177 This feature is available in Postfix 2.0 and later.
9178
9179 Specify a list of restrictions, separated by commas and/or whitespace.
9180 Continue long lines by starting the next line with whitespace.
9181 Restrictions are applied in the order as specified; the first restric‐
9182 tion that matches wins.
9183
9184 The following restrictions are valid in this context:
9185
9186 · Generic restrictions that can be used in any SMTP command con‐
9187 text, described under smtpd_client_restrictions.
9188
9189 · SMTP command specific restrictions described under
9190 smtpd_client_restrictions, smtpd_helo_restrictions,
9191 smtpd_sender_restrictions or smtpd_recipient_restrictions.
9192
9193 · However, no recipient information is available in the case of
9194 multi-recipient mail. Acting on only one recipient would be mis‐
9195 leading, because any decision will affect all recipients
9196 equally. Acting on all recipients would require a possibly very
9197 large amount of memory, and would also be misleading for the
9198 reasons mentioned before.
9199
9200 Examples:
9201
9202 smtpd_data_restrictions = reject_unauth_pipelining
9203 smtpd_data_restrictions = reject_multi_recipient_bounce
9204
9206 Postpone the start of an SMTP mail transaction until a valid RCPT TO
9207 command is received. Specify "no" to create a mail transaction as soon
9208 as the Postfix SMTP server receives a valid MAIL FROM command.
9209
9210 With sites that reject lots of mail, the default setting reduces the
9211 use of disk, CPU and memory resources. The downside is that rejected
9212 recipients are logged with NOQUEUE instead of a mail transaction ID.
9213 This complicates the logfile analysis of multi-recipient mail.
9214
9215 This feature is available in Postfix 2.3 and later.
9216
9218 Wait until the RCPT TO command before evaluating $smtpd_client_restric‐
9219 tions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
9220 until the ETRN command before evaluating $smtpd_client_restrictions and
9221 $smtpd_helo_restrictions.
9222
9223 This feature is turned on by default because some clients apparently
9224 mis-behave when the Postfix SMTP server rejects commands before RCPT
9225 TO.
9226
9227 The default setting has one major benefit: it allows Postfix to log
9228 recipient address information when rejecting a client name/address or
9229 sender address, so that it is possible to find out whose mail is being
9230 rejected.
9231
9233 Lookup tables, indexed by the remote SMTP client address, with case
9234 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
9235 that the Postfix SMTP server will not send in the EHLO response to a
9236 remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
9237 tables are not searched by hostname for robustness reasons.
9238
9239 Specify zero or more "type:name" lookup tables, separated by whitespace
9240 or comma. Tables will be searched in the specified order until a match
9241 is found.
9242
9243 This feature is available in Postfix 2.2 and later.
9244
9246 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
9247 etc.) that the Postfix SMTP server will not send in the EHLO response
9248 to a remote SMTP client.
9249
9250 This feature is available in Postfix 2.2 and later.
9251
9252 Notes:
9253
9254 · Specify the silent-discard pseudo keyword to prevent this action
9255 from being logged.
9256
9257 · Use the smtpd_discard_ehlo_keyword_address_maps feature to dis‐
9258 card EHLO keywords selectively.
9259
9261 Optional filter for Postfix SMTP server DNS lookup results. See
9262 smtp_dns_reply_filter for details including an example.
9263
9264 This feature is available in Postfix 3.0 and later.
9265
9267 Optional access restrictions that the Postfix SMTP server applies in
9268 the context of the SMTP END-OF-DATA command. See SMTPD_ACCESS_README,
9269 section "Delayed evaluation of SMTP access restriction lists" for a
9270 discussion of evaluation context and time.
9271
9272 This feature is available in Postfix 2.2 and later.
9273
9274 See smtpd_data_restrictions for details and limitations.
9275
9277 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
9278 require that clients use TLS encryption. According to RFC 2487 this
9279 MUST NOT be applied in case of a publicly-referenced SMTP server. This
9280 option is therefore off by default.
9281
9282 Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
9283
9284 Note 2: when invoked via "sendmail -bs", Postfix will never offer
9285 STARTTLS due to insufficient privileges to access the server private
9286 key. This is intended behavior.
9287
9288 This feature is available in Postfix 2.2 and later. With Postfix 2.3
9289 and later use smtpd_tls_security_level instead.
9290
9292 With Postfix version 2.1 and later: the SMTP server response delay
9293 after a client has made more than $smtpd_soft_error_limit errors, and
9294 fewer than $smtpd_hard_error_limit errors, without delivering mail.
9295
9296 With Postfix version 2.0 and earlier: the SMTP server delay before
9297 sending a reject (4xx or 5xx) response, when the client has made fewer
9298 than $smtpd_soft_error_limit errors without delivering mail.
9299
9301 Optional restrictions that the Postfix SMTP server applies in the con‐
9302 text of a client ETRN command. See SMTPD_ACCESS_README, section
9303 "Delayed evaluation of SMTP access restriction lists" for a discussion
9304 of evaluation context and time.
9305
9306 The Postfix ETRN implementation accepts only destinations that are eli‐
9307 gible for the Postfix "fast flush" service. See the ETRN_README file
9308 for details.
9309
9310 Specify a list of restrictions, separated by commas and/or whitespace.
9311 Continue long lines by starting the next line with whitespace.
9312 Restrictions are applied in the order as specified; the first restric‐
9313 tion that matches wins.
9314
9315 The following restrictions are specific to the domain name information
9316 received with the ETRN command.
9317
9318 check_etrn_access type:table
9319 Search the specified access database for the ETRN domain name or
9320 its parent domains. See the access(5) manual page for details.
9321
9322 Other restrictions that are valid in this context:
9323
9324 · Generic restrictions that can be used in any SMTP command con‐
9325 text, described under smtpd_client_restrictions.
9326
9327 · SMTP command specific restrictions described under
9328 smtpd_client_restrictions and smtpd_helo_restrictions.
9329
9330 Example:
9331
9332 smtpd_etrn_restrictions = permit_mynetworks, reject
9333
9335 What characters are allowed in $name expansions of RBL reply templates.
9336 Characters not in the allowed set are replaced by "_". Use C like
9337 escapes to specify special characters such as whitespace.
9338
9339 The smtpd_expansion_filter value is not subject to Postfix configura‐
9340 tion parameter $name expansion.
9341
9342 This feature is available in Postfix 2.0 and later.
9343
9345 List of commands that cause the Postfix SMTP server to immediately ter‐
9346 minate the session with a 221 code. This can be used to disconnect
9347 clients that obviously attempt to abuse the system. In addition to the
9348 commands listed in this parameter, commands that follow the "Label:"
9349 format of message headers will also cause a disconnect.
9350
9351 This feature is available in Postfix 2.2 and later.
9352
9354 The maximal number of errors a remote SMTP client is allowed to make
9355 without delivering mail. The Postfix SMTP server disconnects when the
9356 limit is exceeded. Normally the default limit is 20, but it changes
9357 under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
9358 always allows up to 20 errors by default.
9359
9361 Require that a remote SMTP client introduces itself with the HELO or
9362 EHLO command before sending the MAIL command or other commands that
9363 require EHLO negotiation.
9364
9365 Example:
9366
9367 smtpd_helo_required = yes
9368
9370 Optional restrictions that the Postfix SMTP server applies in the con‐
9371 text of a client HELO command. See SMTPD_ACCESS_README, section
9372 "Delayed evaluation of SMTP access restriction lists" for a discussion
9373 of evaluation context and time.
9374
9375 The default is to permit everything.
9376
9377 Note: specify "smtpd_helo_required = yes" to fully enforce this
9378 restriction (without "smtpd_helo_required = yes", a client can simply
9379 skip smtpd_helo_restrictions by not sending HELO or EHLO).
9380
9381 Specify a list of restrictions, separated by commas and/or whitespace.
9382 Continue long lines by starting the next line with whitespace.
9383 Restrictions are applied in the order as specified; the first restric‐
9384 tion that matches wins.
9385
9386 The following restrictions are specific to the hostname information
9387 received with the HELO or EHLO command.
9388
9389 check_helo_access type:table
9390 Search the specified access(5) database for the HELO or EHLO
9391 hostname or parent domains, and execute the corresponding
9392 action. Note: specify "smtpd_helo_required = yes" to fully
9393 enforce this restriction (without "smtpd_helo_required = yes", a
9394 client can simply skip check_helo_access by not sending HELO or
9395 EHLO).
9396
9397 check_helo_a_access type:table
9398 Search the specified access(5) database for the IP addresses for
9399 the HELO or EHLO hostname, and execute the corresponding action.
9400 Note 1: a result of "OK" is not allowed for safety reasons.
9401 Instead, use DUNNO in order to exclude specific hosts from
9402 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9403 fully enforce this restriction (without "smtpd_helo_required =
9404 yes", a client can simply skip check_helo_a_access by not send‐
9405 ing HELO or EHLO). This feature is available in Postfix 3.0 and
9406 later.
9407
9408 check_helo_mx_access type:table
9409 Search the specified access(5) database for the MX hosts for the
9410 HELO or EHLO hostname, and execute the corresponding action.
9411 Note 1: a result of "OK" is not allowed for safety reasons.
9412 Instead, use DUNNO in order to exclude specific hosts from
9413 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9414 fully enforce this restriction (without "smtpd_helo_required =
9415 yes", a client can simply skip check_helo_mx_access by not send‐
9416 ing HELO or EHLO). This feature is available in Postfix 2.1 and
9417 later.
9418
9419 check_helo_ns_access type:table
9420 Search the specified access(5) database for the DNS servers for
9421 the HELO or EHLO hostname, and execute the corresponding action.
9422 Note 1: a result of "OK" is not allowed for safety reasons.
9423 Instead, use DUNNO in order to exclude specific hosts from
9424 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9425 fully enforce this restriction (without "smtpd_helo_required =
9426 yes", a client can simply skip check_helo_ns_access by not send‐
9427 ing HELO or EHLO). This feature is available in Postfix 2.1 and
9428 later.
9429
9430 reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_host‐
9431 name)
9432 Reject the request when the HELO or EHLO hostname is malformed.
9433 Note: specify "smtpd_helo_required = yes" to fully enforce this
9434 restriction (without "smtpd_helo_required = yes", a client can
9435 simply skip reject_invalid_helo_hostname by not sending HELO or
9436 EHLO).
9437 The invalid_hostname_reject_code specifies the response code for
9438 rejected requests (default: 501).
9439
9440 reject_non_fqdn_helo_hostname (with Postfix < 2.3:
9441 reject_non_fqdn_hostname)
9442 Reject the request when the HELO or EHLO hostname is not in
9443 fully-qualified domain or address literal form, as required by
9444 the RFC. Note: specify "smtpd_helo_required = yes" to fully
9445 enforce this restriction (without "smtpd_helo_required = yes", a
9446 client can simply skip reject_non_fqdn_helo_hostname by not
9447 sending HELO or EHLO).
9448 The non_fqdn_reject_code parameter specifies the response code
9449 for rejected requests (default: 504).
9450
9451 reject_rhsbl_helo rbl_domain=d.d.d.d
9452 Reject the request when the HELO or EHLO hostname is listed with
9453 the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
9454 later only). Each "d" is a number, or a pattern inside "[]"
9455 that contains one or more ";"-separated numbers or number..num‐
9456 ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
9457 specified, reject the request when the HELO or EHLO hostname is
9458 listed with any A record under rbl_domain. See the
9459 reject_rbl_client description for additional RBL related config‐
9460 uration parameters. Note: specify "smtpd_helo_required = yes"
9461 to fully enforce this restriction (without "smtpd_helo_required
9462 = yes", a client can simply skip reject_rhsbl_helo by not send‐
9463 ing HELO or EHLO). This feature is available in Postfix 2.0 and
9464 later.
9465
9466 reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_host‐
9467 name)
9468 Reject the request when the HELO or EHLO hostname has no DNS A
9469 or MX record.
9470 The reply is specified with the unknown_hostname_reject_code
9471 parameter (default: 450) or unknown_helo_hostname_temp‐
9472 fail_action (default: defer_if_permit). See the respective
9473 parameter descriptions for details.
9474 Note: specify "smtpd_helo_required = yes" to fully enforce this
9475 restriction (without "smtpd_helo_required = yes", a client can
9476 simply skip reject_unknown_helo_hostname by not sending HELO or
9477 EHLO).
9478
9479 Other restrictions that are valid in this context:
9480
9481 · Generic restrictions that can be used in any SMTP command con‐
9482 text, described under smtpd_client_restrictions.
9483
9484 · Client hostname or network address specific restrictions
9485 described under smtpd_client_restrictions.
9486
9487 · SMTP command specific restrictions described under
9488 smtpd_sender_restrictions or smtpd_recipient_restrictions. When
9489 sender or recipient restrictions are listed under
9490 smtpd_helo_restrictions, they have effect only with
9491 "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is
9492 evaluated at the time of the RCPT TO command.
9493
9494 Examples:
9495
9496 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
9497 smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
9498
9500 The maximal number of lines in the Postfix SMTP server command history
9501 before it is flushed upon receipt of EHLO, RSET, or end of DATA.
9502
9504 The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
9505 SMTP client can send before the Postfix SMTP server starts to increment
9506 the error counter with each junk command. The junk command count is
9507 reset after mail is delivered. See also the smtpd_error_sleep_time and
9508 smtpd_soft_error_limit configuration parameters. Normally the default
9509 limit is 100, but it changes under overload to just 1. With Postfix 2.5
9510 and earlier, the SMTP server always allows up to 100 junk commands by
9511 default.
9512
9514 Enable logging of the named "permit" actions in SMTP server access
9515 lists (by default, the SMTP server logs "reject" actions but not "per‐
9516 mit" actions). This feature does not affect conditional actions such
9517 as "defer_if_permit".
9518
9519 Specify a list of "permit" action names, "/file/name" or "type:table"
9520 patterns, separated by commas and/or whitespace. The list is matched
9521 left to right, and the search stops on the first match. A "/file/name"
9522 pattern is replaced by its contents; a "type:table" lookup table is
9523 matched when a name matches a lookup key (the lookup result is
9524 ignored). Continue long lines by starting the next line with white‐
9525 space. Specify "!pattern" to exclude a name from the list.
9526
9527 Examples:
9528
9529 /etc/postfix/main.cf:
9530 # Log all "permit" actions.
9531 smtpd_log_access_permit_actions = static:all
9532
9533 /etc/postfix/main.cf:
9534 # Log "permit_dnswl_client" only.
9535 smtpd_log_access_permit_actions = permit_dnswl_client
9536
9537 This feature is available in Postfix 2.10 and later.
9538
9540 Lookup tables with Milter settings per remote SMTP client IP address.
9541 The lookup result overrides the smtpd_milters setting, and has the same
9542 syntax.
9543
9544 Note: lookup tables cannot return empty responses. Specify a lookup
9545 result of DISABLE (case does not matter) to indicate that Milter sup‐
9546 port should be disabled.
9547
9548 Example to disable Milters for local clients:
9549
9550 /etc/postfix/main.cf:
9551 smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
9552 smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
9553
9554 /etc/postfix/smtpd_milter_map:
9555 # Disable Milters for local clients.
9556 127.0.0.0/8 DISABLE
9557 192.168.0.0/16 DISABLE
9558 ::/64 DISABLE
9559 2001:db8::/32 DISABLE
9560
9561 This feature is available in Postfix 3.2 and later.
9562
9564 A list of Milter (mail filter) applications for new mail that arrives
9565 via the Postfix smtpd(8) server. Specify space or comma as separator.
9566 See the MILTER_README document for details.
9567
9568 This feature is available in Postfix 2.3 and later.
9569
9571 List of commands that the Postfix SMTP server replies to with "250 Ok",
9572 without doing any syntax checks and without changing state. This list
9573 overrides any commands built into the Postfix SMTP server.
9574
9576 The lookup key to be used in SMTP access(5) tables instead of the null
9577 sender address.
9578
9580 Attempt to look up the remote SMTP client hostname, and verify that the
9581 name matches the client IP address. A client name is set to "unknown"
9582 when it cannot be looked up or verified, or when name lookup is dis‐
9583 abled. Turning off name lookup reduces delays due to DNS lookup and
9584 increases the maximal inbound delivery rate.
9585
9586 This feature is available in Postfix 2.3 and later.
9587
9589 Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
9590 time limits, from a time limit per read or write system call, to a time
9591 limit to send or receive a complete record (an SMTP command line, SMTP
9592 response line, SMTP message content line, or TLS protocol message).
9593 This limits the impact from hostile peers that trickle data one byte at
9594 a time.
9595
9596 Note: when per-record deadlines are enabled, a short timeout may cause
9597 problems with TLS over very slow network connections. The reasons are
9598 that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
9599 and that an entire TLS protocol message must be sent or received within
9600 the per-record deadline.
9601
9602 This feature is available in Postfix 2.9 and later. With older Postfix
9603 releases, the behavior is as if this parameter is set to "no".
9604
9607 The default action when an SMTPD policy service request fails. Specify
9608 "DUNNO" to behave as if the failed SMTPD policy service request was
9609 not sent, and to continue processing other access restrictions, if any.
9610
9611 Limitations:
9612
9613 · This parameter may specify any value that would be a valid SMTPD
9614 policy server response (or access(5) map lookup result). An
9615 access(5) map or policy server in this parameter value may need
9616 to be declared in advance with a restriction_class setting.
9617
9618 · If the specified action invokes another check_policy_service
9619 request, that request will have the built-in default action.
9620
9621 This feature is available in Postfix 3.0 and later.
9622
9624 The time after which an idle SMTPD policy service connection is closed.
9625
9626 This feature is available in Postfix 2.1 and later.
9627
9629 The time after which an active SMTPD policy service connection is
9630 closed.
9631
9632 This feature is available in Postfix 2.1 and later.
9633
9635 Optional information that the Postfix SMTP server specifies in the
9636 "policy_context" attribute of a policy service request (originally, to
9637 share the same service endpoint among multiple check_policy_service
9638 clients).
9639
9640 This feature is available in Postfix 3.1 and later.
9641
9643 The maximal number of requests per SMTPD policy service connection, or
9644 zero (no limit). Once a connection reaches this limit, the connection
9645 is closed and the next request will be sent over a new connection. This
9646 is a workaround to avoid error-recovery delays with policy servers that
9647 cannot maintain a persistent connection.
9648
9649 This feature is available in Postfix 3.0 and later.
9650
9652 The delay between attempts to resend a failed SMTPD policy service
9653 request. Specify a value greater than zero.
9654
9655 This feature is available in Postfix 3.0 and later.
9656
9658 The time limit for connecting to, writing to, or receiving from a dele‐
9659 gated SMTPD policy server.
9660
9661 This feature is available in Postfix 2.1 and later.
9662
9664 The maximal number of attempts to send an SMTPD policy service request
9665 before giving up. Specify a value greater than zero.
9666
9667 This feature is available in Postfix 3.0 and later.
9668
9670 How the Postfix SMTP server announces itself to the proxy filter. By
9671 default, the Postfix hostname is used.
9672
9673 This feature is available in Postfix 2.1 and later.
9674
9676 The hostname and TCP port of the mail filtering proxy server. The
9677 proxy receives all mail from the Postfix SMTP server, and is supposed
9678 to give the result to another Postfix SMTP server process.
9679
9680 Specify "host:port" or "inet:host:port" for a TCP endpoint, or
9681 "unix:pathname" for a UNIX-domain endpoint. The host can be specified
9682 as an IP address or as a symbolic name; no MX lookups are done. When
9683 no "host" or "host:" are specified, the local machine is assumed.
9684 Pathname interpretation is relative to the Postfix queue directory.
9685
9686 This feature is available in Postfix 2.1 and later.
9687
9688 The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
9689 later.
9690
9692 List of options that control how the Postfix SMTP server communicates
9693 with a before-queue content filter. Specify zero or more of the follow‐
9694 ing, separated by comma or whitespace.
9695
9696 speed_adjust
9697 Do not connect to a before-queue content filter until an entire
9698 message has been received. This reduces the number of simultane‐
9699 ous before-queue content filter processes.
9700
9701 NOTE 1: A filter must not selectively reject recipients of a
9702 multi-recipient message. Rejecting all recipients is OK, as is accept‐
9703 ing all recipients.
9704
9705 NOTE 2: This feature increases the minimum amount of free queue space
9706 by $message_size_limit. The extra space is needed to save the message
9707 to a temporary file.
9708
9709 This feature is available in Postfix 2.7 and later.
9710
9712 The time limit for connecting to a proxy filter and for sending or
9713 receiving information. When a connection fails the client gets a
9714 generic error message while more detailed information is logged to the
9715 maillog file.
9716
9717 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
9718 The default time unit is s (seconds).
9719
9720 This feature is available in Postfix 2.1 and later.
9721
9723 The maximal number of recipients that the Postfix SMTP server accepts
9724 per message delivery request.
9725
9727 The number of recipients that a remote SMTP client can send in excess
9728 of the limit specified with $smtpd_recipient_limit, before the Postfix
9729 SMTP server increments the per-session error count for each excess
9730 recipient.
9731
9733 Optional restrictions that the Postfix SMTP server applies in the con‐
9734 text of a client RCPT TO command, after smtpd_relay_restrictions. See
9735 SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
9736 restriction lists" for a discussion of evaluation context and time.
9737
9738 With Postfix versions before 2.10, the rules for relay permission and
9739 spam blocking were combined under smtpd_recipient_restrictions, result‐
9740 ing in error-prone configuration. As of Postfix 2.10, relay permission
9741 rules are preferably implemented with smtpd_relay_restrictions, so that
9742 a permissive spam blocking policy under smtpd_recipient_restrictions
9743 will no longer result in a permissive mail relay policy.
9744
9745 For backwards compatibility, sites that migrate from Postfix versions
9746 before 2.10 can set smtpd_relay_restrictions to the empty value, and
9747 use smtpd_recipient_restrictions exactly as before.
9748
9749 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
9750 ent_restrictions parameter must specify at least one of the following
9751 restrictions. Otherwise Postfix will refuse to receive mail:
9752
9753 reject, reject_unauth_destination
9754
9755 defer, defer_if_permit, defer_unauth_destination
9756
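A configuration check for the rule just stated and for the HELO and permit_mx_backup safety notes in this section, written as an added example that is not part of Postfix: it parses main.cf logical lines as described at the top of this manual page and reports when neither restriction list contains one of the required restrictions, when HELO restrictions are used without "smtpd_helo_required = yes", and when permit_mx_backup appears without permit_mx_backup_networks. The sample configurations are constructed, and smtpd_helo_required is assumed to default to "no" when unset.

```python
"""main.cf checker for the relay-safety and HELO notes above (added example,
not part of Postfix)."""
import re

# At least one of these must appear in smtpd_relay_restrictions or
# smtpd_recipient_restrictions; otherwise Postfix refuses to receive mail.
RELAY_SAFETY = {"reject", "reject_unauth_destination",
                "defer", "defer_if_permit", "defer_unauth_destination"}

# Restrictions that a client can skip by not sending HELO or EHLO unless
# "smtpd_helo_required = yes" is set (notes under smtpd_helo_restrictions).
HELO_RESTRICTIONS = {
    "check_helo_access", "check_helo_a_access", "check_helo_mx_access",
    "check_helo_ns_access", "reject_invalid_helo_hostname",
    "reject_non_fqdn_helo_hostname", "reject_rhsbl_helo",
    "reject_unknown_helo_hostname",
}

RESTRICTION_LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                     "smtpd_sender_restrictions", "smtpd_relay_restrictions",
                     "smtpd_recipient_restrictions")


def parse_main_cf(text):
    """Parse main.cf logical lines: "name = value", continuation lines that
    start with whitespace, "#" comments and blank lines ignored. A later
    assignment of the same name overrides an earlier one."""
    params = {}
    name = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():        # continues the previous logical line
            if name is not None:
                params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue                # not a "name = value" line
        name = key.strip()
        params[name] = value.strip()
    return params


def restriction_names(value):
    """Split a restriction list on commas and whitespace. Tokens containing
    ':' or '=' are table or argument tokens such as 'hash:/path' or
    'rbl_domain=d.d.d.d'; other stray arguments are harmless here because
    only known restriction names are tested."""
    return [t.lower() for t in re.split(r"[,\s]+", value)
            if t and ":" not in t and "=" not in t]


def check_smtpd_policy(params):
    """Return (code, message) findings for the checks this section describes."""
    findings = []
    lists = {p: restriction_names(params.get(p, "")) for p in RESTRICTION_LISTS}
    if not RELAY_SAFETY.intersection(lists["smtpd_relay_restrictions"]
                                     + lists["smtpd_recipient_restrictions"]):
        findings.append(("relay-safety",
                         "neither smtpd_relay_restrictions nor "
                         "smtpd_recipient_restrictions contains reject, "
                         "reject_unauth_destination, defer, defer_if_permit or "
                         "defer_unauth_destination; Postfix will refuse mail"))
    everything = [n for names in lists.values() for n in names]
    # Assumes the Postfix default "smtpd_helo_required = no" when unset.
    if HELO_RESTRICTIONS.intersection(everything) and \
            params.get("smtpd_helo_required", "no").lower() != "yes":
        findings.append(("helo-required",
                         "HELO restrictions are used but smtpd_helo_required is "
                         "not yes; clients can skip them by not sending HELO/EHLO"))
    if "permit_mx_backup" in everything and \
            not params.get("permit_mx_backup_networks"):
        findings.append(("mx-backup",
                         "permit_mx_backup without permit_mx_backup_networks "
                         "is open to mis-use"))
    return findings


# Constructed sample configurations, not taken from any real site.
UNSAFE_CF = """\
# Relay policy left to the recipient list, which has no reject rule.
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    check_recipient_access hash:/etc/postfix/recipient_access,
    permit_mx_backup
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
"""

SAFE_CF = """\
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unknown_recipient_domain, reject_rhsbl_recipient rbl.example
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
"""

if __name__ == "__main__":
    for label, cf in (("unsafe", UNSAFE_CF), ("safe", SAFE_CF)):
        print(label, check_smtpd_policy(parse_main_cf(cf)))
```

In practice the input would be the output of "postconf -n", which already has defaults removed and one parameter per logical line.
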
9757 Specify a list of restrictions, separated by commas and/or whitespace.
9758 Continue long lines by starting the next line with whitespace.
9759 Restrictions are applied in the order as specified; the first restric‐
9760 tion that matches wins.
9761
9762 The following restrictions are specific to the recipient address that
9763 is received with the RCPT TO command.
9764
9765 check_recipient_access type:table
9766 Search the specified access(5) database for the resolved RCPT TO
9767 address, domain, parent domains, or localpart@, and execute the
9768 corresponding action.
9769
9770 check_recipient_a_access type:table
9771 Search the specified access(5) database for the IP addresses for
9772 the RCPT TO domain, and execute the corresponding action. Note:
9773 a result of "OK" is not allowed for safety reasons. Instead, use
9774 DUNNO in order to exclude specific hosts from blacklists. This
9775 feature is available in Postfix 3.0 and later.
9776
9777 check_recipient_mx_access type:table
9778 Search the specified access(5) database for the MX hosts for the
9779 RCPT TO domain, and execute the corresponding action. Note: a
9780 result of "OK" is not allowed for safety reasons. Instead, use
9781 DUNNO in order to exclude specific hosts from blacklists. This
9782 feature is available in Postfix 2.1 and later.
9783
9784 check_recipient_ns_access type:table
9785 Search the specified access(5) database for the DNS servers for
9786 the RCPT TO domain, and execute the corresponding action. Note:
9787 a result of "OK" is not allowed for safety reasons. Instead, use
9788 DUNNO in order to exclude specific hosts from blacklists. This
9789 feature is available in Postfix 2.1 and later.
9790
9791 permit_auth_destination
9792 Permit the request when one of the following is true:
9793
9794 · Postfix is mail forwarder: the resolved RCPT TO domain matches
9795 $relay_domains or a subdomain thereof, and the address contains
9796 no sender-specified routing (user@elsewhere@domain),
9797
9798 · Postfix is the final destination: the resolved RCPT TO domain
9799 matches $mydestination, $inet_interfaces, $proxy_interfaces,
9800 $virtual_alias_domains, or $virtual_mailbox_domains, and the
9801 address contains no sender-specified routing (user@else‐
9802 where@domain).
9803
9804 permit_mx_backup
9805 Permit the request when the local mail system is backup MX for
9806 the RCPT TO domain, or when the domain is an authorized destina‐
9807 tion (see permit_auth_destination for definition).

· Safety: permit_mx_backup does not accept addresses that have sender-specified routing information (example: user@elsewhere@domain).

· Safety: permit_mx_backup can be vulnerable to mis-use when access is not restricted with permit_mx_backup_networks.

· Safety: as of Postfix version 2.3, permit_mx_backup no longer accepts the address when the local mail system is primary MX for the recipient domain. Exception: permit_mx_backup accepts the address when it specifies an authorized destination (see permit_auth_destination for definition).

· Limitation: mail may be rejected in case of a temporary DNS lookup problem with Postfix prior to version 2.0.

reject_non_fqdn_recipient
    Reject the request when the RCPT TO address specifies a domain that is not in fully-qualified domain form, as required by the RFC.
    The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

reject_rhsbl_recipient rbl_domain=d.d.d.d
    Reject the request when the RCPT TO domain is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the RCPT TO domain is listed with any A record under rbl_domain.
    The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554); the default_rbl_reply parameter specifies the default server reply; and the rbl_reply_maps parameter specifies tables with server replies indexed by rbl_domain. This feature is available in Postfix version 2.0 and later.

reject_unauth_destination
    Reject the request unless one of the following is true:

    · Postfix is a mail forwarder: the resolved RCPT TO domain matches $relay_domains or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),

    · Postfix is the final destination: the resolved RCPT TO domain matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).

    The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).

defer_unauth_destination
    Reject the same requests as reject_unauth_destination, with a non-permanent error code. This feature is available in Postfix 2.10 and later.

reject_unknown_recipient_domain
    Reject the request when Postfix is not the final destination for the recipient domain, and the RCPT TO domain has 1) no DNS MX and no DNS A record or 2) a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
    The reply is specified with the unknown_address_reject_code parameter (default: 450), unknown_address_tempfail_action (default: defer_if_permit), or 556 (nullmx, Postfix 3.0 and later). See the respective parameter descriptions for details.

reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
    Reject the request when the RCPT TO address is not listed in the list of valid recipients for its domain class. See the smtpd_reject_unlisted_recipient parameter description for details. This feature is available in Postfix 2.1 and later.

reject_unverified_recipient
    Reject the request when mail to the RCPT TO address is known to bounce, or when the recipient address destination is not reachable. Address verification information is managed by the verify(8) server; see the ADDRESS_VERIFICATION_README file for details.
    The unverified_recipient_reject_code parameter specifies the numerical response code when an address is known to bounce (default: 450, change into 550 when you are confident that it is safe to do so).
    The unverified_recipient_defer_code parameter specifies the numerical response code when an address probe failed due to a temporary problem (default: 450).
    The unverified_recipient_tempfail_action parameter specifies the action after address probe failure due to a temporary problem (default: defer_if_permit).
    This feature breaks for aliased addresses with "enable_original_recipient = no" (Postfix <= 3.2).
    This feature is available in Postfix 2.1 and later.

Other restrictions that are valid in this context:

· Generic restrictions that can be used in any SMTP command context, described under smtpd_client_restrictions.

· SMTP command specific restrictions described under smtpd_client_restrictions, smtpd_helo_restrictions and smtpd_sender_restrictions.

Example:

    # The Postfix before 2.10 default mail relay policy. Later Postfix
    # versions implement this preferably with smtpd_relay_restrictions.
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

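The "rbl_domain=d.d.d.d" reply filter above (and the identical one of reject_rhsbl_sender under smtpd_sender_restrictions) decides which DNSBL A records count as a listing. The following Python model is an added example, not Postfix source code; the zone name dnsbl.example and the A records are constructed test data.

```python
"""Model of the "rbl_domain=d.d.d.d" reply filter accepted by
reject_rhsbl_recipient and reject_rhsbl_sender (added example, not
Postfix source code)."""
import ipaddress
import re
from typing import List, Optional, Tuple

Octet = List[Tuple[int, int]]          # inclusive (low, high) ranges
ReplyFilter = Optional[List[Octet]]    # None: any A record is a listing

_ATOM = re.compile(r"^(\d+)(?:\.\.(\d+))?$")


def _split_octets(pattern: str) -> List[str]:
    """Split d.d.d.d on dots, but not on the ".." inside a [] range."""
    parts, current, depth = [], "", 0
    for ch in pattern:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "." and depth == 0:
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return parts


def parse_octet(text: str) -> Octet:
    """One "d": a number, or "[n;n..m;...]" (Postfix 2.8 range syntax)."""
    bracketed = text.startswith("[") and text.endswith("]")
    atoms = text[1:-1].split(";") if bracketed else [text]
    ranges = []
    for atom in atoms:
        m = _ATOM.match(atom)
        if not m:
            raise ValueError(f"bad octet pattern {text!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        ranges.append((low, high))
    return ranges


def parse_rbl_argument(arg: str) -> Tuple[str, ReplyFilter]:
    """Split "rbl_domain[=d.d.d.d]" into the DNSBL zone and a reply filter."""
    domain, sep, pattern = arg.partition("=")
    if not sep:
        return domain, None
    octets = _split_octets(pattern)
    if len(octets) != 4:
        raise ValueError(f"reply filter needs four components: {pattern!r}")
    return domain, [parse_octet(o) for o in octets]


def reply_matches(reply_filter: ReplyFilter, a_record: str) -> bool:
    """True when one DNSBL A record satisfies the filter (any record if None)."""
    if reply_filter is None:
        return True
    octets = ipaddress.IPv4Address(a_record).packed
    return all(any(low <= value <= high for low, high in ranges)
               for value, ranges in zip(octets, reply_filter))


def is_listed(arg: str, a_records: List[str]) -> bool:
    """Would this restriction fire, given the A records that the lookup of
    "<domain>.<rbl_domain>" returned? An empty list models NXDOMAIN."""
    _, reply_filter = parse_rbl_argument(arg)
    return any(reply_matches(reply_filter, rec) for rec in a_records)
```
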
Optional information that is appended after each Postfix SMTP server 4XX or 5XX response.

The following example uses "\c" at the start of the template (supported in Postfix 2.10 and later) to suppress the line break between the reply text and the footer text. With earlier Postfix versions, the footer text always begins on a new line, and the "\c" is output literally.

/etc/postfix/main.cf:
    smtpd_reject_footer = \c. For assistance, call 800-555-0101.
        Please provide the following information in your problem report:
        time ($localtime), client ($client_address) and server
        ($server_name).

Server response:
    550-5.5.1 <user@example> Recipient address rejected: User
    unknown. For assistance, call 800-555-0101. Please provide the
    following information in your problem report: time (Jan 4 15:42:00),
    client (192.168.1.248) and server (mail1.example.com).

Note: the above text is meant to make it easier to find the Postfix logfile records for a failed SMTP session. The text itself is not logged to the Postfix SMTP server's maillog file.

Be sure to keep the text as short as possible. Long text may be truncated before it is logged to the remote SMTP client's maillog file, or before it is returned to the sender in a delivery status notification.

The template text is not subject to Postfix configuration parameter $name expansion. Instead, this feature supports a limited number of $name attributes in the footer text. These attributes are replaced with their current value for the SMTP session.

Note: specify $$name in footer text that is looked up from regexp: or pcre:-based smtpd_reject_footer_maps, otherwise the Postfix server will not use the footer text and will log a warning instead.

client_address
    The client IP address that is logged in the maillog file.

client_port
    The client TCP port that is logged in the maillog file.

localtime
    The server local time (Mmm dd hh:mm:ss) that is logged in the maillog file.

server_name
    The server's myhostname value. This attribute is made available for sites with multiple MTAs (perhaps behind a load-balancer), where the server name can help the server support team to quickly find the right log files.

Notes:

· NOT SUPPORTED are other attributes such as sender, recipient, or main.cf parameters.

· For safety reasons, text that does not match $smtpd_expansion_filter is censored.

This feature supports the two-character sequence \n as a request for a line break in the footer text. Postfix automatically inserts after each line break the three-digit SMTP reply code (and optional enhanced status code) from the original Postfix reject message.

To work around mail software that mis-handles multi-line replies, specify the two-character sequence \c at the start of the template. This suppresses the line break between the reply text and the footer text (Postfix 2.10 and later).

This feature is available in Postfix 2.8 and later.

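The following Python model, an added example rather than Postfix code, renders a rejection the way the rules above describe: only the four session attributes expand, "\n" splits the reply into lines that each repeat the reply code, "\c" joins the footer to the reject text, and attribute values are censored. It assumes that censoring replaces a disallowed character with "_" and that the expansion filter is printable ASCII plus tab; the session values are the ones from the example response above, plus a constructed client_port.

```python
"""Model of how the Postfix SMTP server renders smtpd_reject_footer.

Added example, not Postfix source. Assumptions: characters outside
smtpd_expansion_filter are replaced by "_", and the filter is printable
ASCII plus space and tab (the usual value)."""
import re
from typing import Dict, List

DEFAULT_EXPANSION_FILTER = "".join(chr(c) for c in range(0x20, 0x7F)) + "\t"

# The only $name attributes postconf(5) lists for the footer.
SUPPORTED_ATTRIBUTES = ("client_address", "client_port", "localtime", "server_name")

_NAME_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")

# Session values from the postconf(5) example; client_port is constructed.
EXAMPLE_SESSION = {"localtime": "Jan 4 15:42:00", "client_address": "192.168.1.248",
                   "client_port": "52100", "server_name": "mail1.example.com"}
EXAMPLE_FOOTER = (r"\c. For assistance, call 800-555-0101. Please provide the following "
                  r"information in your problem report: time ($localtime), "
                  r"client ($client_address) and server ($server_name).")


def censor(value: str, allowed: str = DEFAULT_EXPANSION_FILTER) -> str:
    """Replace characters outside the expansion filter with "_"."""
    return "".join(ch if ch in allowed else "_" for ch in value)


def expand_footer(text: str, session: Dict[str, str],
                  allowed: str = DEFAULT_EXPANSION_FILTER) -> str:
    """Expand $name / ${name} session attributes.

    Sender, recipient and main.cf parameters are NOT SUPPORTED by Postfix;
    this model raises on them so that a typo in main.cf is caught instead
    of an unexpanded "$recipient" reaching the remote client.
    """
    def replace(match):
        name = match.group(1) or match.group(2)
        if name not in SUPPORTED_ATTRIBUTES:
            raise ValueError(f"unsupported footer attribute ${name}")
        return censor(session.get(name, ""), allowed)
    return _NAME_RE.sub(replace, text)


def render_reject_reply(code: str, enhanced: str, reject_text: str,
                        footer: str, session: Dict[str, str]) -> List[str]:
    """Return the SMTP reply lines a client would see for one rejection.

    code and enhanced come from the original reject (e.g. "550", "5.5.1").
    The two-character sequences "\\c" and "\\n" are interpreted before
    attribute expansion, so an attribute value can never inject them.
    """
    template = footer
    join_first = template.startswith("\\c")          # Postfix 2.10 and later
    if join_first:
        template = template[2:]
    pieces = ([expand_footer(p, session) for p in template.split("\\n")]
              if template else [])
    if join_first and pieces:
        lines = [reject_text + pieces[0]] + pieces[1:]
    else:
        lines = [reject_text] + pieces
    last = len(lines) - 1
    # Multi-line replies use "code-" on every line but the last.
    return [f"{code}{' ' if i == last else '-'}{enhanced} {text}"
            for i, text in enumerate(lines)]
```
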
Lookup tables, indexed by the complete Postfix SMTP server 4xx or 5xx response, with reject footer templates. See smtpd_reject_footer for details.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found.

This feature is available in Postfix 3.4 and later.

Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no explicit reject_unlisted_recipient access restriction is specified. This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages.

An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping.

· The recipient domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the recipient is not listed in $local_recipient_maps, and $local_recipient_maps is not null.

· The recipient domain matches $virtual_alias_domains but the recipient is not listed in $virtual_alias_maps.

· The recipient domain matches $virtual_mailbox_domains but the recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.

· The recipient domain matches $relay_domains but the recipient is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.

This feature is available in Postfix 2.1 and later.

Request that the Postfix SMTP server rejects mail from unknown sender addresses, even when no explicit reject_unlisted_sender access restriction is specified. This can slow down an explosion of forged mail from worms or viruses.

An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping.

· The sender domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the sender is not listed in $local_recipient_maps, and $local_recipient_maps is not null.

· The sender domain matches $virtual_alias_domains but the sender is not listed in $virtual_alias_maps.

· The sender domain matches $virtual_mailbox_domains but the sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.

· The sender domain matches $relay_domains but the sender is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.

This feature is available in Postfix 2.1 and later.

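The unlisted-recipient and unlisted-sender rules above are the same four rules applied to RCPT TO and MAIL FROM respectively, so one Python model serves both. It is an added example, not Postfix code; it assumes that tables hold full addresses only (Postfix's own user and @domain lookup forms are left out), folds $inet_interfaces and $proxy_interfaces into the mydestination set, and matches $relay_domains including subdomains as the reject_unauth_destination text describes. The domains and addresses are constructed.

```python
"""Model of the "unlisted address" decision behind
smtpd_reject_unlisted_recipient and smtpd_reject_unlisted_sender
(added example, not Postfix source)."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class AddressClasses:
    """main.cf domain lists and lookup tables the four rules refer to.

    A table given as None models an empty ("null") parameter, which
    switches the corresponding rule off. Assumptions: tables contain full
    addresses only; inet_interfaces/proxy_interfaces are folded into
    mydestination.
    """
    mydestination: Set[str]
    virtual_alias_domains: Set[str]
    virtual_mailbox_domains: Set[str]
    relay_domains: Set[str]
    local_recipient_maps: Optional[Set[str]]
    virtual_alias_maps: Set[str]
    virtual_mailbox_maps: Optional[Set[str]]
    relay_recipient_maps: Optional[Set[str]]
    # Addresses with a virtual(5) alias or canonical(5) mapping: always known.
    alias_or_canonical: Set[str] = field(default_factory=set)


def _in_domains(domain: str, domains: Set[str], subdomains: bool) -> bool:
    if domain in domains:
        return True
    return subdomains and any(domain.endswith("." + d) for d in domains)


def unlisted_reason(cfg: AddressClasses, address: str,
                    role: str = "recipient") -> Optional[str]:
    """Why the address would be rejected as unlisted, or None when "known".

    role only changes the wording: "recipient" (RCPT TO) or "sender"
    (MAIL FROM); postconf(5) states the same rules for both. An address
    in a domain class that is none of ours yields None: these parameters
    say nothing about it (relay control is a separate decision).
    """
    address = address.lower()
    if address in cfg.alias_or_canonical:
        return None
    _, _, domain = address.rpartition("@")
    if _in_domains(domain, cfg.mydestination, False):
        if cfg.local_recipient_maps is not None and address not in cfg.local_recipient_maps:
            return f"{role} not listed in $local_recipient_maps"
    elif _in_domains(domain, cfg.virtual_alias_domains, False):
        if address not in cfg.virtual_alias_maps:       # no "not null" escape here
            return f"{role} not listed in $virtual_alias_maps"
    elif _in_domains(domain, cfg.virtual_mailbox_domains, False):
        if cfg.virtual_mailbox_maps is not None and address not in cfg.virtual_mailbox_maps:
            return f"{role} not listed in $virtual_mailbox_maps"
    elif _in_domains(domain, cfg.relay_domains, True):    # assumption: subdomains match
        if cfg.relay_recipient_maps is not None and address not in cfg.relay_recipient_maps:
            return f"{role} not listed in $relay_recipient_maps"
    return None


# Constructed configuration for the checks below.
EXAMPLE = AddressClasses(
    mydestination={"example.com"},
    virtual_alias_domains={"alias.example"},
    virtual_mailbox_domains={"vm.example"},
    relay_domains={"relay.example"},
    local_recipient_maps={"alice@example.com"},
    virtual_alias_maps={"info@alias.example"},
    virtual_mailbox_maps={"bob@vm.example"},
    relay_recipient_maps=None,                 # null: relay recipients not checked
    alias_or_canonical={"carol@example.com"},
)
```
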
smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)
Access restrictions for mail relay control that the Postfix SMTP server applies in the context of the RCPT TO command, before smtpd_recipient_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

With Postfix versions before 2.10, the rules for relay permission and spam blocking were combined under smtpd_recipient_restrictions, resulting in error-prone configuration. As of Postfix 2.10, relay permission rules are preferably implemented with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will no longer result in a permissive mail relay policy.

For backwards compatibility, sites that migrate from Postfix versions before 2.10 can set smtpd_relay_restrictions to the empty value, and use smtpd_recipient_restrictions exactly as before.

By default, the Postfix SMTP server accepts:

· Mail from clients whose IP address matches $mynetworks, or:

· Mail to remote destinations that match $relay_domains, except for addresses that contain sender-specified routing (user@elsewhere@domain), or:

· Mail to local destinations that match $inet_interfaces or $proxy_interfaces, $mydestination, $virtual_alias_domains, or $virtual_mailbox_domains.

IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipient_restrictions parameter must specify at least one of the following restrictions. Otherwise Postfix will refuse to receive mail:

    reject, reject_unauth_destination

    defer, defer_if_permit, defer_unauth_destination

Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. The same restrictions are available as documented under smtpd_recipient_restrictions.

This feature is available in Postfix 2.10 and later.

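The Python model below (an added example, not Postfix code) walks the two lists in the order described above, relay restrictions first, and includes the IMPORTANT check as a configuration lint. Only the relay-control restrictions named in this section plus "reject" and "permit" are modelled; $inet_interfaces, $proxy_interfaces, $mydestination and the virtual domain lists are folded into one local_domains set, and all addresses and networks are constructed. One detail worth seeing in code: a "permit" result in smtpd_relay_restrictions ends only that list, the recipient list is still evaluated.

```python
"""Model of the Postfix 2.10+ relay decision for one RCPT TO command:
smtpd_relay_restrictions, then smtpd_recipient_restrictions, first match
within a list wins. Added example, not Postfix source."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# postconf(5): without one of these in either list Postfix refuses all mail.
TERMINAL_RESTRICTIONS = {"reject", "reject_unauth_destination",
                         "defer", "defer_if_permit", "defer_unauth_destination"}
MODELLED = TERMINAL_RESTRICTIONS - {"defer", "defer_if_permit"} | {
    "permit_mynetworks", "permit_sasl_authenticated", "permit"}


@dataclass
class RelayConfig:
    mynetworks: List[str]       # network/netmask patterns
    local_domains: Set[str]     # assumption: mydestination, interfaces, virtual domains
    relay_domains: Set[str]     # matched together with their subdomains


@dataclass
class Session:
    client_address: str
    sasl_username: Optional[str] = None   # set once the client has authenticated


def parse_restrictions(value: str) -> List[str]:
    """Split a restriction list on commas and/or whitespace."""
    return value.replace(",", " ").split()


def policy_is_closed(relay_restrictions: str, recipient_restrictions: str) -> bool:
    """The IMPORTANT check: at least one terminal restriction in either list."""
    tokens = parse_restrictions(relay_restrictions) + parse_restrictions(recipient_restrictions)
    return any(t in TERMINAL_RESTRICTIONS for t in tokens)


def authorized_destination(cfg: RelayConfig, recipient: str) -> bool:
    """The test behind reject_unauth_destination / defer_unauth_destination."""
    local_part, _, domain = recipient.lower().rpartition("@")
    if "@" in local_part:            # sender-specified routing: user@elsewhere@domain
        return False
    if domain in cfg.local_domains:
        return True
    return domain in cfg.relay_domains or any(
        domain.endswith("." + d) for d in cfg.relay_domains)


def in_mynetworks(cfg: RelayConfig, address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in cfg.mynetworks)


def evaluate(restrictions: List[str], cfg: RelayConfig, session: Session,
             recipient: str) -> Tuple[str, Optional[str]]:
    """Walk one list; reaching its end counts as permit for that list."""
    for r in restrictions:
        if r not in MODELLED:
            raise ValueError(f"restriction not modelled here: {r}")
        if r == "permit_mynetworks" and in_mynetworks(cfg, session.client_address):
            return "permit", r
        if r == "permit_sasl_authenticated" and session.sasl_username:
            return "permit", r
        if r == "reject_unauth_destination" and not authorized_destination(cfg, recipient):
            return "reject", r
        if r == "defer_unauth_destination" and not authorized_destination(cfg, recipient):
            return "defer", r
        if r in ("reject", "permit"):
            return r, r
    return "permit", None


def relay_decision(cfg: RelayConfig, session: Session, recipient: str,
                   relay_restrictions: str, recipient_restrictions: str
                   ) -> Tuple[str, Optional[str]]:
    """Outcome of RCPT TO: a permit in the relay list does not skip the
    recipient list, only a reject or defer ends the evaluation."""
    for value in (relay_restrictions, recipient_restrictions):
        action, matched = evaluate(parse_restrictions(value), cfg, session, recipient)
        if action in ("reject", "defer"):
            return action, matched
    return "permit", None


# Constructed configuration for the checks below.
CFG = RelayConfig(mynetworks=["127.0.0.0/8", "192.0.2.0/24"],
                  local_domains={"example.com"}, relay_domains={"relay.example"})
DEFAULT_RELAY = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
```
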
User-defined aliases for groups of access restrictions. The aliases can be specified in smtpd_recipient_restrictions etc., and on the right-hand side of a Postfix access(5) table.

One major application is for implementing per-recipient UCE control. See the RESTRICTION_CLASS_README document for other examples.

The application name that the Postfix SMTP server uses for SASL server initialization. This controls the name of the SASL configuration file. The default value is smtpd, corresponding to a SASL configuration file named smtpd.conf.

This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it was renamed to smtpd_sasl_path.

Enable SASL authentication in the Postfix SMTP server. By default, the Postfix SMTP server does not use authentication.

If a remote SMTP client is authenticated, the permit_sasl_authenticated access restriction can be used to permit relay access, like this:

    # With Postfix 2.10 and later, the mail relay policy is
    # preferably specified under smtpd_relay_restrictions.
    smtpd_relay_restrictions =
        permit_mynetworks, permit_sasl_authenticated, ...

    # With Postfix before 2.10, the relay policy can be
    # specified only under smtpd_recipient_restrictions.
    smtpd_recipient_restrictions =
        permit_mynetworks, permit_sasl_authenticated, ...

To reject all SMTP connections from unauthenticated clients, specify "smtpd_delay_reject = yes" (which is the default) and use:

    smtpd_client_restrictions = permit_sasl_authenticated, reject

See the SASL_README file for SASL configuration and operation details.

Report the SASL authenticated user name in the smtpd(8) Received message header.

This feature is available in Postfix 2.3 and later.

What remote SMTP clients the Postfix SMTP server will not offer AUTH support to.

Some clients (Netscape 4 at least) have a bug that causes them to require a login and password whenever AUTH is offered, whether it's necessary or not. To work around this, specify, for example, $mynetworks to prevent Postfix from offering AUTH to local clients.

Specify a list of network/netmask patterns, separated by commas and/or whitespace. The mask specifies the number of bits in the network part of a host address. You can also specify "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in the smtpd_sasl_exceptions_networks value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.

Example:

    smtpd_sasl_exceptions_networks = $mynetworks

This feature is available in Postfix 2.1 and later.

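The Python model below is an added example, not Postfix code. It parses a network/netmask list as described above (CIDR and bare addresses, "!pattern" exclusions, IPv6 inside [], $name expansion from a constructed parameter dictionary) and reports whether AUTH would be offered to a client; "/file/name" and "type:table" patterns are reported rather than read, which is also where an unbracketed IPv6 address ends up, the trap the note above warns about. All networks are constructed.

```python
"""Model of the network/netmask pattern list of smtpd_sasl_exceptions_networks
(the same syntax as mynetworks). Added example, not Postfix source."""
import ipaddress
import re
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Pattern = Tuple[bool, Network]          # (negated, network)

_PARAM_RE = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def expand_params(value: str, params: Dict[str, str]) -> str:
    """$name / ${name} substitution; an undefined parameter becomes empty.

    Bounded instead of fully recursive so a self-referencing value cannot
    loop forever (assumption of this model).
    """
    for _ in range(8):
        expanded = _PARAM_RE.sub(lambda m: params.get(m.group(1), ""), value)
        if expanded == value:
            break
        value = expanded
    return value


def parse_network_list(value: str, params: Dict[str, str]) -> List[Pattern]:
    """Turn the parameter value into ordered (negated, network) patterns."""
    patterns: List[Pattern] = []
    for token in expand_params(value, params).replace(",", " ").split():
        negated = token.startswith("!")
        if negated:
            token = token[1:]
        if token.startswith("/") or (":" in token and not token.startswith("[")):
            # "/file/name" and "type:table" need file or table access. An
            # IPv6 address written without [] lands here too, because its
            # ":" makes it look like a "type:table" pattern.
            raise ValueError(f"{token!r}: file/table pattern, or IPv6 address "
                             "that must be written inside []")
        if token.startswith("["):
            host, _, mask = token.partition("]")   # "[2001:db8::]/32"
            token = host[1:] + mask                  # -> "2001:db8::/32"
        patterns.append((negated, ipaddress.ip_network(token, strict=False)))
    return patterns


def matches_network_list(patterns: List[Pattern], client: str) -> bool:
    """First matching pattern decides; a "!" match means "not in the list"."""
    ip = ipaddress.ip_address(client)
    for negated, net in patterns:
        if ip.version == net.version and ip in net:
            return not negated
    return False


def auth_offered(client: str, exceptions: str, params: Dict[str, str]) -> bool:
    """Does the server advertise AUTH to this client? Not to exceptions."""
    return not matches_network_list(parse_network_list(exceptions, params), client)


# Constructed values for the checks below.
PARAMS = {"mynetworks": "127.0.0.0/8 [::1]/128"}
EXCEPTIONS = "$mynetworks, !192.0.2.99, 192.0.2.0/24, [2001:db8::]/32"
```
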
The name of the Postfix SMTP server's local SASL authentication realm.

By default, the local authentication realm name is the null string.

Examples:

    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_local_domain = $myhostname

Implementation-specific information that the Postfix SMTP server passes through to the SASL plug-in implementation that is selected with smtpd_sasl_type. Typically this specifies the name of a configuration file or rendezvous point.

This feature is available in Postfix 2.3 and later. In earlier releases it was called smtpd_sasl_application_name.

The maximum length of a SASL client's response to a server challenge. When the client's "initial response" is longer than the normal limit for SMTP commands, the client must omit its initial response, and wait for an empty server challenge; it can then send what would have been its "initial response" as a response to the empty server challenge. RFC 4954 requires the server to accept client responses up to at least 12288 octets of base64-encoded text. The default value is therefore also the minimum value accepted for this parameter.

This feature is available in Postfix 3.4 and later. Prior versions use "line_length_limit", which may need to be raised to accommodate larger client responses, as may be needed with GSSAPI authentication of Windows AD users who are members of many groups.

Postfix SMTP server SASL security options; as of Postfix 2.3 the list of available features depends on the SASL server implementation that is selected with smtpd_sasl_type.

The following security features are defined for the cyrus server SASL implementation:

Restrict what authentication mechanisms the Postfix SMTP server will offer to the client. The list of available authentication mechanisms is system dependent.

Specify zero or more of the following:

noplaintext
    Disallow methods that use plaintext passwords.

noactive
    Disallow methods subject to active (non-dictionary) attack.

nodictionary
    Disallow methods subject to passive (dictionary) attack.

noanonymous
    Disallow methods that allow anonymous authentication.

forward_secrecy
    Only allow methods that support forward secrecy (Dovecot only).

mutual_auth
    Only allow methods that provide mutual authentication (not available with Cyrus SASL version 1).

By default, the Postfix SMTP server accepts plaintext passwords but not anonymous logins.

Warning: it appears that clients try authentication methods in the order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) which means that if you disable plaintext passwords, clients will log in anonymously, even when they should be able to use CRAM-MD5. So, if you disable plaintext logins, disable anonymous logins too. Postfix treats anonymous login as no authentication.

Example:

    smtpd_sasl_security_options = noanonymous, noplaintext

The service name that is passed to the SASL plug-in that is selected with smtpd_sasl_type and smtpd_sasl_path.

This feature is available in Postfix 2.11 and later. Prior versions behave as if "smtp" is specified.

The SASL authentication security options that the Postfix SMTP server uses for TLS encrypted SMTP sessions.

This feature is available in Postfix 2.2 and later.

The SASL plug-in type that the Postfix SMTP server should use for authentication. The available types are listed with the "postconf -a" command.

This feature is available in Postfix 2.3 and later.

Optional lookup table with the SASL login names that own the sender (MAIL FROM) addresses.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following search operations are done with a sender address of user@domain:

1) user@domain
    This table lookup is always done and has the highest precedence.

2) user
    This table lookup is done only when the domain part of the sender address matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.

3) @domain
    This table lookup is done last and has the lowest precedence.

In all cases the result of table lookup must be either "not found" or a list of SASL login names separated by comma and/or whitespace.

Optional restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

The default is to permit everything.

Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. Restrictions are applied in the order as specified; the first restriction that matches wins.

The following restrictions are specific to the sender address received with the MAIL FROM command.

check_sender_access type:table
    Search the specified access(5) database for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action.

check_sender_a_access type:table
    Search the specified access(5) database for the IP addresses for the MAIL FROM domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 3.0 and later.

check_sender_mx_access type:table
    Search the specified access(5) database for the MX hosts for the MAIL FROM domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.

check_sender_ns_access type:table
    Search the specified access(5) database for the DNS servers for the MAIL FROM domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.

reject_authenticated_sender_login_mismatch
    Enforces the reject_sender_login_mismatch restriction for authenticated clients only. This feature is available in Postfix version 2.1 and later.

reject_known_sender_login_mismatch
    Apply the reject_sender_login_mismatch restriction only to MAIL FROM addresses that are known in $smtpd_sender_login_maps. This feature is available in Postfix version 2.11 and later.

reject_non_fqdn_sender
    Reject the request when the MAIL FROM address specifies a domain that is not in fully-qualified domain form as required by the RFC.
    The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

reject_rhsbl_sender rbl_domain=d.d.d.d
    Reject the request when the MAIL FROM domain is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the MAIL FROM domain is listed with any A record under rbl_domain.
    The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554); the default_rbl_reply parameter specifies the default server reply; and the rbl_reply_maps parameter specifies tables with server replies indexed by rbl_domain. This feature is available in Postfix 2.0 and later.

reject_sender_login_mismatch
    Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.

reject_unauthenticated_sender_login_mismatch
    Enforces the reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later.

reject_unknown_sender_domain
    Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
    The reply is specified with the unknown_address_reject_code parameter (default: 450), unknown_address_tempfail_action (default: defer_if_permit), or 550 (nullmx, Postfix 3.0 and later). See the respective parameter descriptions for details.

reject_unlisted_sender
    Reject the request when the MAIL FROM address is not listed in the list of valid recipients for its domain class. See the smtpd_reject_unlisted_sender parameter description for details. This feature is available in Postfix 2.1 and later.

reject_unverified_sender
    Reject the request when mail to the MAIL FROM address is known to bounce, or when the sender address destination is not reachable. Address verification information is managed by the verify(8) server; see the ADDRESS_VERIFICATION_README file for details.
    The unverified_sender_reject_code parameter specifies the numerical response code when an address is known to bounce (default: 450, change into 550 when you are confident that it is safe to do so).
    The unverified_sender_defer_code parameter specifies the numerical response code when an address probe failed due to a temporary problem (default: 450).
    The unverified_sender_tempfail_action parameter specifies the action after address probe failure due to a temporary problem (default: defer_if_permit).
    This feature breaks for aliased addresses with "enable_original_recipient = no" (Postfix <= 3.2).
    This feature is available in Postfix 2.1 and later.

Other restrictions that are valid in this context:

· Generic restrictions that can be used in any SMTP command context, described under smtpd_client_restrictions.

· SMTP command specific restrictions described under smtpd_client_restrictions and smtpd_helo_restrictions.

· SMTP command specific restrictions described under smtpd_recipient_restrictions. When recipient restrictions are listed under smtpd_sender_restrictions, they have effect only with "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions is evaluated at the time of the RCPT TO command.

Examples:

    smtpd_sender_restrictions = reject_unknown_sender_domain
    smtpd_sender_restrictions = reject_unknown_sender_domain,
        check_sender_access hash:/etc/postfix/access

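The smtpd_sender_login_maps lookup order and the four reject_*sender_login_mismatch restrictions above fit together in one Python model, an added example that is not Postfix code. The table is a dictionary whose values use the documented result format (login names separated by comma and/or whitespace); the "local domains" set stands in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces; all entries are constructed.

```python
"""Model of smtpd_sender_login_maps lookups and of the
reject_*sender_login_mismatch restrictions of smtpd_sender_restrictions.
Added example, not Postfix source."""
from typing import Dict, List, Optional, Set

MISMATCH_RESTRICTIONS = {
    "reject_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch",
    "reject_unauthenticated_sender_login_mismatch",
    "reject_known_sender_login_mismatch",
}


def lookup_sender_owners(table: Dict[str, str], sender: str,
                         local_domains: Set[str]) -> Optional[List[str]]:
    """SASL logins that own MAIL FROM <sender>, or None for "not found".

    Lookup order as in postconf(5): user@domain always; bare user only
    when the domain matches $myorigin, $mydestination, $inet_interfaces or
    $proxy_interfaces (local_domains here); @domain last.
    """
    sender = sender.lower()
    user, _, domain = sender.rpartition("@")
    keys = [sender]
    if domain in local_domains:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return table[key].replace(",", " ").split()
    return None


def sender_login_mismatch(restriction: str, table: Dict[str, str], sender: str,
                          login: Optional[str], local_domains: Set[str]) -> bool:
    """True when the named restriction rejects this MAIL FROM.

    login is the SASL login name, or None for an unauthenticated client.
    """
    if restriction not in MISMATCH_RESTRICTIONS:
        raise ValueError(f"not a sender login mismatch restriction: {restriction}")
    owners = lookup_sender_owners(table, sender, local_domains)
    # The three variants narrow the base rule to a subset of cases.
    if restriction == "reject_authenticated_sender_login_mismatch" and login is None:
        return False
    if restriction == "reject_unauthenticated_sender_login_mismatch" and login is not None:
        return False
    if restriction == "reject_known_sender_login_mismatch" and owners is None:
        return False
    # Base rule, both halves of the postconf(5) definition:
    if owners is not None:
        return login is None or login not in owners   # address has an owner, client is not it
    return login is not None                          # logged in, but owns no such address


# Constructed table and local domain list for the checks below.
TABLE = {"alice@example.com": "alice", "bob": "bob", "@example.com": "postmaster, alice"}
LOCAL = {"example.com"}
```
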
The internal service that postscreen(8) hands off allowed connections to. In a future version there may be different classes of SMTP service.

This feature is available in Postfix 2.8.

The number of errors a remote SMTP client is allowed to make without delivering mail before the Postfix SMTP server slows down all its responses.

· With Postfix version 2.1 and later, the Postfix SMTP server delays all responses by $smtpd_error_sleep_time seconds.

· With Postfix versions 2.0 and earlier, the Postfix SMTP server delays all responses by (number of errors) seconds.

The time limit for Postfix SMTP server write and read operations during TLS startup and shutdown handshake procedures. The current default value is stress-dependent. Before Postfix version 2.8, it was fixed at 300s.

This feature is available in Postfix 2.2 and later.

The time limit for sending a Postfix SMTP server response and for receiving a remote SMTP client request. Normally the default limit is 300s, but it changes under overload to just 10s. With Postfix 2.5 and earlier, the SMTP server always uses a time limit of 300s by default.

Note: if you set SMTP time limits to very large values you may have to update the global ipc_timeout parameter.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates. These are loaded into memory before the smtpd(8) server enters the chroot jail. If the number of trusted roots is large, consider using smtpd_tls_CApath instead, but note that the latter directory must be present in the chroot jail if the smtpd(8) server is chrooted. This file may also be used to augment the server certificate trust chain, but it is best to include all the required certificates directly in the server certificate file.

Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY the system-supplied default Certification Authority certificates.

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty. If you do make use of client certificates, the distinguished names (DNs) of the Certification Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP client in the client certificate request message. MUAs with multiple client certificates may use the list of preferred Certification Authorities to select the correct client certificate. You may want to put your "preferred" CA or CAs in this file, and install other trusted CAs in $smtpd_tls_CApath.

Example:

    smtpd_tls_CAfile = /etc/postfix/CAcert.pem

This feature is available in Postfix 2.2 and later.

A directory containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates. Do not forget to create the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail.

Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to use ONLY the system-supplied default Certification Authority certificates.

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast to smtpd_tls_CAfile, DNs of Certification Authorities installed in $smtpd_tls_CApath are not included in the client certificate request message. MUAs with multiple client certificates may use the list of preferred Certification Authorities to select the correct client certificate. You may want to put your "preferred" CA or CAs in $smtpd_tls_CAfile, and install the remaining trusted CAs in $smtpd_tls_CApath.

Example:

    smtpd_tls_CApath = /etc/postfix/certs

This feature is available in Postfix 2.2 and later.

Force the Postfix SMTP server to issue a TLS session id, even when TLS session caching is turned off (smtpd_tls_session_cache_database is empty). This behavior is compatible with Postfix < 2.3.

With Postfix 2.3 and later the Postfix SMTP server can disable session id generation when TLS session caching is turned off. This keeps remote SMTP clients from caching sessions that almost certainly cannot be re-used.

By default, the Postfix SMTP server always generates TLS session ids. This works around a known defect in mail client applications such as MS Outlook, and may also prevent interoperability issues with other MTAs.

Example:

    smtpd_tls_always_issue_session_ids = no

This feature is available in Postfix 2.3 and later.

10567 Ask a remote SMTP client for a client certificate. This information is
10568 needed for certificate based mail relaying with, for example, the per‐
10569 mit_tls_clientcerts feature.
10570
10571 Some clients such as Netscape will either complain if no certificate is
10572 available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
10573 tiple client certificates to choose from. This may be annoying, so this
10574 option is "off" by default.
10575
10576 This feature is available in Postfix 2.2 and later.
10577
10579 When TLS encryption is optional in the Postfix SMTP server, do not
10580 announce or accept SASL authentication over unencrypted connections.
10581
10582 This feature is available in Postfix 2.2 and later.
10583
10585 The verification depth for remote SMTP client certificates. A depth of
10586 1 is sufficient if the issuing CA is listed in a local CA file.
10587
10588 The default verification depth is 9 (the OpenSSL default) for compati‐
10589 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
10590 value was 5, but the limit was not actually enforced. If you have set
10591 this to a lower non-default value, certificates with longer trust
10592 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
10593 common, deeper chains are more rare and any number between 5 and 9
10594 should suffice in practice. You can choose a lower number if, for exam‐
10595 ple, you trust certificates directly signed by an issuing CA but not
10596 any CAs it delegates to.
10597
10598 This feature is available in Postfix 2.2 and later.
10599
10601 File with the Postfix SMTP server RSA certificate in PEM format. This
10602 file may also contain the Postfix SMTP server private RSA key. With
10603 Postfix >= 3.4 the preferred way to configure server keys and certifi‐
10604 cates is via the "smtpd_tls_chain_files" parameter.
10605
10606 Public Internet MX hosts without certificates signed by a "reputable"
10607 CA must generate, and be prepared to present to most clients, a
10608 self-signed or private-CA signed certificate. The client will not be
10609 able to authenticate the server, but unless it is running Postfix 2.3
10610 or similar software, it will still insist on a server certificate.
10611
10612 For servers that are not public Internet MX hosts, Postfix supports
10613 configurations with no certificates. This entails the use of just the
10614 anonymous TLS ciphers, which are not supported by typical SMTP clients.
10615 Since some clients may not fall back to plain text after a TLS hand‐
10616 shake failure, a certificate-less Postfix SMTP server will be unable to
10617 receive email from some TLS-enabled clients. To avoid accidental con‐
10618 figurations with no certificates, Postfix enables certificate-less
10619 operation only when the administrator explicitly sets
10620 "smtpd_tls_cert_file = none". This ensures that new Postfix SMTP server
10621 configurations will not accidentally enable TLS without certificates.
10622
10623 Note that server certificates are not optional in TLS 1.3. To run with‐
10624 out certificates you'd have to disable the TLS 1.3 protocol by includ‐
10625 ing '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also
10626 "smtpd_tls_mandatory_protocols". It is simpler instead to just config‐
10627 ure a certificate chain. Certificate-less operation is not recom‐
10628 mended.
10629
10630 Both RSA and DSA certificates are supported. When both types are
10631 present, the cipher used determines which certificate will be presented
10632 to the client. For Netscape and OpenSSL clients without special cipher
10633 choices the RSA certificate is preferred.
10634
10635 To enable a remote SMTP client to verify the Postfix SMTP server cer‐
10636 tificate, the issuing CA certificates must be made available to the
10637 client. You should include the required certificates in the server cer‐
10638 tificate file, the server certificate first, then the issuing CA(s)
10639 (bottom-up order).
10640
10641 Example: the certificate for "server.example.com" was issued by "inter‐
10642 mediate CA" which itself has a certificate of "root CA". Create the
10643 server.pem file with "cat server_cert.pem intermediate_CA.pem
10644 root_CA.pem > server.pem".
10645
10646 If you also want to verify client certificates issued by these CAs, you
10647 can add the CA certificates to the smtpd_tls_CAfile, in which case it
10648 is not necessary to have them in the smtpd_tls_cert_file,
10649 smtpd_tls_dcert_file (obsolete) or smtpd_tls_eccert_file.
10650
10651 A certificate supplied here must be usable as an SSL server certificate
10652 and hence pass the "openssl verify -purpose sslserver ..." test.
10653
10654 Example:
10655
10656 smtpd_tls_cert_file = /etc/postfix/server.pem
10657
10658 This feature is available in Postfix 2.2 and later.
10659
10661 List of one or more PEM files, each holding one or more private keys
10662 directly followed by a corresponding certificate chain. The file names
10663 are separated by commas and/or whitespace. This parameter obsoletes
10664 the legacy algorithm-specific key and certificate file settings. When
10665 this parameter is non-empty, the legacy parameters are ignored, and a
10666 warning is logged if any are also non-empty.
10667
10668 With the proliferation of multiple private key algorithms, which, as of
10669 OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448, it
10670 is increasingly impractical to use separate parameters to configure the
10671 key and certificate chain for each algorithm. Therefore, Postfix now
10672 supports storing multiple keys and corresponding certificate chains in
10673 a single file or in a set of files.
10674
10675 Each key must appear immediately before the corresponding certificate,
10676 optionally followed by additional issuer certificates that complete the
10677 certificate chain for that key. When multiple files are specified,
10678 they are equivalent to a single file that is concatenated from those
10679 files in the given order. Thus, while a key must always precede its
10680 certificate and issuer chain, it can be in a separate file, so long as
10681 that file is listed immediately before the file that holds the corre‐
10682 sponding certificate chain. Once all the files are concatenated, the
10683 sequence of PEM objects must be: key1, cert1, [chain1], key2, cert2,
10684 [chain2], ..., keyN, certN, [chainN].
10685
10686 Storing the private key in the same file as the corresponding certifi‐
10687 cate is more reliable. With the key and certificate in separate files,
10688 there is a chance that during key rollover a Postfix process might load
10689 a private key and certificate from separate files that don't match.
10690 Various operational errors may even result in a persistent broken con‐
10691 figuration in which the certificate does not match the private key.
10692
10693 The file or files must contain at most one key of each type. If, for
10694 example, two or more RSA keys and corresponding chains are listed,
10695 depending on the version of OpenSSL either only the last one will be
10696 used or a configuration error may be detected. Note that while
10697 "Ed25519" and "Ed448" are considered separate algorithms, the various
10698 ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
10699 considered as different parameters of a single "ECDSA" algorithm, so it
10700 is not presently possible to configure keys for more than one ECDSA
10701 curve.
10702
10703 RSA is still the most widely supported algorithm. Presently (late
10704 2018), ECDSA support is common, but not yet universal, and Ed25519 and
10705 Ed448 support is mostly absent. Therefore, an RSA key should generally
10706 be configured, along with any additional keys for the other algorithms
10707 when desired.
10708
10709 Example (separate files for each key and corresponding certificate
10710 chain):
10711
10712 /etc/postfix/main.cf:
10713 smtpd_tls_chain_files =
10714 ${config_directory}/ed25519.pem,
10715 ${config_directory}/ed448.pem,
10716 ${config_directory}/rsa.pem
10717
10718 /etc/postfix/ed25519.pem:
10719 -----BEGIN PRIVATE KEY-----
10720 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
10721 -----END PRIVATE KEY-----
10722 -----BEGIN CERTIFICATE-----
10723 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
10724 ...
10725 nC0egv51YPDWxEHom4QA
10726 -----END CERTIFICATE-----
10727
10728 /etc/postfix/ed448.pem:
10729 -----BEGIN PRIVATE KEY-----
10730 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
10731 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
10732 -----END PRIVATE KEY-----
10733 -----BEGIN CERTIFICATE-----
10734 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
10735 ...
10736 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
10737 -----END CERTIFICATE-----
10738
10739 /etc/postfix/rsa.pem:
10740 -----BEGIN PRIVATE KEY-----
10741 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
10742 ...
10743 ahQkZ3+krcaJvDSMgvu0tDc=
10744 -----END PRIVATE KEY-----
10745 -----BEGIN CERTIFICATE-----
10746 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
10747 ...
10748 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
10749 -----END CERTIFICATE-----
10750
10751 Example (all keys and certificates in a single file):
10752
10753 /etc/postfix/main.cf:
10754 smtpd_tls_chain_files = ${config_directory}/chains.pem
10755
10756 /etc/postfix/chains.pem:
10757 -----BEGIN PRIVATE KEY-----
10758 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
10759 -----END PRIVATE KEY-----
10760 -----BEGIN CERTIFICATE-----
10761 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
10762 ...
10763 nC0egv51YPDWxEHom4QA
10764 -----END CERTIFICATE-----
10765 -----BEGIN PRIVATE KEY-----
10766 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
10767 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
10768 -----END PRIVATE KEY-----
10769 -----BEGIN CERTIFICATE-----
10770 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
10771 ...
10772 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
10773 -----END CERTIFICATE-----
10774 -----BEGIN PRIVATE KEY-----
10775 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
10776 ...
10777 ahQkZ3+krcaJvDSMgvu0tDc=
10778 -----END PRIVATE KEY-----
10779 -----BEGIN CERTIFICATE-----
10780 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
10781 ...
10782 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
10783 -----END CERTIFICATE-----
10784
10785 This feature is available in Postfix 3.4 and later.
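
As an added example that is not part of the Postfix manual or code, the following Python script checks a set of chain files against the layout rules above: the files are read as one stream in the listed order, each key must be immediately followed by its certificate, and at most one key per algorithm may appear. Only the PKCS#8 header of each key is decoded (to read the algorithm OID); the key material is the manual's own example Ed25519 and Ed448 keys, and the certificate bodies are constructed placeholders because certificates are not parsed.

```python
# Added example (not Postfix code): structural check for the files listed in
# smtpd_tls_chain_files. Only the PKCS#8 header of each key is decoded, enough
# to read the algorithm OID; certificates are not parsed.
import base64
import re

# Algorithm OIDs as found in the AlgorithmIdentifier of a PKCS#8 PrivateKeyInfo.
KEY_OIDS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "ECDSA",
    "1.2.840.10040.4.1": "DSA",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}
# Legacy PKCS#1 / SEC1 labels name the algorithm without decoding anything.
LEGACY_KEY_LABELS = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "ECDSA",
                     "DSA PRIVATE KEY": "DSA"}
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_objects(text):
    """Yield (label, der_bytes) for each PEM object in text, in file order."""
    for m in PEM_RE.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Render the contents of a DER OBJECT IDENTIFIER as dotted decimal."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def pkcs8_algorithm(der):
    """Algorithm name of a PKCS#8 PrivateKeyInfo (version, algid, key)."""
    _, info, _ = der_tlv(der)               # outer SEQUENCE
    _, _, pos = der_tlv(info)               # INTEGER version
    _, algid, _ = der_tlv(info, pos)        # SEQUENCE AlgorithmIdentifier
    _, oid, _ = der_tlv(algid)              # OBJECT IDENTIFIER algorithm
    dotted = decode_oid(oid)
    return KEY_OIDS.get(dotted, "unknown:" + dotted)


def check_chain_files(files):
    """Return the problems found in the concatenation of the given PEM texts.

    files are checked in smtpd_tls_chain_files order as one stream, which is
    how Postfix treats them: key1, cert1, [chain1], key2, cert2, ... with
    each key directly followed by its certificate and one key per algorithm.
    """
    problems, seen, key_pending = [], set(), False
    for label, der in pem_objects("".join(files)):
        if label == "PRIVATE KEY" or label in LEGACY_KEY_LABELS:
            if key_pending:
                problems.append("key not followed by its certificate")
            alg = LEGACY_KEY_LABELS.get(label) or pkcs8_algorithm(der)
            if alg in seen:
                problems.append("more than one %s key" % alg)
            seen.add(alg)
            key_pending = True
        elif label == "CERTIFICATE":
            if not seen:
                problems.append("certificate before any private key")
            key_pending = False
        else:
            problems.append("unexpected PEM object: " + label)
    if key_pending:
        problems.append("trailing key without certificate")
    return problems


# Sample input: the Ed25519 and Ed448 private keys are the manual page's own
# example keys; the certificate bodies are constructed placeholders.
ED25519_PEM = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
AAAAAAAA
-----END CERTIFICATE-----
"""
ED448_PEM = """-----BEGIN PRIVATE KEY-----
MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
AAAAAAAA
-----END CERTIFICATE-----
"""
```

Run check_chain_files on the texts of your real chain files, in main.cf order, before a reload; a non-empty result is the mismatch this entry warns about, caught before a Postfix process loads it.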
10786
10788 Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
10789 list. It is easy to create interoperability problems by choosing a
10790 non-default cipher list. Do not use a non-default TLS cipherlist for MX
10791 hosts on the public Internet. Clients that begin the TLS handshake, but
10792 are unable to agree on a common cipher, may not be able to send any
10793 email to the SMTP server. Using a restricted cipher list may be more
10794 appropriate for a dedicated MSA or an internal mailhub, where one can
10795 exert some control over the TLS software and settings of the connecting
10796 clients.
10797
10798 Note: do not use "" quotes around the parameter value.
10799
10800 This feature is available with Postfix version 2.2. It is not used with
10801 Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
10802
10804 The minimum TLS cipher grade that the Postfix SMTP server will use with
10805 opportunistic TLS encryption. Cipher types listed in
10806 smtpd_tls_exclude_ciphers are excluded from the base definition of the
10807 selected cipher grade. The default value is "medium" for Postfix
10808 releases after the middle of 2015, "export" for older releases.
10809
10810 When TLS is mandatory the cipher grade is chosen via the
10811 smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
10812 tax details.
10813
10814 This feature is available in Postfix 2.6 and later. With earlier Post‐
10815 fix releases only the smtpd_tls_mandatory_ciphers parameter is imple‐
10816 mented, and opportunistic TLS always uses "export" or better (i.e. all)
10817 ciphers.
10818
10820 File with the Postfix SMTP server DSA certificate in PEM format. This
10821 file may also contain the Postfix SMTP server private DSA key. The DSA
10822 algorithm is obsolete and should not be used.
10823
10824 See the discussion under smtpd_tls_cert_file for more details.
10825
10826 Example:
10827
10828 smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
10829
10830 This feature is available in Postfix 2.2 and later.
10831
10833 File with DH parameters that the Postfix SMTP server should use with
10834 non-export EDH ciphers.
10835
10836 Instead of using the exact same parameter sets as distributed with
10837 other TLS packages, it is more secure to generate your own set of
10838 parameters with something like the following commands:
10839
10840 openssl dhparam -out /etc/postfix/dh512.pem 512
10841 openssl dhparam -out /etc/postfix/dh1024.pem 1024
10842 openssl dhparam -out /etc/postfix/dh2048.pem 2048
10843
10844 It is safe to share the same DH parameters between multiple Postfix
10845 instances. If you prefer, you can generate separate parameters for
10846 each instance.
10847
10848 If you want to take maximal advantage of ciphers that offer forward
10849 secrecy see the Getting started section of FORWARD_SECRECY_README. The
10850 full document conveniently presents all information about Postfix "per‐
10851 fect" forward secrecy support in one place: what forward secrecy is,
10852 how to tweak settings, and what you can expect to see when Postfix uses
10853 ciphers with forward secrecy.
10854
10855 Example:
10856
10857 smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
10858
10859 This feature is available with Postfix version 2.2.
10860
10862 File with DH parameters that the Postfix SMTP server should use with
10863 export-grade EDH ciphers. The default SMTP server cipher grade is
10864 "medium" with Postfix releases after the middle of 2015, and as a
10865 result export-grade cipher suites are by default not used.
10866
10867 See also the discussion under the smtpd_tls_dh1024_param_file configu‐
10868 ration parameter.
10869
10870 Example:
10871
10872 smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
10873
10874 This feature is available with Postfix version 2.2.
10875
10877 File with the Postfix SMTP server DSA private key in PEM format. This
10878 file may be combined with the Postfix SMTP server DSA certificate file
10879 specified with $smtpd_tls_dcert_file. The DSA algorithm is obsolete and
10880 should not be used.
10881
10882 The private key must be accessible without a pass-phrase, i.e. it must
10883 not be encrypted. File permissions should grant read-only access to the
10884 system superuser account ("root"), and no access to anyone else.
10885
10886 This feature is available in Postfix 2.2 and later.
10887
10889 File with the Postfix SMTP server ECDSA certificate in PEM format.
10890 This file may also contain the Postfix SMTP server private ECDSA key.
10891 With Postfix >= 3.4 the preferred way to configure server keys and cer‐
10892 tificates is via the "smtpd_tls_chain_files" parameter.
10893
10894 See the discussion under smtpd_tls_cert_file for more details.
10895
10896 Example:
10897
10898 smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
10899
10900 This feature is available in Postfix 2.6 and later, when Postfix is
10901 compiled and linked with OpenSSL 1.0.0 or later.
10902
10904 File with the Postfix SMTP server ECDSA private key in PEM format.
10905 This file may be combined with the Postfix SMTP server ECDSA certifi‐
10906 cate file specified with $smtpd_tls_eccert_file. With Postfix >= 3.4
10907 the preferred way to configure server keys and certificates is via the
10908 "smtpd_tls_chain_files" parameter.
10909
10910 The private key must be accessible without a pass-phrase, i.e. it must
10911 not be encrypted. File permissions should grant read-only access to the
10912 system superuser account ("root"), and no access to anyone else.
10913
10914 This feature is available in Postfix 2.6 and later, when Postfix is
10915 compiled and linked with OpenSSL 1.0.0 or later.
10916
10918 The Postfix SMTP server security grade for ephemeral elliptic-curve
10919 Diffie-Hellman (EECDH) key exchange.
10920
10921 The available choices are:
10922
10923 none Don't use EECDH. Ciphers based on EECDH key exchange will be
10924 disabled. This is the default in Postfix versions 2.6 and 2.7.
10925
10926 strong Use EECDH with approximately 128 bits of security at a reason‐
10927 able computational cost. This is the current best-practice
10928 trade-off between security and computational efficiency. This is
10929 the default in Postfix version 2.8 and later.
10930
10931 ultra Use EECDH with approximately 192 bits of security at computa‐
10932 tional cost that is approximately twice as high as 128 bit
10933 strength ECC. Barring significant progress in attacks on ellip‐
10934 tic curve crypto-systems, the "strong" curve is sufficient for
10935 most users.
10936
10937 auto Use the most preferred curve that is supported by both the
10938 client and the server. This setting requires Postfix >= 3.2
10939 compiled and linked with OpenSSL >= 1.0.2. This is the default
10940 setting under the above conditions.
10941
10942 If you want to take maximal advantage of ciphers that offer forward
10943 secrecy see the Getting started section of FORWARD_SECRECY_README. The
10944 full document conveniently presents all information about Postfix "per‐
10945 fect" forward secrecy support in one place: what forward secrecy is,
10946 how to tweak settings, and what you can expect to see when Postfix uses
10947 ciphers with forward secrecy.
10948
10949 This feature is available in Postfix 2.6 and later, when it is compiled
10950 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
10951 have not been disabled by the vendor.
10952
10954 List of ciphers or cipher types to exclude from the SMTP server cipher
10955 list at all TLS security levels. Excluding valid ciphers can create
10956 interoperability problems. DO NOT exclude ciphers unless it is essen‐
10957 tial to do so. This is not an OpenSSL cipherlist; it is a simple list
10958 separated by whitespace and/or commas. The elements are a single
10959 cipher, or one or more "+" separated cipher properties, in which case
10960 only ciphers matching all the properties are excluded.
10961
10962 Examples (some of these will cause problems):
10963
10964 smtpd_tls_exclude_ciphers = aNULL
10965 smtpd_tls_exclude_ciphers = MD5, DES
10966 smtpd_tls_exclude_ciphers = DES+MD5
10967 smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
10968 smtpd_tls_exclude_ciphers = kEDH+aRSA
10969
10970 The first setting disables anonymous ciphers. The next setting disables
10971 ciphers that use the MD5 digest algorithm or the (single) DES encryp‐
10972 tion algorithm. The next setting disables ciphers that use MD5 and DES
10973 together. The next setting disables the two ciphers "AES256-SHA" and
10974 "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key
10975 exchange with RSA authentication.
10976
10977 This feature is available in Postfix 2.3 and later.
10978
10980 The message digest algorithm to construct remote SMTP client-certifi‐
10981 cate fingerprints or public key fingerprints (Postfix 2.9 and later)
10982 for check_ccert_access and permit_tls_clientcerts. The default algo‐
10983 rithm is md5, for backwards compatibility with Postfix releases prior
10984 to 2.5.
10985
10986 Advances in hash function cryptanalysis have led to md5 being depre‐
10987 cated in favor of sha1. However, as long as there are no known "second
10988 pre-image" attacks against md5, its use in this context can still be
10989 considered safe.
10990
10991 While additional digest algorithms are often available with OpenSSL's
10992 libcrypto, only those used by libssl in SSL cipher suites are available
10993 to Postfix.
10994
10995 To find the fingerprint of a specific certificate file, with a specific
10996 digest algorithm, run:
10997
10998 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
10999
11000 The text to the right of "=" sign is the desired fingerprint. For
11001 example:
11002
11003 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
11004 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
11005
11006 To extract the public key fingerprint from an X.509 certificate, you
11007 need to extract the public key from the certificate and compute the
11008 appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
11009 key" option of the "x509" command extracts the public key always in
11010 "PEM" format. We pipe the result to another OpenSSL command that con‐
11011 verts the key to DER and then to the "dgst" command to compute the fin‐
11012 gerprint.
11013
11014 The actual command to transform the key to DER format depends on the
11015 version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
11016 mand supports all key types. With OpenSSL 0.9.8 and earlier, the key
11017 type is always RSA (nobody uses DSA, and EC keys are not fully sup‐
11018 ported by 0.9.8), so the "rsa" command is used.
11019
11020 # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
11021 $ openssl x509 -in cert.pem -noout -pubkey |
11022 openssl pkey -pubin -outform DER |
11023 openssl dgst -sha1 -c
11024 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
11025
11026 # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
11027 $ openssl x509 -in cert.pem -noout -pubkey |
11028 openssl rsa -pubin -outform DER |
11029 openssl dgst -md5 -c
11030 (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
11031
11032 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
11033 gerprint and public key fingerprint when the TLS loglevel is 2 or
11034 higher.
11035
11036 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
11037 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
11038 later.
11039
11040 Example: client-certificate access table, with sha1 fingerprints:
11041
11042 /etc/postfix/main.cf:
11043 smtpd_tls_fingerprint_digest = sha1
11044 smtpd_client_restrictions =
11045 check_ccert_access hash:/etc/postfix/access,
11046 reject
11047 /etc/postfix/access:
11048 # Action folded to next line...
11049 AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
11050 OK
11051 85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
11052 permit_auth_destination
11053
11054 This feature is available in Postfix 2.5 and later.
11055
11057 File with the Postfix SMTP server RSA private key in PEM format. This
11058 file may be combined with the Postfix SMTP server RSA certificate file
11059 specified with $smtpd_tls_cert_file. With Postfix >= 3.4 the preferred
11060 way to configure server keys and certificates is via the
11061 "smtpd_tls_chain_files" parameter.
11062
11063 The private key must be accessible without a pass-phrase, i.e. it must
11064 not be encrypted. File permissions should grant read-only access to the
11065 system superuser account ("root"), and no access to anyone else.
11066
11068 Enable additional Postfix SMTP server logging of TLS activity. Each
11069 logging level also includes the information that is logged at a lower
11070 logging level.
11071
11072 0 Disable logging of TLS activity.
11073
11074 1 Log only a summary message on TLS handshake completion - no
11075 logging of client certificate trust-chain verification errors if
11076 client certificate verification is not required. With Postfix
11077 2.8 and earlier, log the summary message, peer certificate sum‐
11078 mary information and unconditionally log trust-chain verifica‐
11079 tion errors.
11080
11081 2 Also log levels during TLS negotiation.
11082
11083 3 Also log hexadecimal and ASCII dump of TLS negotiation
11084 process.
11085
11086 4 Also log hexadecimal and ASCII dump of complete transmission
11087 after STARTTLS.
11088
11089 Do not use "smtpd_tls_loglevel = 2" or higher except in case of prob‐
11090 lems. Use of loglevel 4 is strongly discouraged.
11091
11092 This feature is available in Postfix 2.2 and later.
11093
11095 The minimum TLS cipher grade that the Postfix SMTP server will use with
11096 mandatory TLS encryption. The default grade ("medium") is sufficiently
11097 strong that any benefit from globally restricting TLS sessions to a
11098 more stringent grade is likely negligible, especially given the fact
11099 that many implementations still do not offer any stronger ("high"
11100 grade) ciphers, while those that do, will always use "high" grade
11101 ciphers. So insisting on "high" grade ciphers is generally counter-pro‐
11102 ductive. Allowing "export" or "low" ciphers is typically not a good
11103 idea, as systems limited to just these are limited to obsolete
11104 browsers. No known SMTP clients fail to support at least one "medium"
11105 or "high" grade cipher.
11106
11107 The following cipher grades are supported:
11108
11109 export Enable "EXPORT" grade or stronger OpenSSL ciphers. The underly‐
11110 ing cipherlist is specified via the tls_export_cipherlist con‐
11111 figuration parameter, which you are strongly encouraged to not
11112 change. This choice is insecure and SHOULD NOT be used.
11113
11114 low Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
11115 cipherlist is specified via the tls_low_cipherlist configuration
11116 parameter, which you are strongly encouraged to not change.
11117 This choice is insecure and SHOULD NOT be used.
11118
11119 medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
11120 128-bit or longer symmetric bulk-encryption keys. This is the
11121 default minimum strength for mandatory TLS encryption. The
11122 underlying cipherlist is specified via the tls_medium_cipherlist
11123 configuration parameter, which you are strongly encouraged to
11124 not change.
11125
11126 high Enable only "HIGH" grade OpenSSL ciphers. The underlying
11127 cipherlist is specified via the tls_high_cipherlist configura‐
11128 tion parameter, which you are strongly encouraged to not change.
11129
11130 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
11131 cation without encryption. This setting is only appropriate in
11132 the rare case that all clients are prepared to use NULL ciphers
11133 (not normally enabled in TLS clients). The underlying cipherlist
11134 is specified via the tls_null_cipherlist configuration parame‐
11135 ter, which you are strongly encouraged to not change.
11136
11137 Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
11138 smtpd_tls_exclude_ciphers are excluded from the base definition of the
11139 selected cipher grade. See smtpd_tls_ciphers for cipher controls that
11140 apply to opportunistic TLS.
11141
11142 The underlying cipherlists for grades other than "null" include anony‐
11143 mous ciphers, but these are automatically filtered out if the server is
11144 configured to ask for remote SMTP client certificates. You are very
11145 unlikely to need to take any steps to exclude anonymous ciphers, they
11146 are excluded automatically as required. If you must exclude anonymous
11147 ciphers even when Postfix does not need or use peer certificates, set
11148 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
11149 when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers =
11150 aNULL".
11151
11152 This feature is available in Postfix 2.3 and later.
11153
11155 Additional list of ciphers or cipher types to exclude from the Postfix
11156 SMTP server cipher list at mandatory TLS security levels. This list
11157 works in addition to the exclusions listed with
11158 smtpd_tls_exclude_ciphers (see there for syntax details).
11159
11160 This feature is available in Postfix 2.3 and later.
11161
11163 The SSL/TLS protocols accepted by the Postfix SMTP server with manda‐
11164 tory TLS encryption. If the list is empty, the server supports all
11165 available SSL/TLS protocol versions. A non-empty value is a list of
11166 protocol names separated by whitespace, commas or colons. The sup‐
11167 ported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not
11168 case sensitive. The default value is "!SSLv2, !SSLv3" for Postfix
11169 releases after the middle of 2015, "!SSLv2" for older releases.
11170
11171 With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
11172 col exclusions. One can explicitly exclude "SSLv2" by setting
11173 "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
11174 "SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
11175 the protocols to include, rather than protocols to exclude, is sup‐
11176 ported, but not recommended. The exclusion form more closely matches
11177 the underlying OpenSSL interface semantics.
11178
11179 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
11180 "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
11181 later, these, or any other new protocol versions, cannot be disabled.
11182 The latest patch levels of Postfix >= 2.6, and all versions of Postfix
11183 >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
11184
11185 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
11186 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
11187 abled, if need be, via "!TLSv1.3".
11188
11189 Example:
11190
11191 # Preferred syntax with Postfix >= 2.5:
11192 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
11193 # Legacy syntax:
11194 smtpd_tls_mandatory_protocols = TLSv1
11195
11196 This feature is available in Postfix 2.3 and later.
11197
11199 List of TLS protocols that the Postfix SMTP server will exclude or
11200 include with opportunistic TLS encryption. The default value is
11201 "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, empty
11202 for older releases allowing all protocols to be used with opportunistic
11203 TLS. A non-empty value is a list of protocol names separated by white‐
11204 space, commas or colons. The supported protocol names are "SSLv2",
11205 "SSLv3" and "TLSv1", and are not case sensitive.
11206
11207 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
11208 "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
11209 of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
11210
11211 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
11212 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
11213 abled, if need be, via "!TLSv1.3".
11214
11215 To include a protocol list its name, to exclude it, prefix the name
11216 with a "!" character. To exclude SSLv2 for opportunistic TLS set
11217 "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
11218 "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the proto‐
11219 cols to include, rather than protocols to exclude, is supported, but
11220 not recommended. The exclusion form more closely matches the underly‐
11221 ing OpenSSL interface semantics.
11222
11223 Example:
11224 smtpd_tls_protocols = !SSLv2, !SSLv3
11225
11226 This feature is available in Postfix 2.6 and later.
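
As an added example, not part of the Postfix manual or code, the following Python resolver applies the parsing rules given for smtpd_tls_mandatory_protocols and smtpd_tls_protocols (names separated by whitespace, commas or colons, case-insensitive, "!" to exclude) and shows why the inclusion form is discouraged: the legacy value "TLSv1" leaves only TLSv1 enabled. It assumes Postfix >= 2.10 semantics, where listing any protocol for inclusion excludes every protocol not listed, and the KNOWN tuple is a constructed list for a current OpenSSL build.

```python
# Added example (not Postfix code): resolve a smtpd_tls_protocols or
# smtpd_tls_mandatory_protocols value to the protocol versions left enabled.
import re

# Protocol names a current OpenSSL build can negotiate (constructed list).
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANON = {name.lower(): name for name in KNOWN}


def enabled_protocols(value):
    """Return the enabled protocols, in KNOWN order, for a parameter value.

    An empty value enables everything. "!name" excludes a protocol. If any
    protocol is listed for inclusion, every protocol not listed is excluded
    (Postfix >= 2.10 semantics, assumed here). An unknown name raises
    ValueError rather than being ignored, so a typo cannot silently widen
    the set of accepted protocols.
    """
    include, exclude = set(), set()
    for token in re.split(r"[\s,:]+", value.strip()):
        if not token:
            continue                      # empty value or stray separator
        negate = token.startswith("!")
        name = _CANON.get(token.lstrip("!").lower())
        if name is None:
            raise ValueError("unknown protocol name: " + token)
        (exclude if negate else include).add(name)
    if include:
        # Inclusion form: everything not explicitly listed is excluded.
        exclude |= set(KNOWN) - include
    return [name for name in KNOWN if name not in exclude]


def is_safe_setting(value):
    """True when SSLv2 and SSLv3 are off and TLS 1.2 is still negotiable."""
    enabled = enabled_protocols(value)
    return ("SSLv2" not in enabled and "SSLv3" not in enabled
            and "TLSv1.2" in enabled)
```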
11227
11229 Request that the Postfix SMTP server produce Received: message head‐
11230 ers that include information about the protocol and cipher used, as
11231 well as the remote SMTP client CommonName and client certificate issuer
11232 CommonName. This is disabled by default, as the information may be
11233 modified in transit through other mail servers. Only information that
11234 was recorded by the final destination can be trusted.
11235
11236 This feature is available in Postfix 2.2 and later.
11237
11239 With mandatory TLS encryption, require a trusted remote SMTP client
11240 certificate in order to allow TLS connections to proceed. This option
11241 implies "smtpd_tls_ask_ccert = yes".
11242
11243 When TLS encryption is optional, this setting is ignored with a warning
11244 written to the mail log.
11245
11246 This feature is available in Postfix 2.2 and later.
11247
11249 The SMTP TLS security level for the Postfix SMTP server; when a
11250 non-empty value is specified, this overrides the obsolete parameters
11251 smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
11252 "smtpd_tls_wrappermode = yes".
11253
11254 Specify one of the following security levels:
11255
11256 none TLS will not be used.
11257
11258 may Opportunistic TLS: announce STARTTLS support to remote SMTP
11259 clients, but do not require that clients use TLS encryption.
11260
11261 encrypt
11262 Mandatory TLS encryption: announce STARTTLS support to remote
11263 SMTP clients, and require that clients use TLS encryption.
11264 According to RFC 2487 this MUST NOT be applied in case of a pub‐
11265 licly-referenced SMTP server. Instead, this option should be
11266 used only on dedicated servers.
11267
11268 Note 1: the "fingerprint", "verify" and "secure" levels are not sup‐
11269 ported here. The Postfix SMTP server logs a warning and uses "encrypt"
11270 instead. To verify remote SMTP client certificates, see TLS_README for
11271 a discussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and per‐
11272 mit_tls_clientcerts features.
11273
11274 Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
11275 implies "smtpd_tls_auth_only = yes".
11276
11277 Note 3: when invoked via "sendmail -bs", Postfix will never offer
11278 STARTTLS due to insufficient privileges to access the server private
11279 key. This is intended behavior.
11280
11281 This feature is available in Postfix 2.3 and later.
11282
11284 Name of the file containing the optional Postfix SMTP server TLS ses‐
11285 sion cache. Specify a database type that supports enumeration, such as
11286 btree or sdbm; there is no need to support concurrent access. The file
11287 is created if it does not exist. The smtpd(8) daemon does not use this
11288 parameter directly; rather, the cache is implemented indirectly in the
11289 tlsmgr(8) daemon. This means that per-smtpd-instance master.cf over‐
11290 rides of this parameter are not effective. Note that each of the cache
11291 databases supported by the tlsmgr(8) daemon ($smtpd_tls_session_cache_data‐
11292 base, $smtp_tls_session_cache_database and, with Postfix 2.3 and later,
11293 $lmtp_tls_session_cache_database) must be stored separately. It is
11294 not at this time possible to store multiple caches in a single data‐
11295 base.
11296
11297 Note: dbm databases are not suitable. TLS session objects are too
11298 large.
11299
11300 As of version 2.5, Postfix no longer uses root privileges when opening
11301 this file. The file should now be stored under the Postfix-owned
11302 data_directory. As a migration aid, an attempt to open the file under a
11303 non-Postfix directory is redirected to the Postfix-owned data_direc‐
11304 tory, and a warning is logged.
11305
11306 As of Postfix 2.11 the preferred mechanism for session resumption is
11307 RFC 5077 TLS session tickets, which don't require server-side storage.
11308 Consequently, for Postfix >= 2.11 this parameter should generally be
11309 left empty. TLS session tickets require an OpenSSL library (at least
11310 version 0.9.8h) that provides full support for this TLS extension. See
11311 also smtpd_tls_session_cache_timeout.
11312
11313 Example:
11314
11315 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
11316
11317 This feature is available in Postfix 2.2 and later.
11318
11320 The expiration time of Postfix SMTP server TLS session cache informa‐
11321 tion. A cache cleanup is performed periodically every $smtpd_tls_ses‐
11322 sion_cache_timeout seconds. As with $smtpd_tls_session_cache_database,
11323 this parameter is implemented in the tlsmgr(8) daemon and therefore
11324 per-smtpd-instance master.cf overrides are not possible.
11325
11326 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
11327 session caching is disabled, not just via the database, but also via
11328 RFC 5077 TLS session tickets, which don't require server-side storage.
11329 If set to a positive value less than 2 minutes, the minimum value of 2
11330 minutes is used instead. TLS session tickets require an OpenSSL
11331 library (at least version 0.9.8h) that provides full support for this
11332 TLS extension.
11333
11334 This feature is available in Postfix 2.2 and later, and updated for TLS
11335 session ticket support in Postfix 2.11.
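
The rules above for smtpd_tls_session_cache_timeout (zero or negative disables caching and tickets, positive values under 2 minutes become 2 minutes, nothing above 100 days) are easy to get wrong when the value is written with a time unit. The following is an added example, not Postfix code: a reader for Postfix time values using the unit letters documented on this page, and a function that applies the >= 2.11 rules to produce the timeout actually in effect. The page does not say how Postfix reacts to a value above 100 days; this example's choice to refuse such a value is an assumption.

```python
import re

# Time units as documented for Postfix time parameters; each parameter
# has its own default unit, and it is "s" for the parameters discussed here.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value, default_unit="s"):
    """Parse a Postfix time value such as "3600s", "2m" or "100d" into seconds.

    A bare number takes default_unit. Raises ValueError on malformed input.
    """
    m = re.fullmatch(r"\s*(-?\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    number, unit = int(m.group(1)), m.group(2) or default_unit
    return number * _UNIT_SECONDS[unit]


MIN_CACHE_TIMEOUT = 2 * 60          # floor for positive values
MAX_CACHE_TIMEOUT = 100 * 86400     # ceiling as of Postfix 2.11


def effective_session_cache_timeout(value):
    """Apply the Postfix >= 2.11 rules for smtpd_tls_session_cache_timeout.

    Returns the lifetime in seconds that both the tlsmgr(8) cache database
    and RFC 5077 session tickets will use, or 0 when caching is disabled.
    Assumption: a value above 100 days is refused rather than clamped.
    """
    seconds = parse_time(value)
    if seconds <= 0:
        return 0                      # disables database cache and tickets
    if seconds > MAX_CACHE_TIMEOUT:
        raise ValueError("session cache timeout exceeds 100 days: %r" % value)
    return max(seconds, MIN_CACHE_TIMEOUT)


if __name__ == "__main__":
    for setting in ("3600s", "30s", "0", "-1", "100d"):
        print("%-6s -> %d s" % (setting, effective_session_cache_timeout(setting)))
```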
11336
11338 Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
11339 of using the STARTTLS command.
11340
11341 If you want to support this service, enable a special port in mas‐
11342 ter.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
11343 command line. Port 465 (smtps) was once chosen for this purpose.
11344
11345 This feature is available in Postfix 2.2 and later.
11346
11348 The name of the proxy protocol used by an optional before-smtpd proxy
11349 agent. When a proxy agent is used, this protocol conveys local and
11350 remote address and port information. Specify
11351 "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy proto‐
11352 col; version 2 is supported with Postfix 3.5 and later.
11353
11354 NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
11355 with smtpd_authorized_xclient_hosts. This supports SASL authentication
11356 in the proxy agent (Postfix 2.9 and later).
11357
11358 This feature is available in Postfix 2.10 and later.
11359
11361 The time limit for the proxy protocol specified with the
11362 smtpd_upstream_proxy_protocol parameter.
11363
11364 This feature is available in Postfix 2.10 and later.
11365
11367 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
11368 but do not require that clients use TLS encryption.
11369
11370 Note: when invoked via "sendmail -bs", Postfix will never offer START‐
11371 TLS due to insufficient privileges to access the server private key.
11372 This is intended behavior.
11373
11374 This feature is available in Postfix 2.2 and later. With Postfix 2.3
11375 and later use smtpd_tls_security_level instead.
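
The interactions described for smtpd_tls_security_level, smtpd_tls_req_ccert and the obsolete smtpd_use_tls/smtpd_enforce_tls parameters (the level overrides the obsolete pair, wrapper mode ignores the level, the client-only levels fall back to "encrypt" with a warning, "encrypt" implies smtpd_tls_auth_only, req_ccert implies ask_ccert and is ignored when TLS is optional) are easiest to audit from a small resolver. The following is an added example written for this page, not Postfix code: it takes main.cf settings as a dict, as "postconf -n" would print them, and returns the effective policy plus the warnings Postfix documents. Treating wrapper mode as mandatory TLS for the client-certificate rules is this example's assumption; the "sendmail -bs" case is not visible to a main.cf reader and is not modelled.

```python
SERVER_LEVELS = ("none", "may", "encrypt")
CLIENT_ONLY_LEVELS = ("fingerprint", "verify", "secure")


def _yes(cfg, name):
    """Postfix boolean: "yes" enables, anything else counts as "no"."""
    return cfg.get(name, "no").strip().lower() == "yes"


def resolve_smtpd_tls_policy(cfg):
    """Derive the SMTP server's effective TLS policy from main.cf settings.

    cfg maps parameter names to string values. Returns (policy, warnings);
    policy has the keys "level", "ask_ccert", "req_ccert" and "auth_only".
    """
    warnings = []
    level = cfg.get("smtpd_tls_security_level", "").strip().lower()

    if _yes(cfg, "smtpd_tls_wrappermode"):
        # TLS on connect instead of STARTTLS; the security level is ignored.
        effective = "wrappermode"
    elif level:
        if level in CLIENT_ONLY_LEVELS:
            warnings.append('smtpd_tls_security_level = %s is not supported '
                            'by the server; using "encrypt"' % level)
            level = "encrypt"
        elif level not in SERVER_LEVELS:
            raise ValueError("unknown smtpd_tls_security_level: %r" % level)
        effective = level
    elif _yes(cfg, "smtpd_enforce_tls"):   # the obsolete parameters apply
        effective = "encrypt"              # only when the level is empty
    elif _yes(cfg, "smtpd_use_tls"):
        effective = "may"
    else:
        effective = "none"

    # Assumption: wrapper mode counts as mandatory TLS for the ccert rules.
    mandatory = effective in ("encrypt", "wrappermode")
    ask_ccert = _yes(cfg, "smtpd_tls_ask_ccert")
    req_ccert = _yes(cfg, "smtpd_tls_req_ccert")
    if req_ccert and mandatory:
        ask_ccert = True   # smtpd_tls_req_ccert implies smtpd_tls_ask_ccert
    elif req_ccert:
        warnings.append("smtpd_tls_req_ccert = yes ignored: TLS is optional")
        req_ccert = False

    # "smtpd_tls_security_level = encrypt" implies smtpd_tls_auth_only = yes.
    auth_only = _yes(cfg, "smtpd_tls_auth_only") or effective == "encrypt"
    return ({"level": effective, "ask_ccert": ask_ccert,
             "req_ccert": req_ccert, "auth_only": auth_only}, warnings)


if __name__ == "__main__":
    # Constructed settings: a client-only level combined with req_ccert.
    sample = {"smtpd_tls_security_level": "verify",
              "smtpd_tls_req_ccert": "yes"}
    policy, warnings = resolve_smtpd_tls_policy(sample)
    print(policy)
    for w in warnings:
        print("warning:", w)
```

A useful property of writing it this way is that a configuration review can run the resolver over the output of "postconf -n" and compare the effective level against what the change request claimed, rather than reading four interacting parameters by eye.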
11376
11378 Detect that a message requires SMTPUTF8 support for the specified mail
11379 origin classes. This is a workaround to avoid chicken-and-egg problems
11380 during the initial SMTPUTF8 roll-out in environments with pre-existing
11381 mail flows that contain UTF8. Those mail flows should not break because
11382 Postfix suddenly refuses to deliver such mail to down-stream MTAs that
11383 don't announce SMTPUTF8 support.
11384
11385 The problem is that Postfix cannot rely solely on the sender's declara‐
11386 tion that a message requires SMTPUTF8 support, because UTF8 may be
11387 introduced during local processing (for example, the client hostname in
11388 Postfix's Received: header, adding @$myorigin or .$mydomain to an
11389 incomplete address, address rewriting, alias expansion, automatic BCC
11390 recipients, local forwarding, and changes made by header checks or Mil‐
11391 ter applications).
11392
11393 For now, the default is to enable "SMTPUTF8 required" autodetection
11394 only for Postfix sendmail command-line submissions and address verifi‐
11395 cation probes. This may change once SMTPUTF8 support achieves world
11396 domination. However, sites that add UTF8 content via local processing
11397 (see above) should autodetect the need for SMTPUTF8 support for all
11398 email.
11399
11400 Specify one or more of the following:
11401
11402 sendmail
11403 Submission with the Postfix sendmail(1) command.
11404
11405 smtpd Mail received with the smtpd(8) daemon.
11406
11407 qmqpd Mail received with the qmqpd(8) daemon.
11408
11409 forward
11410 Local forwarding or aliasing. When a message is received with
11411 "SMTPUTF8 required", then the forwarded (aliased) message always
11412 has "SMTPUTF8 required".
11413
11414 bounce
11415 Submission by the bounce(8) daemon. When a message is received
11416 with "SMTPUTF8 required", then the delivery status notification
11417 always has "SMTPUTF8 required".
11418
11419 notify
11420 Postmaster notification from the smtp(8) or smtpd(8) daemon.
11421
11422 verify
11423 Address verification probe from the verify(8) daemon.
11424
11425 all Enable SMTPUTF8 autodetection for all mail.
11426
11427 This feature is available in Postfix 3.0 and later.
11428
11430 Enable preliminary SMTPUTF8 support for the protocols described in RFC
11431 6531..6533. This requires that Postfix is built to support these proto‐
11432 cols.
11433
11434 This feature is available in Postfix 3.0 and later.
11435
11437 Safety net to keep mail queued that would otherwise be returned to the
11438 sender. This parameter disables locally-generated bounces, changes the
11439 handling of negative responses from remote servers, content filters or
11440 plugins, and prevents the Postfix SMTP server from rejecting mail per‐
11441 manently by changing 5xx reply codes into 4xx. However, soft_bounce is
11442 no cure for address rewriting mistakes or mail routing mistakes.
11443
11444 Note: "soft_bounce = yes" is in some cases implemented by modifying
11445 server responses. Therefore, the response that Postfix logs may differ
11446 from the response that Postfix actually sends or receives.
11447
11448 Example:
11449
11450 soft_bounce = yes
11451
11453 The time after which a stale exclusive mailbox lockfile is removed.
11454 This is used for delivery to file or mailbox.
11455
11456 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
11457 The default time unit is s (seconds).
11458
11460 This feature is documented in the STRESS_README document.
11461
11462 This feature is available in Postfix 2.5 and later.
11463
11465 Reject mail with 8-bit text in message headers. This blocks mail from
11466 poorly written applications.
11467
11468 This feature should not be enabled on a general purpose mail server,
11469 because it is likely to reject legitimate email.
11470
11471 This feature is available in Postfix 2.0 and later.
11472
11474 Enable both strict_7bit_headers and strict_8bitmime_body.
11475
11476 This feature should not be enabled on a general purpose mail server,
11477 because it is likely to reject legitimate email.
11478
11479 This feature is available in Postfix 2.0 and later.
11480
11482 Reject 8-bit message body text without 8-bit MIME content encoding
11483 information. This blocks mail from poorly written applications.
11484
11485 Unfortunately, this also rejects majordomo approval requests when the
11486 included request contains valid 8-bit MIME mail, and it rejects bounces
11487 from mailers that do not MIME encapsulate 8-bit content (for example,
11488 bounces from qmail or from old versions of Postfix).
11489
11490 This feature should not be enabled on a general purpose mail server,
11491 because it is likely to reject legitimate email.
11492
11493 This feature is available in Postfix 2.0 and later.
11494
11496 Defer delivery when a mailbox file is not owned by its recipient. The
11497 default setting is not backwards compatible.
11498
11499 This feature is available in Postfix 2.5.3 and later.
11500
11502 Reject mail with invalid Content-Transfer-Encoding: information for the
11503 message/* or multipart/* MIME content types. This blocks mail from
11504 poorly written software.
11505
11506 This feature should not be enabled on a general purpose mail server,
11507 because it will reject mail after a single violation.
11508
11509 This feature is available in Postfix 2.0 and later.
11510
11512 Require that addresses received in SMTP MAIL FROM and RCPT TO commands
11513 are enclosed with <>, and that those addresses do not contain RFC 822
11514 style comments or phrases. This stops mail from poorly written soft‐
11515 ware.
11516
11517 By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
11518 and RCPT TO addresses.
11519
11521 Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix SMTP
11522 server accepts UTF8 sender or recipient addresses only when the client
11523 requests an SMTPUTF8 mail transaction.
11524
11525 This feature is available in Postfix 3.0 and later.
11526
11528 Obsolete SUN mailtool compatibility feature. Instead, use "mail‐
11529 box_delivery_lock = dotlock".
11530
11532 Enable the rewriting of "site!user" into "user@site". This is neces‐
11533 sary if your machine is connected to UUCP networks. It is enabled by
11534 default.
11535
11536 Note: with Postfix version 2.2, message header address rewriting hap‐
11537 pens only when one of the following conditions is true:
11538
11539 · The message is received with the Postfix sendmail(1) command,
11540
11541 · The message is received from a network client that matches
11542 $local_header_rewrite_clients,
11543
11544 · The message is received from the network, and the
11545 remote_header_rewrite_domain parameter specifies a non-empty
11546 value.
11547
11548 To get the behavior before Postfix version 2.2, specify
11549 "local_header_rewrite_clients = static:all".
11550
11551 Example:
11552
11553 swap_bangpath = no
11554
11556 The syslog facility of Postfix logging. Specify a facility as defined
11557 in syslog.conf(5). The default facility is "mail".
11558
11559 Warning: a non-default syslog_facility setting takes effect only after
11560 a Postfix process has completed initialization. Errors during process
11561 initialization will be logged with the default facility. Examples are
11562 errors while parsing the command line arguments, and errors while
11563 accessing the Postfix main.cf configuration file.
11564
11566 A prefix that is prepended to the process name in syslog records, so
11567 that, for example, "smtpd" becomes "prefix/smtpd".
11568
11569 Warning: a non-default syslog_name setting takes effect only after a
11570 Postfix process has completed initialization. Errors during process
11571 initialization will be logged with the default name. Examples are
11572 errors while parsing the command line arguments, and errors while
11573 accessing the Postfix main.cf configuration file.
11574
11576 An optional workaround for routers that break TCP window scaling.
11577 Specify a value > 0 and < 65536 to enable this feature. With Postfix
11578 TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
11579 Postfix master(8) daemon.
11580
11581 To change this parameter without stopping Postfix, you need to first
11582 terminate all Postfix TCP servers:
11583
11584 # postconf -e master_service_disable=inet
11585 # postfix reload
11586
11587 This immediately terminates all processes that accept network connec‐
11588 tions. Next, you enable Postfix TCP servers with the updated tcp_win‐
11589 dowsize setting:
11590
11591 # postconf -e tcp_windowsize=65535 master_service_disable=
11592 # postfix reload
11593
11594 If you skip these steps with a running Postfix system, then the
11595 tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
11596 lmtp(8)).
11597
11598 This feature is available in Postfix 2.6 and later.
11599
11601 Append the system-supplied default Certification Authority certificates
11602 to the ones specified with *_tls_CApath or *_tls_CAfile. The default
11603 is "no"; this prevents Postfix from trusting third-party certificates
11604 and giving them relay permission with permit_tls_all_clientcerts.
11605
11606 This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
11607 later versions. Specify "tls_append_default_CA = yes" for backwards
11608 compatibility, to avoid breaking certificate verification with sites
11609 that don't use permit_tls_all_clientcerts.
11610
11612 The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
11613 requests from the tlsmgr(8) server in order to seed its internal pseudo
11614 random number generator (PRNG). The default of 32 bytes (equivalent to
11615 256 bits) is sufficient to generate a 128bit (or 168bit) session key.
11616
11617 This feature is available in Postfix 2.2 and later.
11618
11620 Configure RFC7671 DANE TLSA digest algorithm agility. Do not change
11621 this setting from its default value.
11622
11623 See Section 8 of RFC7671 for correct key rotation procedures.
11624
11625 This feature is available in Postfix 2.11 through 3.1. Postfix 3.2 and
11626 later ignore this configuration parameter and behave as though it were
11627 set to "on".
11628
11630 DANE TLSA (RFC 6698, RFC 7671, RFC 7672) resource-record "matching
11631 type" digest algorithms in descending preference order. All the speci‐
11632 fied algorithms must be supported by the underlying OpenSSL library,
11633 otherwise the Postfix SMTP client will not support DANE TLSA security.
11634
11635 Specify a list of digest names separated by commas and/or whitespace.
11636 Each digest name may be followed by an optional "=<number>" suffix.
11637 For example, "sha512" may instead be specified as "sha512=2" and
11638 "sha256" may instead be specified as "sha256=1". The optional number
11639 must match the IANA assigned TLSA matching type number of the algo‐
11640 rithm in question; see
11641 https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types
11642 for the registry. Postfix will check this constraint for the
11643 algorithms it knows about. Additional matching type
11643 algorithms registered with IANA can be added with explicit numbers pro‐
11644 vided they are supported by OpenSSL.
11645
11646 Invalid list elements are logged with a warning and disable DANE sup‐
11647 port. TLSA RRs that specify digests not included in the list are
11648 ignored with a warning.
11649
11650 Note: It is unwise to omit sha256 from the digest list. This digest
11651 algorithm is the only mandatory-to-implement digest algorithm in RFC
11652 6698, and many servers are expected to publish TLSA records with just
11653 sha256 digests. Unless one of the standard digests is seriously com‐
11654 promised and servers have had ample time to update their TLSA records,
11655 you should not omit any standard digests; just arrange them in order
11656 from strongest to weakest.
11657
11658 This feature is available in Postfix 2.11 and later.
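
The tls_dane_digests syntax above has several failure modes worth seeing together: an optional "=<number>" suffix that must agree with the IANA matching type for digests Postfix knows, invalid elements that disable DANE entirely, TLSA records with unlisted digests that are ignored, and the advice never to drop sha256. The following is an added example written for this page, not Postfix code: a parser for the parameter value and a filter for TLSA records, with the two known matching types (sha256 = 1, sha512 = 2, from RFC 6698) as its only built-in table. Function names, the use of hashlib as a stand-in for "supported by the underlying library", and the sample TLSA tuples are this example's own.

```python
import hashlib
import re

# IANA TLSA matching types that Postfix is documented to know about.
KNOWN_MATCHING_TYPES = {"sha256": 1, "sha512": 2}


def parse_dane_digests(value):
    """Parse tls_dane_digests into an ordered list of (name, matching_type).

    Returns (digests, warnings). Any invalid element yields an empty list,
    mirroring the documented outcome that DANE support is disabled.
    """
    digests, warnings = [], []
    for tok in re.split(r"[\s,]+", value.strip()):
        if not tok:
            continue
        name, _, num = tok.lower().partition("=")
        known = KNOWN_MATCHING_TYPES.get(name)
        if num:
            if not num.isdigit():
                warnings.append("invalid element %r: DANE disabled" % tok)
                return [], warnings
            mtype = int(num)
            if known is not None and known != mtype:
                warnings.append("%s must use matching type %d, not %d: DANE disabled"
                                % (name, known, mtype))
                return [], warnings
        elif known is not None:
            mtype = known
        else:
            # Additional IANA algorithms need an explicit number.
            warnings.append("unknown digest %r without =<number>: DANE disabled" % tok)
            return [], warnings
        if name not in hashlib.algorithms_available:
            # Stand-in for "must be supported by the underlying OpenSSL".
            warnings.append("digest %r not supported here: DANE disabled" % name)
            return [], warnings
        digests.append((name, mtype))
    if "sha256" not in [n for n, _ in digests]:
        warnings.append("sha256 omitted: the only mandatory RFC 6698 digest "
                        "will be ignored in TLSA records")
    return digests, warnings


def usable_tlsa_records(digests, records):
    """Keep TLSA RRs (usage, selector, matching_type, data) whose matching
    type appears in the configured list; others are ignored with a warning."""
    allowed = {m for _, m in digests}
    kept, warnings = [], []
    for rr in records:
        if rr[2] in allowed:
            kept.append(rr)
        else:
            warnings.append("ignoring TLSA RR with unlisted matching type %d" % rr[2])
    return kept, warnings


if __name__ == "__main__":
    digests, warnings = parse_dane_digests("sha512=2, sha256=1")
    # Constructed TLSA data: usage 3 (DANE-EE), selector 1 (SPKI).
    sample_rrs = [(3, 1, 1, "<sha256 hex placeholder>"),
                  (3, 1, 2, "<sha512 hex placeholder>")]
    print(digests, warnings)
    print(usable_tlsa_records(digests, sample_rrs))
```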
11659
11661 Enable support for RFC 6698 (DANE TLSA) DNS records that contain
11662 digests of trust-anchors with certificate usage "2". Do not change
11663 this setting from its default value.
11664
11665 This feature is available in Postfix 2.11 through 3.1. It has been
11666 withdrawn in Postfix 3.2, as trust-anchor TLSA records are now widely
11667 used and have proved sufficiently reliable. Postfix 3.2 and later
11668 ignore this configuration parameter and behave as though it were set
11669 to "yes".
11670
11672 List or bit-mask of OpenSSL bug work-arounds to disable.
11673
11674 The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS
11675 implementations. Applications, such as Postfix, that want to maximize
11676 interoperability ask the OpenSSL library to enable the full set of rec‐
11677 ommended work-arounds.
11678
11679 From time to time, it is discovered that a work-around creates a secu‐
11680 rity issue, and should no longer be used. If upgrading OpenSSL to a
11681 fixed version is not an option or an upgrade is not available in a
11682 timely manner, or in closed environments where no buggy clients or
11683 servers exist, it may be appropriate to disable some or all of the
11684 OpenSSL interoperability work-arounds. This parameter specifies which
11685 bug work-arounds to disable.
11686
11687 If the value of the parameter is a hexadecimal long integer starting
11688 with "0x", the bug work-arounds corresponding to the bits specified in
11689 its value are removed from the SSL_OP_ALL work-around bit-mask (see
11690 openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more bits
11691 than are present in SSL_OP_ALL, excess bits are ignored. Specifying
11692 0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
11693 also be sufficient on 64-bit systems, until OpenSSL abandons support
11694 for 32-bit systems and starts using the high 32 bits of a 64-bit
11695 bug-workaround mask.
11696
11697 Otherwise, the parameter is a white-space or comma separated list of
11698 specific named bug work-arounds chosen from the list below. It is pos‐
11699 sible that your OpenSSL version includes new bug work-arounds added
11700 after your Postfix source code was last updated, in that case you can
11701 only disable one of these via the hexadecimal syntax above.
11702
11703 CRYPTOPRO_TLSEXT_BUG
11704 New with GOST support in OpenSSL 1.0.0.
11705
11706 DONT_INSERT_EMPTY_FRAGMENTS
11707 See SSL_CTX_set_options(3)
11708
11709 LEGACY_SERVER_CONNECT
11710 See SSL_CTX_set_options(3)
11711
11712 MICROSOFT_BIG_SSLV3_BUFFER
11713 See SSL_CTX_set_options(3)
11714
11715 MICROSOFT_SESS_ID_BUG
11716 See SSL_CTX_set_options(3)
11717
11718 MSIE_SSLV2_RSA_PADDING
11719 also aliased as CVE-2005-2969. Postfix 2.8 disables this
11720 work-around by default with OpenSSL versions that may predate
11721 the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
11722
11723 NETSCAPE_CHALLENGE_BUG
11724 See SSL_CTX_set_options(3)
11725
11726 NETSCAPE_REUSE_CIPHER_CHANGE_BUG
11727 also aliased as CVE-2010-4180. Postfix 2.8 disables this
11728 work-around by default with OpenSSL versions that may predate
11729 the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.
11730
11731 SSLEAY_080_CLIENT_DH_BUG
11732 See SSL_CTX_set_options(3)
11733
11734 SSLREF2_REUSE_CERT_TYPE_BUG
11735 See SSL_CTX_set_options(3)
11736
11737 TLS_BLOCK_PADDING_BUG
11738 See SSL_CTX_set_options(3)
11739
11740 TLS_D5_BUG
11741 See SSL_CTX_set_options(3)
11742
11743 TLS_ROLLBACK_BUG
11744 See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7
11745 and later. Nobody should still be using 0.9.6!
11746
11747 TLSEXT_PADDING
11748 Postfix >= 3.4. See SSL_CTX_set_options(3).
11749
11750 This feature is available in Postfix 2.8 and later.
11751
11753 The prioritized list of elliptic curves supported by the Postfix SMTP
11754 client and server. These curves are used by the Postfix SMTP server
11755 when "smtpd_tls_eecdh_grade = auto". The selected curves must be
11756 implemented by OpenSSL and be standardized for use in TLS (RFC 4492 or
11757 its imminent successor). It is unwise to list only "bleeding-edge"
11758 curves supported by a small subset of clients. The default list is
11759 suitable for most users.
11760
11761 Postfix skips curve names that are unknown to OpenSSL, or that are
11762 known but not yet implemented. This makes it possible to "anticipate"
11763 support for curves that should be used once they become available. In
11764 particular, in some OpenSSL versions, the new RFC 8031 curves "X25519"
11765 and "X448" may be known by name, but ECDH support for either or both
11766 may be missing. These curves may appear in the default value of this
11767 parameter, even though they'll only be usable with later versions of
11768 OpenSSL.
11769
11770 This feature is available in Postfix 3.2 and later, when it is compiled
11771 and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
11772 have not been disabled by the vendor.
11773
11775 The elliptic curve used by the Postfix SMTP server for sensibly strong
11776 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
11777 server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
11778 strong" means approximately 128-bit security based on best known
11779 attacks. The selected curve must be implemented by OpenSSL (as reported
11780 by ecparam(1) with the "-list_curves" option) and be one of the curves
11781 listed in Section 5.1.1 of RFC 4492. You should not generally change
11782 this setting. Remote SMTP client implementations must support this
11783 curve for EECDH key exchange to take place. It is unwise to choose a
11784 "bleeding-edge" curve supported by only a small subset of clients.
11785
11786 The default "strong" curve is rated in NSA Suite B for information
11787 classified up to SECRET.
11788
11789 Note: elliptic curve names are poorly standardized; different standards
11790 groups are assigning different names to the same underlying curves.
11791 The curve with the X9.62 name "prime256v1" is also known under the SECG
11792 name "secp256r1", but OpenSSL does not recognize the latter name.
11793
11794 If you want to take maximal advantage of ciphers that offer forward
11795 secrecy see the Getting started section of FORWARD_SECRECY_README. The
11796 full document conveniently presents all information about Postfix "per‐
11797 fect" forward secrecy support in one place: what forward secrecy is,
11798 how to tweak settings, and what you can expect to see when Postfix uses
11799 ciphers with forward secrecy.
11800
11801 This feature is available in Postfix 2.6 and later, when it is compiled
11802 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11803 have not been disabled by the vendor.
11804
11806 The elliptic curve used by the Postfix SMTP server for maximally strong
11807 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
11808 server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally
11809 strong" means approximately 192-bit security based on best known
11810 attacks. This additional strength comes at a significant computational
11811 cost; most users should instead set "smtpd_tls_eecdh_grade = strong".
11812 The selected curve must be implemented by OpenSSL (as reported by
11813 ecparam(1) with the "-list_curves" option) and be one of the curves
11814 listed in Section 5.1.1 of RFC 4492. You should not generally change
11815 this setting.
11816
11817 This default "ultra" curve is rated in NSA Suite B for information
11818 classified up to TOP SECRET.
11819
11820 If you want to take maximal advantage of ciphers that offer forward
11821 secrecy see the Getting started section of FORWARD_SECRECY_README. The
11822 full document conveniently presents all information about Postfix "per‐
11823 fect" forward secrecy support in one place: what forward secrecy is,
11824 how to tweak settings, and what you can expect to see when Postfix uses
11825 ciphers with forward secrecy.
11826
11827 This feature is available in Postfix 2.6 and later, when it is compiled
11828 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11829 have not been disabled by the vendor.
11830
11832 The OpenSSL cipherlist for "export" or higher grade ciphers. This
11833 defines the meaning of the "export" setting in smtpd_tls_ciphers,
11834 smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_manda‐
11835 tory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. With
11836 Postfix releases before the middle of 2015 this is the default
11837 cipherlist for the opportunistic ("may") TLS client security level and
11838 also the default cipherlist for the SMTP server. You are strongly
11839 encouraged to not change this setting.
11840
11841 This feature is available in Postfix 2.3 and later.
11842
11844 A workaround for implementations that hang Postfix while shutting down
11845 a TLS session, until Postfix times out. With this enabled, Postfix will
11846 not wait for the remote TLS peer to respond to a TLS "close" notification.
11847
11849 The OpenSSL cipherlist for "high" grade ciphers. This defines the mean‐
11850 ing of the "high" setting in smtpd_tls_ciphers, smtpd_tls_manda‐
11851 tory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
11852 lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
11853 encouraged to not change this setting.
11854
11855 This feature is available in Postfix 2.3 and later.
11856
11858 A temporary migration aid for sites that use certificate public-key
11859 fingerprints with Postfix 2.9.0..2.9.5, which use an incorrect algo‐
11860 rithm. This parameter has no effect on the certificate fingerprint sup‐
11861 port that is available since Postfix 2.2.
11862
11863 Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
11864 a migration from configuration files with incorrect Postfix
11865 2.9.0..2.9.5 certificate public-key finger prints, to the correct fin‐
11866 gerprints used by Postfix 2.9.6 and later. To compute the correct cer‐
11867 tificate public-key fingerprints, see TLS_README.
11868
11869 This feature is available in Postfix 2.9.6 and later.
11870
11872 The OpenSSL cipherlist for "low" or higher grade ciphers. This defines
11873 the meaning of the "low" setting in smtpd_tls_ciphers, smtpd_tls_manda‐
11874 tory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
11875 lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
11876 encouraged to not change this setting.
11877
11878 This feature is available in Postfix 2.3 and later.
11879
11881 The OpenSSL cipherlist for "medium" or higher grade ciphers. This
11882 defines the meaning of the "medium" setting in smtpd_tls_ciphers,
11883 smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_manda‐
11884 tory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. This
11885 is the default cipherlist for mandatory TLS encryption in the TLS
11886 client (with anonymous ciphers disabled when verifying server certifi‐
11887 cates). This is the default cipherlist for opportunistic TLS with
11888 Postfix releases after the middle of 2015. You are strongly encouraged
11889 to not change this setting.
11890
11891 This feature is available in Postfix 2.3 and later.
11892
11894 The OpenSSL cipherlist for "NULL" grade ciphers that provide authenti‐
11895 cation without encryption. This defines the meaning of the "null" set‐
11896 ting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
11897 lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change
11898 this setting.
11899
11900 This feature is available in Postfix 2.3 and later.
11901
11903 With SSLv3 and later, use the Postfix SMTP server's cipher preference
11904 order instead of the remote client's cipher preference order.
11905
11906 By default, the OpenSSL server selects the client's most preferred
11907 cipher that the server supports. With SSLv3 and later, the server may
11908 choose its own most preferred cipher that is supported (offered) by the
11909 client. Setting "tls_preempt_cipherlist = yes" enables server cipher
11910 preferences.
11911
11912 While server cipher selection may in some cases lead to a more secure
11913 or performant cipher choice, there is some risk of interoperability
11914 issues. In the past, some SSL clients have listed lower priority
11915 ciphers that they did not implement correctly. If the server chooses a
11916 cipher that the client prefers less, it may select a cipher whose
11917 client implementation is flawed. Most notably Windows 2003 Microsoft
11918 Exchange servers have flawed implementations of DES-CBC3-SHA, which
11919 OpenSSL considers stronger than RC4-SHA. Enabling server cipher-suite
11920 selection may create interoperability issues with Windows 2003 Micro‐
11921 soft Exchange clients.
11922
11923 This feature is available in Postfix 2.8 and later, in combination with
11924 OpenSSL 0.9.7 and later.
11925
11927 The number of bytes that tlsmgr(8) reads from $tls_random_source when
11928 (re)seeding the in-memory pseudo random number generator (PRNG) pool.
11929 The default of 32 bytes (256 bits) is good enough for 128bit symmetric
11930 keys. If using EGD or a device file, a maximum of 255 bytes is read.
11931
11932 This feature is available in Postfix 2.2 and later.
11933
11935 Name of the pseudo random number generator (PRNG) state file that is
11936 maintained by tlsmgr(8). The file is created when it does not exist,
11937 and its length is fixed at 1024 bytes.
11938
11939 As of version 2.5, Postfix no longer uses root privileges when opening
11940 this file, and the default file location was changed from ${con‐
11941 fig_directory}/prng_exch to ${data_directory}/prng_exch. As a migra‐
11942 tion aid, an attempt to open the file under a non-Postfix directory is
11943 redirected to the Postfix-owned data_directory, and a warning is
11944 logged.
11945
11946 This feature is available in Postfix 2.2 and later.
11947
11949 The time between attempts by tlsmgr(8) to save the state of the pseudo
11950 random number generator (PRNG) to the file specified with $tls_ran‐
11951 dom_exchange_name.
11952
11953 This feature is available in Postfix 2.2 and later.
11954
11956 The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
11957 pseudo random number generator (PRNG) pool from external sources. The
11958 actual time between re-seeding attempts is calculated using the PRNG,
11959 and is between 0 and the time specified.
11960
11961 This feature is available in Postfix 2.2 and later.
11962
11964 The external entropy source for the in-memory tlsmgr(8) pseudo random
11965 number generator (PRNG) pool. Be sure to specify a non-blocking source.
11966 If this source is not a regular file, the entropy source type must be
11967 prepended: egd:/path/to/egd_socket for a source with EGD compatible
11968 socket interface, or dev:/path/to/device for a device file.
11969
11970 Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives
11971 timeout errors.
11972
11973 This feature is available in Postfix 2.2 and later.
11974
11976 Optional lookup tables that map names received from remote SMTP clients
11977 via the TLS Server Name Indication (SNI) extension to the appropriate
11978 keys and certificate chains. This parameter is implemented in the
11979 Postfix TLS library, and applies to both smtpd(8) and the SMTP server
11980 mode of tlsproxy(8).
11981
11982 When this parameter is non-empty, the Postfix SMTP server enables SNI
11983 extension processing, and logs SNI values that are invalid or don't
11984 match an entry in the the specified tables. When an entry does match,
11985 the SNI name is logged as part of the connection summary at log levels
11986 1 and higher.
11987
11988 The lookup key is either the verbatim SNI domain name or an ancestor
11989 domain prefixed with a leading dot. For internationalized domains, the
11990 lookup key must be in IDNA 2008 A-label form (as required in the TLS
11991 SNI extension).
11992
11993 The syntax of the lookup value is the same as with the
11994 smtp_tls_chain_files parameter (see there for additional details), but
11995 here scoped to just TLS connections in which the client sends a match‐
11996 ing SNI domain name.
11997
11998 Example:
11999
12000 /etc/postfix/main.cf:
12001 #
12002 # The indexed SNI table must be created with "postmap -F"
12003 #
12004 indexed = ${default_database_type}:${config_directory}/
12005 tls_server_sni_maps = ${indexed}sni
12006
12007 /etc/postfix/sni:
12008 #
12009 # The example.com domain has both an RSA and ECDSA certificate
12010 # chain. The chain files MUST start with the private key,
12011 # with the certificate chain next, starting with the leaf
12012 # (server) certificate, and then the issuer certificates.
12013 #
12014 example.com /etc/postfix/sni-chains/rsa2048.example.com.pem,
12015 /etc/postfix/sni-chains/ecdsa-p256.example.com.pem
12016 #
12017 # The example.net domain has a wildcard certificate, and two
12018 # additional DNS names. So its certificate chain is also used
12019 # with any subdomain, plus the additional names.
12020 #
12021 example.net /etc/postfix/sni-chains/example.net.pem
12022 .example.net /etc/postfix/sni-chains/example.net.pem
12023 example.info /etc/postfix/sni-chains/example.net.pem
12024 example.org /etc/postfix/sni-chains/example.net.pem
12025
12026 Note that the SNI lookup tables should also have entries for the
12027 domains that correspond to the Postfix SMTP server's default certifi‐
12028 cate(s). This ensures that the remote SMTP client's TLS SNI extension
12029 gets a positive response when it specifies one of the Postfix SMTP
12030 server's default domains, and ensures that the Postfix SMTP server will
12031 not log an SNI name mismatch for such a domain. The Postfix SMTP
12032 server's default certificates are then only used when the client sends
12033 no SNI or when it sends SNI with a domain that the server knows no cer‐
12034 tificate(s) for.
12035
12036 The mapping from an SNI domain name to a certificate chain is indirect.
12037 In the input source files for "cdb", "hash", "btree" or other tables
12038 that are converted to on-disk indexed files via postmap(1), the value
12039 specified for each key is a list of filenames. When postmap(1) is used
12040 with the -F option, the generated table stores for each lookup key the
12041 base64-encoded contents of the associated files. When querying tables
12042 via postmap -Fq, the table value is decoded from base64, yielding the
12043 original file content, plus a new line.
12044
12045 With "regexp", "pcre", "inline", "texthash", "static" and similar
12046 tables that are interpreted at run-time, and don't have a separate
12047 source format, the table value is again a list files, that are loaded
12048 into memory when the table is opened.
12049
12050 With tables whose content is managed outside of Postfix, such as LDAP,
12051 MySQL, PostgreSQL, socketmap and tcp, the value must be a concatenation
12052 of the desired PEM keys and certificate chains, that is then further
12053 encoded to yield a single-line base64 string. Creation of such tables
12054 and secure storage (the value includes private key material) are out‐
12055 side the responsibility of Postfix.
12056
12057 With "socketmap" and "tcp" the data will be transmitted in the clear,
12058 and there is no query access control, so these are generally unsuitable
12059 for storing SNI chains. With LDAP and SQL, you should restrict read
12060 access and use TLS to protect the sensitive data in transit.
12061
12062 Typically there is only one private key and its chain of certificates
12063 starting with the "leaf" certificate corresponding to that key, and
12064 continuing with the appropriate intermediate issuer CA certificates,
12065 with each certificate ideally followed by its issuer. Servers that
12066 have keys and certificates for more than one algorithm (e.g. both an
12067 RSA key and an ECDSA key, or even RSA, ECDSA and Ed25519) can use mul‐
12068 tiple chains concatenated together, with the key always listed before
12069 the corresponding certificates.
12070
12071 This feature is available in Postfix 3.4 and later.
12072
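The three rules above (key-first chain layout, single-line base64 table values for externally managed tables, and exact-then-ancestor key lookup) as an added Python example; this is not Postfix code. The PEM bodies are constructed placeholders, the ancestor lookup order is this example's assumption, and Python's idna codec implements IDNA 2003, so a real tool would use an IDNA 2008 library for the A-label conversion.

```python
import base64
import re

# Constructed sample PEM blocks: placeholder bodies, not real key or certificate material.
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nQUJDREVGR0g=\n-----END PRIVATE KEY-----\n"
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
ISSUER_PEM = "-----BEGIN CERTIFICATE-----\nSVNTVUVS\n-----END CERTIFICATE-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n", re.S)


def pem_labels(text):
    """BEGIN labels of the PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_chain_order(text):
    """Check the layout a chain file (or SNI table value) must have: every
    private key comes first, immediately followed by at least one certificate
    (leaf, then issuers). Returns True when the layout is valid."""
    labels = pem_labels(text)
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        return False
    expecting_cert = False
    for label in labels:
        if label.endswith("PRIVATE KEY"):
            if expecting_cert:      # two keys in a row: a key with no certificate
                return False
            expecting_cert = True
        elif label == "CERTIFICATE":
            expecting_cert = False
        else:                       # e.g. a stray CSR or DH parameters block
            return False
    return not expecting_cert


def encode_table_value(chain_texts):
    """Value an externally managed table (LDAP, SQL) must store: the PEM chains
    concatenated, then base64-encoded into a single line, the same shape that
    "postmap -F" stores for indexed tables."""
    blob = "".join(chain_texts)
    if not check_chain_order(blob):
        raise ValueError("key/certificate order is not key-first per chain")
    return base64.b64encode(blob.encode()).decode()


def decode_table_value(value):
    """Inverse of encode_table_value (what "postmap -Fq" does before printing)."""
    return base64.b64decode(value).decode()


def sni_lookup_keys(sni_name):
    """Lookup keys in the order this example tries them: the verbatim A-label
    name, then each ancestor domain with a leading dot."""
    alabel = sni_name.rstrip(".").encode("idna").decode("ascii").lower()
    labels = alabel.split(".")
    yield alabel
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])


def sni_lookup(table, sni_name):
    """Return the table value for the first matching key, or None (no SNI match;
    the server then falls back to its default certificates)."""
    for key in sni_lookup_keys(sni_name):
        if key in table:
            return table[key]
    return None
```
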
tls_session_ticket_cipher (default: Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)
Algorithm used to encrypt RFC 5077 TLS session tickets. This algorithm must use CBC mode, have a 128-bit block size, and must have a key length between 128 and 256 bits. The default is aes-256-cbc. Overriding the default to choose a different algorithm is discouraged.

Setting this parameter empty disables session ticket support in the Postfix SMTP server. Another way to disable session ticket support is via the tls_ssl_options parameter.

This feature is available in Postfix 3.0 and later.

List or bit-mask of OpenSSL options to enable.

The OpenSSL toolkit provides a set of options that applications can enable to tune the OpenSSL behavior. Some of these work around bugs in other implementations and are on by default. You can use the tls_disable_workarounds parameter to selectively disable some or all of the bug work-arounds, making OpenSSL more strict at the cost of non-interoperability with SSL clients or servers that exhibit the bugs.

Other options are off by default, and typically enable or disable features rather than bug work-arounds. These may be turned on (with care) via the tls_ssl_options parameter. The value is a white-space or comma separated list of named options chosen from the list below. The names are not case-sensitive; you can use lower-case if you prefer. The upper case values below match the corresponding macro name in the ssl.h header file with the SSL_OP_ prefix removed. It is possible that your OpenSSL version includes new options added after your Postfix source code was last updated; in that case you can only enable one of these via the hexadecimal syntax below.

You should only enable features via the hexadecimal mask when the need to control the feature is critical (to deal with a new vulnerability or a serious interoperability problem). Postfix DOES NOT promise backwards compatible behavior with respect to the mask bits. A feature enabled via the mask in one release may be enabled by other means in a later release, and the mask bit will then be ignored. Therefore, use of the hexadecimal mask is only a temporary measure until a new Postfix or OpenSSL release provides a better solution.

If the value of the parameter is a hexadecimal long integer starting with "0x", the options corresponding to the bits specified in its value are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). You can only enable options not already controlled by other Postfix settings. For example, you cannot disable protocols or enable server cipher preference. Do not attempt to turn on all features by specifying 0xFFFFFFFF; this is unlikely to be a good idea. Some bug work-arounds are also valid here, allowing them to be re-enabled if/when they're no longer enabled by default. The supported values include:

ENABLE_MIDDLEBOX_COMPAT
    Postfix >= 3.4. See SSL_CTX_set_options(3).

LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3).

NO_TICKET
    Enabled by default when needed in fully-patched Postfix >= 2.7. Not needed at all for Postfix >= 2.11, unless for some reason you do not want to support TLS session resumption. Best not set explicitly. See SSL_CTX_set_options(3).

NO_COMPRESSION
    Disable SSL compression even if supported by the OpenSSL library. Compression is CPU-intensive, and compression before encryption does not always improve security.

NO_RENEGOTIATION
    Postfix >= 3.4. This can reduce opportunities for a potential CPU exhaustion attack. See SSL_CTX_set_options(3).

NO_SESSION_RESUMPTION_ON_RENEGOTIATION
    Postfix >= 3.4. See SSL_CTX_set_options(3).

PRIORITIZE_CHACHA
    Postfix >= 3.4. See SSL_CTX_set_options(3).

This feature is available in Postfix 2.11 and later.

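The two value syntaxes described above (a case-insensitive, whitespace- or comma-separated name list, or a raw "0x" hexadecimal mask that bypasses the name list) as an added Python example; this is not Postfix code. It assumes the Python ssl module exposes the corresponding OpenSSL macro as ssl.OP_<NAME>, which is true for the names used in the checks but not for every name on the page.

```python
import re
import ssl

# Option names the page lists for tls_ssl_options (upper case, SSL_OP_ prefix removed).
KNOWN_OPTION_NAMES = {
    "ENABLE_MIDDLEBOX_COMPAT", "LEGACY_SERVER_CONNECT", "NO_TICKET",
    "NO_COMPRESSION", "NO_RENEGOTIATION",
    "NO_SESSION_RESUMPTION_ON_RENEGOTIATION", "PRIORITIZE_CHACHA",
}


def option_bit(name):
    """Resolve a named option to its bit value. Assumption of this example:
    the Python ssl module exposes the same macro as ssl.OP_<NAME>. Names the
    page lists but this ssl build lacks raise instead of silently mapping to 0."""
    upper = name.upper()
    if upper not in KNOWN_OPTION_NAMES:
        raise ValueError(f"not a tls_ssl_options name: {name}")
    bit = getattr(ssl, "OP_" + upper, None)
    if bit is None:
        raise ValueError(f"option {upper} not available in this ssl module")
    return int(bit)


def parse_tls_ssl_options(value):
    """Parse a main.cf tls_ssl_options value into an option mask: either one
    hexadecimal long integer ("0x...") or a whitespace- or comma-separated,
    case-insensitive list of option names."""
    value = value.strip()
    if not value:
        return 0
    if value.lower().startswith("0x"):
        # Raw mask: no name validation at all, which is why the page reserves
        # it for critical, temporary use.
        return int(value, 16)
    mask = 0
    for name in re.split(r"[\s,]+", value):
        if name:
            mask |= option_bit(name)
    return mask


def context_with_options(value):
    """Apply the parsed mask to a fresh server-side TLS context, the Python
    analogue of SSL_CTX_set_options(); returns the context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= parse_tls_ssl_options(value)
    return ctx
```
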
Match multiple DNS labels with "*" in wildcard certificates.

Some mail service providers prepend the customer domain name to a base domain for which they have a wildcard TLS certificate. For example, the MX records for example.com hosted by example.net may be:

    example.com. IN MX 0 example.com.mx1.example.net.
    example.com. IN MX 0 example.com.mx2.example.net.

and the TLS certificate may be for "*.example.net". The "*" then corresponds to multiple labels in the mail server domain name. While multi-label wildcards are not widely supported, and are not blessed by any standard, there is little to be gained by disallowing their use in this context.

Notes:

· In a certificate name, the "*" is special only when it is used as the first label.

· While Postfix (2.11 or later) can match "*" with multiple domain name labels, other implementations likely will not.

· Earlier Postfix implementations behave as if "tls_wildcard_matches_multiple_labels = no".

This feature is available in Postfix 2.11 and later.

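The matching rule from the notes above, as an added Python example (not Postfix code): "*" is special only as the first label, and the multiple_labels flag plays the role of tls_wildcard_matches_multiple_labels, so the same "*.example.net" certificate accepts or rejects the page's example.com.mx1.example.net MX host depending on the setting.

```python
def cert_name_matches(cert_name, host, multiple_labels=True):
    """Match a certificate DNS name against a server host name.
    "*" is special only as the first label. With multiple_labels=True the
    wildcard may cover several host labels (tls_wildcard_matches_multiple_labels
    = yes); with False it covers exactly one label, as most implementations do."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host          # no leading "*" label: exact match only
    suffix = cert_name[1:]                # ".example.net"
    if not host.endswith(suffix):
        return False
    covered = host[:-len(suffix)]         # the part of the host that "*" stands for
    if not covered or covered.startswith(".") or covered.endswith("."):
        return False                      # "*" must cover at least one whole label
    return multiple_labels or "." not in covered
```
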
12185 The name of the tlsmgr(8) service entry in master.cf. This service
12186 maintains TLS session caches and other information in support of TLS.
12187
12188 This feature is available in Postfix 2.11 and later.
12189
12191 A file containing CA certificates of root CAs trusted to sign either
12192 remote TLS server certificates or intermediate CA certificates. See
12193 smtp_tls_CAfile for further details.
12194
12195 This feature is available in Postfix 3.4 and later.
12196
12198 Directory with PEM format Certification Authority certificates that the
12199 Postfix tlsproxy(8) client uses to verify a remote TLS server certifi‐
12200 cate. See smtp_tls_CApath for further details.
12201
12202 This feature is available in Postfix 3.4 and later.
12203
12205 File with the Postfix tlsproxy(8) client RSA certificate in PEM format.
12206 See smtp_tls_cert_file for further details. The preferred way to con‐
12207 figure tlsproxy client keys and certificates is via the
12208 "tlsproxy_client_chain_files" parameter.
12209
12210 This feature is available in Postfix 3.4 and later.
12211
12213 Files with the Postfix tlsproxy(8) client keys and certificate chains
12214 in PEM format. See smtp_tls_chain_files for further details.
12215
12216 This feature is available in Postfix 3.4 and later.
12217
12219 File with the Postfix tlsproxy(8) client DSA certificate in PEM format.
12220 See smtp_tls_dcert_file for further details. DSA is obsolete and should
12221 not be used.
12222
12223 This feature is available in Postfix 3.4 and later.
12224
12226 File with the Postfix tlsproxy(8) client DSA private key in PEM format.
12227 See smtp_tls_dkey_file for further details. DSA is obsolete and should
12228 not be used.
12229
12230 This feature is available in Postfix 3.4 and later.
12231
12233 File with the Postfix tlsproxy(8) client ECDSA certificate in PEM for‐
12234 mat. See smtp_tls_eccert_file for further details. The preferred way to
12235 configure tlsproxy client keys and certificates is via the
12236 "tlsproxy_client_chain_files" parameter.
12237
12238 This feature is available in Postfix 3.4 and later.
12239
12241 File with the Postfix tlsproxy(8) client ECDSA private key in PEM for‐
12242 mat. See smtp_tls_eckey_file for further details. The preferred way to
12243 configure tlsproxy client keys and certificates is via the
12244 "tlsproxy_client_chain_files" parameter.
12245
12246 This feature is available in Postfix 3.4 and later.
12247
12249 Enforcement mode: require that SMTP servers use TLS encryption. See
12250 smtp_enforce_tls for further details.
12251
12252 This feature is available in Postfix 3.4 and later.
12253
12255 The message digest algorithm used to construct remote TLS server cer‐
12256 tificate fingerprints. See smtp_tls_fingerprint_digest for further
12257 details.
12258
12259 This feature is available in Postfix 3.4 and later.
12260
12262 File with the Postfix tlsproxy(8) client RSA private key in PEM format.
12263 See smtp_tls_key_file for further details. The preferred way to config‐
12264 ure tlsproxy client keys and certificates is via the
12265 "tlsproxy_client_chain_files" parameter.
12266
12267 This feature is available in Postfix 3.4 and later.
12268
12270 Enable additional Postfix tlsproxy(8) client logging of TLS activity.
12271 See smtp_tls_loglevel for further details.
12272
12273 This feature is available in Postfix 3.4 and later.
12274
12276 The name of the parameter that provides the tlsproxy_client_loglevel
12277 value.
12278
12279 This feature is available in Postfix 3.4 and later.
12280
12282 Optional lookup tables with the Postfix tlsproxy(8) client TLS usage
12283 policy by next-hop destination and by remote TLS server hostname. See
12284 smtp_tls_per_site for further details.
12285
12286 This feature is available in Postfix 3.4 and later.
12287
12289 Optional lookup tables with the Postfix tlsproxy(8) client TLS security
12290 policy by next-hop destination. See smtp_tls_policy_maps for further
12291 details.
12292
12293 This feature is available in Postfix 3.4 and later.
12294
12296 The verification depth for remote TLS server certificates. See
12297 smtp_tls_scert_verifydepth for further details.
12298
12299 This feature is available in Postfix 3.4 and later.
12300
12302 The default TLS security level for the Postfix tlsproxy(8) client. See
12303 smtp_tls_security_level for further details.
12304
12305 This feature is available in Postfix 3.4 and later.
12306
12308 Opportunistic mode: use TLS when a remote server announces TLS support.
12309 See smtp_use_tls for further details.
12310
12311 This feature is available in Postfix 3.4 and later.
12312
12314 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
12315 require that clients use TLS encryption. See smtpd_enforce_tls for fur‐
12316 ther details.
12317
12318 This feature is available in Postfix 2.8 and later.
12319
12321 The name of the tlsproxy(8) service entry in master.cf. This service
12322 performs plaintext <=> TLS ciphertext conversion.
12323
12324 This feature is available in Postfix 2.8 and later.
12325
12327 A file containing (PEM format) CA certificates of root CAs trusted to
12328 sign either remote SMTP client certificates or intermediate CA certifi‐
12329 cates. See smtpd_tls_CAfile for further details.
12330
12331 This feature is available in Postfix 2.8 and later.
12332
12334 A directory containing (PEM format) CA certificates of root CAs trusted
12335 to sign either remote SMTP client certificates or intermediate CA cer‐
12336 tificates. See smtpd_tls_CApath for further details.
12337
12338 This feature is available in Postfix 2.8 and later.
12339
12341 sion_ids)
12342 Force the Postfix tlsproxy(8) server to issue a TLS session id, even
12343 when TLS session caching is turned off. See smtpd_tls_always_issue_ses‐
12344 sion_ids for further details.
12345
12346 This feature is available in Postfix 2.8 and later.
12347
12349 Ask a remote SMTP client for a client certificate. See
12350 smtpd_tls_ask_ccert for further details.
12351
12352 This feature is available in Postfix 2.8 and later.
12353
12355 The verification depth for remote SMTP client certificates. A depth of
12356 1 is sufficient if the issuing CA is listed in a local CA file. See
12357 smtpd_tls_ccert_verifydepth for further details.
12358
12359 This feature is available in Postfix 2.8 and later.
12360
12362 File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
12363 This file may also contain the Postfix tlsproxy(8) server private RSA
12364 key. See smtpd_tls_cert_file for further details. With Postfix >= 3.4
12365 the preferred way to configure tlsproxy server keys and certificates is
12366 via the "tlsproxy_tls_chain_files" parameter.
12367
12368 This feature is available in Postfix 2.8 and later.
12369
12371 Files with the Postfix tlsproxy(8) server keys and certificate chains
12372 in PEM format. See smtpd_tls_chain_files for further details.
12373
12374 This feature is available in Postfix 3.4 and later.
12375
12377 The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
12378 use with opportunistic TLS encryption. See smtpd_tls_ciphers for fur‐
12379 ther details.
12380
12381 This feature is available in Postfix 2.8 and later.
12382
12384 File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
12385 This file may also contain the Postfix tlsproxy(8) server private DSA
12386 key. DSA is obsolete and should not be used. See smtpd_tls_dcert_file
12387 for further details.
12388
12389 This feature is available in Postfix 2.8 and later.
12390
12392 File with DH parameters that the Postfix tlsproxy(8) server should use
12393 with non-export EDH ciphers. See smtpd_tls_dh1024_param_file for fur‐
12394 ther details.
12395
12396 This feature is available in Postfix 2.8 and later.
12397
12399 File with DH parameters that the Postfix tlsproxy(8) server should use
12400 with export-grade EDH ciphers. See smtpd_tls_dh512_param_file for fur‐
12401 ther details. The default SMTP server cipher grade is "medium" with
12402 Postfix releases after the middle of 2015, and as a result export-grade
12403 cipher suites are by default not used.
12404
12405 This feature is available in Postfix 2.8 and later.
12406
12408 File with the Postfix tlsproxy(8) server DSA private key in PEM format.
12409 This file may be combined with the Postfix tlsproxy(8) server DSA cer‐
12410 tificate file specified with $smtpd_tls_dcert_file. DSA is obsolete
12411 and should not be used. See smtpd_tls_dkey_file for further details.
12412
12413 This feature is available in Postfix 2.8 and later.
12414
12416 File with the Postfix tlsproxy(8) server ECDSA certificate in PEM for‐
12417 mat. This file may also contain the Postfix tlsproxy(8) server private
12418 ECDSA key. See smtpd_tls_eccert_file for further details. With Post‐
12419 fix >= 3.4 the preferred way to configure tlsproxy server keys and cer‐
12420 tificates is via the "tlsproxy_tls_chain_files" parameter.
12421
12422 This feature is available in Postfix 2.8 and later.
12423
12425 File with the Postfix tlsproxy(8) server ECDSA private key in PEM for‐
12426 mat. This file may be combined with the Postfix tlsproxy(8) server
12427 ECDSA certificate file specified with $smtpd_tls_eccert_file. See
12428 smtpd_tls_eckey_file for further details. With Postfix >= 3.4 the pre‐
12429 ferred way to configure tlsproxy server keys and certificates is via
12430 the "tlsproxy_tls_chain_files" parameter.
12431
12432 This feature is available in Postfix 2.8 and later.
12433
12435 The Postfix tlsproxy(8) server security grade for ephemeral ellip‐
12436 tic-curve Diffie-Hellman (EECDH) key exchange. See
12437 smtpd_tls_eecdh_grade for further details.
12438
12439 This feature is available in Postfix 2.8 and later.
12440
12442 List of ciphers or cipher types to exclude from the tlsproxy(8) server
12443 cipher list at all TLS security levels. See smtpd_tls_exclude_ciphers
12444 for further details.
12445
12446 This feature is available in Postfix 2.8 and later.
12447
12449 The message digest algorithm to construct remote SMTP client-certifi‐
12450 cate fingerprints. See smtpd_tls_fingerprint_digest for further
12451 details.
12452
12453 This feature is available in Postfix 2.8 and later.
12454
12456 File with the Postfix tlsproxy(8) server RSA private key in PEM format.
12457 This file may be combined with the Postfix tlsproxy(8) server RSA cer‐
12458 tificate file specified with $smtpd_tls_cert_file. See
12459 smtpd_tls_key_file for further details. With Postfix >= 3.4 the pre‐
12460 ferred way to configure tlsproxy server keys and certificates is via
12461 the "tlsproxy_tls_chain_files" parameter.
12462
12463 This feature is available in Postfix 2.8 and later.
12464
12466 Enable additional Postfix tlsproxy(8) server logging of TLS activity.
12467 Each logging level also includes the information that is logged at a
12468 lower logging level. See smtpd_tls_loglevel for further details.
12469
12470 This feature is available in Postfix 2.8 and later.
12471
12473 The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
12474 use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for
12475 further details.
12476
12477 This feature is available in Postfix 2.8 and later.
12478
12480 tory_exclude_ciphers)
12481 Additional list of ciphers or cipher types to exclude from the
12482 tlsproxy(8) server cipher list at mandatory TLS security levels. See
12483 smtpd_tls_mandatory_exclude_ciphers for further details.
12484
12485 This feature is available in Postfix 2.8 and later.
12486
12488 The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with
12489 mandatory TLS encryption. If the list is empty, the server supports all
12490 available SSL/TLS protocol versions. See smtpd_tls_mandatory_protocols
12491 for further details.
12492
12493 This feature is available in Postfix 2.8 and later.
12494
12496 List of TLS protocols that the Postfix tlsproxy(8) server will exclude
12497 or include with opportunistic TLS encryption. See smtpd_tls_protocols
12498 for further details.
12499
12500 This feature is available in Postfix 2.8 and later.
12501
12503 With mandatory TLS encryption, require a trusted remote SMTP client
12504 certificate in order to allow TLS connections to proceed. See
12505 smtpd_tls_req_ccert for further details.
12506
12507 This feature is available in Postfix 2.8 and later.
12508
12510 The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
12511 non-empty value is specified, this overrides the obsolete parameters
12512 smtpd_use_tls and smtpd_enforce_tls. See smtpd_tls_security_level for
12513 further details.
12514
12515 This feature is available in Postfix 2.8 and later.
12516
12518
12519 Obsolete expiration time of Postfix tlsproxy(8) server TLS session
12520 cache information. Since the cache is shared with smtpd(8) and managed
12521 by tlsmgr(8), there is only one expiration time for the SMTP server
12522 cache shared by all three services, namely smtpd_tls_ses‐
12523 sion_cache_timeout.
12524
12525 This feature is available in Postfix 2.8 and later.
12526
12528 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
12529 but do not require that clients use TLS encryption. See smtpd_use_tls
12530 for further details.
12531
12532 This feature is available in Postfix 2.8 and later.
12533
12535 How much time a tlsproxy(8) process may take to process local or remote
12536 I/O before it is terminated by a built-in watchdog timer. This is a
12537 safety mechanism that prevents tlsproxy(8) from becoming non-responsive
12538 due to a bug in Postfix itself or in system software. To avoid false
12539 alarms and unnecessary cache corruption this limit cannot be set under
12540 10s.
12541
12542 Specify a non-zero time value (an integral value plus an optional
12543 one-letter suffix that specifies the time unit). Time units: s (sec‐
12544 onds), m (minutes), h (hours), d (days), w (weeks).
12545
12546 This feature is available in Postfix 2.8 and later
12547
12549 The name of the trace service. This service is implemented by the
12550 bounce(8) daemon and maintains a record of mail deliveries and produces
12551 a mail delivery report when verbose delivery is requested with "send‐
12552 mail -v".
12553
12554 This feature is available in Postfix 2.1 and later.
12555
12557 A transport-specific override for the default_delivery_slot_cost param‐
12558 eter value, where transport is the master.cf name of the message deliv‐
12559 ery transport.
12560
12561 Note: transport_delivery_slot_cost parameters will not show up in
12562 "postconf" command output before Postfix version 2.9. This limitation
12563 applies to many parameters whose name is a combination of a master.cf
12564 service name and a built-in suffix (in this case: "_deliv‐
12565 ery_slot_cost").
12566
12568 A transport-specific override for the default_delivery_slot_discount
12569 parameter value, where transport is the master.cf name of the message
12570 delivery transport.
12571
12572 Note: transport_delivery_slot_discount parameters will not show up in
12573 "postconf" command output before Postfix version 2.9. This limitation
12574 applies to many parameters whose name is a combination of a master.cf
12575 service name and a built-in suffix (in this case: "_delivery_slot_dis‐
12576 count").
12577
12579 A transport-specific override for the default_delivery_slot_loan param‐
12580 eter value, where transport is the master.cf name of the message deliv‐
12581 ery transport.
12582
12583 Note: transport_delivery_slot_loan parameters will not show up in
12584 "postconf" command output before Postfix version 2.9. This limitation
12585 applies to many parameters whose name is a combination of a master.cf
12586 service name and a built-in suffix (in this case: "_deliv‐
12587 ery_slot_loan").
12588
12590 tination_concurrency_failed_cohort_limit)
12591 A transport-specific override for the default_destination_concur‐
12592 rency_failed_cohort_limit parameter value, where transport is the mas‐
12593 ter.cf name of the message delivery transport.
12594
12595 Note: some transport_destination_concurrency_failed_cohort_limit param‐
12596 eters will not show up in "postconf" command output before Postfix ver‐
12597 sion 2.9. This limitation applies to many parameters whose name is a
12598 combination of a master.cf service name and a built-in suffix (in this
12599 case: "_destination_concurrency_failed_cohort_limit").
12600
12601 This feature is available in Postfix 2.5 and later.
12602
12604 rency_limit)
12605 A transport-specific override for the default_destination_concur‐
12606 rency_limit parameter value, where transport is the master.cf name of
12607 the message delivery transport.
12608
12609 Note: some transport_destination_concurrency_limit parameters will not
12610 show up in "postconf" command output before Postfix version 2.9. This
12611 limitation applies to many parameters whose name is a combination of a
12612 master.cf service name and a built-in suffix (in this case: "_destina‐
12613 tion_concurrency_limit").
12614
12616 nation_concurrency_negative_feedback)
12617 A transport-specific override for the default_destination_concur‐
12618 rency_negative_feedback parameter value, where transport is the mas‐
12619 ter.cf name of the message delivery transport.
12620
12621 Note: some transport_destination_concurrency_negative_feedback parame‐
12622 ters will not show up in "postconf" command output before Postfix ver‐
12623 sion 2.9. This limitation applies to many parameters whose name is a
12624 combination of a master.cf service name and a built-in suffix (in this
12625 case: "_destination_concurrency_negative_feedback").
12626
12627 This feature is available in Postfix 2.5 and later.
12628
12630 nation_concurrency_positive_feedback)
12631 A transport-specific override for the default_destination_concur‐
12632 rency_positive_feedback parameter value, where transport is the mas‐
12633 ter.cf name of the message delivery transport.
12634
12635 Note: some transport_destination_concurrency_positive_feedback parame‐
12636 ters will not show up in "postconf" command output before Postfix ver‐
12637 sion 2.9. This limitation applies to many parameters whose name is a
12638 combination of a master.cf service name and a built-in suffix (in this
12639 case: "_destination_concurrency_positive_feedback").
12640
12641 This feature is available in Postfix 2.5 and later.
12642
12644 A transport-specific override for the default_destination_rate_delay
12645 parameter value, where transport is the master.cf name of the message
12646 delivery transport.
12647
12648 Note: some transport_destination_rate_delay parameters will not show up
12649 in "postconf" command output before Postfix version 2.9. This limita‐
12650 tion applies to many parameters whose name is a combination of a mas‐
12651 ter.cf service name and a built-in suffix (in this case: "_destina‐
12652 tion_rate_delay").
12653
12654 This feature is available in Postfix 2.5 and later.
12655
12657 ent_limit)
12658 A transport-specific override for the default_destination_recipi‐
12659 ent_limit parameter value, where transport is the master.cf name of the
12660 message delivery transport.
12661
12662 Note: some transport_destination_recipient_limit parameters will not
12663 show up in "postconf" command output before Postfix version 2.9. This
12664 limitation applies to many parameters whose name is a combination of a
12665 master.cf service name and a built-in suffix (in this case: "_destina‐
12666 tion_recipient_limit").
12667
transport_extra_recipient_limit (default: $default_extra_recipient_limit)
A transport-specific override for the default_extra_recipient_limit
12670 parameter value, where transport is the master.cf name of the message
12671 delivery transport.
12672
12673 Note: transport_extra_recipient_limit parameters will not show up in
12674 "postconf" command output before Postfix version 2.9. This limitation
12675 applies to many parameters whose name is a combination of a master.cf
12676 service name and a built-in suffix (in this case: "_extra_recipi‐
12677 ent_limit").
12678
transport_initial_destination_concurrency (default: $initial_destination_concurrency)
12681 A transport-specific override for the initial_destination_concurrency
12682 parameter value, where transport is the master.cf name of the message
12683 delivery transport.
12684
12685 Note: some transport_initial_destination_concurrency parameters will
12686 not show up in "postconf" command output before Postfix version 2.9.
12687 This limitation applies to many parameters whose name is a combination
12688 of a master.cf service name and a built-in suffix (in this case: "_ini‐
12689 tial_destination_concurrency").
12690
12691 This feature is available in Postfix 2.5 and later.
12692
transport_maps (default: empty)
Optional lookup tables with mappings from recipient address to (message
12695 delivery transport, next-hop destination). See transport(5) for
12696 details.
12697
12698 Specify zero or more "type:table" lookup tables, separated by white‐
12699 space or comma. Tables will be searched in the specified order until a
12700 match is found. If you use this feature with local files, run "postmap
12701 /etc/postfix/transport" after making a change.
12702
12703 Pattern matching of domain names is controlled by the presence or
12704 absence of "transport_maps" in the parent_domain_matches_subdomains
12705 parameter value.
12706
12707 For safety reasons, as of Postfix 2.3 this feature does not allow $num‐
12708 ber substitutions in regular expression maps.
12709
12710 Examples:
12711
12712 transport_maps = dbm:/etc/postfix/transport
12713 transport_maps = hash:/etc/postfix/transport
12714
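As an added illustration of the lookup order described above (example code written for this page, not part of Postfix): a Python model of how one recipient address is matched against a transport(5) table, including the parent-domain step that parent_domain_matches_subdomains switches between the ".domain" form and the plain "domain" form. The sample table and addresses are constructed, and the exact key order beyond what this page states (full address, address without extension, domain, parent domains, "*") is taken from transport(5) and is an assumption of the model.

```python
# Added example, not Postfix code: a model of the transport_maps lookup
# order that trivial-rewrite(8) applies to one recipient, following the
# pattern list in transport(5). Local parts and domains are case-folded,
# as for an indexed (hash:) table. The parent-domain step depends on
# whether "transport_maps" is listed in parent_domain_matches_subdomains,
# exactly as the text above says.

def parse_transport_table(text):
    """Parse transport(5) text into a dict of pattern -> "transport:nexthop"."""
    table = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:   # continuation line
            table[last] = (table[last] + " " + line.strip()).strip()
            continue
        parts = line.split(None, 1)
        last = parts[0].lower()
        table[last] = parts[1].strip() if len(parts) > 1 else ""
    return table


def transport_candidates(recipient, match_subdomains=False, delimiter="+"):
    """The keys looked up, in order, for one recipient address."""
    local, _, domain = recipient.lower().rpartition("@")
    keys = [f"{local}@{domain}"]                                   # user+extension@domain
    if delimiter and delimiter in local:
        keys.append(f"{local.split(delimiter, 1)[0]}@{domain}")    # user@domain
    keys.append(domain)                                            # domain
    labels = domain.split(".")
    for i in range(1, len(labels)):                                # parent domains
        parent = ".".join(labels[i:])
        # "transport_maps" in parent_domain_matches_subdomains: "parent.tld"
        # also covers its subdomains; otherwise only the ".parent.tld" form does.
        keys.append(parent if match_subdomains else "." + parent)
    keys.append("*")                                               # catch-all entry
    return keys


def transport_lookup(table, recipient, match_subdomains=False):
    """Return the first matching "transport:nexthop", or None."""
    for key in transport_candidates(recipient, match_subdomains):
        if key in table:
            return table[key]
    return None


# Constructed sample /etc/postfix/transport (not from the page).
TRANSPORT_FILE = """\
# exact address, domain, subdomain and catch-all entries
postmaster@example.com   local:
example.com              smtp:[mail.example.com]
.example.com             relay:[gw.example.com]:2525
partner.example.net      smtp:[mx.partner.example.net]
*                        smtp:[smarthost.example.org]
"""

TRANSPORT_TABLE = parse_transport_table(TRANSPORT_FILE)

if __name__ == "__main__":
    for rcpt in ("postmaster+bounces@example.com", "alice@example.com",
                 "bob@sub.example.com", "carol@sub.partner.example.net"):
        print(rcpt, "->", transport_lookup(TRANSPORT_TABLE, rcpt),
              "| with subdomain matching:",
              transport_lookup(TRANSPORT_TABLE, rcpt, match_subdomains=True))
```

The two lookups for bob@sub.example.com show the practical difference: without "transport_maps" in parent_domain_matches_subdomains the ".example.com" entry decides, with it the plain "example.com" entry does, and a mail for sub.partner.example.net falls through to "*" unless subdomain matching is on.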
transport_minimum_delivery_slots (default: $default_minimum_delivery_slots)
A transport-specific override for the default_minimum_delivery_slots
12717 parameter value, where transport is the master.cf name of the message
12718 delivery transport.
12719
12720 Note: transport_minimum_delivery_slots parameters will not show up in
12721 "postconf" command output before Postfix version 2.9. This limitation
12722 applies to many parameters whose name is a combination of a master.cf
12723 service name and a built-in suffix (in this case: "_minimum_deliv‐
12724 ery_slots").
12725
transport_recipient_limit (default: $default_recipient_limit)
A transport-specific override for the default_recipient_limit parameter
12728 value, where transport is the master.cf name of the message delivery
12729 transport.
12730
12731 Note: some transport_recipient_limit parameters will not show up in
12732 "postconf" command output before Postfix version 2.9. This limitation
12733 applies to many parameters whose name is a combination of a master.cf
12734 service name and a built-in suffix (in this case: "_recipient_limit").
12735
transport_recipient_refill_delay (default: $default_recipient_refill_delay)
A transport-specific override for the default_recipient_refill_delay
12738 parameter value, where transport is the master.cf name of the message
12739 delivery transport.
12740
12741 Note: transport_recipient_refill_delay parameters will not show up in
12742 "postconf" command output before Postfix version 2.9. This limitation
12743 applies to many parameters whose name is a combination of a master.cf
12744 service name and a built-in suffix (in this case: "_recipi‐
12745 ent_refill_delay").
12746
12747 This feature is available in Postfix 2.4 and later.
12748
transport_recipient_refill_limit (default: $default_recipient_refill_limit)
A transport-specific override for the default_recipient_refill_limit
12751 parameter value, where transport is the master.cf name of the message
12752 delivery transport.
12753
12754 Note: transport_recipient_refill_limit parameters will not show up in
12755 "postconf" command output before Postfix version 2.9. This limitation
12756 applies to many parameters whose name is a combination of a master.cf
12757 service name and a built-in suffix (in this case: "_recipi‐
12758 ent_refill_limit").
12759
12760 This feature is available in Postfix 2.4 and later.
12761
transport_retry_time (default: 60s)
The time between attempts by the Postfix queue manager to contact a
12764 malfunctioning message delivery transport.
12765
12766 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
12767 The default time unit is s (seconds).
12768
transport_time_limit (default: $command_time_limit)
A transport-specific override for the command_time_limit parameter
12771 value, where transport is the master.cf name of the message delivery
12772 transport.
12773
12774 Note: transport_time_limit parameters will not show up in "postconf"
12775 command output before Postfix version 2.9. This limitation applies to
12776 many parameters whose name is a combination of a master.cf service name
12777 and a built-in suffix (in this case: "_time_limit").
12778
transport_transport_rate_delay (default: $default_transport_rate_delay)
A transport-specific override for the default_transport_rate_delay
12781 parameter value, where the initial transport in the parameter name is
12782 the master.cf name of the message delivery transport.
12783
trigger_timeout (default: 10s)
The time limit for sending a trigger to a Postfix daemon (for example,
12786 the pickup(8) or qmgr(8) daemon). This time limit prevents programs
12787 from getting stuck when the mail system is under heavy load.
12788
12789 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
12790 The default time unit is s (seconds).
12791
undisclosed_recipients_header (default: see "postconf -d" output)
Message header that the Postfix cleanup(8) server inserts when a message
contains no To: or Cc: message header. With Postfix 2.8 and later,
12795 the default value is empty. With Postfix 2.4-2.7, specify an empty
12796 value to disable this feature.
12797
12798 Example:
12799
12800 # Default value before Postfix 2.8.
12801 # Note: the ":" and ";" are both required.
12802 undisclosed_recipients_header = To: undisclosed-recipients:;
12803
unknown_address_reject_code (default: 450)
The numerical response code when the Postfix SMTP server rejects a
12806 sender or recipient address because its domain is unknown. This is one
12807 of the possible replies from the restrictions
12808 reject_unknown_sender_domain and reject_unknown_recipient_domain.
12809
12810 Do not change this unless you have a complete understanding of RFC
12811 5321.
12812
unknown_address_tempfail_action (default: $reject_tempfail_action)
The Postfix SMTP server's action when reject_unknown_sender_domain or
12815 reject_unknown_recipient_domain fail due to a temporary error condi‐
12816 tion. Specify "defer" to defer the remote SMTP client request immedi‐
12817 ately. With the default "defer_if_permit" action, the Postfix SMTP
12818 server continues to look for opportunities to reject mail, and defers
12819 the client request only if it would otherwise be accepted.
12820
12821 This feature is available in Postfix 2.6 and later.
12822
unknown_client_reject_code (default: 450)
The numerical Postfix SMTP server response code when a client without
12825 valid address <=> name mapping is rejected by the
12826 reject_unknown_client_hostname restriction. The SMTP server always
12827 replies with 450 when the mapping failed due to a temporary error con‐
12828 dition.
12829
12830 Do not change this unless you have a complete understanding of RFC
12831 5321.
12832
unknown_helo_hostname_tempfail_action (default: $reject_tempfail_action)
The Postfix SMTP server's action when reject_unknown_helo_hostname
12835 fails due to a temporary error condition. Specify "defer" to defer the
12836 remote SMTP client request immediately. With the default "defer_if_per‐
12837 mit" action, the Postfix SMTP server continues to look for opportuni‐
12838 ties to reject mail, and defers the client request only if it would
12839 otherwise be accepted.
12840
12841 This feature is available in Postfix 2.6 and later.
12842
unknown_hostname_reject_code (default: 450)
The numerical Postfix SMTP server response code when the hostname
specified with the HELO or EHLO command is rejected by the
12846 reject_unknown_helo_hostname restriction.
12847
12848 Do not change this unless you have a complete understanding of RFC
12849 5321.
12850
unknown_local_recipient_reject_code (default: 550)
The numerical Postfix SMTP server response code when a recipient
12853 address is local, and $local_recipient_maps specifies a list of lookup
12854 tables that does not match the recipient. A recipient address is local
12855 when its domain matches $mydestination, $proxy_interfaces or
12856 $inet_interfaces.
12857
12858 The default setting is 550 (reject mail) but it is safer to initially
12859 use 450 (try again later) so you have time to find out if your
12860 local_recipient_maps settings are OK.
12861
12862 Example:
12863
12864 unknown_local_recipient_reject_code = 450
12865
12866 This feature is available in Postfix 2.0 and later.
12867
unknown_relay_recipient_reject_code (default: 550)
The numerical Postfix SMTP server reply code when a recipient address
12870 matches $relay_domains, and relay_recipient_maps specifies a list of
12871 lookup tables that does not match the recipient address.
12872
12873 This feature is available in Postfix 2.0 and later.
12874
unknown_virtual_alias_reject_code (default: 550)
The Postfix SMTP server reply code when a recipient address matches
12877 $virtual_alias_domains, and $virtual_alias_maps specifies a list of
12878 lookup tables that does not match the recipient address.
12879
12880 This feature is available in Postfix 2.0 and later.
12881
unknown_virtual_mailbox_reject_code (default: 550)
The Postfix SMTP server reply code when a recipient address matches
12884 $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
12885 lookup tables that does not match the recipient address.
12886
12887 This feature is available in Postfix 2.0 and later.
12888
unverified_recipient_defer_code (default: 450)
The numerical Postfix SMTP server response when a recipient address
12891 probe fails due to a temporary error condition.
12892
12893 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12894 address anyway.
12895
12896 Do not change this unless you have a complete understanding of RFC
12897 5321.
12898
12899 This feature is available in Postfix 2.6 and later.
12900
unverified_recipient_reject_code (default: 450)
The numerical Postfix SMTP server response when a recipient address is
12903 rejected by the reject_unverified_recipient restriction.
12904
12905 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12906 address anyway.
12907
12908 Do not change this unless you have a complete understanding of RFC
12909 5321.
12910
12911 This feature is available in Postfix 2.1 and later.
12912
unverified_recipient_reject_reason (default: empty)
The Postfix SMTP server's reply when rejecting mail with
reject_unverified_recipient. Do not include the numeric SMTP reply code or the
12916 enhanced status code. By default, the response includes actual address
12917 verification details.
12918
12919 Example:
12920
12921 unverified_recipient_reject_reason = Recipient address lookup failed
12922
12923 This feature is available in Postfix 2.6 and later.
12924
unverified_recipient_tempfail_action (default: $reject_tempfail_action)
The Postfix SMTP server's action when reject_unverified_recipient fails
12927 due to a temporary error condition. Specify "defer" to defer the remote
12928 SMTP client request immediately. With the default "defer_if_permit"
12929 action, the Postfix SMTP server continues to look for opportunities to
12930 reject mail, and defers the client request only if it would otherwise
12931 be accepted.
12932
12933 This feature is available in Postfix 2.6 and later.
12934
unverified_sender_defer_code (default: 450)
The numerical Postfix SMTP server response code when a sender address
12937 probe fails due to a temporary error condition.
12938
12939 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12940 address anyway.
12941
12942 Do not change this unless you have a complete understanding of RFC
12943 5321.
12944
12945 This feature is available in Postfix 2.6 and later.
12946
unverified_sender_reject_code (default: 450)
The numerical Postfix SMTP server response code when a sender address is
rejected by the reject_unverified_sender restriction.
12950
12951 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12952 address anyway.
12953
12954 Do not change this unless you have a complete understanding of RFC
12955 5321.
12956
12957 This feature is available in Postfix 2.1 and later.
12958
unverified_sender_reject_reason (default: empty)
The Postfix SMTP server's reply when rejecting mail with
reject_unverified_sender. Do not include the numeric SMTP reply code or the enhanced
12962 status code. By default, the response includes actual address verifica‐
12963 tion details.
12964
12965 Example:
12966
12967 unverified_sender_reject_reason = Sender address lookup failed
12968
12969 This feature is available in Postfix 2.6 and later.
12970
unverified_sender_tempfail_action (default: $reject_tempfail_action)
The Postfix SMTP server's action when reject_unverified_sender fails
12973 due to a temporary error condition. Specify "defer" to defer the remote
12974 SMTP client request immediately. With the default "defer_if_permit"
12975 action, the Postfix SMTP server continues to look for opportunities to
12976 reject mail, and defers the client request only if it would otherwise
12977 be accepted.
12978
12979 This feature is available in Postfix 2.6 and later.
12980
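The four *_tempfail_action parameters above (unknown_address_tempfail_action, unknown_helo_hostname_tempfail_action, unverified_recipient_tempfail_action and unverified_sender_tempfail_action) share one rule, modelled here as an added example that is not Postfix code: with "defer", a temporary lookup failure ends the restriction list at once; with "defer_if_permit", evaluation continues, a later reject still wins, and the deferral is returned only where the list would otherwise have permitted the request. That is why "defer_if_permit" is the safer default: a client cannot turn a rejection into a harmless "try again later" by causing a lookup to fail. The restriction names and outcomes fed to the model are constructed, and the reply codes stand in for the *_defer_code and *_reject_code parameters.

```python
# Added example, not Postfix code: a model of how a *_tempfail_action of
# "defer" versus "defer_if_permit" changes the outcome of an smtpd
# restriction list when one restriction hits a temporary error (DNS
# timeout, address probe timeout). The inputs are constructed outcomes,
# not a real SMTP session.

def smtpd_decision(restrictions, tempfail_action="defer_if_permit",
                   defer_code=450):
    """Evaluate ordered (restriction_name, outcome) pairs.

    outcome is one of "permit", "reject", "dunno" or "tempfail".
    Returns (smtp_reply_code, text). defer_code plays the role of
    unverified_sender_defer_code, unknown_address_reject_code, and so on.
    """
    pending_defer = None
    for name, outcome in restrictions:
        if outcome == "tempfail":
            if tempfail_action == "defer":
                return defer_code, f"{name}: temporary lookup failure"
            # defer_if_permit: remember the problem, keep looking for a reject
            if pending_defer is None:
                pending_defer = (defer_code, f"{name}: temporary lookup failure")
            continue
        if outcome == "reject":
            return 550, f"{name}: rejected"
        if outcome == "permit":
            break                      # an explicit permit ends the list
        # "dunno": this restriction has no opinion, try the next one
    if pending_defer is not None:
        return pending_defer           # would have been accepted: defer instead
    return 250, "accepted"


# Constructed scenarios: the sender-address probe times out; in the first
# list a later restriction rejects the client, in the second nothing does.
PROBE_TIMEOUT_THEN_RBL_HIT = [
    ("permit_mynetworks", "dunno"),
    ("reject_unverified_sender", "tempfail"),
    ("reject_rbl_client", "reject"),
]
PROBE_TIMEOUT_ONLY = [
    ("permit_mynetworks", "dunno"),
    ("reject_unverified_sender", "tempfail"),
    ("reject_rbl_client", "dunno"),
]

if __name__ == "__main__":
    for action in ("defer_if_permit", "defer"):
        print(action,
              smtpd_decision(PROBE_TIMEOUT_THEN_RBL_HIT, action),
              smtpd_decision(PROBE_TIMEOUT_ONLY, action))
```

With "defer_if_permit" the first list still ends in a 550 from reject_rbl_client; with "defer" the same list stops at the probe failure and the client is told to retry, which hides the rejection from the sender and costs a second delivery attempt.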
verp_delimiter_filter (default: -=+)
The characters Postfix accepts as VERP delimiter characters on the
12983 Postfix sendmail(1) command line and in SMTP commands.
12984
12985 This feature is available in Postfix 1.1 and later.
12986
virtual_alias_address_length_limit (default: 1000)
The maximal length of an email address after virtual alias expansion.
12989 This stops virtual aliasing loops that increase the address length
12990 exponentially.
12991
12992 This feature is available in Postfix 3.0 and later.
12993
virtual_alias_domains (default: $virtual_alias_maps)
Postfix is final destination for the specified list of virtual alias
domains, that is, domains for which all addresses are aliased to
addresses in other local or remote domains. The SMTP server validates
recipient addresses with $virtual_alias_maps and rejects non-existent
recipients. See also the virtual alias domain class in the
ADDRESS_CLASS_README file.
13001
13002 This feature is available in Postfix 2.0 and later. The default value
13003 is backwards compatible with Postfix version 1.1.
13004
13005 The default value is $virtual_alias_maps so that you can keep all
13006 information about virtual alias domains in one place. If you have many
13007 users, it is better to separate information that changes more fre‐
13008 quently (virtual address -> local or remote address mapping) from
13009 information that changes less frequently (the list of virtual domain
13010 names).
13011
13012 Specify a list of host or domain names, "/file/name" or "type:table"
13013 patterns, separated by commas and/or whitespace. A "/file/name" pattern
13014 is replaced by its contents; a "type:table" lookup table is matched
13015 when a table entry matches a lookup string (the lookup result is
13016 ignored). Continue long lines by starting the next line with white‐
13017 space. Specify "!pattern" to exclude a host or domain name from the
13018 list. The form "!/file/name" is supported only in Postfix version 2.4
13019 and later.
13020
13021 See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
13022 ther information.
13023
13024 Example:
13025
13026 virtual_alias_domains = virtual1.tld virtual2.tld
13027
virtual_alias_expansion_limit (default: 1000)
The maximal number of addresses that virtual alias expansion produces
13030 from each original recipient.
13031
13032 This feature is available in Postfix 2.1 and later.
13033
virtual_alias_maps (default: $virtual_maps)
Optional lookup tables that alias specific mail addresses or domains to
other local or remote addresses. The table format and lookups are
documented in virtual(5). For an overview of Postfix address manipulations
see the ADDRESS_REWRITING_README document.
13039
13040 This feature is available in Postfix 2.0 and later. The default value
13041 is backwards compatible with Postfix version 1.1.
13042
13043 Specify zero or more "type:name" lookup tables, separated by whitespace
13044 or comma. Tables will be searched in the specified order until a match
13045 is found. Note: these lookups are recursive.
13046
13047 If you use this feature with indexed files, run "postmap /etc/post‐
13048 fix/virtual" after changing the file.
13049
13050 Examples:
13051
13052 virtual_alias_maps = dbm:/etc/postfix/virtual
13053 virtual_alias_maps = hash:/etc/postfix/virtual
13054
virtual_alias_recursion_limit (default: 1000)
The maximal nesting depth of virtual alias expansion. Currently the
13057 recursion limit is applied only to the left branch of the expansion
13058 graph, so the depth of the tree can in the worst case reach the sum of
13059 the expansion and recursion limits. This may change in the future.
13060
13061 This feature is available in Postfix 2.1 and later.
13062
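Added example, not Postfix code: a model of the recursive virtual alias expansion that cleanup(8) performs, covering the limits described under virtual_alias_address_length_limit, virtual_alias_expansion_limit and virtual_alias_recursion_limit and the recursive lookups noted under virtual_alias_maps, showing what each limit stops. The alias table, the "doubling" lookup (standing in for a regexp alias whose result is longer than its input) and the limit values used are assumptions of the example; the in-place replacement that makes the recursion limit apply only to the left branch follows the description above.

```python
# Added example, not Postfix code: a model of cleanup(8) virtual alias
# expansion with the three limits above and the "already expanded" check
# that stops simple alias loops. Each expansion result is spliced in at
# the position being examined, so its leftmost address is expanded next
# (depth counts along that left branch); the other addresses are picked
# up later by the outer loop with a fresh depth count.

class AliasError(Exception):
    """Expansion aborted; Postfix would defer the message ("Alias expansion error")."""


def expand_virtual_aliases(lookup, recipient, expansion_limit=1000,
                           recursion_limit=1000, address_length_limit=1000):
    """lookup(addr) returns a non-empty list of addresses, or None if addr is not aliased."""
    addrs = [recipient]
    seen = set()                    # addresses already expanded once
    arg = 0
    while arg < len(addrs):
        if len(addrs) > expansion_limit:
            raise AliasError("virtual alias expansion limit exceeded")
        depth = 0                   # nesting along the left branch at this position
        while True:
            if addrs[arg] in seen:
                break               # alias loop: leave the address as it is
            if depth >= recursion_limit:
                raise AliasError("virtual alias recursion limit exceeded")
            seen.add(addrs[arg])
            result = lookup(addrs[arg])
            if not result:
                break               # not an alias: final recipient
            if any(len(a) > address_length_limit for a in result):
                raise AliasError("virtual alias address length limit exceeded")
            addrs[arg:arg + 1] = result   # leftmost result lands at arg, siblings after it
            depth += 1
        arg += 1
    return addrs


def expansion_error(lookup, recipient, **limits):
    """Return the limit message that stopped expansion, or None when it completed."""
    try:
        expand_virtual_aliases(lookup, recipient, **limits)
        return None
    except AliasError as err:
        return str(err)


# Constructed virtual_alias_maps content (not from the page).
VIRTUAL_ALIASES = {
    "sales@example.com": ["alice@example.com", "bob@example.com"],
    "alice@example.com": ["alice@mail.example.net"],
    "bob@example.com":   ["sales@example.com", "bob@mail.example.net"],   # loops back
}


def table_lookup(addr):
    return VIRTUAL_ALIASES.get(addr)


def doubling_lookup(addr):
    """Stands in for a regexp alias that maps user@loop.example to useruser@loop.example:
    every expansion doubles the local part, so the address length grows exponentially."""
    local, _, domain = addr.partition("@")
    if domain == "loop.example":
        return [local + local + "@" + domain]
    return table_lookup(addr)


if __name__ == "__main__":
    print(expand_virtual_aliases(table_lookup, "sales@example.com"))
    print(expansion_error(doubling_lookup, "ab@loop.example", address_length_limit=64))
    print(expansion_error(doubling_lookup, "ab@loop.example",
                          recursion_limit=5, address_length_limit=10**6))
```

The sales@example.com case shows the loop check: bob@example.com aliases back to sales@example.com, which was already expanded, so it is left in place rather than expanded again. The two doubling_lookup calls show that a runaway alias is caught by whichever limit is reached first, the address length or the nesting depth.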
virtual_delivery_status_filter (default: $default_delivery_status_filter)
Optional filter for the virtual(8) delivery agent to change the
delivery status code or explanatory text of successful or unsuccessful
13066 deliveries. See default_delivery_status_filter for details.
13067
13068 This feature is available in Postfix 3.0 and later.
13069
virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)
13072 The maximal number of parallel deliveries to the same destination via
13073 the virtual message delivery transport. This limit is enforced by the
13074 queue manager. The message delivery transport name is the first field
13075 in the entry in the master.cf file.
13076
virtual_destination_recipient_limit (default: $default_destination_recipient_limit)
13079 The maximal number of recipients per message for the virtual message
13080 delivery transport. This limit is enforced by the queue manager. The
13081 message delivery transport name is the first field in the entry in the
13082 master.cf file.
13083
13084 Setting this parameter to a value of 1 changes the meaning of vir‐
13085 tual_destination_concurrency_limit from concurrency per domain into
13086 concurrency per recipient.
13087
virtual_gid_maps (default: empty)
Lookup tables with the per-recipient group ID for virtual(8) mailbox
13090 delivery.
13091
13092 This parameter is specific to the virtual(8) delivery agent. It does
13093 not apply when mail is delivered with a different mail delivery pro‐
13094 gram.
13095
13096 Specify zero or more "type:name" lookup tables, separated by whitespace
13097 or comma. Tables will be searched in the specified order until a match
13098 is found.
13099
13100 In a lookup table, specify a left-hand side of "@domain.tld" to match
13101 any user in the specified domain that does not have a specific
13102 "user@domain.tld" entry.
13103
13104 When a recipient address has an optional address extension
13105 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
13106 address first, and when the lookup fails, it looks up the unextended
13107 address (user@domain.tld).
13108
13109 Note 1: for security reasons, the virtual(8) delivery agent disallows
13110 regular expression substitution of $1 etc. in regular expression lookup
13111 tables, because that would open a security hole.
13112
13113 Note 2: for security reasons, the virtual(8) delivery agent will
13114 silently ignore requests to use the proxymap(8) server. Instead it will
13115 open the table directly. Before Postfix version 2.2, the virtual(8)
13116 delivery agent will terminate with a fatal error.
13117
virtual_mailbox_base (default: empty)
A prefix that the virtual(8) delivery agent prepends to all pathname
13120 results from $virtual_mailbox_maps table lookups. This is a safety
13121 measure to ensure that an out of control map doesn't litter the file
13122 system with mailboxes. While virtual_mailbox_base could be set to "/",
13123 this setting isn't recommended.
13124
13125 This parameter is specific to the virtual(8) delivery agent. It does
13126 not apply when mail is delivered with a different mail delivery pro‐
13127 gram.
13128
13129 Example:
13130
13131 virtual_mailbox_base = /var/mail
13132
virtual_mailbox_domains (default: $virtual_mailbox_maps)
Postfix is final destination for the specified list of domains; mail is
13135 delivered via the $virtual_transport mail delivery transport. By
13136 default this is the Postfix virtual(8) delivery agent. The SMTP server
13137 validates recipient addresses with $virtual_mailbox_maps and rejects
13138 mail for non-existent recipients. See also the virtual mailbox domain
13139 class in the ADDRESS_CLASS_README file.
13140
13141 This parameter expects the same syntax as the mydestination configura‐
13142 tion parameter.
13143
13144 This feature is available in Postfix 2.0 and later. The default value
13145 is backwards compatible with Postfix version 1.1.
13146
virtual_mailbox_limit (default: 51200000)
The maximal size in bytes of an individual virtual(8) mailbox or
13149 maildir file, or zero (no limit).
13150
13151 This parameter is specific to the virtual(8) delivery agent. It does
13152 not apply when mail is delivered with a different mail delivery pro‐
13153 gram.
13154
virtual_mailbox_lock (default: see "postconf -d" output)
How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
13157 For a list of available file locking methods, use the "postconf -l"
13158 command.
13159
13160 This parameter is specific to the virtual(8) delivery agent. It does
13161 not apply when mail is delivered with a different mail delivery pro‐
13162 gram.
13163
13164 This setting is ignored with maildir style delivery, because such
13165 deliveries are safe without application-level locks.
13166
13167 Note 1: the dotlock method requires that the recipient UID or GID has
13168 write access to the parent directory of the recipient's mailbox file.
13169
13170 Note 2: the default setting of this parameter is system dependent.
13171
virtual_mailbox_maps (default: empty)
Optional lookup tables with all valid addresses in the domains that
13174 match $virtual_mailbox_domains.
13175
13176 Specify zero or more "type:name" lookup tables, separated by whitespace
13177 or comma. Tables will be searched in the specified order until a match
13178 is found.
13179
13180 In a lookup table, specify a left-hand side of "@domain.tld" to match
13181 any user in the specified domain that does not have a specific
13182 "user@domain.tld" entry.
13183
13184 The remainder of this text is specific to the virtual(8) delivery
13185 agent. It does not apply when mail is delivered with a different mail
13186 delivery program.
13187
13188 The virtual(8) delivery agent uses this table to look up the per-recip‐
13189 ient mailbox or maildir pathname. If the lookup result ends in a slash
13190 ("/"), maildir-style delivery is carried out, otherwise the path is
13191 assumed to specify a UNIX-style mailbox file. Note that $virtual_mail‐
13192 box_base is unconditionally prepended to this path.
13193
13194 When a recipient address has an optional address extension
13195 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
13196 address first, and when the lookup fails, it looks up the unextended
13197 address (user@domain.tld).
13198
13199 Note 1: for security reasons, the virtual(8) delivery agent disallows
13200 regular expression substitution of $1 etc. in regular expression lookup
13201 tables, because that would open a security hole.
13202
13203 Note 2: for security reasons, the virtual(8) delivery agent will
13204 silently ignore requests to use the proxymap(8) server. Instead it will
13205 open the table directly. Before Postfix version 2.2, the virtual(8)
13206 delivery agent will terminate with a fatal error.
13207
virtual_maps (default: empty)
Optional lookup tables with a) names of domains for which all addresses
13210 are aliased to addresses in other local or remote domains, and b)
13211 addresses that are aliased to addresses in other local or remote
13212 domains. Available before Postfix version 2.0. With Postfix version
13213 2.0 and later, this is replaced by separate controls: vir‐
13214 tual_alias_domains and virtual_alias_maps.
13215
virtual_minimum_uid (default: 100)
The minimum user ID value that the virtual(8) delivery agent accepts as
13218 a result from $virtual_uid_maps table lookup. Returned values less
13219 than this will be rejected, and the message will be deferred.
13220
13221 This parameter is specific to the virtual(8) delivery agent. It does
13222 not apply when mail is delivered with a different mail delivery pro‐
13223 gram.
13224
virtual_transport (default: virtual)
The default mail delivery transport and next-hop destination for final
13227 delivery to domains listed with $virtual_mailbox_domains. This infor‐
13228 mation can be overruled with the transport(5) table.
13229
13230 Specify a string of the form transport:nexthop, where transport is the
13231 name of a mail delivery transport defined in master.cf. The :nexthop
13232 destination is optional; its syntax is documented in the manual page of
13233 the corresponding delivery agent.
13234
13235 This feature is available in Postfix 2.0 and later.
13236
virtual_uid_maps (default: empty)
Lookup tables with the per-recipient user ID that the virtual(8)
delivery agent uses while writing to the recipient's mailbox.
13240
13241 This parameter is specific to the virtual(8) delivery agent. It does
13242 not apply when mail is delivered with a different mail delivery pro‐
13243 gram.
13244
13245 Specify zero or more "type:name" lookup tables, separated by whitespace
13246 or comma. Tables will be searched in the specified order until a match
13247 is found.
13248
13249 In a lookup table, specify a left-hand side of "@domain.tld" to match
13250 any user in the specified domain that does not have a specific
13251 "user@domain.tld" entry.
13252
13253 When a recipient address has an optional address extension
13254 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
13255 address first, and when the lookup fails, it looks up the unextended
13256 address (user@domain.tld).
13257
13258 Note 1: for security reasons, the virtual(8) delivery agent disallows
13259 regular expression substitution of $1 etc. in regular expression lookup
13260 tables, because that would open a security hole.
13261
13262 Note 2: for security reasons, the virtual(8) delivery agent will
13263 silently ignore requests to use the proxymap(8) server. Instead it will
13264 open the table directly. Before Postfix version 2.2, the virtual(8)
13265 delivery agent will terminate with a fatal error.
13266
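Added example, not Postfix code: a model of how the virtual(8) delivery agent combines the virtual_mailbox_maps, virtual_uid_maps and virtual_gid_maps results with virtual_mailbox_base and virtual_minimum_uid for one recipient, as described under those parameters above: the lookup with and without the address extension, the "@domain" catch-all, maildir versus UNIX mailbox selected by a trailing "/", the base prefix that is always prepended, and the minimum UID check. The map contents, base directory and UID values are constructed for the example.

```python
# Added example, not Postfix code: a model of what virtual(8) does with
# the lookup results for one recipient before it writes the mailbox.
# The maps below are constructed; the lookup order (full address, address
# without extension, "@domain") and the base-prefix and minimum-UID rules
# follow the parameter descriptions above.

def virtual_lookup(table, recipient, delimiter="+"):
    """Full address first, then the address without extension, then @domain."""
    local, _, domain = recipient.lower().rpartition("@")
    keys = [f"{local}@{domain}"]
    if delimiter in local:
        keys.append(f"{local.split(delimiter, 1)[0]}@{domain}")
    keys.append(f"@{domain}")
    for key in keys:
        if key in table:
            return table[key]
    return None


def resolve_mailbox(recipient, mailbox_maps, uid_maps, gid_maps,
                    mailbox_base, minimum_uid=100):
    """Return (mailbox dict, None), or (None, reason) when delivery would be deferred."""
    path = virtual_lookup(mailbox_maps, recipient)
    if path is None:
        return None, "unknown user"          # smtpd should have rejected this earlier
    uid = virtual_lookup(uid_maps, recipient)
    gid = virtual_lookup(gid_maps, recipient)
    if uid is None or gid is None:
        return None, "no uid or gid mapping"
    uid, gid = int(uid), int(gid)
    if uid < minimum_uid:
        return None, f"uid {uid} is below virtual_minimum_uid {minimum_uid}"
    # The base is always prepended, so even an absolute map result ends up
    # under mailbox_base. (This model does not normalize ".." components.)
    full_path = mailbox_base.rstrip("/") + "/" + path.lstrip("/")
    style = "maildir" if path.endswith("/") else "mbox"
    return {"path": full_path, "style": style, "uid": uid, "gid": gid}, None


# Constructed maps (not from the page).
VIRTUAL_MAILBOX_MAPS = {
    "alice@example.com": "example.com/alice/",     # trailing "/": maildir
    "bob@example.com":   "example.com/bob",        # no trailing "/": UNIX mailbox file
    "@example.com":      "example.com/catchall/",  # every other user in the domain
    "oops@example.com":  "/etc/passwd",            # an out-of-control map result
}
VIRTUAL_UID_MAPS = {"@example.com": "5000", "root@example.com": "0"}
VIRTUAL_GID_MAPS = {"@example.com": "5000"}
BASE = "/var/mail/vhosts"


def deliver(recipient):
    return resolve_mailbox(recipient, VIRTUAL_MAILBOX_MAPS, VIRTUAL_UID_MAPS,
                           VIRTUAL_GID_MAPS, BASE)


if __name__ == "__main__":
    for rcpt in ("alice+news@example.com", "bob@example.com", "carol@example.com",
                 "root@example.com", "oops@example.com", "dave@other.example"):
        print(rcpt, "->", deliver(rcpt))
```

The root@example.com and oops@example.com cases are the two safety rules in action: a UID below virtual_minimum_uid stops delivery, and a map result of "/etc/passwd" lands at /var/mail/vhosts/etc/passwd rather than at the system file.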
SEE ALSO
postconf(1), Postfix configuration parameter maintenance
13269 master(5), Postfix daemon configuration maintenance
13270
LICENSE
The Secure Mailer license must be distributed with this software.
13273
AUTHOR(S)
Wietse Venema
13276 IBM T.J. Watson Research
13277 P.O. Box 704
13278 Yorktown Heights, NY 10598, USA
13279
13280 Wietse Venema
13281 Google, Inc.
13282 111 8th Avenue
13283 New York, NY 10011, USA
13284
13285 Viktor Dukhovni
13286
13287
13288
13289 POSTCONF(5)