SMTP(8)                     System Manager's Manual                    SMTP(8)

NAME

       smtp - Postfix SMTP+LMTP client

SYNOPSIS

       smtp [generic Postfix daemon options] [flags=DORX]

DESCRIPTION

       The Postfix SMTP+LMTP client implements the SMTP and LMTP mail delivery
       protocols. It processes message delivery requests from the queue
       manager. Each request specifies a queue file, a sender address, a
       domain or host to deliver to, and recipient information. This program
       expects to be run from the master(8) process manager.

       The SMTP+LMTP client updates the queue file and marks recipients as
       finished, or it informs the queue manager that delivery should be tried
       again at a later time. Delivery status reports are sent to the
       bounce(8), defer(8) or trace(8) daemon as appropriate.

       The SMTP+LMTP client looks up a list of mail exchanger addresses for
       the destination host, sorts the list by preference, and connects to
       each listed address until it finds a server that responds.

       When a server is not reachable, or when mail delivery fails due to a
       recoverable error condition, the SMTP+LMTP client will try to deliver
       the mail to an alternate host.

       After a successful mail transaction, a connection may be saved to the
       scache(8) connection cache server, so that it may be used by any
       SMTP+LMTP client for a subsequent transaction.

       By default, connection caching is enabled temporarily for destinations
       that have a high volume of mail in the active queue. Connection caching
       can be enabled permanently for specific destinations.

SMTP DESTINATION SYNTAX

       The Postfix SMTP+LMTP client supports multiple destinations separated
       by comma or whitespace (Postfix 3.5 and later). SMTP destinations have
       the following form:

       domainname

       domainname:port
              Look up the mail exchangers for the specified domain, and
              connect to the specified port (default: smtp).

       [hostname]

       [hostname]:port
              Look up the address(es) of the specified host, and connect to
              the specified port (default: smtp).

       [address]

       [address]:port
              Connect to the host at the specified address, and connect to the
              specified port (default: smtp). An IPv6 address must be
              formatted as [ipv6:address].

LMTP DESTINATION SYNTAX

       The Postfix SMTP+LMTP client supports multiple destinations separated
       by comma or whitespace (Postfix 3.5 and later). LMTP destinations have
       the following form:

       unix:pathname
              Connect to the local UNIX-domain server that is bound to the
              specified pathname. If the process runs chrooted, an absolute
              pathname is interpreted relative to the Postfix queue directory.

       inet:hostname

       inet:hostname:port

       inet:[address]

       inet:[address]:port
              Connect to the specified TCP port on the specified local or
              remote host. If no port is specified, connect to the port
              defined as lmtp in services(4). If no such service is found,
              the lmtp_tcp_port configuration parameter (default value of 24)
              will be used. An IPv6 address must be formatted as
              [ipv6:address].
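
       The two destination syntaxes above, as an added example that is not
       part of the original page and not Postfix code: a parser that makes
       visible which forms trigger an MX lookup and which are pinned to a host
       or address. The names parse_nexthop and Destination are hypothetical;
       forms not listed above, and IPv6 literals without the ipv6: prefix,
       are rejected by this example.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Destination(NamedTuple):
    protocol: str          # "smtp" or "lmtp"
    kind: str              # "domain", "host", "address" or "unix"
    target: str            # domain name, hostname, IP address or socket path
    port: Optional[str]    # None: protocol default (smtp, or lmtp / lmtp_tcp_port)
    mx_lookup: bool        # True only for an unbracketed SMTP domain name


def _port(text: str, whole: str) -> str:
    # A port is a service name or a decimal number; an empty port is an error.
    if not re.fullmatch(r"[A-Za-z0-9-]+", text):
        raise ValueError(f"bad port in {whole!r}")
    if text.isdigit() and not 0 < int(text) < 65536:
        raise ValueError(f"port out of range in {whole!r}")
    return text


def _host_port(text: str, protocol: str) -> Destination:
    if text.startswith("["):
        inner, sep, rest = text[1:].partition("]")
        if not sep or not inner or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracket form {text!r}")
        port = _port(rest[1:], text) if rest else None
        if inner.lower().startswith("ipv6:"):
            addr = ipaddress.IPv6Address(inner[5:])   # ValueError if invalid
            return Destination(protocol, "address", str(addr), port, False)
        try:
            addr = ipaddress.ip_address(inner)
        except ValueError:
            # Not an address literal: a hostname, resolved without MX lookup.
            return Destination(protocol, "host", inner.lower(), port, False)
        if addr.version == 6:
            # The page requires [ipv6:address]; this example enforces it.
            raise ValueError(f"IPv6 literal needs the ipv6: prefix in {text!r}")
        return Destination(protocol, "address", str(addr), port, False)
    name, sep, rest = text.partition(":")
    if not name or ":" in rest:
        raise ValueError(f"malformed destination {text!r}")
    port = _port(rest, text) if sep else None
    if protocol == "smtp":
        return Destination("smtp", "domain", name.lower(), port, True)
    return Destination("lmtp", "host", name.lower(), port, False)


def parse_nexthop(nexthop: str, protocol: str = "smtp") -> List[Destination]:
    """Parse a comma- or whitespace-separated destination list."""
    if protocol not in ("smtp", "lmtp"):
        raise ValueError(f"unknown protocol {protocol!r}")
    result = []
    for item in filter(None, re.split(r"[,\s]+", nexthop)):
        if protocol == "smtp":
            result.append(_host_port(item, "smtp"))
        elif item.startswith("unix:") and len(item) > 5:
            result.append(Destination("lmtp", "unix", item[5:], None, False))
        elif item.startswith("inet:"):
            result.append(_host_port(item[5:], "lmtp"))
        else:
            raise ValueError(f"LMTP destination needs unix: or inet: in {item!r}")
    if not result:
        raise ValueError("empty destination list")
    return result


if __name__ == "__main__":
    # Constructed sample destinations (documentation address ranges).
    for dest in parse_nexthop("example.com, [mail.example.com]:587 "
                              "[ipv6:2001:db8::1]:submission"):
        print(dest)
    for dest in parse_nexthop("unix:private/lmtp-store inet:[127.0.0.1]:2424",
                              "lmtp"):
        print(dest)
```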

SINGLE-RECIPIENT DELIVERY

       By default, the Postfix SMTP+LMTP client delivers mail to multiple
       recipients per delivery request. This is undesirable when prepending a
       Delivered-to: or X-Original-To: message header. To prevent Postfix from
       sending multiple recipients per delivery request, specify

           transport_destination_recipient_limit = 1

       in the Postfix main.cf file, where transport is the name in the first
       column of the Postfix master.cf entry for this mail delivery service.

COMMAND ATTRIBUTE SYNTAX

       flags=DORX (optional)
              Optional message processing flags.

              D      Prepend a "Delivered-To: recipient" message header with
                     the envelope recipient address. Note: for this to work,
                     the transport_destination_recipient_limit must be 1 (see
                     SINGLE-RECIPIENT DELIVERY above for details).

                     The D flag also enforces loop detection: if a message
                     already contains a Delivered-To: header with the same
                     recipient address, then the message is returned as
                     undeliverable. The address comparison is case
                     insensitive.

                     This feature is available as of Postfix 3.5.

              O      Prepend an "X-Original-To: recipient" message header with
                     the recipient address as given to Postfix. Note: for this
                     to work, the transport_destination_recipient_limit must
                     be 1 (see SINGLE-RECIPIENT DELIVERY above for details).

                     This feature is available as of Postfix 3.5.

              R      Prepend a "Return-Path: <sender>" message header with the
                     envelope sender address.

                     This feature is available as of Postfix 3.5.

              X      Indicates that the delivery is final. This flag affects
                     the status reported in "success" DSN (delivery status
                     notification) messages, and changes it from "relayed"
                     into "delivered".

                     This feature is available as of Postfix 3.5.

SECURITY

       The SMTP+LMTP client is moderately security-sensitive. It talks to
       SMTP or LMTP servers and to DNS servers on the network. The SMTP+LMTP
       client can be run chrooted at fixed low privilege.

STANDARDS

       RFC 821 (SMTP protocol)
       RFC 822 (ARPA Internet Text Messages)
       RFC 1651 (SMTP service extensions)
       RFC 1652 (8bit-MIME transport)
       RFC 1870 (Message Size Declaration)
       RFC 2033 (LMTP protocol)
       RFC 2034 (SMTP Enhanced Error Codes)
       RFC 2045 (MIME: Format of Internet Message Bodies)
       RFC 2046 (MIME: Media Types)
       RFC 2554 (AUTH command)
       RFC 2821 (SMTP protocol)
       RFC 2920 (SMTP Pipelining)
       RFC 3207 (STARTTLS command)
       RFC 3461 (SMTP DSN Extension)
       RFC 3463 (Enhanced Status Codes)
       RFC 4954 (AUTH command)
       RFC 5321 (SMTP protocol)
       RFC 6531 (Internationalized SMTP)
       RFC 6533 (Internationalized Delivery Status Notifications)
       RFC 7672 (SMTP security via opportunistic DANE TLS)

DIAGNOSTICS

       Problems and transactions are logged to syslogd(8) or postlogd(8).
       Corrupted message files are marked so that the queue manager can move
       them to the corrupt queue for further inspection.

       Depending on the setting of the notify_classes parameter, the
       postmaster is notified of bounces, protocol problems, and of other
       trouble.

BUGS

       SMTP and LMTP connection reuse for TLS (without closing the SMTP or
       LMTP connection) is not supported before Postfix 3.4.

       SMTP and LMTP connection reuse assumes that SASL credentials are valid
       for all destinations that map onto the same IP address and TCP port.
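
       A check for the connection-reuse assumption above, as an added example
       that is not part of the original page and not Postfix code: it reports
       every IP address and port that is reached by destinations holding
       different SASL credentials. The function names, the password entries
       and the address data are constructed; only next-hop keys of the form
       [host]:port are handled, and MX-based destinations are out of scope.

```python
import re
import socket
from collections import defaultdict
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]          # (IP address, TCP port)

# Constructed next-hop -> "username:password" entries, in the shape of a
# table that smtp_sasl_password_maps could point at.
PASSWORD_MAP = {
    "[smtp.relay-a.example]:587": "alice:constructed-secret-1",
    "[alias.relay-a.example]:587": "alice:constructed-secret-1",
    "[out.tenant-b.example]:587": "bob:constructed-secret-2",
    "[mail.other.example]:587": "carol:constructed-secret-3",
}

# Constructed resolution results (documentation address ranges), so that the
# example runs offline. resolve_bracketed() below produces the same shape.
RESOLVED = {
    "[smtp.relay-a.example]:587": [("192.0.2.25", 587)],
    "[alias.relay-a.example]:587": [("192.0.2.25", 587)],
    "[out.tenant-b.example]:587": [("192.0.2.25", 587), ("192.0.2.26", 587)],
    "[mail.other.example]:587": [("198.51.100.7", 587)],
}


def resolve_bracketed(destination: str) -> List[Endpoint]:
    """Resolve '[hostname]:port' with the system resolver (no MX lookup)."""
    match = re.fullmatch(r"\[([^\]]+)\]:(\w+)", destination)
    if not match:
        raise ValueError(f"not a [host]:port destination: {destination!r}")
    infos = socket.getaddrinfo(match.group(1), match.group(2),
                               type=socket.SOCK_STREAM)
    return sorted({(info[4][0], info[4][1]) for info in infos})


def credential_conflicts(password_map: Dict[str, str],
                         resolved: Dict[str, List[Endpoint]]
                         ) -> Dict[Endpoint, List[Tuple[str, str]]]:
    """Map each endpoint shared by destinations with differing credentials
    to a sorted list of (destination, username). Passwords are compared
    but never included in the result."""
    by_endpoint = defaultdict(dict)     # endpoint -> {destination: credential}
    for destination, credential in password_map.items():
        for endpoint in resolved.get(destination, []):
            by_endpoint[endpoint][destination] = credential
    findings = {}
    for endpoint, creds in by_endpoint.items():
        if len(set(creds.values())) > 1:
            findings[endpoint] = sorted(
                (dest, cred.partition(":")[0]) for dest, cred in creds.items())
    return findings


if __name__ == "__main__":
    for endpoint, users in credential_conflicts(PASSWORD_MAP, RESOLVED).items():
        print(endpoint, users)
```

       Two destinations with the same credentials on one endpoint are not
       reported, because the assumption holds for them.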

CONFIGURATION PARAMETERS

       Before Postfix version 2.3, the LMTP client is a separate program that
       implements only a subset of the functionality available with SMTP:
       there is no support for TLS, and connections are cached in-process,
       making it ineffective when the client is used for multiple domains.

       Most smtp_xxx configuration parameters have an lmtp_xxx "mirror"
       parameter for the equivalent LMTP feature. This document describes only
       those LMTP-related parameters that aren't simply "mirror" parameters.

       Changes to main.cf are picked up automatically, as smtp(8) processes
       run for only a limited amount of time. Use the command "postfix reload"
       to speed up a change.

       The text below provides only a parameter summary. See postconf(5) for
       more details including examples.

COMPATIBILITY CONTROLS

       ignore_mx_lookup_error (no)
              Ignore DNS MX lookups that produce no response.

       smtp_always_send_ehlo (yes)
              Always send EHLO at the start of an SMTP session.

       smtp_never_send_ehlo (no)
              Never send EHLO at the start of an SMTP session.

       smtp_defer_if_no_mx_address_found (no)
              Defer mail delivery when no MX record resolves to an IP address.

       smtp_line_length_limit (998)
              The maximal length of message header and body lines that Postfix
              will send via SMTP.

       smtp_pix_workaround_delay_time (10s)
              How long the Postfix SMTP client pauses before sending
              ".<CR><LF>" in order to work around the PIX firewall
              "<CR><LF>.<CR><LF>" bug.

       smtp_pix_workaround_threshold_time (500s)
              How long a message must be queued before the Postfix SMTP client
              turns on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for
              delivery through firewalls with "smtp fixup" mode turned on.

       smtp_pix_workarounds (disable_esmtp, delay_dotcrlf)
              A list that specifies zero or more workarounds for CISCO PIX
              firewall bugs.

       smtp_pix_workaround_maps (empty)
              Lookup tables, indexed by the remote SMTP server address, with
              per-destination workarounds for CISCO PIX firewall bugs.

       smtp_quote_rfc821_envelope (yes)
              Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO
              commands as required by RFC 5321.

       smtp_reply_filter (empty)
              A mechanism to transform replies from remote SMTP servers one
              line at a time.

       smtp_skip_5xx_greeting (yes)
              Skip remote SMTP servers that greet with a 5XX status code.

       smtp_skip_quit_response (yes)
              Do not wait for the response to the SMTP QUIT command.

       Available in Postfix version 2.0 and earlier:

       smtp_skip_4xx_greeting (yes)
              Skip SMTP servers that greet with a 4XX status code (go away,
              try again later).

       Available in Postfix version 2.2 and later:

       smtp_discard_ehlo_keyword_address_maps (empty)
              Lookup tables, indexed by the remote SMTP server address, with
              case insensitive lists of EHLO keywords (pipelining, starttls,
              auth, etc.) that the Postfix SMTP client will ignore in the EHLO
              response from a remote SMTP server.

       smtp_discard_ehlo_keywords (empty)
              A case insensitive list of EHLO keywords (pipelining, starttls,
              auth, etc.) that the Postfix SMTP client will ignore in the EHLO
              response from a remote SMTP server.

       smtp_generic_maps (empty)
              Optional lookup tables that perform address rewriting in the
              Postfix SMTP client, typically to transform a locally valid
              address into a globally valid address when sending mail across
              the Internet.

       Available in Postfix version 2.2.9 and later:

       smtp_cname_overrides_servername (version dependent)
              When the remote SMTP servername is a DNS CNAME, replace the
              servername with the result from CNAME expansion for the purpose
              of logging, SASL password lookup, TLS policy decisions, or TLS
              certificate verification.

       Available in Postfix version 2.3 and later:

       lmtp_discard_lhlo_keyword_address_maps (empty)
              Lookup tables, indexed by the remote LMTP server address, with
              case insensitive lists of LHLO keywords (pipelining, starttls,
              auth, etc.) that the Postfix LMTP client will ignore in the LHLO
              response from a remote LMTP server.

       lmtp_discard_lhlo_keywords (empty)
              A case insensitive list of LHLO keywords (pipelining, starttls,
              auth, etc.) that the Postfix LMTP client will ignore in the LHLO
              response from a remote LMTP server.

       Available in Postfix version 2.4.4 and later:

       send_cyrus_sasl_authzid (no)
              When authenticating to a remote SMTP or LMTP server with the
              default setting "no", send no SASL authoriZation ID (authzid);
              send only the SASL authentiCation ID (authcid) plus the
              authcid's password.

       Available in Postfix version 2.5 and later:

       smtp_header_checks (empty)
              Restricted header_checks(5) tables for the Postfix SMTP client.

       smtp_mime_header_checks (empty)
              Restricted mime_header_checks(5) tables for the Postfix SMTP
              client.

       smtp_nested_header_checks (empty)
              Restricted nested_header_checks(5) tables for the Postfix SMTP
              client.

       smtp_body_checks (empty)
              Restricted body_checks(5) tables for the Postfix SMTP client.

       Available in Postfix version 2.6 and later:

       tcp_windowsize (0)
              An optional workaround for routers that break TCP window
              scaling.

       Available in Postfix version 2.8 and later:

       smtp_dns_resolver_options (empty)
              DNS Resolver options for the Postfix SMTP client.

       Available in Postfix version 2.9 and later:

       smtp_per_record_deadline (no)
              Change the behavior of the smtp_*_timeout time limits, from a
              time limit per read or write system call, to a time limit to
              send or receive a complete record (an SMTP command line, SMTP
              response line, SMTP message content line, or TLS protocol
              message).

       smtp_send_dummy_mail_auth (no)
              Whether or not to append the "AUTH=<>" option to the MAIL FROM
              command in SASL-authenticated SMTP sessions.

       Available in Postfix version 2.11 and later:

       smtp_dns_support_level (empty)
              Level of DNS support in the Postfix SMTP client.

       Available in Postfix version 3.0 and later:

       smtp_delivery_status_filter ($default_delivery_status_filter)
              Optional filter for the smtp(8) delivery agent to change the
              delivery status code or explanatory text of successful or
              unsuccessful deliveries.

       smtp_dns_reply_filter (empty)
              Optional filter for Postfix SMTP client DNS lookup results.

       Available in Postfix version 3.3 and later:

       smtp_balance_inet_protocols (yes)
              When a remote destination resolves to a combination of IPv4 and
              IPv6 addresses, ensure that the Postfix SMTP client can try both
              address types before it runs into the smtp_mx_address_limit.

       Available in Postfix 3.5 and later:

       info_log_address_format (external)
              The email address form that will be used in non-debug logging
              (info, warning, etc.).

MIME PROCESSING CONTROLS

       Available in Postfix version 2.0 and later:

       disable_mime_output_conversion (no)
              Disable the conversion of 8BITMIME format to 7BIT format.

       mime_boundary_length_limit (2048)
              The maximal length of MIME multipart boundary strings.

       mime_nesting_limit (100)
              The maximal recursion level that the MIME processor will handle.

EXTERNAL CONTENT INSPECTION CONTROLS

       Available in Postfix version 2.1 and later:

       smtp_send_xforward_command (no)
              Send the non-standard XFORWARD command when the Postfix SMTP
              server EHLO response announces XFORWARD support.

SASL AUTHENTICATION CONTROLS

       smtp_sasl_auth_enable (no)
              Enable SASL authentication in the Postfix SMTP client.

       smtp_sasl_password_maps (empty)
              Optional Postfix SMTP client lookup tables with one
              username:password entry per sender, remote hostname or next-hop
              domain.

       smtp_sasl_security_options (noplaintext, noanonymous)
              Postfix SMTP client SASL security options; as of Postfix 2.3 the
              list of available features depends on the SASL client
              implementation that is selected with smtp_sasl_type.

       Available in Postfix version 2.2 and later:

       smtp_sasl_mechanism_filter (empty)
              If non-empty, a Postfix SMTP client filter for the remote SMTP
              server's list of offered SASL mechanisms.

       Available in Postfix version 2.3 and later:

       smtp_sender_dependent_authentication (no)
              Enable sender-dependent authentication in the Postfix SMTP
              client; this is available only with SASL authentication, and
              disables SMTP connection caching to ensure that mail from
              different senders will use the appropriate credentials.

       smtp_sasl_path (empty)
              Implementation-specific information that the Postfix SMTP client
              passes through to the SASL plug-in implementation that is
              selected with smtp_sasl_type.

       smtp_sasl_type (cyrus)
              The SASL plug-in type that the Postfix SMTP client should use
              for authentication.

       Available in Postfix version 2.5 and later:

       smtp_sasl_auth_cache_name (empty)
              An optional table to prevent repeated SASL authentication
              failures with the same remote SMTP server hostname, username and
              password.

       smtp_sasl_auth_cache_time (90d)
              The maximal age of an smtp_sasl_auth_cache_name entry before it
              is removed.

       smtp_sasl_auth_soft_bounce (yes)
              When a remote SMTP server rejects a SASL authentication request
              with a 535 reply code, defer mail delivery instead of returning
              mail as undeliverable.

       Available in Postfix version 2.9 and later:

       smtp_send_dummy_mail_auth (no)
              Whether or not to append the "AUTH=<>" option to the MAIL FROM
              command in SASL-authenticated SMTP sessions.

STARTTLS SUPPORT CONTROLS

       Detailed information about STARTTLS configuration may be found in the
       TLS_README document.

       smtp_tls_security_level (empty)
              The default SMTP TLS security level for the Postfix SMTP client;
              when a non-empty value is specified, this overrides the obsolete
              parameters smtp_use_tls, smtp_enforce_tls, and
              smtp_tls_enforce_peername.

       smtp_sasl_tls_security_options ($smtp_sasl_security_options)
              The SASL authentication security options that the Postfix SMTP
              client uses for TLS encrypted SMTP sessions.

       smtp_starttls_timeout (300s)
              Time limit for Postfix SMTP client write and read operations
              during TLS startup and shutdown handshake procedures.

       smtp_tls_CAfile (empty)
              A file containing CA certificates of root CAs trusted to sign
              either remote SMTP server certificates or intermediate CA
              certificates.

       smtp_tls_CApath (empty)
              Directory with PEM format Certification Authority certificates
              that the Postfix SMTP client uses to verify a remote SMTP server
              certificate.

       smtp_tls_cert_file (empty)
              File with the Postfix SMTP client RSA certificate in PEM format.

       smtp_tls_mandatory_ciphers (medium)
              The minimum TLS cipher grade that the Postfix SMTP client will
              use with mandatory TLS encryption.

       smtp_tls_exclude_ciphers (empty)
              List of ciphers or cipher types to exclude from the Postfix SMTP
              client cipher list at all TLS security levels.

       smtp_tls_mandatory_exclude_ciphers (empty)
              Additional list of ciphers or cipher types to exclude from the
              Postfix SMTP client cipher list at mandatory TLS security
              levels.

       smtp_tls_dcert_file (empty)
              File with the Postfix SMTP client DSA certificate in PEM format.

       smtp_tls_dkey_file ($smtp_tls_dcert_file)
              File with the Postfix SMTP client DSA private key in PEM format.

       smtp_tls_key_file ($smtp_tls_cert_file)
              File with the Postfix SMTP client RSA private key in PEM format.

       smtp_tls_loglevel (0)
              Enable additional Postfix SMTP client logging of TLS activity.

       smtp_tls_note_starttls_offer (no)
              Log the hostname of a remote SMTP server that offers STARTTLS,
              when TLS is not already enabled for that server.

       smtp_tls_policy_maps (empty)
              Optional lookup tables with the Postfix SMTP client TLS security
              policy by next-hop destination; when a non-empty value is
              specified, this overrides the obsolete smtp_tls_per_site
              parameter.

       smtp_tls_mandatory_protocols (!SSLv2, !SSLv3)
              List of SSL/TLS protocols that the Postfix SMTP client will use
              with mandatory TLS encryption.

       smtp_tls_scert_verifydepth (9)
              The verification depth for remote SMTP server certificates.

       smtp_tls_secure_cert_match (nexthop, dot-nexthop)
              How the Postfix SMTP client verifies the server certificate
              peername for the "secure" TLS security level.

       smtp_tls_session_cache_database (empty)
              Name of the file containing the optional Postfix SMTP client TLS
              session cache.

       smtp_tls_session_cache_timeout (3600s)
              The expiration time of Postfix SMTP client TLS session cache
              information.

       smtp_tls_verify_cert_match (hostname)
              How the Postfix SMTP client verifies the server certificate
              peername for the "verify" TLS security level.

       tls_daemon_random_bytes (32)
              The number of pseudo-random bytes that an smtp(8) or smtpd(8)
              process requests from the tlsmgr(8) server in order to seed its
              internal pseudo random number generator (PRNG).

       tls_high_cipherlist (see 'postconf -d' output)
              The OpenSSL cipherlist for "high" grade ciphers.

       tls_medium_cipherlist (see 'postconf -d' output)
              The OpenSSL cipherlist for "medium" or higher grade ciphers.

       tls_low_cipherlist (see 'postconf -d' output)
              The OpenSSL cipherlist for "low" or higher grade ciphers.

       tls_export_cipherlist (see 'postconf -d' output)
              The OpenSSL cipherlist for "export" or higher grade ciphers.

       tls_null_cipherlist (eNULL:!aNULL)
              The OpenSSL cipherlist for "NULL" grade ciphers that provide
              authentication without encryption.

       Available in Postfix version 2.4 and later:

       smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options)
              The SASL authentication security options that the Postfix SMTP
              client uses for TLS encrypted SMTP sessions with a verified
              server certificate.

       Available in Postfix version 2.5 and later:

       smtp_tls_fingerprint_cert_match (empty)
              List of acceptable remote SMTP server certificate fingerprints
              for the "fingerprint" TLS security level
              (smtp_tls_security_level = fingerprint).

       smtp_tls_fingerprint_digest (md5)
              The message digest algorithm used to construct remote SMTP
              server certificate fingerprints.

       Available in Postfix version 2.6 and later:

       smtp_tls_protocols (!SSLv2, !SSLv3)
              List of TLS protocols that the Postfix SMTP client will exclude
              or include with opportunistic TLS encryption.

       smtp_tls_ciphers (medium)
              The minimum TLS cipher grade that the Postfix SMTP client will
              use with opportunistic TLS encryption.

       smtp_tls_eccert_file (empty)
              File with the Postfix SMTP client ECDSA certificate in PEM
              format.

       smtp_tls_eckey_file ($smtp_tls_eccert_file)
              File with the Postfix SMTP client ECDSA private key in PEM
              format.

       Available in Postfix version 2.7 and later:

       smtp_tls_block_early_mail_reply (no)
              Try to detect a mail hijacking attack based on a TLS protocol
              vulnerability (CVE-2009-3555), where an attacker prepends
              malicious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP
              client TLS session.

       Available in Postfix version 2.8 and later:

       tls_disable_workarounds (see 'postconf -d' output)
              List or bit-mask of OpenSSL bug work-arounds to disable.

       Available in Postfix version 2.11-3.1:

       tls_dane_digest_agility (on)
              Configure RFC7671 DANE TLSA digest algorithm agility.

       tls_dane_trust_anchor_digest_enable (yes)
              Enable support for RFC 6698 (DANE TLSA) DNS records that contain
              digests of trust-anchors with certificate usage "2".

       Available in Postfix version 2.11 and later:

       smtp_tls_trust_anchor_file (empty)
              Zero or more PEM-format files with trust-anchor certificates
              and/or public keys.

       smtp_tls_force_insecure_host_tlsa_lookup (no)
              Lookup the associated DANE TLSA RRset even when a hostname is
              not an alias and its address records lie in an unsigned zone.

       tlsmgr_service_name (tlsmgr)
              The name of the tlsmgr(8) service entry in master.cf.

       Available in Postfix version 3.0 and later:

       smtp_tls_wrappermode (no)
              Request that the Postfix SMTP client connects using the legacy
              SMTPS protocol instead of using the STARTTLS command.

       Available in Postfix version 3.1 and later:

       smtp_tls_dane_insecure_mx_policy (dane)
              The TLS policy for MX hosts with "secure" TLSA records when the
              nexthop destination security level is dane, but the MX record
              was found via an "insecure" MX lookup.

       Available in Postfix version 3.4 and later:

       smtp_tls_connection_reuse (no)
              Try to make multiple deliveries per TLS-encrypted connection.

       smtp_tls_chain_files (empty)
              List of one or more PEM files, each holding one or more private
              keys directly followed by a corresponding certificate chain.

       smtp_tls_servername (empty)
              Optional name to send to the remote SMTP server in the TLS
              Server Name Indication (SNI) extension.

       Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:

       tls_fast_shutdown_enable (yes)
              A workaround for implementations that hang Postfix while
              shutting down a TLS session, until Postfix times out.

OBSOLETE STARTTLS CONTROLS

       The following configuration parameters exist for compatibility with
       Postfix versions before 2.3. Support for these will be removed in a
       future release.

       smtp_use_tls (no)
              Opportunistic mode: use TLS when a remote SMTP server announces
              STARTTLS support, otherwise send the mail in the clear.

       smtp_enforce_tls (no)
              Enforcement mode: require that remote SMTP servers use TLS
              encryption, and never send mail in the clear.

       smtp_tls_enforce_peername (yes)
              With mandatory TLS encryption, require that the remote SMTP
              server hostname matches the information in the remote SMTP
              server certificate.

       smtp_tls_per_site (empty)
              Optional lookup tables with the Postfix SMTP client TLS usage
              policy by next-hop destination and by remote SMTP server
              hostname.

       smtp_tls_cipherlist (empty)
              Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
              cipher list.
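
       An audit of the STARTTLS parameters and their obsolete counterparts
       described above, as an added example that is not part of the original
       page and not Postfix code: it reads "name = value" settings in main.cf
       syntax and reports obsolete controls that are in effect or silently
       overridden, MD5 certificate fingerprints, protocol lists that leave
       SSLv2 or SSLv3 enabled, and cipher grades below the "medium" default.
       The function names, finding labels and sample settings (including the
       table paths and the fingerprint) are constructed.

```python
import re
from typing import Dict, List, Tuple

OBSOLETE_LEVEL = ("smtp_use_tls", "smtp_enforce_tls",
                  "smtp_tls_enforce_peername")
WEAK_GRADES = {"export", "low", "null"}

# Constructed main.cf excerpt with the weak settings the audit looks for.
SAMPLE = """\
# constructed example, not a recommended configuration
smtp_use_tls = yes
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_fingerprint_cert_match =
    AA:BB:CC:DD
smtp_tls_protocols = !SSLv2
smtp_tls_mandatory_ciphers = export
"""

# Constructed counterpart that produces no findings.
HARDENED = """\
smtp_tls_security_level = secure
smtp_tls_fingerprint_digest = sha256
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
"""


def parse_settings(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines. Comment lines start with '#'; a line
    that starts with whitespace continues the previous value."""
    settings: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            settings[last] = (settings[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            settings[last] = value.strip()
    return settings


def _allows_sslv(value: str) -> bool:
    tokens = [t.lower() for t in re.split(r"[,\s:]+", value) if t]
    if any(t in ("sslv2", "sslv3") for t in tokens):
        return True                       # explicitly included
    if all(t.startswith("!") for t in tokens):
        # An exclusion-only (or empty) list must name both old protocols.
        return not {"sslv2", "sslv3"} <= {t[1:] for t in tokens}
    return False                          # inclusive list without SSLv2/3


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding, parameter) pairs for the given settings."""
    findings = []
    level = settings.get("smtp_tls_security_level", "")
    obsolete = [p for p in OBSOLETE_LEVEL if p in settings]
    if level and obsolete:
        # A non-empty level overrides these, so they document a policy
        # that is not the one being applied.
        findings.append(("obsolete-ignored", ", ".join(obsolete)))
    elif obsolete:
        findings.append(("obsolete-in-effect", ", ".join(obsolete)))
    elif not level:
        findings.append(("no-tls-level", "smtp_tls_security_level"))
    if settings.get("smtp_tls_policy_maps") and "smtp_tls_per_site" in settings:
        findings.append(("obsolete-ignored", "smtp_tls_per_site"))
    uses_fingerprint = (level == "fingerprint"
                        or settings.get("smtp_tls_fingerprint_cert_match"))
    digest = settings.get("smtp_tls_fingerprint_digest", "md5")  # page default
    if uses_fingerprint and digest.lower() == "md5":
        findings.append(("md5-fingerprint", "smtp_tls_fingerprint_digest"))
    for name in ("smtp_tls_protocols", "smtp_tls_mandatory_protocols"):
        if name in settings and _allows_sslv(settings[name]):
            findings.append(("sslv2-or-sslv3-allowed", name))
    for name in ("smtp_tls_ciphers", "smtp_tls_mandatory_ciphers"):
        if settings.get(name, "medium").lower() in WEAK_GRADES:
            findings.append(("weak-cipher-grade", name))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_settings(SAMPLE)):
        print(*finding, sep=": ")
```

       Per-destination levels set through smtp_tls_policy_maps are not
       inspected; the audit covers main.cf settings only.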

RESOURCE AND RATE CONTROLS

       smtp_connect_timeout (30s)
              The Postfix SMTP client time limit for completing a TCP
              connection, or zero (use the operating system built-in time
              limit).

       smtp_helo_timeout (300s)
              The Postfix SMTP client time limit for sending the HELO or  EHLO
              command,  and  for  receiving  the  initial  remote  SMTP server
              response.

       lmtp_lhlo_timeout (300s)
              The Postfix LMTP client time limit for sending the LHLO command,
              and for receiving the initial remote LMTP server response.

       smtp_xforward_timeout (300s)
              The Postfix SMTP client time limit for sending the XFORWARD
              command, and for receiving the remote SMTP server response.

       smtp_mail_timeout (300s)
              The Postfix SMTP client time limit for  sending  the  MAIL  FROM
              command, and for receiving the remote SMTP server response.

       smtp_rcpt_timeout (300s)
              The  Postfix SMTP client time limit for sending the SMTP RCPT TO
              command, and for receiving the remote SMTP server response.

       smtp_data_init_timeout (120s)
              The Postfix SMTP client time limit for  sending  the  SMTP  DATA
              command, and for receiving the remote SMTP server response.

       smtp_data_xfer_timeout (180s)
              The  Postfix SMTP client time limit for sending the SMTP message
              content.

       smtp_data_done_timeout (600s)
              The Postfix SMTP client time limit for sending the SMTP ".", and
              for receiving the remote SMTP server response.

       smtp_quit_timeout (300s)
              The Postfix SMTP client time limit for sending the QUIT command,
              and for receiving the remote SMTP server response.

       Available in Postfix version 2.1 and later:

       smtp_mx_address_limit (5)
              The maximal number of MX (mail exchanger) IP addresses that  can
              result  from Postfix SMTP client mail exchanger lookups, or zero
              (no limit).

       smtp_mx_session_limit (2)
              The maximal number of SMTP sessions per delivery request  before
              the  Postfix  SMTP  client  gives  up or delivers to a fall-back
              relay host, or zero (no limit).

       smtp_rset_timeout (20s)
              The Postfix SMTP client time limit for sending the RSET command,
              and for receiving the remote SMTP server response.

       Available in Postfix version 2.2 and earlier:

       lmtp_cache_connection (yes)
              Keep  Postfix  LMTP  client connections open for up to $max_idle
              seconds.

       Available in Postfix version 2.2 and later:

       smtp_connection_cache_destinations (empty)
              Permanently enable SMTP connection  caching  for  the  specified
              destinations.

       smtp_connection_cache_on_demand (yes)
              Temporarily  enable  SMTP connection caching while a destination
              has a high volume of mail in the active queue.

       smtp_connection_reuse_time_limit (300s)
              The amount of time during which Postfix will use an SMTP
              connection repeatedly.

       smtp_connection_cache_time_limit (2s)
              When SMTP connection caching is enabled, the amount of time that
              an unused SMTP client socket is kept open before it is closed.

       Available in Postfix version 2.3 and later:

       connection_cache_protocol_timeout (5s)
              Time limit for connection cache connect, send or receive
              operations.

       Available in Postfix version 2.9 and later:

       smtp_per_record_deadline (no)
              Change  the  behavior  of the smtp_*_timeout time limits, from a
              time limit per read or write system call, to  a  time  limit  to
              send  or  receive  a complete record (an SMTP command line, SMTP
              response line, SMTP message content line, or TLS protocol
              message).

       Available in Postfix version 2.11 and later:

       smtp_connection_reuse_count_limit (0)
              When  SMTP  connection  caching  is enabled, the number of times
              that an SMTP session may be reused before it is closed, or  zero
              (no limit).

       Available in Postfix version 3.4 and later:

       smtp_tls_connection_reuse (no)
              Try to make multiple deliveries per TLS-encrypted connection.

       Implemented in the qmgr(8) daemon:

       transport_destination_concurrency_limit ($default_destination_concurrency_limit)
              A transport-specific override for the
              default_destination_concurrency_limit parameter value, where
              transport is the master.cf name of the message delivery
              transport.

       transport_destination_recipient_limit ($default_destination_recipient_limit)
              A transport-specific override for the
              default_destination_recipient_limit parameter value, where
              transport is the master.cf name of the message delivery
              transport.
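
       Added example (a Python model, not Postfix source code): what
       smtp_per_record_deadline changes when a peer delivers one response line
       a byte at a time. With the limit applied per read call the slow line is
       accepted after more time than the limit; with the limit applied to the
       whole record the read is abandoned on time. The socketpair peer, the
       0.25s limit and all function names are assumptions of this sketch.

```python
import socket
import threading
import time

def drip(sock, payload, gap):
    """Constructed slow peer: send one byte, pause, repeat."""
    try:
        for i in range(len(payload)):
            sock.sendall(payload[i:i + 1])
            time.sleep(gap)
    except OSError:
        pass                      # reader gave up and closed its end
    finally:
        sock.close()

def read_record(sock, timeout, per_record):
    """Read one CRLF-terminated line; return it, or None on timeout/EOF."""
    deadline = time.monotonic() + timeout
    buf = b""
    while not buf.endswith(b"\r\n"):
        # per call:   every recv() is granted the full timeout again
        # per record: every recv() gets only what is left of one budget
        left = deadline - time.monotonic() if per_record else timeout
        if left <= 0:
            return None
        sock.settimeout(left)
        try:
            chunk = sock.recv(1)
        except socket.timeout:
            return None
        if not chunk:
            return None
        buf += chunk
    return buf

def run(per_record, timeout=0.25, gap=0.05, reply=b"250 ok\r\n"):
    """Return (line or None, seconds spent) for one slowly delivered reply."""
    reader, writer = socket.socketpair()
    t = threading.Thread(target=drip, args=(writer, reply, gap))
    start = time.monotonic()
    t.start()
    line = read_record(reader, timeout, per_record)
    spent = time.monotonic() - start
    reader.close()
    t.join()
    return line, spent

if __name__ == "__main__":
    print("per call:  ", run(False))
    print("per record:", run(True))
```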

SMTPUTF8 CONTROLS

       Preliminary SMTPUTF8 support is introduced with Postfix 3.0.

       smtputf8_enable (yes)
              Enable  preliminary SMTPUTF8 support for the protocols described
              in RFC 6531..6533.

       smtputf8_autodetect_classes (sendmail, verify)
              Detect that a message requires SMTPUTF8 support for the
              specified mail origin classes.

       Available in Postfix version 3.2 and later:

       enable_idna2003_compatibility (no)
              Enable   'transitional'   compatibility   between  IDNA2003  and
              IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
              form that is used for DNS lookups.

TROUBLE SHOOTING CONTROLS

       debug_peer_level (2)
              The  increment  in verbose logging level when a remote client or
              server matches a pattern in the debug_peer_list parameter.

       debug_peer_list (empty)
              Optional list of remote client or  server  hostname  or  network
              address  patterns  that  cause  the  verbose  logging  level  to
              increase by the amount specified in $debug_peer_level.

       error_notice_recipient (postmaster)
              The recipient of postmaster notifications  about  mail  delivery
              problems that are caused by policy, resource, software or
              protocol errors.

       internal_mail_filter_classes (empty)
              What  categories  of  Postfix-generated  mail  are  subject   to
              before-queue    content    inspection    by   non_smtpd_milters,
              header_checks and body_checks.

       notify_classes (resource, software)
              The list of error classes that are reported to the postmaster.

MISCELLANEOUS CONTROLS

       best_mx_transport (empty)
              Where the Postfix  SMTP  client  should  deliver  mail  when  it
              detects a "mail loops back to myself" error condition.

       config_directory (see 'postconf -d' output)
              The default location of the Postfix main.cf and master.cf
              configuration files.

       daemon_timeout (18000s)
              How much time a Postfix daemon process  may  take  to  handle  a
              request before it is terminated by a built-in watchdog timer.

       delay_logging_resolution_limit (2)
              The maximal number of digits after the decimal point when
              logging sub-second delay values.

       disable_dns_lookups (no)
              Disable DNS lookups in the Postfix SMTP and LMTP clients.

       inet_interfaces (all)
              The network interface addresses that this mail  system  receives
              mail on.

       inet_protocols (all)
              The  Internet  protocols Postfix will attempt to use when making
              or accepting connections.

       ipc_timeout (3600s)
              The time limit for sending  or  receiving  information  over  an
              internal communication channel.

       lmtp_assume_final (no)
              When  a remote LMTP server announces no DSN support, assume that
              the server performs final delivery, and send "delivered"
              delivery status notifications instead of "relayed".

       lmtp_tcp_port (24)
              The default TCP port that the Postfix LMTP client connects to.

       max_idle (100s)
              The  maximum  amount of time that an idle Postfix daemon process
              waits for an incoming connection before terminating voluntarily.

       max_use (100)
              The maximal number of incoming connections that a Postfix daemon
              process will service before terminating voluntarily.

       process_id (read-only)
              The process ID of a Postfix command or daemon process.

       process_name (read-only)
              The process name of a Postfix command or daemon process.

       proxy_interfaces (empty)
              The  network  interface addresses that this mail system receives
              mail on by way of a proxy or network address translation unit.

       smtp_address_preference (any)
              The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
              client  will  try  first,  when  a destination has IPv6 and IPv4
              addresses with equal MX preference.

       smtp_bind_address (empty)
              An optional numerical network  address  that  the  Postfix  SMTP
              client should bind to when making an IPv4 connection.

       smtp_bind_address6 (empty)
              An  optional  numerical  network  address  that the Postfix SMTP
              client should bind to when making an IPv6 connection.

       smtp_helo_name ($myhostname)
              The hostname to send in the SMTP HELO or EHLO command.

       lmtp_lhlo_name ($myhostname)
              The hostname to send in the LMTP LHLO command.

       smtp_host_lookup (dns)
              What mechanisms the Postfix SMTP client uses to look up a host's
              IP address.

       smtp_randomize_addresses (yes)
              Randomize the order of equal-preference MX host addresses.

       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (see 'postconf -d' output)
              A  prefix  that  is  prepended  to  the  process  name in syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".

       Available with Postfix 2.2 and earlier:

       fallback_relay (empty)
              Optional list of relay hosts for SMTP destinations that can't be
              found or that are unreachable.

       Available with Postfix 2.3 and later:

       smtp_fallback_relay ($fallback_relay)
              Optional list of relay hosts for SMTP destinations that can't be
              found or that are unreachable.

       Available with Postfix 3.0 and later:

       smtp_address_verify_target (rcpt)
              In the context of email address verification, the SMTP  protocol
              stage that determines whether an email address is deliverable.

       Available with Postfix 3.1 and later:

       lmtp_fallback_relay (empty)
              Optional list of relay hosts for LMTP destinations that can't be
              found or that are unreachable.

       Available with Postfix 3.2 and later:

       smtp_tcp_port (smtp)
              The default TCP port that the Postfix SMTP client connects to.

       Available in Postfix 3.3 and later:

       service_name (read-only)
              The master.cf service name of a Postfix daemon process.

SEE ALSO

       generic(5), output address rewriting
       header_checks(5), message header content inspection
       body_checks(5), body parts content inspection
       qmgr(8), queue manager
       bounce(8), delivery status reports
       scache(8), connection cache server
       postconf(5), configuration parameters
       master(5), generic daemon options
       master(8), process manager
       tlsmgr(8), TLS session and PRNG management
       postlogd(8), Postfix logging
       syslogd(8), system logging

README FILES

       Use "postconf readme_directory" or "postconf html_directory" to  locate
       this information.
       SASL_README, Postfix SASL howto
       TLS_README, Postfix STARTTLS howto

LICENSE

       The Secure Mailer license must be distributed with this software.

AUTHOR(S)

       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

       Command pipelining in cooperation with:
       Jon Ribbens
       Oaktree Internet Solutions Ltd.,
       Internet House,
       Canal Basin,
       Coventry,
       CV1 4LY, United Kingdom.

       SASL support originally by:
       Till Franke
       SuSE Rhein/Main AG
       65760 Eschborn, Germany

       TLS support originally by:
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Revised TLS and SMTP connection cache support by:
       Victor Duchovni
       Morgan Stanley