POSTCONF(5) File Formats Manual POSTCONF(5)

postconf - Postfix configuration parameters

postconf parameter ...

postconf -e "parameter=value" ...

The Postfix main.cf configuration file specifies parameters that control the operation of the Postfix mail system. Typically the file contains only a small subset of all parameters; parameters not specified are left at their default values.

The general format of the main.cf file is as follows:

· Each logical line has the form "parameter = value". Whitespace around the "=" is ignored, as is whitespace at the end of a logical line.

· Empty lines and whitespace-only lines are ignored, as are lines whose first non-whitespace character is a `#'.

· A logical line starts with non-whitespace text. A line that starts with whitespace continues a logical line.

· A parameter value may refer to other parameters.

    · The expressions "$name" and "${name}" are recursively replaced with the value of the named parameter. The parameter name must contain only characters from the set [a-zA-Z0-9_]. An undefined parameter value is replaced with the empty value.

    · The expressions "${name?value}" and "${name?{value}}" are replaced with "value" when "$name" is non-empty. The parameter name must contain only characters from the set [a-zA-Z0-9_]. These forms are supported with Postfix versions >= 2.2 and >= 3.0, respectively.

    · The expressions "${name:value}" and "${name:{value}}" are replaced with "value" when "$name" is empty. The parameter name must contain only characters from the set [a-zA-Z0-9_]. These forms are supported with Postfix versions >= 2.2 and >= 3.0, respectively.

    · The expression "${name?{value1}:{value2}}" is replaced with "value1" when "$name" is non-empty, and with "value2" when "$name" is empty. The "{}" is required for "value1", optional for "value2". The parameter name must contain only characters from the set [a-zA-Z0-9_]. This form is supported with Postfix versions >= 3.0.

    · The first item inside "${...}" may be a relational expression of the form: "{value3} == {value4}". Besides the "==" (equality) operator Postfix supports "!=" (inequality), "<", "<=", ">=", and ">". The comparison is numerical when both operands are all digits, otherwise the comparison is lexicographical. These forms are supported with Postfix versions >= 3.0.

    · Each "value" is subject to recursive named parameter and relational expression evaluation, except where noted.

    · Whitespace before or after each "{value}" is ignored.

    · Specify "$$" to produce a single "$" character.

    · The legacy form "$(...)" is equivalent to the preferred form "${...}".

· When the same parameter is defined multiple times, only the last instance is remembered.

· Otherwise, the order of main.cf parameter definitions does not matter.
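
The logical-line rules and the $name, ${...} conditional and relational forms listed above, implemented as an added Python example (not postconf(1) or any other Postfix code): it parses a constructed main.cf sample and expands each parameter; the guard against a parameter that refers to itself is this example's own addition, since the page does not describe how Postfix handles that case.

```python
"""Parse main.cf logical lines and expand $name / ${...} forms as postconf(5) describes."""
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")
TOKEN_RE = re.compile(r"\$\$|\$[{(]|\$[A-Za-z0-9_]+")  # "$$", "${", "$(", or a bare $name
CMP = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "<=": lambda a, b: a <= b,
       ">=": lambda a, b: a >= b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}  # 2-char ops first

def parse_main_cf(text):
    """Return {parameter: value}; continuation lines are joined and the last definition wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):  # blank and comment lines are ignored
            continue
        if raw[0].isspace() and logical:  # a line that starts with whitespace continues the logical line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return {n.strip(): v.strip() for n, sep, v in (line.partition("=") for line in logical) if sep}

def match_bracket(text, i, open_, close):
    depth = 0  # index of the bracket that closes text[i], honouring nesting of the same kind
    for j in range(i, len(text)):
        depth += (text[j] == open_) - (text[j] == close)
        if depth == 0:
            return j
    raise ValueError("unbalanced " + open_ + " in: " + text)

class Expander:
    def __init__(self, params):
        self.params, self._active = params, set()

    def value(self, name):
        if name in self._active:  # "a = $a" would otherwise recurse forever
            raise RecursionError("recursive reference to $" + name)
        self._active.add(name)
        result = self.expand(self.params.get(name, ""))  # an undefined parameter expands to ""
        self._active.discard(name)
        return result

    def expand(self, text):
        out, i = [], 0
        while m := TOKEN_RE.search(text, i):
            out.append(text[i:m.start()])
            tok, i = m.group(), m.end()
            if tok == "$$":  # "$$" produces a single "$"
                out.append("$")
            elif tok[1] in "{(":  # ${...} or the legacy $(...)
                j = match_bracket(text, m.start() + 1, tok[1], "}" if tok[1] == "{" else ")")
                out.append(self._braced(text[i:j]))
                i = j + 1
            else:
                out.append(self.value(tok[1:]))
        out.append(text[i:])
        return "".join(out)

    def _value(self, s):
        s = s.lstrip()  # one value: a {braced} block (surrounding whitespace ignored) or bare text
        if s.startswith("{"):
            j = match_bracket(s, 0, "{", "}")
            return s[1:j], s[j + 1:].lstrip()
        return s, ""

    def _braced(self, body):
        if body.lstrip().startswith("{"):  # relational expression: {value3} op {value4}
            left, rest = self._value(body)
            op = next((o for o in CMP if rest.startswith(o)), None)
            if op is None:
                raise ValueError("missing operator in ${" + body + "}")
            right, rest = self._value(rest[len(op):])
            left, right = self.expand(left).strip(), self.expand(right).strip()
            if left.isdigit() and right.isdigit():  # numerical only when both operands are all digits
                left, right = int(left), int(right)
            cond = CMP[op](left, right)
        else:
            m = NAME_RE.match(body)
            name, rest = m.group(), body[m.end():].lstrip()
            if not rest:
                return self.value(name)  # plain ${name}
            cond = self.value(name) != ""
        true_val = false_val = ""
        if rest.startswith("?"):
            true_val, rest = self._value(rest[1:])
        if rest.startswith(":"):
            false_val, rest = self._value(rest[1:])
        return self.expand(true_val if cond else false_val)  # only the chosen branch is evaluated

# Constructed sample, not a real site's main.cf.
SAMPLE_MAIN_CF = """\
myorigin = $mydomain
mydomain = example.test
mynetworks = 127.0.0.0/8,
    [::1]/128
smtpd_tls_security_level = may
tls_note = ${smtpd_tls_security_level?{TLS on}:{TLS off}}
retries = 10
retry_class = ${{$retries} > {9} ? {many} : {few}}
"""
```

Run `Expander(parse_main_cf(SAMPLE_MAIN_CF)).value("retry_class")` to see the numeric comparison pick "many", where a lexicographic comparison of "10" and "9" would have picked "few".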

The remainder of this document is a description of all Postfix configuration parameters. Default values are shown after the parameter name in parentheses, and can be looked up with the "postconf -d" command.

Note: this is not an invitation to make changes to Postfix configuration parameters. Unnecessary changes can impair the operation of the mail system.

The recipient of undeliverable mail that cannot be returned to the sender. This feature is enabled with the notify_classes parameter.

The numerical Postfix SMTP server response code for an access(5) map "defer" action, including "defer_if_permit" or "defer_if_reject". Prior to Postfix 2.6, the response is hard-coded as "450".

Do not change this unless you have a complete understanding of RFC 5321.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code for an access(5) map "reject" action.

Do not change this unless you have a complete understanding of RFC 5321.

The amount of time between verify(8) address verification database cleanup runs. This feature requires that the database supports the "delete" and "sequence" operators. Specify a zero interval to disable database cleanup.

After each database cleanup run, the verify(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as "partial" when the daemon terminates early after "postfix reload", "postfix stop", or no requests for $max_idle seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.7.

Overrides the default_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the local_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Lookup table for persistent address verification status storage. The table is maintained by the verify(8) service, and is opened before the process releases privileges.

The lookup table is persistent by default (Postfix 2.7 and later). Specify an empty table name to keep the information in volatile memory which is lost after "postfix reload" or "postfix stop". This is the default with Postfix version 2.6 and earlier.

Specify a location in a file system that will not fill up. If the database becomes corrupted, the world comes to an end. To recover delete (NOT: truncate) the file and do "postfix reload".

Postfix daemon processes do not use root privileges when opening this file (Postfix 2.5 and later). The file must therefore be stored under a Postfix-owned directory such as the data_directory. As a migration aid, an attempt to open the file under a non-Postfix directory is redirected to the Postfix-owned data_directory, and a warning is logged.

Examples:

    address_verify_map = hash:/var/lib/postfix/verify
    address_verify_map = btree:/var/lib/postfix/verify

This feature is available in Postfix 2.1 and later.

Enable caching of failed address verification probe results. When this feature is enabled, the cache may pollute quickly with garbage. When this feature is disabled, Postfix will generate an address probe for every lookup.

This feature is available in Postfix 2.1 and later.

The time after which a failed probe expires from the address verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a failed address verification probe needs to be refreshed.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

A safety limit that prevents address verification requests from overwhelming the Postfix queue. By default, the number of pending requests is limited to 1/4 of the active queue maximum size (qmgr_message_active_limit). The queue manager enforces the limit by tempfailing requests that exceed the limit. This affects only unknown addresses and inactive addresses that have expired, because the verify(8) daemon automatically refreshes an active address before it expires.

This feature is available in Postfix 3.1 and later.

How many times to query the verify(8) service for the completion of an address verification request in progress.

By default, the Postfix SMTP server polls the verify(8) service up to three times under non-overload conditions, and only once when under overload. With Postfix version 2.5 and earlier, the SMTP server always polls the verify(8) service up to three times by default.

Specify 1 to implement a crude form of greylisting, that is, always defer the first delivery request for a new address.

Examples:

    # Postfix <= 2.6 default
    address_verify_poll_count = 3
    # Poor man's greylisting
    address_verify_poll_count = 1

This feature is available in Postfix 2.1 and later.

The delay between queries for the completion of an address verification request in progress.

The default polling delay is 3 seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a successful probe expires from the address verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a successful address verification probe needs to be refreshed. The address verification status is not updated when the probe fails (optimistic caching).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.
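
How the negative and positive expire/refresh times, negative caching, poll count and poll delay from the address verification entries above interact, simulated as an added Python example (not verify(8) or smtpd(8) code): the probe latency, the timer values and the addresses are constructed for the demonstration, "fail" stands for any probe that did not succeed, and "in progress" is the answer on which the server defers the request.

```python
"""Simulated address_verify_* cache: expire and refresh timers, negative caching, polling."""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def seconds(value, default_unit="s"):
    """Convert "3d", "12h", "45" etc. to seconds (suffix s, m, h, d, w; none means default_unit)."""
    m = re.fullmatch(r"\s*(\d+)([smhdw]?)\s*", value)
    if not m:
        raise ValueError("bad time value: " + value)
    return int(m.group(1)) * UNITS[m.group(2) or default_unit]


class VerifyCache:
    """One status entry per address, on a simulated clock (self.now, in seconds)."""

    def __init__(self, cfg, probe_results, probe_latency):
        self.cfg = {k: seconds(v) if isinstance(v, str) else v for k, v in cfg.items()}
        self.probe_results = probe_results  # address -> "ok" or "fail": what a probe would find
        self.latency = probe_latency  # constructed assumption: seconds until a probe completes
        self.now, self.cache, self.pending = 0, {}, {}

    def limit(self, kind, status):
        return self.cfg[("positive_" if status == "ok" else "negative_") + kind]

    def start_probe(self, address):
        self.pending.setdefault(address, self.now)  # at most one outstanding probe per address

    def complete_probes(self):
        """Record finished probes; returns {address: result} for those that finished by now."""
        done = {}
        for address, started in list(self.pending.items()):
            if self.now - started < self.latency:
                continue
            result = done[address] = self.probe_results.get(address, "fail")
            del self.pending[address]
            old = self.cache.get(address)
            if result == "fail" and not self.cfg["negative_cache"]:
                continue  # negative caching disabled: failed results are never stored
            if (result == "fail" and old and old["status"] == "ok"
                    and self.now - old["time"] <= self.limit("expire", "ok")):
                continue  # optimistic caching: a failed refresh probe leaves the "ok" entry alone
            self.cache[address] = {"status": result, "time": self.now}
        return done

    def lookup(self, address):
        """What one SMTP request learns: "ok", "fail", or "in progress" (the server defers)."""
        self.complete_probes()
        entry = self.cache.get(address)
        if entry and self.now - entry["time"] <= self.limit("expire", entry["status"]):
            if self.now - entry["time"] > self.limit("refresh", entry["status"]):
                self.start_probe(address)  # refresh in the background; the cached status answers
            return entry["status"]
        self.start_probe(address)  # unknown or expired: probe, then poll for the result
        for poll in range(self.cfg["poll_count"]):
            if poll:
                self.now += self.cfg["poll_delay"]  # the server waits between polls
            done = self.complete_probes()
            if address in done:
                return done[address]
        return "in progress"


# Constructed scenario; the timer values are chosen for the demonstration, not quoted from the page.
CONFIG = {"negative_cache": True, "negative_expire": "3d", "negative_refresh": "3h",
          "positive_expire": "31d", "positive_refresh": "7d", "poll_count": 3, "poll_delay": "3s"}


def demo():
    """Sequence of answers a server would get; the comments give the clock at each step."""
    alice, ghost = "alice@example.test", "ghost@example.test"
    results = {alice: "ok", ghost: "fail"}
    vc = VerifyCache(CONFIG, results, probe_latency=4)
    steps = [vc.lookup(alice)]      # polls at 0s, 3s and 6s; the probe finishes after 4s -> "ok"
    steps.append(vc.lookup(alice))  # fresh entry, answered from the cache
    vc.now += seconds("8d")         # past the 7d refresh time, inside the 31d expiry
    results[alice] = "fail"         # the mailbox has meanwhile disappeared
    steps.append(vc.lookup(alice))  # "ok" from cache; a refresh probe starts in the background
    vc.now += seconds("1d")
    steps.append(vc.lookup(alice))  # the refresh failed, but optimistic caching keeps "ok"
    vc.now += seconds("30d")        # now past the 31d positive expiry
    steps.append(vc.lookup(alice))  # re-probed from scratch: "fail", stored as a negative entry
    grey = VerifyCache({**CONFIG, "poll_count": 1}, results, probe_latency=4)
    steps.append(grey.lookup(ghost))  # a single poll finds the probe unfinished: deferred
    grey.now += 10
    steps.append(grey.lookup(ghost))  # the client's retry gets the cached answer
    return steps
```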

Overrides the relay_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the relayhost parameter setting for address verification probes. This information can be overruled with the transport(5) table.

This feature is available in Postfix 2.1 and later.

The sender address to use in address verification probes; prior to Postfix 2.5 the default was "postmaster". To avoid problems with address probes that are sent in response to address probes, the Postfix SMTP server excludes the probe sender address from all SMTPD access blocks.

Specify an empty value (address_verify_sender =) or <> if you want to use the null sender address. Beware, some sites reject mail from <>, even though RFCs require that such addresses be accepted.

Examples:

    address_verify_sender = <>
    address_verify_sender = postmaster@my.domain

This feature is available in Postfix 2.1 and later.

(default: $sender_dependent_default_transport_maps)
Overrides the sender_dependent_default_transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.7 and later.

(default: $sender_dependent_relayhost_maps)
Overrides the sender_dependent_relayhost_maps parameter setting for address verification probes.

This feature is available in Postfix 2.3 and later.

The time between changes in the time-dependent portion of address verification probe sender addresses. The time-dependent portion is appended to the localpart of the address specified with the address_verify_sender parameter. This feature is ignored when the probe sender address is the null sender, i.e. the address_verify_sender value is empty or <>.

Historically, the probe sender address was fixed. This has caused such addresses to end up on spammer mailing lists, and has resulted in wasted network and processing resources.

To enable time-dependent probe sender addresses, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Specify a value of at least several hours, to avoid problems with senders that use greylisting. Avoid nice TTL values, to make the result less predictable. Time units are: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.9 and later.

The name of the verify(8) address verification service. This service maintains the status of sender and/or recipient address verification probes, and generates probes on request by other Postfix processes.

Overrides the transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the virtual_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".

This is a separate configuration parameter because not all the tables specified with $alias_maps have to be local files.

Examples:

    alias_database = hash:/etc/aliases
    alias_database = hash:/etc/mail/aliases

The alias databases that are used for local(8) delivery. See aliases(5) for syntax details. Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. Note: these lookups are recursive.

The default list is system dependent. On systems with NIS, the default is to search the local alias database, then the NIS alias database.

If you change the alias database, run "postalias /etc/aliases" (or wherever your system stores the mail alias file), or simply run "newaliases" to build the necessary DBM or DB file.

The local(8) delivery agent disallows regular expression substitution of $1 etc. in alias_maps, because that would open a security hole.

The local(8) delivery agent will silently ignore requests to use the proxymap(8) server within alias_maps. Instead it will open the table directly. Before Postfix version 2.2, the local(8) delivery agent will terminate with a fatal error.

Examples:

    alias_maps = hash:/etc/aliases, nis:mail.aliases
    alias_maps = hash:/etc/aliases

Restrict local(8) mail delivery to external commands. The default is to disallow delivery to "|command" in :include: files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow commands in aliases(5), .forward files or in :include: files, respectively.

Example:

    allow_mail_to_commands = alias,forward,include

Restrict local(8) mail delivery to external files. The default is to disallow "/file/name" destinations in :include: files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow "/file/name" destinations in aliases(5), .forward files and in :include: files, respectively.

Example:

    allow_mail_to_files = alias,forward,include

Allow a sender or recipient address to have `-' as the first character. By default, this is not allowed, to avoid accidents with software that passes email addresses via the command line. Such software would not be able to distinguish a malicious address from a bona fide command-line option. Although this can be prevented by inserting a "--" option terminator into the command line, this is difficult to enforce consistently and globally.

As of Postfix version 2.5, this feature is implemented by trivial-rewrite(8). With earlier versions this feature was implemented by qmgr(8) and was limited to recipient addresses only.

Enable the rewriting of the form "user%domain" to "user@domain". This is enabled by default.

Note: as of Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Example:

    allow_percent_hack = no

Forward mail with sender-specified routing (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains.

By default, this feature is turned off. This closes a nasty open relay loophole where a backup MX host can be tricked into forwarding junk mail to a primary MX host which then spams it out to the world.

This parameter also controls if non-local addresses with sender-specified routing can match Postfix access tables. By default, such addresses cannot match Postfix access tables, because the address is ambiguous.

A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line (in the case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG environment parameter.

This list must be specified in the default Postfix main.cf file, and will be used by set-gid Postfix commands such as postqueue(1) and postdrop(1).

Specify absolute pathnames, separated by comma or space. Note: $name expansion is not supported.

Always add (Resent-) From:, To:, Date: or Message-ID: headers when not present. Postfix 2.6 and later add these headers only when clients match the local_header_rewrite_clients parameter setting. Earlier Postfix versions always add these headers; this may break DKIM signatures that cover non-existent headers. The undisclosed_recipients_header parameter setting determines whether a To: header will be added.

Optional address that receives a "blind carbon copy" of each message that is received by the Postfix mail system.

Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified when the BCC address is undeliverable, as long as all down-stream software implements RFC 3461.

Note: with Postfix 2.2 and earlier the sender will be notified when the BCC address is undeliverable.

Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated after Postfix forwards mail internally, or after Postfix generates mail itself.

The time unit over which client connection rates and other rates are calculated.

This feature is implemented by the anvil(8) service which is available in Postfix version 2.2 and later.

The default interval is relatively short. Because of the high frequency of updates, the anvil(8) server uses volatile memory only. Thus, information is lost whenever the process terminates.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

How frequently the anvil(8) connection and rate limiting server logs peak usage information.

This feature is available in Postfix 2.2 and later.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

With locally submitted mail, append the string "@$myorigin" to mail addresses without domain information. With remotely submitted mail, append the string "@$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default and must not be turned off. Postfix does not support domain-less addresses.

Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default. If disabled, users will not be able to send mail to "user@partialdomainname" but will have to specify full domain names instead.

Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

How long the postkick(1) command waits for a request to enter the Postfix daemon process input buffer before giving up.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

List of users who are authorized to flush the queue.

By default, all users are allowed to flush the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to view the queue.

By default, all users are allowed to view the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).

By default, all users are allowed to submit mail. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file. To deny mail submission access to all users specify an empty list.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Example:

    authorized_submit_users = !www, static:all

This feature is available in Postfix 2.2 and later.
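
The left-to-right, first-match semantics shared by the three authorized_*_users lists above (user names, "/file/name" contents, "type:table" keys, "!pattern" exclusion, and the "unknown" login for a UID that is not in the password file), as an added Python example that is not Postfix code: the password file, the lookup tables and the pattern files are constructed dictionaries, and the super-user/$mail_owner exemption is applied as the flush and mailq descriptions state it.

```python
"""Access-list matching as postconf(5) describes it for the authorized_*_users parameters."""
import re


def expand_patterns(spec, files):
    """Yield (negated, pattern) pairs left to right; a "/file/name" pattern is replaced by its contents."""
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        negated = token.startswith("!")  # "!pattern" excludes the names it matches
        pattern = token[1:] if negated else token
        if pattern.startswith("/"):
            # "!/file/name" (Postfix 2.4 and later) flips the sense of each pattern read from the file
            for inner_negated, inner in expand_patterns(files[pattern], files):
                yield negated != inner_negated, inner
        else:
            yield negated, pattern


def pattern_matches(pattern, login, tables):
    """A "type:table" pattern matches when the login is a lookup key; the lookup result is ignored."""
    if pattern.startswith("static:"):  # static:all and static:anyone map every key
        return True
    if ":" in pattern:
        return login in tables[pattern]
    return pattern == login


def is_authorized(spec, uid, passwd, tables, files, mail_owner="postfix"):
    """True when the process with this real UID is allowed; the first matching pattern decides."""
    login = passwd.get(uid, "unknown")  # a UID missing from the password file is "unknown"
    if uid == 0 or login == mail_owner:
        return True  # the super-user and the $mail_owner user are always granted
    for negated, pattern in expand_patterns(spec, files):
        if pattern_matches(pattern, login, tables):
            return not negated
    return False  # no match at all, including an empty list, denies


# Constructed stand-ins for the password file, the lookup tables and the pattern files.
PASSWD = {0: "root", 33: "www", 89: "postfix", 1000: "alice", 1001: "bob"}
TABLES = {"hash:/etc/postfix/queue-admins": {"alice", "carol"}}
FILES = {"/etc/postfix/blocked-users": "www\nbob\n"}

SUBMIT_LIST = "!www, static:all"  # the authorized_submit_users example from the page
FLUSH_LIST = "!/etc/postfix/blocked-users, hash:/etc/postfix/queue-admins"


def demo():
    """Decisions for several callers, keyed by a description of the case."""
    return {
        "www submits": is_authorized(SUBMIT_LIST, 33, PASSWD, TABLES, FILES),
        "alice submits": is_authorized(SUBMIT_LIST, 1000, PASSWD, TABLES, FILES),
        "unknown uid 4242 submits": is_authorized(SUBMIT_LIST, 4242, PASSWD, TABLES, FILES),
        "alice submits, empty list": is_authorized("", 1000, PASSWD, TABLES, FILES),
        "bob flushes": is_authorized(FLUSH_LIST, 1001, PASSWD, TABLES, FILES),
        "alice flushes": is_authorized(FLUSH_LIST, 1000, PASSWD, TABLES, FILES),
        "postfix flushes, empty list": is_authorized("", 89, PASSWD, TABLES, FILES),
    }
```

Note that "static:all" admits the "unknown" login too, so a UID that is not in the password file is still allowed to submit with the page's example list; only an explicit "!unknown" before it would change that.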

What remote SMTP clients are allowed to specify the XVERP command. This command requests that mail be delivered one recipient at a time with a per recipient return address.

By default, only trusted clients are allowed to specify XVERP.

This parameter was introduced with Postfix version 1.1. Postfix version 2.1 renamed this parameter to smtpd_authorized_verp_clients and changed the default to none.

Specify a list of network/netmask patterns, separated by commas and/or whitespace. The mask specifies the number of bits in the network part of a host address. You can also specify hostnames or .domain names (the initial dot causes the domain to match any name below it), "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in the authorized_verp_clients value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.
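
The network/netmask, hostname, ".domain", "type:table" and "!pattern" matching described above, together with the rule that an IPv6 address must be written inside [], as an added Python example (not Postfix code): the client list, the lookup table and the client addresses are constructed, and "/file/name" expansion is left out of this block.

```python
"""Client matching for a network/host pattern list such as authorized_verp_clients (postconf(5))."""
import ipaddress
import re

NETWORK_RE = re.compile(r"[0-9./]+")  # IPv4 address or address/bits; IPv6 must be bracketed


def parse_network(pattern):
    """"192.0.2.0/24", "[2001:db8::]/32" or a bare address; the mask is the network-part bit count."""
    if pattern.startswith("["):
        inside, _, bits = pattern.partition("]")  # "[2001:db8::]/32" -> "2001:db8::" + "/32"
        pattern = inside[1:] + bits
    return ipaddress.ip_network(pattern, strict=False)


def pattern_matches(pattern, addr, hostname, tables):
    if pattern.startswith("[") or NETWORK_RE.fullmatch(pattern):
        return addr in parse_network(pattern)  # False when the address families differ
    if ":" in pattern:  # "type:table" matches when the address or the name is a lookup key
        if pattern not in tables:  # an unbracketed IPv6 address lands here and is rejected
            raise ValueError(f"unknown lookup table {pattern!r}; IPv6 addresses must be inside []")
        return str(addr) in tables[pattern] or hostname.lower() in tables[pattern]
    if pattern.startswith("."):  # ".domain" matches any name below that domain
        return hostname.lower().endswith(pattern.lower())
    return hostname.lower() == pattern.lower()


def client_allowed(spec, client_addr, client_name, tables):
    """Search the list left to right; the first matching pattern decides and "!" excludes."""
    addr = ipaddress.ip_address(client_addr)
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        negated = token.startswith("!")
        pattern = token[1:] if negated else token
        if pattern_matches(pattern, addr, client_name, tables):
            return not negated
    return False


# Constructed sample list and lookup table, not taken from any real configuration.
VERP_CLIENTS = ("127.0.0.0/8, [::1]/128, 192.0.2.0/24, !bad.example.test, .example.test, "
                "hash:/etc/postfix/verp-clients")
TABLES = {"hash:/etc/postfix/verp-clients": {"198.51.100.7", "relay.partner.test"}}


def demo():
    """(address, hostname) -> decision for a handful of constructed clients."""
    clients = [("127.0.0.1", "localhost"), ("::1", "localhost"), ("192.0.2.44", "mta.example.test"),
               ("203.0.113.5", "bad.example.test"), ("203.0.113.6", "good.example.test"),
               ("203.0.113.6", "example.test"), ("198.51.100.7", "unknown"),
               ("203.0.113.9", "relay.partner.test")]
    return {c: client_allowed(VERP_CLIENTS, c[0], c[1], TABLES) for c in clients}
```

Calling `client_allowed("2001:db8::/32", "2001:db8::1", "host", TABLES)` raises the ValueError, which is the failure mode the note above warns about: without brackets the IPv6 pattern is read as a "type:table" named "2001:db8::/32".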

Produce additional bounce(8) logfile records that can be read by Postfix versions before 2.0. The current and more extensible "name = value" format is needed in order to implement more sophisticated functionality.

This feature is available in Postfix 2.1 and later.

The per-table I/O buffer size for programs that create Berkeley DB hash or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

The per-table I/O buffer size for programs that read Berkeley DB hash or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. This happens when the local MTA is the best SMTP mail exchanger for a destination not listed in $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains. By default, the Postfix SMTP client returns such mail as undeliverable.

Specify, for example, "best_mx_transport = local" to pass the mail from the Postfix SMTP client to the local(8) delivery agent. You can specify any message delivery "transport" or "transport:nexthop" that is defined in the master.cf file. See the transport(5) manual page for the syntax and meaning of "transport" or "transport:nexthop".

However, this feature is expensive because it ties up a Postfix SMTP client process while the local(8) delivery agent is doing its work. It is more efficient (for Postfix) to list all hosted domains in a table or database.

Whether or not to use the local biff service. This service sends "new mail" notifications to users who have requested new mail notification with the UNIX command "biff y".

For compatibility reasons this feature is on by default. On systems with lots of interactive users, the biff service can be a performance drain. Specify "biff = no" in main.cf to disable.

Optional lookup tables for content inspection as specified in the body_checks(5) manual page.

Note: with Postfix versions before 2.0, these rules inspect all content after the primary message headers.

How much text in a message body segment (or attachment, if you prefer to use that term) is subjected to body_checks inspection. The amount of text is limited to avoid scanning huge attachments.

This feature is available in Postfix 2.0 and later.

The recipient of postmaster notifications with the message headers of mail that Postfix did not deliver and of SMTP conversation transcripts of mail that Postfix did not receive. This feature is enabled with the notify_classes parameter.

Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached the bounce_queue_lifetime limit. By default, this limit is the same as for regular mail.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

Specify 0 when mail delivery should be tried only once.

This feature is available in Postfix 2.1 and later.

The name of the bounce(8) service. This service maintains a record of failed delivery attempts and generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

The maximal amount of original message text that is sent in a non-delivery notification. Specify a byte count. A message is returned as either message/rfc822 (the complete original) or as text/rfc822-headers (the headers only). With Postfix version 2.4 and earlier, a message is always returned as message/rfc822 and is truncated when it exceeds the size limit.

Notes:

· If you increase this limit, then you should increase the mime_nesting_limit value proportionally.

· Be careful when making changes. Excessively large values will result in the loss of non-delivery notifications, when a bounce message size exceeds a local or remote MTA's message size limit.

Pathname of a configuration file with bounce message templates. These override the built-in templates of delivery status notification (DSN) messages for undeliverable mail, for delayed mail, successful delivery, or delivery verification. The bounce(5) manual page describes how to edit and test template files.

Template message body text may contain $name references to Postfix configuration parameters. The result of $name expansion can be previewed with "postconf -b file_name" before the file is placed into the Postfix configuration directory.

This feature is available in Postfix 2.3 and later.

Enable interoperability with remote SMTP clients that implement an obsolete version of the AUTH command (RFC 4954). Examples of such clients are Microsoft Outlook Express version 4 and Microsoft Exchange version 5.0.

Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support in a non-standard way.

(default: envelope_sender, envelope_recipient, header_sender, header_recipient)
What addresses are subject to canonical_maps address mapping. By default, canonical_maps address mapping is applied to envelope sender and recipient addresses, and to header sender and header recipient addresses.

Specify one or more of: envelope_sender, envelope_recipient, header_sender, header_recipient

This feature is available in Postfix 2.2 and later.

Optional address mapping lookup tables for message headers and envelopes. The mapping is applied to both sender and recipient addresses, in both envelopes and in headers, as controlled with the canonical_classes parameter. This is typically used to clean up dirty addresses from legacy mail systems, or to replace login names by Firstname.Lastname. The table format and lookups are documented in canonical(5). For an overview of Postfix address manipulations see the ADDRESS_REWRITING_README document.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. Note: these lookups are recursive.

If you use this feature, run "postmap /etc/postfix/canonical" to build the necessary DBM or DB file after every change. The changes will become visible after a minute or so. Use "postfix reload" to eliminate the delay.

Note: with Postfix version 2.2, message header address mapping happens only when message header address rewriting is enabled:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Examples:

    canonical_maps = dbm:/etc/postfix/canonical
    canonical_maps = hash:/etc/postfix/canonical

The name of the cleanup(8) service. This service rewrites addresses into the standard form, and performs canonical(5) address mapping and virtual(5) aliasing.

This feature is available in Postfix 2.0 and later.

The location of all postfix administrative commands.

The local(8) delivery agent working directory for delivery to external command. Failure to change directory causes the delivery to be
847 deferred.
848
849 The command_execution_directory value is not subject to Postfix config‐
850 uration parameter $name expansion. Instead, the following $name expan‐
851 sions are done on command_execution_directory before the directory is
852 used. Expansion happens in the context of the delivery request. The
853 result of $name expansion is filtered with the character set that is
854 specified with the execution_directory_expansion_filter parameter.
855
856 $user The recipient's username.
857
858 $shell The recipient's login shell pathname.
859
860 $home The recipient's home directory.
861
862 $recipient
863 The full recipient address.
864
865 $extension
866 The optional recipient address extension.
867
868 $domain
869 The recipient domain.
870
871 $local The entire recipient localpart.
872
873 $recipient_delimiter
874 The address extension delimiter that was found in the recipient
875 address (Postfix 2.11 and later), or the system-wide recipient
876 address extension delimiter (Postfix 2.10 and earlier).
877
878 ${name?value}
879 Expands to value when $name is non-empty.
880
881 ${name:value}
882 Expands to value when $name is empty.
883
884 Instead of $name you can also specify ${name} or $(name).
885
886 This feature is available in Postfix 2.2 and later.
887
889 Restrict the characters that the local(8) delivery agent allows in
890 $name expansions of $mailbox_command and $command_execution_directory.
891 Characters outside the allowed set are replaced by underscores.
892
894 Time limit for delivery to external commands. This limit is used by the
895 local(8) delivery agent, and is the default time limit for delivery by
896 the pipe(8) delivery agent.
897
898 Note: if you set this time limit to a large value you must update the
899 global ipc_timeout parameter as well.
900
902 A safety net that causes Postfix to run with backwards-compatible
903 default settings after an upgrade to a newer Postfix version.
904
905 With backwards compatibility turned on (the main.cf compatibility_level
906 value is less than the Postfix built-in value), Postfix looks for set‐
907 tings that are left at their implicit default value, and logs a message
908 when a backwards-compatible default setting is required.
909
910 using backwards-compatible default setting name=value
911 to [accept a specific client request]
912
913 using backwards-compatible default setting name=value
914 to [enable specific Postfix behavior]
915
916 See COMPATIBILITY_README for specific message details. If such a mes‐
917 sage is logged in the context of a legitimate request, the system
918 administrator should make the backwards-compatible setting permanent in
919 main.cf or master.cf, for example:
920
921 # postconf name=value
922 # postfix reload
923
924 When no more backwards-compatible settings need to be made permanent,
925 the administrator should turn off backwards compatibility by updating
926 the compatibility_level setting in main.cf:
927
928 # postconf compatibility_level=N
929 # postfix reload
930
931 For N specify the number that is logged in your postfix(1) warning mes‐
932 sage:
933
934 warning: To disable backwards compatibility use "postconf
935 compatibility_level=N" and "postfix reload"
936
937 This feature is available in Postfix 3.0 and later.
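       The procedure above (collect the "using backwards-compatible default
       setting" messages, make each legitimate one permanent, then raise
       compatibility_level to the N from the warning) can be scripted against
       the maillog. The following is an added example, not part of postconf(5)
       or of Postfix: it scans a constructed log excerpt (hostnames, pids and
       the settings are made up; the message shapes follow the text above) and
       emits shell-quoted postconf commands for review. Quoting matters:
       values such as $mydestination must reach postconf literally.

       ```python
       import re
       import shlex

       # Constructed maillog excerpt for this example. Hostnames, pids and the
       # settings themselves are made up; the message shapes follow the ones
       # documented in postconf(5) for compatibility_level.
       SAMPLE_LOG = """\
       Mar  3 10:01:02 mx1 postfix/smtpd[1234]: using backwards-compatible default setting smtputf8_enable=no to enable specific Postfix behavior
       Mar  3 10:01:03 mx1 postfix/trivial-rewrite[1236]: using backwards-compatible default setting relay_domains=$mydestination to accept a specific client request
       Mar  3 10:02:07 mx1 postfix/smtpd[1240]: using backwards-compatible default setting smtputf8_enable=no to enable specific Postfix behavior
       Mar  3 10:02:09 mx1 postfix/master[1200]: warning: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
       """

       SETTING_RE = re.compile(
           r"using backwards-compatible default setting "
           r"(?P<name>[A-Za-z0-9_]+)=(?P<value>.*?) to (?:accept|enable) "
       )
       LEVEL_RE = re.compile(r'"postconf compatibility_level=(?P<level>[0-9.]+)"')


       def plan_compat_settings(log_text):
           """Collect the backwards-compatible settings a log excerpt reports.

           Returns (commands, level): one "postconf name=value" command per
           distinct setting in first-seen order, shell-quoted so that values
           such as $mydestination survive the shell untouched, and the level N
           quoted in the postfix(1) warning (None when it was not logged).
           Review each command before running it: a setting should be made
           permanent only when it was logged for a legitimate request.
           """
           seen = []
           level = None
           for line in log_text.splitlines():
               m = SETTING_RE.search(line)
               if m:
                   pair = (m.group("name"), m.group("value"))
                   if pair not in seen:
                       seen.append(pair)
                   continue
               m = LEVEL_RE.search(line)
               if m:
                   level = m.group("level")
           commands = ["postconf " + shlex.quote("%s=%s" % pair) for pair in seen]
           return commands, level


       if __name__ == "__main__":
           commands, level = plan_compat_settings(SAMPLE_LOG)
           print("\n".join(commands))
           print("# after the settings above are reviewed and applied:")
           print("postconf compatibility_level=%s" % level)
           print("postfix reload")
       ```

       Run it against "grep backwards-compatible /var/log/maillog" output;
       do not raise compatibility_level until every listed setting has been
       either made permanent or judged unnecessary, since that is the step
       that switches the defaults.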
938
940 The default location of the Postfix main.cf and master.cf configuration
941 files. This can be overruled via the following mechanisms:
942
943 · The MAIL_CONFIG environment variable (daemon processes and com‐
944 mands).
945
946 · The "-c" command-line option (commands only).
947
 948 With Postfix commands that run with set-gid privileges, a config_direc‐
 949 tory override requires either root privileges, or it requires that the
 950 directory is listed with the alternate_config_directories parameter in
 951 the default main.cf file.
952
954 After sending a "your message is delayed" notification, inform the
955 sender when the delay clears up. This can result in a sudden burst of
956 notifications at the end of a prolonged network outage, and is there‐
957 fore disabled by default.
958
959 See also: delay_warning_time.
960
961 This feature is available in Postfix 3.0 and later.
962
964 Time limit for connection cache connect, send or receive operations.
965 The time limit is enforced in the client.
966
967 This feature is available in Postfix 2.3 and later.
968
970 The name of the scache(8) connection cache service. This service main‐
971 tains a limited pool of cached sessions.
972
973 This feature is available in Postfix 2.2 and later.
974
976 How frequently the scache(8) server logs usage statistics with connec‐
977 tion cache hit and miss rates for logical destinations and for physical
978 endpoints.
979
981 The maximal time-to-live value that the scache(8) connection cache
982 server allows. Requests that specify a larger TTL will be stored with
983 the maximum allowed TTL. The purpose of this additional control is to
984 protect the infrastructure against careless people. The cache TTL is
985 already bounded by $max_idle.
986
988 After the message is queued, send the entire message to the specified
989 transport:destination. The transport name specifies the first field of
990 a mail delivery agent definition in master.cf; the syntax of the
991 next-hop destination is described in the manual page of the correspond‐
992 ing delivery agent. More information about external content filters is
993 in the Postfix FILTER_README file.
994
995 Notes:
996
997 · This setting has lower precedence than a FILTER action that is
998 specified in an access(5), header_checks(5) or body_checks(5)
999 table.
1000
1001 · The meaning of an empty next-hop filter destination is version
1002 dependent. Postfix 2.7 and later will use the recipient domain;
1003 earlier versions will use $myhostname. Specify "default_fil‐
1004 ter_nexthop = $myhostname" for compatibility with Postfix 2.6 or
1005 earlier, or specify a content_filter value with an explicit
1006 next-hop destination.
1007
1009 Search path for Cyrus SASL application configuration files, currently
1010 used only to locate the $smtpd_sasl_path.conf file. Specify zero or
1011 more directories separated by a colon character, or an empty value to
1012 use Cyrus SASL's built-in search path.
1013
1014 This feature is available in Postfix 2.5 and later when compiled with
1015 Cyrus SASL 2.1.22 or later.
1016
1018 The directory with Postfix support programs and daemon programs. These
1019 should not be invoked directly by humans. The directory must be owned
1020 by root.
1021
1023 How a Postfix daemon process handles errors while opening lookup
1024 tables: gradual degradation or immediate termination.
1025
1026 no (default)
1027 Gradual degradation: a daemon process logs a message of type
1028 "error" and continues execution with reduced functionality. Fea‐
1029 tures that do not depend on the unavailable table will work nor‐
1030 mally, while features that depend on the table will result in a
1031 type "warning" message.
1032 When the notify_classes parameter value contains the "data"
1033 class, the Postfix SMTP server and client will report tran‐
1034 scripts of sessions with an error because a table is unavail‐
1035 able.
1036
1037 yes (historical behavior)
1038 Immediate termination: a daemon process logs a type "fatal" mes‐
1039 sage and terminates immediately. This option reduces the number
1040 of possible code paths through Postfix, and may therefore be
1041 slightly more secure than the default.
1042
1043 For the sake of sanity, the number of type "error" messages is limited
1044 to 13 over the lifetime of a daemon process.
1045
1046 This feature is available in Postfix 2.9 and later.
1047
1049 How much time a Postfix daemon process may take to handle a request
1050 before it is terminated by a built-in watchdog timer.
1051
1052 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1053 The default time unit is s (seconds).
1054
1056 The directory with Postfix-writable data files (for example: caches,
1057 pseudo-random numbers). This directory must be owned by the mail_owner
1058 account, and must not be shared with non-Postfix software.
1059
1060 This feature is available in Postfix 2.5 and later.
1061
1063 The increment in verbose logging level when a remote client or server
1064 matches a pattern in the debug_peer_list parameter.
1065
1067 Optional list of remote client or server hostname or network address
1068 patterns that cause the verbose logging level to increase by the amount
1069 specified in $debug_peer_level.
1070
1071 Specify domain names, network/netmask patterns, "/file/name" patterns
1072 or "type:table" lookup tables. The right-hand side result from
1073 "type:table" lookups is ignored.
1074
1075 Pattern matching of domain names is controlled by the presence or
1076 absence of "debug_peer_list" in the parent_domain_matches_subdomains
1077 parameter value.
1078
1079 Examples:
1080
1081 debug_peer_list = 127.0.0.1
1082 debug_peer_list = example.com
1083
1085 The external command to execute when a Postfix daemon program is
1086 invoked with the -D option.
1087
1088 Use "command .. & sleep 5" so that the debugger can attach before the
1089 process marches on. If you use an X-based debugger, be sure to set up
1090 your XAUTHORITY environment variable before starting Postfix.
1091
1092 Note: the command is subject to $name expansion, before it is passed to
1093 the default command interpreter. Specify "$$" to produce a single "$"
1094 character.
1095
1096 Example:
1097
1098 debugger_command =
1099 PATH=/usr/bin:/usr/X11R6/bin
1100 ddd $daemon_directory/$process_name $process_id & sleep 5
1101
1103 The default database type for use in newaliases(1), postalias(1) and
1104 postmap(1) commands. On many UNIX systems the default type is either
1105 dbm or hash. The default setting is frozen when the Postfix system is
1106 built.
1107
1108 Examples:
1109
1110 default_database_type = hash
1111 default_database_type = dbm
1112
1114 How often the Postfix queue manager's scheduler is allowed to preempt
1115 delivery of one message with another.
1116
1117 Each transport maintains a so-called "available delivery slot counter"
1118 for each message. One message can be preempted by another one when the
1119 other message can be delivered using no more delivery slots (i.e.,
1120 invocations of delivery agents) than the current message counter has
1121 accumulated (or will eventually accumulate - see about slot loans
1122 below). This parameter controls how often the counter is incremented:
1123 it happens after each default_delivery_slot_cost recipients have been
1124 delivered.
1125
1126 The cost of 0 is used to disable the preempting scheduling completely.
1127 The minimum value the scheduling algorithm can use is 2 - use it if you
1128 want to maximize the message throughput rate. Although there is no max‐
1129 imum, it doesn't make much sense to use values above say 50.
1130
1131 The only reason why the value of 2 is not the default is the way this
1132 parameter affects the delivery of mailing-list mail. In the worst case,
1133 delivery can take somewhere between (cost+1)/cost and cost/(cost-1)
1134 times more than if the preemptive scheduler was disabled (with the
1135 default cost of 5: between 1.2 and 1.25 times). The default value of 5
1136 turns out to provide reasonable message response times while making
1137 sure the mailing-list deliveries are not extended by more than 20-25
     percent even in the worst case.
1138
1139 Use transport_delivery_slot_cost to specify a transport-specific over‐
1140 ride, where transport is the master.cf name of the message delivery
1141 transport.
1142
1143 Examples:
1144
1145 default_delivery_slot_cost = 0
1146 default_delivery_slot_cost = 2
1147
1149 The default value for transport-specific _delivery_slot_discount set‐
1150 tings.
1151
1152 This parameter speeds up the moment when a message preemption can hap‐
1153 pen. Instead of waiting until the full amount of delivery slots
1154 required is available, the preemption can happen when transport_deliv‐
1155 ery_slot_discount percent of the required amount plus transport_deliv‐
1156 ery_slot_loan still remains to be accumulated. Note that the full
1157 amount will still have to be accumulated before another preemption can
1158 take place later.
1159
1160 Use transport_delivery_slot_discount to specify a transport-specific
1161 override, where transport is the master.cf name of the message delivery
1162 transport.
1163
1165 The default value for transport-specific _delivery_slot_loan settings.
1166
1167 This parameter speeds up the moment when a message preemption can hap‐
1168 pen. Instead of waiting until the full amount of delivery slots
1169 required is available, the preemption can happen when transport_deliv‐
1170 ery_slot_discount percent of the required amount plus transport_deliv‐
1171 ery_slot_loan still remains to be accumulated. Note that the full
1172 amount will still have to be accumulated before another preemption can
1173 take place later.
1174
1175 Use transport_delivery_slot_loan to specify a transport-specific over‐
1176 ride, where transport is the master.cf name of the message delivery
1177 transport.
1178
1180 Optional filter to replace the delivery status code or explanatory text
1181 of successful or unsuccessful deliveries. This does not allow the
1182 replacement of a successful status code (2.X.X) with an unsuccessful
1183 status code (4.X.X or 5.X.X) or vice versa.
1184
1185 Note: the (smtp|lmtp)_delivery_status_filter is applied only once per
1186 recipient: when delivery is successful, when delivery is rejected with
1187 5XX, or when there are no more alternate MX or A destinations. Use
1188 smtp_reply_filter or lmtp_reply_filter to inspect responses for all
1189 delivery attempts.
1190
1191 The following parameters can be used to implement a filter for specific
1192 delivery agents: lmtp_delivery_status_filter, local_delivery_sta‐
1193 tus_filter, pipe_delivery_status_filter, smtp_delivery_status_filter or
1194 virtual_delivery_status_filter. These parameters support the same fil‐
1195 ter syntax as described here.
1196
1197 Specify zero or more "type:table" lookup table names, separated by
1198 comma or whitespace. For each successful or unsuccessful delivery to a
1199 recipient, the tables are queried in the specified order with one line
1200 of text that is structured as follows:
1201
1202 enhanced-status-code SPACE explanatory-text
1203
1204 The first table match wins. The lookup result must have the same struc‐
1205 ture as the query, a successful status code (2.X.X) must be replaced
1206 with a successful status code, an unsuccessful status code (4.X.X or
1207 5.X.X) must be replaced with an unsuccessful status code, and the
1208 explanatory text field must be non-empty. Other results will result in
1209 a warning.
1210
1211 Example 1: convert specific soft TLS errors into hard errors, by over‐
1212 riding the first number in the enhanced status code.
1213
1214 /etc/postfix/main.cf:
1215 smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
1216
1217 /etc/postfix/smtp_dsn_filter:
1218 /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
1219 5$1
1220 /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
1221 5$1
1222 # Do not change the following into hard bounces. They may
1223 # result from a local configuration problem.
1224 # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
1225 # 4.\d+.\d+ TLS is required, but unavailable
1226 # 4.\d+.\d+ Cannot start TLS: handshake failure
1227
1228 Example 2: censor the per-recipient delivery status text so that it
1229 does not reveal the destination command or filename when a remote
1230 sender requests confirmation of successful delivery.
1231
1232 /etc/postfix/main.cf:
1233 local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
1234
1235 /etc/postfix/local_dsn_filter:
1236 /^(2\S+ delivered to file).+/ $1
1237 /^(2\S+ delivered to command).+/ $1
1238
1239 Notes:
1240
1241 · This feature will NOT override the soft_bounce safety net.
1242
1243 · This feature will change the enhanced status code and text that
1244 is logged to the maillog file, and that is reported to the
1245 sender in delivery confirmation or non-delivery notifications.
1246
1247 This feature is available in Postfix 3.0 and later.
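       To see what the filter accepts and rejects before deploying a table, the
       lookup and result validation described above can be emulated offline.
       The following is an added example, not Postfix code: it replays the two
       pcre tables from the examples on constructed per-recipient status lines
       (host names and paths are made up) and applies the documented rules that
       the first match wins, the result must keep the query's structure and
       class, and an invalid result is ignored with a warning. Postfix pcre
       tables write back-references as $1 while Python's re uses \1, so the
       replacement is translated.

       ```python
       import re

       # Constructed versions of the two pcre tables from the examples above,
       # as (pattern, replacement) pairs; "$1" is a pcre-table back-reference.
       SMTP_DSN_FILTER = [
           (r"^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)", "5$1"),
           (r"^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)", "5$1"),
       ]
       LOCAL_DSN_FILTER = [
           (r"^(2\S+ delivered to file).+", "$1"),
           (r"^(2\S+ delivered to command).+", "$1"),
       ]

       # "enhanced-status-code SPACE explanatory-text", with non-empty text.
       STATUS_LINE_RE = re.compile(r"^([245])\.\d{1,3}\.\d{1,3} (\S.*)$")


       def _pcre_to_python(replacement):
           """Translate pcre-table back-references ($1..$9) into re.sub syntax."""
           return re.sub(r"\$(\d)", r"\\\1", replacement)


       def apply_dsn_filter(table, query, warnings):
           """Emulate one _delivery_status_filter lookup.

           The first matching entry wins. The result is accepted only when it
           has the query's structure, keeps the class (2.X.X stays 2.X.X; 4.X.X
           or 5.X.X stay 4.X.X or 5.X.X) and has non-empty text. Anything else
           is recorded in `warnings` and the query is returned unchanged.
           """
           m_in = STATUS_LINE_RE.match(query)
           if not m_in:
               raise ValueError("not an enhanced status line: %r" % query)
           for pattern, replacement in table:
               result, hits = re.subn(pattern, _pcre_to_python(replacement), query, count=1)
               if not hits:
                   continue
               m_out = STATUS_LINE_RE.match(result)
               same_class = m_out is not None and (m_in.group(1) == "2") == (m_out.group(1) == "2")
               if m_out is None or not same_class:
                   warnings.append("ignoring bad filter result %r for %r" % (result, query))
                   return query
               return result
           return query


       if __name__ == "__main__":
           warnings = []
           # Constructed status lines of the kind smtp(8) and local(8) produce.
           for table, line in [
               (SMTP_DSN_FILTER, "4.7.4 TLS is required, but host mx.example.net[192.0.2.1] refused to start TLS: 454 4.7.0 TLS not available"),
               (SMTP_DSN_FILTER, "4.7.4 TLS is required, but our TLS engine is unavailable"),
               (LOCAL_DSN_FILTER, "2.0.0 delivered to file /home/alice/Maildir/new/1700000000.mx1"),
               (LOCAL_DSN_FILTER, "2.0.0 delivered to mailbox"),
           ]:
               print(apply_dsn_filter(table, line, warnings))
           print(warnings)
       ```

       The second smtp line is left alone on purpose: it is one of the
       "local configuration problem" cases that the example table deliberately
       does not turn into a hard bounce. A rule that rewrote a 2.X.X result
       into 5.X.X would be rejected by the validation step, matching the
       documented restriction.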
1248
1250 How many pseudo-cohorts must suffer connection or handshake failure
1251 before a specific destination is considered unavailable (and further
1252 delivery is suspended). Specify zero to disable this feature. A desti‐
1253 nation's pseudo-cohort failure count is reset each time a delivery com‐
1254 pletes without connection or handshake failure for that specific desti‐
1255 nation.
1256
1257 A pseudo-cohort is the number of deliveries equal to a destination's
1258 delivery concurrency.
1259
1260 Use transport_destination_concurrency_failed_cohort_limit to specify a
1261 transport-specific override, where transport is the master.cf name of
1262 the message delivery transport.
1263
1264 This feature is available in Postfix 2.5. The default setting is com‐
1265 patible with earlier Postfix versions.
1266
1268 The default maximal number of parallel deliveries to the same destina‐
1269 tion. This is the default limit for delivery via the lmtp(8), pipe(8),
1270 smtp(8) and virtual(8) delivery agents. With per-destination recipient
1271 limit > 1, a destination is a domain, otherwise it is a recipient.
1272
1273 Use transport_destination_concurrency_limit to specify a transport-spe‐
1274 cific override, where transport is the master.cf name of the message
1275 delivery transport.
1276
1278 The per-destination amount of delivery concurrency negative feedback,
1279 after a delivery completes with a connection or handshake failure.
1280 Feedback values are in the range 0..1 inclusive. With negative feed‐
1281 back, concurrency is decremented at the beginning of a sequence of
1282 length 1/feedback. This is unlike positive feedback, where concurrency
1283 is incremented at the end of a sequence of length 1/feedback.
1284
1285 As of Postfix version 2.5, negative feedback cannot reduce delivery
1286 concurrency to zero. Instead, a destination is marked dead (further
1287 delivery suspended) after the failed pseudo-cohort count reaches
1288 $default_destination_concurrency_failed_cohort_limit (or $trans‐
1289 port_destination_concurrency_failed_cohort_limit). To make the sched‐
1290 uler completely immune to connection or handshake failures, specify a
1291 zero feedback value and a zero failed pseudo-cohort limit.
1292
1293 Specify one of the following forms:
1294
1295 number
1296
1297 number / number
1298 Constant feedback. The value must be in the range 0..1 inclu‐
1299 sive. The default setting of "1" is compatible with Postfix
1300 versions before 2.5, where a destination's delivery concurrency
1301 is throttled down to zero (and further delivery suspended) after
1302 a single failed pseudo-cohort.
1303
1304 number / concurrency
1305 Variable feedback of "number / (delivery concurrency)". The
1306 number must be in the range 0..1 inclusive. With number equal to
1307 "1", a destination's delivery concurrency is decremented by 1
1308 after each failed pseudo-cohort.
1309
1310 A pseudo-cohort is the number of deliveries equal to a destination's
1311 delivery concurrency.
1312
1313 Use transport_destination_concurrency_negative_feedback to specify a
1314 transport-specific override, where transport is the master.cf name of
1315 the message delivery transport.
1316
1317 This feature is available in Postfix 2.5. The default setting is com‐
1318 patible with earlier Postfix versions.
1319
1321 The per-destination amount of delivery concurrency positive feedback,
1322 after a delivery completes without connection or handshake failure.
1323 Feedback values are in the range 0..1 inclusive. The concurrency
1324 increases until it reaches the per-destination maximal concurrency
1325 limit. With positive feedback, concurrency is incremented at the end of
1326 a sequence with length 1/feedback. This is unlike negative feedback,
1327 where concurrency is decremented at the start of a sequence of length
1328 1/feedback.
1329
1330 Specify one of the following forms:
1331
1332 number
1333
1334 number / number
1335 Constant feedback. The value must be in the range 0..1 inclu‐
1336 sive. The default setting of "1" is compatible with Postfix ver‐
1337 sions before 2.5, where a destination's delivery concurrency
1338 doubles after each successful pseudo-cohort.
1339
1340 number / concurrency
1341 Variable feedback of "number / (delivery concurrency)". The
1342 number must be in the range 0..1 inclusive. With number equal to
1343 "1", a destination's delivery concurrency is incremented by 1
1344 after each successful pseudo-cohort.
1345
1346 A pseudo-cohort is the number of deliveries equal to a destination's
1347 delivery concurrency.
1348
1349 Use transport_destination_concurrency_positive_feedback to specify a
1350 transport-specific override, where transport is the master.cf name of
1351 the message delivery transport.
1352
1353 This feature is available in Postfix 2.5 and later.
1354
1356 The default amount of delay that is inserted between individual message
1357 deliveries to the same destination and over the same message delivery
1358 transport. Specify a non-zero value to rate-limit those message deliv‐
1359 eries to at most one per $default_destination_rate_delay.
1360
1361 The resulting behavior depends on the value of the corresponding
1362 per-destination recipient limit.
1363
1364 · With a corresponding per-destination recipient limit > 1, the
1365 rate delay specifies the time between deliveries to the same
1366 domain. Different domains are delivered in parallel, subject to
1367 the process limits specified in master.cf.
1368
1369 · With a corresponding per-destination recipient limit equal to 1,
1370 the rate delay specifies the time between deliveries to the same
1371 recipient. Different recipients are delivered in parallel, sub‐
1372 ject to the process limits specified in master.cf.
1373
1374 To enable the delay, specify a non-zero time value (an integral value
1375 plus an optional one-letter suffix that specifies the time unit).
1376
1377 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1378 The default time unit is s (seconds).
1379
1380 NOTE: the delay is enforced by the queue manager. The delay timer state
1381 does not survive "postfix reload" or "postfix stop".
1382
1383 Use transport_destination_rate_delay to specify a transport-specific
1384 override, where transport is the master.cf name of the message delivery
1385 transport.
1386
1387 NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1388 tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1389 fix from deferring all mail for the same destination after only one
1390 connection or handshake error.
1391
1392 This feature is available in Postfix 2.5 and later.
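       The interaction between positive and negative feedback, pseudo-cohorts,
       the failed cohort limit and a rate delay (concurrency 1) is easier to
       see in a small simulation than in prose. The following is an added
       illustrative model of the rules documented in the
       default_destination_concurrency_* and default_destination_rate_delay
       sections above; it is not qmgr(8) code, and the initial concurrency of 5
       and limit of 20 are assumed defaults. Feedback is given in the
       documented forms ("1", "1/2", "1/concurrency").

       ```python
       from fractions import Fraction


       def parse_feedback(spec):
           """Parse 'number', 'number / number' or 'number / concurrency'.

           Returns (value, per_concurrency); value must be in the range 0..1.
           """
           num, _, den = (part.strip() for part in spec.partition("/"))
           per_concurrency = den == "concurrency"
           value = Fraction(num) if per_concurrency else Fraction(num) / Fraction(den or "1")
           if not 0 <= value <= 1:
               raise ValueError("feedback must be in the range 0..1: %r" % spec)
           return value, per_concurrency


       class Destination:
           """Model of the documented per-destination concurrency rules.

           Positive feedback increments concurrency at the END of a sequence
           of 1/feedback successes; negative feedback decrements it (never
           below 1, as in Postfix 2.5 and later) at the START of a sequence of
           1/feedback failures; the destination is marked dead once
           failed_cohort_limit consecutive pseudo-cohorts (groups of
           "concurrency" deliveries) have failed, and a success resets that
           count. A limit of 0 disables the dead-destination check.
           """

           def __init__(self, initial=5, limit=20, positive="1", negative="1",
                        failed_cohort_limit=1):
               self.concurrency, self.limit = initial, limit
               self.pos, self.pos_var = parse_feedback(positive)
               self.neg, self.neg_var = parse_feedback(negative)
               self.failed_cohort_limit = failed_cohort_limit
               self.credit = Fraction(0)     # progress through a positive sequence
               self.debit = Fraction(0)      # progress through a negative sequence
               self.cohort_size = 0          # size of the pseudo-cohort being failed
               self.cohort_failures = 0      # failures in the current pseudo-cohort
               self.failed_cohorts = 0       # consecutive failed pseudo-cohorts
               self.dead = False

           def _step(self, value, per_concurrency):
               return value / self.concurrency if per_concurrency else value

           def deliver(self, ok):
               """Record one delivery that completed without (ok=True) or with
               (ok=False) a connection or handshake failure."""
               if self.dead:
                   return
               if ok:
                   self.failed_cohorts = self.cohort_failures = 0
                   self.credit += self._step(self.pos, self.pos_var)
                   if self.credit >= 1:
                       self.credit -= 1
                       if self.concurrency < self.limit:
                           self.concurrency += 1
                   return
               if self.cohort_failures == 0:
                   self.cohort_size = self.concurrency
               step = self._step(self.neg, self.neg_var)
               if step > 0:
                   if self.debit == 0 and self.concurrency > 1:
                       self.concurrency -= 1
                   self.debit += step
                   if self.debit >= 1:
                       self.debit = Fraction(0)
               self.cohort_failures += 1
               if self.cohort_failures >= self.cohort_size:
                   self.cohort_failures = 0
                   self.failed_cohorts += 1
                   if 0 < self.failed_cohort_limit <= self.failed_cohorts:
                       self.dead = True

           def run(self, outcomes):
               """Feed a string of 'S' (success) / 'F' (failure) outcomes and
               return (concurrency, dead)."""
               for ch in outcomes:
                   self.deliver(ch == "S")
               return self.concurrency, self.dead


       if __name__ == "__main__":
           print(Destination().run("SSSSS"))                   # (10, False): doubled
           print(Destination().run("SSSSS" + "F" * 10))        # (1, True): one failed cohort
           print(Destination(initial=1, limit=1).run("F"))     # (1, True): rate-delayed
           print(Destination(initial=1, limit=1, failed_cohort_limit=10).run("F" * 9))  # (1, False)
           print(Destination(negative="0", failed_cohort_limit=0).run("F" * 50))       # (5, False)
       ```

       The third line is the case the NOTE above warns about: with a rate
       delay the concurrency is 1, so a single failed connection is a whole
       failed pseudo-cohort and, with the default limit of 1, suspends the
       destination. Raising the failed cohort limit, as the NOTE recommends,
       requires that many consecutive failures instead.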
1393
1395 The default maximal number of recipients per message delivery. This is
1396 the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
1397 virtual(8) delivery agents.
1398
1399 Setting this parameter to a value of 1 affects email deliveries as fol‐
1400 lows:
1401
1402 · It changes the meaning of the corresponding per-destination con‐
1403 currency limit, from concurrency of deliveries to the same
1404 domain into concurrency of deliveries to the same recipient.
1405 Different recipients are delivered in parallel, subject to the
1406 process limits specified in master.cf.
1407
1408 · It changes the meaning of the corresponding per-destination rate
1409 delay, from the delay between deliveries to the same domain into
1410 the delay between deliveries to the same recipient. Again, dif‐
1411 ferent recipients are delivered in parallel, subject to the
1412 process limits specified in master.cf.
1413
1414 · It changes the meaning of other corresponding per-destination
1415 settings in a similar manner, from settings for delivery to the
1416 same domain into settings for delivery to the same recipient.
1417
1418 Use transport_destination_recipient_limit to specify a transport-spe‐
1419 cific override, where transport is the master.cf name of the message
1420 delivery transport.
1421
1423 The default value for the extra per-transport limit imposed on the num‐
1424 ber of in-memory recipients. This extra recipient space is reserved
1425 for the cases when the Postfix queue manager's scheduler preempts one
1426 message with another and suddenly needs some extra recipient slots for
1427 the chosen message in order to avoid performance degradation.
1428
1429 Use transport_extra_recipient_limit to specify a transport-specific
1430 override, where transport is the master.cf name of the message delivery
1431 transport.
1432
1434 When a content_filter or FILTER request specifies no explicit next-hop
1435 destination, use $default_filter_nexthop instead; when that value is
1436 empty, use the domain in the recipient address. Specify "default_fil‐
1437 ter_nexthop = $myhostname" for compatibility with Postfix version 2.6
1438 and earlier, or specify an explicit next-hop destination with each con‐
1439 tent_filter value or FILTER action.
1440
1441 This feature is available in Postfix 2.7 and later.
1442
1444 How many recipients a message must have in order to invoke the Postfix
1445 queue manager's scheduling algorithm at all. Messages which would
1446 never accumulate at least this many delivery slots (subject to the slot
1447 cost parameter as well) are never preempted.
1448
1449 Use transport_minimum_delivery_slots to specify a transport-specific
1450 override, where transport is the master.cf name of the message delivery
1451 transport.
1452
1454 The default rights used by the local(8) delivery agent for delivery to
1455 external file or command. These rights are used when delivery is
1456 requested from an aliases(5) file that is owned by root, or when deliv‐
1457 ery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE
1458 POSTFIX OWNER.
1459
1461 The default maximal number of Postfix child processes that provide a
1462 given service. This limit can be overruled for specific services in the
1463 master.cf file.
1464
1466 The default Postfix SMTP server response template for a request that is
1467 rejected by an RBL-based restriction. This template can be overruled by
1468 specific entries in the optional rbl_reply_maps lookup table.
1469
1470 This feature is available in Postfix 2.0 and later.
1471
1472 The template does not support Postfix configuration parameter $name
1473 substitution. Instead, it supports exactly one level of $name substitu‐
1474 tion for the following attributes:
1475
1476 $client
1477 The client hostname and IP address, formatted as name[address].
1478
1479 $client_address
1480 The client IP address.
1481
1482 $client_name
1483 The client hostname or "unknown". See
1484 reject_unknown_client_hostname for more details.
1485
1486 $reverse_client_name
1487 The client hostname from address->name lookup, or "unknown".
1488 See reject_unknown_reverse_client_hostname for more details.
1489
1490 $helo_name
1491 The hostname given in the HELO or EHLO command, or the empty string.
1492
1493 $rbl_class
1494 The blacklisted entity type: Client host, Helo command, Sender
1495 address, or Recipient address.
1496
1497 $rbl_code
1498 The numerical SMTP response code, as specified with the
1499 maps_rbl_reject_code configuration parameter. Note: The numeri‐
1500 cal SMTP response code is required, and must appear at the start
1501 of the reply. With Postfix version 2.3 and later this informa‐
1502 tion may be followed by an RFC 3463 enhanced status code.
1503
1504 $rbl_domain
1505 The RBL domain where $rbl_what is blacklisted.
1506
1507 $rbl_reason
1508 The reason why $rbl_what is blacklisted, or an empty string.
1509
1510 $rbl_what
1511 The entity that is blacklisted (an IP address, a hostname, a
1512 domain name, or an email address whose domain was blacklisted).
1513
1514 $recipient
1515 The recipient address or <> in case of the null address.
1516
1517 $recipient_domain
1518 The recipient domain or empty string.
1519
1520 $recipient_name
1521 The recipient address localpart or <> in case of the null address.
1522
1523 $sender
1524 The sender address or <> in case of the null address.
1525
1526 $sender_domain
1527 The sender domain or empty string.
1528
1529 $sender_name
1530 The sender address localpart or <> in case of the null address.
1531
1532 ${name?text}
1533 Expands to `text' if $name is not empty.
1534
1535 ${name:text}
1536 Expands to `text' if $name is empty.
1537
1538 Instead of $name you can also specify ${name} or $(name).
1539
1540 Note: when an enhanced status code is specified in an RBL reply tem‐
1541 plate, it is subject to modification. The following transformations
1542 are needed when the same RBL reply template is used for client, helo,
1543 sender, or recipient access restrictions.
1544
1545 · When rejecting a sender address, the Postfix SMTP server will
1546 transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
1547 corresponding sender DSN status, and vice versa.
1548
1549 · When rejecting non-address information (such as the HELO command
1550 argument or the client hostname/address), the Postfix SMTP
1551 server will transform a sender or recipient DSN status into a
1552 generic non-address DSN status (e.g., 4.0.0).
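       Both command_execution_directory (with its execution_directory_expan‐
       sion_filter) and default_rbl_reply use the same one-level $name
       expansion with ${name?value} and ${name:value}. The following is an
       added example, not Postfix's mac_expand code: it implements the forms
       listed in those two sections, applies a character filter to substituted
       attribute values the way the local(8) section describes, and checks
       that an RBL reply starts with the numerical SMTP code. The filter
       character set is assumed to match the built-in default of
       execution_directory_expansion_filter and the template is quoted from
       the built-in default_rbl_reply; verify both with "postconf -d". The
       request and RBL attributes are constructed for the example.

       ```python
       import re
       import string

       NAME_CHARS = set(string.ascii_letters + string.digits + "_")

       # Assumed to match the Postfix built-in default for
       # execution_directory_expansion_filter; confirm with
       # "postconf -d execution_directory_expansion_filter".
       EXEC_DIR_FILTER = set("1234567890!@%-_=+:,./" + string.ascii_letters)

       # Built-in default_rbl_reply template as shown by "postconf -d" (quoted
       # from memory; verify on your installation).
       DEFAULT_RBL_REPLY = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                            "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")


       def expand(template, attrs, allowed=None):
           """Expand $name, ${name}, $(name), ${name?value}, ${name:value}, $$.

           attrs maps attribute names to strings; an undefined name expands to
           the empty string. When `allowed` is a character set, each character
           of a substituted attribute value outside it becomes "_" (literal
           template text is never filtered). Values after "?" or ":" are
           expanded recursively, so "${extension?.$extension}" works.
           """
           out, i = [], 0
           while i < len(template):
               if template[i] != "$":
                   out.append(template[i])
                   i += 1
               elif template[i + 1:i + 2] == "$":          # "$$" yields one "$"
                   out.append("$")
                   i += 2
               elif template[i + 1:i + 2] in ("{", "("):
                   body, i = _balanced(template, i + 1)
                   out.append(_macro(body, attrs, allowed))
               else:
                   j = i + 1
                   while j < len(template) and template[j] in NAME_CHARS:
                       j += 1
                   out.append(_macro(template[i + 1:j], attrs, allowed))
                   i = j
           return "".join(out)


       def _balanced(text, i):
           """text[i] is "{" or "("; return (inner text, index past the
           matching close), honouring nested delimiters of the same kind."""
           opener = text[i]
           close = "}" if opener == "{" else ")"
           depth = 0
           for j in range(i, len(text)):
               if text[j] == opener:
                   depth += 1
               elif text[j] == close:
                   depth -= 1
                   if depth == 0:
                       return text[i + 1:j], j + 1
           raise ValueError("unbalanced %r in %r" % (opener, text))


       def _macro(body, attrs, allowed):
           m = re.match(r"([A-Za-z0-9_]+)([?:])?(.*)$", body, re.DOTALL)
           if not m:
               raise ValueError("bad $name reference: %r" % body)
           name, op, value = m.groups()
           raw = attrs.get(name, "")
           if op == "?":
               return expand(value, attrs, allowed) if raw else ""
           if op == ":":
               return "" if raw else expand(value, attrs, allowed)
           if allowed is None:
               return raw
           return "".join(c if c in allowed else "_" for c in raw)


       def render_rbl_reply(template, attrs):
           """Expand an RBL reply template and enforce the documented rule that
           the numerical SMTP code must appear at the start of the reply."""
           reply = expand(template, attrs)
           if not re.match(r"[45]\d\d(?: |$)", reply):
               raise ValueError("reply must start with the SMTP code: %r" % reply)
           return reply


       # Constructed delivery-request attributes of the kind local(8) supplies.
       REQUEST = {"user": "alice", "home": "/home/alice", "extension": "projects",
                  "recipient": "alice+projects@example.com", "domain": "example.com",
                  "local": "alice+projects", "shell": "/bin/sh", "recipient_delimiter": "+"}

       # Constructed smtpd(8) attributes for an RBL rejection; the RBL domain is made up.
       RBL = {"rbl_code": "554", "rbl_class": "Client host", "rbl_what": "192.0.2.10",
              "rbl_domain": "rbl.example.net", "rbl_reason": "listed",
              "client": "unknown[192.0.2.10]", "helo_name": "mail.example.org"}

       if __name__ == "__main__":
           print(expand("$home/${extension?.$extension}", REQUEST, EXEC_DIR_FILTER))
           print(expand("$home/$extension", dict(REQUEST, extension="a b;c"), EXEC_DIR_FILTER))
           # "." and "/" are in the default filter, so a traversal-style extension
           # passes the filter unchanged: the filter is not a path validator.
           print(expand("$home/$extension", dict(REQUEST, extension="../../tmp"), EXEC_DIR_FILTER))
           print(render_rbl_reply(DEFAULT_RBL_REPLY, RBL))
       ```

       The second and third calls are the practical caveat: the filter turns
       a space and ";" in a sender-controlled address extension into "_", but
       "." and "/" are legitimately needed for $home and therefore survive,
       so an extension such as "../../tmp" is not neutralised by the filter
       alone. Build command_execution_directory from $home or a fixed path
       rather than from $extension unless something else validates it.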
1553
The default per-transport upper limit on the number of in-memory
recipients. These limits take priority over the global
qmgr_message_recipient_limit after the message has been assigned to the
respective transports. See also default_extra_recipient_limit and
qmgr_message_recipient_minimum.

Use transport_recipient_limit to specify a transport-specific override,
where transport is the master.cf name of the message delivery
transport.

The default per-transport maximum delay between recipient refills.
When not all message recipients fit into memory at once, keep loading
more of them at least once every this many seconds. This is used
to make sure the recipients are refilled in a timely manner even when
$default_recipient_refill_limit is too high for too slow deliveries.

Use transport_recipient_refill_delay to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

This feature is available in Postfix 2.4 and later.

The default per-transport limit on the number of recipients refilled at
once. When not all message recipients fit into memory at once,
keep loading more of them in batches of at least this many at a time.
See also $default_recipient_refill_delay, which may result in recipient
batches smaller than this when this limit is too high for too slow
deliveries.

Use transport_recipient_refill_limit to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

This feature is available in Postfix 2.4 and later.

The default mail delivery transport and next-hop destination for
destinations that do not match $mydestination, $inet_interfaces,
$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
$relay_domains. This information can be overruled with the
sender_dependent_default_transport_maps parameter and with the
transport(5) table.

In order of decreasing precedence, the nexthop destination is taken
from $sender_dependent_default_transport_maps, $default_transport,
$sender_dependent_relayhost_maps, $relayhost, or from the recipient
domain.

Specify a string of the form transport:nexthop, where transport is the
name of a mail delivery transport defined in master.cf. The :nexthop
destination is optional; its syntax is documented in the manual page of
the corresponding delivery agent. In the case of SMTP or LMTP, specify
one or more destinations separated by comma or whitespace (with Postfix
3.5 and later).

Example:

default_transport = uucp:relayhostname

The default amount of delay that is inserted between individual message
deliveries over the same message delivery transport, regardless of
destination. Specify a non-zero value to rate-limit those message
deliveries to at most one per $default_transport_rate_delay.

Use transport_transport_rate_delay to specify a transport-specific
override, where the initial transport is the master.cf name of the
message delivery transport.

Example: throttle outbound SMTP mail to at most 3 deliveries per
minute.

/etc/postfix/main.cf:
smtp_transport_rate_delay = 20s

To enable the delay, specify a non-zero time value (an integral value
plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

NOTE: the delay is enforced by the queue manager.

This feature is available in Postfix 3.1 and later.

The two default VERP delimiter characters. These are used when no
explicit delimiters are specified with the SMTP XVERP command or with
the "sendmail -V" command-line option. Specify characters that are
allowed by the verp_delimiter_filter setting.

This feature is available in Postfix 1.1 and later.

The numerical Postfix SMTP server response code when a remote SMTP
client request is rejected by the "defer" restriction.

Do not change this unless you have a complete understanding of RFC
5321.

The name of the defer service. This service is implemented by the
bounce(8) daemon and maintains a record of failed delivery attempts and
generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

The names of message delivery transports that should not deliver mail
unless someone issues "sendmail -q" or equivalent. Specify zero or more
names of mail delivery transports that appear in the first field
of master.cf.

Example:

defer_transports = smtp

The maximal number of digits after the decimal point when logging
sub-second delay values. Specify a number in the range 0..6.

Large delay values are rounded off to an integral number of seconds;
delay values below the delay_logging_resolution_limit are logged as "0",
and delay values under 100s are logged with at most two-digit precision.

The format of the "delays=a/b/c/d" logging is as follows:

· a = time from message arrival to last active queue entry

· b = time from last active queue entry to connection setup

· c = time in connection setup, including DNS, EHLO and STARTTLS

· d = time in message transmission

This feature is available in Postfix 2.3 and later.

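As an added example that is not part of the manual page, a small Python parser for the "delays=a/b/c/d" field described above, run over constructed log lines in the shape Postfix delivery agents log per recipient; it names the phase that dominates each delivery and flags deliveries where connection setup (c) is slow. The hostnames, addresses and queue IDs in the sample lines are constructed for this example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Phase names for the a/b/c/d fields, in the order the page gives them.
PHASES = (
    "before_active_queue",   # a: message arrival -> last active queue entry
    "queue_manager",         # b: last active queue entry -> connection setup
    "connection_setup",      # c: connection setup incl. DNS, EHLO, STARTTLS
    "transmission",          # d: message transmission
)

# Matches the "delay=..., delays=a/b/c/d" pair in a per-recipient log line.
_DELAYS_RE = re.compile(
    r"\bdelay=(?P<total>\d+(?:\.\d+)?), "
    r"delays=(?P<a>\d+(?:\.\d+)?)/(?P<b>\d+(?:\.\d+)?)/"
    r"(?P<c>\d+(?:\.\d+)?)/(?P<d>\d+(?:\.\d+)?)"
)
# The queue ID follows the "process[pid]: " prefix.
_QUEUE_ID_RE = re.compile(r"\]: (?P<qid>[0-9A-Za-z]+): ")


def parse_delays(line: str) -> Optional[Dict[str, float]]:
    """Extract the total delay and the per-phase delays from one log line.

    Returns None for lines without a delays= field (connect/disconnect lines
    and the like), so a whole log can be fed through unchanged.
    """
    m = _DELAYS_RE.search(line)
    if not m:
        return None
    result: Dict[str, float] = {"total": float(m.group("total"))}
    for phase, key in zip(PHASES, "abcd"):
        result[phase] = float(m.group(key))
    qm = _QUEUE_ID_RE.search(line)
    result["queue_id"] = qm.group("qid") if qm else ""
    return result


def dominant_phase(delays: Dict[str, float]) -> str:
    """Name the phase that accounts for the largest part of the delay."""
    return max(PHASES, key=lambda p: delays[p])


def slow_connection_setups(lines: Iterable[str], threshold: float) -> List[str]:
    """Queue IDs whose connection-setup time (c) exceeds threshold seconds.

    A high c across many deliveries to one destination points at DNS, TCP or
    TLS handshake trouble with that destination, not at the local queue.
    """
    flagged = []
    for line in lines:
        d = parse_delays(line)
        if d is not None and d["connection_setup"] > threshold:
            flagged.append(d["queue_id"])
    return flagged


# Constructed sample lines in the shape smtp(8) logs; all values are made up.
SAMPLE_LOG = [
    "Mar 20 14:31:49 mx postfix/smtp[2231]: 3Pt2mN2VXxznjll: "
    "to=<alice@example.net>, relay=mail.example.net[192.0.2.10]:25, "
    "delay=0.92, delays=0.05/0.01/0.26/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)",
    "Mar 20 14:31:52 mx postfix/smtp[2232]: 3Pt2mP0QkRznjm1: "
    "to=<bob@example.org>, relay=mta.example.org[192.0.2.20]:25, "
    "delay=31, delays=0.1/0.02/30/0.88, dsn=2.0.0, status=sent (250 2.0.0 Ok)",
    "Mar 20 14:31:52 mx postfix/smtp[2232]: disconnect from mta.example.org[192.0.2.20]",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        parsed = parse_delays(entry)
        if parsed:
            print(parsed["queue_id"], "dominant phase:", dominant_phase(parsed))
    print("slow connection setups:", slow_connection_setups(SAMPLE_LOG, threshold=5.0))
```
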
The recipient of postmaster notifications with the message headers of
mail that cannot be delivered within $delay_warning_time time units.

See also: delay_warning_time, notify_classes.

The time after which the sender receives a copy of the message headers
of mail that is still queued. The confirm_delay_cleared parameter
controls sender notification when the delay clears up.

To enable this feature, specify a non-zero time value (an integral
value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours).

See also: delay_notice_recipient, notify_classes,
confirm_delay_cleared.

The maximal number of attempts to acquire an exclusive lock on a
mailbox file or bounce(8) logfile.

The time between attempts to acquire an exclusive lock on a mailbox
file or bounce(8) logfile.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Make the queue manager's feedback algorithm verbose for performance
analysis purposes.

This feature is available in Postfix 2.5 and later.

Automatically detect 8BITMIME body content by looking at
Content-Transfer-Encoding: message headers; historically, this behavior
was hard-coded to be "always on".

This feature is available in Postfix 2.5 and later.

Disable DNS lookups in the Postfix SMTP and LMTP clients. When
disabled, hosts are looked up with the getaddrinfo() system library
routine which normally also looks in /etc/hosts. As of Postfix 2.11,
this parameter is deprecated; use smtp_dns_support_level instead.

DNS lookups are enabled by default.

Turn off MIME processing while receiving mail. This means that no
special treatment is given to Content-Type: message headers, and that
all text after the initial message headers is considered to be part of
the message body.

This feature is available in Postfix 2.0 and later.

MIME input processing is enabled by default, and is needed in order to
recognize MIME headers in message content.

Disable the conversion of 8BITMIME format to 7BIT format. MIME output
conversion is needed when the destination does not advertise 8BITMIME
support.

This feature is available in Postfix 2.0 and later.

Disable sending one bounce report per recipient.

The default, one per recipient, is what ezmlm needs.

This feature is available in Postfix 1.1 and later.

Disable the SMTP VRFY command. This stops some techniques used to
harvest email addresses.

Example:

disable_vrfy_command = no

Enable a workaround for future libc incompatibility. The Postfix
implementation of RFC 2308 negative reply caching relies on the promise
that res_query() and res_search() invoke res_send(), which returns the
server response in an application buffer even if the requested record
does not exist. If this promise is broken, specify "yes" to enable a
workaround for DNS reputation lookups.

This feature is available in Postfix 3.1 and later.

A debugging aid to artificially delay DNS responses.

This feature is available in Postfix 2.8.

The name of the dnsblog(8) service entry in master.cf. This service
performs DNS white/blacklist lookups.

This feature is available in Postfix 2.8 and later.

The DNS query type (default: "ns") and DNS query name (default: ".")
that Postfix may use to determine whether DNSSEC validation is
available.

Background: DNSSEC validation is needed for Postfix DANE support; this
ensures that Postfix receives TLSA records with secure TLS server
certificate info. When DNSSEC validation is unavailable, mail deliveries
using opportunistic DANE will not be protected by server certificate
info in TLSA records, and mail deliveries using mandatory DANE will not
be made at all.

By default, a Postfix process will send a DNSSEC probe after 1) the
process made a DNS query that requested DNSSEC validation, 2) the
process did not receive a DNSSEC validated response to this query or to
an earlier query, and 3) the process did not already send a DNSSEC
probe.

When the DNSSEC probe has no response, or when the response is not
DNSSEC validated, Postfix logs a warning that DNSSEC validation may be
unavailable.

Example:

warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure

Possible reasons why DNSSEC validation may be unavailable:

· The local /etc/resolv.conf file specifies a DNS resolver that
does not validate DNSSEC signatures (that's
$queue_directory/etc/resolv.conf when a Postfix daemon runs in a chroot
jail).

· The local system library does not pass on the "DNSSEC validated"
bit to Postfix, or Postfix does not know how to ask the library
to do that.

By default, the DNSSEC probe asks for the DNS root zone NS records,
because resolvers should always have that information cached. If
Postfix runs on a network where the DNS root zone is not reachable,
specify a different probe, or specify an empty dnssec_probe value to
disable the feature.

This feature was backported from Postfix 3.6 to Postfix versions 3.5.9,
3.4.19, 3.3.16, 3.2.21.

Don't remove queue files and save them to the "saved" mail queue. This
is a debugging aid. To inspect the envelope information and content of
a Postfix queue file, use the postcat(1) command.

The sender address of postmaster notifications that are generated by
the mail system. All mail to this address is silently discarded, in
order to terminate mail bounce loops.

The maximal number of addresses remembered by the address duplicate
filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
queue displays.

The sender_dependent_default_transport_maps search string that will be
used instead of the null sender address.

This feature is available in Postfix 2.7 and later.

The recipient of mail addressed to the null address. Postfix does not
accept such addresses in SMTP commands, but they may still be created
locally as the result of configuration or software error.

The sender_dependent_relayhost_maps search string that will be used
instead of the null sender address.

This feature is available in Postfix 2.5 and later. With earlier
versions, sender_dependent_relayhost_maps lookups were skipped for the
null sender address.

Report mail delivery errors to the address specified with the
non-standard Errors-To: message header, instead of the envelope sender
address (this feature is removed with Postfix version 2.2, is turned off
by default with Postfix version 2.1, and is always turned on with older
Postfix versions).

Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when
converting UTF-8 domain names to/from the ASCII form that is used for
DNS lookups. Specify "yes" for compatibility with Postfix <= 3.1 (not
recommended). This affects the conversion of domain names that contain
for example the German sz and the Greek zeta. See
http://unicode.org/cldr/utility/idna.jsp for more examples.

This feature is available in Postfix 3.2 and later.

Enable long, non-repeating, queue IDs (queue file names). The benefit
of non-repeating names is simpler logfile analysis and easier queue
migration (there is no need to run "postsuper" to change queue file
names that don't match their message file inode number).

Note: see below for how to convert long queue file names to Postfix <=
2.8.

Changing the parameter value to "yes" has the following effects:

· Existing queue file names are not affected.

· New queue files are created with names such as 3Pt2mN2VXxznjll.
These are encoded in a 52-character alphabet that contains
digits (0-9), upper-case letters (B-Z) and lower-case letters
(b-z). For safety reasons the vowels (AEIOUaeiou) are excluded
from the alphabet. The name format is: 6 or more characters for
the time in seconds, 4 characters for the time in microseconds,
the 'z'; the remainder is the file inode number encoded in the
first 51 characters of the 52-character alphabet.

· New messages have a Message-ID header with queueID@myhostname.

· The mailq (postqueue -p) output has a wider Queue ID column.
The number of whitespace-separated fields is not changed.

· The hash_queue_depth algorithm uses the first characters of the
queue file creation time in microseconds, after conversion into
hexadecimal representation. This produces the same queue hashing
behavior as if the queue file name was created with
"enable_long_queue_ids = no".

Changing the parameter value to "no" has the following effects:

· Existing long queue file names are renamed to the short form
(while running "postfix reload" or "postsuper").

· New queue files are created with names such as C3CD21F3E90 from
a hexadecimal alphabet that contains digits (0-9) and upper-case
letters (A-F). The name format is: 5 characters for the time in
microseconds; the remainder is the file inode number.

· New messages have a Message-ID header with
YYYYMMDDHHMMSS.queueid@myhostname, where YYYYMMDDHHMMSS are the
year, month, day, hour, minute and second.

· The mailq (postqueue -p) output has the same format as with
Postfix <= 2.8.

· The hash_queue_depth algorithm uses the first characters of the
queue file name, with the hexadecimal representation of the file
creation time in microseconds.

Before migration to Postfix <= 2.8, the following commands are required
to convert long queue file names into short names:

# postfix stop
# postconf enable_long_queue_ids=no
# postsuper

Repeat the postsuper command until it reports no more queue file name
changes.

This feature is available in Postfix 2.9 and later.

Enable support for the original recipient address after an address is
rewritten to a different address (for example with aliasing or with
canonical mapping).

The original recipient address is used as follows:

Final delivery
With "enable_original_recipient = yes", the original recipient
address is stored in the X-Original-To message header. This
header may be used to distinguish between different recipients
that share the same mailbox.

Recipient deduplication
With "enable_original_recipient = yes", the cleanup(8) daemon
performs duplicate recipient elimination based on the content of
(original recipient, maybe-rewritten recipient) pairs.
Otherwise, the cleanup(8) daemon performs duplicate recipient
elimination based only on the maybe-rewritten recipient address.

Note: with Postfix <= 3.2 the setting "enable_original_recipient = no"
breaks address verification for addresses that are aliased or otherwise
rewritten (Postfix is unable to store the address verification result
under the original probe destination address; instead, it can store the
result only under the rewritten address).

This feature is available in Postfix 2.1 and later. Postfix version 2.0
behaves as if this parameter is always set to yes. Postfix versions
before 2.0 have no support for the original recipient address.

The recipient of postmaster notifications about mail delivery problems
that are caused by policy, resource, software or protocol errors.
These notifications are enabled with the notify_classes parameter.

The name of the error(8) pseudo delivery agent. This service always
returns mail as undeliverable.

This feature is available in Postfix 2.0 and later.

Restrict the characters that the local(8) delivery agent allows in
$name expansions of $command_execution_directory. Characters outside
the allowed set are replaced by underscores.

This feature is available in Postfix 2.2 and later.

When delivering to an alias "aliasname" that has an "owner-aliasname"
companion alias, set the envelope sender address to the expansion of
the "owner-aliasname" alias. Normally, Postfix sets the envelope
sender address to the name of the "owner-aliasname" alias.

The list of environment variables that a Postfix process will export to
non-Postfix processes. The TZ variable is needed for sane time keeping
on System-V-ish systems.

Specify a list of names and/or name=value pairs, separated by
whitespace or comma. Specify "{ name=value }" to protect whitespace or
comma in parameter values (whitespace after the opening "{" and before
the closing "}" is ignored). The form name=value is supported with
Postfix version 2.1 and later; the use of {} is supported with Postfix
3.0 and later.

Example:

export_environment = TZ PATH=/bin:/usr/bin

The maximal number of recipient addresses that Postfix will extract
from message headers when mail is submitted with "sendmail -t".

This feature was removed in Postfix version 2.1.

Optional list of relay hosts for SMTP destinations that can't be found
or that are unreachable. With Postfix 2.3 this parameter is renamed to
smtp_fallback_relay.

By default, mail is returned to the sender when a destination is not
found, and delivery is deferred when a destination is unreachable.

The fallback relays must be SMTP destinations. Specify a domain, host,
host:port, [host]:port, [address] or [address]:port; the form [host]
turns off MX lookups. If you specify multiple SMTP destinations,
Postfix will try them in the specified order.

Note: before Postfix 2.2, do not use the fallback_relay feature when
relaying mail for a backup or primary MX domain. Mail would loop
between the Postfix MX host and the fallback_relay host when the final
destination is unavailable.

· In main.cf specify "relay_transport = relay",

· In master.cf specify "-o fallback_relay =" (i.e., empty) at the
end of the relay entry.

· In transport maps, specify "relay:nexthop..." as the right-hand
side for backup or primary MX domain entries.

Postfix version 2.2 and later will not use the fallback_relay feature
for destinations that it is MX host for.

Optional message delivery transport that the local(8) delivery agent
should use for names that are not found in the aliases(5) or UNIX
password database.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and
luser_relay.

Optional lookup tables with per-recipient message delivery transports
for recipients that the local(8) delivery agent could not find in the
aliases(5) or UNIX password database.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and
luser_relay.

For safety reasons, this feature does not allow $number substitutions
in regular expression maps.

This feature is available in Postfix 2.3 and later.

Optional list of destinations that are eligible for per-destination
logfiles with mail that is queued to those destinations.

By default, Postfix maintains "fast flush" logfiles only for
destinations that the Postfix SMTP server is willing to relay to (i.e.
the default is: "fast_flush_domains = $relay_domains"; see the
relay_domains parameter in the postconf(5) manual).

Specify a list of hosts or domains, "/file/name" patterns or
"type:table" lookup tables, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace. A
"/file/name" pattern is replaced by its contents; a "type:table" lookup
table is matched when the domain or its parent domain appears as lookup
key.

Pattern matching of domain names is controlled by the presence or
absence of "fast_flush_domains" in the parent_domain_matches_subdomains
parameter value.

Specify "fast_flush_domains =" (i.e., empty) to disable the feature
altogether.

The time after which an empty per-destination "fast flush" logfile is
deleted.

You can specify the time as a number, or as a number followed by a
letter that indicates the time unit: s=seconds, m=minutes, h=hours,
d=days, w=weeks. The default time unit is days.

The time after which a non-empty but unread per-destination "fast
flush" logfile needs to be refreshed. The contents of a logfile are
refreshed by requesting delivery of all messages listed in the logfile.

You can specify the time as a number, or as a number followed by a
letter that indicates the time unit: s=seconds, m=minutes, h=hours,
d=days, w=weeks. The default time unit is hours.

Force specific internal tests to fail, to test the handling of errors
that are difficult to reproduce otherwise.

The name of the flush(8) service. This service maintains
per-destination logfiles with the queue file names of mail that is
queued for those destinations.

This feature is available in Postfix 2.0 and later.

The maximal number of attempts to fork() a child process.

The delay between attempts to fork() a child process.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Restrict the characters that the local(8) delivery agent allows in
$name expansions of $forward_path. Characters outside the allowed set
are replaced by underscores.

The local(8) delivery agent search list for finding a .forward file
with user-specified delivery methods. The first file that is found is
used.

The forward_path value is not subject to Postfix configuration
parameter $name expansion. Instead, the following $name expansions are
done on forward_path before the search actually happens. The result of
$name expansion is filtered with the character set that is specified
with the forward_expansion_filter parameter.

$user The recipient's username.

$shell The recipient's login shell pathname.

$home The recipient's home directory.

$recipient
The full recipient address.

$extension
The optional recipient address extension.

$domain
The recipient domain.

$local The entire recipient localpart.

$recipient_delimiter
The address extension delimiter that was found in the recipient
address (Postfix 2.11 and later), or the system-wide recipient
address extension delimiter (Postfix 2.10 and earlier).

${name?value}
Expands to value when $name is non-empty.

${name:value}
Expands to value when $name is empty.

Instead of $name you can also specify ${name} or $(name).

Examples:

forward_path = /var/forward/$user
forward_path =
/var/forward/$user/.forward$recipient_delimiter$extension,
/var/forward/$user/.forward

Update the local(8) delivery agent's idea of the Delivered-To: address
(see prepend_delivered_header) only once, at the start of a delivery
attempt; do not update the Delivered-To: address while expanding
aliases or .forward files.

This feature is available in Postfix 2.3 and later. With older Postfix
releases, the behavior is as if this parameter is set to "no". The old
setting can be expensive with deeply nested aliases or .forward files.
When an alias or .forward file changes the Delivered-To: address, it
ties up one queue file and one cleanup process instance while mail is
being forwarded.

The number of subdirectory levels for queue directories listed with the
hash_queue_names parameter. Queue hashing is implemented by creating
one or more levels of directories with one-character names.
Originally, these directory names were equal to the first characters of
the queue file name, with the hexadecimal representation of the file
creation time in microseconds.

With long queue file names, queue hashing produces the same results as
with short names. The file creation time in microseconds is converted
into hexadecimal form before the result is used for queue hashing. The
base 16 encoding gives finer control over the number of subdirectories
than is possible with the base 52 encoding of long queue file names.

After changing the hash_queue_names or hash_queue_depth parameter,
execute the command "postfix reload".

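Added example, not Postfix code, that decodes and re-encodes the long and short queue ID formats described under enable_long_queue_ids above and computes the hash_queue_depth subdirectory for either form, showing why both name styles hash into the same directories. The most-significant-digit-first ordering inside each field is an assumption, checked only against the page's sample name 3Pt2mN2VXxznjll, which decodes to a 2011 timestamp and a plausible inode number.

```python
from typing import Tuple

# 52-character alphabet described for long queue IDs: digits, upper- and
# lower-case letters with the vowels AEIOUaeiou removed.
LONG_ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
INODE_ALPHABET = LONG_ALPHABET[:51]   # first 51 characters: 'z' is reserved
INODE_SEPARATOR = "z"
LONG_SEC_CHARS = 6                    # "6 or more" characters of seconds
LONG_USEC_CHARS = 4
SHORT_USEC_HEX_CHARS = 5              # short names: 5 hex digits of microseconds


def _decode(text: str, alphabet: str) -> int:
    # Most-significant digit first: an assumption of this example.
    value = 0
    for ch in text:
        idx = alphabet.find(ch)
        if idx < 0:
            raise ValueError("character %r not in alphabet" % ch)
        value = value * len(alphabet) + idx
    return value


def _encode(value: int, alphabet: str, width: int) -> str:
    digits = []
    while value:
        value, rem = divmod(value, len(alphabet))
        digits.append(alphabet[rem])
    while len(digits) < width:
        digits.append(alphabet[0])
    return "".join(reversed(digits))


def is_long_queue_id(queue_id: str) -> bool:
    # Short IDs are upper-case hex and never contain 'z'; long IDs always do.
    return INODE_SEPARATOR in queue_id


def parse_long_queue_id(queue_id: str) -> Tuple[int, int, int]:
    """Return (seconds, microseconds, inode) from a long queue ID."""
    # The inode part is base 51 and cannot contain 'z', so the last 'z' is
    # the separator even if a 'z' occurs inside the base-52 time part.
    sep = queue_id.rfind(INODE_SEPARATOR)
    if sep < LONG_SEC_CHARS + LONG_USEC_CHARS or sep == len(queue_id) - 1:
        raise ValueError("malformed long queue ID %r" % queue_id)
    sec = _decode(queue_id[:sep - LONG_USEC_CHARS], LONG_ALPHABET)
    usec = _decode(queue_id[sep - LONG_USEC_CHARS:sep], LONG_ALPHABET)
    if usec >= 1_000_000:
        raise ValueError("microseconds out of range in %r" % queue_id)
    inode = _decode(queue_id[sep + 1:], INODE_ALPHABET)
    return sec, usec, inode


def make_long_queue_id(sec: int, usec: int, inode: int) -> str:
    return (_encode(sec, LONG_ALPHABET, LONG_SEC_CHARS)
            + _encode(usec, LONG_ALPHABET, LONG_USEC_CHARS)
            + INODE_SEPARATOR + _encode(inode, INODE_ALPHABET, 1))


def parse_short_queue_id(queue_id: str) -> Tuple[int, int]:
    """Return (microseconds, inode) from a short (hexadecimal) queue ID."""
    if len(queue_id) <= SHORT_USEC_HEX_CHARS:
        raise ValueError("malformed short queue ID %r" % queue_id)
    return (int(queue_id[:SHORT_USEC_HEX_CHARS], 16),
            int(queue_id[SHORT_USEC_HEX_CHARS:], 16))


def hash_queue_dir(queue_id: str, depth: int) -> str:
    """Subdirectory path that hash_queue_depth=depth selects for queue_id.

    Short names hash on their leading hex characters; long names hash on the
    microseconds converted to the same 5-digit hex form, so both name styles
    end up in the same directories.
    """
    if not 0 <= depth <= SHORT_USEC_HEX_CHARS:
        raise ValueError("depth must be 0..%d" % SHORT_USEC_HEX_CHARS)
    if is_long_queue_id(queue_id):
        key = "%05X" % parse_long_queue_id(queue_id)[1]
    else:
        parse_short_queue_id(queue_id)            # validates the hex form
        key = queue_id
    return "/".join(key[:depth])


if __name__ == "__main__":
    for qid in ("3Pt2mN2VXxznjll", "C3CD21F3E90"):   # both names from the page
        print(qid, "->", hash_queue_dir(qid, 2))
```
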
2238 The names of queue directories that are split across multiple subdirec‐
2239 tory levels.
2240
2241 Before Postfix version 2.2, the default list of hashed queues was sig‐
2242 nificantly larger. Claims about improvements in file system technology
2243 suggest that hashing of the incoming and active queues is no longer
2244 needed. Fewer hashed directories speed up the time needed to restart
2245 Postfix.
2246
2247 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2248 cute the command "postfix reload".
2249
2251 The maximal number of address tokens are allowed in an address message
2252 header. Information that exceeds the limit is discarded. The limit is
2253 enforced by the cleanup(8) server.
2254
2256 Optional lookup tables for content inspection of primary non-MIME mes‐
2257 sage headers, as specified in the header_checks(5) manual page.
2258
2260 The format of the Postfix-generated From: header. This setting affects
2261 the appearance of 'full name' information when a local program such as
2262 /bin/mail submits a message without From: header through the Postfix
2263 sendmail(1) command.
2264
2265 Specify one of the following:
2266
2267 standard (default)
2268 Produce a header formatted as "From: name <address>". This is
2269 the default as of Postfix 3.3.
2270
2271 obsolete
2272 Produce a header formatted as "From: address (name)". This is
2273 the behavior prior to Postfix 3.3.
2274
2275 Notes:
2276
2277 · Postfix generates the format "From: address" when name informa‐
2278 tion is unavailable or the envelope sender address is empty.
2279 This is the same behavior as prior to Postfix 3.3.
2280
2281 · In the standard form, the name will be quoted if it contains
2282 specials as defined in RFC 5322, or the "!%" address operators.
2283
2284 · The Postfix sendmail(1) command gets name information from the
2285 -F command-line option, from the NAME environment variable, or
2286 from the UNIX password file.
2287
2288 This feature is available in Postfix 3.3 and later.
2289
2291 The maximal amount of memory in bytes for storing a message header. If
2292 a header is larger, the excess is discarded. The limit is enforced by
2293 the cleanup(8) server.
2294
2296 Log warnings about problematic configuration settings, and provide
2297 helpful suggestions.
2298
2299 This feature is available in Postfix 2.0 and later.
2300
2302 Optional pathname of a mailbox file relative to a local(8) user's home
2303 directory.
2304
2305 Specify a pathname ending in "/" for qmail-style delivery.
2306
2307 The precedence of local(8) delivery features from high to low is:
2308 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2309 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2310 tory, fallback_transport_maps, fallback_transport and luser_relay.
2311
2312 Examples:
2313
2314 home_mailbox = Mailbox
2315 home_mailbox = Maildir/
2316
2318 The maximal number of Received: message headers that is allowed in the
2319 primary message headers. A message that exceeds the limit is bounced,
2320 in order to stop a mailer loop.
2321
2323 The location of Postfix HTML files that describe how to build, config‐
2324 ure or operate a specific Postfix subsystem or feature.
2325
2327 Ignore DNS MX lookups that produce no response. By default, the Post‐
2328 fix SMTP client defers delivery and tries again after some delay. This
2329 behavior is required by the SMTP standard.
2330
2331 Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup
2332 instead. This violates the SMTP standard and can result in mis-delivery
2333 of mail.
2334
2336 The list of environment parameters that a privileged Postfix process
2337 will import from a non-Postfix parent process, or name=value environ‐
2338 ment overrides. Unprivileged utilities will enforce the name=value
2339 overrides, but otherwise will not change their process environment.
2340 Examples of relevant parameters:
2341
2342 TZ May be needed for sane time keeping on most System-V-ish sys‐
2343 tems.
2344
2345 DISPLAY
2346 Needed for debugging Postfix daemons with an X-windows debugger.
2347
2348 XAUTHORITY
2349 Needed for debugging Postfix daemons with an X-windows debugger.
2350
2351 MAIL_CONFIG
2352 Needed to make "postfix -c" work.
2353
Specify a list of names and/or name=value pairs, separated by whitespace
or comma. Specify "{ name=value }" to protect whitespace or comma in
parameter values (whitespace after the opening "{" and before the closing
"}" is ignored). The form name=value is supported with Postfix version 2.1
and later; the use of {} is supported with Postfix 3.0 and later.
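
As an added example (not part of postconf(5) or the Postfix code base), the
following Python parses an import_environment value using the "{ name=value }"
form described above and applies the privileged/unprivileged rule to a parent
environment. The value and parent environment are constructed; EXAMPLE_PATH
and OTHER_VAR are made-up variable names.

```python
from __future__ import annotations

from dataclasses import dataclass, field


def split_postfix_list(value: str) -> list[str]:
    """Split a main.cf list value into its elements.

    Elements are separated by whitespace or commas. "{ ... }" protects
    whitespace and commas inside one element; the whitespace just inside
    the braces is dropped, as postconf(5) describes.
    """
    items: list[str] = []
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        if ch in " \t,":
            i += 1
            continue
        if ch == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                if value[j] == "{":
                    depth += 1
                elif value[j] == "}":
                    depth -= 1
                j += 1
            if depth:
                raise ValueError(f"unbalanced '{{' in {value!r}")
            items.append(value[i + 1:j - 1].strip())
            i = j
        else:
            j = i
            while j < n and value[j] not in " \t,":
                j += 1
            items.append(value[i:j])
            i = j
    return items


@dataclass
class ImportSpec:
    names: list[str] = field(default_factory=list)           # bare names to import
    overrides: dict[str, str] = field(default_factory=dict)  # name=value overrides


def parse_import_environment(value: str) -> ImportSpec:
    """Separate an import_environment value into names and name=value overrides."""
    spec = ImportSpec()
    for item in split_postfix_list(value):
        if "=" in item:
            name, val = item.split("=", 1)
            spec.overrides[name] = val
        else:
            spec.names.append(item)
    return spec


def build_environment(parent_env: dict[str, str], spec: ImportSpec,
                      privileged: bool) -> dict[str, str]:
    """Environment a Postfix process ends up with under the rule above.

    A privileged process keeps only the listed names from its parent (an
    allow-list, so nothing else leaks in); an unprivileged utility keeps
    its parent environment as is. Both enforce the name=value overrides.
    """
    if privileged:
        env = {k: v for k, v in parent_env.items() if k in spec.names}
    else:
        env = dict(parent_env)
    env.update(spec.overrides)
    return env


# Constructed sample value; EXAMPLE_PATH is a made-up variable name.
SAMPLE_VALUE = "MAIL_CONFIG TZ, DISPLAY XAUTHORITY { EXAMPLE_PATH=/opt/a b, /opt/c }"
# Constructed parent environment; OTHER_VAR is not listed and must not be imported.
SAMPLE_PARENT_ENV = {"TZ": "UTC", "DISPLAY": ":0", "OTHER_VAR": "x"}

if __name__ == "__main__":
    spec = parse_import_environment(SAMPLE_VALUE)
    print(build_environment(SAMPLE_PARENT_ENV, spec, privileged=True))
```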
2360
2362 Time to pause before accepting a new message, when the message arrival
2363 rate exceeds the message delivery rate. This feature is turned on by
2364 default (it's disabled on SCO UNIX due to an SCO bug).
2365
With the default 100 Postfix SMTP server process limit, "in_flow_delay =
1s" limits the mail inflow to 100 messages per second above the number of
messages delivered per second.
2369
2370 Specify 0 to disable the feature. Valid delays are 0..10.
2371
2373 The network interface addresses that this mail system receives mail on.
2374 Specify "all" to receive mail on all network interfaces (default), and
2375 "loopback-only" to receive mail on loopback network interfaces only
2376 (Postfix version 2.2 and later). The parameter also controls delivery
2377 of mail to user@[ip.address].
2378
2379 Note 1: you need to stop and start Postfix when this parameter changes.
2380
2381 Note 2: address information may be enclosed inside [], but this form is
2382 not required here.
2383
2384 When inet_interfaces specifies just one IPv4 and/or IPv6 address that
2385 is not a loopback address, the Postfix SMTP client will use this
2386 address as the IP source address for outbound mail. Support for IPv6 is
2387 available in Postfix version 2.2 and later.
2388
On a multi-homed firewall with separate Postfix instances listening on
the "inside" and "outside" interfaces, this can prevent each instance
from being able to reach remote SMTP servers on the "other side" of the
firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential
problem for IPv4, and setting smtp_bind_address6 to :: solves the problem
for IPv6.
2395
A better solution for multi-homed firewalls is to leave inet_interfaces
at the default value and instead use explicit IP addresses in the
master.cf SMTP server definitions. This preserves the Postfix SMTP
client's loop detection, by ensuring that each side of the firewall
knows that the other IP address is still the same host. Setting
$inet_interfaces to a single IPv4 and/or IPv6 address is primarily useful
with virtual hosting of domains on secondary IP addresses, when each IP
address serves a different domain (and has a different $myhostname
setting).
2405
2406 See also the proxy_interfaces parameter, for network addresses that are
2407 forwarded to Postfix by way of a proxy or address translator.
2408
2409 Examples:
2410
2411 inet_interfaces = all (DEFAULT)
2412 inet_interfaces = loopback-only (Postfix version 2.2 and later)
2413 inet_interfaces = 127.0.0.1
2414 inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2415 inet_interfaces = 192.168.1.2, 127.0.0.1
2416
The Internet protocols Postfix will attempt to use when making or
accepting connections. Specify one or more of "ipv4" or "ipv6", separated
by whitespace or commas. The form "all" is equivalent to "ipv4, ipv6" or
"ipv4", depending on whether the operating system implements IPv6.
2423
With Postfix 2.8 and earlier the default is "ipv4". For backwards
compatibility with these releases, the Postfix 2.9 and later upgrade
procedure appends an explicit "inet_protocols = ipv4" setting to main.cf
when no explicit setting is present. This compatibility workaround will
be phased out as IPv6 deployment becomes more common.
2429
2430 This feature is available in Postfix 2.2 and later.
2431
2432 Note: you MUST stop and start Postfix after changing this parameter.
2433
2434 On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
2435 will also accept IPv4 connections, even when IPv4 is turned off with
2436 the inet_protocols parameter. On systems with IPV6_V6ONLY support,
2437 Postfix will use separate server sockets for IPv6 and IPv4, and each
2438 will accept only connections for the corresponding protocol.
2439
2440 When IPv4 support is enabled via the inet_protocols parameter, Postfix
2441 will look up DNS type A records, and will convert IPv4-in-IPv6 client
2442 IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
2443 The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
2444 3493).
2445
2446 When IPv6 support is enabled via the inet_protocols parameter, Postfix
2447 will do DNS type AAAA record lookups.
2448
2449 When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
2450 will choose the protocol as specified with the smtp_address_preference
2451 parameter. Postfix versions before 2.8 attempt to connect via IPv6
2452 before attempting to use IPv4.
2453
2454 Examples:
2455
2456 inet_protocols = ipv4
2457 inet_protocols = all (DEFAULT)
2458 inet_protocols = ipv6
2459 inet_protocols = ipv4, ipv6
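
As an added example (not Postfix code), this Python expands an inet_protocols
value the way the text describes and shows why the IPv4-in-IPv6 conversion
matters for address-based policy: a client that arrives as ::ffff:192.168.1.2
only matches an IPv4 network such as 192.168.1.0/24 after conversion. The
networks and client addresses are constructed sample values.

```python
import ipaddress
from typing import FrozenSet, Iterable, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_inet_protocols(value: str, os_has_ipv6: bool = True) -> FrozenSet[str]:
    """Expand an inet_protocols value into the set of enabled protocols.

    Elements are separated by whitespace or commas. "all" means
    "ipv4, ipv6" when the operating system implements IPv6, else "ipv4".
    """
    enabled = set()
    for token in value.replace(",", " ").split():
        token = token.lower()
        if token == "all":
            enabled.add("ipv4")
            if os_has_ipv6:
                enabled.add("ipv6")
        elif token in ("ipv4", "ipv6"):
            enabled.add(token)
        else:
            raise ValueError(f"bad inet_protocols element: {token!r}")
    if not enabled:
        raise ValueError("inet_protocols must name at least one protocol")
    return frozenset(enabled)


def normalize_client_address(text: str, protocols: FrozenSet[str]) -> IPAddress:
    """Return the address form used for a connecting client.

    On hosts where an IPv6 server socket also accepts IPv4 clients, those
    clients show up as IPv4-in-IPv6 (::ffff:1.2.3.4). With IPv4 enabled,
    the address is converted back to its original IPv4 form.
    """
    addr = ipaddress.ip_address(text)
    if (isinstance(addr, ipaddress.IPv6Address)
            and addr.ipv4_mapped is not None
            and "ipv4" in protocols):
        return addr.ipv4_mapped
    return addr


def client_in_networks(text: str, networks: Iterable[str],
                       protocols: FrozenSet[str]) -> bool:
    """Match a client against CIDR networks after normalization.

    Without the conversion, an IPv4 network never contains a mapped IPv6
    address, so an IPv4-keyed policy would silently not apply to such a
    client.
    """
    addr = normalize_client_address(text, protocols)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


if __name__ == "__main__":
    protos = parse_inet_protocols("all")
    print(normalize_client_address("::ffff:192.168.1.2", protos))
    print(client_in_networks("::ffff:192.168.1.2", ["192.168.1.0/24"], protos))
```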
2460
2462 The email address form that will be used in non-debug logging (info,
2463 warning, etc.). As of Postfix 3.5 when an address localpart contains
2464 spaces or other special characters, the localpart will be quoted, for
2465 example:
2466
2467 from=<"name with spaces"@example.com>
2468
2469 Older Postfix versions would log the internal (unquoted) form:
2470
2471 from=<name with spaces@example.com>
2472
2473 The external and internal forms are identical for the vast majority of
2474 email addresses that contain no spaces or other special characters in
2475 the localpart.
2476
2477 The logging in external form is consistent with the address form that
2478 Postfix 3.2 and later prefer for most table lookups. This is therefore
2479 the more useful form for non-debug logging.
2480
Specify "info_log_address_format = internal" for backwards compatibility.
2483
2484 Postfix uses the unquoted form internally, because an attacker can
2485 specify an email address in different forms by playing games with
2486 quotes and backslashes. An attacker should not be able to use such
2487 games to circumvent Postfix access policies.
2488
2489 This feature is available in Postfix 3.5 and later.
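
As an added example (not Postfix's own address parser; a simplified RFC 5321
quoting routine), this Python converts between the external (quoted) form
used for logging and the internal (unquoted) form, and shows that several
spellings of the same sender address collapse to one internal form, so an
access-table entry keyed on that form applies to all of them. The access
table and the spellings are constructed.

```python
# Characters RFC 5321 allows unquoted in a local part (atext); "." joins atoms.
ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&'*+-/=?^_`{|}~")


def split_address(addr: str) -> tuple:
    """Split an external-form address at the last '@' that is neither
    inside a quoted string nor escaped by a backslash."""
    in_quote, at, i = False, -1, 0
    while i < len(addr):
        ch = addr[i]
        if ch == "\\":
            i += 2                      # quoted-pair: skip the escaped char
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "@" and not in_quote:
            at = i
        i += 1
    if at < 0:
        return addr, ""
    return addr[:at], addr[at + 1:]


def unquote_localpart(local: str) -> str:
    """External form -> internal form: drop quotes, resolve backslash escapes."""
    out, i = [], 0
    while i < len(local):
        ch = local[i]
        if ch == "\\" and i + 1 < len(local):
            out.append(local[i + 1])
            i += 2
        elif ch == '"':
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def quote_localpart(local: str) -> str:
    """Internal form -> external form: quote only when the dot-atom form is not valid."""
    is_dot_atom = (bool(local) and all(c in ATEXT or c == "." for c in local)
                   and not local.startswith(".") and not local.endswith(".")
                   and ".." not in local)
    if is_dot_atom:
        return local
    return '"' + local.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_internal(addr: str) -> str:
    local, domain = split_address(addr)
    local = unquote_localpart(local)
    return f"{local}@{domain}" if domain else local


def to_external(addr: str) -> str:
    # Internal form has no quoting, so the last '@' separates the domain.
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return quote_localpart(addr)
    return f"{quote_localpart(local)}@{domain}"


def access_decision(addr: str, table: dict) -> str:
    """Look up an access table keyed on internal-form addresses: every
    external spelling of an address maps to one key, so the entry applies
    no matter how the sender wrote it."""
    return table.get(to_internal(addr), "DUNNO")


# Constructed access table, keyed on the internal (unquoted) form.
SAMPLE_ACCESS = {"blocked user@example.com": "REJECT"}

# Constructed spellings of the same sender address, as a client might send them.
SAMPLE_SPELLINGS = [
    '"blocked user"@example.com',
    'blocked\\ user@example.com',
    '"blocked\\ user"@example.com',
]

if __name__ == "__main__":
    for spelling in SAMPLE_SPELLINGS:
        print(f"{spelling} -> internal {to_internal(spelling)!r}: "
              f"{access_decision(spelling, SAMPLE_ACCESS)}")
```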
2490
The initial per-destination concurrency level for parallel delivery to
the same destination. With per-destination recipient limit > 1, a
destination is a domain, otherwise it is a recipient.
2495
Use transport_initial_destination_concurrency to specify a
transport-specific override, where transport is the master.cf name of the
message delivery transport (Postfix 2.5 and later).
2499
2500 Warning: with concurrency of 1, one bad message can be enough to block
2501 all mail to a site.
2502
2504 What categories of Postfix-generated mail are subject to before-queue
2505 content inspection by non_smtpd_milters, header_checks and body_checks.
2506 Specify zero or more of the following, separated by whitespace or
2507 comma.
2508
2509 bounce Inspect the content of delivery status notifications.
2510
2511 notify Inspect the content of postmaster notifications by the smtp(8)
2512 and smtpd(8) processes.
2513
NOTE: It's generally not safe to enable content inspection of
Postfix-generated email messages. The user is warned.
2516
2517 This feature is available in Postfix 2.3 and later.
2518
2520 The numerical Postfix SMTP server response code when the client HELO or
2521 EHLO command parameter is rejected by the reject_invalid_helo_hostname
2522 restriction.
2523
2524 Do not change this unless you have a complete understanding of RFC
2525 5321.
2526
2528 The time after which a client closes an idle internal communication
2529 channel. The purpose is to allow Postfix daemon processes to terminate
2530 voluntarily after they become idle. This is used, for example, by the
2531 Postfix address resolving and rewriting clients.
2532
2533 With Postfix 2.4 the default value was reduced from 100s to 5s.
2534
2535 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2536 The default time unit is s (seconds).
2537
The time limit for sending or receiving information over an internal
communication channel. The purpose is to break out of deadlock
situations. If the time limit is exceeded the software aborts with a
fatal error.
2543
2544 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2545 The default time unit is s (seconds).
2546
The time after which a client closes an active internal communication
channel. The purpose is to allow Postfix daemon processes to terminate
voluntarily after reaching their client limit. This is used, for
example, by the Postfix address resolving and rewriting clients.
2552
2553 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2554 The default time unit is s (seconds).
2555
2556 This feature is available in Postfix 2.1 and later.
2557
2559 Upon input, long lines are chopped up into pieces of at most this
2560 length; upon delivery, long lines are reconstructed.
2561
2563 The initial OpenLDAP LMDB database size limit in bytes. Each time a
2564 database becomes full, its size limit is doubled.
2565
2566 This feature is available in Postfix 2.11 and later.
2567
2569 The LMTP-specific version of the smtp_address_preference configuration
2570 parameter. See there for details.
2571
2572 This feature is available in Postfix 2.8 and later.
2573
2575 The LMTP-specific version of the smtp_address_verify_target configura‐
2576 tion parameter. See there for details.
2577
2578 This feature is available in Postfix 3.0 and later.
2579
2581 When a remote LMTP server announces no DSN support, assume that the
2582 server performs final delivery, and send "delivered" delivery status
2583 notifications instead of "relayed". The default setting is backwards
2584 compatible to avoid the infinitesimal possibility of breaking existing
2585 LMTP-based content filters.
2586
2588 The LMTP-specific version of the smtp_balance_inet_protocols configura‐
2589 tion parameter. See there for details.
2590
2591 This feature is available in Postfix 3.3 and later.
2592
2594 The LMTP-specific version of the smtp_bind_address configuration param‐
2595 eter. See there for details.
2596
2597 This feature is available in Postfix 2.3 and later.
2598
2600 The LMTP-specific version of the smtp_bind_address6 configuration
2601 parameter. See there for details.
2602
2603 This feature is available in Postfix 2.3 and later.
2604
2606 The LMTP-specific version of the smtp_body_checks configuration parame‐
2607 ter. See there for details.
2608
2609 This feature is available in Postfix 2.5 and later.
2610
2612 Keep Postfix LMTP client connections open for up to $max_idle seconds.
2613 When the LMTP client receives a request for the same connection the
2614 connection is reused.
2615
This parameter is available in Postfix version 2.2 and earlier. With
Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
lmtp_connection_cache_destinations, or lmtp_connection_reuse_time_limit.
2620
The effectiveness of cached connections will be determined by the
number of remote LMTP servers in use, and the concurrency limit specified
for the Postfix LMTP client. Cached connections are closed under any of
the following conditions:
2625
2626 · The Postfix LMTP client idle time limit is reached. This limit
2627 is specified with the Postfix max_idle configuration parameter.
2628
2629 · A delivery request specifies a different destination than the
2630 one currently cached.
2631
· The per-process limit on the number of delivery requests is
reached. This limit is specified with the Postfix max_use
configuration parameter.
2635
2636 · Upon the onset of another delivery request, the remote LMTP
2637 server associated with the current session does not respond to
2638 the RSET command.
2639
Most of these limitations have been addressed by the Postfix connection
cache that is shared among multiple LMTP client programs.
2642
The LMTP-specific version of the smtp_cname_overrides_servername
configuration parameter. See there for details.
2646
2647 This feature is available in Postfix 2.3 and later.
2648
The Postfix LMTP client time limit for completing a TCP connection, or
zero (use the operating system built-in time limit). When no connection
can be made within the deadline, the LMTP client tries the next address
on the mail exchanger list.
2654
2655 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2656 The default time unit is s (seconds).
2657
2658 Example:
2659
2660 lmtp_connect_timeout = 30s
2661
2663 The LMTP-specific version of the smtp_connection_cache_destinations
2664 configuration parameter. See there for details.
2665
2666 This feature is available in Postfix 2.3 and later.
2667
The LMTP-specific version of the smtp_connection_cache_on_demand
configuration parameter. See there for details.
2671
2672 This feature is available in Postfix 2.3 and later.
2673
The LMTP-specific version of the smtp_connection_cache_time_limit
configuration parameter. See there for details.
2677
2678 This feature is available in Postfix 2.3 and later.
2679
The LMTP-specific version of the smtp_connection_reuse_count_limit
configuration parameter. See there for details.
2683
2684 This feature is available in Postfix 2.11 and later.
2685
The LMTP-specific version of the smtp_connection_reuse_time_limit
configuration parameter. See there for details.
2689
2690 This feature is available in Postfix 2.3 and later.
2691
2693 The Postfix LMTP client time limit for sending the LMTP ".", and for
2694 receiving the remote LMTP server response. When no response is
2695 received within the deadline, a warning is logged that the mail may be
2696 delivered multiple times.
2697
2698 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2699 The default time unit is s (seconds).
2700
2702 The Postfix LMTP client time limit for sending the LMTP DATA command,
2703 and for receiving the remote LMTP server response.
2704
2705 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2706 The default time unit is s (seconds).
2707
The Postfix LMTP client time limit for sending the LMTP message content.
When the connection stalls for more than $lmtp_data_xfer_timeout the LMTP
client terminates the transfer.
2712
2713 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2714 The default time unit is s (seconds).
2715
The LMTP-specific version of the smtp_defer_if_no_mx_address_found
configuration parameter. See there for details.
2719
2720 This feature is available in Postfix 2.3 and later.
2721
The LMTP-specific version of the smtp_delivery_status_filter
configuration parameter. See there for details.
2725
2726 This feature is available in Postfix 3.0 and later.
2727
2730 The maximal number of parallel deliveries to the same destination via
2731 the lmtp message delivery transport. This limit is enforced by the
2732 queue manager. The message delivery transport name is the first field
2733 in the entry in the master.cf file.
2734
2737 The maximal number of recipients per message for the lmtp message
2738 delivery transport. This limit is enforced by the queue manager. The
2739 message delivery transport name is the first field in the entry in the
2740 master.cf file.
2741
Setting this parameter to a value of 1 changes the meaning of
lmtp_destination_concurrency_limit from concurrency per domain into
concurrency per recipient.
2745
Lookup tables, indexed by the remote LMTP server address, with case
insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
that the Postfix LMTP client will ignore in the LHLO response from a
remote LMTP server. See lmtp_discard_lhlo_keywords for details. The table
is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps.
2753
2754 This feature is available in Postfix 2.3 and later.
2755
2757 A case insensitive list of LHLO keywords (pipelining, starttls, auth,
2758 etc.) that the Postfix LMTP client will ignore in the LHLO response
2759 from a remote LMTP server.
2760
2761 This feature is available in Postfix 2.3 and later.
2762
2763 Notes:
2764
2765 · Specify the silent-discard pseudo keyword to prevent this action
2766 from being logged.
2767
· Use the lmtp_discard_lhlo_keyword_address_maps feature to discard
LHLO keywords selectively.
2770
2772 Optional filter for Postfix LMTP client DNS lookup results. See
2773 smtp_dns_reply_filter for details including an example.
2774
2775 This feature is available in Postfix 3.0 and later.
2776
The LMTP-specific version of the smtp_dns_resolver_options
configuration parameter. See there for details.
2780
2781 This feature is available in Postfix 2.8 and later.
2782
2784 The LMTP-specific version of the smtp_dns_support_level configuration
2785 parameter. See there for details.
2786
2787 This feature is available in Postfix 2.11 and later.
2788
The LMTP-specific version of the smtp_enforce_tls configuration
parameter. See there for details.
2792
2793 This feature is available in Postfix 2.3 and later.
2794
Optional list of relay hosts for LMTP destinations that can't be found
or that are unreachable. In main.cf elements are separated by whitespace
or commas.
2799
2800 By default, mail is returned to the sender when a destination is not
2801 found, and delivery is deferred when a destination is unreachable.
2802
The fallback relays must be TCP destinations, specified without a
leading "inet:" prefix. Specify a host or host:port. Since MX lookups do
not apply with LMTP, there is no need to use the "[host]" or
"[host]:port" forms. If you specify multiple LMTP destinations, Postfix
will try them in the specified order.
2808
2809 This feature is available in Postfix 3.1 and later.
2810
The LMTP-specific version of the smtp_generic_maps configuration
parameter. See there for details.
2814
2815 This feature is available in Postfix 2.3 and later.
2816
2818 The LMTP-specific version of the smtp_header_checks configuration
2819 parameter. See there for details.
2820
2821 This feature is available in Postfix 2.5 and later.
2822
The LMTP-specific version of the smtp_host_lookup configuration
parameter. See there for details.
2826
2827 This feature is available in Postfix 2.3 and later.
2828
2830 The hostname to send in the LMTP LHLO command.
2831
2832 The default value is the machine hostname. Specify a hostname or
2833 [ip.add.re.ss].
2834
2835 This information can be specified in the main.cf file for all LMTP
2836 clients, or it can be specified in the master.cf file for a specific
2837 client, for example:
2838
2839 /etc/postfix/master.cf:
2840 mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2841
2842 This feature is available in Postfix 2.3 and later.
2843
2845 The Postfix LMTP client time limit for sending the LHLO command, and
2846 for receiving the initial remote LMTP server response.
2847
2848 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2849 The default time unit is s (seconds).
2850
2852 The LMTP-specific version of the smtp_line_length_limit configuration
2853 parameter. See there for details.
2854
2855 This feature is available in Postfix 2.3 and later.
2856
2858 The Postfix LMTP client time limit for sending the MAIL FROM command,
2859 and for receiving the remote LMTP server response.
2860
2861 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2862 The default time unit is s (seconds).
2863
2865 The LMTP-specific version of the smtp_mime_header_checks configuration
2866 parameter. See there for details.
2867
2868 This feature is available in Postfix 2.5 and later.
2869
2871 The LMTP-specific version of the smtp_mx_address_limit configuration
2872 parameter. See there for details.
2873
2874 This feature is available in Postfix 2.3 and later.
2875
2877 The LMTP-specific version of the smtp_mx_session_limit configuration
2878 parameter. See there for details.
2879
2880 This feature is available in Postfix 2.3 and later.
2881
The LMTP-specific version of the smtp_nested_header_checks
configuration parameter. See there for details.
2885
2886 This feature is available in Postfix 2.5 and later.
2887
2889 The LMTP-specific version of the smtp_per_record_deadline configuration
2890 parameter. See there for details.
2891
2892 This feature is available in Postfix 2.9 and later.
2893
The LMTP-specific version of the smtp_pix_workaround_delay_time
configuration parameter. See there for details.
2897
2898 This feature is available in Postfix 2.3 and later.
2899
2901 The LMTP-specific version of the smtp_pix_workaround_maps configuration
2902 parameter. See there for details.
2903
2904 This feature is available in Postfix 2.4 and later.
2905
2907 The LMTP-specific version of the smtp_pix_workaround_threshold_time
2908 configuration parameter. See there for details.
2909
2910 This feature is available in Postfix 2.3 and later.
2911
2913 The LMTP-specific version of the smtp_pix_workaround configuration
2914 parameter. See there for details.
2915
2916 This feature is available in Postfix 2.4 and later.
2917
2919 The Postfix LMTP client time limit for sending the QUIT command, and
2920 for receiving the remote LMTP server response.
2921
2922 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2923 The default time unit is s (seconds).
2924
The LMTP-specific version of the smtp_quote_rfc821_envelope
configuration parameter. See there for details.
2928
2929 This feature is available in Postfix 2.3 and later.
2930
2932 The LMTP-specific version of the smtp_randomize_addresses configuration
2933 parameter. See there for details.
2934
2935 This feature is available in Postfix 2.3 and later.
2936
2938 The Postfix LMTP client time limit for sending the RCPT TO command, and
2939 for receiving the remote LMTP server response.
2940
2941 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2942 The default time unit is s (seconds).
2943
The LMTP-specific version of the smtp_reply_filter configuration
parameter. See there for details.
2947
2948 This feature is available in Postfix 2.7 and later.
2949
2951 The Postfix LMTP client time limit for sending the RSET command, and
2952 for receiving the remote LMTP server response. The LMTP client sends
2953 RSET in order to finish a recipient address probe, or to verify that a
2954 cached connection is still alive.
2955
2956 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2957 The default time unit is s (seconds).
2958
The LMTP-specific version of the smtp_sasl_auth_cache_name
configuration parameter. See there for details.
2962
2963 This feature is available in Postfix 2.5 and later.
2964
The LMTP-specific version of the smtp_sasl_auth_cache_time
configuration parameter. See there for details.
2968
2969 This feature is available in Postfix 2.5 and later.
2970
2972 Enable SASL authentication in the Postfix LMTP client.
2973
The LMTP-specific version of the smtp_sasl_auth_soft_bounce
configuration parameter. See there for details.
2977
2978 This feature is available in Postfix 2.5 and later.
2979
The LMTP-specific version of the smtp_sasl_mechanism_filter
configuration parameter. See there for details.
2983
2984 This feature is available in Postfix 2.3 and later.
2985
Optional Postfix LMTP client lookup tables with one username:password
entry per host or domain. If a remote host or domain has no
username:password entry, then the Postfix LMTP client will not attempt to
authenticate to the remote host.
2991
2993 Implementation-specific information that is passed through to the SASL
2994 plug-in implementation that is selected with lmtp_sasl_type. Typically
2995 this specifies the name of a configuration file or rendezvous point.
2996
2997 This feature is available in Postfix 2.3 and later.
2998
3000 SASL security options; as of Postfix 2.3 the list of available features
3001 depends on the SASL client implementation that is selected with
3002 lmtp_sasl_type.
3003
3004 The following security features are defined for the cyrus client SASL
3005 implementation:
3006
3007 noplaintext
3008 Disallow authentication methods that use plaintext passwords.
3009
noactive
Disallow authentication methods that are vulnerable to non-dictionary
active attacks.
3013
3014 nodictionary
3015 Disallow authentication methods that are vulnerable to passive
3016 dictionary attack.
3017
3018 noanonymous
3019 Disallow anonymous logins.
3020
3021 Example:
3022
3023 lmtp_sasl_security_options = noplaintext
3024
The LMTP-specific version of the smtp_sasl_tls_security_options
configuration parameter. See there for details.
3028
3029 This feature is available in Postfix 2.3 and later.
3030
The LMTP-specific version of the smtp_sasl_tls_verified_security_options
configuration parameter. See there for details.
3035
3036 This feature is available in Postfix 2.3 and later.
3037
3039 The SASL plug-in type that the Postfix LMTP client should use for
3040 authentication. The available types are listed with the "postconf -A"
3041 command.
3042
3043 This feature is available in Postfix 2.3 and later.
3044
The LMTP-specific version of the smtp_send_dummy_mail_auth
configuration parameter. See there for details.
3048
3049 This feature is available in Postfix 2.9 and later.
3050
Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
server response announces XFORWARD support. This allows an lmtp(8)
delivery agent, used for content filter message injection, to forward
the name, address, protocol and HELO name of the original client to the
content filter and downstream queuing LMTP server. Before you change
the value to yes, it is best to make sure that your content filter
supports this command.
3059
3060 This feature is available in Postfix 2.1 and later.
3061
3063 The LMTP-specific version of the smtp_sender_dependent_authentication
3064 configuration parameter. See there for details.
3065
3066 This feature is available in Postfix 2.3 and later.
3067
3069 The LMTP-specific version of the smtp_skip_5xx_greeting configuration
3070 parameter. See there for details.
3071
3072 This feature is available in Postfix 2.3 and later.
3073
3075 Wait for the response to the LMTP QUIT command.
3076
3078 The LMTP-specific version of the smtp_starttls_timeout configuration
3079 parameter. See there for details.
3080
3081 This feature is available in Postfix 2.3 and later.
3082
3084 The default TCP port that the Postfix LMTP client connects to. Specify
3085 a symbolic name (see services(5)) or a numeric port.
3086
The LMTP-specific version of the smtp_tls_CAfile configuration
parameter. See there for details.
3090
3091 This feature is available in Postfix 2.3 and later.
3092
The LMTP-specific version of the smtp_tls_CApath configuration
parameter. See there for details.
3096
3097 This feature is available in Postfix 2.3 and later.
3098
The LMTP-specific version of the smtp_tls_block_early_mail_reply
configuration parameter. See there for details.
3102
3103 This feature is available in Postfix 2.7 and later.
3104
3106 The LMTP-specific version of the smtp_tls_cert_file configuration
3107 parameter. See there for details.
3108
3109 This feature is available in Postfix 2.3 and later.
3110
3112 The LMTP-specific version of the smtp_tls_chain_files configuration
3113 parameter. See there for details.
3114
3115 This feature is available in Postfix 3.4 and later.
3116
The LMTP-specific version of the smtp_tls_ciphers configuration
parameter. See there for details.
3120
3121 This feature is available in Postfix 2.6 and later.
3122
The LMTP-specific version of the smtp_tls_connection_reuse
configuration parameter. See there for details.
3126
3127 This feature is available in Postfix 3.4 and later.
3128
3130 The LMTP-specific version of the smtp_tls_dcert_file configuration
3131 parameter. See there for details.
3132
3133 This feature is available in Postfix 2.3 and later.
3134
3136 The LMTP-specific version of the smtp_tls_dkey_file configuration
3137 parameter. See there for details.
3138
3139 This feature is available in Postfix 2.3 and later.
3140
3142 The LMTP-specific version of the smtp_tls_eccert_file configuration
3143 parameter. See there for details.
3144
3145 This feature is available in Postfix 2.6 and later, when Postfix is
3146 compiled and linked with OpenSSL 1.0.0 or later.
3147
3149 The LMTP-specific version of the smtp_tls_eckey_file configuration
3150 parameter. See there for details.
3151
3152 This feature is available in Postfix 2.6 and later, when Postfix is
3153 compiled and linked with OpenSSL 1.0.0 or later.
3154
The LMTP-specific version of the smtp_tls_enforce_peername
configuration parameter. See there for details.
3158
3159 This feature is available in Postfix 2.3 and later.
3160
3162 The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
3163 parameter. See there for details.
3164
3165 This feature is available in Postfix 2.3 and later.
3166
The LMTP-specific version of the smtp_tls_fingerprint_cert_match
configuration parameter. See there for details.
3170
3171 This feature is available in Postfix 2.5 and later.
3172
The LMTP-specific version of the smtp_tls_fingerprint_digest
configuration parameter. See there for details.
3176
3177 This feature is available in Postfix 2.5 and later.
3178
The LMTP-specific version of the smtp_tls_force_insecure_host_tlsa_lookup
configuration parameter. See there for details.
3182
3183 This feature is available in Postfix 2.11 and later.
3184
The LMTP-specific version of the smtp_tls_key_file configuration
parameter. See there for details.
3188
3189 This feature is available in Postfix 2.3 and later.
3190
The LMTP-specific version of the smtp_tls_loglevel configuration
parameter. See there for details.
3194
3195 This feature is available in Postfix 2.3 and later.
3196
The LMTP-specific version of the smtp_tls_mandatory_ciphers
configuration parameter. See there for details.
3200
3201 This feature is available in Postfix 2.3 and later.
3202
3204 The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
3205 configuration parameter. See there for details.
3206
3207 This feature is available in Postfix 2.3 and later.
3208
The LMTP-specific version of the smtp_tls_mandatory_protocols
configuration parameter. See there for details.
3212
3213 This feature is available in Postfix 2.3 and later.
3214
The LMTP-specific version of the smtp_tls_note_starttls_offer
configuration parameter. See there for details.
3218
3219 This feature is available in Postfix 2.3 and later.
3220
The LMTP-specific version of the smtp_tls_per_site configuration
parameter. See there for details.
3224
3225 This feature is available in Postfix 2.3 and later.
3226
3228 The LMTP-specific version of the smtp_tls_policy_maps configuration
3229 parameter. See there for details.
3230
3231 This feature is available in Postfix 2.3 and later.
3232
3234 The LMTP-specific version of the smtp_tls_protocols configuration
3235 parameter. See there for details.
3236
3237 This feature is available in Postfix 2.6 and later.
3238
The LMTP-specific version of the smtp_tls_scert_verifydepth
configuration parameter. See there for details.
3242
3243 This feature is available in Postfix 2.3 and later.
3244
3246 The LMTP-specific version of the smtp_tls_secure_cert_match configura‐
3247 tion parameter. See there for details.
3248
3249 This feature is available in Postfix 2.3 and later.
3250
3252 The LMTP-specific version of the smtp_tls_security_level configuration
3253 parameter. See there for details.
3254
3255 This feature is available in Postfix 2.3 and later.
3256
3258 The LMTP-specific version of the smtp_tls_servername configuration
3259 parameter. See there for details.
3260
3261 This feature is available in Postfix 3.4 and later.
3262
3264 The LMTP-specific version of the smtp_tls_session_cache_database con‐
3265 figuration parameter. See there for details.
3266
3267 This feature is available in Postfix 2.3 and later.
3268
3270 The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
3271 uration parameter. See there for details.
3272
3273 This feature is available in Postfix 2.3 and later.
3274
3276 The LMTP-specific version of the smtp_tls_trust_anchor_file configura‐
3277 tion parameter. See there for details.
3278
3279 This feature is available in Postfix 2.11 and later.
3280
3282 The LMTP-specific version of the smtp_tls_verify_cert_match configura‐
3283 tion parameter. See there for details.
3284
3285 This feature is available in Postfix 2.3 and later.
3286
3288 The LMTP-specific version of the smtp_use_tls configuration parameter.
3289 See there for details.
3290
3291 This feature is available in Postfix 2.3 and later.
3292
3294 The Postfix LMTP client time limit for sending the XFORWARD command,
3295 and for receiving the remote LMTP server response.
3296
3297 In case of problems the client does NOT try the next address on the
3298 mail exchanger list.
3299
3300 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3301 The default time unit is s (seconds).
3302
3303 This feature is available in Postfix 2.1 and later.
3304
3306 Optional shell program for local(8) delivery to non-Postfix command.
3307 By default, non-Postfix commands are executed directly; commands are
3308 given to the default shell (typically, /bin/sh) only when they
3309 contain shell meta characters or shell built-in commands.
3310
3311 "sendmail's restricted shell" (smrsh) is what most people will use in
3312 order to restrict what programs can be run from e.g. .forward files
3313 (smrsh is part of the Sendmail distribution).
3314
3315 Note: when a shell program is specified, it is invoked even when the
3316 command contains no shell built-in commands or meta characters.
3317
3318 Example:
3319
3320 local_command_shell = /some/where/smrsh -c
3321 local_command_shell = /bin/bash -c
3322
3324 Optional filter for the local(8) delivery agent to change the status
3325 code or explanatory text of successful or unsuccessful deliveries. See
3326 default_delivery_status_filter for details.
3327
3328 This feature is available in Postfix 3.0 and later.
3329
3331 The maximal number of parallel deliveries via the local mail delivery
3332 transport to the same recipient (when "local_destination_recipi‐
3333 ent_limit = 1") or the maximal number of parallel deliveries to the
3334 same local domain (when "local_destination_recipient_limit > 1"). This
3335 limit is enforced by the queue manager. The message delivery transport
3336 name is the first field in the entry in the master.cf file.
3337
3338 A low limit of 2 is recommended, just in case someone has an expensive
3339 shell command in a .forward file or in an alias (e.g., a mailing list
3340 manager). You don't want to run lots of those at the same time.
3341
3343 The maximal number of recipients per message delivery via the local
3344 mail delivery transport. This limit is enforced by the queue manager.
3345 The message delivery transport name is the first field in the entry in
3346 the master.cf file.
3347
3348 Setting this parameter to a value > 1 changes the meaning of local_des‐
3349 tination_concurrency_limit from concurrency per recipient into concur‐
3350 rency per domain.
3351
3353 Rewrite message header addresses in mail from these clients and update
3354 incomplete addresses with the domain name in $myorigin or $mydomain;
3355 either don't rewrite message headers from other clients at all, or re‐
3356 write message headers and update incomplete addresses with the domain
3357 specified in the remote_header_rewrite_domain parameter.
3358
3359 See the append_at_myorigin and append_dot_mydomain parameters for
3360 details of how domain names are appended to incomplete addresses.
3361
3362 Specify a list of zero or more of the following:
3363
3364 permit_inet_interfaces
3365 Append the domain name in $myorigin or $mydomain when the client
3366 IP address matches $inet_interfaces. This is enabled by default.
3367
3368 permit_mynetworks
3369 Append the domain name in $myorigin or $mydomain when the client
3370 IP address matches any network or network address listed in
3371 $mynetworks. This setting will not prevent remote mail header
3372 address rewriting when mail from a remote client is forwarded by
3373 a neighboring system.
3374
3375 permit_sasl_authenticated
3376 Append the domain name in $myorigin or $mydomain when the client
3377 is successfully authenticated via the RFC 4954 (AUTH) protocol.
3378
3379 permit_tls_clientcerts
3380 Append the domain name in $myorigin or $mydomain when the remote
3381 SMTP client TLS certificate fingerprint or public key finger‐
3382 print (Postfix 2.9 and later) is listed in $relay_clientcerts.
3383 The fingerprint digest algorithm is configurable via the
3384 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
3385 to Postfix version 2.5).
3386
3387 permit_tls_all_clientcerts
3388 Append the domain name in $myorigin or $mydomain when the remote
3389 SMTP client TLS certificate is successfully verified, regardless
3390 of whether it is listed on the server, and regardless of the
3391 certifying authority.
3392
3393 check_address_map type:table
3394
3395 type:table
3396 Append the domain name in $myorigin or $mydomain when the client
3397 IP address matches the specified lookup table. The lookup
3398 result is ignored, and no subnet lookup is done. This is suit‐
3399 able for, e.g., pop-before-smtp lookup tables.
3400
3401 Examples:
3402
3403 The Postfix < 2.2 backwards compatible setting: always rewrite message
3404 headers, and always append my own domain to incomplete header
3405 addresses.
3406
3407 local_header_rewrite_clients = static:all
3408
3409 The purist (and default) setting: rewrite headers only in mail from
3410 Postfix sendmail and in SMTP mail from this machine.
3411
3412 local_header_rewrite_clients = permit_inet_interfaces
3413
3414 The intermediate setting: rewrite header addresses and append $myorigin
3415 or $mydomain information only with mail from Postfix sendmail, from
3416 local clients, or from authorized SMTP clients.
3417
3418 Note: this setting will not prevent remote mail header address rewrit‐
3419 ing when mail from a remote client is forwarded by a neighboring sys‐
3420 tem.
3421
3422 local_header_rewrite_clients = permit_mynetworks,
3423 permit_sasl_authenticated permit_tls_clientcerts
3424 check_address_map hash:/etc/postfix/pop-before-smtp
3425
3427 Lookup tables with all names or addresses of local recipients: a recip‐
3428 ient address is local when its domain matches $mydestination,
3429 $inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card
3430 for domains that do not have a valid recipient list. Technically,
3431 tables listed with $local_recipient_maps are used as lists: Postfix
3432 needs to know only if a lookup string is found or not, but it does not
3433 use the result from table lookup.
3434
3435 Specify zero or more "type:name" lookup tables, separated by whitespace
3436 or comma. Tables will be searched in the specified order until a match
3437 is found.
3438
3439 If this parameter is non-empty (the default), then the Postfix SMTP
3440 server will reject mail for unknown local users.
3441
3442 To turn off local recipient checking in the Postfix SMTP server, spec‐
3443 ify "local_recipient_maps =" (i.e. empty).
3444
3445 The default setting assumes that you use the default Postfix local
3446 delivery agent for local delivery. You need to update the local_recipi‐
3447 ent_maps setting if:
3448
3449 · You redefine the local delivery agent in master.cf.
3450
3451 · You redefine the "local_transport" setting in main.cf.
3452
3453 · You use the "luser_relay", "mailbox_transport", or "fall‐
3454 back_transport" feature of the Postfix local(8) delivery agent.
3455
3456 Details are described in the LOCAL_RECIPIENT_README file.
3457
3458 Beware: if the Postfix SMTP server runs chrooted, you need to access
3459 the passwd file via the proxymap(8) service, in order to overcome
3460 chroot access restrictions. The alternative, maintaining a copy of the
3461 system password file in the chroot jail, is not practical.
3462
3463 Examples:
3464
3465 local_recipient_maps =
3466
3468 The default mail delivery transport and next-hop destination for final
3469 delivery to domains listed with mydestination, and for [ipaddress] des‐
3470 tinations that match $inet_interfaces or $proxy_interfaces. This
3471 information can be overruled with the transport(5) table.
3472
3473 By default, local mail is delivered to the transport called "local",
3474 which is just the name of a service that is defined in the master.cf file.
3475
3476 Specify a string of the form transport:nexthop, where transport is the
3477 name of a mail delivery transport defined in master.cf. The :nexthop
3478 destination is optional; its syntax is documented in the manual page of
3479 the corresponding delivery agent.
3480
3481 Beware: if you override the default local delivery agent then you need
3482 to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
3483 server may reject mail for local recipients.
3484
3486 Optional catch-all destination for unknown local(8) recipients. By
3487 default, mail for unknown recipients in domains that match $mydestina‐
3488 tion, $inet_interfaces or $proxy_interfaces is returned as undeliver‐
3489 able.
3490
3491 The luser_relay value is not subject to Postfix configuration parameter
3492 $name expansion. Instead, the following $name expansions are done:
3493
3494 $domain
3495 The recipient domain.
3496
3497 $extension
3498 The recipient address extension.
3499
3500 $home The recipient's home directory.
3501
3502 $local The entire recipient address localpart.
3503
3504 $recipient
3505 The full recipient address.
3506
3507 $recipient_delimiter
3508 The address extension delimiter that was found in the recipient
3509 address (Postfix 2.11 and later), or the system-wide recipient
3510 address extension delimiter (Postfix 2.10 and earlier).
3511
3512 $shell The recipient's login shell.
3513
3514 $user The recipient username.
3515
3516 ${name?value}
3517 Expands to value when $name has a non-empty value.
3518
3519 ${name:value}
3520 Expands to value when $name has an empty value.
3521
3522 Instead of $name you can also specify ${name} or $(name).
3523
3524 Note: luser_relay works only for the Postfix local(8) delivery agent.
3525
3526 Note: if you use this feature for accounts not in the UNIX password
3527 file, then you must specify "local_recipient_maps =" (i.e. empty) in
3528 the main.cf file, otherwise the Postfix SMTP server will reject mail
3529 for non-UNIX accounts with "User unknown in local recipient table".
3530
3531 Examples:
3532
3533 luser_relay = $user@other.host
3534 luser_relay = $local@other.host
3535 luser_relay = admin+$local
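
Added example (not code from the postconf(5) manual or from Postfix): an expander for the $name, ${name}, $(name), ${name?value} and ${name:value} forms listed above, run against a constructed set of recipient attributes. It assumes that a name outside the documented set is a configuration error (Postfix's own handling of unknown names is not modelled here), and it does not handle a "}" inside value.

```python
import re

# Attribute names that postconf(5) documents for luser_relay expansion.
LUSER_RELAY_NAMES = {
    "domain", "extension", "home", "local", "recipient",
    "recipient_delimiter", "shell", "user",
}

# One token: $name, ${name}, $(name), ${name?value} or ${name:value}.
_TOKEN = re.compile(
    r"\$(?:"
    r"(?P<bare>[A-Za-z0-9_]+)"                                  # $name
    r"|\{(?P<br>[A-Za-z0-9_]+)\}"                               # ${name}
    r"|\((?P<par>[A-Za-z0-9_]+)\)"                              # $(name)
    r"|\{(?P<cname>[A-Za-z0-9_]+)(?P<op>[?:])(?P<val>[^}]*)\}"  # ${name?v} ${name:v}
    r")"
)


def expand_luser_relay(template, attrs):
    """Expand a luser_relay value against a dict of recipient attributes.

    Missing attributes expand to the empty string; "?" inserts its value
    only when the attribute is non-empty, ":" only when it is empty.
    """
    def value_of(name):
        if name not in LUSER_RELAY_NAMES:
            # Assumption of this example: a typo in main.cf should fail loudly.
            raise ValueError(f"unsupported luser_relay attribute: ${name}")
        return attrs.get(name, "")

    def repl(match):
        name = match.group("bare") or match.group("br") or match.group("par")
        if name:
            return value_of(name)
        name, op, val = match.group("cname"), match.group("op"), match.group("val")
        non_empty = value_of(name) != ""
        return val if non_empty == (op == "?") else ""

    return _TOKEN.sub(repl, template)


# Constructed recipient attributes for a delivery to jdoe+sales@example.com.
SAMPLE_ATTRS = {
    "user": "jdoe",
    "local": "jdoe+sales",
    "extension": "sales",
    "domain": "example.com",
    "recipient": "jdoe+sales@example.com",
    "recipient_delimiter": "+",
    "home": "/home/jdoe",
    "shell": "/bin/sh",
}

if __name__ == "__main__":
    for template in ("$user@other.host", "$local@other.host", "admin+$local",
                     "admin${extension?+}$extension@$domain"):
        print(f"{template:45} -> {expand_luser_relay(template, SAMPLE_ATTRS)}")
```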
3536
3538 The mail system name that is displayed in Received: headers, in the
3539 SMTP greeting banner, and in bounced mail.
3540
3542 The UNIX system account that owns the Postfix queue and most Postfix
3543 daemon processes. Specify the name of an unprivileged user account
3544 that does not share a user or group ID with other accounts, and that
3545 owns no other files or processes on the system. In particular, don't
3546 specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.
3547
3548 When this parameter value is changed you need to re-run "postfix
3549 set-permissions" (with Postfix version 2.0 and earlier: "/etc/postfix/post-install
3550 set-permissions").
3551
3553 The Postfix release date, in "YYYYMMDD" format.
3554
3556 The directory where local(8) UNIX-style mailboxes are kept. The default
3557 setting depends on the system type. Specify a name ending in / for
3558 maildir-style delivery.
3559
3560 Note: maildir delivery is done with the privileges of the recipient.
3561 If you use the mail_spool_directory setting for maildir style delivery,
3562 then you must create the top-level maildir directory in advance. Post‐
3563 fix will not create it.
3564
3565 Examples:
3566
3567 mail_spool_directory = /var/mail
3568 mail_spool_directory = /var/spool/mail
3569
3571 The version of the mail system. Stable releases are named
3572 major.minor.patchlevel. Experimental releases also include the release
3573 date. The version string can be used in, for example, the SMTP greeting
3574 banner.
3575
3577 Optional external command that the local(8) delivery agent should use
3578 for mailbox delivery. The command is run with the user ID and the pri‐
3579 mary group ID privileges of the recipient. Exception: command delivery
3580 for root executes with $default_privs privileges. This is not a prob‐
3581 lem, because 1) mail for root should always be aliased to a real user
3582 and 2) don't log in as root, use "su" instead.
3583
3584 The following environment variables are exported to the command:
3585
3586 CLIENT_ADDRESS
3587 Remote client network address. Available in Postfix version 2.2
3588 and later.
3589
3590 CLIENT_HELO
3591 Remote client EHLO command parameter. Available in Postfix ver‐
3592 sion 2.2 and later.
3593
3594 CLIENT_HOSTNAME
3595 Remote client hostname. Available in Postfix version 2.2 and
3596 later.
3597
3598 CLIENT_PROTOCOL
3599 Remote client protocol. Available in Postfix version 2.2 and
3600 later.
3601
3602 DOMAIN The domain part of the recipient address.
3603
3604 EXTENSION
3605 The optional address extension.
3606
3607 HOME The recipient home directory.
3608
3609 LOCAL The recipient address localpart.
3610
3611 LOGNAME
3612 The recipient's username.
3613
3614 ORIGINAL_RECIPIENT
3615 The entire recipient address, before any address rewriting or
3616 aliasing.
3617
3618 RECIPIENT
3619 The full recipient address.
3620
3621 SASL_METHOD
3622 SASL authentication method specified in the remote client AUTH
3623 command. Available in Postfix version 2.2 and later.
3624
3625 SASL_SENDER
3626 SASL sender address specified in the remote client MAIL FROM
3627 command. Available in Postfix version 2.2 and later.
3628
3629 SASL_USER
3630 SASL username specified in the remote client AUTH command.
3631 Available in Postfix version 2.2 and later.
3632
3633 SENDER The full sender address.
3634
3635 SHELL The recipient's login shell.
3636
3637 USER The recipient username.
3638
3639 Unlike other Postfix configuration parameters, the mailbox_command
3640 parameter is not subjected to $name substitutions. This is to make it
3641 easier to specify shell syntax (see example below).
3642
3643 If you can, avoid shell meta characters because they will force Postfix
3644 to run an expensive shell process. If you're delivering via "procmail"
3645 then running a shell won't make a noticeable difference in the total
3646 cost.
3647
3648 Note: if you use the mailbox_command feature to deliver mail sys‐
3649 tem-wide, you must set up an alias that forwards mail for root to a
3650 real user.
3651
3652 The precedence of local(8) delivery features from high to low is:
3653 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3654 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3655 tory, fallback_transport_maps, fallback_transport and luser_relay.
3656
3657 Examples:
3658
3659 mailbox_command = /some/where/procmail
3660 mailbox_command = /some/where/procmail -a "$EXTENSION"
3661 mailbox_command = /some/where/maildrop -d "$USER"
3662 -f "$SENDER" "$EXTENSION"
3663
3665 Optional lookup tables with per-recipient external commands to use for
3666 local(8) mailbox delivery. Behavior is as with mailbox_command.
3667
3668 The precedence of local(8) delivery features from high to low is:
3669 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3670 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3671 tory, fallback_transport_maps, fallback_transport and luser_relay.
3672
3673 Specify zero or more "type:name" lookup tables, separated by whitespace
3674 or comma. Tables will be searched in the specified order until a match
3675 is found.
3676
3678 How to lock a UNIX-style local(8) mailbox before attempting delivery.
3679 For a list of available file locking methods, use the "postconf -l"
3680 command.
3681
3682 This setting is ignored with maildir style delivery, because such
3683 deliveries are safe without explicit locks.
3684
3685 Note: The dotlock method requires that the recipient UID or GID has
3686 write access to the parent directory of the mailbox file.
3687
3688 Note: the default setting of this parameter is system dependent.
3689
3691 The maximal size of any local(8) individual mailbox or maildir file, or
3692 zero (no limit). In fact, this limits the size of any file that is
3693 written to upon local delivery, including files written by external
3694 commands that are executed by the local(8) delivery agent.
3695
3696 This limit must not be smaller than the message size limit.
3697
3699 Optional message delivery transport that the local(8) delivery agent
3700 should use for mailbox delivery to all local recipients, whether or not
3701 they are found in the UNIX passwd database.
3702
3703 The precedence of local(8) delivery features from high to low is:
3704 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3705 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3706 tory, fallback_transport_maps, fallback_transport and luser_relay.
3707
3709 Optional lookup tables with per-recipient message delivery transports
3710 to use for local(8) mailbox delivery, whether or not the recipients are
3711 found in the UNIX passwd database.
3712
3713 The precedence of local(8) delivery features from high to low is:
3714 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3715 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3716 tory, fallback_transport_maps, fallback_transport and luser_relay.
3717
3718 Specify zero or more "type:name" lookup tables, separated by whitespace
3719 or comma. Tables will be searched in the specified order until a match
3720 is found.
3721
3722 For safety reasons, this feature does not allow $number substitutions
3723 in regular expression maps.
3724
3725 This feature is available in Postfix 2.3 and later.
3726
3728 The name of an optional logfile that is written by the Postfix post‐
3729 logd(8) service. An empty value selects logging to syslogd(8). Specify
3730 "/dev/stdout" to select logging to standard output. Stdout logging
3731 requires that Postfix is started with "postfix start-fg".
3732
3733 Note 1: The maillog_file parameter value must contain a prefix that is
3734 specified with the maillog_file_prefixes parameter.
3735
3736 Note 2: Some Postfix non-daemon programs may still log information to
3737 syslogd(8), before they have processed their configuration parameters
3738 and command-line options.
3739
3740 This feature is available in Postfix 3.4 and later.
3741
3743 The program to run after rotating $maillog_file with "postfix logro‐
3744 tate". The command is run with the rotated logfile name as its first
3745 argument.
3746
3747 This feature is available in Postfix 3.4 and later.
3748
3750 A list of allowed prefixes for a maillog_file value. This is a safety
3751 feature to contain the damage from a single configuration mistake.
3752 Specify one or more prefix strings, separated by comma or whitespace.
3753
3754 This feature is available in Postfix 3.4 and later.
3755
3757 The format of the suffix to append to $maillog_file while rotating the
3758 file with "postfix logrotate". See strftime(3) for syntax. The default
3759 suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently.
3760
3761 This feature is available in Postfix 3.4 and later.
3762
3764 Sendmail compatibility feature that specifies where the Postfix
3765 mailq(1) command is installed. This command can be used to list the
3766 Postfix mail queue.
3767
3769 Where the Postfix manual pages are installed.
3770
3772 Obsolete feature: use the reject_rbl_client feature instead.
3773
3775 The numerical Postfix SMTP server response code when a remote SMTP
3776 client request is blocked by the reject_rbl_client,
3777 reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender
3778 or reject_rhsbl_recipient restriction.
3779
3780 Do not change this unless you have a complete understanding of RFC
3781 5321.
3782
3784
3785 What addresses are subject to address masquerading.
3786
3787 By default, address masquerading is limited to envelope sender
3788 addresses, and to header sender and header recipient addresses. This
3789 allows you to use address masquerading on a mail gateway while still
3790 being able to forward mail to users on individual machines.
3791
3792 Specify zero or more of: envelope_sender, envelope_recipient,
3793 header_sender, header_recipient
3794
3796 Optional list of domains whose subdomain structure will be stripped off
3797 in email addresses.
3798
3799 The list is processed left to right, and processing stops at the first
3800 match. Thus,
3801
3802 masquerade_domains = foo.example.com example.com
3803
3804 strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
3805 strips "user@any.thing.else.example.com" to "user@example.com".
3806
3807 A domain name prefixed with ! means do not masquerade this domain or
3808 its subdomains. Thus,
3809
3810 masquerade_domains = !foo.example.com example.com
3811
3812 does not change "user@any.thing.foo.example.com" or "user@foo.exam‐
3813 ple.com", but strips "user@any.thing.else.example.com" to "user@exam‐
3814 ple.com".
3815
3816 Note: with Postfix version 2.2, message header address masquerading
3817 happens only when message header address rewriting is enabled:
3818
3819 · The message is received with the Postfix sendmail(1) command,
3820
3821 · The message is received from a network client that matches
3822 $local_header_rewrite_clients,
3823
3824 · The message is received from the network, and the
3825 remote_header_rewrite_domain parameter specifies a non-empty
3826 value.
3827
3828 To get the behavior before Postfix version 2.2, specify
3829 "local_header_rewrite_clients = static:all".
3830
3831 Example:
3832
3833 masquerade_domains = $mydomain
3834
3836 Optional list of user names that are not subjected to address mas‐
3837 querading, even when their addresses match $masquerade_domains.
3838
3839 By default, address masquerading makes no exceptions.
3840
3841 Specify a list of user names, "/file/name" or "type:table" patterns,
3842 separated by commas and/or whitespace. The list is matched left to
3843 right, and the search stops on the first match. A "/file/name" pattern
3844 is replaced by its contents; a "type:table" lookup table is matched
3845 when a name matches a lookup key (the lookup result is ignored). Con‐
3846 tinue long lines by starting the next line with whitespace. Specify
3847 "!pattern" to exclude a name from the list. The form "!/file/name" is
3848 supported only in Postfix version 2.4 and later.
3849
3850 Examples:
3851
3852 masquerade_exceptions = root, mailer-daemon
3853 masquerade_exceptions = root
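
Added example (not code from the postconf(5) manual or from Postfix) that models the masquerade_domains and masquerade_exceptions rules above: left-to-right processing, stop at the first match, "!" to protect a domain and its subdomains, and user names that are never rewritten. It only handles plain user names in masquerade_exceptions, not "/file/name" or "type:table" patterns.

```python
def masquerade_address(addr, masquerade_domains, masquerade_exceptions=()):
    """Strip subdomain structure from addr as masquerade_domains directs.

    masquerade_domains is the parameter value split into a list, e.g.
    ["!foo.example.com", "example.com"]. An entry matches the domain
    itself and any of its subdomains; the first match decides:
      - a plain entry replaces the domain with the listed domain,
      - a "!" entry leaves the address unchanged.
    A user listed in masquerade_exceptions is never rewritten.
    """
    if "@" not in addr:
        return addr
    user, domain = addr.rsplit("@", 1)
    if user in masquerade_exceptions:
        return addr
    domain_l = domain.lower()
    for pattern in masquerade_domains:
        negated = pattern.startswith("!")
        target = pattern[1:] if negated else pattern
        target_l = target.lower()
        if domain_l == target_l or domain_l.endswith("." + target_l):
            if negated:
                return addr               # explicitly excluded subtree
            return f"{user}@{target}"     # strip down to the listed domain
    return addr                           # no entry matched: unchanged


if __name__ == "__main__":
    # The two settings discussed in the masquerade_domains text above.
    for domains in (["foo.example.com", "example.com"],
                    ["!foo.example.com", "example.com"]):
        for a in ("user@any.thing.foo.example.com",
                  "user@any.thing.else.example.com",
                  "root@host.example.com"):
            print(domains, a, "->",
                  masquerade_address(a, domains, ("root", "mailer-daemon")))
```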
3854
3856 Selectively disable master(8) listener ports by service type or by ser‐
3857 vice name and type. Specify a list of service types ("inet", "unix",
3858 "fifo", or "pass") or "name/type" tuples, where "name" is the first
3859 field of a master.cf entry and "type" is a service type. As with other
3860 Postfix matchlists, a search stops at the first match. Specify "!pat‐
3861 tern" to exclude a service from the list. By default, all master(8)
3862 listener ports are enabled.
3863
3864 Note: this feature does not support "/file/name" or "type:table" pat‐
3865 terns, nor does it support wildcards such as "*" or "all". This is
3866 intentional.
3867
3868 Examples:
3869
3870 # With Postfix 2.6..2.10 use '.' instead of '/'.
3871 # Turn on all master(8) listener ports (the default).
3872 master_service_disable =
3873 # Turn off only the main SMTP listener port.
3874 master_service_disable = smtp/inet
3875 # Turn off all TCP/IP listener ports.
3876 master_service_disable = inet
3877 # Turn off all TCP/IP listener ports except "foo".
3878 master_service_disable = !foo/inet, inet
3879
3880 This feature is available in Postfix 2.6 and later.
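
Added example (not code from the postconf(5) manual or from Postfix): a matcher for master_service_disable values that applies the first-match rule and "!pattern" exclusion to a constructed master.cf excerpt, so you can see which listeners a given setting turns off before deploying it. It rejects "/file/name" and "type:table" patterns and unknown service types, as the note above says those are not supported.

```python
SERVICE_TYPES = ("inet", "unix", "fifo", "pass")


def parse_master_service_disable(value):
    """Split a master_service_disable value into (negated, name, type).

    name is None for a bare service-type pattern such as "inet".
    """
    patterns = []
    for item in value.replace(",", " ").split():
        negated = item.startswith("!")
        body = item[1:] if negated else item
        if ":" in body or body.startswith("/"):
            raise ValueError(f"table or file patterns are not supported: {item!r}")
        if "/" in body:
            name, stype = body.split("/", 1)
        else:
            name, stype = None, body
        if stype not in SERVICE_TYPES or (name is not None and not name):
            raise ValueError(f"bad master_service_disable pattern: {item!r}")
        patterns.append((negated, name, stype))
    return patterns


def service_disabled(name, stype, value):
    """True when the master.cf service name/stype is disabled by value.

    Patterns are tried left to right and the first match decides; a
    matching "!pattern" keeps the service enabled. No match: enabled.
    """
    for negated, pname, ptype in parse_master_service_disable(value):
        if ptype == stype and (pname is None or pname == name):
            return not negated
    return False


def disabled_listeners(master_cf, value):
    """Return "name/type" for each master.cf entry that value disables."""
    disabled = []
    for line in master_cf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        name, stype = fields[0], fields[1]
        if service_disabled(name, stype, value):
            disabled.append(f"{name}/{stype}")
    return disabled


# Constructed master.cf excerpt (only the first two fields matter here).
MASTER_CF_SAMPLE = """\
# service type private unpriv chroot wakeup maxproc command
smtp       inet  n  -  n  -   -  smtpd
submission inet  n  -  n  -   -  smtpd
pickup     unix  n  -  n  60  1  pickup
local      unix  -  n  n  -   -  local
"""

if __name__ == "__main__":
    for setting in ("", "smtp/inet", "inet", "!submission/inet, inet"):
        print(f"master_service_disable = {setting!r:28} ->",
              disabled_listeners(MASTER_CF_SAMPLE, setting))
```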
3881
3883 The maximum amount of time that an idle Postfix daemon process waits
3884 for an incoming connection before terminating voluntarily. This param‐
3885 eter is ignored by the Postfix queue manager and by other long-lived
3886 Postfix daemon processes.
3887
3888 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3889 The default time unit is s (seconds).
3890
3892 The maximal number of incoming connections that a Postfix daemon
3893 process will service before terminating voluntarily. This parameter is
3894 ignored by the Postfix queue manager and by other long-lived Postfix
3895 daemon processes.
3896
3898 The maximal time between attempts to deliver a deferred message.
3899
3900 This parameter should be set to a value greater than or equal to $mini‐
3901 mal_backoff_time. See also $queue_run_delay.
3902
3903 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3904 The default time unit is s (seconds).
3905
3907 Consider a message as undeliverable, when delivery fails with a tempo‐
3908 rary error, and the time in the queue has reached the maxi‐
3909 mal_queue_lifetime limit.
3910
3911 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3912 The default time unit is d (days).
3913
3914 Specify 0 when mail delivery should be tried only once.
3915
3917 Names of message headers that the cleanup(8) daemon will remove after
3918 applying header_checks(5) and before invoking Milter applications. The
3919 default setting is compatible with Postfix < 3.0.
3920
3921 Specify a list of header names, separated by comma or space. Names are
3922 matched in a case-insensitive manner. The list of supported header
3923 names is limited only by available memory.
3924
3925 This feature is available in Postfix 3.0 and later.
3926
3928 The set of characters that Postfix will reject in message content. The
3929 usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3930 (up to three octal digits) and \\.
3931
3932 Note 1: this feature does not recognize text that requires MIME decod‐
3933 ing. It inspects raw message content, just like header_checks and
3934 body_checks.
3935
3936 Note 2: this feature is disabled with "receive_override_options =
3937 no_header_body_checks".
3938
3939 Example:
3940
3941 message_reject_characters = \0
3942
3943 This feature is available in Postfix 2.3 and later.
3944
3946 The maximal size in bytes of a message, including envelope information.
3947
3948 Note: be careful when making changes. Excessively small values will
3949 result in the loss of non-delivery notifications, when a bounce message
3950 size exceeds the local or remote MTA's message size limit.
3951
3953 The set of characters that Postfix will remove from message content.
3954 The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
3955 \ddd (up to three octal digits) and \\.
3956
3957 Note 1: this feature does not recognize text that requires MIME decod‐
3958 ing. It inspects raw message content, just like header_checks and
3959 body_checks.
3960
3961 Note 2: this feature is disabled with "receive_override_options =
3962 no_header_body_checks".
3963
3964 Example:
3965
3966 message_strip_characters = \0
3967
3968 This feature is available in Postfix 2.3 and later.
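
Added example (not code from the postconf(5) manual or from Postfix) serving both message_reject_characters and message_strip_characters above: a decoder for the C-like escape syntax they share (\a \b \f \n \r \t \v \ddd \\), plus a reject check and a strip pass over raw message bytes, since both features inspect undecoded content. Two choices are assumptions of this example: an unknown escape such as "\q" yields the literal character, and a trailing backslash is an error.

```python
_SIMPLE_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
_OCTAL = "01234567"


def parse_char_set(spec):
    """Decode a message_reject/strip_characters value into a set of byte values."""
    chars = set()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c != "\\":
            if ord(c) > 255:
                raise ValueError(f"non-byte character in character set: {c!r}")
            chars.add(ord(c))
            i += 1
            continue
        i += 1
        if i >= len(spec):
            raise ValueError("trailing backslash in character set")  # assumption
        e = spec[i]
        if e in _SIMPLE_ESCAPES:
            chars.add(_SIMPLE_ESCAPES[e])
            i += 1
        elif e in _OCTAL:
            j = i
            while j < len(spec) and j - i < 3 and spec[j] in _OCTAL:  # up to 3 digits
                j += 1
            chars.add(int(spec[i:j], 8) & 0xFF)
            i = j
        else:
            chars.add(ord(e))  # unknown escape: literal character (assumption)
            i += 1
    return chars


def message_has_rejected_chars(content, spec):
    """True if any byte of the raw message content is in the reject set."""
    bad = parse_char_set(spec)
    return any(b in bad for b in content)


def strip_message_chars(content, spec):
    """Return the raw message content with every byte in the strip set removed."""
    drop = parse_char_set(spec)
    return bytes(b for b in content if b not in drop)


# Constructed raw message fragment containing an embedded NUL byte.
SAMPLE_MESSAGE = b"Subject: report\r\n\r\nline one\x00line two\r\n"

if __name__ == "__main__":
    print("reject with \\0:", message_has_rejected_chars(SAMPLE_MESSAGE, r"\0"))
    print("after strip \\0:", strip_message_chars(SAMPLE_MESSAGE, r"\0"))
```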
3969
3971 The location of non-executable files that are shared among multiple
3972 Postfix instances, such as postfix-files, dynamicmaps.cf, and the
3973 multi-instance template files main.cf.proto and master.cf.proto. This
3974 directory should contain only Postfix-related files. Typically, the
3975 meta_directory parameter has the same default as the config_directory
3976 parameter (/etc/postfix or /usr/local/etc/postfix).
3977
3978 For backwards compatibility with Postfix versions 2.6..2.11, specify
3979 "meta_directory = $daemon_directory" in main.cf before installing or
3980 upgrading Postfix, or specify "meta_directory = /path/name" on the
3981 "make makefiles", "make install" or "make upgrade" command line.
3982
3983 This feature is available in Postfix 3.0 and later.
3984
3986 The time limit for sending an SMTP command to a Milter (mail filter)
3987 application, and for receiving the response.
3988
3989 Specify a non-zero time value (an integral value plus an optional
3990 one-letter suffix that specifies the time unit).
3991
3992 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3993 The default time unit is s (seconds).
3994
3995 This feature is available in Postfix 2.3 and later.
3996
3998 The macros that are sent to Milter (mail filter) applications after
3999 completion of an SMTP connection. See MILTER_README for a list of
4000 available macro names and their meanings.
4001
4002 This feature is available in Postfix 2.3 and later.
4003
4005 The time limit for connecting to a Milter (mail filter) application,
4006 and for negotiating protocol options.
4007
4008 Specify a non-zero time value (an integral value plus an optional
4009 one-letter suffix that specifies the time unit).
4010
4011 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4012 The default time unit is s (seconds).
4013
4014 This feature is available in Postfix 2.3 and later.
4015
4017 The time limit for sending message content to a Milter (mail filter)
4018 application, and for receiving the response.
4019
4020 Specify a non-zero time value (an integral value plus an optional
4021 one-letter suffix that specifies the time unit).
4022
4023 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4024 The default time unit is s (seconds).
4025
4026 This feature is available in Postfix 2.3 and later.
4027
4029 The macros that are sent to version 4 or higher Milter (mail filter)
4030 applications after the SMTP DATA command. See MILTER_README for a list
4031 of available macro names and their meanings.
4032
4033 This feature is available in Postfix 2.3 and later.
4034
4036 The default action when a Milter (mail filter) response is unavailable
4037 (for example, bad Postfix configuration or Milter failure). Specify one
4038 of the following:
4039
4040 accept Proceed as if the mail filter was not present.
4041
4042 reject Reject all further commands in this session with a permanent
4043 status code.
4044
4045 tempfail
4046 Reject all further commands in this session with a temporary
4047 status code.
4048
4049 quarantine
4050 Like "accept", but freeze the message in the "hold" queue.
4051 Available with Postfix 2.6 and later.
4052
4053 This feature is available in Postfix 2.3 and later.
4054
4056 The macros that are sent to Milter (mail filter) applications after the
4057 message end-of-data. See MILTER_README for a list of available macro
4058 names and their meanings.
4059
4060 This feature is available in Postfix 2.3 and later.
4061
The macros that are sent to Milter (mail filter) applications after the end of the message header. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.5 and later.

Optional lookup tables for content inspection of message headers that are produced by Milter applications. See the header_checks(5) manual page for available actions. Currently, PREPEND is not implemented.

The following example sends all mail that is marked as SPAM to a spam handling machine. Note that matches are case-insensitive by default.

    /etc/postfix/main.cf:
        milter_header_checks = pcre:/etc/postfix/milter_header_checks

    /etc/postfix/milter_header_checks:
        /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25

The milter_header_checks mechanism could also be used for whitelisting. For example, it could be used to skip heavy content inspection for DKIM-signed mail from known friendly domains.

This feature is available in Postfix 2.7, and as an optional patch for Postfix 2.6.

The macros that are sent to Milter (mail filter) applications after the SMTP HELO or EHLO command. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

The {daemon_name} macro value for Milter (mail filter) applications. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

Optional list of name=value pairs that specify default values for arbitrary macros that Postfix may send to Milter applications. These defaults are used when there is no corresponding information from the message delivery context.

Specify name=value or {name}=value pairs separated by comma or whitespace. Enclose a pair in "{}" when a value contains comma or whitespace (this form ignores whitespace after the enclosing "{", around the "=", and before the enclosing "}").

This feature is available in Postfix 3.1 and later.

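The pair syntax described above, as an added example (this is not Postfix code): a small Python parser for a milter_macro_defaults value. It tokenizes on comma or whitespace outside braces, unwraps a pair that is enclosed as a whole in "{...}", and strips whitespace after the opening "{", around the "=", and before the closing "}". The sample value is constructed. Two choices are mine rather than the manual's: a token counts as brace-enclosed only when its first "{" is closed by its last "}" (so "{name}=value" is a plain pair), and macro names are kept exactly as written, with or without their braces.

```python
# Added example: parse a Postfix milter_macro_defaults value into a dict.
# This is not Postfix's own tokenizer; it follows the rules stated in postconf(5).

SEPARATORS = ", \t\r\n"


def _tokens(value: str) -> list:
    """Split on comma/whitespace, but never inside a {...} group (braces may nest)."""
    tokens, current, depth = [], [], 0
    for ch in value:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced '}}' in {value!r}")
        if depth == 0 and ch in SEPARATORS:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if depth != 0:
        raise ValueError(f"missing '}}' in {value!r}")
    if current:
        tokens.append("".join(current))
    return tokens


def _enclosed_as_whole(token: str) -> bool:
    """True when the token's leading '{' is matched by its final '}' (assumption, see lead-in)."""
    if not (token.startswith("{") and token.endswith("}")):
        return False
    depth = 0
    for i, ch in enumerate(token):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and i != len(token) - 1:
                return False  # the opening brace closed early: this is the "{name}=value" form
    return True


def parse_macro_defaults(value: str) -> dict:
    """Return {name: default} for a milter_macro_defaults value."""
    defaults = {}
    for token in _tokens(value):
        if _enclosed_as_whole(token):
            # "{ name = value }" form: drop the enclosing braces and the whitespace inside them.
            token = token[1:-1].strip()
        name, eq, val = token.partition("=")
        if not eq:
            raise ValueError(f"missing '=' in pair {token!r}")
        defaults[name.strip()] = val.strip()  # whitespace around '=' is ignored
    return defaults


# Constructed sample value (not from any real system).
SAMPLE = "{daemon_name}=postfix, j=mail.example.com { {client_name} = unknown host } {v}=Postfix"

if __name__ == "__main__":
    for name, default in parse_macro_defaults(SAMPLE).items():
        print(f"{name!r} -> {default!r}")
```

Running the block prints the four pairs from SAMPLE; the brace-enclosed pair yields the name "{client_name}" with the value "unknown host", and an unbalanced brace or a pair without "=" raises ValueError instead of being silently accepted.
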
The {v} macro value for Milter (mail filter) applications. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

The macros that are sent to Milter (mail filter) applications after the SMTP MAIL FROM command. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

The mail filter protocol version and optional protocol extensions for communication with a Milter application; prior to Postfix 2.6 the default protocol is 2. Postfix sends this version number during the initial protocol handshake. It should match the version number that is expected by the mail filter application (or by its Milter library).

Protocol versions:

2
    Use Sendmail 8 mail filter protocol version 2 (default with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).

3
    Use Sendmail 8 mail filter protocol version 3.

4
    Use Sendmail 8 mail filter protocol version 4.

6
    Use Sendmail 8 mail filter protocol version 6 (default with Sendmail version 8.14 and Postfix version 2.6).

Protocol extensions:

no_header_reply
    Specify this when the Milter application will not reply for each individual message header.

This feature is available in Postfix 2.3 and later.

The macros that are sent to Milter (mail filter) applications after the SMTP RCPT TO command. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

The macros that are sent to version 3 or higher Milter (mail filter) applications after an unknown SMTP command. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

The maximal length of MIME multipart boundary strings. The MIME processor is unable to distinguish between boundary strings that do not differ in the first $mime_boundary_length_limit characters.

This feature is available in Postfix 2.0 and later.

Optional lookup tables for content inspection of MIME related message headers, as described in the header_checks(5) manual page.

This feature is available in Postfix 2.0 and later.

The maximal recursion level that the MIME processor will handle. Postfix refuses mail that is nested deeper than the specified limit.

This feature is available in Postfix 2.0 and later.

The minimal time between attempts to deliver a deferred message; prior to Postfix 2.4 the default value was 1000s.

This parameter also limits the time an unreachable destination is kept in the short-term, in-memory, destination status cache.

This parameter should be set greater than or equal to $queue_run_delay. See also $maximal_backoff_time.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

An optional list of non-default Postfix configuration directories; these directories belong to additional Postfix instances that share the Postfix executable files and documentation with the default Postfix instance, and that are started, stopped, etc., together with the default Postfix instance. Specify a list of pathnames separated by comma or whitespace.

When $multi_instance_directories is empty, the postfix(1) command runs in single-instance mode and operates on a single Postfix instance only. Otherwise, the postfix(1) command runs in multi-instance mode and invokes the multi-instance manager specified with the multi_instance_wrapper parameter. The multi-instance manager in turn executes postfix(1) commands for the default instance and for all Postfix instances in $multi_instance_directories.

Currently, this parameter setting is ignored except for the default main.cf file.

This feature is available in Postfix 2.6 and later.

Allow this Postfix instance to be started, stopped, etc., by a multi-instance manager. By default, new instances are created in a safe state that prevents them from being started inadvertently. This parameter is reserved for the multi-instance manager.

This feature is available in Postfix 2.6 and later.

The optional instance group name of this Postfix instance. A group identifies closely-related Postfix instances that the multi-instance manager can start, stop, etc., as a unit. This parameter is reserved for the multi-instance manager.

This feature is available in Postfix 2.6 and later.

The optional instance name of this Postfix instance. This name also becomes the default value for the syslog_name parameter.

This feature is available in Postfix 2.6 and later.

The pathname of a multi-instance manager command that the postfix(1) command invokes when the multi_instance_directories parameter value is non-empty. The pathname may be followed by initial command arguments separated by whitespace; shell metacharacters such as quotes are not supported in this context.

The postfix(1) command invokes the manager command with the postfix(1) non-option command arguments on the manager command line, and with all installation configuration parameters exported into the manager command process environment. The manager command in turn invokes the postfix(1) command for individual Postfix instances as "postfix -c config_directory command".

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_multi_recipient_bounce restriction.

Do not change this unless you have a complete understanding of RFC 5321.

This feature is available in Postfix 2.1 and later.

The list of domains that are delivered via the $local_transport mail delivery transport. By default this is the Postfix local(8) delivery agent which looks up all recipients in /etc/passwd and /etc/aliases. The SMTP server validates recipient addresses with $local_recipient_maps and rejects non-existent recipients. See also the local domain class in the ADDRESS_CLASS_README file.

The default mydestination value specifies names for the local machine only. On a mail domain gateway, you should also include $mydomain.

The $local_transport delivery method is also selected for mail addressed to user@[the.net.work.address] of the mail system (the IP addresses specified with the inet_interfaces and proxy_interfaces parameters).

Warnings:

· Do not specify the names of virtual domains - those domains are specified elsewhere. See VIRTUAL_README for more information.

· Do not specify the names of domains that this machine is backup MX host for. See STANDARD_CONFIGURATION_README for how to set up backup MX hosts.

· By default, the Postfix SMTP server rejects mail for recipients not listed with the local_recipient_maps parameter. See the postconf(5) manual for a description of the local_recipient_maps and unknown_local_recipient_reject_code parameters.

Specify a list of host or domain names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace.

Examples:

    mydestination = $myhostname, localhost.$mydomain $mydomain
    mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain

The internet domain name of this mail system. The default is to use $myhostname minus the first component, or "localdomain" (Postfix 2.3 and later). $mydomain is used as a default value for many other configuration parameters.

Example:

    mydomain = domain.tld

The internet hostname of this mail system. The default is to use the fully-qualified domain name (FQDN) from gethostname(), or to use the non-FQDN result from gethostname() and append ".$mydomain". $myhostname is used as a default value for many other configuration parameters.

Example:

    myhostname = host.example.com

The list of "trusted" remote SMTP clients that have more privileges than "strangers".

In particular, "trusted" SMTP clients are allowed to relay mail through Postfix. See the smtpd_relay_restrictions parameter description in the postconf(5) manual.

You can specify the list of "trusted" network addresses by hand or you can let Postfix do it for you (which is the default). See the description of the mynetworks_style parameter for more information.

If you specify the mynetworks list by hand, Postfix ignores the mynetworks_style setting.

Specify a list of network addresses or network/netmask patterns, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace.

The netmask specifies the number of bits in the network part of a host address. You can also specify "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored).

The list is matched left to right, and the search stops on the first match. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Note 1: Pattern matching of domain names is controlled by the presence or absence of "mynetworks" in the parent_domain_matches_subdomains parameter value.

Note 2: IP version 6 address information must be specified inside [] in the mynetworks value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.

Examples:

    mynetworks = 127.0.0.0/8 168.100.189.0/28
    mynetworks = !192.168.0.1, 192.168.0.0/28
    mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
    mynetworks = $config_directory/mynetworks
    mynetworks = hash:/etc/postfix/network_table

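An added example, not Postfix code, of the mynetworks matching rules described above: patterns are tried left to right and the first match decides, a "!pattern" match excludes the client, IPv6 is written inside [] so that its ":" is not read as a "type:table" prefix, and a "/file/name" pattern is replaced by the file's contents. The file /etc/postfix/mynetworks and its contents are constructed and supplied as an in-memory mapping so the example runs offline. "type:table" lookups are not implemented and raise an error, and the ipaddress-based matching silently masks non-zero host bits where Postfix would warn about them.

```python
import ipaddress
import re
from typing import Mapping, Optional

# Added example: evaluate a Postfix mynetworks value the way postconf(5) describes it.
# Not Postfix code; "type:table" lookups are deliberately not implemented.


def split_list(value: str) -> list:
    """Split a main.cf list value on commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def expand_patterns(value: str, files: Optional[Mapping[str, str]] = None) -> list:
    """Replace every "/file/name" pattern by the patterns in that file.

    'files' is an in-memory stand-in for the filesystem so the example runs
    offline; a real implementation would read the file. A negated file
    ("!/file/name") negates each pattern it contributes, and a "!" inside
    the file flips the sign again.
    """
    expanded = []
    for item in split_list(value):
        negated = item.startswith("!")
        body = item[1:] if negated else item
        if body.startswith("/"):
            if files is None or body not in files:
                raise FileNotFoundError(body)
            for entry in expand_patterns(files[body], files):
                entry_negated = entry.startswith("!")
                entry_body = entry[1:] if entry_negated else entry
                expanded.append(("!" if negated != entry_negated else "") + entry_body)
        else:
            expanded.append(item)
    return expanded


_BRACKETED = re.compile(r"\[([^\]]+)\](?:/(\d{1,3}))?$")


def parse_pattern(pattern: str):
    """Return (negated, network) for one address or network/netmask pattern.

    IPv6 must be written inside [] because a bare ':' marks a "type:table"
    pattern; such table patterns raise here instead of being looked up.
    """
    negated = pattern.startswith("!")
    body = pattern[1:] if negated else pattern
    bracketed = _BRACKETED.match(body)
    if bracketed:
        address, prefix = bracketed.groups()
        body = address if prefix is None else f"{address}/{prefix}"
    elif ":" in body:
        raise ValueError(f"type:table lookup not implemented in this example: {pattern!r}")
    # strict=False masks non-zero host bits; Postfix warns about them instead.
    return negated, ipaddress.ip_network(body, strict=False)


def is_trusted(client: str, mynetworks: str, files: Optional[Mapping[str, str]] = None) -> bool:
    """Match a client address left to right; the first matching pattern decides.

    A match on a "!pattern" excludes the client; no match at all means the
    client is not in $mynetworks.
    """
    address = ipaddress.ip_address(client)
    for pattern in expand_patterns(mynetworks, files):
        negated, network = parse_pattern(pattern)
        if address in network:
            return not negated
    return False


# Constructed file contents, not taken from any real system.
SAMPLE_FILES = {"/etc/postfix/mynetworks": "127.0.0.0/8\n10.0.0.0/8, [fd00::]/8\n"}

if __name__ == "__main__":
    value = "!192.168.0.1, 192.168.0.0/28 [::1]/128 /etc/postfix/mynetworks"
    for ip in ("192.168.0.1", "192.168.0.5", "192.168.0.200", "::1", "10.1.2.3"):
        print(ip, "trusted" if is_trusted(ip, value, SAMPLE_FILES) else "not trusted")
```

With the manual's second example, "!192.168.0.1, 192.168.0.0/28", the host 192.168.0.1 is excluded while 192.168.0.5 is trusted; the order matters, because with the two patterns swapped the exclusion would never be reached.
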
The method to generate the default value for the mynetworks parameter. This is the list of trusted networks for relay access control etc.

· Specify "mynetworks_style = host" when Postfix should "trust" only the local machine.

· Specify "mynetworks_style = subnet" when Postfix should "trust" remote SMTP clients in the same IP subnetworks as the local machine. On Linux, this works correctly only with interfaces specified with the "ifconfig" command.

· Specify "mynetworks_style = class" when Postfix should "trust" remote SMTP clients in the same IP class A/B/C networks as the local machine. Caution: this may cause Postfix to "trust" your entire provider's network. Instead, specify an explicit mynetworks list by hand, as described with the mynetworks configuration parameter.

The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. The default, $myhostname, is adequate for small sites. If you run a domain with multiple machines, you should (1) change this to $mydomain and (2) set up a domain-wide alias database that aliases each user to user@that.users.mailhost.

Example:

    myorigin = $mydomain

Optional lookup tables for content inspection of non-MIME message headers in attached messages, as described in the header_checks(5) manual page.

This feature is available in Postfix 2.0 and later.

Sendmail compatibility feature that specifies the location of the newaliases(1) command. This command can be used to rebuild the local(8) aliases(5) database.

The numerical Postfix SMTP server reply code when a client request is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction.

A list of Milter (mail filter) applications for new mail that does not arrive via the Postfix smtpd(8) server. This includes local submission via the sendmail(1) command line, new mail that arrives via the Postfix qmqpd(8) server, and old mail that is re-injected into the queue with "postsuper -r". Specify space or comma as separator. See the MILTER_README document for details.

This feature is available in Postfix 2.3 and later.

The list of error classes that are reported to the postmaster. The default is to report only the most serious problems. The paranoid may wish to turn on the policy (UCE and mail relaying) and protocol error (broken mail software) reports.

NOTE: postmaster notifications may contain confidential information such as SASL passwords or message content. It is the system administrator's responsibility to treat such information with care.

The error classes are:

bounce (also implies 2bounce)
    Send the postmaster copies of the headers of bounced mail, and send transcripts of SMTP sessions when Postfix rejects mail. The notification is sent to the address specified with the bounce_notice_recipient configuration parameter (default: postmaster).

2bounce
    Send undeliverable bounced mail to the postmaster. The notification is sent to the address specified with the 2bounce_notice_recipient configuration parameter (default: postmaster).

data
    Send the postmaster a transcript of the SMTP session with an error because a critical data file was unavailable. The notification is sent to the address specified with the error_notice_recipient configuration parameter (default: postmaster).
    This feature is available in Postfix 2.9 and later.

delay
    Send the postmaster copies of the headers of delayed mail (see delay_warning_time). The notification is sent to the address specified with the delay_notice_recipient configuration parameter (default: postmaster).

policy
    Send the postmaster a transcript of the SMTP session when a client request was rejected because of (UCE) policy. The notification is sent to the address specified with the error_notice_recipient configuration parameter (default: postmaster).

protocol
    Send the postmaster a transcript of the SMTP session in case of client or server protocol errors. The notification is sent to the address specified with the error_notice_recipient configuration parameter (default: postmaster).

resource
    Inform the postmaster of mail not delivered due to resource problems. The notification is sent to the address specified with the error_notice_recipient configuration parameter (default: postmaster).

software
    Inform the postmaster of mail not delivered due to software problems. The notification is sent to the address specified with the error_notice_recipient configuration parameter (default: postmaster).

Examples:

    notify_classes = bounce, delay, policy, protocol, resource, software
    notify_classes = 2bounce, resource, software

The numerical reply code when the Postfix SMTP server rejects a sender or recipient address because its domain has a nullmx DNS record (an MX record with an empty hostname). This is one of the possible replies from the restrictions reject_unknown_sender_domain and reject_unknown_recipient_domain.

This feature is available in Postfix 3.0 and later.

The location of the OpenSSL command line program openssl(1). This is used by the "postfix tls" command to create private keys, certificate signing requests, self-signed certificates, and to compute public key digests for DANE TLSA records. In multi-instance environments, this parameter is always determined from the configuration of the default Postfix instance.

Example:

    /etc/postfix/main.cf:
        # NetBSD pkgsrc:
        openssl_path = /usr/pkg/bin/openssl
        # Local build:
        openssl_path = /usr/local/bin/openssl

This feature is available in Postfix 3.1 and later.

Enable special treatment for owner-listname entries in the aliases(5) file, and don't split owner-listname and listname-request address localparts when the recipient_delimiter is set to "-". This feature is useful for mailing lists.

A list of Postfix features where the pattern "example.com" also matches subdomains of example.com, instead of requiring an explicit ".example.com" pattern. This is planned backwards compatibility: eventually, all Postfix features are expected to require explicit ".example.com" style patterns when you really want to match subdomains.

The following Postfix feature names are supported.

Postfix version 1.0 and later
    debug_peer_list, fast_flush_domains, mynetworks, permit_mx_backup_networks, relay_domains, transport_maps

Postfix version 1.1 and later
    qmqpd_authorized_clients, smtpd_access_maps

Postfix version 2.8 and later
    postscreen_access_list

Postfix version 3.0 and later
    smtpd_client_event_limit_exceptions

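The two matching behaviours described above, as an added Python example (not Postfix code): a pattern "example.com" matches only that domain unless the feature being evaluated is listed in parent_domain_matches_subdomains, in which case it also matches subdomains; an explicit ".example.com" pattern matches subdomains regardless. The LEGACY_FEATURES value repeats the feature names listed in this entry; the feature name "some_other_feature" is hypothetical and stands for any feature not on that list.

```python
import re

# Added example, not Postfix code: how a domain pattern matches a name with and without
# the legacy behaviour that parent_domain_matches_subdomains selects per feature.


def split_list(value: str) -> list:
    """Split a main.cf list value on commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def domain_matches(pattern: str, name: str, feature: str,
                   parent_domain_matches_subdomains: str) -> bool:
    """Return True when 'pattern' matches domain 'name' in the context of 'feature'.

    ".example.com" always matches subdomains of example.com and never example.com itself.
    "example.com" matches example.com; it also matches subdomains only when 'feature'
    is listed in parent_domain_matches_subdomains.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("."):
        return name.endswith(pattern)
    if name == pattern:
        return True
    legacy = feature in split_list(parent_domain_matches_subdomains)
    return legacy and name.endswith("." + pattern)


# The feature names listed in this entry, written as the parameter value.
LEGACY_FEATURES = ("debug_peer_list, fast_flush_domains, mynetworks, permit_mx_backup_networks, "
                   "relay_domains, transport_maps, qmqpd_authorized_clients, smtpd_access_maps, "
                   "postscreen_access_list, smtpd_client_event_limit_exceptions")

if __name__ == "__main__":
    # "some_other_feature" is a hypothetical feature name that is not in the list.
    for feature in ("relay_domains", "some_other_feature"):
        for pattern in ("example.com", ".example.com"):
            hit = domain_matches(pattern, "mail.example.com", feature, LEGACY_FEATURES)
            print(f"{feature}: {pattern!r} vs mail.example.com -> {hit}")
```

The practical consequence for access control is the one the entry warns about: a bare "example.com" in relay_domains currently admits every subdomain, whereas the same pattern in a feature outside the list admits only the exact name, so the explicit ".example.com" form is the one whose meaning does not depend on this parameter.
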
Restrict the use of the permit_mx_backup SMTP access feature to only domains whose primary MX hosts match the listed networks. The parameter value syntax is the same as with the mynetworks parameter; note, however, that the default value is empty.

Pattern matching of domain names is controlled by the presence or absence of "permit_mx_backup_networks" in the parent_domain_matches_subdomains parameter value.

The name of the pickup(8) service. This service picks up local mail submissions from the Postfix maildrop queue.

This feature is available in Postfix 2.0 and later.

Optional filter for the pipe(8) delivery agent to change the delivery status code or explanatory text of successful or unsuccessful deliveries. See default_delivery_status_filter for details.

This feature is available in Postfix 3.0 and later.

The numerical Postfix SMTP server response code when a request is rejected by the reject_plaintext_session restriction.

This feature is available in Postfix 2.3 and later.

The name of the postlogd(8) service entry in master.cf. This service appends logfile records to the file specified with the maillog_file parameter.

This feature is available in Postfix 3.4 and later.

How much time a postlogd(8) process may take to process a request before it is terminated by a built-in watchdog timer. This is a safety mechanism that prevents postlogd(8) from becoming non-responsive due to a bug in Postfix itself or in system software. This limit cannot be set under 10s.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 3.4 and later.

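The time-value syntax that this section repeats for each time-limit parameter (an integral value plus an optional one-letter suffix, with s as the default unit for the parameters here), as an added Python example that is not part of Postfix. It applies the two checks the text states: the value must be non-zero, and postlogd_watchdog_timeout cannot be set under 10s. The parameter names in SAMPLE_SETTINGS are real Postfix parameters; their values are constructed.

```python
import re

# Added example: parse and validate Postfix time values as described in postconf(5).
# Not Postfix code.

# Multipliers for the one-letter time-unit suffixes.
TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

_TIME_RE = re.compile(r"^(\d+)([smhdw]?)$")


def parse_time_value(value: str, default_unit: str = "s") -> int:
    """Convert a Postfix time value such as "300s", "5m" or "3" to seconds.

    A bare number is interpreted in default_unit (seconds for the parameters
    in this section). Anything else, including a space before the suffix or
    an unknown suffix, raises ValueError.
    """
    match = _TIME_RE.match(value.strip())
    if not match:
        raise ValueError(f"bad time value: {value!r}")
    number, unit = match.groups()
    return int(number) * TIME_UNITS[unit or default_unit]


def check_time_limit(name: str, value: str, minimum_seconds: int = 1) -> int:
    """Validate a time-limit parameter and return its effective value in seconds.

    The time limits in this section must be non-zero (minimum_seconds=1);
    postlogd_watchdog_timeout cannot be set below 10s, so pass minimum_seconds=10.
    A parameter that allows zero to mean "disabled" would pass minimum_seconds=0.
    """
    seconds = parse_time_value(value)
    if seconds < minimum_seconds:
        raise ValueError(f"{name} = {value}: below the minimum of {minimum_seconds}s")
    return seconds


# Constructed values for real parameter names (not taken from any real system).
SAMPLE_SETTINGS = {
    "milter_connect_timeout": "30s",
    "milter_content_timeout": "5m",
    "postlogd_watchdog_timeout": "10s",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_SETTINGS.items():
        floor = 10 if name == "postlogd_watchdog_timeout" else 1
        print(f"{name} = {raw} -> {check_time_limit(name, raw, floor)} seconds")
```
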
The postfix(1) commands that the postmulti(1) instance manager treats as "control" commands, that operate on running instances. For these commands, disabled instances are skipped.

This feature is available in Postfix 2.6 and later.

The postfix(1) commands that the postmulti(1) instance manager treats as "start" commands. For these commands, disabled instances are "checked" rather than "started", and failure to "start" a member instance of an instance group will abort the start-up of later instances.

This feature is available in Postfix 2.6 and later.

The postfix(1) commands that the postmulti(1) instance manager treats as "stop" commands. For these commands, disabled instances are skipped, and enabled instances are processed in reverse order.

This feature is available in Postfix 2.6 and later.

Permanent white/blacklist for remote SMTP client IP addresses. postscreen(8) searches this list immediately after a remote SMTP client connects. Specify a comma- or whitespace-separated list of commands (in upper or lower case) or lookup tables. The search stops upon the first command that fires for the client IP address.

permit_mynetworks
    Whitelist the client and terminate the search if the client IP address matches $mynetworks. Do not subject the client to any before/after 220 greeting tests. Pass the connection immediately to a Postfix SMTP server process.
    Pattern matching of domain names is controlled by the presence or absence of "postscreen_access_list" in the parent_domain_matches_subdomains parameter value.

type:table
    Query the specified lookup table. Each table lookup result is an access list, except that access lists inside a table cannot specify type:table entries.
    To discourage the use of hash, btree, etc. tables, there is no support for substring matching like smtpd(8). Use CIDR tables instead.

permit
    Whitelist the client and terminate the search. Do not subject the client to any before/after 220 greeting tests. Pass the connection immediately to a Postfix SMTP server process.

reject
    Blacklist the client and terminate the search. Subject the client to the action configured with the postscreen_blacklist_action configuration parameter.

dunno
    All postscreen(8) access lists implicitly have this command at the end.
    When dunno is executed inside a lookup table, return from the lookup table and evaluate the next command.
    When dunno is executed outside a lookup table, terminate the search, and subject the client to the configured before/after 220 greeting tests.

Example:

    /etc/postfix/main.cf:
        postscreen_access_list = permit_mynetworks,
            cidr:/etc/postfix/postscreen_access.cidr
        postscreen_blacklist_action = enforce

    /etc/postfix/postscreen_access.cidr:
        # Rules are evaluated in the order as specified.
        # Blacklist 192.168.* except 192.168.0.1.
        192.168.0.1             dunno
        192.168.0.0/16          reject

This feature is available in Postfix 2.8.

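The search order described above, walked through in Python as an added example (not postscreen(8) code), using the example configuration from this entry together with a constructed mynetworks value and the cidr: table contents supplied in memory. The evaluator returns "permit" (pass the connection to a Postfix SMTP server process), "reject" (apply postscreen_blacklist_action), or "tests" (subject the client to the before/after 220 greeting tests), and shows the two meanings of dunno: inside a table it returns to the next command of the outer list, outside a table it ends the search. The permit_mynetworks check here is a plain network match without "!" patterns or file expansion, and the cidr: table is a first-match list of (network, result) pairs, as the "evaluated in the order as specified" comment states.

```python
import ipaddress
import re

# Added example: evaluate a postscreen_access_list for one client address.
# Not postscreen(8) code; the table type is an in-memory stand-in for a cidr: table.


def split_list(value: str) -> list:
    """Split a comma- and/or whitespace-separated main.cf list."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def to_network(pattern: str):
    """Accept "a.b.c.d/n", "[v6addr]/n" or a bare address (IPv6 is written inside [] in main.cf)."""
    return ipaddress.ip_network(re.sub(r"\[([^\]]+)\]", r"\1", pattern), strict=False)


def cidr_lookup(rules, client):
    """Stand-in for a cidr: table: rules are (network, result) pairs tried in order;
    the first match wins, None means no rule matched."""
    for network, result in rules:
        if client in to_network(network):
            return result
    return None


def evaluate_access_list(access_list, client_ip, mynetworks, tables, inside_table=False):
    """Search an access list left to right and return the first command that fires:
    'permit', 'reject', or 'tests' (the client goes on to the before/after 220 tests).
    Inside a table, 'dunno' is returned so the caller continues with its next command."""
    client = ipaddress.ip_address(client_ip)
    for command in split_list(access_list):
        lowered = command.lower()  # commands may be written in upper or lower case
        if lowered == "permit_mynetworks":
            if any(client in to_network(n) for n in split_list(mynetworks)):
                return "permit"
        elif lowered == "permit":
            return "permit"
        elif lowered == "reject":
            return "reject"
        elif lowered == "dunno":
            return "dunno" if inside_table else "tests"
        elif ":" in command:
            if inside_table:
                raise ValueError("access lists inside a table cannot specify type:table entries")
            if command not in tables:
                raise KeyError(f"unknown table {command!r}")
            result = cidr_lookup(tables[command], client)
            if result is not None:
                outcome = evaluate_access_list(result, client_ip, mynetworks, tables, True)
                if outcome != "dunno":
                    return outcome
        else:
            raise ValueError(f"unknown postscreen_access_list command {command!r}")
    # Every access list implicitly ends with dunno.
    return "dunno" if inside_table else "tests"


# The example configuration from this entry, plus a constructed mynetworks value and
# the table contents from /etc/postfix/postscreen_access.cidr held in memory.
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"
MYNETWORKS = "127.0.0.0/8 [::1]/128"
TABLES = {
    "cidr:/etc/postfix/postscreen_access.cidr": [
        ("192.168.0.1", "dunno"),     # Blacklist 192.168.* except 192.168.0.1.
        ("192.168.0.0/16", "reject"),
    ],
}


def triage(client_ip: str) -> str:
    """Outcome of the example configuration for one connecting client."""
    return evaluate_access_list(ACCESS_LIST, client_ip, MYNETWORKS, TABLES)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.0.1", "192.168.5.7", "10.0.0.1"):
        print(ip, "->", triage(ip))
```

For 192.168.0.1 the table returns dunno, so the search continues past the table and, finding nothing further, ends with the client being subjected to the greeting tests; 192.168.5.7 hits the /16 rule and is blacklisted, which with the example's postscreen_blacklist_action = enforce means a 550 reply at delivery time; 127.0.0.1 is whitelisted by permit_mynetworks before the table is consulted.
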
The action that postscreen(8) takes when a remote SMTP client sends a bare newline character, that is, a newline not preceded by carriage return. Specify one of the following:

ignore
    Ignore the failure of this test. Allow other tests to complete. Do not repeat this test before the result from some other test expires. This option is useful for testing and collecting statistics without blocking mail permanently.

enforce
    Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.

This feature is available in Postfix 2.8.

Enable "bare newline" SMTP protocol tests in the postscreen(8) server. These tests are expensive: a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

This feature is available in Postfix 2.8.

The amount of time that postscreen(8) will use the result from a successful "bare newline" SMTP protocol test. During this time, the client IP address is excluded from this test. The default is long because a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.8.

The action that postscreen(8) takes when a remote SMTP client is permanently blacklisted with the postscreen_access_list parameter. Specify one of the following:

ignore (default)
    Ignore this result. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.

enforce
    Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.

This feature is available in Postfix 2.8.

The amount of time between postscreen(8) cache cleanup runs. Cache cleanup increases the load on the cache database and should therefore not be run frequently. This feature requires that the cache database supports the "delete" and "sequence" operators. Specify a zero interval to disable cache cleanup.

After each cache cleanup run, the postscreen(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as "partial" when the daemon terminates early after "postfix reload", "postfix stop", or no requests for $max_idle seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.8.

Persistent storage for the postscreen(8) server decisions.

To share a postscreen(8) cache between multiple postscreen(8) instances, use "postscreen_cache_map = proxy:btree:/path/to/file". This requires Postfix version 2.9 or later; earlier proxymap(8) implementations don't support cache cleanup. For an alternative approach see the memcache_table(5) manpage.

This feature is available in Postfix 2.8.

The amount of time that postscreen(8) will cache an expired temporary whitelist entry before it is removed. This prevents clients from being logged as "NEW" just because their cache entry expired an hour ago. It also prevents the cache from filling up with clients that passed some deep protocol test once and never came back.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.8.

tion_count_limit)
How many simultaneous connections any remote SMTP client is allowed to have with the postscreen(8) daemon. By default, this limit is the same as with the Postfix SMTP server. Note that the triage process can take several seconds, with the time spent in postscreen_greet_wait delay, and with the time spent talking to the postscreen(8) built-in dummy SMTP protocol engine.

This feature is available in Postfix 2.8.

The limit on the total number of commands per SMTP session for postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers or rejects all attempts to deliver mail, therefore there is no need to enforce separate limits on the number of junk commands and error commands.

This feature is available in Postfix 2.8.

A mechanism to transform commands from remote SMTP clients. See smtpd_command_filter for further details.

This feature is available in Postfix 2.8 and later.

The time limit to read an entire command line with postscreen(8)'s built-in SMTP protocol engine.

This feature is available in Postfix 2.8.

Disable the SMTP VRFY command in the postscreen(8) daemon. See disable_vrfy_command for details.

This feature is available in Postfix 2.8.

card_ehlo_keyword_address_maps)
Lookup tables, indexed by the remote SMTP client address, with case insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.) that the postscreen(8) server will not send in the EHLO response to a remote SMTP client. See smtpd_discard_ehlo_keywords for details. The table is not searched by hostname for robustness reasons.

This feature is available in Postfix 2.8 and later.

A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that the postscreen(8) server will not send in the EHLO response to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.

This feature is available in Postfix 2.8 and later.

4842 The action that postscreen(8) takes when a remote SMTP client's com‐
4843 bined DNSBL score is equal to or greater than a threshold (as defined
4844 with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
4845 ters). Specify one of the following:
4846
4847 ignore (default)
4848 Ignore the failure of this test. Allow other tests to complete.
4849 Repeat this test the next time the client connects. This option
4850 is useful for testing and collecting statistics without blocking
4851 mail.
4852
4853 enforce
4854 Allow other tests to complete. Reject attempts to deliver mail
4855 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4856 mation. Repeat this test the next time the client connects.
4857
4858 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4859 this test the next time the client connects.
4860
4861 This feature is available in Postfix 2.8.
4862
4864 postscreen_dnsbl_max_ttl (default: ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
4865 The maximum amount of time that postscreen(8) will use the result from
4866 a successful DNS-based reputation test before a client IP address is
4867 required to pass that test again. If the DNS reply specifies a shorter
4868 TTL value, that value will be used unless it would be smaller than
4869 postscreen_dnsbl_min_ttl.
4870
4871 Specify a non-zero time value (an integral value plus an optional
4872 one-letter suffix that specifies the time unit). Time units: s (sec‐
4873 onds), m (minutes), h (hours), d (days), w (weeks).
4874
4875 This feature is available in Postfix 3.1. The default setting is back‐
4876 wards-compatible with older Postfix versions.
4877
4879 The minimum amount of time that postscreen(8) will use the result from
4880 a successful DNS-based reputation test before a client IP address is
4881 required to pass that test again. If the DNS reply specifies a larger
4882 TTL value, that value will be used unless it would be larger than
4883 postscreen_dnsbl_max_ttl.
4884
4885 Specify a non-zero time value (an integral value plus an optional
4886 one-letter suffix that specifies the time unit). Time units: s (sec‐
4887 onds), m (minutes), h (hours), d (days), w (weeks).
4888
4889 This feature is available in Postfix 3.1.
4890
4892 A mapping from the actual DNSBL domain name, which includes a secret
4893 password, to the DNSBL domain name that postscreen will reply with when
4894 it rejects mail. When no mapping is found, the actual DNSBL domain will
4895 be used.
4896
4897 For maximal stability it is best to use a file that is read into memory
4898 such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
4899 except a) there is no need to run postmap(1) before the file can be
4900 used, and b) texthash: does not detect changes after the file is read).
4901
4902 Example:
4903
4904 /etc/postfix/main.cf:
4905 postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
4906
4907 /etc/postfix/dnsbl_reply:
4908 secret.zen.spamhaus.org zen.spamhaus.org
4909
4910 This feature is available in Postfix 2.8.
4911
4913 Optional list of DNS white/blacklist domains, filters and weight fac‐
4914 tors. When the list is non-empty, the dnsblog(8) daemon will query
4915 these domains with the IP addresses of remote SMTP clients, and
4916 postscreen(8) will update an SMTP client's DNSBL score with each
4917 non-error reply.
4918
4919 Caution: when postscreen rejects mail, it replies with the DNSBL domain
4920 name. Use the postscreen_dnsbl_reply_map feature to hide "password"
4921 information in DNSBL domain names.
4922
4923 When a client's score is equal to or greater than the threshold speci‐
4924 fied with postscreen_dnsbl_threshold, postscreen(8) can drop the con‐
4925 nection with the remote SMTP client.
4926
4927 Specify a list of domain=filter*weight entries, separated by comma or
4928 whitespace.
4929
4930 · When no "=filter" is specified, postscreen(8) will use any
4931 non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
4932 replies that match the filter. The filter has the form d.d.d.d,
4933 where each d is a number, or a pattern inside [] that contains
4934 one or more ";"-separated numbers or number..number ranges.
4935
4936 · When no "*weight" is specified, postscreen(8) increments the
4937 remote SMTP client's DNSBL score by 1. Otherwise, the weight
4938 must be an integral number, and postscreen(8) adds the specified
4939 weight to the remote SMTP client's DNSBL score. Specify a nega‐
4940 tive number for whitelisting.
4941
4942 · When one postscreen_dnsbl_sites entry produces multiple DNSBL
4943 responses, postscreen(8) applies the weight at most once.
4944
4945 Examples:
4946
4947 To use example.com as a high-confidence blocklist, and to block mail
4948 with example.net and example.org only when both agree:
4949
4950 postscreen_dnsbl_threshold = 2
4951 postscreen_dnsbl_sites = example.com*2, example.net, example.org
4952
4953 To filter only DNSBL replies containing 127.0.0.4:
4954
4955 postscreen_dnsbl_sites = example.com=127.0.0.4
4956
4957 This feature is available in Postfix 2.8.
4958
4960 The inclusive lower bound for blocking a remote SMTP client, based on
4961 its combined DNSBL score as defined with the postscreen_dnsbl_sites
4962 parameter.
4963
4964 This feature is available in Postfix 2.8.
4965
4967 The time limit for DNSBL or DNSWL lookups. This is separate from the
4968 timeouts in the dnsblog(8) daemon which are defined by system
4969 resolver(3) routines.
4970
4971 This feature is available in Postfix 3.0.
4972
4974 The amount of time that postscreen(8) will use the result from a suc‐
4975 cessful DNS-based reputation test before a client IP address is
4976 required to pass that test again.
4977
4978 Specify a non-zero time value (an integral value plus an optional
4979 one-letter suffix that specifies the time unit). Time units: s (sec‐
4980 onds), m (minutes), h (hours), d (days), w (weeks).
4981
4982 This feature is available in Postfix 2.8-3.0. It was replaced by
4983 postscreen_dnsbl_max_ttl in Postfix 3.1.
4984
4986 Allow a remote SMTP client to skip "before" and "after 220 greeting"
4987 protocol tests, based on its combined DNSBL score as defined with the
4988 postscreen_dnsbl_sites parameter.
4989
4990 Specify a negative value to enable this feature. When a client passes
4991 the postscreen_dnsbl_whitelist_threshold without having failed other
4992 tests, all pending or disabled tests are flagged as completed with a
4993 time-to-live value equal to postscreen_dnsbl_ttl. When a test was
4994 already completed, its time-to-live value is updated if it was less
4995 than postscreen_dnsbl_ttl.
4996
4997 This feature is available in Postfix 2.11.
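The scoring rules of postscreen_dnsbl_sites (filters, weights, the at-most-once rule), the postscreen_dnsbl_threshold decision and the postscreen_dnsbl_whitelist_threshold shortcut described above, modelled in Python as an added example; this is not Postfix code, it runs over constructed DNSBL replies instead of live lookups, and it assumes that a score at or below the (negative) whitelist threshold counts as passing that threshold.

```python
"""Added example (not Postfix code): a model of the postscreen_dnsbl_sites
scoring rules, the postscreen_dnsbl_threshold decision and the
postscreen_dnsbl_whitelist_threshold shortcut, run over constructed
DNSBL replies instead of live DNS lookups."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Site:
    domain: str
    filt: Optional[str]   # None: any non-error reply counts
    weight: int           # negative weights whitelist


def parse_sites(value: str) -> List[Site]:
    """Parse 'domain[=filter][*weight]' entries separated by comma/whitespace."""
    sites = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        weight = 1
        if "*" in entry:
            entry, weight_str = entry.rsplit("*", 1)
            weight = int(weight_str)        # weight must be an integral number
        filt = None
        if "=" in entry:
            entry, filt = entry.split("=", 1)
        sites.append(Site(entry.lower(), filt, weight))
    return sites


def _octet_matches(pattern: str, octet: int) -> bool:
    """One 'd' of the d.d.d.d filter: a plain number or '[n;n..m;...]'."""
    if pattern.startswith("[") and pattern.endswith("]"):
        for alt in pattern[1:-1].split(";"):
            if ".." in alt:
                low, high = alt.split("..", 1)
                if int(low) <= octet <= int(high):
                    return True
            elif int(alt) == octet:
                return True
        return False
    return int(pattern) == octet


def filter_matches(filt: Optional[str], reply: str) -> bool:
    """True when a DNSBL A-record reply is selected by the entry's filter."""
    if filt is None:
        return True
    # Tokenize as bracketed patterns or plain numbers: the '..' inside []
    # would be torn apart by a naive split on '.'.
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = reply.split(".")
    if len(patterns) != 4 or len(octets) != 4:
        return False
    return all(_octet_matches(p, int(o)) for p, o in zip(patterns, octets))


def dnsbl_score(sites: List[Site], replies: Dict[str, List[str]]) -> int:
    """Combined score; 'replies' maps DNSBL domain -> non-error A replies."""
    score = 0
    for site in sites:
        answers = replies.get(site.domain, [])
        # The weight is applied at most once per entry, however many
        # matching responses the DNSBL returned.
        if any(filter_matches(site.filt, r) for r in answers):
            score += site.weight
    return score


def dnsbl_verdict(score: int, threshold: int,
                  whitelist_threshold: int = 0) -> str:
    """'reject' at or above the threshold; 'whitelist' (skip the remaining
    before/after-greeting tests) when a negative whitelist threshold is set
    and the score is at or below it (the 'at or below' reading is an
    assumption of this model); otherwise 'pass'."""
    if score >= threshold:
        return "reject"
    if whitelist_threshold < 0 and score <= whitelist_threshold:
        return "whitelist"
    return "pass"


if __name__ == "__main__":
    # The manual's example: example.com alone is enough, net+org must agree.
    sites = parse_sites("example.com*2, example.net, example.org")
    print(dnsbl_score(sites, {"example.com": ["127.0.0.2"]}))   # 2
    print(dnsbl_score(sites, {"example.net": ["127.0.0.2"]}))   # 1
```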
4998
5000 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
5001 require that clients use TLS encryption. See
5002 smtpd_postscreen_enforce_tls for details.
5003
5004 This feature is available in Postfix 2.8 and later. Preferably, use
5005 postscreen_tls_security_level instead.
5006
5008 List of characters that are permitted in postscreen_reject_footer
5009 attribute expansions. See smtpd_expansion_filter for further details.
5010
5011 This feature is available in Postfix 2.8 and later.
5012
5014 List of commands that the postscreen(8) server considers in violation
5015 of the SMTP protocol. See smtpd_forbidden_commands for syntax, and
5016 postscreen_non_smtp_command_action for possible actions.
5017
5018 This feature is available in Postfix 2.8.
5019
5021 The action that postscreen(8) takes when a remote SMTP client speaks
5022 before its turn within the time specified with the
5023 postscreen_greet_wait parameter. Specify one of the following:
5024
5025 ignore (default)
5026 Ignore the failure of this test. Allow other tests to complete.
5027 Repeat this test the next time the client connects. This option
5028 is useful for testing and collecting statistics without blocking
5029 mail.
5030
5031 enforce
5032 Allow other tests to complete. Reject attempts to deliver mail
5033 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
5034 mation. Repeat this test the next time the client connects.
5035
5036 drop Drop the connection immediately with a 521 SMTP reply. Repeat
5037 this test the next time the client connects.
5038
5039 In each case, postscreen(8) will not whitelist the remote SMTP client
5040 IP address.
5041
5042 This feature is available in Postfix 2.8.
5043
5045 The text in the optional "220-text..." server response that
5046 postscreen(8) sends ahead of the real Postfix SMTP server's "220
5047 text..." response, in an attempt to confuse bad SMTP clients so that
5048 they speak before their turn (pre-greet). Specify an empty value to
5049 disable this feature.
5050
5051 This feature is available in Postfix 2.8.
5052
5054 The amount of time that postscreen(8) will use the result from a suc‐
5055 cessful PREGREET test. During this time, the client IP address is
5056 excluded from this test. The default is relatively short, because a
5057 good client can immediately talk to a real Postfix SMTP server.
5058
5059 Specify a non-zero time value (an integral value plus an optional
5060 one-letter suffix that specifies the time unit). Time units: s (sec‐
5061 onds), m (minutes), h (hours), d (days), w (weeks).
5062
5063 This feature is available in Postfix 2.8.
5064
5066 The amount of time that postscreen(8) will wait for an SMTP client to
5067 send a command before its turn, and for DNS blocklist lookup results to
5068 arrive (default: up to 2 seconds under stress, up to 6 seconds other‐
5069 wise).
5070
5071 Specify a non-zero time value (an integral value plus an optional
5072 one-letter suffix that specifies the time unit).
5073
5074 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5075
5076 This feature is available in Postfix 2.8.
5077
5079 Require that a remote SMTP client sends HELO or EHLO before commencing
5080 a MAIL transaction.
5081
5082 This feature is available in Postfix 2.8.
5083
5085 The action that postscreen(8) takes when a remote SMTP client sends
5086 non-SMTP commands as specified with the postscreen_forbidden_commands
5087 parameter. Specify one of the following:
5088
5089 ignore Ignore the failure of this test. Allow other tests to complete.
5090 Do not repeat this test before the result from some other test
5091 expires. This option is useful for testing and collecting
5092 statistics without blocking mail permanently.
5093
5094 enforce
5095 Allow other tests to complete. Reject attempts to deliver mail
5096 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
5097 mation. Repeat this test the next time the client connects.
5098
5099 drop Drop the connection immediately with a 521 SMTP reply. Repeat
5100 this test the next time the client connects. This action is the
5101 same as with the Postfix SMTP server's smtpd_forbidden_commands
5102 feature.
5103
5104 This feature is available in Postfix 2.8.
5105
5107 Enable "non-SMTP command" tests in the postscreen(8) server. These
5108 tests are expensive: a client must disconnect after it passes the test,
5109 before it can talk to a real Postfix SMTP server.
5110
5111 This feature is available in Postfix 2.8.
5112
5114 The amount of time that postscreen(8) will use the result from a suc‐
5115 cessful "non_smtp_command" SMTP protocol test. During this time, the
5116 client IP address is excluded from this test. The default is long
5117 because a client must disconnect after it passes the test, before it
5118 can talk to a real Postfix SMTP server.
5119
5120 Specify a non-zero time value (an integral value plus an optional
5121 one-letter suffix that specifies the time unit). Time units: s (sec‐
5122 onds), m (minutes), h (hours), d (days), w (weeks).
5123
5124 This feature is available in Postfix 2.8.
5125
5127 The action that postscreen(8) takes when a remote SMTP client sends
5128 multiple commands instead of sending one command and waiting for the
5129 server to respond. Specify one of the following:
5130
5131 ignore Ignore the failure of this test. Allow other tests to complete.
5132 Do not repeat this test before the result from some other test
5133 expires. This option is useful for testing and collecting
5134 statistics without blocking mail permanently.
5135
5136 enforce
5137 Allow other tests to complete. Reject attempts to deliver mail
5138 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
5139 mation. Repeat this test the next time the client connects.
5140
5141 drop Drop the connection immediately with a 521 SMTP reply. Repeat
5142 this test the next time the client connects.
5143
5144 This feature is available in Postfix 2.8.
5145
5147 Enable "pipelining" SMTP protocol tests in the postscreen(8) server.
5148 These tests are expensive: a good client must disconnect after it
5149 passes the test, before it can talk to a real Postfix SMTP server.
5150
5151 This feature is available in Postfix 2.8.
5152
5154 The amount of time that postscreen(8) will use the result from a suc‐
5155 cessful "pipelining" SMTP protocol test. During this time, the client
5156 IP address is excluded from this test. The default is long because a
5157 good client must disconnect after it passes the test, before it can
5158 talk to a real Postfix SMTP server.
5159
5160 Specify a non-zero time value (an integral value plus an optional
5161 one-letter suffix that specifies the time unit). Time units: s (sec‐
5162 onds), m (minutes), h (hours), d (days), w (weeks).
5163
5164 This feature is available in Postfix 2.8.
5165
5167 The number of clients that can be waiting for service from a real Post‐
5168 fix SMTP server process. When this queue is full, all clients will
5169 receive a 421 response.
5170
5171 This feature is available in Postfix 2.8.
5172
5174 The number of non-whitelisted clients that can be waiting for a deci‐
5175 sion whether they will receive service from a real Postfix SMTP server
5176 process. When this queue is full, all non-whitelisted clients will
5177 receive a 421 response.
5178
5179 This feature is available in Postfix 2.8.
5180
5182 Optional information that is appended after a 4XX or 5XX postscreen(8)
5183 server response. See smtpd_reject_footer for further details.
5184
5185 This feature is available in Postfix 2.8 and later.
5186
5188 Optional lookup table for information that is appended after a 4XX or
5189 5XX postscreen(8) server response. See smtpd_reject_footer_maps for
5190 further details.
5191
5192 This feature is available in Postfix 3.4 and later.
5193
5195 The SMTP TLS security level for the postscreen(8) server; when a
5196 non-empty value is specified, this overrides the obsolete parameters
5197 postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_secu‐
5198 rity_level for details.
5199
5200 This feature is available in Postfix 2.8 and later.
5201
5203 The name of the proxy protocol used by an optional before-postscreen
5204 proxy agent. When a proxy agent is used, this protocol conveys local
5205 and remote address and port information. Specify
5206 "postscreen_upstream_proxy_protocol = haproxy" to enable the haproxy
5207 protocol; version 2 is supported with Postfix 3.5 and later.
5208
5209 This feature is available in Postfix 2.10 and later.
5210
5212 The time limit for the proxy protocol specified with the
5213 postscreen_upstream_proxy_protocol parameter.
5214
5215 This feature is available in Postfix 2.10 and later.
5216
5218 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
5219 but do not require that clients use TLS encryption.
5220
5221 This feature is available in Postfix 2.8 and later. Preferably, use
5222 postscreen_tls_security_level instead.
5223
5225 How much time a postscreen(8) process may take to respond to a remote
5226 SMTP client command or to perform a cache operation before it is termi‐
5227 nated by a built-in watchdog timer. This is a safety mechanism that
5228 prevents postscreen(8) from becoming non-responsive due to a bug in
5229 Postfix itself or in system software. To avoid false alarms and unnec‐
5230 essary cache corruption this limit cannot be set under 10s.
5231
5232 Specify a non-zero time value (an integral value plus an optional
5233 one-letter suffix that specifies the time unit). Time units: s (sec‐
5234 onds), m (minutes), h (hours), d (days), w (weeks).
5235
5236 This feature is available in Postfix 2.8.
5237
5239 A list of local postscreen(8) server IP addresses where a
5240 non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
5241 whitelist status. This status is required before the client can talk to
5242 a Postfix SMTP server process. By default, a client can obtain
5243 postscreen(8)'s whitelist status on any local postscreen(8) server IP
5244 address.
5245
5246 When postscreen(8) listens on both primary and backup MX addresses, the
5247 postscreen_whitelist_interfaces parameter can be configured to give the
5248 temporary whitelist status only when a client connects to a primary MX
5249 address. Once a client is whitelisted it can talk to a Postfix SMTP
5250 server on any address. Thus, clients that connect only to backup MX
5251 addresses will never become whitelisted, and will never be allowed to
5252 talk to a Postfix SMTP server process.
5253
5254 Specify a list of network addresses or network/netmask patterns, sepa‐
5255 rated by commas and/or whitespace. The netmask specifies the number of
5256 bits in the network part of a host address. Continue long lines by
5257 starting the next line with whitespace.
5258
5259 You can also specify "/file/name" or "type:table" patterns. A
5260 "/file/name" pattern is replaced by its contents; a "type:table" lookup
5261 table is matched when a table entry matches a lookup string (the lookup
5262 result is ignored).
5263
5264 The list is matched left to right, and the search stops on the first
5265 match. Specify "!pattern" to exclude an address or network block from
5266 the list.
5267
5268 Note: IP version 6 address information must be specified inside [] in
5269 the postscreen_whitelist_interfaces value, and in files specified with
5270 "/file/name". IP version 6 addresses contain the ":" character, and
5271 would otherwise be confused with a "type:table" pattern.
5272
5273 Example:
5274
5275 /etc/postfix/main.cf:
5276 # Don't whitelist connections to the backup IP address.
5277 postscreen_whitelist_interfaces = !168.100.189.8, static:all
5278
5279 This feature is available in Postfix 2.9 and later.
5280
5282 The message delivery contexts where the Postfix local(8) delivery agent
5283 prepends a Delivered-To: message header with the address that the mail
5284 was delivered to. This information is used for mail delivery loop
5285 detection.
5286
5287 By default, the Postfix local delivery agent prepends a Delivered-To:
5288 header when forwarding mail and when delivering to file (mailbox) and
5289 command. Turning off the Delivered-To: header when forwarding mail is
5290 not recommended.
5291
5292 Specify zero or more of forward, file, or command.
5293
5294 Example:
5295
5296 prepend_delivered_header = forward
5297
5299 The process ID of a Postfix command or daemon process.
5300
5302 The location of Postfix PID files relative to $queue_directory. This
5303 is a read-only parameter.
5304
5306 The process name of a Postfix command or daemon process.
5307
5309 What address lookup tables copy an address extension from the lookup
5310 key to the lookup result.
5311
5312 For example, with a virtual(5) mapping of "joe@example.com =>
5313 joe.user@example.net", the address "joe+foo@example.com" would rewrite
5314 to "joe.user+foo@example.net".
5315
5316 Specify zero or more of canonical, virtual, alias, forward, include or
5317 generic. These cause address extension propagation with canonical(5),
5318 virtual(5), and aliases(5) maps, with local(8) .forward and :include:
5319 file lookups, and with smtp(8) generic maps, respectively.
5320
5321 Note: enabling this feature for types other than canonical and virtual
5322 is likely to cause problems when mail is forwarded to other sites,
5323 especially with mail that is sent to a mailing list exploder address.
5324
5325 Examples:
5326
5327 propagate_unmatched_extensions = canonical, virtual, alias,
5328 forward, include
5329 propagate_unmatched_extensions = canonical, virtual
5330
5332 The network interface addresses that this mail system receives mail on
5333 by way of a proxy or network address translation unit.
5334
5335 This feature is available in Postfix 2.0 and later.
5336
5337 You must specify your "outside" proxy/NAT addresses when your system is
5338 a backup MX host for other domains, otherwise mail delivery loops will
5339 happen when the primary MX host is down.
5340
5341 Example:
5342
5343 proxy_interfaces = 1.2.3.4
5344
5346 The lookup tables that the proxymap(8) server is allowed to access for
5347 the read-only service.
5348
5349 Specify zero or more "type:name" lookup tables, separated by whitespace
5350 or comma. Table references that don't begin with proxy: are ignored.
5351
5352 This feature is available in Postfix 2.0 and later.
5353
5355 The lookup tables that the proxymap(8) server is allowed to access for
5356 the read-write service. Postfix-owned local database files should be
5357 stored under the Postfix-owned data_directory. Table references that
5358 don't begin with proxy: are ignored.
5359
5360 This feature is available in Postfix 2.5 and later.
5361
5363 The name of the proxymap read-only table lookup service. This service
5364 is normally implemented by the proxymap(8) daemon.
5365
5366 This feature is available in Postfix 2.6 and later.
5367
5369 The name of the proxywrite read-write table lookup service. This ser‐
5370 vice is normally implemented by the proxymap(8) daemon.
5371
5372 This feature is available in Postfix 2.6 and later.
5373
5375 The minimal delay between warnings that a specific destination is clog‐
5376 ging up the Postfix active queue. Specify 0 to disable.
5377
5378 This feature is enabled with the helpful_warnings parameter.
5379
5380 This feature is available in Postfix 2.0 and later.
5381
5383 How much time a Postfix queue manager process may take to handle a
5384 request before it is terminated by a built-in watchdog timer.
5385
5386 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5387 The default time unit is s (seconds).
5388
5389 This feature is available in Postfix 2.8 and later.
5390
5392 Obsolete feature: the percentage of delivery resources that a busy mail
5393 system will use up for delivery of a large mailing list message.
5394
5395 This feature exists only in the oqmgr(8) old queue manager. The current
5396 queue manager solves the problem in a better way.
5397
5399 The time limit for the queue manager to send or receive information
5400 over an internal communication channel. The purpose is to break out of
5401 deadlock situations. If the time limit is exceeded the software either
5402 retries or aborts the operation.
5403
5404 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5405 The default time unit is s (seconds).
5406
5407 This feature is available in Postfix 2.8 and later.
5408
5410 The maximal number of messages in the active queue.
5411
5413 The maximal number of recipients held in memory by the Postfix queue
5414 manager, and the maximal size of the short-term, in-memory "dead" des‐
5415 tination status cache.
5416
5418 The minimal number of in-memory recipients for any message. This takes
5419 priority over any other in-memory recipient limits (i.e., the global
5420 qmgr_message_recipient_limit and the per transport _recipient_limit) if
5421 necessary. The minimum value allowed for this parameter is 1.
5422
5424 What remote QMQP clients are allowed to connect to the Postfix QMQP
5425 server port.
5426
5427 By default, no client is allowed to use the service. This is because
5428 the QMQP server will relay mail to any destination.
5429
5430 Specify a list of client patterns. A list pattern specifies a host
5431 name, a domain name, an internet address, or a network/mask pattern,
5432 where the mask specifies the number of bits in the network part. When
5433 a pattern specifies a file name, its contents are substituted for the
5434 file name; when a pattern is a "type:table" table specification, table
5435 lookup is used instead.
5436
5437 Patterns are separated by whitespace and/or commas. In order to reverse
5438 the result, precede a pattern with an exclamation point (!). The form
5439 "!/file/name" is supported only in Postfix version 2.4 and later.
5440
5441 Pattern matching of domain names is controlled by the presence or
5442 absence of "qmqpd_authorized_clients" in the parent_domain_matches_sub‐
5443 domains parameter value.
5444
5445 Example:
5446
5447 qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
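The address-list syntax shared by postscreen_whitelist_interfaces and qmqpd_authorized_clients (addresses, network/bits patterns, "!pattern" exclusions, IPv6 inside [], left-to-right search that stops at the first match), as an added Python example rather than Postfix code. It assumes only the "static:" table type (treated as matching everything, so the manual's "!168.100.189.8, static:all" example runs); host names, "/file/name" and other "type:table" patterns are not modelled.

```python
"""Added example (not Postfix code): a matcher for the address-list syntax
of postscreen_whitelist_interfaces and qmqpd_authorized_clients."""
import ipaddress
import re
from typing import List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Pattern = Tuple[bool, Union[Net, str]]   # (negated, network or "static")


def parse_address_list(value: str) -> List[Pattern]:
    """Split on whitespace and/or commas; '!' negates the pattern that follows."""
    patterns: List[Pattern] = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:]
        if token.startswith("static:"):
            # Assumption of this model: static: matches every address.
            patterns.append((negated, "static"))
            continue
        if token.startswith("/") or (":" in token and not token.startswith("[")):
            raise ValueError(f"unsupported /file/name or type:table pattern: {token}")
        # IPv6 must be written as [addr] or [addr]/bits so that its ':'
        # characters are not mistaken for a type:table pattern.
        m = re.fullmatch(r"\[([^\]]+)\](?:/(\d+))?", token)
        if m:
            addr, bits = m.group(1), m.group(2)
            token = addr if bits is None else f"{addr}/{bits}"
        # A bare address becomes a /32 or /128 network; bits = size of the
        # network part of the address.
        patterns.append((negated, ipaddress.ip_network(token, strict=False)))
    return patterns


def address_is_listed(value: str, client: str) -> bool:
    """True when 'client' is in the list; '!' patterns exclude a matching
    address. The first matching pattern decides; no match means 'not listed'."""
    ip = ipaddress.ip_address(client)
    for negated, net in parse_address_list(value):
        if net == "static" or (ip.version == net.version and ip in net):
            return not negated
    return False


if __name__ == "__main__":
    # The manual's examples, evaluated for a few constructed client addresses.
    print(address_is_listed("!192.168.0.1, 192.168.0.0/24", "192.168.0.1"))   # False
    print(address_is_listed("!192.168.0.1, 192.168.0.0/24", "192.168.0.77"))  # True
    print(address_is_listed("!168.100.189.8, static:all", "168.100.189.8"))   # False
```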
5448
5450 Enable logging of the remote QMQP client port in addition to the host‐
5451 name and IP address. The logging format is "host[address]:port".
5452
5453 This feature is available in Postfix 2.5 and later.
5454
5456 How long the Postfix QMQP server will pause before sending a negative
5457 reply to the remote QMQP client. The purpose is to slow down confused
5458 or malicious clients.
5459
5460 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5461 The default time unit is s (seconds).
5462
5464 The time limit for sending or receiving information over the network.
5465 If a read or write operation blocks for more than $qmqpd_timeout sec‐
5466 onds the Postfix QMQP server gives up and disconnects.
5467
5468 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5469 The default time unit is s (seconds).
5470
5472 The location of the Postfix top-level queue directory. This is the root
5473 directory of Postfix daemon processes that run chrooted.
5474
5476 The maximal number of (name=value) attributes that may be stored in a
5477 Postfix queue file. The limit is enforced by the cleanup(8) server.
5478
5479 This feature is available in Postfix 2.0 and later.
5480
5482 The minimal amount of free space in bytes in the queue file system that
5483 is needed to receive mail. This is currently used by the Postfix SMTP
5484 server to decide if it will accept any mail at all.
5485
5486 By default, the Postfix SMTP server rejects MAIL FROM commands when the
5487 amount of free space is less than 1.5*$message_size_limit (Postfix ver‐
5488 sion 2.1 and later). To specify a higher minimum free space limit,
5489 specify a queue_minfree value that is at least 1.5*$message_size_limit.
5490
5491 With Postfix versions 2.0 and earlier, a queue_minfree value of zero
5492 means there is no minimum required amount of free space.
5493
5495 The time between deferred queue scans by the queue manager; prior to
5496 Postfix 2.4 the default value was 1000s.
5497
5498 This parameter should be set less than or equal to $minimal_back‐
5499 off_time. See also $maximal_backoff_time.
5500
5501 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5502 The default time unit is s (seconds).
5503
5505 The name of the qmgr(8) service. This service manages the Postfix queue
5506 and schedules delivery requests.
5507
5508 This feature is available in Postfix 2.0 and later.
5509
5511 Optional lookup tables with RBL response templates. The tables are
5512 indexed by the RBL domain name. By default, Postfix uses the default
5513 template as specified with the default_rbl_reply configuration parame‐
5514 ter. See there for a discussion of the syntax of RBL reply templates.
5515
5516 This feature is available in Postfix 2.0 and later.
5517
5519 The location of Postfix README files that describe how to build, con‐
5520 figure or operate a specific Postfix subsystem or feature.
5521
5523 Enable or disable recipient validation, built-in content filtering, or
5524 address mapping. Typically, these are specified in master.cf as com‐
5525 mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
5526
5527 Specify zero or more of the following options. The options override
5528 main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
5529 pickup(8) themselves, or they are forwarded to the cleanup server.
5530
5531 no_unknown_recipient_checks
5532 Do not try to reject unknown recipients (SMTP server only).
5533 This is typically specified AFTER an external content filter.
5534
5535 no_address_mappings
5536 Disable canonical address mapping, virtual alias map expansion,
5537 address masquerading, and automatic BCC (blind carbon-copy)
5538 recipients. This is typically specified BEFORE an external con‐
5539 tent filter.
5540
5541 no_header_body_checks
5542 Disable header/body_checks. This is typically specified AFTER an
5543 external content filter.
5544
5545 no_milters
5546 Disable Milter (mail filter) applications. This is typically
5547 specified AFTER an external content filter.
5548
5549 Note: when the "BEFORE content filter" receive_override_options setting
5550 is specified in the main.cf file, specify the "AFTER content filter"
5551 receive_override_options setting in master.cf (and vice versa).
5552
5553 Examples:
5554
5555 receive_override_options =
5556 no_unknown_recipient_checks, no_header_body_checks
5557 receive_override_options = no_address_mappings
5558
5559 This feature is available in Postfix 2.1 and later.
5560
5562 Optional BCC (blind carbon-copy) address lookup tables, indexed by
5563 recipient address. The BCC address (multiple results are not sup‐
5564 ported) is added when mail enters from outside of Postfix.
5565
5566 Specify zero or more "type:name" lookup tables, separated by whitespace
5567 or comma. Tables will be searched in the specified order until a match
5568 is found.
5569
5570 The table search order is as follows:
5571
5572 · Look up the "user+extension@domain.tld" address including the
5573 optional address extension.
5574
5575 · Look up the "user@domain.tld" address without the optional
5576 address extension.
5577
5578 · Look up the "user+extension" address local part when the recipi‐
5579 ent domain equals $myorigin, $mydestination, $inet_interfaces or
5580 $proxy_interfaces.
5581
5582 · Look up the "user" address local part when the recipient domain
5583 equals $myorigin, $mydestination, $inet_interfaces or
5584 $proxy_interfaces.
5585
5586 · Look up the "@domain.tld" part.
5587
5588 Note: with Postfix 2.3 and later the BCC address is added as if it was
5589 specified with NOTIFY=NONE. The sender will not be notified when the
5590 BCC address is undeliverable, as long as all down-stream software
5591 implements RFC 3461.
5592
5593 Note: with Postfix 2.2 and earlier the sender will unconditionally be
5594 notified when the BCC address is undeliverable.
5595
5596 Note: automatic BCC recipients are produced only for new mail. To
5597 avoid mailer loops, automatic BCC recipients are not generated after
5598 Postfix forwards mail internally, or after Postfix generates mail
5599 itself.
5600
5601 Example:
5602
5603 recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
5604
5605 After a change, run "postmap /etc/postfix/recipient_bcc".
5606
5607 This feature is available in Postfix 2.1 and later.
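The recipient_bcc_maps search order above, together with the propagate_unmatched_extensions behaviour ("joe+foo@example.com" rewriting to "joe.user+foo@example.net") described earlier, modelled in Python as an added example; this is not Postfix code. It assumes "+" as the recipient_delimiter unless told otherwise, case-folded table keys, and an in-memory dict standing in for the hash: table; of the virtual(5) search order only the full-address and user@domain steps are modelled.

```python
"""Added example (not Postfix code): the recipient_bcc_maps search order
and the propagate_unmatched_extensions behaviour, over constructed tables."""
from typing import Dict, List, Optional, Set, Tuple


def split_extension(localpart: str, delimiters: str = "+") -> Tuple[str, Optional[str]]:
    """Split 'user+foo' at the first character from the recipient_delimiter
    set. One delimiter and one extension are recognized: everything after
    the first delimiter is the extension."""
    for i, ch in enumerate(localpart):
        if ch in delimiters:
            return localpart[:i], localpart[i + 1:]
    return localpart, None


def bcc_search_keys(recipient: str, local_domains: Set[str],
                    delimiters: str = "+") -> List[str]:
    """Lookup keys in recipient_bcc_maps search order. local_domains stands
    in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces."""
    localpart, _, domain = recipient.rpartition("@")
    user, ext = split_extension(localpart, delimiters)
    keys = []
    if ext is not None:
        keys.append(f"{localpart}@{domain}")   # user+extension@domain.tld
    keys.append(f"{user}@{domain}")            # user@domain.tld
    if domain.lower() in local_domains:
        if ext is not None:
            keys.append(localpart)             # user+extension
        keys.append(user)                      # user
    keys.append(f"@{domain}")                  # @domain.tld
    return [k.lower() for k in keys]           # assumption: case-folded keys


def bcc_lookup(table: Dict[str, str], recipient: str, local_domains: Set[str],
               delimiters: str = "+", new_mail: bool = True) -> Optional[str]:
    """First match wins and yields a single BCC address. Mail that Postfix
    forwarded internally or generated itself (new_mail=False) gets none."""
    if not new_mail:
        return None
    for key in bcc_search_keys(recipient, local_domains, delimiters):
        if key in table:
            return table[key]
    return None


def virtual_rewrite(table: Dict[str, str], address: str,
                    delimiters: str = "+", propagate: bool = True) -> str:
    """Rewrite through a virtual-style table: try the full address, then
    user@domain. With propagate=True (as when 'virtual' is listed in
    propagate_unmatched_extensions) an extension that the matching key did
    not contain is copied onto the lookup result."""
    localpart, _, domain = address.rpartition("@")
    user, ext = split_extension(localpart, delimiters)
    full = address.lower()
    if full in table:
        return table[full]
    if ext is None:
        return address
    base = f"{user}@{domain}".lower()
    if base not in table:
        return address
    result = table[base]
    if not propagate:
        return result
    delim = localpart[len(user)]               # the delimiter actually found
    rlocal, _, rdomain = result.rpartition("@")
    return f"{rlocal}{delim}{ext}@{rdomain}"


if __name__ == "__main__":
    # Constructed tables, standing in for hash:/etc/postfix/recipient_bcc
    # and a virtual(5) map.
    bcc = {"sales@example.com": "archive@example.net", "@example.org": "copies@example.net"}
    print(bcc_lookup(bcc, "sales+promo@example.com", {"example.com"}))  # archive@example.net
    virt = {"joe@example.com": "joe.user@example.net"}
    print(virtual_rewrite(virt, "joe+foo@example.com"))                 # joe.user+foo@example.net
```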
5608
5610 What addresses are subject to recipient_canonical_maps address mapping.
5611 By default, recipient_canonical_maps address mapping is applied to
5612 envelope recipient addresses, and to header recipient addresses.
5613
5614 Specify one or more of: envelope_recipient, header_recipient
5615
5616 This feature is available in Postfix 2.2 and later.
5617
5619 Optional address mapping lookup tables for envelope and header recipi‐
5620 ent addresses. The table format and lookups are documented in canoni‐
5621 cal(5).
5622
5623 Note: $recipient_canonical_maps is processed before $canonical_maps.
5624
5625 Example:
5626
5627 recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
5628
5630 The set of characters that can separate a user name from its extension
5631 (example: user+foo), or a .forward file name from its extension
5632 (example: .forward+foo). Basically, the software tries user+foo and
5633 .forward+foo before trying user and .forward. This implementation
5634 recognizes one delimiter character and one extension per email address
5635 or .forward file name.
5636
5637 When the recipient_delimiter set contains multiple characters (Postfix
5638 2.11 and later), a user name or .forward file name is separated from
5639 its extension by the first character that matches the
5640 recipient_delimiter set.
5641
5642 See canonical(5), local(8), relocated(5) and virtual(5) for the effects
5643 of recipient_delimiter on lookups in aliases, canonical, virtual, and
5644 relocated maps, and see the propagate_unmatched_extensions parameter
5645 for propagating an extension from one email address to another.
5646
5647 When used in command_execution_directory, forward_path, or luser_relay,
5648 ${recipient_delimiter} is replaced with the actual recipient delimiter
5649 that was found in the recipient email address (Postfix 2.11 and later),
5650 or it is replaced with the main.cf recipient_delimiter parameter value
5651 (Postfix 2.10 and earlier).
5652
5653 The recipient_delimiter is not applied to the mailer-daemon address,
5654 the postmaster address, or the double-bounce address. With the default
5655 "owner_request_special = yes" setting, the recipient_delimiter is also
5656 not applied to addresses with the special "owner-" prefix or the spe‐
5657 cial "-request" suffix.
5658
5659 Examples:
5660
5661 # Handle Postfix-style extensions.
5662 recipient_delimiter = +
5663
5664 # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
5665 recipient_delimiter = +-
5666
5667 # Use .forward for mail without address extension, and for mail with
5668 # an unrecognized address extension.
5669 forward_path = $home/.forward${recipient_delimiter}${extension},
5670 $home/.forward
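
As an added example (not Postfix code), the following Python splits a local part at the first recipient_delimiter character with the exceptions described above, and expands the forward_path setting from the examples; the refusal to split when the user part would be empty is an assumption beyond what the page states.

```python
"""Added example, not Postfix code: split a local part at the first
character of the recipient_delimiter set (Postfix 2.11 semantics) with the
exceptions postconf(5) lists, then expand the forward_path from the page."""

# Addresses that never get an extension split off, whatever the delimiter
# set is ("double-bounce" is the default double_bounce_sender name).
SPECIAL_LOCALPARTS = {"mailer-daemon", "postmaster", "double-bounce"}


def split_extension(localpart, delimiters, owner_request_special=True):
    """Return (user, delimiter, extension); delimiter and extension are ""
    when the address is not split.

    Only one delimiter character and one extension are recognised: the
    split is at the first character of `localpart` that is in `delimiters`,
    so "user+foo-bar" with delimiters "+-" gives ("user", "+", "foo-bar").
    """
    lower = localpart.lower()
    if lower in SPECIAL_LOCALPARTS:
        return localpart, "", ""
    # owner-* and *-request stay whole with the default owner_request_special = yes.
    if owner_request_special and (lower.startswith("owner-")
                                  or lower.endswith("-request")):
        return localpart, "", ""
    for i, ch in enumerate(localpart):
        if ch in delimiters:
            # Assumption beyond the page: never produce an empty user part.
            if i == 0:
                return localpart, "", ""
            return localpart[:i], ch, localpart[i + 1:]
    return localpart, "", ""


def forward_paths(home, localpart, delimiters, forward_path):
    """Expand the forward_path example from the page for one recipient.

    ${recipient_delimiter} is replaced by the delimiter actually found in
    the address and ${extension} by the extension (both empty when the
    address was not split), so ".forward+foo" is tried before ".forward".
    Duplicates are dropped here for readability; that is this example's
    choice, not something the page states.
    """
    _user, delim, ext = split_extension(localpart, delimiters)
    paths = []
    for template in forward_path.split(","):
        path = (template.strip()
                .replace("${recipient_delimiter}", delim)
                .replace("${extension}", ext)
                .replace("$home", home))
        if path not in paths:
            paths.append(path)
    return paths


if __name__ == "__main__":
    # Constructed sample: recipient_delimiter = +- (Postfix and qmail style).
    for lp in ("alice+sales", "alice-sales", "alice+sales-q1", "owner-list",
               "list-request", "Postmaster", "+oops"):
        print(lp, "->", split_extension(lp, "+-"))
    print(forward_paths("/home/alice", "alice+sales", "+",
                        "$home/.forward${recipient_delimiter}${extension}, $home/.forward"))
```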
5671
5673 The numerical Postfix SMTP server response code when a remote SMTP
5674 client request is rejected by the "reject" restriction.
5675
5676 Do not change this unless you have a complete understanding of RFC
5677 5321.
5678
5680 The Postfix SMTP server's action when a reject-type restriction fails
5681 due to a temporary error condition. Specify "defer" to defer the remote
5682 SMTP client request immediately. With the default "defer_if_permit"
5683 action, the Postfix SMTP server continues to look for opportunities to
5684 reject mail, and defers the client request only if it would otherwise
5685 be accepted.
5686
5687 For finer control, see: unverified_recipient_tempfail_action,
5688 unverified_sender_tempfail_action, unknown_address_tempfail_action, and
5689 unknown_helo_hostname_tempfail_action.
5690
5691 This feature is available in Postfix 2.6 and later.
5692
5694 List of tables with remote SMTP client-certificate fingerprints or
5695 public key fingerprints (Postfix 2.9 and later) for which the Postfix
5696 SMTP server will allow access with the permit_tls_clientcerts feature.
5697 The fingerprint digest algorithm is configurable via the
5698 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
5699 Postfix version 2.5).
5700
5701 Postfix lookup tables are in the form of (key, value) pairs. Since we
5702 only need the key, the value can be chosen freely, e.g. the name of
5703 the user or host:
5704 D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
5705
5706 Example:
5707
5708 relay_clientcerts = hash:/etc/postfix/relay_clientcerts
5709
5710 For more fine-grained control, use check_ccert_access to select an
5711 appropriate access(5) policy for each client. See
5712 RESTRICTION_CLASS_README.
5713
5714 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint
5715 incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6
5716 or later.
5717
5718 This feature is available with Postfix version 2.2.
5719
5721 relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)
5722 The maximal number of parallel deliveries to the same destination via
5723 the relay message delivery transport. This limit is enforced by the
5724 queue manager. The message delivery transport name is the first field
5725 in the entry in the master.cf file.
5726
5727 This feature is available in Postfix 2.0 and later.
5728
5730 relay_destination_recipient_limit (default: $default_destination_recipient_limit)
5731 The maximal number of recipients per message for the relay message
5732 delivery transport. This limit is enforced by the queue manager. The
5733 message delivery transport name is the first field in the entry in the
5734 master.cf file.
5735
5736 Setting this parameter to a value of 1 changes the meaning of
5737 relay_destination_concurrency_limit from concurrency per domain into
5738 concurrency per recipient.
5739
5740 This feature is available in Postfix 2.0 and later.
5741
5743 What destination domains (and subdomains thereof) this system will
5744 relay mail to. For details about how the relay_domains value is used,
5745 see the description of the permit_auth_destination and
5746 reject_unauth_destination SMTP recipient restrictions.
5747
5748 Domains that match $relay_domains are delivered with the
5749 $relay_transport mail delivery transport. The SMTP server validates
5750 recipient addresses with $relay_recipient_maps and rejects non-existent
5751 recipients. See also the relay domains address class in the
5752 ADDRESS_CLASS_README file.
5753
5754 Note: Postfix will not automatically forward mail for domains that list
5755 this system as their primary or backup MX host. See the
5756 permit_mx_backup restriction in the postconf(5) manual page.
5757
5758 Specify a list of host or domain names, "/file/name" patterns or
5759 "type:table" lookup tables, separated by commas and/or whitespace.
5760 Continue long lines by starting the next line with whitespace. A
5761 "/file/name" pattern is replaced by its contents; a "type:table" lookup
5762 table is matched when a (parent) domain appears as lookup key. Specify
5763 "!pattern" to exclude a domain from the list. The form "!/file/name" is
5764 supported only in Postfix version 2.4 and later.
5765
5766 Pattern matching of domain names is controlled by the presence or
5767 absence of "relay_domains" in the parent_domain_matches_subdomains
5768 parameter value.
5769
5771 The numerical Postfix SMTP server response code when a client request
5772 is rejected by the reject_unauth_destination recipient restriction.
5773
5774 Do not change this unless you have a complete understanding of RFC
5775 5321.
5776
5778 Optional lookup tables with all valid addresses in the domains that
5779 match $relay_domains. Specify @domain as a wild-card for domains that
5780 have no valid recipient list, and become a source of backscatter mail:
5781 Postfix accepts spam for non-existent recipients and then floods
5782 innocent people with undeliverable mail. Technically, tables listed
5783 with $relay_recipient_maps are used as lists: Postfix needs to know only
5784 if a lookup string is found or not, but it does not use the result from
5785 table lookup.
5786
5787 Specify zero or more "type:name" lookup tables, separated by whitespace
5788 or comma. Tables will be searched in the specified order until a match
5789 is found.
5790
5791 If this parameter is non-empty, then the Postfix SMTP server will
5792 reject mail to unknown relay users. This feature is off by default.
5793
5794 See also the relay domains address class in the ADDRESS_CLASS_README
5795 file.
5796
5797 Example:
5798
5799 relay_recipient_maps = hash:/etc/postfix/relay_recipients
5800
5801 This feature is available in Postfix 2.0 and later.
5802
5804 The default mail delivery transport and next-hop destination for remote
5805 delivery to domains listed with $relay_domains. In order of decreasing
5806 precedence, the nexthop destination is taken from $relay_transport,
5807 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
5808 domain. This information can be overruled with the transport(5) table.
5809
5810 Specify a string of the form transport:nexthop, where transport is the
5811 name of a mail delivery transport defined in master.cf. The :nexthop
5812 destination is optional; its syntax is documented in the manual page of
5813 the corresponding delivery agent.
5814
5815 See also the relay domains address class in the ADDRESS_CLASS_README
5816 file.
5817
5818 This feature is available in Postfix 2.0 and later.
5819
5821 The next-hop destination(s) for non-local mail; overrides non-local
5822 domains in recipient addresses. This information is overruled with
5823 relay_transport, sender_dependent_default_transport_maps,
5824 default_transport, sender_dependent_relayhost_maps and with the
5825 transport(5) table.
5826
5827 On an intranet, specify the organizational domain name. If your
5828 internal DNS uses no MX records, specify the name of the intranet
5829 gateway host instead.
5830
5831 In the case of SMTP or LMTP delivery, specify one or more destinations
5832 in the form of a domain name, hostname, hostname:port, [hostname]:port,
5833 [hostaddress] or [hostaddress]:port, separated by comma or whitespace.
5834 The form [hostname] turns off MX lookups. Multiple destinations are
5835 supported in Postfix 3.5 and later.
5836
5837 If you're connected via UUCP, see the UUCP_README file for useful
5838 information.
5839
5840 Examples:
5841
5842 relayhost = $mydomain
5843 relayhost = [gateway.example.com]
5844 relayhost = mail1.example:587, mail2.example:587
5845 relayhost = [an.ip.add.ress]
5846
5848 Optional lookup tables with new contact information for users or
5849 domains that no longer exist. The table format and lookups are
5850 documented in relocated(5).
5851
5852 Specify zero or more "type:name" lookup tables, separated by whitespace
5853 or comma. Tables will be searched in the specified order until a match
5854 is found.
5855
5856 If you use this feature, run "postmap /etc/postfix/relocated" to build
5857 the necessary DBM or DB file after change, then "postfix reload" to
5858 make the changes visible.
5859
5860 Examples:
5861
5862 relocated_maps = dbm:/etc/postfix/relocated
5863 relocated_maps = hash:/etc/postfix/relocated
5864
5866 Don't rewrite message headers from remote clients at all when this
5867 parameter is empty; otherwise, rewrite message headers and append the
5868 specified domain name to incomplete addresses. The
5869 local_header_rewrite_clients parameter controls what clients Postfix considers local.
5870
5871 Examples:
5872
5873 The safe setting: append "domain.invalid" to incomplete header
5874 addresses from remote SMTP clients, so that those addresses cannot be
5875 confused with local addresses.
5876
5877 remote_header_rewrite_domain = domain.invalid
5878
5879 The default, purist, setting: don't rewrite headers from remote clients
5880 at all.
5881
5882 remote_header_rewrite_domain =
5883
5885 Require that a local(8) recipient's home directory exists before mail
5886 delivery is attempted. By default this test is disabled. It can be
5887 useful for environments that import home directories to the mail server
5888 (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
5889
5891 Reset the local(8) delivery agent's idea of the owner-alias attribute,
5892 when delivering mail to a child alias that does not have its own owner
5893 alias.
5894
5895 This feature is available in Postfix 2.8 and later. With older Postfix
5896 releases, the behavior is as if this parameter is set to "yes".
5897
5898 As documented in aliases(5), when an alias name has a companion alias
5899 named owner-name, this will replace the envelope sender address, so
5900 that delivery errors will be reported to the owner alias instead of the
5901 sender. This configuration is recommended for mailing lists.
5902
5903 A less known property of the owner alias is that it also forces the
5904 local(8) delivery agent to write local and remote addresses from alias
5905 expansion to a new queue file, instead of attempting to deliver mail to
5906 local addresses as soon as they come out of alias expansion.
5907
5908 Writing local addresses from alias expansion to a new queue file allows
5909 for robust handling of temporary delivery errors: errors with one local
5910 member have no effect on deliveries to other members of the list. On
5911 the other hand, delivery to local addresses as soon as they come out of
5912 alias expansion is fragile: a temporary error with one local address
5913 from alias expansion will cause the entire alias to be expanded
5914 repeatedly until the error goes away, or until the message expires in
5915 the queue. In that case, a problem with one list member results in
5916 multiple message deliveries to other list members.
5917
5918 The default behavior of Postfix 2.8 and later is to keep the
5919 owner-alias attribute of the parent alias, when delivering mail to a
5920 child alias that does not have its own owner alias. Then, local
5921 addresses from that child alias will be written to a new queue file,
5922 and a temporary error with one local address will not affect delivery
5923 to other mailing list members.
5924
5925 Unfortunately, older Postfix releases reset the owner-alias attribute
5926 when delivering mail to a child alias that does not have its own owner
5927 alias. To be precise, this resets only the decision to create a new
5928 queue file, not the decision to override the envelope sender address.
5929 The local(8) delivery agent then attempts to deliver local addresses as
5930 soon as they come out of child alias expansion. If delivery to any
5931 address from child alias expansion fails with a temporary error
5932 condition, the entire mailing list may be expanded repeatedly until the
5933 mail expires in the queue, resulting in multiple deliveries of the same
5934 message to mailing list members.
5935
5937 Resolve a recipient address safely instead of correctly, by looking
5938 inside quotes.
5939
5940 By default, the Postfix address resolver does not quote the address
5941 localpart as per RFC 822, so that additional @ or % or ! operators
5942 remain visible. This behavior is safe but it is also technically
5943 incorrect.
5944
5945 If you specify "resolve_dequoted_address = no", then the Postfix
5946 resolver will not know about additional @ etc. operators in the address
5947 localpart. This opens opportunities for obscure mail relay attacks with
5948 user@domain@domain addresses when Postfix provides backup MX service
5949 for Sendmail systems.
5950
5952 Resolve an address that ends in the "@" null domain as if the local
5953 hostname were specified, instead of rejecting the address as invalid.
5954
5955 This feature is available in Postfix 2.1 and later. Earlier versions
5956 always resolve the null domain as the local hostname.
5957
5958 The Postfix SMTP server uses this feature to reject mail from or to
5959 addresses that end in the "@" null domain, and from addresses that
5960 rewrite into a form that ends in the "@" null domain.
5961
5963 Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
5964 the address as invalid.
5965
5966 This feature is available in Postfix 2.3 and later.
5967
5969 The name of the address rewriting service. This service rewrites
5970 addresses to standard form and resolves them to a (delivery method,
5971 next-hop host, recipient) triple.
5972
5973 This feature is available in Postfix 2.0 and later.
5974
5976 The name of the directory with example Postfix configuration files.
5977 Starting with Postfix 2.1, these files have been replaced with the
5978 postconf(5) manual page.
5979
5981 When authenticating to a remote SMTP or LMTP server with the default
5982 setting "no", send no SASL authoriZation ID (authzid); send only the
5983 SASL authentiCation ID (authcid) plus the authcid's password.
5984
5985 The non-default setting "yes" enables the behavior of older Postfix
5986 versions. These always send a SASL authzid that is equal to the SASL
5987 authcid, but this causes interoperability problems with some SMTP
5988 servers.
5989
5990 This feature is available in Postfix 2.4.4 and later.
5991
5993 This parameter should not be used. It was replaced by
5994 sender_dependent_relayhost_maps in Postfix version 2.3.
5995
5997 Optional BCC (blind carbon-copy) address lookup tables, indexed by
5998 sender address. The BCC address (multiple results are not supported)
5999 is added when mail enters from outside of Postfix.
6000
6001 Specify zero or more "type:name" lookup tables, separated by whitespace
6002 or comma. Tables will be searched in the specified order until a match
6003 is found.
6004
6005 The table search order is as follows:
6006
6007 · Look up the "user+extension@domain.tld" address including the
6008 optional address extension.
6009
6010 · Look up the "user@domain.tld" address without the optional
6011 address extension.
6012
6013 · Look up the "user+extension" address local part when the sender
6014 domain equals $myorigin, $mydestination, $inet_interfaces or
6015 $proxy_interfaces.
6016
6017 · Look up the "user" address local part when the sender domain
6018 equals $myorigin, $mydestination, $inet_interfaces or
6019 $proxy_interfaces.
6020
6021 · Look up the "@domain.tld" part.
6022
6023 Note: with Postfix 2.3 and later the BCC address is added as if it was
6024 specified with NOTIFY=NONE. The sender will not be notified when the
6025 BCC address is undeliverable, as long as all down-stream software
6026 implements RFC 3461.
6027
6028 Note: with Postfix 2.2 and earlier the sender will be notified when the
6029 BCC address is undeliverable.
6030
6031 Note: automatic BCC recipients are produced only for new mail. To
6032 avoid mailer loops, automatic BCC recipients are not generated after
6033 Postfix forwards mail internally, or after Postfix generates mail
6034 itself.
6035
6036 Example:
6037
6038 sender_bcc_maps = hash:/etc/postfix/sender_bcc
6039
6040 After a change, run "postmap /etc/postfix/sender_bcc".
6041
6042 This feature is available in Postfix 2.1 and later.
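
An added example (not Postfix code) that applies the search order listed above; it serves the recipient_bcc_maps order as well, which differs only in using the recipient address. The dict, the local domain set and the lowercase key folding are assumptions standing in for a postmap(1) hash table and for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces.

```python
"""Added example, not Postfix code: the table search order that postconf(5)
gives for sender_bcc_maps and recipient_bcc_maps, run against a constructed
lookup table that stands in for hash:/etc/postfix/sender_bcc."""


def split_localpart(localpart, delimiter):
    """Split "user+extension" at the first recipient_delimiter character."""
    for i, ch in enumerate(localpart):
        if ch in delimiter and i > 0:
            return localpart[:i], localpart[i + 1:]
    return localpart, ""


def bcc_lookup(address, table, local_domains, delimiter="+", new_mail=True):
    """Return the BCC address for `address`, or None when no key matches.

    `table` is a dict keyed as postmap(1) would key it (keys folded to lower
    case, the postmap default); `local_domains` stands in for $myorigin,
    $mydestination, $inet_interfaces and $proxy_interfaces.  Keys are tried
    in the order the manual lists and the first hit wins; multiple BCC
    results are not supported, so one value per key is all that is used.
    """
    if not new_mail:
        # Automatic BCC is produced only for new mail, never for mail that
        # Postfix forwarded internally or generated itself (loop avoidance).
        return None
    localpart, _, domain = address.rpartition("@")
    user, ext = split_localpart(localpart, delimiter)
    keys = []
    if ext:
        keys.append(f"{localpart}@{domain}")   # 1. user+extension@domain.tld
    keys.append(f"{user}@{domain}")             # 2. user@domain.tld
    if domain.lower() in local_domains:         # 3./4. only for local domains
        if ext:
            keys.append(localpart)              # 3. user+extension
        keys.append(user)                       # 4. user
    keys.append(f"@{domain}")                   # 5. @domain.tld
    for key in keys:
        hit = table.get(key.lower())
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    # Constructed table and local domain set; not from any real deployment.
    SENDER_BCC = {
        "alice+sales@example.com": "sales-archive@example.com",
        "bob": "bob-copy@example.com",
        "@example.com": "archive@example.com",
    }
    LOCAL = {"example.com"}
    for addr in ("alice+sales@example.com", "alice+support@example.com",
                 "Bob@example.com", "bob@other.example"):
        print(addr, "->", bcc_lookup(addr, SENDER_BCC, LOCAL))
```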
6043
6045 What addresses are subject to sender_canonical_maps address mapping.
6046 By default, sender_canonical_maps address mapping is applied to
6047 envelope sender addresses, and to header sender addresses.
6048
6049 Specify one or more of: envelope_sender, header_sender
6050
6051 This feature is available in Postfix 2.2 and later.
6052
6054 Optional address mapping lookup tables for envelope and header sender
6055 addresses. The table format and lookups are documented in
6056 canonical(5).
6057
6058 Example: you want to rewrite the SENDER address "user@ugly.domain" to
6059 "user@pretty.domain", while still being able to send mail to the
6060 RECIPIENT address "user@ugly.domain".
6061
6062 Note: $sender_canonical_maps is processed before $canonical_maps.
6063
6064 Example:
6065
6066 sender_canonical_maps = hash:/etc/postfix/sender_canonical
6067
6069 A sender-dependent override for the global default_transport parameter
6070 setting. The tables are searched by the envelope sender address and
6071 @domain. A lookup result of DUNNO terminates the search without
6072 overriding the global default_transport parameter setting. This
6073 information is overruled with the transport(5) table.
6074
6075 Specify zero or more "type:name" lookup tables, separated by whitespace
6076 or comma. Tables will be searched in the specified order until a match
6077 is found.
6078
6079 Note: this overrides default_transport, not transport_maps, and
6080 therefore the expected syntax is that of default_transport, not the
6081 syntax of transport_maps. Specifically, this does not support the
6082 transport_maps syntax for null transport, null nexthop, or null email
6083 addresses.
6084
6085 For safety reasons, this feature does not allow $number substitutions
6086 in regular expression maps.
6087
6088 This feature is available in Postfix 2.7 and later.
6089
6091 A sender-dependent override for the global relayhost parameter setting.
6092 The tables are searched by the envelope sender address and @domain. A
6093 lookup result of DUNNO terminates the search without overriding the
6094 global relayhost parameter setting (Postfix 2.6 and later). This
6095 information is overruled with relay_transport,
6096 sender_dependent_default_transport_maps, default_transport and with the
6097 transport(5) table.
6098
6099 Specify zero or more "type:name" lookup tables, separated by whitespace
6100 or comma. Tables will be searched in the specified order until a match
6101 is found.
6102
6103 For safety reasons, this feature does not allow $number substitutions
6104 in regular expression maps.
6105
6106 This feature is available in Postfix 2.3 and later.
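
An added example (not Postfix code) that applies the precedence order stated in the relay_transport, relayhost, sender_dependent_default_transport_maps and sender_dependent_relayhost_maps descriptions, including the DUNNO rule; the MainCf class and the table dicts are constructed stand-ins, subdomain matching for relay_domains is assumed (the default), and transport(5) table overrides are left out.

```python
"""Added example, not Postfix code: next-hop selection for a remote
recipient following the precedence stated in postconf(5) for
relay_transport, default_transport, sender_dependent_*_maps and relayhost.
transport(5) table overrides are left out."""

from dataclasses import dataclass, field


@dataclass
class MainCf:
    """The main.cf settings this example consults (constructed values)."""
    relay_domains: set = field(default_factory=set)
    relay_transport: str = "relay"          # transport[:nexthop]
    default_transport: str = "smtp"         # transport[:nexthop]
    relayhost: str = ""
    sender_dependent_relayhost_maps: dict = field(default_factory=dict)
    sender_dependent_default_transport_maps: dict = field(default_factory=dict)


def sender_lookup(table, sender):
    """Search a sender-dependent map by the envelope sender, then by @domain.

    A DUNNO result terminates the search without overriding the global
    setting, so it is reported as "no override" just like a miss.
    """
    domain = sender.rpartition("@")[2]
    for key in (sender.lower(), "@" + domain.lower()):
        if key in table:
            return None if table[key] == "DUNNO" else table[key]
    return None


def in_relay_domains(domain, relay_domains):
    """relay_domains matches a domain and, by default, its subdomains."""
    d = domain.lower()
    return any(d == r or d.endswith("." + r) for r in relay_domains)


def resolve_nexthop(cfg, sender, recipient):
    """Return (transport, nexthop) for a recipient in a non-local domain."""
    rcpt_domain = recipient.rpartition("@")[2].lower()
    if in_relay_domains(rcpt_domain, cfg.relay_domains):
        # relay domains address class: relay_transport decides the transport
        # and, when it carries a :nexthop, the destination as well.
        transport, _, nexthop = cfg.relay_transport.partition(":")
    else:
        # default address class: sender_dependent_default_transport_maps
        # overrides default_transport (same transport[:nexthop] syntax).
        override = sender_lookup(cfg.sender_dependent_default_transport_maps, sender)
        transport, _, nexthop = (override or cfg.default_transport).partition(":")
    if not nexthop:
        # No nexthop in the transport setting: sender_dependent_relayhost_maps,
        # then relayhost, then the recipient domain itself (MX lookup).
        nexthop = (sender_lookup(cfg.sender_dependent_relayhost_maps, sender)
                   or cfg.relayhost or rcpt_domain)
    return transport, nexthop


if __name__ == "__main__":
    # Constructed configuration; the hosts and domains are placeholders.
    cfg = MainCf(
        relay_domains={"partner.example"},
        relayhost="[gateway.example.com]",
        sender_dependent_relayhost_maps={
            "@marketing.example.com": "[bulk.example.com]:587",
            "noreply@example.com": "DUNNO",
        },
    )
    for snd, rcpt in (("alice@example.com", "bob@partner.example"),
                      ("news@marketing.example.com", "bob@sub.partner.example"),
                      ("noreply@example.com", "x@elsewhere.example")):
        print(snd, "->", rcpt, "via", resolve_nexthop(cfg, snd, rcpt))
```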
6107
6109 Controls how the Postfix sendmail command converts email message line
6110 endings from <CR><LF> into UNIX format (<LF>).
6111
6112 always Always convert message lines ending in <CR><LF>. This setting is
6113 the default with Postfix 2.9 and later.
6114
6115 strict Convert message lines ending in <CR><LF> only if the first input
6116 line ends in <CR><LF>. This setting is backwards-compatible with
6117 Postfix 2.8 and earlier.
6118
6119 never Never convert message lines ending in <CR><LF>. This setting
6120 exists for completeness only.
6121
6122 This feature is available in Postfix 2.9 and later.
6123
6125 A Sendmail compatibility feature that specifies the location of the
6126 Postfix sendmail(1) command. This command can be used to submit mail
6127 into the Postfix queue.
6128
6130 The master.cf service name of a Postfix daemon process. This can be
6131 used to distinguish the logging from different services that use the
6132 same program name.
6133
6134 Example master.cf entries:
6135
6136 # Distinguish inbound MTA logging from submission and smtps logging.
6137 smtp inet n - n - - smtpd
6138 submission inet n - n - - smtpd
6139 -o syslog_name=postfix/$service_name
6140 smtps inet n - n - - smtpd
6141 -o syslog_name=postfix/$service_name
6142
6143 # Distinguish outbound MTA logging from inbound relay logging.
6144 smtp unix - - n - - smtp
6145 relay unix - - n - - smtp
6146 -o syslog_name=postfix/$service_name
6147
6149 How long the Postfix master(8) waits before forking a server that
6150 appears to be malfunctioning.
6151
6152 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6153 The default time unit is s (seconds).
6154
6156 The group ownership of set-gid Postfix commands and of group-writable
6157 Postfix directories. When this parameter value is changed you need to
6158 re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
6159 "/etc/postfix/post-install set-permissions").
6160
6162 The location of Postfix dynamically-linked libraries (libpostfix-*.so),
6163 and the default location of Postfix database plugins (postfix-*.so)
6164 that have a relative pathname in the dynamicmaps.cf file. The
6165 shlib_directory parameter defaults to "no" when Postfix
6166 dynamically-linked libraries and database plugins are disabled at
6167 compile time, otherwise it typically defaults to /usr/lib/postfix or
6168 /usr/local/lib/postfix.
6169
6170 Notes:
6171
6172 · The directory specified with shlib_directory should contain only
6173 Postfix-related files. Postfix dynamically-linked libraries and
6174 database plugins should not be installed in a "public" system
6175 directory such as /usr/lib or /usr/local/lib. Linking Postfix
6176 dynamically-linked library files or database plugins into
6177 non-Postfix programs is not supported. Postfix dynamically-linked
6178 libraries and database plugins implement a Postfix-internal API
6179 that changes without maintaining compatibility.
6180
6181 · You can change the shlib_directory value after Postfix is built.
6182 However, you may have to run ldconfig or equivalent to prevent
6183 Postfix programs from failing because the libpostfix-*.so files
6184 are not found. No ldconfig command is needed if you keep the
6185 libpostfix-*.so files in the compiled-in default $shlib_directory
6186 location.
6187
6188 This feature is available in Postfix 3.0 and later.
6189
6191 Display the name of the recipient table in the "User unknown"
6192 responses. The extra detail makes troubleshooting easier but also
6193 reveals information that is nobody else's business.
6194
6195 This feature is available in Postfix 2.0 and later.
6196
6198 The name of the showq(8) service. This service produces mail queue
6199 status reports.
6200
6201 This feature is available in Postfix 2.0 and later.
6202
6204 The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6205 will try first, when a destination has IPv6 and IPv4 addresses with
6206 equal MX preference. This feature has no effect unless the
6207 inet_protocols setting enables both IPv4 and IPv6.
6208
6209 Postfix SMTP client address preference has evolved. With Postfix 2.8
6210 the default is "ipv6"; earlier implementations are hard-coded to prefer
6211 IPv6 over IPv4.
6212
6213 Notes for mail delivery between sites that have both IPv4 and IPv6
6214 connectivity:
6215
6216 · The setting "smtp_address_preference = ipv6" is unsafe. It can
6217 fail to deliver mail when there is an outage that affects IPv6,
6218 while the destination is still reachable over IPv4.
6219
6220 · The setting "smtp_address_preference = any" is safe. With this,
6221 mail will eventually be delivered even if there is an outage
6222 that affects IPv6 or IPv4, as long as it does not affect both.
6223
6224 This feature is available in Postfix 2.8 and later.
6225
6227 In the context of email address verification, the SMTP protocol stage
6228 that determines whether an email address is deliverable. Specify one
6229 of "rcpt" or "data". The latter is needed with remote SMTP servers
6230 that reject recipients after the DATA command. Use transport_maps to
6231 apply this feature selectively:
6232
6233 /etc/postfix/main.cf:
6234 transport_maps = hash:/etc/postfix/transport
6235
6236 /etc/postfix/transport:
6237 smtp-domain-that-verifies-after-data smtp-data-target:
6238 lmtp-domain-that-verifies-after-data lmtp-data-target:
6239
6240 /etc/postfix/master.cf:
6241 smtp-data-target unix - - n - - smtp
6242 -o smtp_address_verify_target=data
6243 lmtp-data-target unix - - n - - lmtp
6244 -o lmtp_address_verify_target=data
6245
6246 Unselective use of the "data" target does no harm, but will result in
6247 unnecessary "lost connection after DATA" events at remote SMTP/LMTP
6248 servers.
6249
6250 This feature is available in Postfix 3.0 and later.
6251
6253 Always send EHLO at the start of an SMTP session.
6254
6255 With "smtp_always_send_ehlo = no", the Postfix SMTP client sends EHLO
6256 only when the word "ESMTP" appears in the server greeting banner
6257 (example: 220 spike.porcupine.org ESMTP Postfix).
6258
6260 When a remote destination resolves to a combination of IPv4 and IPv6
6261 addresses, ensure that the Postfix SMTP client can try both address
6262 types before it runs into the smtp_mx_address_limit.
6263
6264 This avoids an interoperability problem when a destination resolves to
6265 primarily IPv6 addresses, the smtp_mx_address_limit feature eliminates
6266 most or all IPv4 addresses, and the destination is not reachable over
6267 IPv6.
6268
6269 This feature is available in Postfix 3.3 and later.
6270
6272 An optional numerical network address that the Postfix SMTP client
6273 should bind to when making an IPv4 connection.
6274
6275 This can be specified in the main.cf file for all SMTP clients, or it
6276 can be specified in the master.cf file for a specific client, for
6277 example:
6278
6279 /etc/postfix/master.cf:
6280 smtp ... smtp -o smtp_bind_address=11.22.33.44
6281
6282 Note 1: when inet_interfaces specifies no more than one IPv4 address,
6283 and that address is a non-loopback address, it is automatically used as
6284 the smtp_bind_address. This supports virtual IP hosting, but can be a
6285 problem on multi-homed firewalls. See the inet_interfaces documentation
6286 for more detail.
6287
6288 Note 2: address information may be enclosed inside [], but this form is
6289 not required here.
6290
6292 An optional numerical network address that the Postfix SMTP client
6293 should bind to when making an IPv6 connection.
6294
6295 This feature is available in Postfix 2.2 and later.
6296
6297 This can be specified in the main.cf file for all SMTP clients, or it
6298 can be specified in the master.cf file for a specific client, for
6299 example:
6300
6301 /etc/postfix/master.cf:
6302 smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6303
6304 Note 1: when inet_interfaces specifies no more than one IPv6 address,
6305 and that address is a non-loopback address, it is automatically used as
6306 the smtp_bind_address6. This supports virtual IP hosting, but can be a
6307 problem on multi-homed firewalls. See the inet_interfaces documentation
6308 for more detail.
6309
6310 Note 2: address information may be enclosed inside [], but this form is
6311 not recommended here.
6312
6314 Restricted body_checks(5) tables for the Postfix SMTP client. These
6315 tables are searched while mail is being delivered. Actions that change
6316 the delivery time or destination are not available.
6317
6318 This feature is available in Postfix 2.5 and later.
6319
6321 When the remote SMTP servername is a DNS CNAME, replace the servername
6322 with the result from CNAME expansion for the purpose of logging, SASL
6323 password lookup, TLS policy decisions, or TLS certificate verification.
6324 The value "no" hardens Postfix smtp_tls_per_site hostname-based
6325 policies against false hostname information in DNS CNAME records, and
6326 makes SASL password file lookups more predictable. This is the default
6327 setting as of Postfix 2.3.
6328
6329 When DNS CNAME records are validated with secure DNS lookups
6330 (smtp_dns_support_level = dnssec), they are always allowed to override
6331 the above servername (Postfix 2.11 and later).
6332
6333 This feature is available in Postfix 2.2.9 and later.
6334
6336 The Postfix SMTP client time limit for completing a TCP connection, or
6337 zero (use the operating system built-in time limit).
6338
6339 When no connection can be made within the deadline, the Postfix SMTP
6340 client tries the next address on the mail exchanger list. Specify 0 to
6341 disable the time limit (i.e. use whatever timeout is implemented by the
6342 operating system).
6343
6344 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6345 The default time unit is s (seconds).
6346
6348 Permanently enable SMTP connection caching for the specified
6349 destinations. With SMTP connection caching, a connection is not closed
6350 immediately after completion of a mail transaction. Instead, the
6351 connection is kept open for up to $smtp_connection_cache_time_limit
6352 seconds. This allows connections to be reused for other deliveries,
6353 and can improve mail delivery performance.
6354
6355 Specify a comma or white space separated list of destinations or
6356 pseudo-destinations:
6357
6358 · if mail is sent without a relay host: a domain name (the
6359 right-hand side of an email address, without the [] around a
6360 numeric IP address),
6361
6362 · if mail is sent via a relay host: a relay host name (without []
6363 or non-default TCP port), as specified in main.cf or in the
6364 transport map,
6365
6366 · if mail is sent via a UNIX-domain socket: a pathname (without
6367 the unix: prefix),
6368
6369 · a /file/name with domain names and/or relay host names as
6370 defined above,
6371
6372 · a "type:table" with domain names and/or relay host names on the
6373 left-hand side. The right-hand side result from "type:table"
6374 lookups is ignored.
6375
6376 This feature is available in Postfix 2.2 and later.
6377
6379 Temporarily enable SMTP connection caching while a destination has a
6380 high volume of mail in the active queue. With SMTP connection caching,
6381 a connection is not closed immediately after completion of a mail
6382 transaction. Instead, the connection is kept open for up to $smtp_con‐
6383 nection_cache_time_limit seconds. This allows connections to be reused
6384 for other deliveries, and can improve mail delivery performance.
6385
6386 This feature is available in Postfix 2.2 and later.
6387
6389 When SMTP connection caching is enabled, the amount of time that an
6390 unused SMTP client socket is kept open before it is closed. Do not
6391 specify larger values without permission from the remote sites.
6392
6393 This feature is available in Postfix 2.2 and later.
6394
6396 When SMTP connection caching is enabled, the number of times that an
6397 SMTP session may be reused before it is closed, or zero (no limit).
6398 With a reuse count limit of N, a connection is used up to N+1 times.
6399
6400 NOTE: This feature is unsafe. When a high-volume destination has multi‐
6401 ple inbound MTAs, then the slowest inbound MTA will attract the most
6402 connections to that destination. This limitation does not exist with
6403 the smtp_connection_reuse_time_limit feature.
6404
6405 This feature is available in Postfix 2.11.
6406
6408 The amount of time during which Postfix will use an SMTP connection
6409 repeatedly. The timer starts when the connection is initiated (i.e. it
6410 includes the connect, greeting and helo latency, in addition to the
6411 latencies of subsequent mail delivery transactions).
6412
6413 This feature addresses a performance stability problem with remote SMTP
6414 servers. This problem is not specific to Postfix: it can happen when
6415 any MTA sends large amounts of SMTP email to a site that has multiple
6416 MX hosts.
6417
6418 The problem starts when one of a set of MX hosts becomes slower than
6419 the rest. Even though SMTP clients connect to fast and slow MX hosts
6420 with equal probability, the slow MX host ends up with more simultaneous
6421 inbound connections than the faster MX hosts, because the slow MX host
6422 needs more time to serve each client request.
6423
6424 The slow MX host becomes a connection attractor. If one MX host
6425 becomes N times slower than the rest, it dominates mail delivery
6426 latency unless there are more than N fast MX hosts to counter the
6427 effect. And if the number of MX hosts is smaller than N, the mail
6428 delivery latency becomes effectively that of the slowest MX host
6429 divided by the total number of MX hosts.
6430
6431 The solution uses connection caching in a way that differs from Postfix
6432 version 2.2. By limiting the amount of time during which a connection
6433 can be used repeatedly (instead of limiting the number of deliveries
6434 over that connection), Postfix not only restores fairness in the dis‐
6435 tribution of simultaneous connections across a set of MX hosts, it also
6436 favors deliveries over connections that perform well, which is exactly
6437 what we want.
6438
6439 The default reuse time limit, 300s, is comparable to the various smtp
6440 transaction timeouts which are fair estimates of maximum excess latency
6441 for a slow delivery. Note that hosts may accept thousands of messages
6442 over a single connection within the default connection reuse time
6443 limit. This number is much larger than the default Postfix version 2.2
6444 limit of 10 messages per cached connection. It may prove necessary to
6445 lower the limit to avoid interoperability issues with MTAs that exhibit
6446 bugs when many messages are delivered via a single connection. A lower
6447 reuse time limit risks losing the benefit of connection reuse when the
6448 average connection and mail delivery latency exceeds the reuse time
6449 limit.
6450
6451 This feature is available in Postfix 2.3 and later.
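
The attractor argument above can be checked with a small model. The following is an added example, not Postfix code: each simulated client holds one connection at a time and takes turns between the MX hosts, and a connection is reused either a fixed number of times (the Postfix 2.2 style count limit) or for as long as it is younger than a reuse time limit. The latencies, client count, horizon and limit values are constructed for illustration.

```python
from math import ceil

# Added model of the MX "connection attractor" effect. Not Postfix code.
# Each simulated client keeps one connection open at a time and cycles
# through the MX hosts in turn, so every host is chosen equally often.
# A connection is reused according to one of two policies:
#   "count": up to reuse_count + 1 transactions (Postfix 2.2 style limit)
#   "time":  a new transaction starts only while the connection is younger
#            than reuse_time (smtp_connection_reuse_time_limit style)
# Latencies and limits are in abstract seconds.

def connection_plan(policy, latency, reuse_count, reuse_time):
    """Return (transactions, duration) for one connection to a host whose
    per-transaction latency (connect/greeting/helo included) is `latency`."""
    if policy == "count":
        msgs = reuse_count + 1
    elif policy == "time":
        msgs = max(1, ceil(reuse_time / latency))
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return msgs, msgs * latency

def simulate(policy, latencies, clients, horizon, reuse_count=9, reuse_time=20):
    """Deterministic simulation. Returns the average number of simultaneous
    connections per host and the transactions completed per host."""
    busy = [0.0] * len(latencies)
    msgs = [0] * len(latencies)
    for client in range(clients):
        t = 0.0
        turn = client  # stagger which host each client starts with
        while t < horizon:
            host = turn % len(latencies)
            n, duration = connection_plan(policy, latencies[host],
                                          reuse_count, reuse_time)
            remaining = horizon - t
            busy[host] += min(duration, remaining)
            # only transactions that finish inside the horizon are counted
            msgs[host] += min(n, int(remaining // latencies[host]))
            t += duration
            turn += 1
    return {
        "avg_connections": [round(b / horizon, 2) for b in busy],
        "transactions": msgs,
    }

if __name__ == "__main__":
    hosts = [1, 4]  # host 0 is fast, host 1 is four times slower
    for policy in ("count", "time"):
        print(policy, simulate(policy, hosts, clients=8, horizon=12000))
```

With the count policy the slow host carries four times as many simultaneous connections as the fast one, exactly the latency ratio; with the time policy both hosts carry the same number of connections, and most transactions go to the host that performs well.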
6452
6454 The Postfix SMTP client time limit for sending the SMTP ".", and for
6455 receiving the remote SMTP server response.
6456
6457 When no response is received within the deadline, a warning is logged
6458 that the mail may be delivered multiple times.
6459
6460 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6461 The default time unit is s (seconds).
6462
6464 The Postfix SMTP client time limit for sending the SMTP DATA command,
6465 and for receiving the remote SMTP server response.
6466
6467 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6468 The default time unit is s (seconds).
6469
6471 The Postfix SMTP client time limit for sending the SMTP message con‐
6472 tent. When the connection makes no progress for more than
6473 $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates the
6474 transfer.
6475
6476 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6477 The default time unit is s (seconds).
6478
6480 Defer mail delivery when no MX record resolves to an IP address.
6481
6482 The default (no) is to return the mail as undeliverable. With older
6483 Postfix versions the default was to keep trying to deliver the mail
6484 until someone fixed the MX record or until the mail was too old.
6485
6486 Note: the Postfix SMTP client always ignores MX records with equal or
6487 worse preference than the local MTA itself.
6488
6489 This feature is available in Postfix 2.1 and later.
6490
6492 Optional filter for the smtp(8) delivery agent to change the delivery
6493 status code or explanatory text of successful or unsuccessful deliver‐
6494 ies. See default_delivery_status_filter for details.
6495
6496 NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6497 sages that may or may not be derived from remote SMTP server responses.
6498 In contrast, the smtp_reply_filter feature modifies remote SMTP server
6499 responses only.
6500
6502 smtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)
6503 The maximal number of parallel deliveries to the same destination via
6504 the smtp message delivery transport. This limit is enforced by the
6505 queue manager. The message delivery transport name is the first field
6506 in the entry in the master.cf file.
6507
6509 smtp_destination_recipient_limit (default: $default_destination_recipient_limit)
6510 The maximal number of recipients per message for the smtp message
6511 delivery transport. This limit is enforced by the queue manager. The
6512 message delivery transport name is the first field in the entry in the
6513 master.cf file.
6514
6515 Setting this parameter to a value of 1 changes the meaning of smtp_des‐
6516 tination_concurrency_limit from concurrency per domain into concurrency
6517 per recipient.
6518
6520 Lookup tables, indexed by the remote SMTP server address, with case
6521 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
6522 that the Postfix SMTP client will ignore in the EHLO response from a
6523 remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6524 ble is not indexed by hostname for consistency with smtpd_dis‐
6525 card_ehlo_keyword_address_maps.
6526
6527 Specify zero or more "type:name" lookup tables, separated by whitespace
6528 or comma. Tables will be searched in the specified order until a match
6529 is found.
6530
6531 This feature is available in Postfix 2.2 and later.
6532
6534 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
6535 etc.) that the Postfix SMTP client will ignore in the EHLO response
6536 from a remote SMTP server.
6537
6538 This feature is available in Postfix 2.2 and later.
6539
6540 Notes:
6541
6542 · Specify the silent-discard pseudo keyword to prevent this action
6543 from being logged.
6544
6545 · Use the smtp_discard_ehlo_keyword_address_maps feature to dis‐
6546 card EHLO keywords selectively.
6547
6549 Optional filter for Postfix SMTP client DNS lookup results. Specify
6550 zero or more lookup tables. The lookup tables are searched in the
6551 given order for a match with the DNS lookup result, converted to the
6552 following form:
6553
6554 name ttl class type preference value
6555
6556 The class field is always "IN", the preference field exists only for MX
6557 records, the names of hosts, domains, etc. end in ".", and those names
6558 are in ASCII form (xn--mumble form in the case of UTF8 names).
6559
6560 When a match is found, the table lookup result specifies an action. By
6561 default, the table query and the action name are case-insensitive.
6562 Currently, only the IGNORE action is implemented.
6563
6564 Notes:
6565
6566 · Postfix DNS reply filters have no effect on implicit DNS lookups
6567 through nsswitch.conf or equivalent mechanisms.
6568
6569 · The Postfix SMTP/LMTP client uses smtp_dns_reply_filter and
6570 lmtp_dns_reply_filter only to discover a remote SMTP or LMTP
6571 service (record types MX, A, AAAA, and TLSA). These lookups
6572 are also made to implement the features reject_unverified_sender
6573 and reject_unverified_recipient.
6574
6575 · The Postfix SMTP/LMTP client defers mail delivery when a filter
6576 removes all lookup results from a successful query.
6577
6578 · Postfix SMTP server uses smtpd_dns_reply_filter only to look up
6579 MX, A, AAAA, and TXT records to implement the features
6580 reject_unknown_helo_hostname, reject_unknown_sender_domain,
6581 reject_unknown_recipient_domain, reject_rbl_*, and
6582 reject_rhsbl_*.
6583
6584 · The Postfix SMTP server logs a warning or defers mail delivery
6585 when a filter removes all lookup results from a successful
6586 query.
6587
6588 Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
6589 because Google sometimes hard-rejects mail from IPv6 clients with valid
6590 PTR etc. records.
6591
6592 /etc/postfix/main.cf:
6593 smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
6594
6595 /etc/postfix/smtp_dns_reply_filter:
6596 # /domain ttl IN AAAA address/ action, all case-insensitive.
6597 # Note: the domain name ends in ".".
6598 /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
6599
6600 This feature is available in Postfix 3.0 and later.
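
To see what the filter actually matches against, the following added example (not Postfix code) renders DNS answers into the "name ttl class type preference value" form, runs them through a pcre-style table of (pattern, action) rules, and reports whether a query lost all of its records. The sample answers and the example.com rule are constructed; only the IGNORE action is modelled, as on the page.

```python
import re

# Constructed sample answers, grouped per query: (owner, ttl, type, preference, value).
# Names end in "." as in the filter input; only MX records carry a preference.
SAMPLE_QUERIES = {
    ("example.com.", "MX"): [("example.com.", 300, "MX", 10, "mx1.example.com.")],
    ("mx1.example.com.", "A"): [("mx1.example.com.", 300, "A", None, "192.0.2.25")],
    ("mx1.example.com.", "AAAA"): [("mx1.example.com.", 300, "AAAA", None, "2001:db8::25")],
}

# Constructed table with the same shape as the page's google.com example:
# (pattern, action). Patterns are tried in order; the first match wins.
FILTER_TABLE = [
    (r"^\S+\.example\.com\.\s+\S+\s+\S+\s+AAAA\s+", "IGNORE"),
]

def render(answer):
    """Lookup key: name ttl class type [preference] value (class is always IN)."""
    name, ttl, rtype, pref, value = answer
    fields = [name, str(ttl), "IN", rtype]
    if rtype == "MX":
        fields.append(str(pref))
    fields.append(value)
    return " ".join(fields)

def lookup_action(key, table):
    """Action of the first rule whose regex matches the key, else None.
    Both the match and the action name are case-insensitive."""
    for pattern, action in table:
        if re.search(pattern, key, re.IGNORECASE):
            return action.upper()
    return None

def filter_query(answers, table):
    """Apply the filter to one query's answers.
    Returns (kept_answers, dropped_keys, all_removed); all_removed is True when
    a successful (non-empty) query loses every record, the case the page says
    makes the SMTP client defer delivery."""
    kept, dropped = [], []
    for answer in answers:
        key = render(answer)
        action = lookup_action(key, table)
        if action == "IGNORE":
            dropped.append(key)
        elif action is None:
            kept.append(answer)
        else:
            raise ValueError(f"unsupported action {action!r} (only IGNORE is implemented)")
    return kept, dropped, bool(answers) and not kept

if __name__ == "__main__":
    for (qname, qtype), answers in SAMPLE_QUERIES.items():
        kept, dropped, all_removed = filter_query(answers, FILTER_TABLE)
        print(f"{qname} {qtype}: kept={len(kept)} dropped={len(dropped)} "
              f"all_removed={all_removed}")
```

The point to check before deploying such a rule is the last return value: a pattern that is broader than intended (a missing "AAAA" field, or an unanchored name) removes records the client needed and turns into deferred mail rather than a silently narrower address list.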
6601
6603 DNS Resolver options for the Postfix SMTP client. Specify zero or more
6604 of the following options, separated by comma or whitespace. Option
6605 names are case-sensitive. Some options refer to domain names that are
6606 specified in the file /etc/resolv.conf or equivalent.
6607
6608 res_defnames
6609 Append the current domain name to single-component names (those
6610 that do not contain a "." character). This can produce incorrect
6611 results, and is the hard-coded behavior prior to Postfix 2.8.
6612
6613 res_dnsrch
6614 Search for host names in the current domain and in parent
6615 domains. This can produce incorrect results and is therefore not
6616 recommended.
6617
6618 This feature is available in Postfix 2.8 and later.
6619
6621 Level of DNS support in the Postfix SMTP client. With "smtp_dns_sup‐
6622 port_level" left at its empty default value, the legacy "dis‐
6623 able_dns_lookups" parameter controls whether DNS is enabled in the
6624 Postfix SMTP client, otherwise the legacy parameter is ignored.
6625
6626 Specify one of the following:
6627
6628 disabled
6629 Disable DNS lookups. No MX lookups are performed and hostname
6630 to address lookups are unconditionally "native". This setting
6631 is not appropriate for hosts that deliver mail to the public
6632 Internet. Some obsolete how-to documents recommend disabling
6633 DNS lookups in some configurations with content_filters. This
6634 is no longer required and strongly discouraged.
6635
6636 enabled
6637 Enable DNS lookups. Nexthop destination domains not enclosed in
6638 "[]" will be subject to MX lookups. If "dns" and "native" are
6639 included in the "smtp_host_lookup" parameter value, DNS will be
6640 queried first to resolve MX-host A records, followed by "native"
6641 lookups if no answer is found in DNS.
6642
6643 dnssec Enable DNSSEC lookups. The "dnssec" setting differs from the
6644 "enabled" setting above in the following ways:
6645
6646 · Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to
6647 request DNSSEC-validated responses. If the MX response is
6648 DNSSEC-validated the corresponding hostnames are considered val‐
6649 idated.
6650
6651 · The address lookups of validated hostnames are also validated,
6652 (provided of course "smtp_host_lookup" includes "dns", see
6653 below).
6654
6655 · Temporary failures in DNSSEC-enabled hostname-to-address resolu‐
6656 tion block any "native" lookups. Additional "native" lookups
6657 only happen when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).
6658
6659 The Postfix SMTP client considers non-MX "[nexthop]" and "[nex‐
6660 thop]:port" destinations equivalent to statically-validated MX records
6661 of the form "nexthop. IN MX 0 nexthop." Therefore, with "dnssec" sup‐
6662 port turned on, validated hostname-to-address lookups apply to the nex‐
6663 thop domain of any "[nexthop]" or "[nexthop]:port" destination. This
6664 is also true for LMTP "inet:host" and "inet:host:port" destinations, as
6665 LMTP hostnames are never subject to MX lookups.
6666
6667 The "dnssec" setting is recommended only if you plan to use the dane or
6668 dane-only TLS security level, otherwise enabling DNSSEC support in
6669 Postfix offers no additional security. Postfix DNSSEC support relies
6670 on an upstream recursive nameserver that validates DNSSEC signatures.
6671 Such a DNS server will always filter out forged DNS responses, even
6672 when Postfix itself is not configured to use DNSSEC.
6673
6674 When using Postfix DANE support the "smtp_host_lookup" parameter should
6675 include "dns", as DANE is not applicable to hosts resolved via "native"
6676 lookups.
6677
6678 As mentioned above, Postfix is not a validating stub resolver; it
6679 relies on the system's configured DNSSEC-validating recursive name‐
6680 server to perform all DNSSEC validation. Since this nameserver's
6681 DNSSEC-validated responses will be fully trusted, it is strongly recom‐
6682 mended that the MTA host have a local DNSSEC-validating recursive
6683 caching nameserver listening on a loopback address, and be configured
6684 to use only this nameserver for all lookups. Otherwise, Postfix may
6685 remain subject to man-in-the-middle attacks that forge responses from
6686 the recursive nameserver.
6687
6688 DNSSEC support requires a version of Postfix compiled against a reason‐
6689 ably-modern DNS resolver(3) library that implements the RES_USE_DNSSEC
6690 and RES_USE_EDNS0 resolver options.
6691
6692 This feature is available in Postfix 2.11 and later.
6693
6695 Enforcement mode: require that remote SMTP servers use TLS encryption,
6696 and never send mail in the clear. This also requires that the remote
6697 SMTP server hostname matches the information in the remote server cer‐
6698 tificate, and that the remote SMTP server certificate was issued by a
6699 CA that is trusted by the Postfix SMTP client. If the certificate
6700 doesn't verify or the hostname doesn't match, delivery is deferred and
6701 mail stays in the queue.
6702
6703 The server hostname is matched against all names provided as dNSNames
6704 in the SubjectAlternativeName. If no dNSNames are specified, the Com‐
6705 monName is checked. The behavior may be changed with the
6706 smtp_tls_enforce_peername option.
6707
6708 This option is useful only if you are definitely sure that you will
6709 only connect to servers that support RFC 2487 _and_ that provide valid
6710 server certificates. Typical use is for clients that send all their
6711 email to a dedicated mailhub.
6712
6713 This feature is available in Postfix 2.2 and later. With Postfix 2.3
6714 and later use smtp_tls_security_level instead.
6715
6717 Optional list of relay hosts for SMTP destinations that can't be found
6718 or that are unreachable. With Postfix 2.2 and earlier this parameter is
6719 called fallback_relay.
6720
6721 By default, mail is returned to the sender when a destination is not
6722 found, and delivery is deferred when a destination is unreachable.
6723
6724 With bulk email deliveries, it can be beneficial to run the fallback
6725 relay MTA on the same host, so that it can reuse the sender IP address.
6726 This speeds up deliveries that are delayed by IP-based reputation sys‐
6727 tems (greylist, etc.).
6728
6729 The fallback relays must be SMTP destinations. Specify a domain, host,
6730 host:port, [host]:port, [address] or [address]:port; the form [host]
6731 turns off MX lookups. If you specify multiple SMTP destinations, Post‐
6732 fix will try them in the specified order.
6733
6734 To prevent mailer loops between MX hosts and fall-back hosts, Postfix
6735 version 2.2 and later will not use the fallback relays for destinations
6736 that it is MX host for (assuming DNS lookup is turned on).
6737
6739 Optional lookup tables that perform address rewriting in the Postfix
6740 SMTP client, typically to transform a locally valid address into a
6741 globally valid address when sending mail across the Internet. This is
6742 needed when the local machine does not have its own Internet domain
6743 name, but uses something like localdomain.local instead.
6744
6745 Specify zero or more "type:name" lookup tables, separated by whitespace
6746 or comma. Tables will be searched in the specified order until a match
6747 is found.
6748
6749 The table format and lookups are documented in generic(5); examples are
6750 shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
6751 documents.
6752
6753 This feature is available in Postfix 2.2 and later.
6754
6756 Restricted header_checks(5) tables for the Postfix SMTP client. These
6757 tables are searched while mail is being delivered. Actions that change
6758 the delivery time or destination are not available.
6759
6760 This feature is available in Postfix 2.5 and later.
6761
6763 The hostname to send in the SMTP HELO or EHLO command.
6764
6765 The default value is the machine hostname. Specify a hostname or
6766 [ip.add.re.ss].
6767
6768 This information can be specified in the main.cf file for all SMTP
6769 clients, or it can be specified in the master.cf file for a specific
6770 client, for example:
6771
6772 /etc/postfix/master.cf:
6773 mysmtp ... smtp -o smtp_helo_name=foo.bar.com
6774
6775 This feature is available in Postfix 2.0 and later.
6776
6778 The Postfix SMTP client time limit for sending the HELO or EHLO com‐
6779 mand, and for receiving the initial remote SMTP server response.
6780
6781 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6782 The default time unit is s (seconds).
6783
6785 What mechanisms the Postfix SMTP client uses to look up a host's IP
6786 address. This parameter is ignored when DNS lookups are disabled (see:
6787 disable_dns_lookups and smtp_dns_support_level). The "dns" mechanism
6788 is always tried before "native" if both are listed.
6789
6790 Specify one of the following:
6791
6792 dns Hosts can be found in the DNS (preferred).
6793
6794 native Use the native naming service only (nsswitch.conf, or equivalent
6795 mechanism).
6796
6797 dns, native
6798 Use the native service for hosts not found in the DNS.
6799
6800 This feature is available in Postfix 2.1 and later.
6801
6803 The maximal length of message header and body lines that Postfix will
6804 send via SMTP. This limit does not include the <CR><LF> at the end of
6805 each line. Longer lines are broken by inserting "<CR><LF><SPACE>", to
6806 minimize the damage to MIME formatted mail.
6807
6808 The Postfix limit of 998 characters not including <CR><LF> is consis‐
6809 tent with the SMTP limit of 1000 characters including <CR><LF>. The
6810 Postfix limit was 990 with Postfix 2.8 and earlier.
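
The following added example (not Postfix code) shows the folding rule in isolation: lines longer than the limit are split, and every continuation piece starts with a single space. In this model the inserted space counts toward the limit so that no output line can exceed it; whether Postfix counts it the same way is not stated on the page, so treat that detail as an assumption of the example.

```python
CRLF = "\r\n"
LIMIT = 998  # smtp_line_length_limit default on the page, excluding <CR><LF>

def fold_line(line, limit=LIMIT):
    """Split one line (without CRLF) into pieces no longer than `limit`.
    The first piece is the first `limit` characters; each further piece
    begins with a single space, mirroring the "<CR><LF><SPACE>" insertion
    the page describes. Assumption of this model: the space is counted."""
    if limit <= 1:
        raise ValueError("limit must leave room for the continuation space")
    if len(line) <= limit:
        return [line]
    pieces = [line[:limit]]
    rest = line[limit:]
    while rest:
        pieces.append(" " + rest[:limit - 1])
        rest = rest[limit - 1:]
    return pieces

def fold_message(text, limit=LIMIT):
    """Fold every line of a message given with LF line endings; return the
    text as it would go on the wire, with CRLF after every line."""
    if text.endswith("\n"):
        text = text[:-1]
    out = []
    for line in text.split("\n"):
        out.extend(fold_line(line.rstrip("\r"), limit))
    return CRLF.join(out) + CRLF

def wire_line_lengths(wire):
    """Length of each wire line including its CRLF, for checking against the
    SMTP limit of 1000 characters including <CR><LF>."""
    lines = wire.split(CRLF)
    assert lines[-1] == "", "wire text must end with CRLF"
    return [len(l) + 2 for l in lines[:-1]]

if __name__ == "__main__":
    sample = "Subject: test\n\n" + "x" * 2500 + "\n"   # constructed over-long body line
    wire = fold_message(sample)
    print("longest wire line incl. CRLF:", max(wire_line_lengths(wire)))
```

Folding keeps the SMTP session alive, but a folded base64 or quoted-printable body line is still a changed body: that is why the text calls it damage minimization rather than a transparent transformation, and why over-long lines are better fixed at the source.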
6811
6813 The Postfix SMTP client time limit for sending the MAIL FROM command,
6814 and for receiving the remote SMTP server response.
6815
6816 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6817 The default time unit is s (seconds).
6818
6820 Restricted mime_header_checks(5) tables for the Postfix SMTP client.
6821 These tables are searched while mail is being delivered. Actions that
6822 change the delivery time or destination are not available.
6823
6824 This feature is available in Postfix 2.5 and later.
6825
6827 The maximal number of MX (mail exchanger) IP addresses that can result
6828 from Postfix SMTP client mail exchanger lookups, or zero (no limit).
6829 Prior to Postfix version 2.3, this limit was disabled by default.
6830
6831 This feature is available in Postfix 2.1 and later.
6832
6834 The maximal number of SMTP sessions per delivery request before the
6835 Postfix SMTP client gives up or delivers to a fall-back relay host, or
6836 zero (no limit). This restriction ignores sessions that fail to com‐
6837 plete the SMTP initial handshake (Postfix version 2.2 and earlier) or
6838 that fail to complete the EHLO and TLS handshake (Postfix version 2.3
6839 and later).
6840
6841 This feature is available in Postfix 2.1 and later.
6842
6844 Restricted nested_header_checks(5) tables for the Postfix SMTP client.
6845 These tables are searched while mail is being delivered. Actions that
6846 change the delivery time or destination are not available.
6847
6848 This feature is available in Postfix 2.5 and later.
6849
6851 Never send EHLO at the start of an SMTP session. See also the
6852 smtp_always_send_ehlo parameter.
6853
6855 Change the behavior of the smtp_*_timeout time limits, from a time
6856 limit per read or write system call, to a time limit to send or receive
6857 a complete record (an SMTP command line, SMTP response line, SMTP mes‐
6858 sage content line, or TLS protocol message). This limits the impact
6859 from hostile peers that trickle data one byte at a time.
6860
6861 Note: when per-record deadlines are enabled, a short timeout may cause
6862 problems with TLS over very slow network connections. The reasons are
6863 that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
6864 and that an entire TLS protocol message must be sent or received within
6865 the per-record deadline.
6866
6867 This feature is available in Postfix 2.9 and later. With older Postfix
6868 releases, the behavior is as if this parameter is set to "no".
6869
6871 How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
6872 order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
6873
6874 Choosing a too short time makes this workaround ineffective when send‐
6875 ing large messages over slow network connections.
6876
6878 Lookup tables, indexed by the remote SMTP server address, with per-des‐
6879 tination workarounds for CISCO PIX firewall bugs. The table is not
6880 indexed by hostname for consistency with smtp_discard_ehlo_key‐
6881 word_address_maps.
6882
6883 Specify zero or more "type:name" lookup tables, separated by whitespace
6884 or comma. Tables will be searched in the specified order until a match
6885 is found.
6886
6887 This feature is available in Postfix 2.4 and later.
6888
6890 How long a message must be queued before the Postfix SMTP client turns
6891 on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery
6892 through firewalls with "smtp fixup" mode turned on.
6893
6894 By default, the workaround is turned off for mail that is queued for
6895 less than 500 seconds. In other words, the workaround is normally
6896 turned off for the first delivery attempt.
6897
6898 Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
6899 upon the first delivery attempt.
6900
6902 A list that specifies zero or more workarounds for CISCO PIX firewall
6903 bugs. These workarounds are implemented by the Postfix SMTP client.
6904 Workaround names are separated by comma or space, and are case insensi‐
6905 tive. This parameter setting can be overruled with per-destination
6906 smtp_pix_workaround_maps settings.
6907
6908 delay_dotcrlf
6909 Insert a delay before sending ".<CR><LF>" after the end of the
6910 message content. The delay is subject to the smtp_pix_work‐
6911 around_delay_time and smtp_pix_workaround_threshold_time parame‐
6912 ter settings.
6913
6914 disable_esmtp
6915 Disable all extended SMTP commands: send HELO instead of EHLO.
6916
6917 This feature is available in Postfix 2.4 and later. The default set‐
6918 tings are backwards compatible with earlier Postfix versions.
6919
6921 The Postfix SMTP client time limit for sending the QUIT command, and
6922 for receiving the remote SMTP server response.
6923
6924 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6925 The default time unit is s (seconds).
6926
6928 Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
6929 as required by RFC 5321. This includes putting quotes around an address
6930 localpart that ends in ".".
6931
6932 The default is to comply with RFC 5321. If you have to send mail to a
6933 broken SMTP server, configure a special SMTP client in master.cf:
6934
6935 /etc/postfix/master.cf:
6936 broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
6937
6938 and route mail for the destination in question to the "broken-smtp"
6939 message delivery with a transport(5) table.
6940
6941 This feature is available in Postfix 2.1 and later.
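
As an added example (not Postfix code), the quoting rule can be written directly from RFC 5321: a local-part that is a valid Dot-string is sent as-is, anything else (a trailing ".", consecutive dots, spaces, quotes) goes out as a Quoted-string. The `quote_rfc821_envelope` switch below models the effect of setting the parameter to "no"; the regular expression and the helper names are this example's own.

```python
import re

# RFC 5321 "atext": the characters allowed in an unquoted local-part atom.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# Dot-string = Atom *("." Atom): no leading, trailing or doubled dots.
DOT_STRING = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")

def quote_localpart(local):
    """Return the local-part as it may appear in MAIL FROM / RCPT TO:
    unchanged when it is a valid Dot-string, otherwise as a Quoted-string
    with backslash and double quote escaped."""
    if DOT_STRING.match(local):
        return local
    escaped = local.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

def envelope_command(verb, local, domain, quote_rfc821_envelope=True):
    """Build e.g. 'RCPT TO:<"dot."@example.com>'. With quote_rfc821_envelope
    False the raw local-part is sent as-is, as the page describes for
    servers that cannot handle the RFC 5321 form."""
    lp = quote_localpart(local) if quote_rfc821_envelope else local
    return f"{verb}:<{lp}@{domain}>"

if __name__ == "__main__":
    for local in ("first.last", "dot.", "a..b", 'a"b', "john smith"):
        print(envelope_command("RCPT TO", local, "example.com"))
```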
6942
6944 Randomize the order of equal-preference MX host addresses. This is a
6945 performance feature of the Postfix SMTP client.
6946
6948 The Postfix SMTP client time limit for sending the SMTP RCPT TO com‐
6949 mand, and for receiving the remote SMTP server response.
6950
6951 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6952 The default time unit is s (seconds).
6953
6955 A mechanism to transform replies from remote SMTP servers one line at a
6956 time. This is a last-resort tool to work around server replies that
6957 break interoperability with the Postfix SMTP client. Other uses
6958 involve fault injection to test Postfix's handling of invalid
6959 responses.
6960
6961 Notes:
6962
6963 · In the case of a multi-line reply, the Postfix SMTP client uses
6964 the final reply line's numerical SMTP reply code and enhanced
6965 status code.
6966
6967 · The numerical SMTP reply code (XYZ) takes precedence over the
6968 enhanced status code (X.Y.Z). When the enhanced status code
6969 initial digit differs from the SMTP reply code initial digit, or
6970 when no enhanced status code is present, the Postfix SMTP client
6971 uses a generic enhanced status code (X.0.0) instead.
6972
6973 Specify the name of a "type:table" lookup table. The search string is a
6974 single SMTP reply line as received from the remote SMTP server, except
6975 that the trailing <CR><LF> are removed. When the lookup succeeds, the
6976 result replaces the single SMTP reply line.
6977
6978 Examples:
6979
6980 /etc/postfix/main.cf:
6981 smtp_reply_filter = pcre:/etc/postfix/reply_filter
6982
6983 /etc/postfix/reply_filter:
6984 # Transform garbage into "250-filler..." so that it looks like
6985 # one line from a multi-line reply. It does not matter what we
6986 # substitute here as long it has the right syntax. The Postfix
6987 # SMTP client will use the final line's numerical SMTP reply
6988 # code and enhanced status code.
6989 !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
6990
6991 This feature is available in Postfix 2.7.
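
The example table above and the two notes on reply-code precedence combine into a short procedure, shown here as an added example rather than Postfix code: each reply line is passed through a pcre-style table (a "!pattern" rule fires when the pattern does not match), then the final line's SMTP code is taken and the enhanced status code is accepted only when present and its first digit agrees. The sample replies are constructed.

```python
import re

# Constructed pcre:-style rules as (negate, regex, replacement); first match wins.
# The single rule mirrors the page's own example: a line that does not start
# with a three-digit 2xx-5xx code followed by end-of-line, "-" or " " is
# replaced by a harmless intermediate line of a multi-line reply.
REPLY_FILTER = [
    (True, re.compile(r"^([2-5][0-9][0-9]($|[- ]))"), "250-filler for garbage"),
]

REPLY_LINE = re.compile(r"^([2-5][0-9][0-9])(?:[ -](.*))?$")
ENHANCED = re.compile(r"^([2-5])\.(\d{1,3})\.(\d{1,3})(?=\s|$)")

def filter_reply_line(line, rules=REPLY_FILTER):
    """One reply line, trailing CRLF removed, through the table.
    A lookup hit replaces the whole line; otherwise it is returned unchanged."""
    line = line.rstrip("\r\n")
    for negate, pattern, replacement in rules:
        if bool(pattern.search(line)) != negate:
            return replacement
    return line

def parse_reply(lines, rules=REPLY_FILTER):
    """Return (code, enhanced_status, filtered_lines) for a possibly
    multi-line reply, applying the page's two notes: only the final line's
    codes count, and the enhanced code falls back to X.0.0 when it is
    missing or its first digit disagrees with the SMTP reply code."""
    filtered = [filter_reply_line(line, rules) for line in lines]
    m = REPLY_LINE.match(filtered[-1])
    if not m:
        raise ValueError(f"malformed final reply line: {filtered[-1]!r}")
    code = m.group(1)
    text = m.group(2) or ""
    e = ENHANCED.match(text)
    if e and e.group(1) == code[0]:
        enhanced = ".".join(e.groups())
    else:
        enhanced = f"{code[0]}.0.0"
    return code, enhanced, filtered

if __name__ == "__main__":
    # constructed reply with a garbage line in the middle
    reply = ["250-mx.example.com\r\n", "this is not a reply line\r\n", "250 2.1.0 Ok\r\n"]
    print(parse_reply(reply))
    print(parse_reply(["450 2.1.0 status digit disagrees"]))
```

Because only the final line decides the outcome, a filter that rewrites the last line of a reply changes how the message is disposed of (bounce versus defer), while rewriting an intermediate line, as in the page's example, cannot.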
6992
6994 The Postfix SMTP client time limit for sending the RSET command, and
6995 for receiving the remote SMTP server response. The SMTP client sends
6996 RSET in order to finish a recipient address probe, or to verify that a
6997 cached session is still usable.
6998
6999 This feature is available in Postfix 2.1 and later.
7000
7002 An optional table to prevent repeated SASL authentication failures with
7003 the same remote SMTP server hostname, username and password. Each table
7004 (key, value) pair contains a server name, a username and password, and
7005 the full server response. This information is stored when a remote SMTP
7006 server rejects an authentication attempt with a 535 reply code. As
7007 long as the smtp_sasl_password_maps information does not change, and as
7008 long as the smtp_sasl_auth_cache_name information does not expire (see
7009 smtp_sasl_auth_cache_time) the Postfix SMTP client avoids SASL authen‐
7010 tication attempts with the same server, username and password, and
7011 instead bounces or defers mail as controlled with the
7012 smtp_sasl_auth_soft_bounce configuration parameter.
7013
7014 Use a per-destination delivery concurrency of 1 (for example,
7015 "smtp_destination_concurrency_limit = 1", "relay_destination_concur‐
7016 rency_limit = 1", etc.), otherwise multiple delivery agents may experi‐
7017 ence a login failure at the same time.
7018
7019 The table must be accessed via the proxywrite service, i.e. the map
7020 name must start with "proxy:". The table should be stored under the
7021 directory specified with the data_directory parameter.
7022
7023 This feature uses cryptographic hashing to protect plain-text pass‐
7024 words, and requires that Postfix is compiled with TLS support.
7025
7026 Example:
7027
7028 smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
7029
7030 This feature is available in Postfix 2.5 and later.
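
The behaviour described above, as an added model that is not Postfix code: an entry is remembered only for a 535 reply, it is looked up before every authentication attempt, it expires after the cache time, and it is keyed by a keyed hash of the credentials rather than the plaintext password. The page says only "cryptographic hashing"; the choice of HMAC-SHA256 under a per-cache random secret, the class and function names, and the sample server and credentials are this example's own.

```python
import hashlib
import hmac
import secrets
import time

class SaslAuthCache:
    """Remembers 535 authentication failures per (server, username, password).
    The password never reaches the cache in the clear: the key holds an
    HMAC-SHA256 of "username:password" under a per-cache random secret
    (an assumption of this model)."""

    def __init__(self, ttl_seconds, secret, clock=time.time):
        self.ttl = ttl_seconds       # models smtp_sasl_auth_cache_time
        self.secret = secret         # bytes; generate once, keep beside the cache file
        self.clock = clock           # injectable so expiry can be tested
        self.entries = {}            # (server, digest) -> (stored_at, response)

    def _key(self, server, username, password):
        msg = f"{username}:{password}".encode()
        return (server, hmac.new(self.secret, msg, hashlib.sha256).hexdigest())

    def record(self, server, username, password, response):
        """Store a failure; only 535 replies are cached. Returns True if stored."""
        if not response.startswith("535"):
            return False
        self.entries[self._key(server, username, password)] = (self.clock(), response)
        return True

    def cached_failure(self, server, username, password):
        """The remembered server response, or None if absent or expired."""
        key = self._key(server, username, password)
        hit = self.entries.get(key)
        if hit is None:
            return None
        stored_at, response = hit
        if self.clock() - stored_at > self.ttl:
            del self.entries[key]
            return None
        return response

def pre_auth_decision(cache, server, username, password, soft_bounce=True):
    """What the client does before sending AUTH: try, or skip the attempt
    and defer/bounce as smtp_sasl_auth_soft_bounce directs."""
    if cache.cached_failure(server, username, password) is None:
        return "authenticate"
    return "defer" if soft_bounce else "bounce"

if __name__ == "__main__":
    cache = SaslAuthCache(ttl_seconds=90000, secret=secrets.token_bytes(32))
    server, user, pw = "smtp.example.net", "alice", "correct horse"   # constructed
    print(pre_auth_decision(cache, server, user, pw))
    cache.record(server, user, pw, "535 5.7.8 Authentication credentials invalid")
    print(pre_auth_decision(cache, server, user, pw))
```

A changed password produces a different key and therefore a fresh attempt, which is the property the page relies on when it says the suppression lasts only "as long as the smtp_sasl_password_maps information does not change".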
7031
7033 The maximal age of an smtp_sasl_auth_cache_name entry before it is
7034 removed.
7035
7036 This feature is available in Postfix 2.5 and later.
7037
7039 Enable SASL authentication in the Postfix SMTP client. By default, the
7040 Postfix SMTP client uses no authentication.
7041
7042 Example:
7043
7044 smtp_sasl_auth_enable = yes
7045
7047 When a remote SMTP server rejects a SASL authentication request with a
7048 535 reply code, defer mail delivery instead of returning mail as unde‐
7049 liverable. The latter behavior was hard-coded prior to Postfix version
7050 2.5.
7051
7052 Note: the setting "yes" overrides the global soft_bounce parameter, but
7053 the setting "no" does not.
7054
7055 Example:
7056
7057 # Default as of Postfix 2.5
7058 smtp_sasl_auth_soft_bounce = yes
7059 # The old hard-coded default
7060 smtp_sasl_auth_soft_bounce = no
7061
7062 This feature is available in Postfix 2.5 and later.
7063
7065 If non-empty, a Postfix SMTP client filter for the remote SMTP server's
7066 list of offered SASL mechanisms. Different client and server implemen‐
7067 tations may support different mechanism lists; by default, the Postfix
7068 SMTP client will use the intersection of the two. smtp_sasl_mecha‐
7069 nism_filter specifies an optional third mechanism list to intersect
7070 with.
7071
7072 Specify mechanism names, "/file/name" patterns or "type:table" lookup
7073 tables. The right-hand side result from "type:table" lookups is
7074 ignored. Specify "!pattern" to exclude a mechanism name from the list.
7075 The form "!/file/name" is supported only in Postfix version 2.4 and
7076 later.
7077
7078 This feature is available in Postfix 2.2 and later.
7079
7080 Examples:
7081
7082 smtp_sasl_mechanism_filter = plain, login
7083 smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
7084 smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
7085
7087 Optional Postfix SMTP client lookup tables with one username:password
7088 entry per sender, remote hostname or next-hop domain. Per-sender lookup
7089 is done only when sender-dependent authentication is enabled. If no
7090 username:password entry is found, then the Postfix SMTP client will not
7091 attempt to authenticate to the remote host.
7092
7093 The Postfix SMTP client opens the lookup table before going to chroot
7094 jail, so you can leave the password file in /etc/postfix.
7095
7096 Specify zero or more "type:name" lookup tables, separated by whitespace
7097 or comma. Tables will be searched in the specified order until a match
7098 is found.
7099
7101 Implementation-specific information that the Postfix SMTP client passes
7102 through to the SASL plug-in implementation that is selected with
7103 smtp_sasl_type. Typically this specifies the name of a configuration
7104 file or rendezvous point.
7105
7106 This feature is available in Postfix 2.3 and later.
7107
7109 Postfix SMTP client SASL security options; as of Postfix 2.3 the list
7110 of available features depends on the SASL client implementation that is
7111 selected with smtp_sasl_type.
7112
7113 The following security features are defined for the cyrus client SASL
7114 implementation:
7115
7116 Specify zero or more of the following:
7117
7118 noplaintext
7119 Disallow methods that use plaintext passwords.
7120
7121 noactive
7122 Disallow methods subject to active (non-dictionary) attack.
7123
7124 nodictionary
7125 Disallow methods subject to passive (dictionary) attack.
7126
7127 noanonymous
7128 Disallow methods that allow anonymous authentication.
7129
7130 mutual_auth
7131 Only allow methods that provide mutual authentication (not
7132 available with SASL version 1).
7133
7134 Example:
7135
7136 smtp_sasl_security_options = noplaintext
7137
7139 The SASL authentication security options that the Postfix SMTP client
7140 uses for TLS encrypted SMTP sessions.
7141
7142 This feature is available in Postfix 2.2 and later.
7143
7145 smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_security_options)
7146 The SASL authentication security options that the Postfix SMTP client
7147 uses for TLS encrypted SMTP sessions with a verified server certifi‐
7148 cate.
7149
7150 When mail is sent to the public MX host for the recipient's domain,
7151 server certificates are by default optional, and delivery proceeds even
7152 if certificate verification fails. For delivery via a submission ser‐
7153 vice that requires SASL authentication, it may be appropriate to send
7154 plaintext passwords only when the connection to the server is strongly
7155 encrypted and the server identity is verified.
7156
7157 The smtp_sasl_tls_verified_security_options parameter makes it possible
7158 to only enable plaintext mechanisms when a secure connection to the
7159 server is available. Submission servers subject to this policy must
7160 either have verifiable certificates or offer suitable non-plaintext
7161 SASL mechanisms.
7162
7163 This feature is available in Postfix 2.6 and later.
7164
7166 The SASL plug-in type that the Postfix SMTP client should use for
7167 authentication. The available types are listed with the "postconf -A"
7168 command.
7169
7170 This feature is available in Postfix 2.3 and later.
7171
7173 Whether or not to append the "AUTH=<>" option to the MAIL FROM command
7174 in SASL-authenticated SMTP sessions. The default is not to send this,
7175 to avoid problems with broken remote SMTP servers. Before Postfix 2.9
7176 the behavior is as if "smtp_send_dummy_mail_auth = yes".
7177
7178 This feature is available in Postfix 2.9 and later.
7179
7181 Send the non-standard XFORWARD command when the Postfix SMTP server
7182 EHLO response announces XFORWARD support.
7183
7184 This allows a Postfix SMTP delivery agent, used for injecting mail into
7185 a content filter, to forward the name, address, protocol and HELO name
7186 of the original client to the content filter and downstream queuing
7187 SMTP server. This can produce more useful logging than local‐
7188 host[127.0.0.1] etc.
7189
7190 This feature is available in Postfix 2.1 and later.
7191
7193 Enable sender-dependent authentication in the Postfix SMTP client; this
7194 is available only with SASL authentication, and disables SMTP connec‐
7195 tion caching to ensure that mail from different senders will use the
7196 appropriate credentials.
7197
7198 This feature is available in Postfix 2.3 and later.
7199
7201 Skip SMTP servers that greet with a 4XX status code (go away, try again
7202 later).
7203
7204 By default, the Postfix SMTP client moves on to the next mail exchanger.
7205 Specify "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
7206 immediately.
7207
7208 This feature is available in Postfix 2.0 and earlier. Later Postfix
7209 versions always skip remote SMTP servers that greet with a 4XX status
7210 code.
7211
7213 Skip remote SMTP servers that greet with a 5XX status code.
7214
7215 By default, the Postfix SMTP client moves on to the next mail exchanger.
7216 Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
7217 immediately. Caution: the latter behavior appears to contradict RFC
7218 2821.
7219
7221 Do not wait for the response to the SMTP QUIT command.
7222
7224 Time limit for Postfix SMTP client write and read operations during TLS
7225 startup and shutdown handshake procedures.
7226
7227 This feature is available in Postfix 2.2 and later.
7228
7230 The default TCP port that the Postfix SMTP client connects to. Specify
7231 a symbolic name (see services(5)) or a numeric port.
7232
7234 A file containing CA certificates of root CAs trusted to sign either
7235 remote SMTP server certificates or intermediate CA certificates. These
7236 are loaded into memory before the smtp(8) client enters the chroot
7237 jail. If the number of trusted roots is large, consider using
7238 smtp_tls_CApath instead, but note that the latter directory must be
7239 present in the chroot jail if the smtp(8) client is chrooted. This file
7240 may also be used to augment the client certificate trust chain, but it
7241 is best to include all the required certificates directly in
7242 $smtp_tls_cert_file (or, Postfix >= 3.4 $smtp_tls_chain_files).
7243
7244 Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use ONLY the
7245 system-supplied default Certification Authority certificates.
7246
7247 Specify "tls_append_default_CA = no" to prevent Postfix from appending
7248 the system-supplied default CAs and trusting third-party certificates.
7249
7250 Example:
7251
7252 smtp_tls_CAfile = /etc/postfix/CAcert.pem
7253
7254 This feature is available in Postfix 2.2 and later.
7255
7257 Directory with PEM format Certification Authority certificates that the
7258 Postfix SMTP client uses to verify a remote SMTP server certificate.
7259 Don't forget to create the necessary "hash" links with, for example,
7260 "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
7261
7262 To use this option in chroot mode, this directory (or a copy) must be
7263 inside the chroot jail.
7264
7265 Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY
7266 the system-supplied default Certification Authority certificates.
7267
7268 Specify "tls_append_default_CA = no" to prevent Postfix from appending
7269 the system-supplied default CAs and trusting third-party certificates.
7270
7271 Example:
7272
7273 smtp_tls_CApath = /etc/postfix/certs
7274
7275 This feature is available in Postfix 2.2 and later.
7276
7278 Try to detect a mail hijacking attack based on a TLS protocol vulnera‐
7279 bility (CVE-2009-3555), where an attacker prepends malicious HELO,
7280 MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. The
7281 attack would succeed with non-Postfix SMTP servers that reply to the
7282 malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix
7283 SMTP client TLS session.
7284
7285 This feature is available in Postfix 2.7.
7286
7288 File with the Postfix SMTP client RSA certificate in PEM format. This
7289 file may also contain the Postfix SMTP client private RSA key, and
7290 these may be the same as the Postfix SMTP server RSA certificate and
7291 key file. With Postfix >= 3.4 the preferred way to configure client
7292 keys and certificates is via the "smtp_tls_chain_files" parameter.
7293
7294 Do not configure client certificates unless you must present client TLS
7295 certificates to one or more servers. Client certificates are not usu‐
7296 ally needed, and can cause problems in configurations that work well
7297 without them. The recommended setting is to let the defaults stand:
7298
7299 smtp_tls_cert_file =
7300 smtp_tls_key_file =
7301 smtp_tls_eccert_file =
7302 smtp_tls_eckey_file =
7303 # Obsolete DSA parameters
7304 smtp_tls_dcert_file =
7305 smtp_tls_dkey_file =
7306 # Postfix >= 3.4 interface
7307 smtp_tls_chain_files =
7308
7309 The best way to use the default settings is to comment out the above
7310 parameters in main.cf if present.
7311
7312 To enable remote SMTP servers to verify the Postfix SMTP client cer‐
7313 tificate, the issuing CA certificates must be made available to the
7314 server. You should include the required certificates in the client cer‐
7315 tificate file, the client certificate first, then the issuing CA(s)
7316 (bottom-up order).
7317
7318 Example: the certificate for "client.example.com" was issued by "inter‐
7319 mediate CA" which itself has a certificate issued by "root CA". As the
7320 "root" super-user create the chain.pem file with:
7321
7322 # umask 077
7323 # cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem
7324
7325 If you also want to verify remote SMTP server certificates issued by
7326 these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
7327 which case it is not necessary to have them in the smtp_tls_cert_file,
7328 smtp_tls_dcert_file (obsolete) or smtp_tls_eccert_file.
7329
7330 A certificate supplied here must be usable as an SSL client certificate
7331 and hence pass the "openssl verify -purpose sslclient ..." test.
7332
7333 Example:
7334
7335 smtp_tls_cert_file = /etc/postfix/chain.pem
7336
7337 This feature is available in Postfix 2.2 and later.
7338
7340 List of one or more PEM files, each holding one or more private keys
7341 directly followed by a corresponding certificate chain. The file names
7342 are separated by commas and/or whitespace. This parameter obsoletes
7343 the legacy algorithm-specific key and certificate file settings. When
7344 this parameter is non-empty, the legacy parameters are ignored, and a
7345 warning is logged if any are also non-empty.
7346
7347 With the proliferation of multiple private key algorithms (which, as of
7348 OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448) it
7349 is increasingly impractical to use separate parameters to configure the
7350 key and certificate chain for each algorithm. Therefore, Postfix now
7351 supports storing multiple keys and corresponding certificate chains in
7352 a single file or in a set of files.
7353
7354 Each key must appear immediately before the corresponding certificate,
7355 optionally followed by additional issuer certificates that complete the
7356 certificate chain for that key. When multiple files are specified,
7357 they are equivalent to a single file that is concatenated from those
7358 files in the given order. Thus, while a key must always precede its
7359 certificate and issuer chain, it can be in a separate file, so long as
7360 that file is listed immediately before the file that holds the corre‐
7361 sponding certificate chain. Once all the files are concatenated, the
7362 sequence of PEM objects must be: key1, cert1, [chain1], key2, cert2,
7363 [chain2], ..., keyN, certN, [chainN].
7364
7365 Storing the private key in the same file as the corresponding certifi‐
7366 cate is more reliable. With the key and certificate in separate files,
7367 there is a chance that during key rollover a Postfix process might load
7368 a private key and certificate from separate files that don't match.
7369 Various operational errors may even result in a persistent broken con‐
7370 figuration in which the certificate does not match the private key.
7371
7372 The file or files must contain at most one key of each type. If, for
7373 example, two or more RSA keys and corresponding chains are listed,
7374 depending on the version of OpenSSL either only the last one will be
7375 used or a configuration error may be detected. Note that while
7376 "Ed25519" and "Ed448" are considered separate algorithms, the various
7377 ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
7378 considered as different parameters of a single "ECDSA" algorithm, so it
7379 is not presently possible to configure keys for more than one ECDSA
7380 curve.
7381
7382 Example (separate files for each key and corresponding certificate
7383 chain):
7384
7385 /etc/postfix/main.cf:
7386 smtp_tls_chain_files =
7387 ${config_directory}/ed25519.pem,
7388 ${config_directory}/ed448.pem,
7389 ${config_directory}/rsa.pem
7390
7391 /etc/postfix/ed25519.pem:
7392 -----BEGIN PRIVATE KEY-----
7393 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
7394 -----END PRIVATE KEY-----
7395 -----BEGIN CERTIFICATE-----
7396 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
7397 ...
7398 nC0egv51YPDWxEHom4QA
7399 -----END CERTIFICATE-----
7400
7401 /etc/postfix/ed448.pem:
7402 -----BEGIN PRIVATE KEY-----
7403 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
7404 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
7405 -----END PRIVATE KEY-----
7406 -----BEGIN CERTIFICATE-----
7407 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
7408 ...
7409 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
7410 -----END CERTIFICATE-----
7411
7412 /etc/postfix/rsa.pem:
7413 -----BEGIN PRIVATE KEY-----
7414 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
7415 ...
7416 ahQkZ3+krcaJvDSMgvu0tDc=
7417 -----END PRIVATE KEY-----
7418 -----BEGIN CERTIFICATE-----
7419 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
7420 ...
7421 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
7422 -----END CERTIFICATE-----
7423
7424 Example (all keys and certificates in a single file):
7425
7426 /etc/postfix/main.cf:
7427 smtp_tls_chain_files = ${config_directory}/chains.pem
7428
7429 /etc/postfix/chains.pem:
7430 -----BEGIN PRIVATE KEY-----
7431 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
7432 -----END PRIVATE KEY-----
7433 -----BEGIN CERTIFICATE-----
7434 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
7435 ...
7436 nC0egv51YPDWxEHom4QA
7437 -----END CERTIFICATE-----
7438 -----BEGIN PRIVATE KEY-----
7439 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
7440 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
7441 -----END PRIVATE KEY-----
7442 -----BEGIN CERTIFICATE-----
7443 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
7444 ...
7445 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
7446 -----END CERTIFICATE-----
7447 -----BEGIN PRIVATE KEY-----
7448 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
7449 ...
7450 ahQkZ3+krcaJvDSMgvu0tDc=
7451 -----END PRIVATE KEY-----
7452 -----BEGIN CERTIFICATE-----
7453 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
7454 ...
7455 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
7456 -----END CERTIFICATE-----
7457
7458 This feature is available in Postfix 3.4 and later.
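
The ordering and one-key-per-algorithm rules above are easy to get wrong when files are concatenated by hand. As an added example that is not part of postconf(5) or Postfix itself, the following Python checker walks the PEM objects the way the text describes, reads each key's algorithm from its PKCS#8 AlgorithmIdentifier, and reports any violation; the sample PEM data it ends with is constructed stub DER, not real keys or certificates.

```python
"""Check that PEM files obey the object ordering that smtp_tls_chain_files requires."""
import base64
import re

# DER-encoded algorithm OIDs from the PKCS#8 AlgorithmIdentifier, mapped to the key
# types named in postconf(5). Every ECDSA curve shares id-ecPublicKey, so they are one
# "ECDSA" type, while Ed25519 and Ed448 are distinct types.
KEY_OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",   # 1.2.840.113549.1.1.1
    bytes.fromhex("2a8648ce3d0201"): "ECDSA",     # 1.2.840.10045.2.1
    bytes.fromhex("2b6570"): "Ed25519",           # 1.3.101.112
    bytes.fromhex("2b6571"): "Ed448",             # 1.3.101.113
    bytes.fromhex("2a8648ce380401"): "DSA",       # 1.2.840.10040.4.1 (obsolete)
}
# Legacy (pre-PKCS#8) PEM labels name the key type in the header itself.
LEGACY_LABELS = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "ECDSA",
                 "DSA PRIVATE KEY": "DSA"}
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)


def der_tlv(data, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits give the length-of-length
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def pkcs8_key_type(der):
    """Name the algorithm of a PKCS#8 PrivateKeyInfo ("unknown" if not in KEY_OIDS)."""
    tag, body, _ = der_tlv(der, 0)                 # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    _, _, after_version = der_tlv(der, body)       # version INTEGER
    _, alg, _ = der_tlv(der, after_version)        # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = der_tlv(der, alg)    # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return KEY_OIDS.get(der[oid_start:oid_end], "unknown")


def check_chain_files(pem_files):
    """Validate the concatenation of pem_files, in order, as Postfix reads it.
    Returns a list of problems; empty means key1, cert1, [chain1], ..., keyN,
    certN, [chainN] with at most one key per algorithm and no encrypted keys."""
    objects = []
    for text in pem_files:
        for label, body in PEM_RE.findall(text):
            objects.append((label.strip(), base64.b64decode("".join(body.split()))))
    problems, seen, pending_key = [], set(), None
    for index, (label, der) in enumerate(objects):
        if label == "ENCRYPTED PRIVATE KEY":
            problems.append(f"object {index}: key is encrypted (needs a pass-phrase)")
        elif label.endswith("PRIVATE KEY"):
            if pending_key is not None:            # previous key had no certificate
                problems.append(f"object {index}: {pending_key} key has no certificate")
            key_type = LEGACY_LABELS.get(label) or pkcs8_key_type(der)
            if key_type in seen:
                problems.append(f"object {index}: more than one {key_type} key")
            seen.add(key_type)
            pending_key = key_type
        elif label == "CERTIFICATE":
            if not seen:
                problems.append(f"object {index}: certificate precedes any key")
            pending_key = None                     # leaf or issuer cert of the last key
        else:
            problems.append(f"object {index}: unexpected PEM label {label!r}")
    if pending_key is not None:
        problems.append(f"trailing {pending_key} key has no certificate")
    return problems


# ---- Constructed sample input: DER shells with dummy payloads, not real keys ----
def der(tag, content):
    """Minimal DER encoder (definite lengths below 65536)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def pem(label, data):
    """Wrap DER bytes in a PEM envelope with 64-column base64 lines."""
    b64 = base64.b64encode(data).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


def stub_key(oid_hex):
    """PKCS#8 PrivateKeyInfo carrying the given algorithm OID and a zeroed payload."""
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)))
    return pem("PRIVATE KEY", der(0x30, der(0x02, b"\x00") + alg + der(0x04, bytes(32))))


STUB_CERT = pem("CERTIFICATE", der(0x30, bytes(48)))              # never parsed, only ordered
ED25519_PEM = stub_key("2b6570") + STUB_CERT                      # key1, cert1
RSA_PEM = stub_key("2a864886f70d010101") + STUB_CERT + STUB_CERT  # key2, cert2, chain2
```

Passing the files in the order they appear in smtp_tls_chain_files reproduces the concatenation Postfix performs, so a key in one file followed by its chain in the next file is accepted, while a duplicate RSA key or a certificate that precedes its key is reported.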
7459
7461 Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
7462 list. As this feature applies to all TLS security levels, it is easy to
7463 create interoperability problems by choosing a non-default cipher list.
7464 Do not use a non-default TLS cipher list on hosts that deliver email to
7465 the public Internet: you will be unable to send email to servers that
7466 only support the ciphers you exclude. Using a restricted cipher list
7467 may be more appropriate for an internal MTA, where one can exert some
7468 control over the TLS software and settings of the peer servers.
7469
7470 Note: do not use "" quotes around the parameter value.
7471
7472 This feature is available in Postfix version 2.2. It is not used with
7473 Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
7474
7476 The minimum TLS cipher grade that the Postfix SMTP client will use with
7477 opportunistic TLS encryption. Cipher types listed in
7478 smtp_tls_exclude_ciphers are excluded from the base definition of the
7479 selected cipher grade. The default value is "medium" for Postfix
7480 releases after the middle of 2015, "export" for older releases.
7481
7482 When TLS is mandatory the cipher grade is chosen via the
7483 smtp_tls_mandatory_ciphers configuration parameter, see there for syn‐
7484 tax details. See smtp_tls_policy_maps for information on how to config‐
7485 ure ciphers on a per-destination basis.
7486
7487 This feature is available in Postfix 2.6 and later. With earlier Post‐
7488 fix releases only the smtp_tls_mandatory_ciphers parameter is imple‐
7489 mented, and opportunistic TLS always uses "export" or better (i.e. all)
7490 ciphers.
7491
7493 Try to make multiple deliveries per TLS-encrypted connection. This
7494 uses the tlsproxy(8) service to encrypt an SMTP connection, uses the
7495 scache(8) service to save that connection, and relies on hints from the
7496 qmgr(8) daemon.
7497
7498 See "Client-side TLS connection reuse" for background details.
7499
7500 This feature is available in Postfix 3.4 and later.
7501
7503 The TLS policy for MX hosts with "secure" TLSA records when the nexthop
7504 destination security level is dane, but the MX record was found via an
7505 "insecure" MX lookup. The choices are:
7506
7507 may The TLSA records will be ignored and TLS will be optional. If
7508 the MX host does not appear to support STARTTLS, or the STARTTLS
7509 handshake fails, mail may be sent in the clear.
7510
7511 encrypt
7512 The TLSA records will signal a requirement to use TLS. While
7513 TLS encryption will be required, authentication will not be per‐
7514 formed.
7515
7516 dane (default)
7517 The TLSA records will be used just as with "secure" MX records.
7518 TLS encryption will be required, and, if at least one of the
7519 TLSA records is "usable", authentication will be required. When
7520 authentication succeeds, it will be logged only as "Trusted",
7521 not "Verified", because the MX host name could have been forged.
7522 The default setting for Postfix >= 3.6 is "dane" with
7523 "smtp_tls_security_level = dane", otherwise "may". This behavior
7524 was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16,
7525 3.2.21. With earlier Postfix versions the default setting was
7526 always "dane".
7527
7528 Though with "insecure" MX records an active attacker can compromise
7529 SMTP transport security by returning forged MX records, such attacks
7530 are "tamper-evident" since any forged MX hostnames will be recorded in
7531 the mail logs. Attackers who place a high value on staying hidden may be
7532 deterred from forging MX records.
7533
7534 This feature is available in Postfix 3.1 and later. The may policy is
7535 backwards-compatible with earlier Postfix versions.
7536
7538 File with the Postfix SMTP client DSA certificate in PEM format. This
7539 file may also contain the Postfix SMTP client private DSA key. The DSA
7540 algorithm is obsolete and should not be used.
7541
7542 See the discussion under smtp_tls_cert_file for more details.
7543
7544 Example:
7545
7546 smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
7547
7548 This feature is available in Postfix 2.2 and later.
7549
7551 File with the Postfix SMTP client DSA private key in PEM format. This
7552 file may be combined with the Postfix SMTP client DSA certificate file
7553 specified with $smtp_tls_dcert_file. The DSA algorithm is obsolete and
7554 should not be used.
7555
7556 The private key must be accessible without a pass-phrase, i.e. it must
7557 not be encrypted. File permissions should grant read-only access to the
7558 system superuser account ("root"), and no access to anyone else.
7559
7560 This feature is available in Postfix 2.2 and later.
7561
7563 File with the Postfix SMTP client ECDSA certificate in PEM format.
7564 This file may also contain the Postfix SMTP client ECDSA private key.
7565 With Postfix >= 3.4 the preferred way to configure client keys and cer‐
7566 tificates is via the "smtp_tls_chain_files" parameter.
7567
7568 See the discussion under smtp_tls_cert_file for more details.
7569
7570 Example:
7571
7572 smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
7573
7574 This feature is available in Postfix 2.6 and later, when Postfix is
7575 compiled and linked with OpenSSL 1.0.0 or later.
7576
7578 File with the Postfix SMTP client ECDSA private key in PEM format.
7579 This file may be combined with the Postfix SMTP client ECDSA certifi‐
7580 cate file specified with $smtp_tls_eccert_file. With Postfix >= 3.4
7581 the preferred way to configure client keys and certificates is via the
7582 "smtp_tls_chain_files" parameter.
7583
7584 The private key must be accessible without a pass-phrase, i.e. it must
7585 not be encrypted. File permissions should grant read-only access to the
7586 system superuser account ("root"), and no access to anyone else.
7587
7588 This feature is available in Postfix 2.6 and later, when Postfix is
7589 compiled and linked with OpenSSL 1.0.0 or later.
7590
7592 With mandatory TLS encryption, require that the remote SMTP server
7593 hostname matches the information in the remote SMTP server certificate.
7594 As of RFC 2487 the requirements for hostname checking for MTA clients
7595 are not specified.
7596
7597 This option can be set to "no" to disable strict peer name checking.
7598 This setting has no effect on sessions that are controlled via the
7599 smtp_tls_per_site table.
7600
7601 Disabling the hostname verification can make sense in a closed environ‐
7602 ment where special CAs are created. If not used carefully, this option
7603 opens the danger of a "man-in-the-middle" attack (the CommonName of
7604 this attacker will be logged).
7605
7606 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7607 and later use smtp_tls_security_level instead.
7608
7610 List of ciphers or cipher types to exclude from the Postfix SMTP client
7611 cipher list at all TLS security levels. This is not an OpenSSL
7612 cipherlist, it is a simple list separated by whitespace and/or commas.
7613 The elements are a single cipher, or one or more "+" separated cipher
7614 properties, in which case only ciphers matching all the properties are
7615 excluded.
7616
7617 Examples (some of these will cause problems):
7618
7619 smtp_tls_exclude_ciphers = aNULL
7620 smtp_tls_exclude_ciphers = MD5, DES
7621 smtp_tls_exclude_ciphers = DES+MD5
7622 smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
7623 smtp_tls_exclude_ciphers = kEDH+aRSA
7624
7625 The first setting disables anonymous ciphers. The next setting dis‐
7626 ables ciphers that use the MD5 digest algorithm or the (single) DES
7627 encryption algorithm. The next setting disables ciphers that use MD5
7628 and DES together. The next setting disables the two ciphers
7629 "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
7630 use "EDH" key exchange with RSA authentication.
7631
7632 This feature is available in Postfix 2.3 and later.
7633
7635 List of acceptable remote SMTP server certificate fingerprints for the
7636 "fingerprint" TLS security level (smtp_tls_security_level = finger‐
7637 print). At this security level, Certification Authorities are not used,
7638 and certificate expiration times are ignored. Instead, server certifi‐
7639 cates are verified directly via their certificate fingerprint or public
7640 key fingerprint (Postfix 2.9 and later). The fingerprint is a message
7641 digest of the server certificate (or public key). The digest algorithm
7642 is selected via the smtp_tls_fingerprint_digest parameter.
7643
7644 When an smtp_tls_policy_maps table entry specifies the "fingerprint"
7645 security level, any "match" attributes in that entry specify the list
7646 of valid fingerprints for the corresponding destination. Multiple fin‐
7647 gerprints can be combined with a "|" delimiter in a single match
7648 attribute, or multiple match attributes can be employed.
7649
7650 Example: Certificate fingerprint verification with internal mailhub.
7651 Two matching fingerprints are listed. The relayhost may be multiple
7652 physical hosts behind a load-balancer, each with its own private/public
7653 key and self-signed certificate. Alternatively, a single relayhost may
7654 be in the process of switching from one set of private/public keys to
7655 another, and both keys are trusted just prior to the transition.
7656
7657 relayhost = [mailhub.example.com]
7658 smtp_tls_security_level = fingerprint
7659 smtp_tls_fingerprint_digest = md5
7660 smtp_tls_fingerprint_cert_match =
7661 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7662 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7663
7664 Example: Certificate fingerprint verification with selected destina‐
7665 tions. As in the example above, we show two matching fingerprints:
7666
7667 /etc/postfix/main.cf:
7668 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7669 smtp_tls_fingerprint_digest = md5
7670
7671 /etc/postfix/tls_policy:
7672 example.com fingerprint
7673 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7674 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7675
7676 This feature is available in Postfix 2.5 and later.
7677
7679 The message digest algorithm used to construct remote SMTP server cer‐
7680 tificate fingerprints. At the "fingerprint" TLS security level
7681 (smtp_tls_security_level = fingerprint), the server certificate is ver‐
7682 ified by directly matching its certificate fingerprint or its public
7683 key fingerprint (Postfix 2.9 and later). The fingerprint is the message
7684 digest of the server certificate (or its public key) using the selected
7685 algorithm. With a digest algorithm resistant to "second pre-image"
7686 attacks, it is not feasible to create a new public key and a matching
7687 certificate (or public/private key-pair) that has the same fingerprint.
7688
7689 The default algorithm is md5; this is consistent with the backwards
7690 compatible setting of the digest used to verify client certificates in
7691 the SMTP server.
7692
7693 The best practice algorithm is now sha1. Recent advances in hash func‐
7694 tion cryptanalysis have led to md5 being deprecated in favor of sha1.
7695 However, as long as there are no known "second pre-image" attacks
7696 against md5, its use in this context can still be considered safe.
7697
7698 While additional digest algorithms are often available with OpenSSL's
7699 libcrypto, only those used by libssl in SSL cipher suites are available
7700 to Postfix. For now this means just md5 or sha1.
7701
7702 To find the fingerprint of a specific certificate file, with a specific
7703 digest algorithm, run:
7704
7705 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7706
7707 The text to the right of "=" sign is the desired fingerprint. For
7708 example:
7709
7710 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7711 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7712
7713 To extract the public key fingerprint from an X.509 certificate, you
7714 need to extract the public key from the certificate and compute the
7715 appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
7716 key" option of the "x509" command extracts the public key always in
7717 "PEM" format. We pipe the result to another OpenSSL command that con‐
7718 verts the key to DER and then to the "dgst" command to compute the fin‐
7719 gerprint.
7720
7721 The actual command to transform the key to DER format depends on the
7722 version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
7723 mand supports all key types. With OpenSSL 0.9.8 and earlier, the key
7724 type is always RSA (nobody uses DSA, and EC keys are not fully sup‐
7725 ported by 0.9.8), so the "rsa" command is used.
7726
7727 # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
7728 $ openssl x509 -in cert.pem -noout -pubkey |
7729 openssl pkey -pubin -outform DER |
7730 openssl dgst -sha1 -c
7731 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
7732
7733 # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
7734 $ openssl x509 -in cert.pem -noout -pubkey |
7735 openssl rsa -pubin -outform DER |
7736 openssl dgst -md5 -c
7737 (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
7738
7739 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
7740 gerprint and public key fingerprint when the TLS loglevel is 2 or
7741 higher.
7742
7743 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
7744 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
7745 later.
7746
7747 This feature is available in Postfix 2.5 and later.
7748
7750 Look up the associated DANE TLSA RRset even when a hostname is not an
7751 alias and its address records lie in an unsigned zone. This is
7752 unlikely to ever yield DNSSEC validated results, since child zones of
7753 unsigned zones are also unsigned in the absence of DLV or locally con‐
7754 figured non-root trust-anchors. We anticipate that such mechanisms
7755 will not be used for just the "_tcp" subdomain of a host. Suppressing
7756 the TLSA RRset lookup reduces latency and avoids potential interoper‐
7757 ability problems with nameservers for unsigned zones that are not pre‐
7758 pared to handle the new TLSA RRset.
7759
7760 This feature is available in Postfix 2.11.
7761
7763 File with the Postfix SMTP client RSA private key in PEM format. This
7764 file may be combined with the Postfix SMTP client RSA certificate file
7765 specified with $smtp_tls_cert_file. With Postfix >= 3.4 the preferred
7766 way to configure client keys and certificates is via the
7767 "smtp_tls_chain_files" parameter.
7768
7769 The private key must be accessible without a pass-phrase, i.e. it must
7770 not be encrypted. File permissions should grant read-only access to the
7771 system superuser account ("root"), and no access to anyone else.
7772
7773 Example:
7774
7775 smtp_tls_key_file = $smtp_tls_cert_file
7776
7777 This feature is available in Postfix 2.2 and later.
7778
7780 Enable additional Postfix SMTP client logging of TLS activity. Each
7781 logging level also includes the information that is logged at a lower
7782 logging level.
7783
7784 0 Disable logging of TLS activity.
7785
7786 1 Log only a summary message on TLS handshake completion - no
7787 logging of remote SMTP server certificate trust-chain verifica‐
7788 tion errors if server certificate verification is not required.
7789 With Postfix 2.8 and earlier, log the summary message and uncon‐
7790 ditionally log trust-chain verification errors.
7791
7792 2 Also log levels during TLS negotiation.
7793
7794 3 Also log hexadecimal and ASCII dump of TLS negotiation
7795 process.
7796
7797 4 Also log hexadecimal and ASCII dump of complete transmission
7798 after STARTTLS.
7799
7800 Do not use "smtp_tls_loglevel = 2" or higher except in case of prob‐
7801 lems. Use of loglevel 4 is strongly discouraged.
7802
7803 This feature is available in Postfix 2.2 and later.
7804
7806 The minimum TLS cipher grade that the Postfix SMTP client will use with
7807 mandatory TLS encryption. The default value "medium" is suitable for
7808 most destinations with which you may want to enforce TLS, and is beyond
7809 the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
7810 for information on how to configure ciphers on a per-destination basis.
7811
7812 The following cipher grades are supported:
7813
7814 export Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
7815 cipherlist is specified via the tls_export_cipherlist configura‐
7816 tion parameter, which you are strongly encouraged to not change.
7817 This choice is insecure and SHOULD NOT be used.
7818
7819 low Enable "LOW" grade or better OpenSSL ciphers. The underlying
7820 cipherlist is specified via the tls_low_cipherlist configuration
7821 parameter, which you are strongly encouraged to not change.
7822 This choice is insecure and SHOULD NOT be used.
7823
7824 medium Enable "MEDIUM" grade or better OpenSSL ciphers. The underlying
7825 cipherlist is specified via the tls_medium_cipherlist configura‐
7826 tion parameter, which you are strongly encouraged to not change.
7827
7828 high Enable only "HIGH" grade OpenSSL ciphers. This setting may be
7829 appropriate when all mandatory TLS destinations (e.g. when all
7830 mail is routed to a suitably capable relayhost) support at least
7831 one "HIGH" grade cipher. The underlying cipherlist is specified
7832 via the tls_high_cipherlist configuration parameter, which you
7833 are strongly encouraged to not change.
7834
7835 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
7836 cation without encryption. This setting is only appropriate in
7837 the rare case that all servers are prepared to use NULL ciphers
7838 (not normally enabled in TLS servers). A plausible use-case is
7839 an LMTP server listening on a UNIX-domain socket that is config‐
7840 ured to support "NULL" ciphers. The underlying cipherlist is
7841 specified via the tls_null_cipherlist configuration parameter,
7842 which you are strongly encouraged to not change.
7843
7844 The underlying cipherlists for grades other than "null" include anony‐
7845 mous ciphers, but these are automatically filtered out if the Postfix
7846 SMTP client is configured to verify server certificates. You are very
7847 unlikely to need to take any steps to exclude anonymous ciphers, they
7848 are excluded automatically as necessary. If you must exclude anonymous
7849 ciphers at the "may" or "encrypt" security levels, when the Postfix
7850 SMTP client does not need or use peer certificates, set
7851 "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
7852 when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
7853
7854 This feature is available in Postfix 2.3 and later.
7855
7856 smtp_tls_mandatory_exclude_ciphers
7857 Additional list of ciphers or cipher types to exclude from the Postfix
7858 SMTP client cipher list at mandatory TLS security levels. This list
7859 works in addition to the exclusions listed with
7860 smtp_tls_exclude_ciphers (see there for syntax details).
7861
7862 Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
7863 ified on a per-destination basis via the TLS policy "exclude"
7864 attribute. See smtp_tls_policy_maps for notes and examples.
7865
7866 This feature is available in Postfix 2.3 and later.
7867
7868 smtp_tls_mandatory_protocols
7869 List of SSL/TLS protocols that the Postfix SMTP client will use with
7870 mandatory TLS encryption. In main.cf the values are separated by
7871 whitespace, commas or colons. In the policy table "protocols" attribute
7872 (see smtp_tls_policy_maps) the only valid separator is colon. An empty
7873 value means allow all protocols. The valid protocol names (see
7874 SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1". The default
7875 value is "!SSLv2, !SSLv3" for Postfix releases after the middle of
7876 2015, "!SSLv2" for older releases.
7877
7878 With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
7879 col exclusions. One can explicitly exclude "SSLv2" by setting
7880 "smtp_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
7881 "SSLv3" set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
7882 the protocols to include, rather than protocols to exclude, is sup‐
7883 ported, but not recommended. The exclusion form more closely matches
7884 the underlying OpenSSL interface semantics.
7885
7886 The range of protocols advertised by an SSL/TLS client must be contigu‐
7887 ous. When a protocol version is enabled, disabling any higher version
7888 implicitly disables all versions above that higher version. Thus, for
7889 example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
7890
7891 smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7892 also disables any protocol version higher than TLSv1, leaving only
7893 "SSLv3" enabled.
7894
7895 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7896 "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
7897 later, these, or any other new protocol versions, cannot be disabled
7898 except by also disabling "TLSv1" (typically leaving just "SSLv3"). The
7899 latest patch levels of Postfix >= 2.6, and all versions of Postfix >=
7900 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
7901
7902 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
7903 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
7904 abled, if need be, via "!TLSv1.3".
7905
7906 At the dane and dane-only security levels, when usable TLSA records are
7907 obtained for the remote SMTP server, the Postfix SMTP client is obli‐
7908 gated to include the SNI TLS extension in its SSL client hello message.
7909 This may help the remote SMTP server live up to its promise to provide
7910 a certificate that matches its TLSA records. Since TLS extensions
7911 require TLS 1.0 or later, the Postfix SMTP client must disable "SSLv2"
7912 and "SSLv3" when SNI is required. If you use "dane" or "dane-only" do
7913 not disable TLSv1, except perhaps via the policy table for destinations
7914 which you are sure will support "TLSv1.1" or "TLSv1.2".
7915
7916 See the documentation of the smtp_tls_policy_maps parameter and
7917 TLS_README for more information about security levels.
7918
7919 Example:
7920
7921 # Preferred syntax with Postfix >= 2.5:
7922 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7923 # Legacy syntax:
7924 smtp_tls_mandatory_protocols = TLSv1
7925
7926 This feature is available in Postfix 2.3 and later.
7927
7928 smtp_tls_note_starttls_offer
7929 Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
7930 is not already enabled for that server.
7931
7932 The logfile record looks like:
7933
7934 postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
7935
7936 This feature is available in Postfix 2.2 and later.
7937
7938 smtp_tls_per_site
7939 Optional lookup tables with the Postfix SMTP client TLS usage policy by
7940 next-hop destination and by remote SMTP server hostname. When both
7941 lookups succeed, the more specific per-site policy (NONE, MUST, etc)
7942 overrides the less specific one (MAY), and the more secure per-site
7943 policy (MUST, etc) overrides the less secure one (NONE). With Postfix
7944 2.3 and later smtp_tls_per_site is strongly discouraged: use
7945 smtp_tls_policy_maps instead.
7946
7947 Use of the bare hostname as the per-site table lookup key is discour‐
7948 aged. Always use the full destination nexthop (enclosed in [] with a
7949 possible ":port" suffix). A recipient domain or MX-enabled transport
7950 next-hop with no port suffix may look like a bare hostname, but is
7951 still a suitable destination.
7952
7953 Specify a next-hop destination or server hostname on the left-hand
7954 side; no wildcards are allowed. The next-hop destination is either the
7955 recipient domain, or the destination specified with a transport(5) ta‐
7956 ble, the relayhost parameter, or the relay_transport parameter. On the
7957 right hand side specify one of the following keywords:
7958
7959 NONE Don't use TLS at all. This overrides a less specific MAY lookup
7960 result from the alternate host or next-hop lookup key, and over‐
7961 rides the global smtp_use_tls, smtp_enforce_tls, and
7962 smtp_tls_enforce_peername settings.
7963
7964 MAY Try to use TLS if the server announces support, otherwise use
7965 the unencrypted connection. This has less precedence than a more
7966 specific result (including NONE) from the alternate host or
7967 next-hop lookup key, and has less precedence than the more spe‐
7968 cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
7969 name = yes".
7970
7971 MUST_NOPEERMATCH
7972 Require TLS encryption, but do not require that the remote SMTP
7973 server hostname matches the information in the remote SMTP
7974 server certificate, or that the server certificate was issued by
7975 a trusted CA. This overrides a less secure NONE or a less spe‐
7976 cific MAY lookup result from the alternate host or next-hop
7977 lookup key, and overrides the global smtp_use_tls,
7978 smtp_enforce_tls and smtp_tls_enforce_peername settings.
7979
7980 MUST Require TLS encryption, require that the remote SMTP server
7981 hostname matches the information in the remote SMTP server cer‐
7982 tificate, and require that the remote SMTP server certificate
7983 was issued by a trusted CA. This overrides a less secure NONE
7984 and MUST_NOPEERMATCH or a less specific MAY lookup result from
7985 the alternate host or next-hop lookup key, and overrides the
7986 global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
7987 name settings.
7988
7989 The above keywords correspond to the "none", "may", "encrypt" and "ver‐
7990 ify" security levels for the new smtp_tls_security_level parameter
7991 introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
7992 of how the policy is specified, the smtp_tls_mandatory_ciphers and
7993 smtp_tls_mandatory_protocols parameters apply when TLS encryption is
7994 mandatory. Connections for which encryption is optional typically
7995 enable all "export" grade and better ciphers (see smtp_tls_ciphers and
7996 smtp_tls_protocols).
7997
7998 As long as no secure DNS lookup mechanism is available, false hostnames
7999 in MX or CNAME responses can change the server hostname that Postfix
8000 uses for TLS policy lookup and server certificate verification. Even
8001 with a perfect match between the server hostname and the server cer‐
8002 tificate, there is no guarantee that Postfix is connected to the right
8003 server. See TLS_README (Closing a DNS loophole with obsolete per-site
8004 TLS policies) for a possible work-around.
8005
8006 This feature is available in Postfix 2.2 and later. With Postfix 2.3
8007 and later use smtp_tls_policy_maps instead.
8008
8009 smtp_tls_policy_maps
8010 Optional lookup tables with the Postfix SMTP client TLS security policy
8011 by next-hop destination; when a non-empty value is specified, this
8012 overrides the obsolete smtp_tls_per_site parameter. See TLS_README for
8013 a more detailed discussion of TLS security levels.
8014
8015 Specify zero or more "type:name" lookup tables, separated by whitespace
8016 or comma. Tables will be searched in the specified order until a match
8017 is found.
8018
8019 The TLS policy table is indexed by the full next-hop destination, which
8020 is either the recipient domain, or the verbatim next-hop specified in
8021 the transport table, $local_transport, $virtual_transport,
8022 $relay_transport or $default_transport. This includes any enclosing
8023 square brackets and any non-default destination server port suffix. The
8024 LMTP socket type prefix (inet: or unix:) is not included in the lookup
8025 key.
8026
8027 Only the next-hop domain, or $myhostname with LMTP over UNIX-domain
8028 sockets, is used as the nexthop name for certificate verification. The
8029 port and any enclosing square brackets are used in the table lookup
8030 key, but are not used for server name verification.
8031
8032 When the lookup key is a domain name without enclosing square brackets
8033 or any :port suffix (typically the recipient domain), and the full
8034 domain is not found in the table, just as with the transport(5) table,
8035 the parent domain starting with a leading "." is matched recursively.
8036 This allows one to specify a security policy for a recipient domain and
8037 all its sub-domains.
8038
8039 The lookup result is a security level, followed by an optional list of
8040 whitespace and/or comma separated name=value attributes that override
8041 related main.cf settings. The TLS security levels in order of increas‐
8042 ing security are:
8043
8044 none No TLS. No additional attributes are supported at this level.
8045
8046 may Opportunistic TLS. Since sending in the clear is acceptable,
8047 demanding stronger than default TLS security merely reduces
8048 interoperability. The optional "ciphers", "exclude", and "proto‐
8049 cols" attributes (available for opportunistic TLS with Postfix
8050 >= 2.6) and "connection_reuse" attribute (Postfix >= 3.4) over‐
8051 ride the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers",
8052 "smtp_tls_protocols", and "smtp_tls_connection_reuse" configura‐
8053 tion parameters. When opportunistic TLS handshakes fail, Postfix
8054 retries the connection with TLS disabled. This allows mail
8055 delivery to sites with non-interoperable TLS implementations.
8056
8057 encrypt
8058 Mandatory TLS encryption. At this level and higher, the optional
8059 "protocols" attribute overrides the main.cf smtp_tls_manda‐
8060 tory_protocols parameter, the optional "ciphers" attribute over‐
8061 rides the main.cf smtp_tls_mandatory_ciphers parameter, the
8062 optional "exclude" attribute (Postfix >= 2.6) overrides the
8063 main.cf smtp_tls_mandatory_exclude_ciphers parameter, and the
8064 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8065 the main.cf smtp_tls_connection_reuse parameter. In the policy
8066 table, multiple protocols or excluded ciphers must be separated
8067 by colons, as attribute values may not contain whitespace or
8068 commas.
8069
8070 dane Opportunistic DANE TLS. The TLS policy for the destination is
8071 obtained via TLSA records in DNSSEC. If no TLSA records are
8072 found, the effective security level used is may. If TLSA
8073 records are found, but none are usable, the effective security
8074 level is encrypt. When usable TLSA records are obtained for the
8075 remote SMTP server, the server certificate must match the TLSA
8076 records. RFC 7672 (DANE) TLS authentication and DNSSEC support
8077 is available with Postfix 2.11 and later. The optional "connec‐
8078 tion_reuse" attribute (Postfix >= 3.4) overrides the main.cf
8079 smtp_tls_connection_reuse parameter.
8080
8081 dane-only
8082 Mandatory DANE TLS. The TLS policy for the destination is
8083 obtained via TLSA records in DNSSEC. If no TLSA records are
8084 found, or none are usable, no connection is made to the server.
8085 When usable TLSA records are obtained for the remote SMTP
8086 server, the server certificate must match the TLSA records. RFC
8087 7672 (DANE) TLS authentication and DNSSEC support is available
8088 with Postfix 2.11 and later. The optional "connection_reuse"
8089 attribute (Postfix >= 3.4) overrides the main.cf smtp_tls_con‐
8090 nection_reuse parameter.
8091
8092 fingerprint
8093 Certificate fingerprint verification. Available with Postfix 2.5
8094 and later. At this security level, there are no trusted Certifi‐
8095 cation Authorities. The certificate trust chain, expiration
8096 date, ... are not checked. Instead, the optional match
8097 attribute, or else the main.cf smtp_tls_fingerprint_cert_match
8098 parameter, lists the certificate fingerprints or the public key
8099 fingerprint (Postfix 2.9 and later) of the valid server certifi‐
8100 cate. The digest algorithm used to calculate the fingerprint is
8101 selected by the smtp_tls_fingerprint_digest parameter. Multiple
8102 fingerprints can be combined with a "|" delimiter in a single
8103 match attribute, or multiple match attributes can be employed.
8104 The ":" character is not used as a delimiter as it occurs
8105 between each pair of fingerprint (hexadecimal) digits. The
8106 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8107 the main.cf smtp_tls_connection_reuse parameter.
8108
8109 verify Mandatory TLS verification. At this security level, DNS MX
8110 lookups are trusted to be secure enough, and the name verified
8111 in the server certificate is usually obtained indirectly via
8112 unauthenticated DNS MX lookups. The optional "match" attribute
8113 overrides the main.cf smtp_tls_verify_cert_match parameter. In
8114 the policy table, multiple match patterns and strategies must be
8115 separated by colons. In practice explicit control over matching
8116 is more common with the "secure" policy, described below. The
8117 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8118 the main.cf smtp_tls_connection_reuse parameter.
8119
8120 secure Secure-channel TLS. At this security level, DNS MX lookups,
8121 though potentially used to determine the candidate next-hop
8122 gateway IP addresses, are not trusted to be secure enough for
8123 TLS peername verification. Instead, the default name verified in
8124 the server certificate is obtained directly from the next-hop,
8125 or is explicitly specified via the optional match attribute
8126 which overrides the main.cf smtp_tls_secure_cert_match parame‐
8127 ter. In the policy table, multiple match patterns and strategies
8128 must be separated by colons. The match attribute is most useful
8129 when multiple domains are served by a common server: the policy
8130 entries for the additional domains specify matching rules for the
8131 primary domain's certificate. While transport table overrides
8132 routing the secondary domains to the primary nexthop also allow
8133 secure verification, they risk delivery to the wrong destination
8134 when domains change hands or are re-assigned to new gateways.
8135 With the "match" attribute approach, routing is not perturbed,
8136 and mail is deferred if verification of a new MX host fails. The
8137 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8138 the main.cf smtp_tls_connection_reuse parameter.
8139
8140 Example:
8141
8142 /etc/postfix/main.cf:
8143 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
8144 # Postfix 2.5 and later
8145 smtp_tls_fingerprint_digest = md5
8146
8147 /etc/postfix/tls_policy:
8148 example.edu none
8149 example.mil may
8150 example.gov encrypt protocols=TLSv1
8151 example.com verify ciphers=high
8152 example.net secure
8153 .example.net secure match=.example.net:example.net
8154 [mail.example.org]:587 secure match=nexthop
8155 # Postfix 2.5 and later
8156 [thumb.example.org] fingerprint
8157 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8158 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8159
8160 Note: The hostname strategy if listed in a non-default setting of
8161 smtp_tls_secure_cert_match or in the match attribute in the policy ta‐
8162 ble can render the secure level vulnerable to DNS forgery. Do not use
8163 the hostname strategy for secure-channel configurations in environments
8164 where DNS security is not assured.
8165
8166 This feature is available in Postfix 2.3 and later.
8167
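The key-selection and attribute rules above are easy to get wrong in a hand-written table: a bracketed key never falls back to its parent domain, "none" accepts no attributes, and several fingerprints go either in one match value joined with "|" or in repeated match attributes. The script below is an added illustration written for this page, not part of postconf(5) or of Postfix: it parses the example tls_policy table shown above (embedded as a constructed string), performs the lookup as documented, and checks a certificate fingerprint the way the fingerprint level does. The fingerprint helper takes any hashlib digest name. The page's example keeps smtp_tls_fingerprint_digest = md5; MD5 is no longer collision-resistant, and Postfix 3.6 and later (at compatibility_level 3.6 or higher) default this parameter to sha256, so new deployments should use sha256 and compute the fingerprints they pin with that same digest.

```python
import hashlib
import re

# The page's own example table, embedded as a constructed string so the
# script runs offline.  Lines that start with whitespace continue the
# previous logical line, as in main.cf.
TLS_POLICY = """\
example.edu none
example.mil may
example.gov encrypt protocols=TLSv1
example.com verify ciphers=high
example.net secure
.example.net secure match=.example.net:example.net
[mail.example.org]:587 secure match=nexthop
[thumb.example.org] fingerprint
    match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
"""

LEVELS = ("none", "may", "encrypt", "dane", "dane-only",
          "fingerprint", "verify", "secure")


def parse_policy_table(text):
    """Return {lookup_key: (level, {attr: [value, ...]})}.

    The right-hand side is a security level followed by optional name=value
    attributes separated by whitespace and/or commas.  A repeated attribute
    (several "match=") keeps every value; "none" takes no attributes.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:      # continuation line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())

    table = {}
    for line in logical:
        parts = line.split(None, 1)
        key, rhs = parts[0], (parts[1] if len(parts) > 1 else "")
        fields = [f for f in re.split(r"[\s,]+", rhs) if f]
        if not fields or fields[0] not in LEVELS:
            raise ValueError("bad security level in: %r" % line)
        level, attrs = fields[0], {}
        for field in fields[1:]:
            name, sep, value = field.partition("=")
            if not sep or not value:
                raise ValueError("bad attribute %r in: %r" % (field, line))
            attrs.setdefault(name, []).append(value)
        if level == "none" and attrs:
            raise ValueError("'none' takes no attributes: %r" % line)
        table[key] = (level, attrs)
    return table


def lookup_policy(table, nexthop):
    """Policy for a full next-hop destination, or None.

    The key is tried verbatim first.  Only a bare domain (no enclosing []
    and no :port suffix) falls back to its parent domains with a leading
    ".", as transport(5) does; a bracketed host or host:port never does.
    """
    if nexthop in table:
        return table[nexthop]
    if nexthop.startswith("[") or ":" in nexthop:
        return None
    labels = nexthop.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def cert_fingerprint(der_bytes, digest="sha256"):
    """Fingerprint as Postfix prints it: digest of the DER-encoded
    certificate (or of the SubjectPublicKeyInfo for a public-key
    fingerprint), rendered as colon-separated upper-case hex pairs."""
    hexdigest = hashlib.new(digest, der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_allowed(policy, fingerprint):
    """True if a fingerprint-level policy lists this fingerprint.

    Each "match" value may hold several fingerprints joined with "|"
    (":" is taken by the hex pairs), and "match" may be repeated.
    """
    level, attrs = policy
    if level != "fingerprint":
        return False
    allowed = {fp.upper() for value in attrs.get("match", [])
               for fp in value.split("|")}
    return fingerprint.upper() in allowed


if __name__ == "__main__":
    table = parse_policy_table(TLS_POLICY)
    for dest in ("example.gov", "mail.sub.example.net",
                 "[mail.example.org]:587", "[mail.example.org]"):
        print("%-24s -> %s" % (dest, lookup_policy(table, dest)))
    thumb = lookup_policy(table, "[thumb.example.org]")
    print(fingerprint_allowed(
        thumb, "ec:3b:2d:b0:5b:b1:fb:6d:20:a3:9d:72:f6:8d:12:35"))  # True
```

Run it directly to see the lookups: "mail.sub.example.net" reaches the ".example.net" entry through the parent-domain fallback, while "[mail.example.org]" returns None because the table only holds the ":587" form and bracketed keys are matched verbatim. Fingerprint comparison is case-insensitive, so it does not matter whether the pinned value was pasted from openssl in upper or lower case.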
8168 smtp_tls_protocols
8169 List of TLS protocols that the Postfix SMTP client will exclude or
8170 include with opportunistic TLS encryption. The default value is
8171 "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
8172 "!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP
8173 client would use all protocols with opportunistic TLS.
8174
8175 In main.cf the values are separated by whitespace, commas or colons. In
8176 the policy table (see smtp_tls_policy_maps) the only valid separator is
8177 colon. An empty value means allow all protocols. The valid protocol
8178 names (see SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
8179
8180 The range of protocols advertised by an SSL/TLS client must be contigu‐
8181 ous. When a protocol version is enabled, disabling any higher version
8182 implicitly disables all versions above that higher version. Thus, for
8183 example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
8184
8185 smtp_tls_protocols = !SSLv2, !TLSv1
8186 also disables any protocol version higher than TLSv1, leaving only
8187 "SSLv3" enabled.
8188
8189 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
8190 "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
8191 of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or
8192 "TLSv1.2".
8193
8194 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
8195 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
8196 abled, if need be, via "!TLSv1.3".
8197
8198 To include a protocol, list its name; to exclude it, prefix the name
8199 with a "!" character. To exclude SSLv2 for opportunistic TLS set
8200 "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
8201 "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
8202 to include, rather than protocols to exclude, is supported, but not
8203 recommended. The exclusion form more closely matches the underlying
8204 OpenSSL interface semantics.
8205
8206 Example:
8207 # TLSv1 or better:
8208 smtp_tls_protocols = !SSLv2, !SSLv3
8209
8210 This feature is available in Postfix 2.6 and later.
8211
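The contiguous-range rule above, and its twin in the smtp_tls_mandatory_protocols description, is where most surprises with these two parameters come from, so here is a small model of it. This is an added illustration written for this page, not Postfix's own code: it follows the list syntax and the rules as documented here (a "!" prefix excludes a version; listing a name without "!" is the include form, which the model reads as excluding every version not listed; an unknown name is treated as a configuration error, which is the model's choice). Run it to see why "!SSLv2, !TLSv1" leaves only SSLv3, and why the legacy include form "TLSv1" stops meaning "TLSv1 or better" as soon as newer versions exist.

```python
import re

# Protocol versions in increasing order.  SSLv2 and SSLv3 are listed only
# so that the page's examples can be reproduced; modern OpenSSL has neither.
VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def effective_protocols(spec, supported=VERSIONS):
    """Versions a client configured with `spec` would actually offer.

    spec is a main.cf value ("!SSLv2, !SSLv3") or a policy-table value
    ("!SSLv2:!SSLv3"); separators are whitespace, commas or colons.
    A "!" prefix excludes a version.  If any version is listed without
    "!" (the include form), every version not listed is excluded.  An
    empty spec allows everything the library supports.  The result is then
    clamped to the contiguous run that starts at the lowest enabled
    version: a client hello cannot advertise a range with a hole in it,
    so disabling a version also drops everything above it.
    """
    include, exclude = set(), set()
    for tok in re.split(r"[\s,:]+", spec.strip()):
        if not tok:
            continue
        name = tok[1:] if tok.startswith("!") else tok
        if name not in supported:
            # Model choice: an unknown name is a configuration error.
            raise ValueError("unknown protocol name %r" % name)
        (exclude if tok.startswith("!") else include).add(name)
    if include:
        exclude |= set(supported) - include

    offered, started = [], False
    for version in supported:           # walk from lowest to highest
        if version not in exclude:
            offered.append(version)
            started = True
        elif started:
            break                       # first gap above the range ends it
    return tuple(offered)


if __name__ == "__main__":
    # The page's example: excluding TLSv1 also silences everything above it.
    print(effective_protocols("!SSLv2, !TLSv1"))          # ('SSLv3',)
    print(effective_protocols("!SSLv2, !SSLv3"))          # TLSv1 .. TLSv1.3
    # Policy-table spelling of the same thing (colon separated).
    print(effective_protocols("!SSLv2:!SSLv3"))
    # Why the include form is discouraged: "TLSv1" meant "TLSv1 or better"
    # when TLSv1 was the newest version, but names only TLSv1 today.
    print(effective_protocols("TLSv1", supported=VERSIONS[:3]))  # ('TLSv1',)
    print(effective_protocols("TLSv1"))                          # ('TLSv1',)
```

The last two calls return the same tuple, but against the full version list that tuple is one version out of six rather than "everything from TLSv1 up", which is the reason the page recommends the exclusion form: "!SSLv2, !SSLv3" keeps admitting new versions as the library grows.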
8212 smtp_tls_scert_verifydepth (default: 9)
8213 The verification depth for remote SMTP server certificates. A depth of
8214 1 is sufficient if the issuing CA is listed in a local CA file.
8215
8216 The default verification depth is 9 (the OpenSSL default) for compati‐
8217 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
8218 value was 5, but the limit was not actually enforced. If you have set
8219 this to a lower non-default value, certificates with longer trust
8220 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
8221 common; deeper chains are rarer, and any number between 5 and 9
8222 should suffice in practice. You can choose a lower number if, for
8223 example, you trust certificates directly signed by an issuing CA but not
8224 any CAs it delegates to.
8225
8226 This feature is available in Postfix 2.2 and later.
8227
8228 smtp_tls_secure_cert_match
8229 How the Postfix SMTP client verifies the server certificate peername
8230 for the "secure" TLS security level. In a "secure" TLS policy table
8231 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
8232 this main.cf setting.
8233
8234 This parameter specifies one or more patterns or strategies separated
8235 by commas, whitespace or colons. In the policy table the only valid
8236 separator is the colon character.
8237
8238 For a description of the pattern and strategy syntax see the
8239 smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
8240 avoided in this context, as in the absence of a secure global DNS,
8241 using the results of MX lookups in certificate verification is not
8242 immune to active (man-in-the-middle) attacks on DNS.
8243
8244 Sample main.cf setting:
8245
8246 smtp_tls_secure_cert_match = nexthop
8247
8248 Sample policy table override:
8249
8250 example.net secure match=example.com:.example.com
8251 .example.net secure match=example.com:.example.com
8252
8253 This feature is available in Postfix 2.3 and later.
8254
8255 smtp_tls_security_level
8256 The default SMTP TLS security level for the Postfix SMTP client; when a
8257 non-empty value is specified, this overrides the obsolete parameters
8258 smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
8259
8260 Specify one of the following security levels:
8261
8262 none No TLS. TLS will not be used unless enabled for specific desti‐
8263 nations via smtp_tls_policy_maps.
8264
8265 may Opportunistic TLS. Use TLS if this is supported by the remote
8266 SMTP server, otherwise use plaintext. Since sending in the clear
8267 is acceptable, demanding stronger than default TLS security
8268 merely reduces interoperability. The "smtp_tls_ciphers" and
8269 "smtp_tls_protocols" (Postfix >= 2.6) configuration parameters
8270 provide control over the protocols and cipher grade used with
8271 opportunistic TLS. With earlier releases the opportunistic TLS
8272 cipher grade is always "export" and no protocols are disabled.
8273 When TLS handshakes fail, the connection is retried with TLS
8274 disabled. This allows mail delivery to sites with non-interop‐
8275 erable TLS implementations.
8276
8277 encrypt
8278 Mandatory TLS encryption. Since a minimum level of security is
8279 intended, it is reasonable to be specific about sufficiently
8280 secure protocol versions and ciphers. At this security level and
8281 higher, the main.cf parameters smtp_tls_mandatory_protocols and
8282 smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
8283 cipher grade which the administrator considers secure enough for
8284 mandatory encrypted sessions. This security level is not an
8285 appropriate default for systems delivering mail to the Internet.
8286
8287 dane Opportunistic DANE TLS. At this security level, the TLS policy
8288 for the destination is obtained via DNSSEC. For TLSA policy to
8289 be in effect, the destination domain's containing DNS zone must
8290 be signed and the Postfix SMTP client's operating system must be
8291 configured to send its DNS queries to a recursive DNS nameserver
8292 that is able to validate the signed records. Each MX host's DNS
8293 zone should also be signed, and should publish DANE TLSA (RFC
8294 7672) records that specify how that MX host's TLS certificate is
8295 to be verified. TLSA records do not preempt the normal SMTP MX
8296 host selection algorithm; if some MX hosts support TLSA and oth‐
8297 ers do not, TLS security will vary from delivery to delivery.
8298 It is up to the domain owner to configure their MX hosts and
8299 their DNS sensibly. To configure the Postfix SMTP client for
8300 DNSSEC lookups see the documentation for the smtp_dns_sup‐
8301 port_level main.cf parameter. When DNSSEC-validated TLSA
8302 records are not found, the effective TLS security level is "may".
8303 When TLSA records are found, but are all unusable the effective
8304 security level is "encrypt". For purposes of protocol and
8305 cipher selection, the "dane" security level is treated like a
8306 "mandatory" TLS security level, and weak ciphers and protocols
8307 are disabled. Since DANE authenticates server certificates the
8308 "aNULL" cipher-suites are transparently excluded at this level,
8309 no need to configure this manually. RFC 7672 (DANE) TLS authen‐
8310 tication is available with Postfix 2.11 and later.
8311
8312 dane-only
8313 Mandatory DANE TLS. This is just like "dane" above, but DANE
8314 TLSA authentication is required. There is no fallback to "may"
8315 or "encrypt" when TLSA records are missing or unusable. RFC
8316 7672 (DANE) TLS authentication is available with Postfix 2.11
8317 and later.
8318
8319 fingerprint
8320 Certificate fingerprint verification. At this security level,
8321 there are no trusted Certification Authorities. The certificate
8322 trust chain, expiration date, etc., are not checked. Instead,
8323 the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
8324 cate fingerprint or public key fingerprint (Postfix 2.9 and
8325 later) of the valid server certificate. The digest algorithm
8326 used to calculate the fingerprint is selected by the
8327 smtp_tls_fingerprint_digest parameter. Available with Postfix
8328 2.5 and later.
8329
8330 verify Mandatory TLS verification. At this security level, DNS MX
8331 lookups are trusted to be secure enough, and the name verified
8332 in the server certificate is usually obtained indirectly via
8333 unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match
8334 parameter controls how the server name is verified. In practice
8335 explicit control over matching is more common at the "secure"
8336 level, described below. This security level is not an appropri‐
8337 ate default for systems delivering mail to the Internet.
8338
8339 secure Secure-channel TLS. At this security level, DNS MX lookups,
8340 though potentially used to determine the candidate next-hop
8341 gateway IP addresses, are not trusted to be secure enough for
8342 TLS peername verification. Instead, the default name verified in
8343 the server certificate is obtained from the next-hop domain as
8344 specified in the smtp_tls_secure_cert_match configuration param‐
8345 eter. The default matching rule is that a server certificate
8346 matches when its name is equal to or is a sub-domain of the nex‐
8347 thop domain. This security level is not an appropriate default
8348 for systems delivering mail to the Internet.
8349
8350 Examples:
8351
8352 # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8353 smtp_tls_security_level = none
8354
8355 # Opportunistic TLS.
8356 smtp_tls_security_level = may
8357 # Postfix >= 2.6:
8358 # Do not tweak opportunistic ciphers or protocol unless it is essential
8359 # to do so (if a security vulnerability is found in the SSL library that
8360 # can be mitigated by disabling a particular protocol or raising the
8361 # cipher grade from "export" to "low" or "medium").
8362 smtp_tls_ciphers = export
8363 smtp_tls_protocols = !SSLv2, !SSLv3
8364
8365 # Mandatory (high-grade) TLS encryption.
8366 smtp_tls_security_level = encrypt
8367 smtp_tls_mandatory_ciphers = high
8368
8369 # Mandatory TLS verification of hostname or nexthop domain.
8370 smtp_tls_security_level = verify
8371 smtp_tls_mandatory_ciphers = high
8372 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8373
8374 # Secure channel TLS with exact nexthop name match.
8375 smtp_tls_security_level = secure
8376 smtp_tls_mandatory_protocols = TLSv1
8377 smtp_tls_mandatory_ciphers = high
8378 smtp_tls_secure_cert_match = nexthop
8379
8380 # Certificate fingerprint verification (Postfix >= 2.5).
8381 # The CA-less "fingerprint" security level only scales to a limited
8382 # number of destinations. As a global default rather than a per-site
8383 # setting, this is practical when mail for all recipients is sent
8384 # to a central mail hub.
8385 relayhost = [mailhub.example.com]
8386 smtp_tls_security_level = fingerprint
8387 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8388 smtp_tls_mandatory_ciphers = high
8389 smtp_tls_fingerprint_cert_match =
8390 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8391 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8392
8393 This feature is available in Postfix 2.3 and later.
8394
8395 smtp_tls_servername
8396 Optional name to send to the remote SMTP server in the TLS Server Name
8397 Indication (SNI) extension. The SNI extension is always on when DANE
8398 is used to authenticate the server, and in that case the SNI name sent
8399 is the one required by RFC 7672 and this parameter is ignored.
8400
8401 Some SMTP servers use the received SNI name to select an appropriate
8402 certificate chain to present to the client. While this may improve
8403 interoperability with such servers, it may reduce interoperability with
8404 other servers that choose to abort the connection when they don't have
8405 a certificate chain configured for the requested name. Such servers
8406 should select a default certificate chain and continue the handshake,
8407 but some may not. Therefore, absent DANE, no SNI name is sent by
8408 default.
8409
8410 The SNI name must be either a valid DNS hostname, or else one of the
8411 special values hostname or nexthop, which select either the remote
8412 hostname or the nexthop domain respectively. DNS names for SNI must be
8413 in A-label (punycode) form. Invalid DNS names log a configuration
8414 error warning and mail delivery is deferred.
8415
8416 Except when using a relayhost to forward all email, the only sensible
8417 non-empty main.cf setting for this parameter is hostname. Other
8418 non-empty values are only practical on a per-destination basis via the
8419 servername attribute of the Postfix TLS policy table. When in doubt,
8420 leave this parameter empty, and configure per-destination SNI as
8421 needed.
8422
8423 This feature is available in Postfix 3.4 and later.
8424
8425 smtp_tls_session_cache_database
8426 Name of the file containing the optional Postfix SMTP client TLS ses‐
8427 sion cache. Specify a database type that supports enumeration, such as
8428 btree or sdbm; there is no need to support concurrent access. The file
8429 is created if it does not exist. The smtp(8) daemon does not use this
8430 parameter directly, rather the cache is implemented indirectly in the
8431 tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8432 of this parameter are not effective. Note that each of the cache
8433 databases supported by the tlsmgr(8) daemon, i.e.
8434 $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
8435 and (with Postfix 2.3 and later) $lmtp_tls_session_cache_database,
8436 needs to be stored separately. It is not at this time possible to
8437 store multiple caches in a single database.
8438
8439 Note: dbm databases are not suitable. TLS session objects are too
8440 large.
8441
8442 As of version 2.5, Postfix no longer uses root privileges when opening
8443 this file. The file should now be stored under the Postfix-owned
8444 data_directory. As a migration aid, an attempt to open the file under a
8445 non-Postfix directory is redirected to the Postfix-owned data_direc‐
8446 tory, and a warning is logged.
8447
8448 Example:
8449
8450 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8451
8452 This feature is available in Postfix 2.2 and later.
8453
8455 The expiration time of Postfix SMTP client TLS session cache informa‐
8456 tion. A cache cleanup is performed periodically every $smtp_tls_ses‐
8457 sion_cache_timeout seconds. As with $smtp_tls_session_cache_database,
8458 this parameter is implemented in the tlsmgr(8) daemon and therefore
8459 per-smtp-instance master.cf overrides are not possible.
8460
8461 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
8462 session caching is disabled. If set to a positive value less than 2
8463 minutes, the minimum value of 2 minutes is used instead.
8464
8465 This feature is available in Postfix 2.2 and later.
8466
8468 Zero or more PEM-format files with trust-anchor certificates and/or
8469 public keys. If the parameter is not empty the root CAs in CAfile and
8470 CApath are no longer trusted. Rather, the Postfix SMTP client will
8471 only trust certificate-chains signed by one of the trust-anchors con‐
8472 tained in the chosen files. The specified trust-anchor certificates
8473 and public keys are not subject to expiration, and need not be
8474 (self-signed) root CAs. They may, if desired, be intermediate certifi‐
8475 cates. Therefore, these certificates also may be found "in the middle"
8476 of the trust chain presented by the remote SMTP server, and any
8477 untrusted issuing parent certificates will be ignored. Specify a list
8478 of pathnames separated by comma or whitespace.
8479
8480 Whether specified in main.cf, or on a per-destination basis, the
8481 trust-anchor PEM file must be accessible to the Postfix SMTP client in
8482 the chroot jail if applicable. The trust-anchor file should contain
8483 only certificates and public keys, no private key material, and must be
8484 readable by the non-privileged $mail_owner user. This allows destina‐
8485 tions to be bound to a set of specific CAs or public keys without
8486 trusting the same CAs for all destinations.
8487
8488 The main.cf parameter supports single-purpose Postfix installations
8489 that send mail to a fixed set of SMTP peers. At most sites, if
8490 trust-anchor files are used at all, they will be specified on a
8491 per-destination basis via the "tafile" attribute of the "verify" and
8492 "secure" levels in smtp_tls_policy_maps.
8493
8494 The underlying mechanism is in support of RFC 7672 (DANE TLSA), which
8495 defines mechanisms for an SMTP client MTA to securely determine server
8496 TLS certificates via DNS.
8497
8498 If you want your trust anchors to be public keys, with OpenSSL you can
8499 extract a single PEM public key from a PEM X.509 file containing a sin‐
8500 gle certificate, as follows:
8501
8502 $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8503
8504 This feature is available in Postfix 2.11 and later.
8505
8507 How the Postfix SMTP client verifies the server certificate peername
8508 for the "verify" TLS security level. In a "verify" TLS policy table
8509 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
8510 this main.cf setting.
8511
8512 This parameter specifies one or more patterns or strategies separated
8513 by commas, whitespace or colons. In the policy table the only valid
8514 separator is the colon character.
8515
8516 Patterns specify domain names, or domain name suffixes:
8517
8518 example.com
8519 Match the example.com domain, i.e. one of the names in the server
8520 certificate must be example.com; upper and lower case distinc‐
8521 tions are ignored.
8522
8523 .example.com
8524 Match subdomains of the example.com domain, i.e. match a name in
8525 the server certificate that consists of a non-zero number of
8526 labels followed by a .example.com suffix. Case distinctions are
8527 ignored.
8528
8529 Strategies specify a transformation from the next-hop domain to the
8530 expected name in the server certificate:
8531
8532 nexthop
8533 Match against the next-hop domain, which is either the recipient
8534 domain, or the transport next-hop configured for the domain
8535 stripped of any optional socket type prefix, enclosing square
8536 brackets and trailing port. When MX lookups are not suppressed,
8537 this is the original nexthop domain prior to the MX lookup, not
8538 the result of the MX lookup. For LMTP delivery via UNIX-domain
8539 sockets, the verified next-hop name is $myhostname. This strat‐
8540 egy is suitable for use with the "secure" policy. Case is
8541 ignored.
8542
8543 dot-nexthop
8544 As above, but match server certificate names that are subdomains
8545 of the next-hop domain. Case is ignored.
8546
8547 hostname
8548 Match against the hostname of the server, often obtained via an
8549 unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
8550 sockets, the verified name is $myhostname. This matches the ver‐
8551 ification strategy of the "MUST" keyword in the obsolete
8552 smtp_tls_per_site table, and is suitable for use with the "ver‐
8553 ify" security level. When the next-hop name is enclosed in
8554 square brackets to suppress MX lookups, the "hostname" strategy
8555 is the same as the "nexthop" strategy. Case is ignored.
8556
8557 Sample main.cf setting:
8558
8559 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8560
8561 Sample policy table override:
8562
8563 example.com verify match=hostname:nexthop
8564 .example.com verify match=example.com:.example.com:hostname
8565
8566 This feature is available in Postfix 2.3 and later.
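
The patterns and strategies above, modelled in Python as an added example (this is not Postfix code): it assumes a constructed list of server certificate names, recognises only an "inet:" socket-type prefix on the next-hop, and leaves wildcard certificate names and the LMTP $myhostname case out.

```python
"""Model of the smtp_tls_verify_cert_match matching rules.

Example code added for this section; it is not Postfix's own matcher.
Assumptions: server names are a constructed list (no TLS connection is
made), wildcard certificate names and the LMTP/$myhostname case are not
modelled, and only an "inet:" socket-type prefix is recognised.
"""
import re
from typing import List, Tuple

STRATEGIES = ("nexthop", "dot-nexthop", "hostname")


def parse_match_spec(spec: str, policy_table: bool = False) -> List[str]:
    """Split a match specification into lower-cased patterns and strategies.

    main.cf allows commas, whitespace or colons as separators; inside a
    policy-table "match=" attribute only the colon is valid.
    """
    seps = r":" if policy_table else r"[,\s:]+"
    items = [s.lower() for s in re.split(seps, spec) if s]
    for item in items:
        if item in STRATEGIES:
            continue
        # Anything else must be a domain name or a .suffix pattern.
        if not re.fullmatch(r"\.?[a-z0-9-]+(\.[a-z0-9-]+)*", item):
            raise ValueError(f"invalid match pattern: {item!r}")
    return items


def nexthop_domain(nexthop: str) -> Tuple[str, bool]:
    """Strip the optional socket type, [] and :port from a next-hop.

    Returns the bare domain and whether it was enclosed in [] (which
    suppresses MX lookups and makes "hostname" behave like "nexthop").
    """
    nh = nexthop[len("inet:"):] if nexthop.startswith("inet:") else nexthop
    m = re.fullmatch(r"(\[)?([^\[\]:]+)\]?(?::\d+)?", nh)
    if not m:
        raise ValueError(f"cannot parse next-hop: {nexthop!r}")
    return m.group(2).lower(), m.group(1) is not None


def expected_names(items, nexthop, server_hostname):
    """Turn strategies and patterns into (kind, name) expectations.

    kind is "exact" (the certificate must carry exactly this name) or
    "suffix" (a non-zero number of labels followed by this .suffix).
    """
    domain, bracketed = nexthop_domain(nexthop)
    out = []
    for item in items:
        if item == "nexthop":
            out.append(("exact", domain))
        elif item == "dot-nexthop":
            out.append(("suffix", "." + domain))
        elif item == "hostname":
            # Usually from an unauthenticated MX lookup; with [] around the
            # next-hop it is the next-hop domain itself.
            out.append(("exact", domain if bracketed else server_hostname.lower()))
        elif item.startswith("."):
            out.append(("suffix", item))
        else:
            out.append(("exact", item))
    return out


def name_matches(kind, pattern, cert_name):
    """Case-insensitive comparison of one certificate name with one expectation."""
    cert_name = cert_name.lower().rstrip(".")
    if kind == "exact":
        return cert_name == pattern
    if not cert_name.endswith(pattern):
        return False
    prefix = cert_name[: -len(pattern)]
    # At least one label, and no empty labels, in front of the suffix.
    return bool(prefix) and all(prefix.split("."))


def cert_name_verified(spec, cert_names, nexthop, server_hostname,
                       policy_table=False):
    """True when any certificate name satisfies any pattern or strategy."""
    items = parse_match_spec(spec, policy_table)
    return any(
        name_matches(kind, pattern, name)
        for kind, pattern in expected_names(items, nexthop, server_hostname)
        for name in cert_names
    )
```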
8567
8569 Request that the Postfix SMTP client connects using the legacy SMTPS
8570 protocol instead of using the STARTTLS command.
8571
8572 This mode requires "smtp_tls_security_level = encrypt" or stronger.
8573
8574 Example: deliver all remote mail via a provider's server "mail.exam‐
8575 ple.com".
8576
8577 /etc/postfix/main.cf:
8578 # Client-side SMTPS requires "encrypt" or stronger.
8579 smtp_tls_security_level = encrypt
8580 smtp_tls_wrappermode = yes
8581 # The [] suppress MX lookups.
8582 relayhost = [mail.example.com]:465
8583
8584 More examples are in TLS_README, including examples for older Postfix
8585 versions.
8586
8587 This feature is available in Postfix 3.0 and later.
8588
8590 Opportunistic mode: use TLS when a remote SMTP server announces START‐
8591 TLS support, otherwise send the mail in the clear. Beware: some SMTP
8592 servers offer STARTTLS even if it is not configured. With Postfix <
8593 2.3, if the TLS handshake fails, and no other server is available,
8594 delivery is deferred and mail stays in the queue. If this is a concern
8595 for you, use the smtp_tls_per_site feature instead.
8596
8597 This feature is available in Postfix 2.2 and later. With Postfix 2.3
8598 and later use smtp_tls_security_level instead.
8599
8601 The Postfix SMTP client time limit for sending the XFORWARD command,
8602 and for receiving the remote SMTP server response.
8603
8604 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
8605 The default time unit is s (seconds).
8606
8607 This feature is available in Postfix 2.1 and later.
8608
8610 What remote SMTP clients are allowed to specify the XVERP command.
8611 This command requests that mail be delivered one recipient at a time
8612 with a per-recipient return address.
8613
8614 By default, no clients are allowed to specify XVERP.
8615
8616 This parameter was renamed with Postfix version 2.1. The default value
8617 is backwards compatible with Postfix version 2.0.
8618
8619 Specify a list of network/netmask patterns, separated by commas and/or
8620 whitespace. The mask specifies the number of bits in the network part
8621 of a host address. You can also specify hostnames or .domain names (the
8622 initial dot causes the domain to match any name below it),
8623 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8624 replaced by its contents; a "type:table" lookup table is matched when a
8625 table entry matches a lookup string (the lookup result is ignored).
8626 Continue long lines by starting the next line with whitespace. Specify
8627 "!pattern" to exclude an address or network block from the list. The
8628 form "!/file/name" is supported only in Postfix version 2.4 and later.
8629
8630 Note: IP version 6 address information must be specified inside [] in
8631 the smtpd_authorized_verp_clients value, and in files specified with
8632 "/file/name". IP version 6 addresses contain the ":" character, and
8633 would otherwise be confused with a "type:table" pattern.
8634
8636 What remote SMTP clients are allowed to use the XCLIENT feature. This
8637 command overrides remote SMTP client information that is used for
8638 access control. Typical use is for SMTP-based content filters, fetch‐
8639 mail-like programs, or SMTP server access rule testing. See the
8640 XCLIENT_README document for details.
8641
8642 This feature is available in Postfix 2.1 and later.
8643
8644 By default, no clients are allowed to specify XCLIENT.
8645
8646 Specify a list of network/netmask patterns, separated by commas and/or
8647 whitespace. The mask specifies the number of bits in the network part
8648 of a host address. You can also specify hostnames or .domain names (the
8649 initial dot causes the domain to match any name below it),
8650 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8651 replaced by its contents; a "type:table" lookup table is matched when a
8652 table entry matches a lookup string (the lookup result is ignored).
8653 Continue long lines by starting the next line with whitespace. Specify
8654 "!pattern" to exclude an address or network block from the list. The
8655 form "!/file/name" is supported only in Postfix version 2.4 and later.
8656
8657 Note: IP version 6 address information must be specified inside [] in
8658 the smtpd_authorized_xclient_hosts value, and in files specified with
8659 "/file/name". IP version 6 addresses contain the ":" character, and
8660 would otherwise be confused with a "type:table" pattern.
8661
8663 What remote SMTP clients are allowed to use the XFORWARD feature. This
8664 command forwards information that is used to improve logging after
8665 SMTP-based content filters. See the XFORWARD_README document for
8666 details.
8667
8668 This feature is available in Postfix 2.1 and later.
8669
8670 By default, no clients are allowed to specify XFORWARD.
8671
8672 Specify a list of network/netmask patterns, separated by commas and/or
8673 whitespace. The mask specifies the number of bits in the network part
8674 of a host address. You can also specify hostnames or .domain names (the
8675 initial dot causes the domain to match any name below it),
8676 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8677 replaced by its contents; a "type:table" lookup table is matched when a
8678 table entry matches a lookup string (the lookup result is ignored).
8679 Continue long lines by starting the next line with whitespace. Specify
8680 "!pattern" to exclude an address or network block from the list. The
8681 form "!/file/name" is supported only in Postfix version 2.4 and later.
8682
8683 Note: IP version 6 address information must be specified inside [] in
8684 the smtpd_authorized_xforward_hosts value, and in files specified with
8685 "/file/name". IP version 6 addresses contain the ":" character, and
8686 would otherwise be confused with a "type:table" pattern.
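
The network/netmask list syntax shared by smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts and smtpd_authorized_xforward_hosts, modelled in Python as an added example (not Postfix's own matcher): it assumes "/file/name" and "type:table" patterns are rejected rather than expanded, that the list is scanned left to right with the first matching pattern (negated or not) deciding, and that the client is a constructed (address, hostname) pair.

```python
"""Model of the network/netmask pattern lists used by the
smtpd_authorized_*_clients/_hosts parameters.

Example code added for these sections, not Postfix's own list matcher.
Assumptions: "/file/name" and "type:table" patterns are rejected rather
than expanded, the list is scanned left to right with the first matching
pattern (negated or not) deciding, and clients are constructed inputs.
"""
import ipaddress
import re
from typing import List, Tuple

NETWORK = re.compile(r"\[([0-9a-fA-F:.]+)\](?:/(\d+))?|([0-9.]+)(?:/(\d+))?")


def parse_client_list(value: str) -> List[Tuple[bool, str]]:
    """Split a main.cf value into (negated, pattern) pairs.

    Separators are commas and/or whitespace (continuation lines have
    already been joined). IPv6 must sit inside [] so that its ":" is not
    mistaken for a "type:table" pattern.
    """
    patterns = []
    for raw in re.split(r"[,\s]+", value.strip()):
        if not raw:
            continue
        negated = raw.startswith("!")
        pat = raw[1:] if negated else raw
        if pat.startswith("/") or (":" in pat and not pat.startswith("[")):
            raise ValueError(f"file, table or un-bracketed IPv6 pattern: {pat}")
        patterns.append((negated, pat))
    return patterns


def _as_network(pat: str):
    """ip_network for an address or address/bits pattern, else None."""
    m = NETWORK.fullmatch(pat)
    if not m:
        return None
    addr = m.group(1) or m.group(3)
    bits = m.group(2) or m.group(4)
    try:
        return ipaddress.ip_network(addr if bits is None else f"{addr}/{bits}",
                                    strict=False)
    except ValueError:
        return None  # digits-and-dots text that is not an address


def pattern_matches(pat: str, client_ip: str, client_hostname: str) -> bool:
    """One pattern against one client: network, exact hostname or .domain."""
    net = _as_network(pat)
    if net is not None:
        ip = ipaddress.ip_address(client_ip)
        return ip.version == net.version and ip in net
    host = client_hostname.lower().rstrip(".")
    pat = pat.lower()
    if pat.startswith("."):
        # The initial dot matches any name below the domain, not the domain.
        return host.endswith(pat) and len(host) > len(pat)
    return host == pat


def client_authorized(value: str, client_ip: str, client_hostname: str) -> bool:
    """Walk the list; "!pattern" excludes, anything unmatched is not authorized."""
    for negated, pat in parse_client_list(value):
        if pattern_matches(pat, client_ip, client_hostname):
            return not negated
    return False


# Constructed sample setting (RFC 5737/3849 documentation addresses).
SAMPLE_LIST = ("192.0.2.0/24, [2001:db8::]/32, !mail3.example.com, "
               ".example.com, relay.example.net")
```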
8687
8689 The text that follows the 220 status code in the SMTP greeting banner.
8690 Some people like to see the mail version advertised. By default, Post‐
8691 fix shows no version.
8692
8693 You MUST specify $myhostname at the start of the text. This is required
8694 by the SMTP protocol.
8695
8696 Example:
8697
8698 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
8699
8701 The maximal number of AUTH commands that any client is allowed to send
8702 to this service per time unit, regardless of whether or not Postfix
8703 actually accepts those commands. The time unit is specified with the
8704 anvil_rate_time_unit configuration parameter.
8705
8706 By default, there is no limit on the number of AUTH commands that a
8707 client may send.
8708
8709 To disable this feature, specify a limit of 0.
8710
8711 WARNING: The purpose of this feature is to limit abuse. It must not be
8712 used to regulate legitimate mail traffic.
8713
8714 This feature is available in Postfix 3.1 and later.
8715
8717 How many simultaneous connections any client is allowed to make to this
8718 service. By default, the limit is set to half the default process
8719 limit value.
8720
8721 To disable this feature, specify a limit of 0.
8722
8723 WARNING: The purpose of this feature is to limit abuse. It must not be
8724 used to regulate legitimate mail traffic.
8725
8726 This feature is available in Postfix 2.2 and later.
8727
8729 The maximal number of connection attempts any client is allowed to make
8730 to this service per time unit. The time unit is specified with the
8731 anvil_rate_time_unit configuration parameter.
8732
8733 By default, a client can make as many connections per time unit as
8734 Postfix can accept.
8735
8736 To disable this feature, specify a limit of 0.
8737
8738 WARNING: The purpose of this feature is to limit abuse. It must not be
8739 used to regulate legitimate mail traffic.
8740
8741 This feature is available in Postfix 2.2 and later.
8742
8743 Example:
8744
8745 smtpd_client_connection_rate_limit = 1000
8746
8748 Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
8749 tions. See the mynetworks parameter description for the parameter value
8750 syntax.
8751
8752 By default, clients in trusted networks are excluded. Specify a list of
8753 network blocks, hostnames or .domain names (the initial dot causes the
8754 domain to match any name below it).
8755
8756 Note: IP version 6 address information must be specified inside [] in
8757 the smtpd_client_event_limit_exceptions value, and in files specified
8758 with "/file/name". IP version 6 addresses contain the ":" character,
8759 and would otherwise be confused with a "type:table" pattern.
8760
8761 Pattern matching of domain names is controlled by the presence or
8762 absence of "smtpd_client_event_limit_exceptions" in the
8763 parent_domain_matches_subdomains parameter value (Postfix 3.0 and later).
8764
8765 This feature is available in Postfix 2.2 and later.
8766
8768 The maximal number of message delivery requests that any client is
8769 allowed to make to this service per time unit, regardless of whether or
8770 not Postfix actually accepts those messages. The time unit is speci‐
8771 fied with the anvil_rate_time_unit configuration parameter.
8772
8773 By default, a client can send as many message delivery requests per
8774 time unit as Postfix can accept.
8775
8776 To disable this feature, specify a limit of 0.
8777
8778 WARNING: The purpose of this feature is to limit abuse. It must not be
8779 used to regulate legitimate mail traffic.
8780
8781 This feature is available in Postfix 2.2 and later.
8782
8783 Example:
8784
8785 smtpd_client_message_rate_limit = 1000
8786
8788 The maximal number of new (i.e., uncached) TLS sessions that a remote
8789 SMTP client is allowed to negotiate with this service per time unit.
8790 The time unit is specified with the anvil_rate_time_unit configuration
8791 parameter.
8792
8793 By default, a remote SMTP client can negotiate as many new TLS sessions
8794 per time unit as Postfix can accept.
8795
8796 To disable this feature, specify a limit of 0. Otherwise, specify a
8797 limit that is at least the per-client concurrent session limit, or else
8798 legitimate client sessions may be rejected.
8799
8800 WARNING: The purpose of this feature is to limit abuse. It must not be
8801 used to regulate legitimate mail traffic.
8802
8803 This feature is available in Postfix 2.3 and later.
8804
8805 Example:
8806
8807 smtpd_client_new_tls_session_rate_limit = 100
8808
8810 Enable logging of the remote SMTP client port in addition to the host‐
8811 name and IP address. The logging format is "host[address]:port".
8812
8813 This feature is available in Postfix 2.5 and later.
8814
8816 The maximal number of recipient addresses that any client is allowed to
8817 send to this service per time unit, regardless of whether or not Post‐
8818 fix actually accepts those recipients. The time unit is specified with
8819 the anvil_rate_time_unit configuration parameter.
8820
8821 By default, a client can send as many recipient addresses per time unit
8822 as Postfix can accept.
8823
8824 To disable this feature, specify a limit of 0.
8825
8826 WARNING: The purpose of this feature is to limit abuse. It must not be
8827 used to regulate legitimate mail traffic.
8828
8829 This feature is available in Postfix 2.2 and later.
8830
8831 Example:
8832
8833 smtpd_client_recipient_rate_limit = 1000
8834
8836 Optional restrictions that the Postfix SMTP server applies in the con‐
8837 text of a client connection request. See SMTPD_ACCESS_README, section
8838 "Delayed evaluation of SMTP access restriction lists" for a discussion
8839 of evaluation context and time.
8840
8841 The default is to allow all connection requests.
8842
8843 Specify a list of restrictions, separated by commas and/or whitespace.
8844 Continue long lines by starting the next line with whitespace.
8845 Restrictions are applied in the order as specified; the first restric‐
8846 tion that matches wins.
8847
8848 The following restrictions are specific to client hostname or client
8849 network address information.
8850
8851 check_ccert_access type:table
8852 By default use the remote SMTP client certificate fingerprint or
8853 the public key fingerprint (Postfix 2.9 and later) as lookup key
8854 for the specified access(5) database; with Postfix version 2.2,
8855 also require that the remote SMTP client certificate is verified
8856 successfully. The fingerprint digest algorithm is configurable
8857 via the smtpd_tls_fingerprint_digest parameter (hard-coded as
8858 md5 prior to Postfix version 2.5). This feature requires
8859 "smtpd_tls_ask_ccert = yes" and is available with Postfix ver‐
8860 sion 2.2 and later.
8861 Alternatively, check_ccert_access accepts an explicit search
8862 order (Postfix 3.5 and later). The default search order as
8863 described above corresponds with:
8864 check_ccert_access { type:table, { search_order = cert_fingerprint,
8865 pubkey_fingerprint } }
8866 The commas are optional.
8867
8868 check_client_access type:table
8869 Search the specified access database for the client hostname,
8870 parent domains, client IP address, or networks obtained by
8871 stripping least significant octets. See the access(5) manual
8872 page for details.
8873
8874 check_client_a_access type:table
8875 Search the specified access(5) database for the IP addresses for
8876 the client hostname, and execute the corresponding action.
8877 Note: a result of "OK" is not allowed for safety reasons.
8878 Instead, use DUNNO in order to exclude specific hosts from
8879 blacklists. This feature is available in Postfix 3.0 and later.
8880
8881 check_client_mx_access type:table
8882 Search the specified access(5) database for the MX hosts for the
8883 client hostname, and execute the corresponding action. Note: a
8884 result of "OK" is not allowed for safety reasons. Instead, use
8885 DUNNO in order to exclude specific hosts from blacklists. This
8886 feature is available in Postfix 2.7 and later.
8887
8888 check_client_ns_access type:table
8889 Search the specified access(5) database for the DNS servers for
8890 the client hostname, and execute the corresponding action.
8891 Note: a result of "OK" is not allowed for safety reasons.
8892 Instead, use DUNNO in order to exclude specific hosts from
8893 blacklists. This feature is available in Postfix 2.7 and later.
8894
8895 check_reverse_client_hostname_access type:table
8896 Search the specified access database for the unverified reverse
8897 client hostname, parent domains, client IP address, or networks
8898 obtained by stripping least significant octets. See the
8899 access(5) manual page for details. Note: a result of "OK" is
8900 not allowed for safety reasons. Instead, use DUNNO in order to
8901 exclude specific hosts from blacklists. This feature is avail‐
8902 able in Postfix 2.6 and later.
8903
8904 check_reverse_client_hostname_a_access type:table
8905 Search the specified access(5) database for the IP addresses for
8906 the unverified reverse client hostname, and execute the corre‐
8907 sponding action. Note: a result of "OK" is not allowed for
8908 safety reasons. Instead, use DUNNO in order to exclude specific
8909 hosts from blacklists. This feature is available in Postfix 3.0
8910 and later.
8911
8912 check_reverse_client_hostname_mx_access type:table
8913 Search the specified access(5) database for the MX hosts for the
8914 unverified reverse client hostname, and execute the correspond‐
8915 ing action. Note: a result of "OK" is not allowed for safety
8916 reasons. Instead, use DUNNO in order to exclude specific hosts
8917 from blacklists. This feature is available in Postfix 2.7 and
8918 later.
8919
8920 check_reverse_client_hostname_ns_access type:table
8921 Search the specified access(5) database for the DNS servers for
8922 the unverified reverse client hostname, and execute the corre‐
8923 sponding action. Note: a result of "OK" is not allowed for
8924 safety reasons. Instead, use DUNNO in order to exclude specific
8925 hosts from blacklists. This feature is available in Postfix 2.7
8926 and later.
8927
8928 check_sasl_access type:table
8929 Use the remote SMTP client SASL user name as lookup key for the
8930 specified access(5) database. The lookup key has the form "user‐
8931 name@domainname" when the smtpd_sasl_local_domain parameter
8932 value is non-empty. Unlike the check_client_access feature,
8933 check_sasl_access does not perform matches of parent domains or
8934 IP subnet ranges. This feature is available with Postfix ver‐
8935 sion 2.11 and later.
8936
8937 permit_inet_interfaces
8938 Permit the request when the client IP address matches
8939 $inet_interfaces.
8940
8941 permit_mynetworks
8942 Permit the request when the client IP address matches any net‐
8943 work or network address listed in $mynetworks.
8944
8945 permit_sasl_authenticated
8946 Permit the request when the client is successfully authenticated
8947 via the RFC 4954 (AUTH) protocol.
8948
8949 permit_tls_all_clientcerts
8950 Permit the request when the remote SMTP client certificate is
8951 verified successfully. This option must be used only if a spe‐
8952 cial CA issues the certificates and only this CA is listed as
8953 trusted CA. Otherwise, clients with a third-party certificate
8954 would also be allowed to relay. Specify "tls_append_default_CA
8955 = no" when the trusted CA is specified with smtpd_tls_CAfile or
8956 smtpd_tls_CApath, to prevent Postfix from appending the sys‐
8957 tem-supplied default CAs. This feature requires
8958 "smtpd_tls_ask_ccert = yes" and is available with Postfix ver‐
8959 sion 2.2 and later.
8960
8961 permit_tls_clientcerts
8962 Permit the request when the remote SMTP client certificate fin‐
8963 gerprint or public key fingerprint (Postfix 2.9 and later) is
8964 listed in $relay_clientcerts. The fingerprint digest algorithm
8965 is configurable via the smtpd_tls_fingerprint_digest parameter
8966 (hard-coded as md5 prior to Postfix version 2.5). This feature
8967 requires "smtpd_tls_ask_ccert = yes" and is available with Post‐
8968 fix version 2.2 and later.
8969
8970 reject_rbl_client rbl_domain=d.d.d.d
8971 Reject the request when the reversed client network address is
8972 listed with the A record "d.d.d.d" under rbl_domain (Postfix
8973 version 2.1 and later only). Each "d" is a number, or a pattern
8974 inside "[]" that contains one or more ";"-separated numbers or
8975 number..number ranges (Postfix version 2.8 and later). If no
8976 "=d.d.d.d" is specified, reject the request when the reversed
8977 client network address is listed with any A record under
8978 rbl_domain.
8979 The maps_rbl_reject_code parameter specifies the response code
8980 for rejected requests (default: 554), the default_rbl_reply
8981 parameter specifies the default server reply, and the
8982 rbl_reply_maps parameter specifies tables with server replies
8983 indexed by rbl_domain. This feature is available in Postfix 2.0
8984 and later.
8985
8986 permit_dnswl_client dnswl_domain=d.d.d.d
8987 Accept the request when the reversed client network address is
8988 listed with the A record "d.d.d.d" under dnswl_domain. Each "d"
8989 is a number, or a pattern inside "[]" that contains one or more
8990 ";"-separated numbers or number..number ranges. If no
8991 "=d.d.d.d" is specified, accept the request when the reversed
8992 client network address is listed with any A record under
8993 dnswl_domain.
8994 For safety, permit_dnswl_client is silently ignored when it
8995 would override reject_unauth_destination. The result is
8996 DEFER_IF_REJECT when whitelist lookup fails. This feature is
8997 available in Postfix 2.8 and later.
8998
8999 reject_rhsbl_client rbl_domain=d.d.d.d
9000 Reject the request when the client hostname is listed with the A
9001 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
9002 only). Each "d" is a number, or a pattern inside "[]" that con‐
9003 tains one or more ";"-separated numbers or number..number ranges
9004 (Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
9005 reject the request when the client hostname is listed with any A
9006 record under rbl_domain. See the reject_rbl_client description
9007 above for additional RBL related configuration parameters. This
9008 feature is available in Postfix 2.0 and later; with Postfix ver‐
9009 sion 2.8 and later, reject_rhsbl_reverse_client will usually
9010 produce better results.
9011
9012 permit_rhswl_client rhswl_domain=d.d.d.d
9013 Accept the request when the client hostname is listed with the A
9014 record "d.d.d.d" under rhswl_domain. Each "d" is a number, or a
9015 pattern inside "[]" that contains one or more ";"-separated num‐
9016 bers or number..number ranges. If no "=d.d.d.d" is specified,
9017 accept the request when the client hostname is listed with any A
9018 record under rhswl_domain.
9019 Caution: client name whitelisting is fragile, since the client
9020 name lookup can fail due to temporary outages. Client name
9021 whitelisting should be used only to reduce false positives in
9022 e.g. DNS-based blocklists, and not for making access rule
9023 exceptions.
9024 For safety, permit_rhswl_client is silently ignored when it
9025 would override reject_unauth_destination. The result is
9026 DEFER_IF_REJECT when whitelist lookup fails. This feature is
9027 available in Postfix 2.8 and later.
9028
9029 reject_rhsbl_reverse_client rbl_domain=d.d.d.d
9030 Reject the request when the unverified reverse client hostname
9031 is listed with the A record "d.d.d.d" under rbl_domain. Each
9032 "d" is a number, or a pattern inside "[]" that contains one or
9033 more ";"-separated numbers or number..number ranges. If no
9034 "=d.d.d.d" is specified, reject the request when the unverified
9035 reverse client hostname is listed with any A record under
9036 rbl_domain. See the reject_rbl_client description above for
9037 additional RBL related configuration parameters. This feature
9038 is available in Postfix 2.8 and later.
9039
9040 reject_unknown_client_hostname (with Postfix < 2.3:
9041 reject_unknown_client)
9042 Reject the request when 1) the client IP address->name mapping
9043 fails, or 2) the name->address mapping fails, or 3) the
9044 name->address mapping does not match the client IP address.
9045 This is a stronger restriction than the
9046 reject_unknown_reverse_client_hostname feature, which triggers
9047 only under condition 1) above.
9048 The unknown_client_reject_code parameter specifies the response
9049 code for rejected requests (default: 450). The reply is always
9050 450 in case the address->name or name->address lookup failed due
9051 to a temporary problem.
9052
9053 reject_unknown_reverse_client_hostname
9054 Reject the request when the client IP address has no
9055 address->name mapping.
9056 This is a weaker restriction than the
9057 reject_unknown_client_hostname feature, which requires not only
9058 that the address->name and name->address mappings exist, but
9059 also that the two mappings reproduce the client IP address.
9060 The unknown_client_reject_code parameter specifies the response
9061 code for rejected requests (default: 450). The reply is always
9062 450 in case the address->name lookup failed due to a temporary
9063 problem.
9064 This feature is available in Postfix 2.3 and later.
9065
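The "rbl_domain=d.d.d.d" reply matching shared by reject_rbl_client, permit_dnswl_client, reject_rhsbl_client and permit_rhswl_client above, modelled in Python as an added example (not Postfix's own code): DNS is replaced by a constructed dictionary of A records with placeholder list names, and the reject_unauth_destination override and the reply-code parameters are not modelled.

```python
"""Model of DNS block/allow-list reply matching for reject_rbl_client,
permit_dnswl_client, reject_rhsbl_client and permit_rhswl_client.

Example code added for this section, not Postfix's implementation. DNS is
a constructed dictionary (list names and addresses are placeholders); the
reject_unauth_destination override and reply codes are not modelled.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

TOKEN = re.compile(r"\[[^\]]*\]|\d+")  # one "d": a number or a [...] group


def _octet_set(token: str) -> Set[int]:
    """Allowed values for one "d": a number, or ";"-separated numbers/ranges."""
    if not token.startswith("["):
        values = {int(token)}
    else:
        values = set()
        for piece in token[1:-1].split(";"):
            lo, _, hi = piece.partition("..")
            values.update(range(int(lo), int(hi or lo) + 1))
    if not values or not all(0 <= v <= 255 for v in values):
        raise ValueError(f"octet pattern out of range: {token}")
    return values


def parse_reply_pattern(spec: str):
    """Split "list_domain=d.d.d.d" into (domain, [set, set, set, set]).

    Without "=d.d.d.d" the second element is None: any A record is a hit.
    """
    domain, _, addr = spec.partition("=")
    if not addr:
        return domain.lower(), None
    tokens = TOKEN.findall(addr)
    if len(tokens) != 4 or ".".join(tokens) != addr:
        raise ValueError(f"malformed d.d.d.d pattern: {addr}")
    return domain.lower(), [_octet_set(t) for t in tokens]


def reply_listed(a_records: List[str], octet_sets) -> bool:
    """True when some returned A record matches the d.d.d.d pattern."""
    if octet_sets is None:
        return bool(a_records)
    for rec in a_records:
        octets = [int(o) for o in rec.split(".")]
        if all(o in allowed for o, allowed in zip(octets, octet_sets)):
            return True
    return False


def rbl_query_name(client_ip: str, list_domain: str) -> str:
    """Reversed client address under the list domain (IPv4 only here)."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + list_domain


def rhsbl_query_name(client_hostname: str, list_domain: str) -> str:
    """Client hostname under the list domain."""
    return client_hostname.lower().rstrip(".") + "." + list_domain


def evaluate(restriction: str, client_ip: str, client_hostname: str,
             resolver: Dict[str, Optional[List[str]]]) -> str:
    """Outcome of one list restriction: REJECT, PERMIT, DUNNO or DEFER_IF_*.

    resolver maps a query name to its A records; a missing key means "not
    listed" and a None value stands for a temporary lookup failure.
    """
    kind, spec = restriction.split(None, 1)
    domain, octet_sets = parse_reply_pattern(spec)
    if kind in ("reject_rbl_client", "permit_dnswl_client"):
        qname = rbl_query_name(client_ip, domain)
    elif kind in ("reject_rhsbl_client", "permit_rhswl_client"):
        qname = rhsbl_query_name(client_hostname, domain)
    else:
        raise ValueError(f"unsupported restriction: {kind}")
    records = resolver.get(qname, [])
    if records is None:
        # Temporary failure: an allow-list yields DEFER_IF_REJECT; a
        # block-list the implicit DEFER_IF_PERMIT noted under warn_if_reject.
        return "DEFER_IF_REJECT" if kind.startswith("permit_") else "DEFER_IF_PERMIT"
    hit = reply_listed(records, octet_sets)
    if kind.startswith("permit_"):
        return "PERMIT" if hit else "DUNNO"
    return "REJECT" if hit else "DUNNO"


# Constructed stand-in for DNS; None simulates a temporary lookup failure.
SAMPLE_RESOLVER: Dict[str, Optional[List[str]]] = {
    "10.2.0.192.zen.example.net": ["127.0.0.4"],
    "mail.example.org.rhs.example.net": ["127.0.0.2"],
    "10.2.0.192.dnswl.example.net": None,
}
```
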
9066 In addition, you can use any of the following generic restrictions.
9067 These restrictions are applicable in any SMTP command context.
9068
9069 check_policy_service servername
9070 Query the specified policy server. See the SMTPD_POLICY_README
9071 document for details. This feature is available in Postfix 2.1
9072 and later.
9073
9074 defer Defer the request. The client is told to try again later. This
9075 restriction is useful at the end of a restriction list, to make
9076 the default policy explicit.
9077 The defer_code parameter specifies the SMTP server reply code
9078 (default: 450).
9079
9080 defer_if_permit
9081 Defer the request if some later restriction would result in an
9082 explicit or implicit PERMIT action. This is useful when a
9083 blacklisting feature fails due to a temporary problem. This
9084 feature is available in Postfix version 2.1 and later.
9085
9086 defer_if_reject
9087 Defer the request if some later restriction would result in a
9088 REJECT action. This is useful when a whitelisting feature fails
9089 due to a temporary problem. This feature is available in Post‐
9090 fix version 2.1 and later.
9091
9092 permit Permit the request. This restriction is useful at the end of a
9093 restriction list, to make the default policy explicit.
9094
9095 reject_multi_recipient_bounce
9096 Reject the request when the envelope sender is the null address,
9097 and the message has multiple envelope recipients. This usage has
9098 rare but legitimate applications: under certain conditions,
9099 multi-recipient mail that was posted with the DSN option
9100 NOTIFY=NEVER may be forwarded with the null sender address.
9101 Note: this restriction can only work reliably when used in
9102 smtpd_data_restrictions or smtpd_end_of_data_restrictions,
9103 because the total number of recipients is not known at an ear‐
9104 lier stage of the SMTP conversation. Use at the RCPT stage will
9105 only reject the second etc. recipient.
9106 The multi_recipient_bounce_reject_code parameter specifies the
9107 response code for rejected requests (default: 550). This fea‐
9108 ture is available in Postfix 2.1 and later.
9109
9110 reject_plaintext_session
9111 Reject the request when the connection is not encrypted. This
9112 restriction should not be used before the client has had a
9113 chance to negotiate encryption with the AUTH or STARTTLS com‐
9114 mands.
9115 The plaintext_reject_code parameter specifies the response code
9116 for rejected requests (default: 450). This feature is avail‐
9117 able in Postfix 2.3 and later.
9118
9119 reject_unauth_pipelining
9120 Reject the request when the client sends SMTP commands ahead of
9121 time where it is not allowed, or when the client sends SMTP com‐
9122 mands ahead of time without knowing that Postfix actually sup‐
9123 ports ESMTP command pipelining. This stops mail from bulk mail
9124 software that improperly uses ESMTP command pipelining in order
9125 to speed up deliveries.
9126 With Postfix 2.6 and later, the SMTP server sets a per-session
9127 flag whenever it detects illegal pipelining, including pipelined
9128 HELO or EHLO commands. The reject_unauth_pipelining feature sim‐
9129 ply tests whether the flag was set at any point in time during
9130 the session.
9131 With older Postfix versions, reject_unauth_pipelining checks the
9132 current status of the input read queue, and its usage is not
9133 recommended in contexts other than smtpd_data_restrictions.
9134
9135 reject Reject the request. This restriction is useful at the end of a
9136 restriction list, to make the default policy explicit. The
9137 reject_code configuration parameter specifies the response code
9138 for rejected requests (default: 554).
9139
9140 sleep seconds
9141 Pause for the specified number of seconds and proceed with the
9142 next restriction in the list, if any. This may stop zombie mail
9143 when used as:
9144 /etc/postfix/main.cf:
9145 smtpd_client_restrictions =
9146 sleep 1, reject_unauth_pipelining
9147 smtpd_delay_reject = no
9148 This feature is available in Postfix 2.3.
9149
9150 warn_if_reject
9151 A safety net for testing. When "warn_if_reject" is placed before
9152 a reject-type restriction, access table query, or check_pol‐
9153 icy_service query, this logs a "reject_warning" message instead
9154 of rejecting a request (when a reject-type restriction fails due
9155 to a temporary error, this logs a "reject_warning" message for
9156 any implicit "defer_if_permit" actions that would normally pre‐
9157 vent mail from being accepted by some later access restriction).
9158 This feature has no effect on defer_if_reject restrictions.
9159
9160 Other restrictions that are valid in this context:
9161
9162 · SMTP command specific restrictions that are described under the
9163 smtpd_helo_restrictions, smtpd_sender_restrictions or
9164 smtpd_recipient_restrictions parameters. When helo, sender or
9165 recipient restrictions are listed under smtpd_client_restric‐
9166 tions, they have effect only with "smtpd_delay_reject = yes", so
9167 that $smtpd_client_restrictions is evaluated at the time of the
9168 RCPT TO command.
9169
9170 Example:
9171
9172 smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
9173
9174 smtpd_command_filter (default: empty)
9175 A mechanism to transform commands from remote SMTP clients. This is a
9176 last-resort tool to work around client commands that break interoper‐
9177 ability with the Postfix SMTP server. Other uses involve fault injec‐
9178 tion to test Postfix's handling of invalid commands.
9179
9180 Specify the name of a "type:table" lookup table. The search string is
9181 the SMTP command as received from the remote SMTP client, except that
9182 initial whitespace and the trailing <CR><LF> are removed. The result
9183 value is executed by the Postfix SMTP server.
9184
9185 There is no need to use smtpd_command_filter for the following cases:
9186
9187 · Use "resolve_numeric_domain = yes" to accept "user@ipaddress".
9188
9189 · Postfix already accepts the correct form "user@[ipaddress]". Use
9190 virtual_alias_maps or canonical_maps to translate these into
9191 domain names if necessary.
9192
9193 · Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
9194 <user@example.com>>". Postfix will ignore the "User Name" part
9195 and deliver to the <user@example.com> address.
9196
9197 Examples of problems that can be solved with the smtpd_command_filter
9198 feature:
9199
9200 /etc/postfix/main.cf:
9201 smtpd_command_filter = pcre:/etc/postfix/command_filter
9202
9203 /etc/postfix/command_filter:
9204 # Work around clients that send malformed HELO commands.
9205 /^HELO\s*$/ HELO domain.invalid
9206
9207 # Work around clients that send empty lines.
9208 /^\s*$/ NOOP
9209
9210 # Work around clients that send RCPT TO:<'user@domain'>.
9211 # WARNING: do not lose the parameters that follow the address.
9212 /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/ $1$2$3
9213
9214 # Append XVERP to MAIL FROM commands to request VERP-style delivery.
9215 # See VERP_README for more information on how to use Postfix VERP.
9216 /^(MAIL FROM:\s*<listname@example\.com>.*)/ $1 XVERP
9217
9218 # Bounce-never mail sink. Use notify_classes=bounce,resource,software
9219 # to send bounced mail to the postmaster (with message body removed).
9220 /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/ $1 NOTIFY=NEVER$2
9221 /^(RCPT\s+TO:.*)/ $1 NOTIFY=NEVER
9222
9223 This feature is available in Postfix 2.7.
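The table above is consulted exactly once per command: smtpd(8) builds a lookup key from the received command and executes the result of the first matching pattern, so a later pattern is never applied to an already rewritten command. The following added example (not Postfix code, not from the page's command_filter file) simulates that behaviour in Python. The patterns are the man page's own examples translated from PCRE to Python's re module ($1 becomes \1, [^[:space:]] becomes \S); the sample client lines are constructed, and IGNORECASE mirrors the default case-insensitive matching of Postfix pcre: tables.

```python
"""smtpd_command_filter simulation: added example, not Postfix source code.

Postfix looks the received command up in the table and executes the result
of the FIRST matching pattern; it does not apply further rules to the
rewritten command.  The patterns are the man page examples translated from
PCRE to Python's re module: $1 becomes \\1 and [^[:space:]] becomes \\S.
Postfix pcre: tables match case-insensitively by default, hence IGNORECASE.
"""
import re

COMMAND_FILTER = [
    # Work around clients that send malformed HELO commands.
    (r"^HELO\s*$", r"HELO domain.invalid"),
    # Work around clients that send empty lines.
    (r"^\s*$", r"NOOP"),
    # Work around clients that send RCPT TO:<'user@domain'>; keep the
    # parameters that follow the address.
    (r"^(RCPT\s+TO:\s*<)'(\S+)'(>.*)", r"\1\2\3"),
    # Append XVERP to MAIL FROM commands for one list address.
    (r"^(MAIL FROM:\s*<listname@example\.com>.*)", r"\1 XVERP"),
    # Bounce-never mail sink: force NOTIFY=NEVER, keeping other parameters.
    (r"^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)", r"\1 NOTIFY=NEVER\2"),
    (r"^(RCPT\s+TO:.*)", r"\1 NOTIFY=NEVER"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), r) for p, r in COMMAND_FILTER]


def filter_command(raw_line: bytes) -> str:
    """Build the lookup key as smtpd(8) does (drop leading whitespace and the
    trailing CRLF) and return the command that would actually be executed."""
    key = raw_line.decode("ascii", "replace").rstrip("\r\n").lstrip()
    for pattern, replacement in COMPILED:
        if pattern.search(key):
            return pattern.sub(replacement, key, count=1)
    return key  # no match: the command runs unchanged


if __name__ == "__main__":
    # Constructed client input.  The third line shows the first-match rule:
    # the quote fix wins, so the NOTIFY=NEVER rewrite is never applied to it.
    for raw in (b"HELO\r\n", b"   \r\n",
                b"RCPT TO:<'user@example.com'> NOTIFY=SUCCESS\r\n",
                b"RCPT TO:<alice@example.org> NOTIFY=FAILURE ORCPT=rfc822;alice@example.org\r\n",
                b"MAIL FROM:<listname@example.com> SIZE=1234\r\n"):
        print(repr(raw), "->", filter_command(raw))
```

The practical check this makes visible: a quoted-address RCPT line is fixed by the third rule and therefore never reaches the NOTIFY=NEVER rules, so a mail sink that also wants to tolerate quoted addresses must fold both rewrites into one pattern rather than rely on rules chaining.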
9224
9225 smtpd_data_restrictions (default: empty)
9226 Optional access restrictions that the Postfix SMTP server applies in
9227 the context of the SMTP DATA command. See SMTPD_ACCESS_README, section
9228 "Delayed evaluation of SMTP access restriction lists" for a discussion
9229 of evaluation context and time.
9230
9231 This feature is available in Postfix 2.0 and later.
9232
9233 Specify a list of restrictions, separated by commas and/or whitespace.
9234 Continue long lines by starting the next line with whitespace.
9235 Restrictions are applied in the order as specified; the first restric‐
9236 tion that matches wins.
9237
9238 The following restrictions are valid in this context:
9239
9240 · Generic restrictions that can be used in any SMTP command con‐
9241 text, described under smtpd_client_restrictions.
9242
9243 · SMTP command specific restrictions described under
9244 smtpd_client_restrictions, smtpd_helo_restrictions,
9245 smtpd_sender_restrictions or smtpd_recipient_restrictions.
9246
9247 · However, no recipient information is available in the case of
9248 multi-recipient mail. Acting on only one recipient would be mis‐
9249 leading, because any decision will affect all recipients
9250 equally. Acting on all recipients would require a possibly very
9251 large amount of memory, and would also be misleading for the
9252 reasons mentioned before.
9253
9254 Examples:
9255
9256 smtpd_data_restrictions = reject_unauth_pipelining
9257 smtpd_data_restrictions = reject_multi_recipient_bounce
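The generic restrictions described under smtpd_client_restrictions above (permit, reject, defer_if_permit, defer_if_reject, warn_if_reject) and the RCPT-versus-DATA limitation of reject_multi_recipient_bounce are easiest to understand by stepping through a restriction list. The following added example (not Postfix code) models that walk in Python: the first restriction that permits or rejects wins, the end of the list is an implicit permit, and the defer_if_* markers only change the final verdict. The $mynetworks value, the check_client_access table contents and the client addresses are constructed for the demonstration.

```python
"""Model of how smtpd(8) walks an access restriction list: added example,
not Postfix source code.  Restriction results are PERMIT, REJECT, DUNNO,
DEFER, or the two markers DEFER_IF_PERMIT and DEFER_IF_REJECT; the first
restriction that permits or rejects wins, and the end of the list is an
implicit PERMIT.  The access table, $mynetworks and client data below are
constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
# Stand-in for a check_client_access access(5) table (exact-match only here).
CLIENT_ACCESS = {"198.51.100.7": "REJECT",            # listed client
                 "203.0.113.5": "DEFER_IF_PERMIT"}    # blacklist lookup failed temporarily


@dataclass
class Session:
    client_addr: str
    sender: Optional[str] = None        # None: no MAIL yet; "": null sender <>
    recipients: List[str] = field(default_factory=list)
    illegal_pipelining: bool = False    # per-session flag set by smtpd >= 2.6
    log: List[str] = field(default_factory=list)


def permit_mynetworks(s):
    addr = ipaddress.ip_address(s.client_addr)
    return "PERMIT" if any(addr in net for net in MYNETWORKS) else "DUNNO"


def reject_multi_recipient_bounce(s):
    # Only recipients seen so far are known; at RCPT time that is never the
    # final count, which is why this belongs in smtpd_data_restrictions.
    return "REJECT" if s.sender == "" and len(s.recipients) > 1 else "DUNNO"


RESTRICTIONS = {
    "permit": lambda s: "PERMIT",
    "reject": lambda s: "REJECT",
    "defer_if_permit": lambda s: "DEFER_IF_PERMIT",
    "defer_if_reject": lambda s: "DEFER_IF_REJECT",
    "permit_mynetworks": permit_mynetworks,
    "check_client_access": lambda s: CLIENT_ACCESS.get(s.client_addr, "DUNNO"),
    "reject_unauth_pipelining": lambda s: "REJECT" if s.illegal_pipelining else "DUNNO",
    "reject_multi_recipient_bounce": reject_multi_recipient_bounce,
}


def evaluate(session, restrictions):
    defer_if_permit = defer_if_reject = warn_next = False
    for name in restrictions:
        if name == "warn_if_reject":        # applies to the next restriction only
            warn_next = True
            continue
        result = RESTRICTIONS[name](session)
        if warn_next:
            warn_next = False
            if result in ("REJECT", "DEFER_IF_PERMIT"):
                session.log.append(f"reject_warning: {name}")
                result = "DUNNO"
        if result == "DEFER_IF_PERMIT":
            defer_if_permit = True
        elif result == "DEFER_IF_REJECT":
            defer_if_reject = True
        elif result == "REJECT":
            return "DEFER" if defer_if_reject else "REJECT"
        elif result == "PERMIT":
            return "DEFER" if defer_if_permit else "PERMIT"
        elif result != "DUNNO":
            return result                   # an explicit DEFER
    return "DEFER" if defer_if_permit else "PERMIT"


def rcpt_to(session, recipient, restrictions):
    """RCPT stage: the candidate recipient counts; a rejected one is dropped."""
    session.recipients.append(recipient)
    verdict = evaluate(session, restrictions)
    if verdict != "PERMIT":
        session.recipients.pop()
    return verdict


def data(session, restrictions):
    """DATA stage: every accepted recipient is known."""
    return evaluate(session, restrictions)
```

Calling rcpt_to twice with the null sender and the list ["reject_multi_recipient_bounce"] accepts the first recipient and rejects only the second, while data on a session that already holds two recipients rejects the whole message. With warn_if_reject in front of check_client_access, the listed client produces a reject_warning log entry and then falls through to the implicit permit, which is exactly what makes the prefix safe for testing a new rule in production.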
9258
9259 smtpd_delay_open_until_valid_rcpt (default: yes)
9260 Postpone the start of an SMTP mail transaction until a valid RCPT TO
9261 command is received. Specify "no" to create a mail transaction as soon
9262 as the Postfix SMTP server receives a valid MAIL FROM command.
9263
9264 With sites that reject lots of mail, the default setting reduces the
9265 use of disk, CPU and memory resources. The downside is that rejected
9266 recipients are logged with NOQUEUE instead of a mail transaction ID.
9267 This complicates the logfile analysis of multi-recipient mail.
9268
9269 This feature is available in Postfix 2.3 and later.
9270
9271 smtpd_delay_reject (default: yes)
9272 Wait until the RCPT TO command before evaluating $smtpd_client_restric‐
9273 tions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
9274 until the ETRN command before evaluating $smtpd_client_restrictions and
9275 $smtpd_helo_restrictions.
9276
9277 This feature is turned on by default because some clients apparently
9278 mis-behave when the Postfix SMTP server rejects commands before RCPT
9279 TO.
9280
9281 The default setting has one major benefit: it allows Postfix to log
9282 recipient address information when rejecting a client name/address or
9283 sender address, so that it is possible to find out whose mail is being
9284 rejected.
9285
9286 smtpd_discard_ehlo_keyword_address_maps (default: empty)
9287 Lookup tables, indexed by the remote SMTP client address, with case
9288 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
9289 that the Postfix SMTP server will not send in the EHLO response to a
9290 remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
9291 tables are not searched by hostname for robustness reasons.
9292
9293 Specify zero or more "type:name" lookup tables, separated by whitespace
9294 or comma. Tables will be searched in the specified order until a match
9295 is found.
9296
9297 This feature is available in Postfix 2.2 and later.
9298
9299 smtpd_discard_ehlo_keywords (default: empty)
9300 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
9301 etc.) that the Postfix SMTP server will not send in the EHLO response
9302 to a remote SMTP client.
9303
9304 This feature is available in Postfix 2.2 and later.
9305
9306 Notes:
9307
9308 · Specify the silent-discard pseudo keyword to prevent this action
9309 from being logged.
9310
9311 · Use the smtpd_discard_ehlo_keyword_address_maps feature to dis‐
9312 card EHLO keywords selectively.
9313
9314 smtpd_dns_reply_filter (default: empty)
9315 Optional filter for Postfix SMTP server DNS lookup results. See
9316 smtp_dns_reply_filter for details including an example.
9317
9318 This feature is available in Postfix 3.0 and later.
9319
9320 smtpd_end_of_data_restrictions (default: empty)
9321 Optional access restrictions that the Postfix SMTP server applies in
9322 the context of the SMTP END-OF-DATA command. See SMTPD_ACCESS_README,
9323 section "Delayed evaluation of SMTP access restriction lists" for a
9324 discussion of evaluation context and time.
9325
9326 This feature is available in Postfix 2.2 and later.
9327
9328 See smtpd_data_restrictions for details and limitations.
9329
9330 smtpd_enforce_tls (default: no)
9331 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
9332 require that clients use TLS encryption. According to RFC 2487 this
9333 MUST NOT be applied in case of a publicly-referenced SMTP server. This
9334 option is therefore off by default.
9335
9336 Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
9337
9338 Note 2: when invoked via "sendmail -bs", Postfix will never offer
9339 STARTTLS due to insufficient privileges to access the server private
9340 key. This is intended behavior.
9341
9342 This feature is available in Postfix 2.2 and later. With Postfix 2.3
9343 and later use smtpd_tls_security_level instead.
9344
9345 smtpd_error_sleep_time (default: 1s)
9346 With Postfix version 2.1 and later: the SMTP server response delay
9347 after a client has made more than $smtpd_soft_error_limit errors, and
9348 fewer than $smtpd_hard_error_limit errors, without delivering mail.
9349
9350 With Postfix version 2.0 and earlier: the SMTP server delay before
9351 sending a reject (4xx or 5xx) response, when the client has made fewer
9352 than $smtpd_soft_error_limit errors without delivering mail.
9353
9354 smtpd_etrn_restrictions (default: empty)
9355 Optional restrictions that the Postfix SMTP server applies in the con‐
9356 text of a client ETRN command. See SMTPD_ACCESS_README, section
9357 "Delayed evaluation of SMTP access restriction lists" for a discussion
9358 of evaluation context and time.
9359
9360 The Postfix ETRN implementation accepts only destinations that are eli‐
9361 gible for the Postfix "fast flush" service. See the ETRN_README file
9362 for details.
9363
9364 Specify a list of restrictions, separated by commas and/or whitespace.
9365 Continue long lines by starting the next line with whitespace.
9366 Restrictions are applied in the order as specified; the first restric‐
9367 tion that matches wins.
9368
9369 The following restrictions are specific to the domain name information
9370 received with the ETRN command.
9371
9372 check_etrn_access type:table
9373 Search the specified access database for the ETRN domain name or
9374 its parent domains. See the access(5) manual page for details.
9375
9376 Other restrictions that are valid in this context:
9377
9378 · Generic restrictions that can be used in any SMTP command con‐
9379 text, described under smtpd_client_restrictions.
9380
9381 · SMTP command specific restrictions described under
9382 smtpd_client_restrictions and smtpd_helo_restrictions.
9383
9384 Example:
9385
9386 smtpd_etrn_restrictions = permit_mynetworks, reject
9387
9388 smtpd_expansion_filter (default: see "postconf -d" output)
9389 What characters are allowed in $name expansions of RBL reply templates.
9390 Characters not in the allowed set are replaced by "_". Use C like
9391 escapes to specify special characters such as whitespace.
9392
9393 The smtpd_expansion_filter value is not subject to Postfix configura‐
9394 tion parameter $name expansion.
9395
9396 This feature is available in Postfix 2.0 and later.
9397
9398 smtpd_forbidden_commands (default: CONNECT GET POST)
9399 List of commands that cause the Postfix SMTP server to immediately ter‐
9400 minate the session with a 221 code. This can be used to disconnect
9401 clients that obviously attempt to abuse the system. In addition to the
9402 commands listed in this parameter, commands that follow the "Label:"
9403 format of message headers will also cause a disconnect.
9404
9405 This feature is available in Postfix 2.2 and later.
9406
9407 smtpd_hard_error_limit (default: normal: 20, overload: 1)
9408 The maximal number of errors a remote SMTP client is allowed to make
9409 without delivering mail. The Postfix SMTP server disconnects when the
9410 limit is exceeded. Normally the default limit is 20, but it changes
9411 under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
9412 always allows up to 20 errors by default.
9413
9414 smtpd_helo_required (default: no)
9415 Require that a remote SMTP client introduces itself with the HELO or
9416 EHLO command before sending the MAIL command or other commands that
9417 require EHLO negotiation.
9418
9419 Example:
9420
9421 smtpd_helo_required = yes
9422
9423 smtpd_helo_restrictions (default: empty)
9424 Optional restrictions that the Postfix SMTP server applies in the con‐
9425 text of a client HELO command. See SMTPD_ACCESS_README, section
9426 "Delayed evaluation of SMTP access restriction lists" for a discussion
9427 of evaluation context and time.
9428
9429 The default is to permit everything.
9430
9431 Note: specify "smtpd_helo_required = yes" to fully enforce this
9432 restriction (without "smtpd_helo_required = yes", a client can simply
9433 skip smtpd_helo_restrictions by not sending HELO or EHLO).
9434
9435 Specify a list of restrictions, separated by commas and/or whitespace.
9436 Continue long lines by starting the next line with whitespace.
9437 Restrictions are applied in the order as specified; the first restric‐
9438 tion that matches wins.
9439
9440 The following restrictions are specific to the hostname information
9441 received with the HELO or EHLO command.
9442
9443 check_helo_access type:table
9444 Search the specified access(5) database for the HELO or EHLO
9445 hostname or parent domains, and execute the corresponding
9446 action. Note: specify "smtpd_helo_required = yes" to fully
9447 enforce this restriction (without "smtpd_helo_required = yes", a
9448 client can simply skip check_helo_access by not sending HELO or
9449 EHLO).
9450
9451 check_helo_a_access type:table
9452 Search the specified access(5) database for the IP addresses for
9453 the HELO or EHLO hostname, and execute the corresponding action.
9454 Note 1: a result of "OK" is not allowed for safety reasons.
9455 Instead, use DUNNO in order to exclude specific hosts from
9456 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9457 fully enforce this restriction (without "smtpd_helo_required =
9458 yes", a client can simply skip check_helo_a_access by not send‐
9459 ing HELO or EHLO). This feature is available in Postfix 3.0 and
9460 later.
9461
9462 check_helo_mx_access type:table
9463 Search the specified access(5) database for the MX hosts for the
9464 HELO or EHLO hostname, and execute the corresponding action.
9465 Note 1: a result of "OK" is not allowed for safety reasons.
9466 Instead, use DUNNO in order to exclude specific hosts from
9467 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9468 fully enforce this restriction (without "smtpd_helo_required =
9469 yes", a client can simply skip check_helo_mx_access by not send‐
9470 ing HELO or EHLO). This feature is available in Postfix 2.1 and
9471 later.
9472
9473 check_helo_ns_access type:table
9474 Search the specified access(5) database for the DNS servers for
9475 the HELO or EHLO hostname, and execute the corresponding action.
9476 Note 1: a result of "OK" is not allowed for safety reasons.
9477 Instead, use DUNNO in order to exclude specific hosts from
9478 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9479 fully enforce this restriction (without "smtpd_helo_required =
9480 yes", a client can simply skip check_helo_ns_access by not send‐
9481 ing HELO or EHLO). This feature is available in Postfix 2.1 and
9482 later.
9483
9484 reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
9486 Reject the request when the HELO or EHLO hostname is malformed.
9487 Note: specify "smtpd_helo_required = yes" to fully enforce this
9488 restriction (without "smtpd_helo_required = yes", a client can
9489 simply skip reject_invalid_helo_hostname by not sending HELO or
9490 EHLO).
9491 The invalid_hostname_reject_code specifies the response code for
9492 rejected requests (default: 501).
9493
9494 reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
9496 Reject the request when the HELO or EHLO hostname is not in
9497 fully-qualified domain or address literal form, as required by
9498 the RFC. Note: specify "smtpd_helo_required = yes" to fully
9499 enforce this restriction (without "smtpd_helo_required = yes", a
9500 client can simply skip reject_non_fqdn_helo_hostname by not
9501 sending HELO or EHLO).
9502 The non_fqdn_reject_code parameter specifies the response code
9503 for rejected requests (default: 504).
9504
9505 reject_rhsbl_helo rbl_domain=d.d.d.d
9506 Reject the request when the HELO or EHLO hostname is listed with
9507 the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
9508 later only). Each "d" is a number, or a pattern inside "[]"
9509 that contains one or more ";"-separated numbers or number..num‐
9510 ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
9511 specified, reject the request when the HELO or EHLO hostname is
9512 listed with any A record under rbl_domain. See the
9513 reject_rbl_client description for additional RBL related config‐
9514 uration parameters. Note: specify "smtpd_helo_required = yes"
9515 to fully enforce this restriction (without "smtpd_helo_required
9516 = yes", a client can simply skip reject_rhsbl_helo by not send‐
9517 ing HELO or EHLO). This feature is available in Postfix 2.0 and
9518 later.
9519
9520 reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
9522 Reject the request when the HELO or EHLO hostname has no DNS A
9523 or MX record.
9524 The reply is specified with the unknown_hostname_reject_code
9525 parameter (default: 450) or unknown_helo_hostname_temp‐
9526 fail_action (default: defer_if_permit). See the respective
9527 parameter descriptions for details.
9528 Note: specify "smtpd_helo_required = yes" to fully enforce this
9529 restriction (without "smtpd_helo_required = yes", a client can
9530 simply skip reject_unknown_helo_hostname by not sending HELO or
9531 EHLO).
9532
9533 Other restrictions that are valid in this context:
9534
9535 · Generic restrictions that can be used in any SMTP command con‐
9536 text, described under smtpd_client_restrictions.
9537
9538 · Client hostname or network address specific restrictions
9539 described under smtpd_client_restrictions.
9540
9541 · SMTP command specific restrictions described under
9542 smtpd_sender_restrictions or smtpd_recipient_restrictions. When
9543 sender or recipient restrictions are listed under
9544 smtpd_helo_restrictions, they have effect only with
9545 "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is
9546 evaluated at the time of the RCPT TO command.
9547
9548 Examples:
9549
9550 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
9551 smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
9552
9553 smtpd_history_flush_threshold (default: 100)
9554 The maximal number of lines in the Postfix SMTP server command history
9555 before it is flushed upon receipt of EHLO, RSET, or end of DATA.
9556
9557 smtpd_junk_command_limit (default: normal: 100, overload: 1)
9558 The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
9559 SMTP client can send before the Postfix SMTP server starts to increment
9560 the error counter with each junk command. The junk command count is
9561 reset after mail is delivered. See also the smtpd_error_sleep_time and
9562 smtpd_soft_error_limit configuration parameters. Normally the default
9563 limit is 100, but it changes under overload to just 1. With Postfix 2.5
9564 and earlier, the SMTP server always allows up to 100 junk commands by
9565 default.
9566
9567 smtpd_log_access_permit_actions (default: empty)
9568 Enable logging of the named "permit" actions in SMTP server access
9569 lists (by default, the SMTP server logs "reject" actions but not "per‐
9570 mit" actions). This feature does not affect conditional actions such
9571 as "defer_if_permit".
9572
9573 Specify a list of "permit" action names, "/file/name" or "type:table"
9574 patterns, separated by commas and/or whitespace. The list is matched
9575 left to right, and the search stops on the first match. A "/file/name"
9576 pattern is replaced by its contents; a "type:table" lookup table is
9577 matched when a name matches a lookup key (the lookup result is
9578 ignored). Continue long lines by starting the next line with white‐
9579 space. Specify "!pattern" to exclude a name from the list.
9580
9581 Examples:
9582
9583 /etc/postfix/main.cf:
9584 # Log all "permit" actions.
9585 smtpd_log_access_permit_actions = static:all
9586
9587 /etc/postfix/main.cf:
9588 # Log "permit_dnswl_client" only.
9589 smtpd_log_access_permit_actions = permit_dnswl_client
9590
9591 This feature is available in Postfix 2.10 and later.
9592
9593 smtpd_milter_maps (default: empty)
9594 Lookup tables with Milter settings per remote SMTP client IP address.
9595 The lookup result overrides the smtpd_milters setting, and has the same
9596 syntax.
9597
9598 Note: lookup tables cannot return empty responses. Specify a lookup
9599 result of DISABLE (case does not matter) to indicate that Milter sup‐
9600 port should be disabled.
9601
9602 Example to disable Milters for local clients:
9603
9604 /etc/postfix/main.cf:
9605 smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
9606 smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
9607
9608 /etc/postfix/smtpd_milter_map:
9609 # Disable Milters for local clients.
9610 127.0.0.0/8 DISABLE
9611 192.168.0.0/16 DISABLE
9612 ::/64 DISABLE
9613 2001:db8::/32 DISABLE
9614
9615 This feature is available in Postfix 3.2 and later.
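Because a cidr: table is searched top to bottom and the first match wins, the order of the entries decides which clients get which Milters; a narrower network listed after a wider one that contains it is dead configuration. The following added example (not Postfix code) performs the smtpd_milter_maps lookup in Python over the man page's table plus two constructed entries, and flags such shadowed entries. The Milter endpoints (inet:127.0.0.1:8891 and :8893) are hypothetical, and the result is only split on whitespace and commas, so the brace grouping syntax of smtpd_milters is not interpreted.

```python
"""cidr: lookup for smtpd_milter_maps: added example, not Postfix source code.
The table is searched top to bottom and the first matching network wins;
DISABLE turns Milters off for that client, any other result replaces the
smtpd_milters value for that session.  The table text and the Milter
endpoints are constructed for the demonstration.
"""
import ipaddress

SMTPD_MILTER_MAP = """
# Disable Milters for local clients.
127.0.0.0/8      DISABLE
192.168.0.0/16   DISABLE
# Never reached: 192.168.1.0/24 lies inside the /16 listed above.
192.168.1.0/24   inet:127.0.0.1:8893
10.0.0.0/8       inet:127.0.0.1:8893
::/64            DISABLE
2001:db8::/32    DISABLE
"""
SMTPD_MILTERS = ["inet:127.0.0.1:8891"]   # assumed main.cf value


def parse_cidr_table(text):
    """Return [(network, result)] in file order, comments and blanks dropped."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, result = line.split(None, 1)
        table.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return table


TABLE = parse_cidr_table(SMTPD_MILTER_MAP)


def lookup_cidr(table, client_addr):
    """First entry of the same address family that contains the client wins."""
    addr = ipaddress.ip_address(client_addr)
    for net, result in table:
        if addr.version == net.version and addr in net:
            return result
    return None


def milters_for_client(client_addr, table=TABLE, default=SMTPD_MILTERS):
    result = lookup_cidr(table, client_addr)
    if result is None:
        return list(default)                  # no entry: smtpd_milters applies
    if result.upper() == "DISABLE":           # case does not matter
        return []
    return result.replace(",", " ").split()   # lookup result overrides smtpd_milters


def shadowed_entries(table):
    """Entries that can never match because an earlier, wider entry covers them."""
    shadowed = []
    for i, (net, _) in enumerate(table):
        for earlier, _ in table[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                shadowed.append(str(net))
                break
    return shadowed
```

Note that ::/64 covers the IPv6 loopback address ::1, which is why the man page's table needs no separate ::1 entry, and that the IPv4 entries never match IPv6 clients: the lookup compares address families before checking containment.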
9616
9617 smtpd_milters (default: empty)
9618 A list of Milter (mail filter) applications for new mail that arrives
9619 via the Postfix smtpd(8) server. Specify space or comma as separator.
9620 See the MILTER_README document for details.
9621
9622 This feature is available in Postfix 2.3 and later.
9623
9624 smtpd_noop_commands (default: empty)
9625 List of commands that the Postfix SMTP server replies to with "250 Ok",
9626 without doing any syntax checks and without changing state. This list
9627 overrides any commands built into the Postfix SMTP server.
9628
9629 smtpd_null_access_lookup_key (default: <>)
9630 The lookup key to be used in SMTP access(5) tables instead of the null
9631 sender address.
9632
9633 smtpd_peername_lookup (default: yes)
9634 Attempt to look up the remote SMTP client hostname, and verify that the
9635 name matches the client IP address. A client name is set to "unknown"
9636 when it cannot be looked up or verified, or when name lookup is dis‐
9637 abled. Turning off name lookup reduces delays due to DNS lookup and
9638 increases the maximal inbound delivery rate.
9639
9640 This feature is available in Postfix 2.3 and later.
9641
9642 smtpd_per_record_deadline (default: normal: no, overload: yes)
9643 Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
9644 time limits, from a time limit per read or write system call, to a time
9645 limit to send or receive a complete record (an SMTP command line, SMTP
9646 response line, SMTP message content line, or TLS protocol message).
9647 This limits the impact from hostile peers that trickle data one byte at
9648 a time.
9649
9650 Note: when per-record deadlines are enabled, a short timeout may cause
9651 problems with TLS over very slow network connections. The reasons are
9652 that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
9653 and that an entire TLS protocol message must be sent or received within
9654 the per-record deadline.
9655
9656 This feature is available in Postfix 2.9 and later. With older Postfix
9657 releases, the behavior is as if this parameter is set to "no".
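The difference between a per-read timeout and a per-record deadline is what decides whether a peer that trickles one byte per read can hold an smtpd(8) process indefinitely. The following added example (not Postfix code) replaces sockets with a simulated clock so the comparison is deterministic: the client's bytes arrive at constructed timestamps, and the same input is read once with the timer restarting at every read and once with a single deadline for the whole record. The 300 second timeout and the 250 second trickle interval are constructed values.

```python
"""Per-read timeout versus per-record deadline: added example, not Postfix
source code.  A simulated clock replaces real sockets so the trickle
attack is deterministic.  `chunks` is a list of (arrival_time, bytes) for
one client; the record is complete when it ends in CRLF.
"""


def read_record(chunks, timeout, per_record, start=0.0):
    """Return ("ok", record), ("timeout", partial) or ("eof", partial).

    per_record=False: every read must return within `timeout` seconds of the
    previous one, so the timer restarts on each byte (the pre-2.9 behaviour).
    per_record=True:  the whole record must arrive within `timeout` seconds
    of the moment the server started waiting for it (smtpd_per_record_deadline).
    """
    buf = b""
    last = start
    for arrival, data in chunks:
        waited = arrival - (start if per_record else last)
        if waited > timeout:
            return ("timeout", buf)
        buf += data
        last = arrival
        if buf.endswith(b"\r\n"):
            return ("ok", buf)
    return ("eof", buf)


def trickle(command, interval):
    """Constructed hostile client: one byte every `interval` seconds."""
    return [(i * interval, bytes([b])) for i, b in enumerate(command)]


def worst_case_hold_time(record_len, timeout, per_record):
    """Longest time one record can keep the server busy before a timeout fires."""
    return timeout if per_record else record_len * timeout


if __name__ == "__main__":
    cmd = b"EHLO attacker.example\r\n"
    hostile = trickle(cmd, 250.0)
    print(read_record(hostile, 300.0, per_record=False))   # ("ok", ...) after 5500 s
    print(read_record(hostile, 300.0, per_record=True))    # ("timeout", b"EH")
```

The caveat the man page attaches still holds for the simulation: a TLS record of up to 16 kbytes is one "record" here, so on a genuinely slow link the deadline must be long enough for the whole TLS message, not just for one SMTP line.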
9658
9659 smtpd_policy_service_default_action (default: 451 4.3.5 Server configuration
9660 problem)
9661 The default action when an SMTPD policy service request fails. Specify
9662 "DUNNO" to behave as if the failed SMTPD policy service request was
9663 not sent, and to continue processing other access restrictions, if any.
9664
9665 Limitations:
9666
9667 · This parameter may specify any value that would be a valid SMTPD
9668 policy server response (or access(5) map lookup result). An
9669 access(5) map or policy server in this parameter value may need
9670 to be declared in advance with a restriction_class setting.
9671
9672 · If the specified action invokes another check_policy_service
9673 request, that request will have the built-in default action.
9674
9675 This feature is available in Postfix 3.0 and later.
9676
9677 smtpd_policy_service_max_idle (default: 300s)
9678 The time after which an idle SMTPD policy service connection is closed.
9679
9680 This feature is available in Postfix 2.1 and later.
9681
9682 smtpd_policy_service_max_ttl (default: 1000s)
9683 The time after which an active SMTPD policy service connection is
9684 closed.
9685
9686 This feature is available in Postfix 2.1 and later.
9687
9688 smtpd_policy_service_policy_context (default: empty)
9689 Optional information that the Postfix SMTP server specifies in the
9690 "policy_context" attribute of a policy service request (originally, to
9691 share the same service endpoint among multiple check_policy_service
9692 clients).
9693
9694 This feature is available in Postfix 3.1 and later.
9695
9696 smtpd_policy_service_request_limit (default: 0)
9697 The maximal number of requests per SMTPD policy service connection, or
9698 zero (no limit). Once a connection reaches this limit, the connection
9699 is closed and the next request will be sent over a new connection. This
9700 is a workaround to avoid error-recovery delays with policy servers that
9701 cannot maintain a persistent connection.
9702
9703 This feature is available in Postfix 3.0 and later.
9704
9705 smtpd_policy_service_retry_delay (default: 1s)
9706 The delay between attempts to resend a failed SMTPD policy service
9707 request. Specify a value greater than zero.
9708
9709 This feature is available in Postfix 3.0 and later.
9710
9711 smtpd_policy_service_timeout (default: 100s)
9712 The time limit for connecting to, writing to, or receiving from a dele‐
9713 gated SMTPD policy server.
9714
9715 This feature is available in Postfix 2.1 and later.
9716
9717 smtpd_policy_service_try_limit (default: 2)
9718 The maximal number of attempts to send an SMTPD policy service request
9719 before giving up. Specify a value greater than zero.
9720
9721 This feature is available in Postfix 3.0 and later.
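The policy service parameters described above (smtpd_policy_service_default_action, smtpd_policy_service_policy_context, smtpd_policy_service_retry_delay and smtpd_policy_service_try_limit) all act on one exchange: smtpd(8) sends "name=value" attribute lines terminated by an empty line, and the policy server answers with "action=<access(5) result>" followed by an empty line. The following added example (not Postfix code, not a real policy daemon) implements both sides of that exchange in Python over an in-memory transport, so it runs offline. The policy rules, the blocked sender domain, the "bounces-only" policy_context value and the failure-injecting transport are constructed; the retry delay is represented by a comment rather than an actual sleep.

```python
"""Policy delegation protocol and smtpd_policy_service_* failure handling:
added example, not Postfix source code.  Request: "name=value" lines ending
with an empty line; reply: "action=<access(5) result>" then an empty line.
The client side makes try_limit attempts and then falls back to
smtpd_policy_service_default_action.
"""

DEFAULT_ACTION = "451 4.3.5 Server configuration problem"   # Postfix default
BLOCKED_SENDER_DOMAINS = {"spam.example"}                   # constructed


def encode_request(attrs):
    """smtpd side: one name=value line per attribute, then an empty line."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()).encode() + b"\n"


def encode_reply(action):
    """Policy server side: a single action attribute, then an empty line."""
    return f"action={action}\n\n".encode()


def parse_attrs(blob):
    """Used by both sides: read name=value lines up to the empty terminator."""
    attrs = {}
    for line in blob.decode().split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_server(request_blob):
    """Minimal policy server: returns the encoded reply for one request.
    policy_context (smtpd_policy_service_policy_context) selects a profile."""
    a = parse_attrs(request_blob)
    if a.get("request") != "smtpd_access_policy" or a.get("protocol_state") != "RCPT":
        return encode_reply("DUNNO")
    sender = a.get("sender", "")
    if sender.rpartition("@")[2].lower() in BLOCKED_SENDER_DOMAINS:
        return encode_reply("REJECT Sender domain is blocked")
    if a.get("policy_context") == "bounces-only" and sender != "":
        return encode_reply("REJECT Only bounces are accepted here")
    return encode_reply("DUNNO")


class FlakyTransport:
    """Constructed transport that fails the first `failures` requests."""

    def __init__(self, failures):
        self.failures, self.calls = failures, 0

    def __call__(self, request_blob):
        self.calls += 1
        if self.calls <= self.failures:
            raise ConnectionError("policy server unreachable")
        return policy_server(request_blob)


def check_policy_service(transport, attrs, try_limit=2, default_action=DEFAULT_ACTION):
    """smtpd side of check_policy_service: try_limit attempts, then the
    configured default action (DUNNO makes a dead policy server fail open)."""
    for _attempt in range(try_limit):
        try:
            return parse_attrs(transport(encode_request(attrs)))["action"]
        except (OSError, KeyError):
            continue   # smtpd_policy_service_retry_delay would be waited here
    return default_action
```

The last branch is the security-relevant one: with the default action left at 451 a dead policy server tempfails mail (fail closed), whereas "smtpd_policy_service_default_action = DUNNO" skips the check and continues with the remaining restrictions (fail open), which is only acceptable when the rest of the list still enforces the relay policy.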
9722
9723 smtpd_proxy_ehlo (default: $myhostname)
9724 How the Postfix SMTP server announces itself to the proxy filter. By
9725 default, the Postfix hostname is used.
9726
9727 This feature is available in Postfix 2.1 and later.
9728
9729 smtpd_proxy_filter (default: empty)
9730 The hostname and TCP port of the mail filtering proxy server. The
9731 proxy receives all mail from the Postfix SMTP server, and is supposed
9732 to give the result to another Postfix SMTP server process.
9733
9734 Specify "host:port" or "inet:host:port" for a TCP endpoint, or
9735 "unix:pathname" for a UNIX-domain endpoint. The host can be specified
9736 as an IP address or as a symbolic name; no MX lookups are done. When
9737 no "host" or "host:" are specified, the local machine is assumed.
9738 Pathname interpretation is relative to the Postfix queue directory.
9739
9740 This feature is available in Postfix 2.1 and later.
9741
9742 The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
9743 later.
9744
9745 smtpd_proxy_options (default: empty)
9746 List of options that control how the Postfix SMTP server communicates
9747 with a before-queue content filter. Specify zero or more of the follow‐
9748 ing, separated by comma or whitespace.
9749
9750 speed_adjust
9751 Do not connect to a before-queue content filter until an entire
9752 message has been received. This reduces the number of simultane‐
9753 ous before-queue content filter processes.
9754
9755 NOTE 1: A filter must not selectively reject recipients of a
9756 multi-recipient message. Rejecting all recipients is OK, as is accept‐
9757 ing all recipients.
9758
9759 NOTE 2: This feature increases the minimum amount of free queue space
9760 by $message_size_limit. The extra space is needed to save the message
9761 to a temporary file.
9762
9763 This feature is available in Postfix 2.7 and later.
9764
9765 smtpd_proxy_timeout (default: 100s)
9766 The time limit for connecting to a proxy filter and for sending or
9767 receiving information. When a connection fails the client gets a
9768 generic error message while more detailed information is logged to the
9769 maillog file.
9770
9771 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
9772 The default time unit is s (seconds).
9773
9774 This feature is available in Postfix 2.1 and later.
9775
9776 smtpd_recipient_limit (default: 1000)
9777 The maximal number of recipients that the Postfix SMTP server accepts
9778 per message delivery request.
9779
9780 smtpd_recipient_overshoot_limit (default: 1000)
9781 The number of recipients that a remote SMTP client can send in excess
9782 of the limit specified with $smtpd_recipient_limit, before the Postfix
9783 SMTP server increments the per-session error count for each excess
9784 recipient.
9785
9786 smtpd_recipient_restrictions (default: empty)
9787 Optional restrictions that the Postfix SMTP server applies in the con‐
9788 text of a client RCPT TO command, after smtpd_relay_restrictions. See
9789 SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
9790 restriction lists" for a discussion of evaluation context and time.
9791
9792 With Postfix versions before 2.10, the rules for relay permission and
9793 spam blocking were combined under smtpd_recipient_restrictions, result‐
9794 ing in error-prone configuration. As of Postfix 2.10, relay permission
9795 rules are preferably implemented with smtpd_relay_restrictions, so that
9796 a permissive spam blocking policy under smtpd_recipient_restrictions
9797 will no longer result in a permissive mail relay policy.
9798
9799 For backwards compatibility, sites that migrate from Postfix versions
9800 before 2.10 can set smtpd_relay_restrictions to the empty value, and
9801 use smtpd_recipient_restrictions exactly as before.
9802
9803 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
9804 ent_restrictions parameter must specify at least one of the following
9805 restrictions. Otherwise Postfix will refuse to receive mail:
9806
9807 reject, reject_unauth_destination
9808
9809 defer, defer_if_permit, defer_unauth_destination
9810
9811 Specify a list of restrictions, separated by commas and/or whitespace.
9812 Continue long lines by starting the next line with whitespace.
9813 Restrictions are applied in the order as specified; the first restric‐
9814 tion that matches wins.
9815
9816 The following restrictions are specific to the recipient address that
9817 is received with the RCPT TO command.
9818
9819 check_recipient_access type:table
9820 Search the specified access(5) database for the resolved RCPT TO
9821 address, domain, parent domains, or localpart@, and execute the
9822 corresponding action.
9823
9824 check_recipient_a_access type:table
9825 Search the specified access(5) database for the IP addresses for
9826 the RCPT TO domain, and execute the corresponding action. Note:
9827 a result of "OK" is not allowed for safety reasons. Instead, use
9828 DUNNO in order to exclude specific hosts from blacklists. This
9829 feature is available in Postfix 3.0 and later.
9830
9831 check_recipient_mx_access type:table
9832 Search the specified access(5) database for the MX hosts for the
9833 RCPT TO domain, and execute the corresponding action. Note: a
9834 result of "OK" is not allowed for safety reasons. Instead, use
9835 DUNNO in order to exclude specific hosts from blacklists. This
9836 feature is available in Postfix 2.1 and later.
9837
9838 check_recipient_ns_access type:table
9839 Search the specified access(5) database for the DNS servers for
9840 the RCPT TO domain, and execute the corresponding action. Note:
9841 a result of "OK" is not allowed for safety reasons. Instead, use
9842 DUNNO in order to exclude specific hosts from blacklists. This
9843 feature is available in Postfix 2.1 and later.
9844
9845 permit_auth_destination
9846 Permit the request when one of the following is true:
9847
9848 · Postfix is mail forwarder: the resolved RCPT TO domain matches
9849 $relay_domains or a subdomain thereof, and the address contains
9850 no sender-specified routing (user@elsewhere@domain),
9851
9852 · Postfix is the final destination: the resolved RCPT TO domain
9853 matches $mydestination, $inet_interfaces, $proxy_interfaces,
9854 $virtual_alias_domains, or $virtual_mailbox_domains, and the
9855 address contains no sender-specified routing (user@else‐
9856 where@domain).
9857
9858 permit_mx_backup
9859 Permit the request when the local mail system is backup MX for
9860 the RCPT TO domain, or when the domain is an authorized destina‐
9861 tion (see permit_auth_destination for definition).
9862
9863 · Safety: permit_mx_backup does not accept addresses that have
9864 sender-specified routing information (example: user@else‐
9865 where@domain).
9866
9867 · Safety: permit_mx_backup can be vulnerable to mis-use when
9868 access is not restricted with permit_mx_backup_networks.
9869
9870 · Safety: as of Postfix version 2.3, permit_mx_backup no longer
9871 accepts the address when the local mail system is primary MX for
9872 the recipient domain. Exception: permit_mx_backup accepts the
9873 address when it specifies an authorized destination (see per‐
9874 mit_auth_destination for definition).
9875
9876 · Limitation: mail may be rejected in case of a temporary DNS
9877 lookup problem with Postfix prior to version 2.0.
9878
9879 reject_non_fqdn_recipient
9880 Reject the request when the RCPT TO address specifies a domain
9881 that is not in fully-qualified domain form, as required by the
9882 RFC.
9883 The non_fqdn_reject_code parameter specifies the response code
9884 for rejected requests (default: 504).
9885
9886 reject_rhsbl_recipient rbl_domain=d.d.d.d
9887 Reject the request when the RCPT TO domain is listed with the A
9888 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
9889 only). Each "d" is a number, or a pattern inside "[]" that con‐
9890 tains one or more ";"-separated numbers or number..number ranges
9891 (Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
9892 reject the request when the RCPT TO domain is listed with any A
9893 record under rbl_domain.
9894 The maps_rbl_reject_code parameter specifies the response code
9895 for rejected requests (default: 554); the default_rbl_reply
9896 parameter specifies the default server reply; and the
9897 rbl_reply_maps parameter specifies tables with server replies
9898 indexed by rbl_domain. This feature is available in Postfix
9899 version 2.0 and later.
9900
9901 reject_unauth_destination
9902 Reject the request unless one of the following is true:
9903
9904 · Postfix is mail forwarder: the resolved RCPT TO domain matches
9905 $relay_domains or a subdomain thereof, and contains no
9906 sender-specified routing (user@elsewhere@domain),
9907
9908 · Postfix is the final destination: the resolved RCPT TO domain
9909 matches $mydestination, $inet_interfaces, $proxy_interfaces,
9910 $virtual_alias_domains, or $virtual_mailbox_domains, and con‐
9911 tains no sender-specified routing (user@elsewhere@domain).
9912 The relay_domains_reject_code parameter specifies the response
9913 code for rejected requests (default: 554).
9914
9915 defer_unauth_destination
9916 Reject the same requests as reject_unauth_destination, with a
9917 non-permanent error code. This feature is available in Postfix
9918 2.10 and later.
9919
9920 reject_unknown_recipient_domain
9921 Reject the request when Postfix is not final destination for the
9922 recipient domain, and the RCPT TO domain has 1) no DNS MX and no
9923 DNS A record or 2) a malformed MX record such as a record with a
9924 zero-length MX hostname (Postfix version 2.3 and later).
9925 The reply is specified with the unknown_address_reject_code
9926 parameter (default: 450), unknown_address_tempfail_action
9927 (default: defer_if_permit), or 556 (nullmx, Postfix 3.0 and
9928 later). See the respective parameter descriptions for details.
9929
9930 reject_unlisted_recipient (with Postfix version 2.0: check_recipi‐
9931 ent_maps)
9932 Reject the request when the RCPT TO address is not listed in the
9933 list of valid recipients for its domain class. See the
9934 smtpd_reject_unlisted_recipient parameter description for
9935 details. This feature is available in Postfix 2.1 and later.
9936
9937 reject_unverified_recipient
9938 Reject the request when mail to the RCPT TO address is known to
9939 bounce, or when the recipient address destination is not reach‐
9940 able. Address verification information is managed by the ver‐
9941 ify(8) server; see the ADDRESS_VERIFICATION_README file for
9942 details.
9943 The unverified_recipient_reject_code parameter specifies the
9944 numerical response code when an address is known to bounce
9945 (default: 450, change into 550 when you are confident that it is
9946 safe to do so).
9947 The unverified_recipient_defer_code parameter specifies the
9948 numerical response code when an address probe failed due to a
9949 temporary problem (default: 450).
9950 The unverified_recipient_tempfail_action parameter specifies the
9951 action after address probe failure due to a temporary problem
9952 (default: defer_if_permit).
9953 This feature breaks for aliased addresses with "enable_origi‐
9954 nal_recipient = no" (Postfix <= 3.2).
9955 This feature is available in Postfix 2.1 and later.
9956
9957 Other restrictions that are valid in this context:
9958
9959 · Generic restrictions that can be used in any SMTP command con‐
9960 text, described under smtpd_client_restrictions.
9961
9962 · SMTP command specific restrictions described under
9963 smtpd_client_restrictions, smtpd_helo_restrictions and
9964 smtpd_sender_restrictions.
9965
9966 Example:
9967
9968 # The Postfix before 2.10 default mail relay policy. Later Postfix
9969 # versions implement this preferably with smtpd_relay_restrictions.
9970 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
9971
9972 smtpd_reject_footer
9973 Optional information that is appended after each Postfix SMTP server
9974 4XX or 5XX response.
9975
9976 The following example uses "\c" at the start of the template (supported
9977 in Postfix 2.10 and later) to suppress the line break between the reply
9978 text and the footer text. With earlier Postfix versions, the footer
9979 text always begins on a new line, and the "\c" is output literally.
9980
9981 /etc/postfix/main.cf:
9982 smtpd_reject_footer = \c. For assistance, call 800-555-0101.
9983 Please provide the following information in your problem report:
9984 time ($localtime), client ($client_address) and server
9985 ($server_name).
9986
9987 Server response:
9988
9989 550-5.5.1 <user@example> Recipient address rejected: User
9990 unknown. For assistance, call 800-555-0101. Please provide the
9991 following information in your problem report: time (Jan 4 15:42:00),
9992 client (192.168.1.248) and server (mail1.example.com).
9993
9994 Note: the above text is meant to make it easier to find the Postfix
9995 logfile records for a failed SMTP session. The text itself is not
9996 logged to the Postfix SMTP server's maillog file.
9997
9998 Be sure to keep the text as short as possible. Long text may be trun‐
9999 cated before it is logged to the remote SMTP client's maillog file, or
10000 before it is returned to the sender in a delivery status notification.
10001
10002 The template text is not subject to Postfix configuration parameter
10003 $name expansion. Instead, this feature supports a limited number of
10004 $name attributes in the footer text. These attributes are replaced with
10005 their current value for the SMTP session.
10006
10007 Note: specify $$name in footer text that is looked up from regexp: or
10008 pcre:-based smtpd_reject_footer_maps, otherwise the Postfix server will
10009 not use the footer text and will log a warning instead.
10010
10011 client_address
10012 The Client IP address that is logged in the maillog file.
10013
10014 client_port
10015 The client TCP port that is logged in the maillog file.
10016
10017 localtime
10018 The server local time (Mmm dd hh:mm:ss) that is logged in the
10019 maillog file.
10020
10021 server_name
10022 The server's myhostname value. This attribute is made available
10023 for sites with multiple MTAs (perhaps behind a load-balancer),
10024 where the server name can help the server support team to
10025 quickly find the right log files.
10026
10027 Notes:
10028
10029 · NOT SUPPORTED are other attributes such as sender, recipient, or
10030 main.cf parameters.
10031
10032 · For safety reasons, text that does not match $smtpd_expan‐
10033 sion_filter is censored.
10034
10035 This feature supports the two-character sequence \n as a request for a
10036 line break in the footer text. Postfix automatically inserts after each
10037 line break the three-digit SMTP reply code (and optional enhanced sta‐
10038 tus code) from the original Postfix reject message.
10039
10040 To work around mail software that mis-handles multi-line replies, spec‐
10041 ify the two-character sequence \c at the start of the template. This
10042 suppresses the line break between the reply text and the footer text
10043 (Postfix 2.10 and later).
10044
10045 This feature is available in Postfix 2.8 and later.
10046
10047 smtpd_reject_footer_maps
10048 Lookup tables, indexed by the complete Postfix SMTP server 4xx or 5xx
10049 response, with reject footer templates. See smtpd_reject_footer for
10050 details.
10051
10052 Specify zero or more "type:name" lookup tables, separated by whitespace
10053 or comma. Tables will be searched in the specified order until a match
10054 is found.
10055
10056 This feature is available in Postfix 3.4 and later.
10057
10058 smtpd_reject_unlisted_recipient
10059 Request that the Postfix SMTP server rejects mail for unknown recipient
10060 addresses, even when no explicit reject_unlisted_recipient access
10061 restriction is specified. This prevents the Postfix queue from filling
10062 up with undeliverable MAILER-DAEMON messages.
10063
10064 An address is always considered "known" when it matches a virtual(5)
10065 alias or a canonical(5) mapping.
10066
10067 · The recipient domain matches $mydestination, $inet_interfaces or
10068 $proxy_interfaces, but the recipient is not listed in
10069 $local_recipient_maps, and $local_recipient_maps is not null.
10070
10071 · The recipient domain matches $virtual_alias_domains but the
10072 recipient is not listed in $virtual_alias_maps.
10073
10074 · The recipient domain matches $virtual_mailbox_domains but the
10075 recipient is not listed in $virtual_mailbox_maps, and $vir‐
10076 tual_mailbox_maps is not null.
10077
10078 · The recipient domain matches $relay_domains but the recipient is
10079 not listed in $relay_recipient_maps, and $relay_recipient_maps
10080 is not null.
10081
10082 This feature is available in Postfix 2.1 and later.
10083
10084 smtpd_reject_unlisted_sender
10085 Request that the Postfix SMTP server rejects mail from unknown sender
10086 addresses, even when no explicit reject_unlisted_sender access restric‐
10087 tion is specified. This can slow down an explosion of forged mail from
10088 worms or viruses.
10089
10090 An address is always considered "known" when it matches a virtual(5)
10091 alias or a canonical(5) mapping.
10092
10093 · The sender domain matches $mydestination, $inet_interfaces or
10094 $proxy_interfaces, but the sender is not listed in $local_recip‐
10095 ient_maps, and $local_recipient_maps is not null.
10096
10097 · The sender domain matches $virtual_alias_domains but the sender
10098 is not listed in $virtual_alias_maps.
10099
10100 · The sender domain matches $virtual_mailbox_domains but the
10101 sender is not listed in $virtual_mailbox_maps, and $vir‐
10102 tual_mailbox_maps is not null.
10103
10104 · The sender domain matches $relay_domains but the sender is not
10105 listed in $relay_recipient_maps, and $relay_recipient_maps is
10106 not null.
10107
10108 This feature is available in Postfix 2.1 and later.
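
The same four domain-class rules apply to both smtpd_reject_unlisted_recipient and smtpd_reject_unlisted_sender, and the subtle part is the "is not null" clause: an empty map parameter disables the check for that class, whereas a configured map that merely lacks the address rejects it. The following Python model is an added example rather than Postfix's own code; it applies the rules above to constructed in-memory tables. The AddressClasses fields stand in for the main.cf parameters, and lookups are exact-match only (Postfix's virtual(5) and canonical(5) lookups also try partial keys).

```python
"""Model of the smtpd_reject_unlisted_recipient / smtpd_reject_unlisted_sender
rules from postconf(5).  Added example, not Postfix code: table lookups are
exact-match only, and the AddressClasses fields are stand-ins for main.cf."""

from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class AddressClasses:
    """Constructed stand-in for the main.cf domain lists and lookup tables.
    None models a null (empty) main.cf map parameter, which disables that
    class's "unlisted" check; an empty set models a non-null table that
    happens to list nobody."""
    mydestination: Set[str] = field(default_factory=set)   # plus $inet_interfaces, $proxy_interfaces
    local_recipient_maps: Optional[Set[str]] = None
    virtual_alias_domains: Set[str] = field(default_factory=set)
    virtual_alias_maps: Set[str] = field(default_factory=set)
    virtual_mailbox_domains: Set[str] = field(default_factory=set)
    virtual_mailbox_maps: Optional[Set[str]] = None
    relay_domains: Set[str] = field(default_factory=set)
    relay_recipient_maps: Optional[Set[str]] = None
    canonical_maps: Set[str] = field(default_factory=set)


def is_unlisted(address: str, cfg: AddressClasses) -> bool:
    """True when the address would be rejected as unlisted.  The same rules
    apply to RCPT TO (smtpd_reject_unlisted_recipient) and to MAIL FROM
    (smtpd_reject_unlisted_sender)."""
    addr = address.lower()
    if "@" not in addr:
        return False                      # no domain part: no domain class can match
    domain = addr.rsplit("@", 1)[1]

    # Always "known": the address matches a virtual(5) alias or canonical(5) mapping.
    if addr in cfg.virtual_alias_maps or addr in cfg.canonical_maps:
        return False

    if domain in cfg.mydestination:
        return cfg.local_recipient_maps is not None and addr not in cfg.local_recipient_maps
    if domain in cfg.virtual_alias_domains:
        return True                       # the alias lookup above already failed
    if domain in cfg.virtual_mailbox_domains:
        return cfg.virtual_mailbox_maps is not None and addr not in cfg.virtual_mailbox_maps
    if domain in cfg.relay_domains:
        return cfg.relay_recipient_maps is not None and addr not in cfg.relay_recipient_maps
    return False                          # not one of this server's address classes


# Constructed configuration: a local domain with a recipient map, a virtual
# mailbox domain whose map is null, and a relay domain with a recipient map.
EXAMPLE_CFG = AddressClasses(
    mydestination={"example.com"},
    local_recipient_maps={"alice@example.com", "bob@example.com"},
    virtual_mailbox_domains={"vmail.example"},
    virtual_mailbox_maps=None,
    virtual_alias_maps={"postmaster@vmail.example"},
    relay_domains={"relay.example"},
    relay_recipient_maps={"carol@relay.example"},
)


def classify(addresses, cfg: AddressClasses = EXAMPLE_CFG) -> dict:
    """Map each address to "reject" (unlisted) or "accept" (known, or not checked)."""
    return {a: ("reject" if is_unlisted(a, cfg) else "accept") for a in addresses}


if __name__ == "__main__":
    for addr, verdict in classify([
        "alice@example.com", "nobody@example.com", "anyone@vmail.example",
        "postmaster@vmail.example", "carol@relay.example", "eve@relay.example",
        "x@other.example",
    ]).items():
        print(f"{verdict:7} {addr}")
```

Note that anyone@vmail.example is accepted only because virtual_mailbox_maps is null in the constructed configuration; giving that class a real map, even an empty one, turns the verdict into a rejection.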
10109
10110 smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenti‐
10111 cated, defer_unauth_destination)
10112 Access restrictions for mail relay control that the Postfix SMTP server
10113 applies in the context of the RCPT TO command, before smtpd_recipi‐
10114 ent_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation
10115 of SMTP access restriction lists" for a discussion of evaluation con‐
10116 text and time.
10117
10118 With Postfix versions before 2.10, the rules for relay permission and
10119 spam blocking were combined under smtpd_recipient_restrictions, result‐
10120 ing in error-prone configuration. As of Postfix 2.10, relay permission
10121 rules are preferably implemented with smtpd_relay_restrictions, so that
10122 a permissive spam blocking policy under smtpd_recipient_restrictions
10123 will no longer result in a permissive mail relay policy.
10124
10125 For backwards compatibility, sites that migrate from Postfix versions
10126 before 2.10 can set smtpd_relay_restrictions to the empty value, and
10127 use smtpd_recipient_restrictions exactly as before.
10128
10129 By default, the Postfix SMTP server accepts:
10130
10131 · Mail from clients whose IP address matches $mynetworks, or:
10132
10133 · Mail to remote destinations that match $relay_domains, except
10134 for addresses that contain sender-specified routing (user@else‐
10135 where@domain), or:
10136
10137 · Mail to local destinations that match $inet_interfaces or
10138 $proxy_interfaces, $mydestination, $virtual_alias_domains, or
10139 $virtual_mailbox_domains.
10140
10141 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
10142 ent_restrictions parameter must specify at least one of the following
10143 restrictions. Otherwise Postfix will refuse to receive mail:
10144
10145 reject, reject_unauth_destination
10146
10147 defer, defer_if_permit, defer_unauth_destination
10148
10149 Specify a list of restrictions, separated by commas and/or whitespace.
10150 Continue long lines by starting the next line with whitespace. The
10151 same restrictions are available as documented under smtpd_recipi‐
10152 ent_restrictions.
10153
10154 This feature is available in Postfix 2.10 and later.
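
A quick way to check the IMPORTANT rule above against a real main.cf, and to spot the pre-2.10 layout where relay control still lives only under smtpd_recipient_restrictions, is to parse the file with the logical-line rules from the top of this manual and look for the required restrictions. The script below is an added example, not part of Postfix: the main.cf fragments are constructed, the Postfix 2.10+ built-in default of smtpd_relay_restrictions is hard-coded, and following a token into a smtpd_restriction_classes alias is this example's choice rather than something the text above specifies.

```python
"""Audit a main.cf relay policy against the rule in postconf(5): either
smtpd_relay_restrictions or smtpd_recipient_restrictions must contain one of
reject, reject_unauth_destination, defer, defer_if_permit or
defer_unauth_destination, otherwise Postfix refuses to receive mail.
Added example, not Postfix code; the main.cf fragments are constructed."""

import re
from typing import Dict, List, Optional, Set

TERMINAL_RESTRICTIONS = {
    "reject", "reject_unauth_destination",
    "defer", "defer_if_permit", "defer_unauth_destination",
}

# Value assumed when main.cf does not set the parameter: the Postfix 2.10+
# built-in default of smtpd_relay_restrictions (smtpd_recipient_restrictions
# defaults to empty).
DEFAULTS = {
    "smtpd_relay_restrictions":
        "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination",
}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Read logical lines as postconf(5) defines them: a line starting with
    whitespace continues the previous logical line; empty lines and lines
    whose first non-blank character is '#' are ignored."""
    logical: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    params: Dict[str, str] = {}
    for entry in logical:
        name, sep, value = entry.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


_REF = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def expand(value: str, params: Dict[str, str], depth: int = 0) -> str:
    """Recursive $name / ${name} substitution; an undefined parameter expands
    to the empty value.  The ${name?...} / ${name:...} forms are not modelled."""
    if depth > 20:
        raise ValueError("parameter expansion nested too deeply (cycle?)")
    return _REF.sub(lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)


def restriction_tokens(value: str) -> List[str]:
    """Split a restriction list on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def flatten_restrictions(value: str, params: Dict[str, str],
                         seen: Optional[Set[str]] = None) -> List[str]:
    """Tokenize a restriction list.  A token naming a smtpd_restriction_classes
    alias is replaced by that class's own list (this example's choice)."""
    seen = set() if seen is None else seen
    classes = set(restriction_tokens(expand(params.get("smtpd_restriction_classes", ""), params)))
    out: List[str] = []
    for tok in restriction_tokens(expand(value, params)):
        if tok in classes and tok not in seen:
            seen.add(tok)
            out.extend(flatten_restrictions(params.get(tok, ""), params, seen))
        else:
            out.append(tok)
    return out


def audit_relay_policy(main_cf: str) -> dict:
    """Report whether the documented requirement is met, and whether relay
    control still lives only under smtpd_recipient_restrictions (pre-2.10 layout)."""
    params = parse_main_cf(main_cf)
    merged = {**DEFAULTS, **params}
    relay = flatten_restrictions(merged.get("smtpd_relay_restrictions", ""), params)
    rcpt = flatten_restrictions(merged.get("smtpd_recipient_restrictions", ""), params)
    term_relay = [t for t in relay if t in TERMINAL_RESTRICTIONS]
    term_rcpt = [t for t in rcpt if t in TERMINAL_RESTRICTIONS]
    return {
        "relay_restrictions": relay,
        "recipient_restrictions": rcpt,
        "terminal": term_relay + term_rcpt,
        "receives_mail": bool(term_relay or term_rcpt),
        "legacy_layout": bool(term_rcpt) and not term_relay,
    }


# Constructed main.cf fragments.
GOOD_MAIN_CF = """\
relay_policy = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
smtpd_relay_restrictions = $relay_policy
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix/recipient_access
"""
BROKEN_MAIN_CF = """\
# neither list contains a required restriction: Postfix refuses to receive mail
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks, reject_rbl_client rbl.example
"""
COMPAT_MAIN_CF = """\
# pre-2.10 layout: relay control only under smtpd_recipient_restrictions
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""

if __name__ == "__main__":
    for name, cf in [("good", GOOD_MAIN_CF), ("broken", BROKEN_MAIN_CF), ("compat", COMPAT_MAIN_CF)]:
        print(name, audit_relay_policy(cf))
```

The audit treats a missing smtpd_relay_restrictions as the built-in default, but an explicitly empty one (the backwards-compatible migration setting described above) as empty, which is why the compat fragment passes only because of smtpd_recipient_restrictions and is flagged as legacy_layout.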
10155
10156 smtpd_restriction_classes
10157 User-defined aliases for groups of access restrictions. The aliases can
10158 be specified in smtpd_recipient_restrictions etc., and on the
10159 right-hand side of a Postfix access(5) table.
10160
10161 One major application is for implementing per-recipient UCE control.
10162 See the RESTRICTION_CLASS_README document for other examples.
10163
10164 smtpd_sasl_application_name (default: smtpd)
10165 The application name that the Postfix SMTP server uses for SASL server
10166 initialization. This controls the name of the SASL configuration file.
10167 The default value is smtpd, corresponding to a SASL configuration file
10168 named smtpd.conf.
10169
10170 This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
10171 was renamed to smtpd_sasl_path.
10172
10173 smtpd_sasl_auth_enable (default: no)
10174 Enable SASL authentication in the Postfix SMTP server. By default, the
10175 Postfix SMTP server does not use authentication.
10176
10177 If a remote SMTP client is authenticated, the permit_sasl_authenticated
10178 access restriction can be used to permit relay access, like this:
10179
10180 # With Postfix 2.10 and later, the mail relay policy is
10181 # preferably specified under smtpd_relay_restrictions.
10182 smtpd_relay_restrictions =
10183 permit_mynetworks, permit_sasl_authenticated, ...
10184
10185 # With Postfix before 2.10, the relay policy can be
10186 # specified only under smtpd_recipient_restrictions.
10187 smtpd_recipient_restrictions =
10188 permit_mynetworks, permit_sasl_authenticated, ...
10189
10190 To reject all SMTP connections from unauthenticated clients, specify
10191 "smtpd_delay_reject = yes" (which is the default) and use:
10192
10193 smtpd_client_restrictions = permit_sasl_authenticated, reject
10194
10195 See the SASL_README file for SASL configuration and operation details.
10196
10197 smtpd_sasl_authenticated_header
10198 Report the SASL authenticated user name in the smtpd(8) Received mes‐
10199 sage header.
10200
10201 This feature is available in Postfix 2.3 and later.
10202
10203 smtpd_sasl_exceptions_networks
10204 What remote SMTP clients the Postfix SMTP server will not offer AUTH
10205 support to.
10206
10207 Some clients (Netscape 4 at least) have a bug that causes them to
10208 require a login and password whenever AUTH is offered, whether it's
10209 necessary or not. To work around this, specify, for example, $mynet‐
10210 works to prevent Postfix from offering AUTH to local clients.
10211
10212 Specify a list of network/netmask patterns, separated by commas and/or
10213 whitespace. The mask specifies the number of bits in the network part
10214 of a host address. You can also specify "/file/name" or "type:table" patterns.
10215 A "/file/name" pattern is replaced by its contents; a "type:table"
10216 lookup table is matched when a table entry matches a lookup string (the
10217 lookup result is ignored). Continue long lines by starting the next
10218 line with whitespace. Specify "!pattern" to exclude an address or net‐
10219 work block from the list. The form "!/file/name" is supported only in
10220 Postfix version 2.4 and later.
10221
10222 Note: IP version 6 address information must be specified inside [] in
10223 the smtpd_sasl_exceptions_networks value, and in files specified with
10224 "/file/name". IP version 6 addresses contain the ":" character, and
10225 would otherwise be confused with a "type:table" pattern.
10226
10227 Example:
10228
10229 smtpd_sasl_exceptions_networks = $mynetworks
10230
10231 This feature is available in Postfix 2.1 and later.
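
The pattern-list rules in this description (first match wins, "!pattern" excludes, "/file/name" is inlined, IPv6 only inside "[]" because a bare ":" makes the token a "type:table" pattern) are shared with mynetworks and the other Postfix network lists, so it is worth seeing them run. The matcher below is an added example, not Postfix code; the file contents and table keys are constructed dicts, and "$mynetworks"-style parameter references are not expanded.

```python
"""Matcher for the network/netmask pattern lists used by
smtpd_sasl_exceptions_networks (the same syntax serves mynetworks).
Added example, not Postfix code: "/file/name" and "type:table" patterns are
resolved from constructed dicts instead of the file system."""

import ipaddress
import re
from typing import Dict, List, Set

# Constructed stand-ins: contents of "/file/name" patterns, and the keys that
# a "type:table" pattern would match (the lookup result itself is ignored).
FILE_CONTENTS: Dict[str, str] = {
    "/etc/postfix/trusted-nets": "203.0.113.0/24 [2001:db8::]/32",
}
TABLE_KEYS: Dict[str, Set[str]] = {
    "cidr:/etc/postfix/no-auth-clients": {"198.51.100.7"},
}


def parse_patterns(value: str) -> List[str]:
    """Split on commas/whitespace and replace "/file/name" (or "!/file/name")
    entries by the file contents, carrying the negation onto each entry."""
    out: List[str] = []
    for tok in re.split(r"[,\s]+", value):
        if not tok:
            continue
        neg = tok.startswith("!")
        body = tok[1:] if neg else tok
        if body.startswith("/"):
            for sub in re.split(r"[,\s]+", FILE_CONTENTS.get(body, "")):
                if sub:
                    out.append(("!" if neg else "") + sub)
        else:
            out.append(tok)
    return out


def to_network(pattern: str):
    """Parse "a.b.c.d", "a.b.c.d/bits", "[v6addr]" or "[v6addr]/bits"."""
    if pattern.startswith("["):
        close = pattern.index("]")
        host, suffix = pattern[1:close], pattern[close + 1:]
    else:
        host, sep, bits = pattern.partition("/")
        suffix = sep + bits
    return ipaddress.ip_network(host + suffix, strict=False)


def in_network_list(client_ip: str, value: str) -> bool:
    """First matching pattern decides: a plain pattern includes the client,
    a "!pattern" excludes it.  A pattern containing ':' that is not inside
    [] is a "type:table" lookup, which is why bare IPv6 text never matches
    as an address."""
    ip = ipaddress.ip_address(client_ip)
    for tok in parse_patterns(value):
        neg = tok.startswith("!")
        pat = tok[1:] if neg else tok
        if ":" in pat and not pat.startswith("["):
            hit = client_ip in TABLE_KEYS.get(pat, set())   # type:table pattern
        else:
            hit = ip in to_network(pat)                      # version mismatch is simply no match
        if hit:
            return not neg
    return False


# Constructed value for smtpd_sasl_exceptions_networks: one host carved out of
# a /24, the IPv6 loopback, a file of trusted networks, and a cidr: table.
EXCEPTIONS = ("!192.168.1.10 192.168.1.0/24, [::1]/128 "
              "/etc/postfix/trusted-nets cidr:/etc/postfix/no-auth-clients")

if __name__ == "__main__":
    for client in ["192.168.1.10", "192.168.1.77", "::1", "2001:db8:1::5", "198.51.100.7"]:
        print(f"{client:15} no AUTH offered: {in_network_list(client, EXCEPTIONS)}")
```

The last two assertions in the accompanying check show the IPv6 pitfall from the Note above: "2001:db8::/32" written without brackets is treated as a lookup-table name and matches nothing, while "[2001:db8::]/32" matches.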
10232
10233 smtpd_sasl_local_domain (default: empty)
10234 The name of the Postfix SMTP server's local SASL authentication realm.
10235
10236 By default, the local authentication realm name is the null string.
10237
10238 Examples:
10239
10240 smtpd_sasl_local_domain = $mydomain
10241 smtpd_sasl_local_domain = $myhostname
10242
10243 smtpd_sasl_path
10244 Implementation-specific information that the Postfix SMTP server passes
10245 through to the SASL plug-in implementation that is selected with
10246 smtpd_sasl_type. Typically this specifies the name of a configuration
10247 file or rendezvous point.
10248
10249 This feature is available in Postfix 2.3 and later. In earlier releases
10250 it was called smtpd_sasl_application_name.
10251
10252 smtpd_sasl_response_limit (default: 12288)
10253 The maximum length of a SASL client's response to a server challenge.
10254 When the client's "initial response" is longer than the normal limit
10255 for SMTP commands, the client must omit its initial response, and wait
10256 for an empty server challenge; it can then send what would have been
10257 its "initial response" as a response to the empty server challenge.
10258 RFC4954 requires the server to accept client responses up to at least
10259 12288 octets of base64-encoded text. The default value is therefore
10260 also the minimum value accepted for this parameter.
10261
10262 This feature is available in Postfix 3.4 and later. Prior versions use
10263 "line_length_limit", which may need to be raised to accommodate larger
10264 client responses, as may be needed with GSSAPI authentication of Win‐
10265 dows AD users who are members of many groups.
10266
10267 smtpd_sasl_security_options (default: noanonymous)
10268 Postfix SMTP server SASL security options; as of Postfix 2.3 the list
10269 of available features depends on the SASL server implementation that is
10270 selected with smtpd_sasl_type.
10271
10272 The following security features are defined for the cyrus server SASL
10273 implementation:
10274
10275 Restrict what authentication mechanisms the Postfix SMTP server will
10276 offer to the client. The list of available authentication mechanisms
10277 is system dependent.
10278
10279 Specify zero or more of the following:
10280
10281 noplaintext
10282 Disallow methods that use plaintext passwords.
10283
10284 noactive
10285 Disallow methods subject to active (non-dictionary) attack.
10286
10287 nodictionary
10288 Disallow methods subject to passive (dictionary) attack.
10289
10290 noanonymous
10291 Disallow methods that allow anonymous authentication.
10292
10293 forward_secrecy
10294 Only allow methods that support forward secrecy (Dovecot only).
10295
10296 mutual_auth
10297 Only allow methods that provide mutual authentication (not
10298 available with Cyrus SASL version 1).
10299
10300 By default, the Postfix SMTP server accepts plaintext passwords but not
10301 anonymous logins.
10302
10303 Warning: it appears that clients try authentication methods in the
10304 order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
10305 which means that if you disable plaintext passwords, clients will log
10306 in anonymously, even when they should be able to use CRAM-MD5. So, if
10307 you disable plaintext logins, disable anonymous logins too. Postfix
10308 treats anonymous login as no authentication.
10309
10310 Example:
10311
10312 smtpd_sasl_security_options = noanonymous, noplaintext
10313
10314 smtpd_sasl_service
10315 The service name that is passed to the SASL plug-in that is selected
10316 with smtpd_sasl_type and smtpd_sasl_path.
10317
10318 This feature is available in Postfix 2.11 and later. Prior versions
10319 behave as if "smtp" is specified.
10320
10321 smtpd_sasl_tls_security_options
10322 The SASL authentication security options that the Postfix SMTP server
10323 uses for TLS encrypted SMTP sessions.
10324
10325 This feature is available in Postfix 2.2 and later.
10326
10327 smtpd_sasl_type
10328 The SASL plug-in type that the Postfix SMTP server should use for
10329 authentication. The available types are listed with the "postconf -a"
10330 command.
10331
10332 This feature is available in Postfix 2.3 and later.
10333
10334 smtpd_sender_login_maps
10335 Optional lookup table with the SASL login names that own the sender
10336 (MAIL FROM) addresses.
10337
10338 Specify zero or more "type:name" lookup tables, separated by whitespace
10339 or comma. Tables will be searched in the specified order until a match
10340 is found. With lookups from indexed files such as DB or DBM, or from
10341 networked tables such as NIS, LDAP or SQL, the following search opera‐
10342 tions are done with a sender address of user@domain:
10343
10344 1) user@domain
10345 This table lookup is always done and has the highest precedence.
10346
10347 2) user
10348 This table lookup is done only when the domain part of the
10349 sender address matches $myorigin, $mydestination, $inet_inter‐
10350 faces or $proxy_interfaces.
10351
10352 3) @domain
10353 This table lookup is done last and has the lowest precedence.
10354
10355 In all cases the result of table lookup must be either "not found" or a
10356 list of SASL login names separated by comma and/or whitespace.
10357
10358 smtpd_sender_restrictions (default: empty)
10359 Optional restrictions that the Postfix SMTP server applies in the con‐
10360 text of a client MAIL FROM command. See SMTPD_ACCESS_README, section
10361 "Delayed evaluation of SMTP access restriction lists" for a discussion
10362 of evaluation context and time.
10363
10364 The default is to permit everything.
10365
10366 Specify a list of restrictions, separated by commas and/or whitespace.
10367 Continue long lines by starting the next line with whitespace.
10368 Restrictions are applied in the order as specified; the first restric‐
10369 tion that matches wins.
10370
10371 The following restrictions are specific to the sender address received
10372 with the MAIL FROM command.
10373
10374 check_sender_access type:table
10375 Search the specified access(5) database for the MAIL FROM
10376 address, domain, parent domains, or localpart@, and execute the
10377 corresponding action.
10378
10379 check_sender_a_access type:table
10380 Search the specified access(5) database for the IP addresses for
10381 the MAIL FROM domain, and execute the corresponding action.
10382 Note: a result of "OK" is not allowed for safety reasons.
10383 Instead, use DUNNO in order to exclude specific hosts from
10384 blacklists. This feature is available in Postfix 3.0 and later.
10385
10386 check_sender_mx_access type:table
10387 Search the specified access(5) database for the MX hosts for the
10388 MAIL FROM domain, and execute the corresponding action. Note: a
10389 result of "OK" is not allowed for safety reasons. Instead, use
10390 DUNNO in order to exclude specific hosts from blacklists. This
10391 feature is available in Postfix 2.1 and later.
10392
10393 check_sender_ns_access type:table
10394 Search the specified access(5) database for the DNS servers for
10395 the MAIL FROM domain, and execute the corresponding action.
10396 Note: a result of "OK" is not allowed for safety reasons.
10397 Instead, use DUNNO in order to exclude specific hosts from
10398 blacklists. This feature is available in Postfix 2.1 and later.
10399
10400 reject_authenticated_sender_login_mismatch
10401 Enforces the reject_sender_login_mismatch restriction for
10402 authenticated clients only. This feature is available in Postfix
10403 version 2.1 and later.
10404
10405 reject_known_sender_login_mismatch
10406 Apply the reject_sender_login_mismatch restriction only to MAIL
10407 FROM addresses that are known in $smtpd_sender_login_maps. This
10408 feature is available in Postfix version 2.11 and later.
10409
10410 reject_non_fqdn_sender
10411 Reject the request when the MAIL FROM address specifies a domain
10412 that is not in fully-qualified domain form as required by the
10413 RFC.
10414 The non_fqdn_reject_code parameter specifies the response code
10415 for rejected requests (default: 504).
10416
10417 reject_rhsbl_sender rbl_domain=d.d.d.d
10418 Reject the request when the MAIL FROM domain is listed with the
10419 A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
10420 later only). Each "d" is a number, or a pattern inside "[]"
10421 that contains one or more ";"-separated numbers or number..num‐
10422 ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
10423 specified, reject the request when the MAIL FROM domain is
10424 listed with any A record under rbl_domain.
10425 The maps_rbl_reject_code parameter specifies the response code
10426 for rejected requests (default: 554); the default_rbl_reply
10427 parameter specifies the default server reply; and the
10428 rbl_reply_maps parameter specifies tables with server replies
10429 indexed by rbl_domain. This feature is available in Postfix 2.0
10430 and later.
10431
10432 reject_sender_login_mismatch
10433 Reject the request when $smtpd_sender_login_maps specifies an
10434 owner for the MAIL FROM address, but the client is not (SASL)
10435 logged in as that MAIL FROM address owner; or when the client is
10436 (SASL) logged in, but the client login name doesn't own the MAIL
10437 FROM address according to $smtpd_sender_login_maps.
10438
10439 reject_unauthenticated_sender_login_mismatch
10440 Enforces the reject_sender_login_mismatch restriction for unau‐
10441 thenticated clients only. This feature is available in Postfix
10442 version 2.1 and later.
10443
10444 reject_unknown_sender_domain
10445 Reject the request when Postfix is not final destination for the
10446 sender address, and the MAIL FROM domain has 1) no DNS MX and no
10447 DNS A record, or 2) a malformed MX record such as a record with
10448 a zero-length MX hostname (Postfix version 2.3 and later).
10449 The reply is specified with the unknown_address_reject_code
10450 parameter (default: 450), unknown_address_tempfail_action
10451 (default: defer_if_permit), or 550 (nullmx, Postfix 3.0 and
10452 later). See the respective parameter descriptions for details.
10453
10454 reject_unlisted_sender
10455 Reject the request when the MAIL FROM address is not listed in
10456 the list of valid recipients for its domain class. See the
10457 smtpd_reject_unlisted_sender parameter description for details.
10458 This feature is available in Postfix 2.1 and later.
10459
10460 reject_unverified_sender
10461 Reject the request when mail to the MAIL FROM address is known
10462 to bounce, or when the sender address destination is not reach‐
10463 able. Address verification information is managed by the ver‐
10464 ify(8) server; see the ADDRESS_VERIFICATION_README file for
10465 details.
10466 The unverified_sender_reject_code parameter specifies the numer‐
10467 ical response code when an address is known to bounce (default:
10468 450, change into 550 when you are confident that it is safe to
10469 do so).
10470 The unverified_sender_defer_code specifies the numerical
10471 response code when an address probe failed due to a temporary
10472 problem (default: 450).
10473 The unverified_sender_tempfail_action parameter specifies the
10474 action after address probe failure due to a temporary problem
10475 (default: defer_if_permit).
10476 This feature breaks for aliased addresses with "enable_origi‐
10477 nal_recipient = no" (Postfix <= 3.2).
10478 This feature is available in Postfix 2.1 and later.
10479
10480 Other restrictions that are valid in this context:
10481
10482 · Generic restrictions that can be used in any SMTP command con‐
10483 text, described under smtpd_client_restrictions.
10484
10485 · SMTP command specific restrictions described under
10486 smtpd_client_restrictions and smtpd_helo_restrictions.
10487
10488 · SMTP command specific restrictions described under smtpd_recipi‐
10489 ent_restrictions. When recipient restrictions are listed under
10490 smtpd_sender_restrictions, they have effect only with
10491 "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions
10492 is evaluated at the time of the RCPT TO command.
10493
10494 Examples:
10495
10496 smtpd_sender_restrictions = reject_unknown_sender_domain
10497 smtpd_sender_restrictions = reject_unknown_sender_domain,
10498 check_sender_access hash:/etc/postfix/access
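
The smtpd_sender_login_maps lookup order (user@domain, then bare user for local domains, then @domain) and the four reject_*_sender_login_mismatch restrictions above combine into a small decision table that is easy to get wrong when a map is first deployed. The model below is an added example, not Postfix code: the map, the local domain list and the sessions are constructed, lookups are exact-match on lowercased keys, and "DUNNO" stands for "this restriction did not fire, continue with the next one".

```python
"""Model of the smtpd_sender_login_maps lookup order and of the
reject_sender_login_mismatch family of restrictions from postconf(5).
Added example, not Postfix code; the map contents and sessions are
constructed, and lookups are exact-match on lowercased keys."""

import re
from typing import Dict, List, Optional, Set

# Constructed smtpd_sender_login_maps: key -> comma/whitespace separated
# list of SASL login names that own the key.
SENDER_LOGIN_MAPS: Dict[str, str] = {
    "alice@example.com": "alice",
    "sales@example.com": "alice, bob",
    "postmaster": "admin",            # bare localpart, used only for local domains
    "@partner.example": "partner-relay",
}

# Domains for which the bare "user" lookup is performed ($myorigin,
# $mydestination, $inet_interfaces, $proxy_interfaces); constructed.
LOCAL_DOMAINS: Set[str] = {"example.com", "mail.example.com"}

MISMATCH_RESTRICTIONS = {
    "reject_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch",
    "reject_unauthenticated_sender_login_mismatch",
    "reject_known_sender_login_mismatch",
}


def lookup_sender_owners(sender: str, table: Dict[str, str] = SENDER_LOGIN_MAPS,
                         local_domains: Set[str] = LOCAL_DOMAINS) -> Optional[List[str]]:
    """Owners of a MAIL FROM address, or None when no entry matches.
    Order: 1) user@domain, 2) user (local domains only), 3) @domain."""
    sender = sender.lower()
    user, sep, domain = sender.partition("@")
    keys = [sender]
    if sep and domain in local_domains:
        keys.append(user)
    if sep:
        keys.append("@" + domain)
    for key in keys:
        if key in table:
            return [t for t in re.split(r"[,\s]+", table[key]) if t]
    return None


def sender_login_mismatch(sasl_user: Optional[str], owners: Optional[List[str]]) -> bool:
    """reject_sender_login_mismatch as documented: mismatch when the maps
    name owners but the client is not logged in as one of them, or when the
    client is logged in but its login name owns nothing for this address."""
    if owners is not None:
        return sasl_user is None or sasl_user not in owners
    return sasl_user is not None


def evaluate(restriction: str, sasl_user: Optional[str], sender: str) -> str:
    """Return "REJECT" or "DUNNO" (no decision; the next restriction applies).
    sasl_user is None for an unauthenticated client."""
    if restriction not in MISMATCH_RESTRICTIONS:
        raise ValueError(f"not a sender login mismatch restriction: {restriction}")
    owners = lookup_sender_owners(sender)
    if restriction == "reject_authenticated_sender_login_mismatch" and sasl_user is None:
        return "DUNNO"
    if restriction == "reject_unauthenticated_sender_login_mismatch" and sasl_user is not None:
        return "DUNNO"
    if restriction == "reject_known_sender_login_mismatch" and owners is None:
        return "DUNNO"
    return "REJECT" if sender_login_mismatch(sasl_user, owners) else "DUNNO"


if __name__ == "__main__":
    # Constructed sessions: (SASL login or None, MAIL FROM address)
    sessions = [("bob", "alice@example.com"), ("bob", "sales@example.com"),
                (None, "alice@example.com"), ("carol", "carol@elsewhere.example"),
                (None, "carol@elsewhere.example"), ("admin", "postmaster@mail.example.com")]
    for r in sorted(MISMATCH_RESTRICTIONS):
        print(r)
        for user, sender in sessions:
            print(f"  {str(user):8} {sender:30} {evaluate(r, user, sender)}")
```

The carol@elsewhere.example sessions show why reject_known_sender_login_mismatch exists: plain reject_sender_login_mismatch rejects an authenticated client whose sender is absent from the map, whereas the "known" variant only enforces ownership for addresses the map actually lists.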
10499
10500 smtpd_service_name
10501 The internal service that postscreen(8) hands off allowed connections
10502 to. In a future version there may be different classes of SMTP service.
10503
10504 This feature is available in Postfix 2.8.
10505
10506 smtpd_soft_error_limit
10507 The number of errors a remote SMTP client is allowed to make without
10508 delivering mail before the Postfix SMTP server slows down all its
10509 responses.
10510
10511 · With Postfix version 2.1 and later, the Postfix SMTP server
10512 delays all responses by $smtpd_error_sleep_time seconds.
10513
10514 · With Postfix versions 2.0 and earlier, the Postfix SMTP server
10515 delays all responses by (number of errors) seconds.
10516
10517 smtpd_starttls_timeout
10518 The time limit for Postfix SMTP server write and read operations during
10519 TLS startup and shutdown handshake procedures. The current default
10520 value is stress-dependent. Before Postfix version 2.8, it was fixed at
10521 300s.
10522
10523 This feature is available in Postfix 2.2 and later.
10524
10525 smtpd_timeout
10526 The time limit for sending a Postfix SMTP server response and for
10527 receiving a remote SMTP client request. Normally the default limit is
10528 300s, but it changes under overload to just 10s. With Postfix 2.5 and
10529 earlier, the SMTP server always uses a time limit of 300s by default.
10530
10531 Note: if you set SMTP time limits to very large values you may have to
10532 update the global ipc_timeout parameter.
10533
10534 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
10535 The default time unit is s (seconds).
10536
10537 smtpd_tls_CAfile
10538 A file containing (PEM format) CA certificates of root CAs trusted to
10539 sign either remote SMTP client certificates or intermediate CA certifi‐
10540 cates. These are loaded into memory before the smtpd(8) server enters
10541 the chroot jail. If the number of trusted roots is large, consider
10542 using smtpd_tls_CApath instead, but note that the latter directory must
10543 be present in the chroot jail if the smtpd(8) server is chrooted. This
10544 file may also be used to augment the server certificate trust chain,
10545 but it is best to include all the required certificates directly in the
10546 server certificate file.
10547
10548 Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY the
10549 system-supplied default Certification Authority certificates.
10550
10551 Specify "tls_append_default_CA = no" to prevent Postfix from appending
10552 the system-supplied default CAs and trusting third-party certificates.
10553
10554 By default (see smtpd_tls_ask_ccert), client certificates are not
10555 requested, and smtpd_tls_CAfile should remain empty. If you do make use
10556 of client certificates, the distinguished names (DNs) of the Certifica‐
10557 tion Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
10558 client in the client certificate request message. MUAs with multiple
10559 client certificates may use the list of preferred Certification Author‐
10560 ities to select the correct client certificate. You may want to put
10561 your "preferred" CA or CAs in this file, and install other trusted CAs
10562 in $smtpd_tls_CApath.
10563
10564 Example:
10565
10566 smtpd_tls_CAfile = /etc/postfix/CAcert.pem
10567
10568 This feature is available in Postfix 2.2 and later.
10569
smtpd_tls_CApath (default: empty)
A directory containing (PEM format) CA certificates of root CAs trusted
to sign either remote SMTP client certificates or intermediate CA
certificates. Do not forget to create the necessary "hash" links with, for
example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
inside the chroot jail.

Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to use ONLY
the system-supplied default Certification Authority certificates.

Specify "tls_append_default_CA = no" to prevent Postfix from appending
the system-supplied default CAs and trusting third-party certificates.

By default (see smtpd_tls_ask_ccert), client certificates are not
requested, and smtpd_tls_CApath should remain empty. In contrast to
smtpd_tls_CAfile, DNs of Certification Authorities installed in
$smtpd_tls_CApath are not included in the client certificate request
message. MUAs with multiple client certificates may use the list of
preferred Certification Authorities to select the correct client
certificate. You may want to put your "preferred" CA or CAs in
$smtpd_tls_CAfile, and install the remaining trusted CAs in
$smtpd_tls_CApath.

Example:

    smtpd_tls_CApath = /etc/postfix/certs

This feature is available in Postfix 2.2 and later.

smtpd_tls_always_issue_session_ids (default: yes)
Force the Postfix SMTP server to issue a TLS session id, even when TLS
session caching is turned off (smtpd_tls_session_cache_database is
empty). This behavior is compatible with Postfix < 2.3.

With Postfix 2.3 and later the Postfix SMTP server can disable session
id generation when TLS session caching is turned off. This keeps remote
SMTP clients from caching sessions that almost certainly cannot be
re-used.

By default, the Postfix SMTP server always generates TLS session ids.
This works around a known defect in mail client applications such as MS
Outlook, and may also prevent interoperability issues with other MTAs.

Example:

    smtpd_tls_always_issue_session_ids = no

This feature is available in Postfix 2.3 and later.

smtpd_tls_ask_ccert (default: no)
Ask a remote SMTP client for a client certificate. This information is
needed for certificate based mail relaying with, for example, the
permit_tls_clientcerts feature.

Some clients such as Netscape will either complain if no certificate is
available (for the list of CAs in $smtpd_tls_CAfile) or will offer
multiple client certificates to choose from. This may be annoying, so this
option is "off" by default.

This feature is available in Postfix 2.2 and later.

smtpd_tls_auth_only (default: no)
When TLS encryption is optional in the Postfix SMTP server, do not
announce or accept SASL authentication over unencrypted connections.

This feature is available in Postfix 2.2 and later.

smtpd_tls_ccert_verifydepth (default: 9)
The verification depth for remote SMTP client certificates. A depth of
1 is sufficient if the issuing CA is listed in a local CA file.

The default verification depth is 9 (the OpenSSL default) for
compatibility with earlier Postfix behavior. Prior to Postfix 2.5, the
default value was 5, but the limit was not actually enforced. If you have
set this to a lower non-default value, certificates with longer trust
chains may now fail to verify. Certificate chains with 1 or 2 CAs are
common, deeper chains are more rare and any number between 5 and 9
should suffice in practice. You can choose a lower number if, for
example, you trust certificates directly signed by an issuing CA but not
any CAs it delegates to.

This feature is available in Postfix 2.2 and later.

smtpd_tls_cert_file (default: empty)
File with the Postfix SMTP server RSA certificate in PEM format. This
file may also contain the Postfix SMTP server private RSA key. With
Postfix >= 3.4 the preferred way to configure server keys and
certificates is via the "smtpd_tls_chain_files" parameter.

Public Internet MX hosts without certificates signed by a "reputable"
CA must generate, and be prepared to present to most clients, a
self-signed or private-CA signed certificate. The client will not be
able to authenticate the server, but unless it is running Postfix 2.3
or similar software, it will still insist on a server certificate.

For servers that are not public Internet MX hosts, Postfix supports
configurations with no certificates. This entails the use of just the
anonymous TLS ciphers, which are not supported by typical SMTP clients.
Since some clients may not fall back to plain text after a TLS
handshake failure, a certificate-less Postfix SMTP server will be unable
to receive email from some TLS-enabled clients. To avoid accidental
configurations with no certificates, Postfix enables certificate-less
operation only when the administrator explicitly sets
"smtpd_tls_cert_file = none". This ensures that new Postfix SMTP server
configurations will not accidentally enable TLS without certificates.

Note that server certificates are not optional in TLS 1.3. To run
without certificates you'd have to disable the TLS 1.3 protocol by
including '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also
"smtpd_tls_mandatory_protocols". It is simpler instead to just
configure a certificate chain. Certificate-less operation is not
recommended.

Both RSA and DSA certificates are supported. When both types are
present, the cipher used determines which certificate will be presented
to the client. For Netscape and OpenSSL clients without special cipher
choices the RSA certificate is preferred.

To enable a remote SMTP client to verify the Postfix SMTP server
certificate, the issuing CA certificates must be made available to the
client. You should include the required certificates in the server
certificate file, the server certificate first, then the issuing CA(s)
(bottom-up order).

Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate of "root CA". Create the
server.pem file with "cat server_cert.pem intermediate_CA.pem
root_CA.pem > server.pem".

If you also want to verify client certificates issued by these CAs, you
can add the CA certificates to the smtpd_tls_CAfile, in which case it
is not necessary to have them in the smtpd_tls_cert_file,
smtpd_tls_dcert_file (obsolete) or smtpd_tls_eccert_file.

A certificate supplied here must be usable as an SSL server certificate
and hence pass the "openssl verify -purpose sslserver ..." test.

Example:

    smtpd_tls_cert_file = /etc/postfix/server.pem

This feature is available in Postfix 2.2 and later.

smtpd_tls_chain_files (default: empty)
List of one or more PEM files, each holding one or more private keys
directly followed by a corresponding certificate chain. The file names
are separated by commas and/or whitespace. This parameter obsoletes
the legacy algorithm-specific key and certificate file settings. When
this parameter is non-empty, the legacy parameters are ignored, and a
warning is logged if any are also non-empty.

With the proliferation of multiple private key algorithms (which, as of
OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448),
it is increasingly impractical to use separate parameters to configure
the key and certificate chain for each algorithm. Therefore, Postfix now
supports storing multiple keys and corresponding certificate chains in
a single file or in a set of files.

Each key must appear immediately before the corresponding certificate,
optionally followed by additional issuer certificates that complete the
certificate chain for that key. When multiple files are specified,
they are equivalent to a single file that is concatenated from those
files in the given order. Thus, while a key must always precede its
certificate and issuer chain, it can be in a separate file, so long as
that file is listed immediately before the file that holds the
corresponding certificate chain. Once all the files are concatenated,
the sequence of PEM objects must be: key1, cert1, [chain1], key2, cert2,
[chain2], ..., keyN, certN, [chainN].

Storing the private key in the same file as the corresponding
certificate is more reliable. With the key and certificate in separate
files, there is a chance that during key rollover a Postfix process might
load a private key and certificate from separate files that don't match.
Various operational errors may even result in a persistent broken
configuration in which the certificate does not match the private key.

The file or files must contain at most one key of each type. If, for
example, two or more RSA keys and corresponding chains are listed,
depending on the version of OpenSSL either only the last one will be
used or a configuration error may be detected. Note that while
"Ed25519" and "Ed448" are considered separate algorithms, the various
ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
considered as different parameters of a single "ECDSA" algorithm, so it
is not presently possible to configure keys for more than one ECDSA
curve.

RSA is still the most widely supported algorithm. Presently (late
2018), ECDSA support is common, but not yet universal, and Ed25519 and
Ed448 support is mostly absent. Therefore, an RSA key should generally
be configured, along with any additional keys for the other algorithms
when desired.

Example (separate files for each key and corresponding certificate
chain):

    /etc/postfix/main.cf:
        smtpd_tls_chain_files =
            ${config_directory}/ed25519.pem,
            ${config_directory}/ed448.pem,
            ${config_directory}/rsa.pem

    /etc/postfix/ed25519.pem:
        -----BEGIN PRIVATE KEY-----
        MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
        -----END PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
        ...
        nC0egv51YPDWxEHom4QA
        -----END CERTIFICATE-----

    /etc/postfix/ed448.pem:
        -----BEGIN PRIVATE KEY-----
        MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
        LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
        -----END PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
        ...
        pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
        -----END CERTIFICATE-----

    /etc/postfix/rsa.pem:
        -----BEGIN PRIVATE KEY-----
        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
        ...
        ahQkZ3+krcaJvDSMgvu0tDc=
        -----END PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
        ...
        Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
        -----END CERTIFICATE-----

Example (all keys and certificates in a single file):

    /etc/postfix/main.cf:
        smtpd_tls_chain_files = ${config_directory}/chains.pem

    /etc/postfix/chains.pem:
        -----BEGIN PRIVATE KEY-----
        MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
        -----END PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
        ...
        nC0egv51YPDWxEHom4QA
        -----END CERTIFICATE-----
        -----BEGIN PRIVATE KEY-----
        MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
        LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
        -----END PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
        ...
        pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
        -----END CERTIFICATE-----
        -----BEGIN PRIVATE KEY-----
        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
        ...
        ahQkZ3+krcaJvDSMgvu0tDc=
        -----END PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
        ...
        Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
        -----END CERTIFICATE-----

This feature is available in Postfix 3.4 and later.

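The ordering rules above (a key immediately precedes its certificate, issuer certificates follow, at most one key per algorithm, all ECDSA curves share one slot, keys must be unencrypted) are easy to get wrong when files are hand-concatenated. The following checker is an added example and not Postfix's own loader; it applies those rules to the concatenation of the files listed in smtpd_tls_chain_files, in the given order, reading the key algorithm out of the PKCS#8 AlgorithmIdentifier with a minimal DER walk. The Ed25519 and Ed448 key blobs in the sample input are the example keys printed on this page; the certificate bodies are constructed placeholders, since only the position of certificates is checked. Standard-library Python only.

```python
import base64
import re

# PKCS#8 AlgorithmIdentifier OIDs -> algorithm names (standard OID values).
_KEY_OIDS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10040.4.1": "DSA",
    "1.2.840.10045.2.1": "ECDSA",      # every curve shares the single ECDSA slot
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}
# Legacy PEM labels name the algorithm in the header itself.
_LEGACY_LABELS = {"RSA PRIVATE KEY": "RSA", "DSA PRIVATE KEY": "DSA", "EC PRIVATE KEY": "ECDSA"}
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Dotted form of DER OBJECT IDENTIFIER content bytes."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pkcs8_algorithm(b64_body):
    """Algorithm name of a PKCS#8 'BEGIN PRIVATE KEY' object (unknown OIDs come back dotted)."""
    der = base64.b64decode(b64_body)
    _, pos, _ = _der_tlv(der, 0)                      # PrivateKeyInfo SEQUENCE
    _, _, pos = _der_tlv(der, pos)                    # skip INTEGER version
    _, pos, _ = _der_tlv(der, pos)                    # AlgorithmIdentifier SEQUENCE
    tag, start, end = _der_tlv(der, pos)              # OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("malformed PKCS#8 PrivateKeyInfo")
    oid = _decode_oid(der[start:end])
    return _KEY_OIDS.get(oid, oid)


def check_chain_files(*file_texts):
    """Validate the files listed in smtpd_tls_chain_files, in the given order.

    Returns [(algorithm, number_of_certificates), ...] per key, or raises
    ValueError naming the first rule that is broken."""
    groups, seen, expect = [], set(), "key"          # the sequence must open with a key
    for label, body in _PEM_RE.findall("\n".join(file_texts)):
        if label == "ENCRYPTED PRIVATE KEY":
            raise ValueError("private keys must not be pass-phrase protected")
        if label.endswith("PRIVATE KEY"):
            if expect == "cert":
                raise ValueError(f"{groups[-1][0]} key is not followed by its certificate")
            alg = _LEGACY_LABELS.get(label) or pkcs8_algorithm(body)
            if alg in seen:
                raise ValueError(f"more than one {alg} key")
            seen.add(alg)
            groups.append([alg, 0])
            expect = "cert"
        elif label == "CERTIFICATE":
            if not groups:
                raise ValueError("certificate appears before any private key")
            groups[-1][1] += 1                        # first cert is the leaf, the rest its chain
            expect = "any"
        else:
            raise ValueError(f"unexpected PEM object: {label}")
    if expect != "any":
        raise ValueError("no key/certificate pair found" if not groups
                         else f"trailing {groups[-1][0]} key without certificate")
    return [tuple(g) for g in groups]


def chain_files_error(*file_texts):
    """The rule violation as a string, or None when the files are acceptable."""
    try:
        check_chain_files(*file_texts)
    except ValueError as exc:
        return str(exc)
    return None


# Sample input: the Ed25519 and Ed448 keys are the example keys printed on this
# page; the certificate bodies are constructed placeholders (not decoded here).
_PLACEHOLDER_CERT = ("-----BEGIN CERTIFICATE-----\n"
                     "Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n"
                     "-----END CERTIFICATE-----\n")
ED25519_PEM = ("-----BEGIN PRIVATE KEY-----\n"
               "MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3\n"
               "-----END PRIVATE KEY-----\n") + _PLACEHOLDER_CERT
ED448_PEM = ("-----BEGIN PRIVATE KEY-----\n"
             "MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe\n"
             "LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==\n"
             "-----END PRIVATE KEY-----\n") + _PLACEHOLDER_CERT * 2   # leaf + one issuer
KEY_ONLY = ED25519_PEM.split("-----BEGIN CERTIFICATE-----")[0]         # a key in its own file

if __name__ == "__main__":
    print(check_chain_files(ED25519_PEM, ED448_PEM))    # [('Ed25519', 1), ('Ed448', 2)]
    print(chain_files_error(ED25519_PEM, ED25519_PEM))  # more than one Ed25519 key
```

The KEY_ONLY sample shows the split-file case the text allows: a key file is accepted when the file holding its certificate chain is listed immediately after it, and rejected when another key file intervenes.
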
smtpd_tls_cipherlist (default: empty)
Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
list. It is easy to create interoperability problems by choosing a
non-default cipher list. Do not use a non-default TLS cipherlist for MX
hosts on the public Internet. Clients that begin the TLS handshake, but
are unable to agree on a common cipher, may not be able to send any
email to the SMTP server. Using a restricted cipher list may be more
appropriate for a dedicated MSA or an internal mailhub, where one can
exert some control over the TLS software and settings of the connecting
clients.

Note: do not use "" quotes around the parameter value.

This feature is available with Postfix version 2.2. It is not used with
Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.

smtpd_tls_ciphers (default: medium)
The minimum TLS cipher grade that the Postfix SMTP server will use with
opportunistic TLS encryption. Cipher types listed in
smtpd_tls_exclude_ciphers are excluded from the base definition of the
selected cipher grade. The default value is "medium" for Postfix
releases after the middle of 2015, "export" for older releases.

When TLS is mandatory the cipher grade is chosen via the
smtpd_tls_mandatory_ciphers configuration parameter, see there for
syntax details.

This feature is available in Postfix 2.6 and later. With earlier
Postfix releases only the smtpd_tls_mandatory_ciphers parameter is
implemented, and opportunistic TLS always uses "export" or better (i.e.
all) ciphers.

smtpd_tls_dcert_file (default: empty)
File with the Postfix SMTP server DSA certificate in PEM format. This
file may also contain the Postfix SMTP server private DSA key. The DSA
algorithm is obsolete and should not be used.

See the discussion under smtpd_tls_cert_file for more details.

Example:

    smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem

This feature is available in Postfix 2.2 and later.

smtpd_tls_dh1024_param_file (default: empty)
File with DH parameters that the Postfix SMTP server should use with
non-export EDH ciphers.

Instead of using the exact same parameter sets as distributed with
other TLS packages, it is more secure to generate your own set of
parameters with something like the following commands:

    openssl dhparam -out /etc/postfix/dh512.pem 512
    openssl dhparam -out /etc/postfix/dh1024.pem 1024
    openssl dhparam -out /etc/postfix/dh2048.pem 2048

It is safe to share the same DH parameters between multiple Postfix
instances. If you prefer, you can generate separate parameters for
each instance.

If you want to take maximal advantage of ciphers that offer forward
secrecy see the Getting started section of FORWARD_SECRECY_README. The
full document conveniently presents all information about Postfix
"perfect" forward secrecy support in one place: what forward secrecy is,
how to tweak settings, and what you can expect to see when Postfix uses
ciphers with forward secrecy.

Example:

    smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

This feature is available with Postfix version 2.2.

smtpd_tls_dh512_param_file (default: empty)
File with DH parameters that the Postfix SMTP server should use with
export-grade EDH ciphers. The default SMTP server cipher grade is
"medium" with Postfix releases after the middle of 2015, and as a
result export-grade cipher suites are by default not used.

See also the discussion under the smtpd_tls_dh1024_param_file
configuration parameter.

Example:

    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

This feature is available with Postfix version 2.2.

smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)
File with the Postfix SMTP server DSA private key in PEM format. This
file may be combined with the Postfix SMTP server DSA certificate file
specified with $smtpd_tls_dcert_file. The DSA algorithm is obsolete and
should not be used.

The private key must be accessible without a pass-phrase, i.e. it must
not be encrypted. File permissions should grant read-only access to the
system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.2 and later.

smtpd_tls_eccert_file (default: empty)
File with the Postfix SMTP server ECDSA certificate in PEM format.
This file may also contain the Postfix SMTP server private ECDSA key.
With Postfix >= 3.4 the preferred way to configure server keys and
certificates is via the "smtpd_tls_chain_files" parameter.

See the discussion under smtpd_tls_cert_file for more details.

Example:

    smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem

This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later.

smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file)
File with the Postfix SMTP server ECDSA private key in PEM format.
This file may be combined with the Postfix SMTP server ECDSA
certificate file specified with $smtpd_tls_eccert_file. With Postfix >=
3.4 the preferred way to configure server keys and certificates is via
the "smtpd_tls_chain_files" parameter.

The private key must be accessible without a pass-phrase, i.e. it must
not be encrypted. File permissions should grant read-only access to the
system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later.

smtpd_tls_eecdh_grade (default: see "postconf -d" output)
The Postfix SMTP server security grade for ephemeral elliptic-curve
Diffie-Hellman (EECDH) key exchange.

The available choices are:

none   Don't use EECDH. Ciphers based on EECDH key exchange will be
       disabled. This is the default in Postfix versions 2.6 and 2.7.

strong Use EECDH with approximately 128 bits of security at a
       reasonable computational cost. This is the current best-practice
       trade-off between security and computational efficiency. This is
       the default in Postfix version 2.8 and later.

ultra  Use EECDH with approximately 192 bits of security at
       computational cost that is approximately twice as high as 128 bit
       strength ECC. Barring significant progress in attacks on
       elliptic curve crypto-systems, the "strong" curve is sufficient
       for most users.

auto   Use the most preferred curve that is supported by both the
       client and the server. This setting requires Postfix >= 3.2
       compiled and linked with OpenSSL >= 1.0.2. This is the default
       setting under the above conditions.

If you want to take maximal advantage of ciphers that offer forward
secrecy see the Getting started section of FORWARD_SECRECY_README. The
full document conveniently presents all information about Postfix
"perfect" forward secrecy support in one place: what forward secrecy is,
how to tweak settings, and what you can expect to see when Postfix uses
ciphers with forward secrecy.

This feature is available in Postfix 2.6 and later, when it is compiled
and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
have not been disabled by the vendor.

smtpd_tls_exclude_ciphers (default: empty)
List of ciphers or cipher types to exclude from the SMTP server cipher
list at all TLS security levels. Excluding valid ciphers can create
interoperability problems. DO NOT exclude ciphers unless it is
essential to do so. This is not an OpenSSL cipherlist; it is a simple
list separated by whitespace and/or commas. The elements are a single
cipher, or one or more "+" separated cipher properties, in which case
only ciphers matching all the properties are excluded.

Examples (some of these will cause problems):

    smtpd_tls_exclude_ciphers = aNULL
    smtpd_tls_exclude_ciphers = MD5, DES
    smtpd_tls_exclude_ciphers = DES+MD5
    smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
    smtpd_tls_exclude_ciphers = kEDH+aRSA

The first setting disables anonymous ciphers. The next setting disables
ciphers that use the MD5 digest algorithm or the (single) DES
encryption algorithm. The next setting disables ciphers that use MD5 and
DES together. The next setting disables the two ciphers "AES256-SHA" and
"DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key
exchange with RSA authentication.

This feature is available in Postfix 2.3 and later.

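The difference between "MD5, DES" (either property excludes) and "DES+MD5" (both properties required) is the part of this syntax that is most often misread. The following is an added example, not Postfix or OpenSSL code, that implements the matching rule stated above over a small constructed cipher table; the table's property tags are assumptions made for illustration and are not OpenSSL's real cipher metadata. It evaluates the five settings from the text.

```python
import re

# Constructed cipher table for illustration: cipher name -> property tags in the
# style of OpenSSL's cipher aliases (kRSA/kEDH/kEECDH key exchange, aRSA/aNULL
# authentication, bulk cipher, digest). Assumed values, not OpenSSL metadata.
CIPHERS = {
    "AES256-SHA":         {"kRSA", "aRSA", "AES256", "SHA1"},
    "DES-CBC3-SHA":       {"kRSA", "aRSA", "3DES", "SHA1"},
    "DES-CBC3-MD5":       {"kRSA", "aRSA", "3DES", "MD5"},
    "DES-CBC-SHA":        {"kRSA", "aRSA", "DES", "SHA1"},
    "DES-CBC-MD5":        {"kRSA", "aRSA", "DES", "MD5"},
    "DHE-RSA-AES128-SHA": {"kEDH", "aRSA", "AES128", "SHA1"},
    "ADH-AES128-SHA":     {"kEDH", "aNULL", "AES128", "SHA1"},
    "AECDH-AES128-SHA":   {"kEECDH", "aNULL", "AES128", "SHA1"},
}


def parse_exclude_list(value):
    """Split a smtpd_tls_exclude_ciphers value on whitespace and/or commas."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def matches(item, name, props):
    """One list element matches a cipher if it is that cipher's name, or if
    every '+'-joined property it names is present on the cipher."""
    if item == name:
        return True
    return all(prop in props for prop in item.split("+"))


def excluded_by(value, table=CIPHERS):
    """Ciphers removed from the server list by the given exclusion value."""
    items = parse_exclude_list(value)
    return sorted(name for name, props in table.items()
                  if any(matches(item, name, props) for item in items))


def remaining_after(value, table=CIPHERS):
    """Ciphers that survive the exclusion value."""
    dropped = set(excluded_by(value, table))
    return sorted(name for name in table if name not in dropped)


if __name__ == "__main__":
    for setting in ("aNULL", "MD5, DES", "DES+MD5", "AES256-SHA, DES-CBC3-MD5", "kEDH+aRSA"):
        print(f"{setting:26s} excludes {excluded_by(setting)}")
```

Note that "kEDH+aRSA" leaves the anonymous "ADH-AES128-SHA" in place even though it uses EDH key exchange, because it lacks the aRSA property; that is exactly the all-properties-must-match rule.
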
smtpd_tls_fingerprint_digest (default: md5)
The message digest algorithm to construct remote SMTP client-certificate
fingerprints or public key fingerprints (Postfix 2.9 and later)
for check_ccert_access and permit_tls_clientcerts. The default
algorithm is md5, for backwards compatibility with Postfix releases prior
to 2.5.

Advances in hash function cryptanalysis have led to md5 being
deprecated in favor of sha1. However, as long as there are no known
"second pre-image" attacks against md5, its use in this context can still
be considered safe.

While additional digest algorithms are often available with OpenSSL's
libcrypto, only those used by libssl in SSL cipher suites are available
to Postfix.

To find the fingerprint of a specific certificate file, with a specific
digest algorithm, run:

    $ openssl x509 -noout -fingerprint -digest -in certfile.pem

The text to the right of the "=" sign is the desired fingerprint. For
example:

    $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
    SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A

To extract the public key fingerprint from an X.509 certificate, you
need to extract the public key from the certificate and compute the
appropriate digest of its DER (ASN.1) encoding. With OpenSSL the
"-pubkey" option of the "x509" command extracts the public key always in
"PEM" format. We pipe the result to another OpenSSL command that
converts the key to DER and then to the "dgst" command to compute the
fingerprint.

The actual command to transform the key to DER format depends on the
version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey"
command supports all key types. With OpenSSL 0.9.8 and earlier, the key
type is always RSA (nobody uses DSA, and EC keys are not fully
supported by 0.9.8), so the "rsa" command is used.

    # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
    $ openssl x509 -in cert.pem -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha1 -c
    (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58

    # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
    $ openssl x509 -in cert.pem -noout -pubkey |
        openssl rsa -pubin -outform DER |
        openssl dgst -md5 -c
    (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50

The Postfix SMTP server and client log the peer (leaf) certificate
fingerprint and public key fingerprint when the TLS loglevel is 2 or
higher.

Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint
incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
later.

Example: client-certificate access table, with sha1 fingerprints:

    /etc/postfix/main.cf:
        smtpd_tls_fingerprint_digest = sha1
        smtpd_client_restrictions =
            check_ccert_access hash:/etc/postfix/access,
            reject
    /etc/postfix/access:
        # Action folded to next line...
        AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
            OK
        85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
            permit_auth_destination

This feature is available in Postfix 2.5 and later.

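The two fingerprint kinds above behave differently over a certificate's life: the certificate fingerprint is a digest of the whole DER certificate and changes on every reissue, while the public key fingerprint is a digest of the DER SubjectPublicKeyInfo (the bytes the "openssl pkey -pubin -outform DER" stage emits) and is stable for as long as the client keeps the same key pair, which is why an access table keyed on public key fingerprints survives renewals. The following is an added example, not Postfix code, that computes both with only the Python standard library. Because no real certificate is on this page, it constructs a minimal X.509 structure with a tiny DER encoder (the signature field is zero-filled and the key bytes are placeholders; fingerprints are digests over the encoding, so no signature check is involved), then locates the SubjectPublicKeyInfo by walking the DER and formats digests the way the access table above expects.

```python
import hashlib


# --- tiny DER encoder, enough to construct a syntactically valid certificate ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:                                              # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _seq(*items):
    return _der(0x30, b"".join(items))


_ED25519_ALG = _seq(_der(0x06, bytes([0x2B, 0x65, 0x70])))   # AlgorithmIdentifier 1.3.101.112
_CN_OID = _der(0x06, bytes([0x55, 0x04, 0x03]))              # 2.5.4.3 commonName


def _name(cn):
    return _seq(_der(0x31, _seq(_CN_OID, _der(0x0C, cn.encode()))))


def make_test_cert(serial, cn, raw_pubkey):
    """Constructed X.509 v3 certificate with an Ed25519 SubjectPublicKeyInfo.
    The signature is 64 zero bytes: fingerprints digest the encoding and never
    verify the signature, so this is enough to run offline."""
    spki = _seq(_ED25519_ALG, _der(0x03, b"\x00" + raw_pubkey))
    tbs = _seq(
        _der(0xA0, _der(0x02, b"\x02")),                                   # [0] version v3
        _der(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big")),  # serialNumber
        _ED25519_ALG,                                                      # signature
        _name("Example Client CA"),                                        # issuer
        _seq(_der(0x17, b"240101000000Z"), _der(0x17, b"340101000000Z")),  # validity
        _name(cn),                                                         # subject
        spki,                                                              # subjectPublicKeyInfo
    )
    return _seq(tbs, _ED25519_ALG, _der(0x03, b"\x00" + bytes(64)))


# --- DER reader: locate the SubjectPublicKeyInfo inside any certificate ---
def _tlv(buf, pos):
    """(tag, value_start, value_end) of the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo, the bytes whose digest is the
    public key fingerprint."""
    _, tbs_pos, _ = _tlv(cert_der, 0)                 # Certificate
    _, pos, end = _tlv(cert_der, tbs_pos)             # tbsCertificate
    fields = []
    while pos < end:                                  # walk the TBS children
        tag, _, nxt = _tlv(cert_der, pos)
        fields.append((tag, pos, nxt))
        pos = nxt
    if fields[0][0] == 0xA0:                          # drop the optional [0] version
        fields.pop(0)
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, start, stop = fields[5]
    return cert_der[start:stop]


def fingerprint(der_bytes, digest="sha1"):
    """Uppercase colon-separated digest, as written in check_ccert_access tables."""
    hexdigest = hashlib.new(digest, der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def cert_fingerprint(cert_der, digest="sha1"):
    return fingerprint(cert_der, digest)


def pubkey_fingerprint(cert_der, digest="sha1"):
    return fingerprint(extract_spki(cert_der), digest)


# Constructed sample: one key pair, reissued in a renewed certificate (new serial).
SAMPLE_PUBKEY = bytes(range(32))                      # placeholder raw key bytes
CERT_OLD = make_test_cert(1001, "client.example.com", SAMPLE_PUBKEY)
CERT_NEW = make_test_cert(1002, "client.example.com", SAMPLE_PUBKEY)

if __name__ == "__main__":
    for label, cert in (("old", CERT_OLD), ("new", CERT_NEW)):
        print(label, "cert  ", cert_fingerprint(cert))
        print(label, "pubkey", pubkey_fingerprint(cert))
```

Running it prints two different certificate fingerprints but one identical public key fingerprint for the old and renewed certificate. The digest argument takes any name hashlib knows, so the same helper produces the sha256 form if a future smtpd_tls_fingerprint_digest setting calls for it.
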
smtpd_tls_key_file (default: $smtpd_tls_cert_file)
File with the Postfix SMTP server RSA private key in PEM format. This
file may be combined with the Postfix SMTP server RSA certificate file
specified with $smtpd_tls_cert_file. With Postfix >= 3.4 the preferred
way to configure server keys and certificates is via the
"smtpd_tls_chain_files" parameter.

The private key must be accessible without a pass-phrase, i.e. it must
not be encrypted. File permissions should grant read-only access to the
system superuser account ("root"), and no access to anyone else.

smtpd_tls_loglevel (default: 0)
Enable additional Postfix SMTP server logging of TLS activity. Each
logging level also includes the information that is logged at a lower
logging level.

0  Disable logging of TLS activity.

1  Log only a summary message on TLS handshake completion; no
   logging of client certificate trust-chain verification errors if
   client certificate verification is not required. With Postfix
   2.8 and earlier, log the summary message, peer certificate
   summary information and unconditionally log trust-chain
   verification errors.

2  Also log levels during TLS negotiation.

3  Also log hexadecimal and ASCII dump of TLS negotiation
   process.

4  Also log hexadecimal and ASCII dump of complete transmission
   after STARTTLS.

Do not use "smtpd_tls_loglevel = 2" or higher except in case of
problems. Use of loglevel 4 is strongly discouraged.

This feature is available in Postfix 2.2 and later.

smtpd_tls_mandatory_ciphers (default: medium)
The minimum TLS cipher grade that the Postfix SMTP server will use with
mandatory TLS encryption. The default grade ("medium") is sufficiently
strong that any benefit from globally restricting TLS sessions to a
more stringent grade is likely negligible, especially given the fact
that many implementations still do not offer any stronger ("high"
grade) ciphers, while those that do, will always use "high" grade
ciphers. So insisting on "high" grade ciphers is generally
counter-productive. Allowing "export" or "low" ciphers is typically not
a good idea, as systems limited to just these are limited to obsolete
browsers. No known SMTP clients fail to support at least one "medium"
or "high" grade cipher.

The following cipher grades are supported:

export Enable "EXPORT" grade or stronger OpenSSL ciphers. The
       underlying cipherlist is specified via the tls_export_cipherlist
       configuration parameter, which you are strongly encouraged to not
       change. This choice is insecure and SHOULD NOT be used.

low    Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
       cipherlist is specified via the tls_low_cipherlist configuration
       parameter, which you are strongly encouraged to not change.
       This choice is insecure and SHOULD NOT be used.

medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
       128-bit or longer symmetric bulk-encryption keys. This is the
       default minimum strength for mandatory TLS encryption. The
       underlying cipherlist is specified via the tls_medium_cipherlist
       configuration parameter, which you are strongly encouraged to
       not change.

high   Enable only "HIGH" grade OpenSSL ciphers. The underlying
       cipherlist is specified via the tls_high_cipherlist
       configuration parameter, which you are strongly encouraged to not
       change.

null   Enable only the "NULL" OpenSSL ciphers, these provide
       authentication without encryption. This setting is only
       appropriate in the rare case that all clients are prepared to use
       NULL ciphers (not normally enabled in TLS clients). The underlying
       cipherlist is specified via the tls_null_cipherlist configuration
       parameter, which you are strongly encouraged to not change.

Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
smtpd_tls_exclude_ciphers are excluded from the base definition of the
selected cipher grade. See smtpd_tls_ciphers for cipher controls that
apply to opportunistic TLS.

The underlying cipherlists for grades other than "null" include
anonymous ciphers, but these are automatically filtered out if the
server is configured to ask for remote SMTP client certificates. You are
very unlikely to need to take any steps to exclude anonymous ciphers,
they are excluded automatically as required. If you must exclude
anonymous ciphers even when Postfix does not need or use peer
certificates, set "smtpd_tls_exclude_ciphers = aNULL". To exclude
anonymous ciphers only when TLS is enforced, set
"smtpd_tls_mandatory_exclude_ciphers = aNULL".

This feature is available in Postfix 2.3 and later.

smtpd_tls_mandatory_exclude_ciphers (default: empty)
Additional list of ciphers or cipher types to exclude from the Postfix
SMTP server cipher list at mandatory TLS security levels. This list
works in addition to the exclusions listed with
smtpd_tls_exclude_ciphers (see there for syntax details).

This feature is available in Postfix 2.3 and later.

smtpd_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption. If the list is empty, the server supports all
available SSL/TLS protocol versions. A non-empty value is a list of
protocol names separated by whitespace, commas or colons. The
supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not
case sensitive. The default value is "!SSLv2, !SSLv3" for Postfix
releases after the middle of 2015, "!SSLv2" for older releases.

With Postfix >= 2.5 the parameter syntax was expanded to support
protocol exclusions. One can explicitly exclude "SSLv2" by setting
"smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
"SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely matches
the underlying OpenSSL interface semantics.

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
"TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
later, these, or any other new protocol versions, cannot be disabled.
The latest patch levels of Postfix >= 2.6, and all versions of Postfix
>= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
(or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be
disabled, if need be, via "!TLSv1.3".

Example:

    # Preferred syntax with Postfix >= 2.5:
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    # Legacy syntax:
    smtpd_tls_mandatory_protocols = TLSv1

This feature is available in Postfix 2.3 and later.

List of TLS protocols that the Postfix SMTP server will exclude or
include with opportunistic TLS encryption. The default value is
"!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, and
empty for older releases, allowing all protocols to be used with
opportunistic TLS. A non-empty value is a list of protocol names
separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1" and, depending on the Postfix
and OpenSSL versions (see the notes below), "TLSv1.1", "TLSv1.2" and
"TLSv1.3"; names are not case sensitive.
11260
11261 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
11262 "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
11263 of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
11264
11265 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
11266 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
11267 abled, if need be, via "!TLSv1.3".
11268
To include a protocol, list its name; to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the
protocols to include, rather than the protocols to exclude, is
supported but not recommended: the inclusion form silently leaves out
any protocol version that is newer than the ones listed, while the
exclusion form more closely matches the underlying OpenSSL interface
semantics.
11276
11277 Example:
11278 smtpd_tls_protocols = !SSLv2, !SSLv3
11279
11280 This feature is available in Postfix 2.6 and later.
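The protocol-list rules above apply to both smtpd_tls_mandatory_protocols
and smtpd_tls_protocols. The following is an added example (not Postfix
code) that evaluates a protocol list the way the manual describes it, so
the difference between the exclusion form and the legacy inclusion form
can be seen on a library that offers TLSv1.1 through TLSv1.3. It assumes
the set of protocol names shown in ALL_PROTOCOLS, and it treats an unknown
protocol name as a configuration error (an assumption about how Postfix
reacts; the real daemon logs a warning).

```python
"""Evaluate a smtpd_tls_protocols / smtpd_tls_mandatory_protocols value the
way the manual describes it: a name prefixed with "!" is excluded, a bare
name is included, and listing any bare name leaves every unlisted version
disabled.  Added example, not Postfix code."""

import re

# Protocol versions an OpenSSL build may offer, oldest to newest.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Case-insensitive lookup of the canonical spelling.
_CANONICAL = {name.lower(): name for name in ALL_PROTOCOLS}


def _tokens(spec):
    """Split on whitespace, commas or colons, dropping empty pieces."""
    return [t for t in re.split(r"[\s,:]+", spec.strip()) if t]


def enabled_protocols(spec, available=ALL_PROTOCOLS):
    """Return, in version order, the protocols Postfix would accept.

    `available` is what the linked OpenSSL library can negotiate; an empty
    spec enables all of it.  An unknown protocol name is treated as a
    configuration error (assumption: Postfix logs a warning; here we raise).
    """
    include, exclude = set(), set()
    for token in _tokens(spec):
        negate = token.startswith("!")
        name = _CANONICAL.get(token.lstrip("!").lower())
        if name is None:
            raise ValueError("unknown TLS protocol name: %r" % token)
        (exclude if negate else include).add(name)
    # Bare names select exactly those versions; otherwise start from all.
    enabled = set(include) if include else set(available)
    enabled -= exclude
    return tuple(p for p in available if p in enabled)


def unlisted_disabled(spec, available=ALL_PROTOCOLS):
    """Versions the library offers that `spec` disables without naming them.

    Non-empty for the inclusion form (newer versions are lost silently),
    always empty for the exclusion form.
    """
    named = {_CANONICAL.get(t.lstrip("!").lower()) for t in _tokens(spec)}
    enabled = enabled_protocols(spec, available)
    return tuple(p for p in available if p not in enabled and p not in named)


if __name__ == "__main__":
    for spec in ("", "!SSLv2, !SSLv3", "TLSv1", "tlsv1.2:TLSv1.3"):
        print("%-20r enables %s" % (spec, ", ".join(enabled_protocols(spec))))
        lost = unlisted_disabled(spec)
        if lost:
            print("%-20s and silently disables %s" % ("", ", ".join(lost)))
```

Running it shows why the legacy "TLSv1" example is not recommended: on an
OpenSSL that offers TLSv1.2 and TLSv1.3, that setting disables both without
mentioning them, whereas "!SSLv2, !SSLv3" keeps every newer version.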
11281
11283 Request that the Postfix SMTP server produces Received: message head‐
11284 ers that include information about the protocol and cipher used, as
11285 well as the remote SMTP client CommonName and client certificate issuer
11286 CommonName. This is disabled by default, as the information may be
11287 modified in transit through other mail servers. Only information that
11288 was recorded by the final destination can be trusted.
11289
11290 This feature is available in Postfix 2.2 and later.
11291
11293 With mandatory TLS encryption, require a trusted remote SMTP client
11294 certificate in order to allow TLS connections to proceed. This option
11295 implies "smtpd_tls_ask_ccert = yes".
11296
11297 When TLS encryption is optional, this setting is ignored with a warning
11298 written to the mail log.
11299
11300 This feature is available in Postfix 2.2 and later.
11301
11303 The SMTP TLS security level for the Postfix SMTP server; when a
11304 non-empty value is specified, this overrides the obsolete parameters
11305 smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
11306 "smtpd_tls_wrappermode = yes".
11307
11308 Specify one of the following security levels:
11309
11310 none TLS will not be used.
11311
11312 may Opportunistic TLS: announce STARTTLS support to remote SMTP
11313 clients, but do not require that clients use TLS encryption.
11314
11315 encrypt
11316 Mandatory TLS encryption: announce STARTTLS support to remote
11317 SMTP clients, and require that clients use TLS encryption.
According to RFC 2487 (since superseded by RFC 3207) this MUST NOT be
applied in case of a publicly-referenced SMTP server. Instead, this
option should be used only on dedicated servers.
11321
11322 Note 1: the "fingerprint", "verify" and "secure" levels are not sup‐
11323 ported here. The Postfix SMTP server logs a warning and uses "encrypt"
11324 instead. To verify remote SMTP client certificates, see TLS_README for
11325 a discussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and per‐
11326 mit_tls_clientcerts features.
11327
11328 Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
11329 implies "smtpd_tls_auth_only = yes".
11330
11331 Note 3: when invoked via "sendmail -bs", Postfix will never offer
11332 STARTTLS due to insufficient privileges to access the server private
11333 key. This is intended behavior.
11334
11335 This feature is available in Postfix 2.3 and later.
11336
Name of the file containing the optional Postfix SMTP server TLS
session cache. Specify a database type that supports enumeration, such
as btree or sdbm; there is no need to support concurrent access. The
file is created if it does not exist. The smtpd(8) daemon does not use
this parameter directly; rather, the cache is implemented indirectly
in the tlsmgr(8) daemon. This means that per-smtpd-instance master.cf
overrides of this parameter are not effective. Note that each of the
cache databases supported by the tlsmgr(8) daemon
($smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
and, with Postfix 2.3 and later, $lmtp_tls_session_cache_database)
needs to be stored separately. It is not at this time possible to
store multiple caches in a single database.
11350
11351 Note: dbm databases are not suitable. TLS session objects are too
11352 large.
11353
11354 As of version 2.5, Postfix no longer uses root privileges when opening
11355 this file. The file should now be stored under the Postfix-owned
11356 data_directory. As a migration aid, an attempt to open the file under a
11357 non-Postfix directory is redirected to the Postfix-owned data_direc‐
11358 tory, and a warning is logged.
11359
11360 As of Postfix 2.11 the preferred mechanism for session resumption is
11361 RFC 5077 TLS session tickets, which don't require server-side storage.
11362 Consequently, for Postfix >= 2.11 this parameter should generally be
11363 left empty. TLS session tickets require an OpenSSL library (at least
11364 version 0.9.8h) that provides full support for this TLS extension. See
11365 also smtpd_tls_session_cache_timeout.
11366
11367 Example:
11368
11369 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
11370
11371 This feature is available in Postfix 2.2 and later.
11372
11374 The expiration time of Postfix SMTP server TLS session cache informa‐
11375 tion. A cache cleanup is performed periodically every $smtpd_tls_ses‐
11376 sion_cache_timeout seconds. As with $smtpd_tls_session_cache_database,
11377 this parameter is implemented in the tlsmgr(8) daemon and therefore
11378 per-smtpd-instance master.cf overrides are not possible.
11379
11380 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
11381 session caching is disabled, not just via the database, but also via
11382 RFC 5077 TLS session tickets, which don't require server-side storage.
11383 If set to a positive value less than 2 minutes, the minimum value of 2
11384 minutes is used instead. TLS session tickets require an OpenSSL
11385 library (at least version 0.9.8h) that provides full support for this
11386 TLS extension.
11387
11388 This feature is available in Postfix 2.2 and later, and updated for TLS
11389 session ticket support in Postfix 2.11.
11390
11392 Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
11393 of using the STARTTLS command.
11394
If you want to support this service, enable a special port in
master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
server's command line. Port 465 (smtps) was once chosen for this
purpose; RFC 8314 has since recommended it again for mail submission
over implicit TLS.
11398
11399 This feature is available in Postfix 2.2 and later.
11400
11402 The name of the proxy protocol used by an optional before-smtpd proxy
11403 agent. When a proxy agent is used, this protocol conveys local and
11404 remote address and port information. Specify
11405 "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy proto‐
11406 col; version 2 is supported with Postfix 3.5 and later.
11407
11408 NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
11409 with smtpd_authorized_xclient_hosts. This supports SASL authentication
11410 in the proxy agent (Postfix 2.9 and later).
11411
11412 This feature is available in Postfix 2.10 and later.
11413
11415 The time limit for the proxy protocol specified with the
11416 smtpd_upstream_proxy_protocol parameter.
11417
11418 This feature is available in Postfix 2.10 and later.
11419
11421 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
11422 but do not require that clients use TLS encryption.
11423
11424 Note: when invoked via "sendmail -bs", Postfix will never offer START‐
11425 TLS due to insufficient privileges to access the server private key.
11426 This is intended behavior.
11427
11428 This feature is available in Postfix 2.2 and later. With Postfix 2.3
11429 and later use smtpd_tls_security_level instead.
11430
11432 Detect that a message requires SMTPUTF8 support for the specified mail
11433 origin classes. This is a workaround to avoid chicken-and-egg problems
11434 during the initial SMTPUTF8 roll-out in environments with pre-existing
11435 mail flows that contain UTF8. Those mail flows should not break because
11436 Postfix suddenly refuses to deliver such mail to down-stream MTAs that
11437 don't announce SMTPUTF8 support.
11438
11439 The problem is that Postfix cannot rely solely on the sender's declara‐
11440 tion that a message requires SMTPUTF8 support, because UTF8 may be
11441 introduced during local processing (for example, the client hostname in
11442 Postfix's Received: header, adding @$myorigin or .$mydomain to an
11443 incomplete address, address rewriting, alias expansion, automatic BCC
11444 recipients, local forwarding, and changes made by header checks or Mil‐
11445 ter applications).
11446
11447 For now, the default is to enable "SMTPUTF8 required" autodetection
11448 only for Postfix sendmail command-line submissions and address verifi‐
11449 cation probes. This may change once SMTPUTF8 support achieves world
11450 domination. However, sites that add UTF8 content via local processing
11451 (see above) should autodetect the need for SMTPUTF8 support for all
11452 email.
11453
11454 Specify one or more of the following:
11455
11456 sendmail
11457 Submission with the Postfix sendmail(1) command.
11458
11459 smtpd Mail received with the smtpd(8) daemon.
11460
11461 qmqpd Mail received with the qmqpd(8) daemon.
11462
11463 forward
11464 Local forwarding or aliasing. When a message is received with
11465 "SMTPUTF8 required", then the forwarded (aliased) message always
11466 has "SMTPUTF8 required".
11467
11468 bounce
11469 Submission by the bounce(8) daemon. When a message is received
11470 with "SMTPUTF8 required", then the delivery status notification
11471 always has "SMTPUTF8 required".
11472
11473 notify
11474 Postmaster notification from the smtp(8) or smtpd(8) daemon.
11475
11476 verify
11477 Address verification probe from the verify(8) daemon.
11478
11479 all Enable SMTPUTF8 autodetection for all mail.
11480
11481 This feature is available in Postfix 3.0 and later.
11482
11484 Enable preliminary SMTPUTF8 support for the protocols described in RFC
11485 6531..6533. This requires that Postfix is built to support these proto‐
11486 cols.
11487
11488 This feature is available in Postfix 3.0 and later.
11489
11491 Safety net to keep mail queued that would otherwise be returned to the
11492 sender. This parameter disables locally-generated bounces, changes the
11493 handling of negative responses from remote servers, content filters or
11494 plugins, and prevents the Postfix SMTP server from rejecting mail per‐
11495 manently by changing 5xx reply codes into 4xx. However, soft_bounce is
11496 no cure for address rewriting mistakes or mail routing mistakes.
11497
11498 Note: "soft_bounce = yes" is in some cases implemented by modifying
11499 server responses. Therefore, the response that Postfix logs may differ
11500 from the response that Postfix actually sends or receives.
11501
11502 Example:
11503
11504 soft_bounce = yes
11505
11507 The time after which a stale exclusive mailbox lockfile is removed.
11508 This is used for delivery to file or mailbox.
11509
11510 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
11511 The default time unit is s (seconds).
11512
11514 This feature is documented in the STRESS_README document.
11515
11516 This feature is available in Postfix 2.5 and later.
11517
11519 Reject mail with 8-bit text in message headers. This blocks mail from
11520 poorly written applications.
11521
11522 This feature should not be enabled on a general purpose mail server,
11523 because it is likely to reject legitimate email.
11524
11525 This feature is available in Postfix 2.0 and later.
11526
11528 Enable both strict_7bit_headers and strict_8bitmime_body.
11529
11530 This feature should not be enabled on a general purpose mail server,
11531 because it is likely to reject legitimate email.
11532
11533 This feature is available in Postfix 2.0 and later.
11534
11536 Reject 8-bit message body text without 8-bit MIME content encoding
11537 information. This blocks mail from poorly written applications.
11538
11539 Unfortunately, this also rejects majordomo approval requests when the
11540 included request contains valid 8-bit MIME mail, and it rejects bounces
11541 from mailers that do not MIME encapsulate 8-bit content (for example,
11542 bounces from qmail or from old versions of Postfix).
11543
11544 This feature should not be enabled on a general purpose mail server,
11545 because it is likely to reject legitimate email.
11546
11547 This feature is available in Postfix 2.0 and later.
11548
11550 Defer delivery when a mailbox file is not owned by its recipient. The
11551 default setting is not backwards compatible.
11552
11553 This feature is available in Postfix 2.5.3 and later.
11554
11556 Reject mail with invalid Content-Transfer-Encoding: information for the
11557 message/* or multipart/* MIME content types. This blocks mail from
11558 poorly written software.
11559
11560 This feature should not be enabled on a general purpose mail server,
11561 because it will reject mail after a single violation.
11562
11563 This feature is available in Postfix 2.0 and later.
11564
11566 Require that addresses received in SMTP MAIL FROM and RCPT TO commands
11567 are enclosed with <>, and that those addresses do not contain RFC 822
11568 style comments or phrases. This stops mail from poorly written soft‐
11569 ware.
11570
11571 By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
11572 and RCPT TO addresses.
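The strict envelope setting described above (strict_rfc821_envelopes in
Postfix) is about one thing: which spellings of the MAIL FROM / RCPT TO
argument the server is willing to parse. The following is an added example,
not Postfix code, that parses the argument both ways: strictly (bracketed
address only, no RFC 822 comments or phrases) and leniently (the default,
which digs the address out of RFC 822 syntax). It simplifies two things that
are assumptions about scope rather than Postfix behaviour: quoted-string
local parts are not special-cased, and ESMTP parameters are only checked
for KEYWORD[=value] shape.

```python
"""Parse the argument of an SMTP MAIL FROM / RCPT TO command the two ways
the manual contrasts: strictly (the address must be enclosed in <> and may
carry no RFC 822 comments or phrases) and leniently (the default, which
extracts the address from RFC 822 syntax).  Added example, not Postfix
code; quoted-string local parts are deliberately not special-cased."""

import re

# ESMTP parameter: KEYWORD[=value], value without '=' or whitespace.
_PARAM_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*(=[\x21-\x3c\x3e-\x7e]+)?$")


class EnvelopeSyntaxError(ValueError):
    """Where Postfix would answer 501 with a bad-address-syntax reply."""


def _strip_comments(text):
    """Remove RFC 822 comments, which may nest: 'a (b (c)) d' -> 'a  d'."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                raise EnvelopeSyntaxError("unbalanced ')'")
            depth -= 1
        elif depth == 0:
            out.append(ch)
    if depth:
        raise EnvelopeSyntaxError("unterminated comment")
    return "".join(out)


def _bracketed(text, start):
    """Split text at the '>' closing the '<' at text[start]."""
    close = text.find(">", start)
    if close < 0:
        raise EnvelopeSyntaxError("missing '>'")
    return text[start + 1:close], text[close + 1:]


def parse_envelope(arg, strict, allow_empty=True):
    """Return (address, esmtp_params) for the text after 'MAIL FROM:' or
    'RCPT TO:'.  allow_empty admits the null sender '<>' (MAIL FROM only)."""
    text = arg.strip()
    if text.startswith("<"):
        address, rest = _bracketed(text, 0)
        if strict and ("(" in address or any(c.isspace() for c in address)):
            raise EnvelopeSyntaxError("RFC 822 comment or phrase inside <>")
    elif strict:
        raise EnvelopeSyntaxError("address must be enclosed in <>")
    else:
        # Lenient: drop comments, then accept 'Phrase <addr>' or bare 'addr'.
        cleaned = _strip_comments(text)
        lt = cleaned.find("<")
        if lt >= 0:
            address, rest = _bracketed(cleaned, lt)
        else:
            parts = cleaned.split(None, 1)
            address = parts[0] if parts else ""
            rest = parts[1] if len(parts) > 1 else ""
    if not strict:
        address = _strip_comments(address)
    address = address.strip()
    if not address and not allow_empty:
        raise EnvelopeSyntaxError("empty address")
    if address and ("@" not in address or any(c.isspace() for c in address)):
        raise EnvelopeSyntaxError("malformed address %r" % address)
    params = rest.split()
    bad = [p for p in params if not _PARAM_RE.match(p)]
    if bad:
        raise EnvelopeSyntaxError("bad ESMTP parameter %r" % bad[0])
    return address, params


def accepted(arg, strict):
    """True if the argument parses under the given mode, else False."""
    try:
        parse_envelope(arg, strict)
        return True
    except EnvelopeSyntaxError:
        return False


if __name__ == "__main__":
    for arg in ("<user@example.com> SIZE=1234", "<>", "user@example.com",
                "John Doe <user@example.com>", "<user@example.com (home)>"):
        print("%-32r strict=%-5s lenient=%s"
              % (arg, accepted(arg, True), accepted(arg, False)))
```

The sample run makes the trade-off visible: every argument that the strict
parser accepts is also accepted leniently, but the lenient parser admits
phrases and comments from clients that never read RFC 821, which is exactly
what the default setting is there to tolerate.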
11573
11575 Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix SMTP
11576 server accepts UTF8 sender or recipient addresses only when the client
11577 requests an SMTPUTF8 mail transaction.
11578
11579 This feature is available in Postfix 3.0 and later.
11580
11582 Obsolete SUN mailtool compatibility feature. Instead, use "mail‐
11583 box_delivery_lock = dotlock".
11584
11586 Enable the rewriting of "site!user" into "user@site". This is neces‐
11587 sary if your machine is connected to UUCP networks. It is enabled by
11588 default.
11589
11590 Note: with Postfix version 2.2, message header address rewriting hap‐
11591 pens only when one of the following conditions is true:
11592
11593 · The message is received with the Postfix sendmail(1) command,
11594
11595 · The message is received from a network client that matches
11596 $local_header_rewrite_clients,
11597
11598 · The message is received from the network, and the
11599 remote_header_rewrite_domain parameter specifies a non-empty
11600 value.
11601
11602 To get the behavior before Postfix version 2.2, specify
11603 "local_header_rewrite_clients = static:all".
11604
11605 Example:
11606
11607 swap_bangpath = no
11608
11610 The syslog facility of Postfix logging. Specify a facility as defined
11611 in syslog.conf(5). The default facility is "mail".
11612
11613 Warning: a non-default syslog_facility setting takes effect only after
11614 a Postfix process has completed initialization. Errors during process
11615 initialization will be logged with the default facility. Examples are
11616 errors while parsing the command line arguments, and errors while
11617 accessing the Postfix main.cf configuration file.
11618
11620 A prefix that is prepended to the process name in syslog records, so
11621 that, for example, "smtpd" becomes "prefix/smtpd".
11622
11623 Warning: a non-default syslog_name setting takes effect only after a
11624 Postfix process has completed initialization. Errors during process
11625 initialization will be logged with the default name. Examples are
11626 errors while parsing the command line arguments, and errors while
11627 accessing the Postfix main.cf configuration file.
11628
11630 An optional workaround for routers that break TCP window scaling.
11631 Specify a value > 0 and < 65536 to enable this feature. With Postfix
11632 TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
11633 Postfix master(8) daemon.
11634
11635 To change this parameter without stopping Postfix, you need to first
11636 terminate all Postfix TCP servers:
11637
11638 # postconf -e master_service_disable=inet
11639 # postfix reload
11640
11641 This immediately terminates all processes that accept network connec‐
11642 tions. Next, you enable Postfix TCP servers with the updated tcp_win‐
11643 dowsize setting:
11644
11645 # postconf -e tcp_windowsize=65535 master_service_disable=
11646 # postfix reload
11647
11648 If you skip these steps with a running Postfix system, then the
11649 tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
11650 lmtp(8)).
11651
11652 This feature is available in Postfix 2.6 and later.
11653
11655 Append the system-supplied default Certification Authority certificates
11656 to the ones specified with *_tls_CApath or *_tls_CAfile. The default
11657 is "no"; this prevents Postfix from trusting third-party certificates
11658 and giving them relay permission with permit_tls_all_clientcerts.
11659
11660 This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
11661 later versions. Specify "tls_append_default_CA = yes" for backwards
11662 compatibility, to avoid breaking certificate verification with sites
11663 that don't use permit_tls_all_clientcerts.
11664
The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
requests from the tlsmgr(8) server in order to seed its internal
pseudo-random number generator (PRNG). The default of 32 bytes
(equivalent to 256 bits) is sufficient to generate a 128-bit (or
168-bit) session key.
11670
11671 This feature is available in Postfix 2.2 and later.
11672
11674 Configure RFC7671 DANE TLSA digest algorithm agility. Do not change
11675 this setting from its default value.
11676
11677 See Section 8 of RFC7671 for correct key rotation procedures.
11678
11679 This feature is available in Postfix 2.11 through 3.1. Postfix 3.2 and
11680 later ignore this configuration parameter and behave as though it were
11681 set to "on".
11682
11684 DANE TLSA (RFC 6698, RFC 7671, RFC 7672) resource-record "matching
11685 type" digest algorithms in descending preference order. All the speci‐
11686 fied algorithms must be supported by the underlying OpenSSL library,
11687 otherwise the Postfix SMTP client will not support DANE TLSA security.
11688
Specify a list of digest names separated by commas and/or whitespace.
Each digest name may be followed by an optional "=<number>" suffix.
For example, "sha512" may instead be specified as "sha512=2" and
"sha256" may instead be specified as "sha256=1". The optional number
must match the IANA-assigned TLSA matching type number for the
algorithm in question (https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types).
Postfix will check this constraint for the algorithms it knows about.
Additional matching type algorithms registered with IANA can be added
with explicit numbers, provided they are supported by OpenSSL.
11699
11700 Invalid list elements are logged with a warning and disable DANE sup‐
11701 port. TLSA RRs that specify digests not included in the list are
11702 ignored with a warning.
11703
Note: It is unwise to omit sha256 from the digest list. This digest
algorithm is the only mandatory-to-implement digest algorithm in RFC
6698, and many servers are expected to publish TLSA records with just
sha256 digests. Unless one of the standard digests is seriously
compromised and servers have had ample time to update their TLSA
records, you should not omit any standard digests; just arrange them in
order from strongest to weakest.
11711
11712 This feature is available in Postfix 2.11 and later.
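The digest-list parameter above (tls_dane_digests in Postfix) has three
documented effects: the "=<number>" suffix must agree with the IANA matching
type for algorithms Postfix knows, an invalid element disables DANE, and
TLSA records whose matching type is not listed are ignored. The following
is an added example, not Postfix code, that implements those rules and then
applies the resulting list to a constructed TLSA RRset against constructed
certificate bytes. It assumes Python's hashlib in place of OpenSSL for the
"supported by the library" check, uses made-up byte strings for the
certificate and SubjectPublicKeyInfo, and folds in one further Postfix
fact the passage does not state, namely that only the DANE-TA(2) and
DANE-EE(3) certificate usages are used.

```python
"""Parse a tls_dane_digests value and use it to decide which TLSA records a
DANE client may rely on: list elements are digest names with an optional
'=<IANA matching type>' suffix, an invalid element disables DANE, and TLSA
RRs whose matching type is not listed are ignored.  Added example, not
Postfix code; the certificate bytes and TLSA records are constructed."""

import hashlib
import re

# IANA TLSA matching types Postfix knows about (RFC 6698 section 2.1.3).
IANA_MATCHING_TYPES = {"sha256": 1, "sha512": 2}
FULL_MATCH = 0  # matching type 0: the RR carries the full data, no digest


class DaneDigestError(ValueError):
    """Invalid digest list element; Postfix logs a warning and disables DANE."""


def parse_dane_digests(spec):
    """Return [(digest_name, matching_type), ...] in preference order."""
    result = []
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        name, _, number = token.lower().partition("=")
        known = IANA_MATCHING_TYPES.get(name)
        if number:
            if not number.isdigit():
                raise DaneDigestError("bad matching type in %r" % token)
            mtype = int(number)
            if known is not None and mtype != known:
                raise DaneDigestError("%s is matching type %d, not %d"
                                      % (name, known, mtype))
        elif known is None:
            raise DaneDigestError("unknown digest %r needs =<number>" % name)
        else:
            mtype = known
        # Stand-in for "supported by the underlying OpenSSL library".
        if name not in hashlib.algorithms_available:
            raise DaneDigestError("digest %r not supported here" % name)
        result.append((name, mtype))
    return result


def dane_enabled(spec):
    """False where an invalid list element would disable DANE support."""
    try:
        parse_dane_digests(spec)
        return True
    except DaneDigestError:
        return False


def usable_tlsa(rrset, digests):
    """Split TLSA RRs (usage, selector, matching_type, data) into those the
    client can use and those it ignores: only DANE-TA(2)/DANE-EE(3) usages,
    and only matching type 0 or a type present in the digest list."""
    allowed = {FULL_MATCH} | {mtype for _, mtype in digests}
    kept, ignored = [], []
    for rr in rrset:
        usage, _, mtype, _ = rr
        (kept if usage in (2, 3) and mtype in allowed else ignored).append(rr)
    return kept, ignored


def tlsa_matches(rr, cert_der, spki_der, digests):
    """True if the RR matches the peer certificate (selector 0) or its
    SubjectPublicKeyInfo (selector 1) under the configured digests."""
    _, selector, mtype, data = rr
    subject = cert_der if selector == 0 else spki_der
    if mtype == FULL_MATCH:
        return data == subject
    for name, number in digests:
        if number == mtype:
            return hashlib.new(name, subject).digest() == data
    return False


# Constructed stand-ins for the peer's DER certificate and its SPKI.
CERT_DER = b"constructed certificate DER bytes, not a real certificate"
SPKI_DER = b"constructed SubjectPublicKeyInfo bytes"


def demo(spec="sha512 sha256"):
    """Apply a digest list to a constructed TLSA RRset; returns the counts
    (usable records, ignored records, records matching the peer)."""
    digests = parse_dane_digests(spec)
    rrset = [
        (3, 1, 1, hashlib.sha256(SPKI_DER).digest()),  # DANE-EE, SPKI, sha256
        (3, 0, 2, hashlib.sha512(CERT_DER).digest()),  # DANE-EE, cert, sha512
        (3, 1, 0, SPKI_DER),                           # DANE-EE, SPKI, full
        (3, 1, 9, bytes(32)),                          # unassigned type: ignored
        (1, 0, 1, hashlib.sha256(CERT_DER).digest()),  # PKIX-EE: unused
    ]
    kept, ignored = usable_tlsa(rrset, digests)
    matched = [rr for rr in kept if tlsa_matches(rr, CERT_DER, SPKI_DER, digests)]
    return len(kept), len(ignored), len(matched)


if __name__ == "__main__":
    print("sha512 sha256 ->", demo())
    print("sha256 only   ->", demo("sha256"))
    print("sha256=2      -> DANE enabled:", dane_enabled("sha256=2"))
```

Dropping sha512 from the list makes the sha512 record unusable, which is the
manual's point about ordering rather than omitting standard digests, and a
single wrong suffix such as "sha256=2" switches DANE off entirely.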
11713
11715 Enable support for RFC 6698 (DANE TLSA) DNS records that contain
11716 digests of trust-anchors with certificate usage "2". Do not change
11717 this setting from its default value.
11718
This feature is available in Postfix 2.11 through 3.1. It has been
withdrawn in Postfix 3.2, as trust-anchor TLSA records are now widely
used and have proved sufficiently reliable. Postfix 3.2 and later
ignore this configuration parameter and behave as though it were set
to "yes".
11724
11726 List or bit-mask of OpenSSL bug work-arounds to disable.
11727
11728 The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS
11729 implementations. Applications, such as Postfix, that want to maximize
11730 interoperability ask the OpenSSL library to enable the full set of rec‐
11731 ommended work-arounds.
11732
11733 From time to time, it is discovered that a work-around creates a secu‐
11734 rity issue, and should no longer be used. If upgrading OpenSSL to a
11735 fixed version is not an option or an upgrade is not available in a
11736 timely manner, or in closed environments where no buggy clients or
11737 servers exist, it may be appropriate to disable some or all of the
11738 OpenSSL interoperability work-arounds. This parameter specifies which
11739 bug work-arounds to disable.
11740
11741 If the value of the parameter is a hexadecimal long integer starting
11742 with "0x", the bug work-arounds corresponding to the bits specified in
11743 its value are removed from the SSL_OP_ALL work-around bit-mask (see
11744 openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more bits
11745 than are present in SSL_OP_ALL, excess bits are ignored. Specifying
11746 0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
11747 also be sufficient on 64-bit systems, until OpenSSL abandons support
11748 for 32-bit systems and starts using the high 32 bits of a 64-bit
11749 bug-workaround mask.
11750
Otherwise, the parameter is a white-space or comma separated list of
specific named bug work-arounds chosen from the list below. It is
possible that your OpenSSL version includes new bug work-arounds added
after your Postfix source code was last updated; in that case you can
only disable one of these via the hexadecimal syntax above.
11756
11757 CRYPTOPRO_TLSEXT_BUG
11758 New with GOST support in OpenSSL 1.0.0.
11759
11760 DONT_INSERT_EMPTY_FRAGMENTS
11761 See SSL_CTX_set_options(3)
11762
11763 LEGACY_SERVER_CONNECT
11764 See SSL_CTX_set_options(3)
11765
11766 MICROSOFT_BIG_SSLV3_BUFFER
11767 See SSL_CTX_set_options(3)
11768
11769 MICROSOFT_SESS_ID_BUG
11770 See SSL_CTX_set_options(3)
11771
11772 MSIE_SSLV2_RSA_PADDING
11773 also aliased as CVE-2005-2969. Postfix 2.8 disables this
11774 work-around by default with OpenSSL versions that may predate
11775 the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
11776
11777 NETSCAPE_CHALLENGE_BUG
11778 See SSL_CTX_set_options(3)
11779
11780 NETSCAPE_REUSE_CIPHER_CHANGE_BUG
11781 also aliased as CVE-2010-4180. Postfix 2.8 disables this
11782 work-around by default with OpenSSL versions that may predate
11783 the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.
11784
11785 SSLEAY_080_CLIENT_DH_BUG
11786 See SSL_CTX_set_options(3)
11787
11788 SSLREF2_REUSE_CERT_TYPE_BUG
11789 See SSL_CTX_set_options(3)
11790
11791 TLS_BLOCK_PADDING_BUG
11792 See SSL_CTX_set_options(3)
11793
11794 TLS_D5_BUG
11795 See SSL_CTX_set_options(3)
11796
11797 TLS_ROLLBACK_BUG
11798 See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7
11799 and later. Nobody should still be using 0.9.6!
11800
11801 TLSEXT_PADDING
11802 Postfix >= 3.4. See SSL_CTX_set_options(3).
11803
11804 This feature is available in Postfix 2.8 and later.
11805
The prioritized list of elliptic curves supported by the Postfix SMTP
client and server. These curves are used by the Postfix SMTP server
when "smtpd_tls_eecdh_grade = auto". The selected curves must be
implemented by OpenSSL and be standardized for use in TLS (RFC 4492 or
its successor, RFC 8422). It is unwise to list only "bleeding-edge"
curves supported by a small subset of clients. The default list is
suitable for most users.
11814
Postfix skips curve names that are unknown to OpenSSL, or that are
known but not yet implemented. This makes it possible to "anticipate"
support for curves that should be used once they become available. In
particular, in some OpenSSL versions, the RFC 7748 curves "X25519" and
"X448" (standardized for TLS in RFC 8422) may be known by name, but
ECDH support for either or both may be missing. These curves may appear
in the default value of this parameter, even though they'll only be
usable with later versions of OpenSSL.
11823
11824 This feature is available in Postfix 3.2 and later, when it is compiled
11825 and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
11826 have not been disabled by the vendor.
11827
11829 The elliptic curve used by the Postfix SMTP server for sensibly strong
11830 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
11831 server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
11832 strong" means approximately 128-bit security based on best known
11833 attacks. The selected curve must be implemented by OpenSSL (as reported
11834 by ecparam(1) with the "-list_curves" option) and be one of the curves
11835 listed in Section 5.1.1 of RFC 4492. You should not generally change
11836 this setting. Remote SMTP client implementations must support this
curve for EECDH key exchange to take place. It is unwise to choose a
"bleeding-edge" curve supported by only a small subset of clients.
11839
11840 The default "strong" curve is rated in NSA Suite B for information
11841 classified up to SECRET.
11842
11843 Note: elliptic curve names are poorly standardized; different standards
11844 groups are assigning different names to the same underlying curves.
11845 The curve with the X9.62 name "prime256v1" is also known under the SECG
11846 name "secp256r1", but OpenSSL does not recognize the latter name.
11847
11848 If you want to take maximal advantage of ciphers that offer forward
11849 secrecy see the Getting started section of FORWARD_SECRECY_README. The
11850 full document conveniently presents all information about Postfix "per‐
11851 fect" forward secrecy support in one place: what forward secrecy is,
11852 how to tweak settings, and what you can expect to see when Postfix uses
11853 ciphers with forward secrecy.
11854
11855 This feature is available in Postfix 2.6 and later, when it is compiled
11856 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11857 have not been disabled by the vendor.
11858
11860 The elliptic curve used by the Postfix SMTP server for maximally strong
11861 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
11862 server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally
11863 strong" means approximately 192-bit security based on best known
attacks. This additional strength comes at a significant computational
cost; most users should instead set "smtpd_tls_eecdh_grade = strong".
11866 The selected curve must be implemented by OpenSSL (as reported by
11867 ecparam(1) with the "-list_curves" option) and be one of the curves
11868 listed in Section 5.1.1 of RFC 4492. You should not generally change
11869 this setting.
11870
The default "ultra" curve is rated in NSA Suite B for information
classified up to TOP SECRET.
11873
11874 If you want to take maximal advantage of ciphers that offer forward
11875 secrecy see the Getting started section of FORWARD_SECRECY_README. The
11876 full document conveniently presents all information about Postfix "per‐
11877 fect" forward secrecy support in one place: what forward secrecy is,
11878 how to tweak settings, and what you can expect to see when Postfix uses
11879 ciphers with forward secrecy.
11880
11881 This feature is available in Postfix 2.6 and later, when it is compiled
11882 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11883 have not been disabled by the vendor.
11884
11886 The OpenSSL cipherlist for "export" or higher grade ciphers. This
11887 defines the meaning of the "export" setting in smtpd_tls_ciphers,
11888 smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_manda‐
11889 tory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. With
11890 Postfix releases before the middle of 2015 this is the default
11891 cipherlist for the opportunistic ("may") TLS client security level and
11892 also the default cipherlist for the SMTP server. You are strongly
11893 encouraged to not change this setting.
11894
11895 This feature is available in Postfix 2.3 and later.
11896
A workaround for implementations that hang Postfix while shutting down
a TLS session, until Postfix times out. With this enabled, Postfix
will not wait for the remote TLS peer to respond to a TLS "close"
notification (the close_notify alert).
11901
11903 The OpenSSL cipherlist for "high" grade ciphers. This defines the mean‐
11904 ing of the "high" setting in smtpd_tls_ciphers, smtpd_tls_manda‐
11905 tory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
11906 lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
11907 encouraged to not change this setting.
11908
11909 This feature is available in Postfix 2.3 and later.
11910
11912 A temporary migration aid for sites that use certificate public-key
11913 fingerprints with Postfix 2.9.0..2.9.5, which use an incorrect algo‐
11914 rithm. This parameter has no effect on the certificate fingerprint sup‐
11915 port that is available since Postfix 2.2.
11916
Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
a migration from configuration files with incorrect Postfix
2.9.0..2.9.5 certificate public-key fingerprints, to the correct
fingerprints used by Postfix 2.9.6 and later. To compute the correct
certificate public-key fingerprints, see TLS_README.
11922
11923 This feature is available in Postfix 2.9.6 and later.
11924
11926 The OpenSSL cipherlist for "low" or higher grade ciphers. This defines
11927 the meaning of the "low" setting in smtpd_tls_ciphers, smtpd_tls_manda‐
11928 tory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
11929 lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
11930 encouraged to not change this setting.
11931
11932 This feature is available in Postfix 2.3 and later.
11933
11935 The OpenSSL cipherlist for "medium" or higher grade ciphers. This
11936 defines the meaning of the "medium" setting in smtpd_tls_ciphers,
11937 smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_manda‐
11938 tory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. This
11939 is the default cipherlist for mandatory TLS encryption in the TLS
11940 client (with anonymous ciphers disabled when verifying server certifi‐
11941 cates). This is the default cipherlist for opportunistic TLS with
11942 Postfix releases after the middle of 2015. You are strongly encouraged
11943 to not change this setting.
11944
11945 This feature is available in Postfix 2.3 and later.
11946
11948 The OpenSSL cipherlist for "NULL" grade ciphers that provide
11949 authentication without encryption. This defines the meaning of the
11950 "null" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers
11951 and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change
11952 this setting.
11953
11954 This feature is available in Postfix 2.3 and later.
11955
11957 With SSLv3 and later, use the Postfix SMTP server's cipher preference
11958 order instead of the remote client's cipher preference order.
11959
11960 By default, the OpenSSL server selects the client's most preferred
11961 cipher that the server supports. With SSLv3 and later, the server may
11962 choose its own most preferred cipher that is supported (offered) by the
11963 client. Setting "tls_preempt_cipherlist = yes" enables server cipher
11964 preferences.
11965
11966 While server cipher selection may in some cases lead to a more secure
11967 or performant cipher choice, there is some risk of interoperability
11968 issues. In the past, some SSL clients have listed lower priority
11969 ciphers that they did not implement correctly. If the server chooses a
11970 cipher that the client prefers less, it may select a cipher whose
11971 client implementation is flawed. Most notably Windows 2003 Microsoft
11972 Exchange servers have flawed implementations of DES-CBC3-SHA, which
11973 OpenSSL considers stronger than RC4-SHA. Enabling server cipher-suite
11974 selection may create interoperability issues with Windows 2003 Micro‐
11975 soft Exchange clients.
11976
11977 This feature is available in Postfix 2.8 and later, in combination with
11978 OpenSSL 0.9.7 and later.
11979
11981 The number of bytes that tlsmgr(8) reads from $tls_random_source when
11982 (re)seeding the in-memory pseudo random number generator (PRNG) pool.
11983 The default of 32 bytes (256 bits) is good enough for 128-bit symmetric
11984 keys. If using EGD or a device file, a maximum of 255 bytes is read.
11985
11986 This feature is available in Postfix 2.2 and later.
11987
11989 Name of the pseudo random number generator (PRNG) state file that is
11990 maintained by tlsmgr(8). The file is created when it does not exist,
11991 and its length is fixed at 1024 bytes.
11992
11993 As of version 2.5, Postfix no longer uses root privileges when opening
11994 this file, and the default file location was changed from ${con‐
11995 fig_directory}/prng_exch to ${data_directory}/prng_exch. As a migra‐
11996 tion aid, an attempt to open the file under a non-Postfix directory is
11997 redirected to the Postfix-owned data_directory, and a warning is
11998 logged.
11999
12000 This feature is available in Postfix 2.2 and later.
12001
12003 The time between attempts by tlsmgr(8) to save the state of the pseudo
12004 random number generator (PRNG) to the file specified with $tls_ran‐
12005 dom_exchange_name.
12006
12007 This feature is available in Postfix 2.2 and later.
12008
12010 The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
12011 pseudo random number generator (PRNG) pool from external sources. The
12012 actual time between re-seeding attempts is calculated using the PRNG,
12013 and is between 0 and the time specified.
12014
12015 This feature is available in Postfix 2.2 and later.
12016
12018 The external entropy source for the in-memory tlsmgr(8) pseudo random
12019 number generator (PRNG) pool. Be sure to specify a non-blocking source.
12020 If this source is not a regular file, the entropy source type must be
12021 prepended: egd:/path/to/egd_socket for a source with EGD compatible
12022 socket interface, or dev:/path/to/device for a device file.
12023
12024 Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives
12025 timeout errors.
12026
12027 This feature is available in Postfix 2.2 and later.
12028
12030 Optional lookup tables that map names received from remote SMTP clients
12031 via the TLS Server Name Indication (SNI) extension to the appropriate
12032 keys and certificate chains. This parameter is implemented in the
12033 Postfix TLS library, and applies to both smtpd(8) and the SMTP server
12034 mode of tlsproxy(8).
12035
12036 When this parameter is non-empty, the Postfix SMTP server enables SNI
12037 extension processing, and logs SNI values that are invalid or don't
12038 match an entry in the specified tables. When an entry does match,
12039 the SNI name is logged as part of the connection summary at log levels
12040 1 and higher.
12041
12042 The lookup key is either the verbatim SNI domain name or an ancestor
12043 domain prefixed with a leading dot. For internationalized domains, the
12044 lookup key must be in IDNA 2008 A-label form (as required in the TLS
12045 SNI extension).
12046
12047 The syntax of the lookup value is the same as with the
12048 smtp_tls_chain_files parameter (see there for additional details), but
12049 here scoped to just TLS connections in which the client sends a match‐
12050 ing SNI domain name.
12051
12052 Example:
12053
12054 /etc/postfix/main.cf:
12055 #
12056 # The indexed SNI table must be created with "postmap -F"
12057 #
12058 indexed = ${default_database_type}:${config_directory}/
12059 tls_server_sni_maps = ${indexed}sni
12060
12061 /etc/postfix/sni:
12062 #
12063 # The example.com domain has both an RSA and ECDSA certificate
12064 # chain. The chain files MUST start with the private key,
12065 # with the certificate chain next, starting with the leaf
12066 # (server) certificate, and then the issuer certificates.
12067 #
12068 example.com /etc/postfix/sni-chains/rsa2048.example.com.pem,
12069 /etc/postfix/sni-chains/ecdsa-p256.example.com.pem
12070 #
12071 # The example.net domain has a wildcard certificate, and two
12072 # additional DNS names. So its certificate chain is also used
12073 # with any subdomain, plus the additional names.
12074 #
12075 example.net /etc/postfix/sni-chains/example.net.pem
12076 .example.net /etc/postfix/sni-chains/example.net.pem
12077 example.info /etc/postfix/sni-chains/example.net.pem
12078 example.org /etc/postfix/sni-chains/example.net.pem
12079
12080 Note that the SNI lookup tables should also have entries for the
12081 domains that correspond to the Postfix SMTP server's default certifi‐
12082 cate(s). This ensures that the remote SMTP client's TLS SNI extension
12083 gets a positive response when it specifies one of the Postfix SMTP
12084 server's default domains, and ensures that the Postfix SMTP server will
12085 not log an SNI name mismatch for such a domain. The Postfix SMTP
12086 server's default certificates are then only used when the client sends
12087 no SNI or when it sends SNI with a domain that the server knows no cer‐
12088 tificate(s) for.
12089
12090 The mapping from an SNI domain name to a certificate chain is indirect.
12091 In the input source files for "cdb", "hash", "btree" or other tables
12092 that are converted to on-disk indexed files via postmap(1), the value
12093 specified for each key is a list of filenames. When postmap(1) is used
12094 with the -F option, the generated table stores for each lookup key the
12095 base64-encoded contents of the associated files. When querying tables
12096 via postmap -Fq, the table value is decoded from base64, yielding the
12097 original file content, plus a new line.
12098
12099 With "regexp", "pcre", "inline", "texthash", "static" and similar
12100 tables that are interpreted at run-time, and don't have a separate
12101 source format, the table value is again a list of files that are loaded
12102 into memory when the table is opened.
12103
12104 With tables whose content is managed outside of Postfix, such as LDAP,
12105 MySQL, PostgreSQL, socketmap and tcp, the value must be a concatenation
12106 of the desired PEM keys and certificate chains, that is then further
12107 encoded to yield a single-line base64 string. Creation of such tables
12108 and secure storage (the value includes private key material) are out‐
12109 side the responsibility of Postfix.
12110
12111 With "socketmap" and "tcp" the data will be transmitted in the clear,
12112 and there is no query access control, so these are generally unsuitable
12113 for storing SNI chains. With LDAP and SQL, you should restrict read
12114 access and use TLS to protect the sensitive data in transit.
12115
12116 Typically there is only one private key and its chain of certificates
12117 starting with the "leaf" certificate corresponding to that key, and
12118 continuing with the appropriate intermediate issuer CA certificates,
12119 with each certificate ideally followed by its issuer. Servers that
12120 have keys and certificates for more than one algorithm (e.g. both an
12121 RSA key and an ECDSA key, or even RSA, ECDSA and Ed25519) can use mul‐
12122 tiple chains concatenated together, with the key always listed before
12123 the corresponding certificates.
12124
12125 This feature is available in Postfix 3.4 and later.
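
The lookup order and value format described above, as an added Python example that is not part of the Postfix man page or the Postfix source: sni_lookup() tries the verbatim name and then each ancestor domain with a leading dot, check_chain_order() verifies that a chain value starts with a private key and that every key is followed by certificates, and encode_chain_value() produces the single-line base64 form that externally managed tables must store. The PEM bodies are constructed placeholders, and SNI names are assumed to be supplied already in lowercase A-label form.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed PEM stand-ins: the bodies are placeholders, not real key or
# certificate material, so only the block layout is exercised here.
RSA_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "cGxhY2Vob2xkZXIga2V5\n"
    "-----END PRIVATE KEY-----\n"
)
LEAF_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "cGxhY2Vob2xkZXIgbGVhZg==\n"
    "-----END CERTIFICATE-----\n"
)
ISSUER_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "cGxhY2Vob2xkZXIgaXNzdWVy\n"
    "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----\n?", re.S)


def encode_chain_value(*pem_parts: str) -> str:
    """Concatenate PEM keys and chains and base64-encode them into the
    single-line value that LDAP/SQL-backed tables must store (the same
    form that "postmap -F" stores for indexed tables)."""
    return base64.b64encode("".join(pem_parts).encode()).decode()


def decode_chain_value(value: str) -> str:
    """Reverse of encode_chain_value(): the original PEM text."""
    return base64.b64decode(value).decode()


def check_chain_order(pem_text: str) -> List[str]:
    """Return the problems found in a chain value's block layout.

    Required layout: a private key first, then its certificates (leaf, then
    issuers); several chains (e.g. RSA and ECDSA) may follow one another,
    each key before its own certificates.  Leaf-before-issuer order within
    the certificates is not verified here (that needs DER parsing).
    """
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    problems: List[str] = []
    if not labels:
        return ["no PEM blocks found"]
    if "PRIVATE KEY" not in labels[0]:
        problems.append("value must start with a private key, not " + labels[0])
    certs_after_key: Optional[int] = None
    for label in labels:
        if "PRIVATE KEY" in label:
            if certs_after_key == 0:
                problems.append("private key not followed by a certificate")
            certs_after_key = 0
        elif label == "CERTIFICATE":
            if certs_after_key is not None:
                certs_after_key += 1
        else:
            problems.append("unexpected PEM block: " + label)
    if certs_after_key == 0:
        problems.append("last private key not followed by a certificate")
    return problems


def sni_lookup(table: Dict[str, str], sni_name: str) -> Optional[Tuple[str, str]]:
    """Look up an SNI name as the man page describes: the verbatim name
    first, then each ancestor domain with a leading dot.  Returns the
    (matching key, value) pair, or None when nothing matches (Postfix then
    logs a mismatch and falls back to its default certificates)."""
    if not sni_name.isascii():
        raise ValueError("SNI name must be in IDNA 2008 A-label (ASCII) form")
    name = sni_name.lower().rstrip(".")  # assumption: keys are stored lowercase
    if name in table:
        return name, table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = "." + ".".join(labels[i:])  # ".example.net", then ".net"
        if ancestor in table:
            return ancestor, table[ancestor]
    return None


# Constructed table mirroring the example above: example.com has its own
# chain, example.net and every subdomain of it share one chain.
EXAMPLE_COM_CHAIN = encode_chain_value(RSA_KEY_PEM, LEAF_CERT_PEM, ISSUER_CERT_PEM)
EXAMPLE_NET_CHAIN = encode_chain_value(RSA_KEY_PEM, LEAF_CERT_PEM)
SNI_TABLE = {
    "example.com": EXAMPLE_COM_CHAIN,
    "example.net": EXAMPLE_NET_CHAIN,
    ".example.net": EXAMPLE_NET_CHAIN,
}

if __name__ == "__main__":
    for sni in ("example.com", "mx1.example.net", "mail.example.org"):
        print(sni, "->", (sni_lookup(SNI_TABLE, sni) or ("no match",))[0])
    print("layout problems:", check_chain_order(decode_chain_value(EXAMPLE_COM_CHAIN)))
```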
12126
12128 3.0: aes-128-cbc)
12129 Algorithm used to encrypt RFC5077 TLS session tickets. This algorithm
12130 must use CBC mode, have a 128-bit block size, and must have a key
12131 length between 128 and 256 bits. The default is aes-256-cbc. Overrid‐
12132 ing the default to choose a different algorithm is discouraged.
12133
12134 Setting this parameter empty disables session ticket support in the
12135 Postfix SMTP server. Another way to disable session ticket support is
12136 via the tls_ssl_options parameter.
12137
12138 This feature is available in Postfix 3.0 and later.
12139
12141 List or bit-mask of OpenSSL options to enable.
12142
12143 The OpenSSL toolkit provides a set of options that applications can
12144 enable to tune the OpenSSL behavior. Some of these work around bugs in
12145 other implementations and are on by default. You can use the tls_dis‐
12146 able_workarounds parameter to selectively disable some or all of the
12147 bug work-arounds, making OpenSSL more strict at the cost of non-inter‐
12148 operability with SSL clients or servers that exhibit the bugs.
12149
12150 Other options are off by default, and typically enable or disable fea‐
12151 tures rather than bug work-arounds. These may be turned on (with care)
12152 via the tls_ssl_options parameter. The value is a white-space or comma
12153 separated list of named options chosen from the list below. The names
12154 are not case-sensitive; you can use lower-case if you prefer. The
12155 upper case values below match the corresponding macro name in the ssl.h
12156 header file with the SSL_OP_ prefix removed. It is possible that your
12157 OpenSSL version includes new options added after your Postfix source
12158 code was last updated, in that case you can only enable one of these
12159 via the hexadecimal syntax below.
12160
12161 You should only enable features via the hexadecimal mask when the need
12162 to control the feature is critical (to deal with a new vulnerability or
12163 a serious interoperability problem). Postfix DOES NOT promise back‐
12164 wards compatible behavior with respect to the mask bits. A feature
12165 enabled via the mask in one release may be enabled by other means in a
12166 later release, and the mask bit will then be ignored. Therefore, use
12167 of the hexadecimal mask is only a temporary measure until a new Postfix
12168 or OpenSSL release provides a better solution.
12169
12170 If the value of the parameter is a hexadecimal long integer starting
12171 with "0x", the options corresponding to the bits specified in its value
12172 are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). You can
12173 only enable options not already controlled by other Postfix settings.
12174 For example, you cannot disable protocols or enable server cipher
12175 preference. Do not attempt to turn on all features by specifying
12176 0xFFFFFFFF; this is unlikely to be a good idea. Some bug work-arounds are also
12177 valid here, allowing them to be re-enabled if/when they're no longer
12178 enabled by default. The supported values include:
12179
12180 ENABLE_MIDDLEBOX_COMPAT
12181 Postfix >= 3.4. See SSL_CTX_set_options(3).
12182
12183 LEGACY_SERVER_CONNECT
12184 See SSL_CTX_set_options(3).
12185
12186 NO_TICKET
12187 Enabled by default when needed in fully-patched Postfix >= 2.7.
12188 Not needed at all for Postfix >= 2.11, unless for some reason
12189 you do not want to support TLS session resumption. Best not set
12190 explicitly. See SSL_CTX_set_options(3).
12191
12192 NO_COMPRESSION
12193 Disable SSL compression even if supported by the OpenSSL
12194 library. Compression is CPU-intensive, and compression before
12195 encryption does not always improve security.
12196
12197 NO_RENEGOTIATION
12198 Postfix >= 3.4. This can reduce opportunities for a potential
12199 CPU exhaustion attack. See SSL_CTX_set_options(3).
12200
12201 NO_SESSION_RESUMPTION_ON_RENEGOTIATION
12202 Postfix >= 3.4. See SSL_CTX_set_options(3).
12203
12204 PRIORITIZE_CHACHA
12205 Postfix >= 3.4. See SSL_CTX_set_options(3).
12206
12207 This feature is available in Postfix 2.11 and later.
12208
12210 Match multiple DNS labels with "*" in wildcard certificates.
12211
12212 Some mail service providers prepend the customer domain name to a base
12213 domain for which they have a wildcard TLS certificate. For example,
12214 the MX records for example.com hosted by example.net may be:
12215
12216 example.com. IN MX 0 example.com.mx1.example.net.
12217 example.com. IN MX 0 example.com.mx2.example.net.
12218
12219 and the TLS certificate may be for "*.example.net". The "*" then corre‐
12220 sponds with multiple labels in the mail server domain name. While
12221 multi-label wildcards are not widely supported, and are not blessed by
12222 any standard, there is little to be gained by disallowing their use in
12223 this context.
12224
12225 Notes:
12226
12227 · In a certificate name, the "*" is special only when it is used
12228 as the first label.
12229
12230 · While Postfix (2.11 or later) can match "*" with multiple domain
12231 name labels, other implementations likely will not.
12232
12233 · Earlier Postfix implementations behave as if "tls_wild‐
12234 card_matches_multiple_labels = no".
12235
12236 This feature is available in Postfix 2.11 and later.
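
The matching rule for the two settings, as an added Python example that is neither the man page's text nor Postfix code: cert_name_matches() treats "*" as special only when it is the entire first label, and its multiple_labels flag stands for tls_wildcard_matches_multiple_labels. The MX host names and certificate name are the ones from the example above.

```python
# Constructed input: the MX host names from the example above and the
# provider's wildcard certificate name.
MX_HOSTS = ["example.com.mx1.example.net", "example.com.mx2.example.net"]
CERT_NAME = "*.example.net"


def cert_name_matches(cert_name: str, hostname: str, multiple_labels: bool) -> bool:
    """Match one certificate DNS name against a server host name.

    "*" is special only when it is the whole first label ("*.example.net");
    anywhere else it is a literal character.  multiple_labels=True stands
    for "tls_wildcard_matches_multiple_labels = yes" (the "*" may cover
    several labels); False is the "no" setting and the behaviour of Postfix
    before 2.11 (the "*" covers exactly one label).
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname          # no wildcard: exact match only
    suffix = cert_name[1:]                    # ".example.net"
    if not hostname.endswith(suffix):
        return False
    covered = hostname[: -len(suffix)]        # what the "*" has to stand for
    if not covered or "" in covered.split("."):
        return False                          # nothing, or an empty label
    return multiple_labels or "." not in covered


def matching_mx_hosts(cert_name: str, hosts, multiple_labels: bool):
    """The MX hosts whose name the certificate covers under the given setting."""
    return [h for h in hosts if cert_name_matches(cert_name, h, multiple_labels)]


if __name__ == "__main__":
    for setting in (True, False):
        print("multiple labels =", setting, "->",
              matching_mx_hosts(CERT_NAME, MX_HOSTS, setting))
```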
12237
12239 The name of the tlsmgr(8) service entry in master.cf. This service
12240 maintains TLS session caches and other information in support of TLS.
12241
12242 This feature is available in Postfix 2.11 and later.
12243
12245 A file containing CA certificates of root CAs trusted to sign either
12246 remote TLS server certificates or intermediate CA certificates. See
12247 smtp_tls_CAfile for further details.
12248
12249 This feature is available in Postfix 3.4 and later.
12250
12252 Directory with PEM format Certification Authority certificates that the
12253 Postfix tlsproxy(8) client uses to verify a remote TLS server certifi‐
12254 cate. See smtp_tls_CApath for further details.
12255
12256 This feature is available in Postfix 3.4 and later.
12257
12259 File with the Postfix tlsproxy(8) client RSA certificate in PEM format.
12260 See smtp_tls_cert_file for further details. The preferred way to con‐
12261 figure tlsproxy client keys and certificates is via the
12262 "tlsproxy_client_chain_files" parameter.
12263
12264 This feature is available in Postfix 3.4 and later.
12265
12267 Files with the Postfix tlsproxy(8) client keys and certificate chains
12268 in PEM format. See smtp_tls_chain_files for further details.
12269
12270 This feature is available in Postfix 3.4 and later.
12271
12273 File with the Postfix tlsproxy(8) client DSA certificate in PEM format.
12274 See smtp_tls_dcert_file for further details. DSA is obsolete and should
12275 not be used.
12276
12277 This feature is available in Postfix 3.4 and later.
12278
12280 File with the Postfix tlsproxy(8) client DSA private key in PEM format.
12281 See smtp_tls_dkey_file for further details. DSA is obsolete and should
12282 not be used.
12283
12284 This feature is available in Postfix 3.4 and later.
12285
12287 File with the Postfix tlsproxy(8) client ECDSA certificate in PEM for‐
12288 mat. See smtp_tls_eccert_file for further details. The preferred way to
12289 configure tlsproxy client keys and certificates is via the
12290 "tlsproxy_client_chain_files" parameter.
12291
12292 This feature is available in Postfix 3.4 and later.
12293
12295 File with the Postfix tlsproxy(8) client ECDSA private key in PEM for‐
12296 mat. See smtp_tls_eckey_file for further details. The preferred way to
12297 configure tlsproxy client keys and certificates is via the
12298 "tlsproxy_client_chain_files" parameter.
12299
12300 This feature is available in Postfix 3.4 and later.
12301
12303 Enforcement mode: require that SMTP servers use TLS encryption. See
12304 smtp_enforce_tls for further details.
12305
12306 This feature is available in Postfix 3.4 and later.
12307
12309 The message digest algorithm used to construct remote TLS server cer‐
12310 tificate fingerprints. See smtp_tls_fingerprint_digest for further
12311 details.
12312
12313 This feature is available in Postfix 3.4 and later.
12314
12316 File with the Postfix tlsproxy(8) client RSA private key in PEM format.
12317 See smtp_tls_key_file for further details. The preferred way to config‐
12318 ure tlsproxy client keys and certificates is via the
12319 "tlsproxy_client_chain_files" parameter.
12320
12321 This feature is available in Postfix 3.4 and later.
12322
12324 Enable additional Postfix tlsproxy(8) client logging of TLS activity.
12325 See smtp_tls_loglevel for further details.
12326
12327 This feature is available in Postfix 3.4 and later.
12328
12330 The name of the parameter that provides the tlsproxy_client_loglevel
12331 value.
12332
12333 This feature is available in Postfix 3.4 and later.
12334
12336 Optional lookup tables with the Postfix tlsproxy(8) client TLS usage
12337 policy by next-hop destination and by remote TLS server hostname. See
12338 smtp_tls_per_site for further details.
12339
12340 This feature is available in Postfix 3.4 and later.
12341
12343 Optional lookup tables with the Postfix tlsproxy(8) client TLS security
12344 policy by next-hop destination. See smtp_tls_policy_maps for further
12345 details.
12346
12347 This feature is available in Postfix 3.4 and later.
12348
12350 The verification depth for remote TLS server certificates. See
12351 smtp_tls_scert_verifydepth for further details.
12352
12353 This feature is available in Postfix 3.4 and later.
12354
12356 The default TLS security level for the Postfix tlsproxy(8) client. See
12357 smtp_tls_security_level for further details.
12358
12359 This feature is available in Postfix 3.4 and later.
12360
12362 Opportunistic mode: use TLS when a remote server announces TLS support.
12363 See smtp_use_tls for further details.
12364
12365 This feature is available in Postfix 3.4 and later.
12366
12368 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
12369 require that clients use TLS encryption. See smtpd_enforce_tls for fur‐
12370 ther details.
12371
12372 This feature is available in Postfix 2.8 and later.
12373
12375 The name of the tlsproxy(8) service entry in master.cf. This service
12376 performs plaintext <=> TLS ciphertext conversion.
12377
12378 This feature is available in Postfix 2.8 and later.
12379
12381 A file containing (PEM format) CA certificates of root CAs trusted to
12382 sign either remote SMTP client certificates or intermediate CA certifi‐
12383 cates. See smtpd_tls_CAfile for further details.
12384
12385 This feature is available in Postfix 2.8 and later.
12386
12388 A directory containing (PEM format) CA certificates of root CAs trusted
12389 to sign either remote SMTP client certificates or intermediate CA cer‐
12390 tificates. See smtpd_tls_CApath for further details.
12391
12392 This feature is available in Postfix 2.8 and later.
12393
12395 sion_ids)
12396 Force the Postfix tlsproxy(8) server to issue a TLS session id, even
12397 when TLS session caching is turned off. See smtpd_tls_always_issue_ses‐
12398 sion_ids for further details.
12399
12400 This feature is available in Postfix 2.8 and later.
12401
12403 Ask a remote SMTP client for a client certificate. See
12404 smtpd_tls_ask_ccert for further details.
12405
12406 This feature is available in Postfix 2.8 and later.
12407
12409 The verification depth for remote SMTP client certificates. A depth of
12410 1 is sufficient if the issuing CA is listed in a local CA file. See
12411 smtpd_tls_ccert_verifydepth for further details.
12412
12413 This feature is available in Postfix 2.8 and later.
12414
12416 File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
12417 This file may also contain the Postfix tlsproxy(8) server private RSA
12418 key. See smtpd_tls_cert_file for further details. With Postfix >= 3.4
12419 the preferred way to configure tlsproxy server keys and certificates is
12420 via the "tlsproxy_tls_chain_files" parameter.
12421
12422 This feature is available in Postfix 2.8 and later.
12423
12425 Files with the Postfix tlsproxy(8) server keys and certificate chains
12426 in PEM format. See smtpd_tls_chain_files for further details.
12427
12428 This feature is available in Postfix 3.4 and later.
12429
12431 The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
12432 use with opportunistic TLS encryption. See smtpd_tls_ciphers for fur‐
12433 ther details.
12434
12435 This feature is available in Postfix 2.8 and later.
12436
12438 File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
12439 This file may also contain the Postfix tlsproxy(8) server private DSA
12440 key. DSA is obsolete and should not be used. See smtpd_tls_dcert_file
12441 for further details.
12442
12443 This feature is available in Postfix 2.8 and later.
12444
12446 File with DH parameters that the Postfix tlsproxy(8) server should use
12447 with non-export EDH ciphers. See smtpd_tls_dh1024_param_file for fur‐
12448 ther details.
12449
12450 This feature is available in Postfix 2.8 and later.
12451
12453 File with DH parameters that the Postfix tlsproxy(8) server should use
12454 with export-grade EDH ciphers. See smtpd_tls_dh512_param_file for fur‐
12455 ther details. The default SMTP server cipher grade is "medium" with
12456 Postfix releases after the middle of 2015, and as a result export-grade
12457 cipher suites are by default not used.
12458
12459 This feature is available in Postfix 2.8 and later.
12460
12462 File with the Postfix tlsproxy(8) server DSA private key in PEM format.
12463 This file may be combined with the Postfix tlsproxy(8) server DSA cer‐
12464 tificate file specified with $smtpd_tls_dcert_file. DSA is obsolete
12465 and should not be used. See smtpd_tls_dkey_file for further details.
12466
12467 This feature is available in Postfix 2.8 and later.
12468
12470 File with the Postfix tlsproxy(8) server ECDSA certificate in PEM for‐
12471 mat. This file may also contain the Postfix tlsproxy(8) server private
12472 ECDSA key. See smtpd_tls_eccert_file for further details. With Post‐
12473 fix >= 3.4 the preferred way to configure tlsproxy server keys and cer‐
12474 tificates is via the "tlsproxy_tls_chain_files" parameter.
12475
12476 This feature is available in Postfix 2.8 and later.
12477
12479 File with the Postfix tlsproxy(8) server ECDSA private key in PEM for‐
12480 mat. This file may be combined with the Postfix tlsproxy(8) server
12481 ECDSA certificate file specified with $smtpd_tls_eccert_file. See
12482 smtpd_tls_eckey_file for further details. With Postfix >= 3.4 the pre‐
12483 ferred way to configure tlsproxy server keys and certificates is via
12484 the "tlsproxy_tls_chain_files" parameter.
12485
12486 This feature is available in Postfix 2.8 and later.
12487
12489 The Postfix tlsproxy(8) server security grade for ephemeral ellip‐
12490 tic-curve Diffie-Hellman (EECDH) key exchange. See
12491 smtpd_tls_eecdh_grade for further details.
12492
12493 This feature is available in Postfix 2.8 and later.
12494
12496 List of ciphers or cipher types to exclude from the tlsproxy(8) server
12497 cipher list at all TLS security levels. See smtpd_tls_exclude_ciphers
12498 for further details.
12499
12500 This feature is available in Postfix 2.8 and later.
12501
12503 The message digest algorithm to construct remote SMTP client-certifi‐
12504 cate fingerprints. See smtpd_tls_fingerprint_digest for further
12505 details.
12506
12507 This feature is available in Postfix 2.8 and later.
12508
12510 File with the Postfix tlsproxy(8) server RSA private key in PEM format.
12511 This file may be combined with the Postfix tlsproxy(8) server RSA cer‐
12512 tificate file specified with $smtpd_tls_cert_file. See
12513 smtpd_tls_key_file for further details. With Postfix >= 3.4 the pre‐
12514 ferred way to configure tlsproxy server keys and certificates is via
12515 the "tlsproxy_tls_chain_files" parameter.
12516
12517 This feature is available in Postfix 2.8 and later.
12518
12520 Enable additional Postfix tlsproxy(8) server logging of TLS activity.
12521 Each logging level also includes the information that is logged at a
12522 lower logging level. See smtpd_tls_loglevel for further details.
12523
12524 This feature is available in Postfix 2.8 and later.
12525
12527 The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
12528 use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for
12529 further details.
12530
12531 This feature is available in Postfix 2.8 and later.
12532
12534 tory_exclude_ciphers)
12535 Additional list of ciphers or cipher types to exclude from the
12536 tlsproxy(8) server cipher list at mandatory TLS security levels. See
12537 smtpd_tls_mandatory_exclude_ciphers for further details.
12538
12539 This feature is available in Postfix 2.8 and later.
12540
12542 The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with
12543 mandatory TLS encryption. If the list is empty, the server supports all
12544 available SSL/TLS protocol versions. See smtpd_tls_mandatory_protocols
12545 for further details.
12546
12547 This feature is available in Postfix 2.8 and later.
12548
12550 List of TLS protocols that the Postfix tlsproxy(8) server will exclude
12551 or include with opportunistic TLS encryption. See smtpd_tls_protocols
12552 for further details.
12553
12554 This feature is available in Postfix 2.8 and later.
12555
12557 With mandatory TLS encryption, require a trusted remote SMTP client
12558 certificate in order to allow TLS connections to proceed. See
12559 smtpd_tls_req_ccert for further details.
12560
12561 This feature is available in Postfix 2.8 and later.
12562
12564 The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
12565 non-empty value is specified, this overrides the obsolete parameters
12566 smtpd_use_tls and smtpd_enforce_tls. See smtpd_tls_security_level for
12567 further details.
12568
12569 This feature is available in Postfix 2.8 and later.
12570
12572
12573 Obsolete expiration time of Postfix tlsproxy(8) server TLS session
12574 cache information. Since the cache is shared with smtpd(8) and managed
12575 by tlsmgr(8), there is only one expiration time for the SMTP server
12576 cache shared by all three services, namely smtpd_tls_ses‐
12577 sion_cache_timeout.
12578
12579 This feature is available in Postfix 2.8 and later.
12580
12582 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
12583 but do not require that clients use TLS encryption. See smtpd_use_tls
12584 for further details.
12585
12586 This feature is available in Postfix 2.8 and later.
12587
12589 How much time a tlsproxy(8) process may take to process local or remote
12590 I/O before it is terminated by a built-in watchdog timer. This is a
12591 safety mechanism that prevents tlsproxy(8) from becoming non-responsive
12592 due to a bug in Postfix itself or in system software. To avoid false
12593 alarms and unnecessary cache corruption this limit cannot be set under
12594 10s.
12595
12596 Specify a non-zero time value (an integral value plus an optional
12597 one-letter suffix that specifies the time unit). Time units: s (sec‐
12598 onds), m (minutes), h (hours), d (days), w (weeks).
12599
12600 This feature is available in Postfix 2.8 and later.
12601
12603 The name of the trace service. This service is implemented by the
12604 bounce(8) daemon and maintains a record of mail deliveries and produces
12605 a mail delivery report when verbose delivery is requested with "send‐
12606 mail -v".
12607
12608 This feature is available in Postfix 2.1 and later.
12609
12611 A transport-specific override for the default_delivery_slot_cost param‐
12612 eter value, where transport is the master.cf name of the message deliv‐
12613 ery transport.
12614
12615 Note: transport_delivery_slot_cost parameters will not show up in
12616 "postconf" command output before Postfix version 2.9. This limitation
12617 applies to many parameters whose name is a combination of a master.cf
12618 service name and a built-in suffix (in this case: "_deliv‐
12619 ery_slot_cost").
12620
12622 A transport-specific override for the default_delivery_slot_discount
12623 parameter value, where transport is the master.cf name of the message
12624 delivery transport.
12625
12626 Note: transport_delivery_slot_discount parameters will not show up in
12627 "postconf" command output before Postfix version 2.9. This limitation
12628 applies to many parameters whose name is a combination of a master.cf
12629 service name and a built-in suffix (in this case: "_delivery_slot_dis‐
12630 count").
12631
12633 A transport-specific override for the default_delivery_slot_loan param‐
12634 eter value, where transport is the master.cf name of the message deliv‐
12635 ery transport.
12636
12637 Note: transport_delivery_slot_loan parameters will not show up in
12638 "postconf" command output before Postfix version 2.9. This limitation
12639 applies to many parameters whose name is a combination of a master.cf
12640 service name and a built-in suffix (in this case: "_deliv‐
12641 ery_slot_loan").
12642
12644 tination_concurrency_failed_cohort_limit)
12645 A transport-specific override for the default_destination_concur‐
12646 rency_failed_cohort_limit parameter value, where transport is the mas‐
12647 ter.cf name of the message delivery transport.
12648
12649 Note: some transport_destination_concurrency_failed_cohort_limit param‐
12650 eters will not show up in "postconf" command output before Postfix ver‐
12651 sion 2.9. This limitation applies to many parameters whose name is a
12652 combination of a master.cf service name and a built-in suffix (in this
12653 case: "_destination_concurrency_failed_cohort_limit").
12654
12655 This feature is available in Postfix 2.5 and later.
12656
12658 rency_limit)
12659 A transport-specific override for the default_destination_concur‐
12660 rency_limit parameter value, where transport is the master.cf name of
12661 the message delivery transport.
12662
12663 Note: some transport_destination_concurrency_limit parameters will not
12664 show up in "postconf" command output before Postfix version 2.9. This
12665 limitation applies to many parameters whose name is a combination of a
12666 master.cf service name and a built-in suffix (in this case:
12667 "_destination_concurrency_limit").
12668
12670 transport_destination_concurrency_negative_feedback (default: $default_destination_concurrency_negative_feedback)
12671 A transport-specific override for the
12672 default_destination_concurrency_negative_feedback parameter value, where
12673 transport is the master.cf name of the message delivery transport.
12674
12675 Note: some transport_destination_concurrency_negative_feedback
12676 parameters will not show up in "postconf" command output before Postfix
12677 version 2.9. This limitation applies to many parameters whose name is a
12678 combination of a master.cf service name and a built-in suffix (in this
12679 case: "_destination_concurrency_negative_feedback").
12680
12681 This feature is available in Postfix 2.5 and later.
12682
12684 transport_destination_concurrency_positive_feedback (default: $default_destination_concurrency_positive_feedback)
12685 A transport-specific override for the
12686 default_destination_concurrency_positive_feedback parameter value, where
12687 transport is the master.cf name of the message delivery transport.
12688
12689 Note: some transport_destination_concurrency_positive_feedback
12690 parameters will not show up in "postconf" command output before Postfix
12691 version 2.9. This limitation applies to many parameters whose name is a
12692 combination of a master.cf service name and a built-in suffix (in this
12693 case: "_destination_concurrency_positive_feedback").
12694
12695 This feature is available in Postfix 2.5 and later.
12696
12698 A transport-specific override for the default_destination_rate_delay
12699 parameter value, where transport is the master.cf name of the message
12700 delivery transport.
12701
12702 Note: some transport_destination_rate_delay parameters will not show up
12703 in "postconf" command output before Postfix version 2.9. This
12704 limitation applies to many parameters whose name is a combination of a
12705 master.cf service name and a built-in suffix (in this case:
12706 "_destination_rate_delay").
12707
12708 This feature is available in Postfix 2.5 and later.
12709
12711 transport_destination_recipient_limit (default: $default_destination_recipient_limit)
12712 A transport-specific override for the default_destination_recipient_limit
12713 parameter value, where transport is the master.cf name of the
12714 message delivery transport.
12715
12716 Note: some transport_destination_recipient_limit parameters will not
12717 show up in "postconf" command output before Postfix version 2.9. This
12718 limitation applies to many parameters whose name is a combination of a
12719 master.cf service name and a built-in suffix (in this case:
12720 "_destination_recipient_limit").
12721
12723 A transport-specific override for the default_extra_recipient_limit
12724 parameter value, where transport is the master.cf name of the message
12725 delivery transport.
12726
12727 Note: transport_extra_recipient_limit parameters will not show up in
12728 "postconf" command output before Postfix version 2.9. This limitation
12729 applies to many parameters whose name is a combination of a master.cf
12730 service name and a built-in suffix (in this case:
12731 "_extra_recipient_limit").
12732
12734 transport_initial_destination_concurrency (default: $initial_destination_concurrency)
12735 A transport-specific override for the initial_destination_concurrency
12736 parameter value, where transport is the master.cf name of the message
12737 delivery transport.
12738
12739 Note: some transport_initial_destination_concurrency parameters will
12740 not show up in "postconf" command output before Postfix version 2.9.
12741 This limitation applies to many parameters whose name is a combination
12742 of a master.cf service name and a built-in suffix (in this case:
12743 "_initial_destination_concurrency").
12744
12745 This feature is available in Postfix 2.5 and later.
12746
12748 Optional lookup tables with mappings from recipient address to (message
12749 delivery transport, next-hop destination). See transport(5) for
12750 details.
12751
12752 Specify zero or more "type:table" lookup tables, separated by white‐
12753 space or comma. Tables will be searched in the specified order until a
12754 match is found. If you use this feature with local files, run "postmap
12755 /etc/postfix/transport" after making a change.
12756
12757 Pattern matching of domain names is controlled by the presence or
12758 absence of "transport_maps" in the parent_domain_matches_subdomains
12759 parameter value.
12760
12761 For safety reasons, as of Postfix 2.3 this feature does not allow
12762 $number substitutions in regular expression maps (a substituted result
12763 would let text from a remotely supplied recipient address choose the
12764 delivery transport or next-hop destination).
12763
12764 Examples:
12765
12766 transport_maps = dbm:/etc/postfix/transport
12767 transport_maps = hash:/etc/postfix/transport
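
       The following is an added example; it is not part of the Postfix
       documentation or sources. It models two things the text above states:
       (1) the order in which an indexed transport table is searched for a
       recipient, with and without "transport_maps" listed in
       parent_domain_matches_subdomains, and (2) a pre-flight check that
       reports $number substitutions in a regexp: or pcre: transport table
       before Postfix refuses them. The table contents, domains and next-hop
       hosts are constructed placeholders; the lookup order follows
       transport(5): user+ext@domain, user@domain, domain, parent domains,
       then "*".

```shell
# Added example, not from the Postfix documentation or sources.
# Constructed transport tables: $1 = hash-style source, $2 = regexp-style source.
write_example_transport_tables() {
    cat > "$1" <<'EOF'
# key                                 transport:nexthop
ceo@example.com                       error:mailbox moved
example.com                           smtp:[mx-internal.example.com]
.example.com                          relay:[relay.example.com]:587
partner.example.net                   smtp:[203.0.113.25]
EOF
    cat > "$2" <<'EOF'
# regexp table: a $1 in the result is refused by transport_maps (Postfix >= 2.3)
/^.*@(.*)\.corp\.example\.com$/       smtp:[$1.corp.example.com]
/^.*@.*\.example\.org$/               smtp:[mx.example.org]
EOF
}

# table_get TABLE KEY: print the result column for an exact key, status 1 if absent.
table_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == k { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# transport_lookup TABLE ADDRESS [legacy]
# A non-empty third argument emulates "parent_domain_matches_subdomains =
# transport_maps": a bare "domain" key then also matches its subdomains and
# ".domain" keys are never consulted.
transport_lookup() {
    table=$1; addr=$2; legacy=${3:-}
    local_part=${addr%@*}; domain=${addr#*@}
    for key in "$addr" "${local_part%%+*}@$domain"; do   # full, then unextended
        table_get "$table" "$key" && return 0
    done
    name=$domain
    while :; do                                          # domain, then parents
        table_get "$table" "$name" && return 0
        bare=${name#.}
        case $bare in
            *.*) parent=${bare#*.} ;;
            *)   break ;;
        esac
        if [ -n "$legacy" ]; then name=$parent; else name=".$parent"; fi
    done
    table_get "$table" '*' && return 0                   # wildcard entry
    echo "no match: the default transport for the address class applies"
}

# lint_regexp_transport TABLE: list rules whose result uses $1, ${1}, ...;
# exit status 1 if any are found.
lint_regexp_transport() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $NF ~ /\$[0-9]/ || index($NF, "${") > 0 {
            printf "line %d: $number substitution not allowed in transport_maps: %s\n", NR, $NF
            bad++
        }
        END { exit bad ? 1 : 0 }' "$1"
}
```

       With the constructed table, alice@hr.example.com is routed through
       relay.example.com via the ".example.com" entry, but the same address
       lands on mx-internal.example.com once "transport_maps" is listed in
       parent_domain_matches_subdomains, because the bare "example.com" entry
       then matches subdomains too; on a live system "postmap -q
       alice@hr.example.com hash:/etc/postfix/transport" shows only the
       exact-key step of that search.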
12768
12770 A transport-specific override for the default_minimum_delivery_slots
12771 parameter value, where transport is the master.cf name of the message
12772 delivery transport.
12773
12774 Note: transport_minimum_delivery_slots parameters will not show up in
12775 "postconf" command output before Postfix version 2.9. This limitation
12776 applies to many parameters whose name is a combination of a master.cf
12777 service name and a built-in suffix (in this case:
12778 "_minimum_delivery_slots").
12779
12781 A transport-specific override for the default_recipient_limit parameter
12782 value, where transport is the master.cf name of the message delivery
12783 transport.
12784
12785 Note: some transport_recipient_limit parameters will not show up in
12786 "postconf" command output before Postfix version 2.9. This limitation
12787 applies to many parameters whose name is a combination of a master.cf
12788 service name and a built-in suffix (in this case: "_recipient_limit").
12789
12791 A transport-specific override for the default_recipient_refill_delay
12792 parameter value, where transport is the master.cf name of the message
12793 delivery transport.
12794
12795 Note: transport_recipient_refill_delay parameters will not show up in
12796 "postconf" command output before Postfix version 2.9. This limitation
12797 applies to many parameters whose name is a combination of a master.cf
12798 service name and a built-in suffix (in this case:
12799 "_recipient_refill_delay").
12800
12801 This feature is available in Postfix 2.4 and later.
12802
12804 A transport-specific override for the default_recipient_refill_limit
12805 parameter value, where transport is the master.cf name of the message
12806 delivery transport.
12807
12808 Note: transport_recipient_refill_limit parameters will not show up in
12809 "postconf" command output before Postfix version 2.9. This limitation
12810 applies to many parameters whose name is a combination of a master.cf
12811 service name and a built-in suffix (in this case:
12812 "_recipient_refill_limit").
12813
12814 This feature is available in Postfix 2.4 and later.
12815
12817 The time between attempts by the Postfix queue manager to contact a
12818 malfunctioning message delivery transport.
12819
12820 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
12821 The default time unit is s (seconds).
12822
12824 A transport-specific override for the command_time_limit parameter
12825 value, where transport is the master.cf name of the message delivery
12826 transport.
12827
12828 Note: transport_time_limit parameters will not show up in "postconf"
12829 command output before Postfix version 2.9. This limitation applies to
12830 many parameters whose name is a combination of a master.cf service name
12831 and a built-in suffix (in this case: "_time_limit").
12832
12834 A transport-specific override for the default_transport_rate_delay
12835 parameter value, where the initial transport in the parameter name is
12836 the master.cf name of the message delivery transport.
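
       The following is an added example; it is not part of the Postfix
       documentation or sources. It resolves the effective value of a
       per-transport parameter the way the entries above describe it:
       "<transport>_<suffix>" wins when it is set in main.cf, otherwise
       "default_<suffix>" applies (for initial_destination_concurrency the
       fallback has no "default_" prefix). main.cf is read with the
       logical-line rules from the top of this page: "name = value", a line
       starting with whitespace continues the previous logical line, blank
       and "#" lines are ignored. The main.cf text and the transport name
       "bulk" are constructed for this example, and "$name" references inside
       values are left unexpanded.

```shell
# Added example, not from the Postfix documentation or sources.
# Constructed main.cf excerpt. The "bulk" transport is assumed to be defined in
# master.cf as "bulk  unix  -  -  n  -  -  smtp" (first field = transport name).
write_example_maincf() {
    cat > "$1" <<'EOF'
# global defaults
default_destination_concurrency_limit = 20
default_destination_rate_delay = 0s
initial_destination_concurrency = 5

# overrides for the "bulk" transport; a value may continue on the next line
bulk_destination_concurrency_limit = 2
bulk_destination_rate_delay = 1s
bulk_destination_recipient_limit =
    50
EOF
}

# Print main.cf as one "name = value" logical line per parameter.
maincf_logical_lines() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }                    # blank or comment
        /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }  # continuation line
        { if (buf != "") print buf; buf = $0 }                # new logical line
        END { if (buf != "") print buf }
    ' "$1"
}

# maincf_get MAIN_CF NAME: print the value; exit status 1 when NAME is unset.
maincf_get() {
    maincf_logical_lines "$1" | awk -v name="$2" '
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == name) { print val; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# effective_transport_param MAIN_CF TRANSPORT SUFFIX
# e.g. effective_transport_param /etc/postfix/main.cf bulk destination_concurrency_limit
effective_transport_param() {
    case $3 in
        initial_destination_concurrency) fallback=$3 ;;
        *)                               fallback="default_$3" ;;
    esac
    maincf_get "$1" "${2}_${3}" && return 0    # per-transport override
    maincf_get "$1" "$fallback" && return 0    # global default set in main.cf
    echo "built-in default"                    # neither is set in main.cf
}
```

       On a live system, "postconf -x bulk_destination_concurrency_limit"
       gives the same answer with "$name" references expanded; the notes
       above explain why such a name is missing from a bare "postconf"
       listing before Postfix 2.9.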
12837
12839 The time limit for sending a trigger to a Postfix daemon (for example,
12840 the pickup(8) or qmgr(8) daemon). This time limit prevents programs
12841 from getting stuck when the mail system is under heavy load.
12842
12843 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
12844 The default time unit is s (seconds).
12845
12847 Message header that the Postfix cleanup(8) server inserts when a
12848 message contains no To: or Cc: message header. With Postfix 2.8 and later,
12849 the default value is empty. With Postfix 2.4-2.7, specify an empty
12850 value to disable this feature.
12851
12852 Example:
12853
12854 # Default value before Postfix 2.8.
12855 # Note: the ":" and ";" are both required.
12856 undisclosed_recipients_header = To: undisclosed-recipients:;
12857
12859 The numerical response code when the Postfix SMTP server rejects a
12860 sender or recipient address because its domain is unknown. This is one
12861 of the possible replies from the restrictions
12862 reject_unknown_sender_domain and reject_unknown_recipient_domain.
12863
12864 Do not change this unless you have a complete understanding of RFC
12865 5321.
12866
12868 The Postfix SMTP server's action when reject_unknown_sender_domain or
12869 reject_unknown_recipient_domain fail due to a temporary error
12870 condition. Specify "defer" to defer the remote SMTP client request
12871 immediately. With the default "defer_if_permit" action, the Postfix SMTP
12872 server continues to look for opportunities to reject mail, and defers
12873 the client request only if it would otherwise be accepted.
12874
12875 This feature is available in Postfix 2.6 and later.
12876
12878 The numerical Postfix SMTP server response code when a client without
12879 valid address <=> name mapping is rejected by the
12880 reject_unknown_client_hostname restriction. The SMTP server always
12881 replies with 450 when the mapping failed due to a temporary error
12882 condition.
12883
12884 Do not change this unless you have a complete understanding of RFC
12885 5321.
12886
12888 The Postfix SMTP server's action when reject_unknown_helo_hostname
12889 fails due to a temporary error condition. Specify "defer" to defer the
12890 remote SMTP client request immediately. With the default
12891 "defer_if_permit" action, the Postfix SMTP server continues to look for
12892 opportunities to reject mail, and defers the client request only if it would
12893 otherwise be accepted.
12894
12895 This feature is available in Postfix 2.6 and later.
12896
12898 The numerical Postfix SMTP server response code when the hostname
12899 specified with the HELO or EHLO command is rejected by the
12900 reject_unknown_helo_hostname restriction.
12901
12902 Do not change this unless you have a complete understanding of RFC
12903 5321.
12904
12906 The numerical Postfix SMTP server response code when a recipient
12907 address is local, and $local_recipient_maps specifies a list of lookup
12908 tables that does not match the recipient. A recipient address is local
12909 when its domain matches $mydestination, $proxy_interfaces or
12910 $inet_interfaces.
12911
12912 The default setting is 550 (reject mail) but it is safer to initially
12913 use 450 (try again later) so you have time to find out if your
12914 local_recipient_maps settings are OK.
12915
12916 Example:
12917
12918 unknown_local_recipient_reject_code = 450
12919
12920 This feature is available in Postfix 2.0 and later.
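
       The following is an added example; it is not part of the Postfix
       documentation or sources. It is the log triage step that goes with
       the rollout advice above: while the reject code is 450, list which
       recipients are being turned away as "User unknown" and by which of
       the four unknown_*_reject_code parameters, so that a real user hidden
       among the junk is noticed before the code is switched back to 550.
       The log lines are constructed in the smtpd(8) reject format
       ("NOQUEUE: reject: RCPT from ...: <code> <enhanced code>
       <recipient>: ..."); hosts and addresses are placeholders.

```shell
# Added example, not from the Postfix documentation or sources.
# Constructed mail log excerpt written to the file named in $1.
write_example_maillog() {
    cat > "$1" <<'EOF'
Jun  3 10:01:12 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.net> to=<bob@example.com> proto=ESMTP helo=<mail.example.net>
Jun  3 10:01:40 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.net> to=<bob@example.com> proto=ESMTP helo=<mail.example.net>
Jun  3 10:02:05 mx1 postfix/smtpd[2240]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 450 4.1.1 <zzq91@example.com>: Recipient address rejected: User unknown in local recipient table; from=<spam@example.org> to=<zzq91@example.com> proto=ESMTP helo=<mail.example.org>
Jun  3 10:03:17 mx1 postfix/smtpd[2240]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 450 4.1.7 <bad@example.org>: Sender address rejected: unverified address: host mx.example.org said: 550 no such user; from=<bad@example.org> to=<carol@example.com> proto=ESMTP helo=<mail.example.org>
Jun  3 10:04:00 mx1 postfix/smtpd[2252]: 3F2A1C0012: client=mail.example.net[192.0.2.10]
Jun  3 10:05:30 mx1 postfix/smtpd[2260]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <nobody@virt.example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@example.org> to=<nobody@virt.example.com> proto=SMTP helo=<x>
EOF
}

# summarize_unknown_rejects LOGFILE: one line per (code, parameter, recipient),
# most frequent first. Only "User unknown in ... table" rejections count;
# other RCPT rejections (e.g. unverified sender) are left out on purpose.
summarize_unknown_rejects() {
    awk '
        BEGIN {
            param["local recipient"] = "unknown_local_recipient_reject_code"
            param["relay recipient"] = "unknown_relay_recipient_reject_code"
            param["virtual alias"]   = "unknown_virtual_alias_reject_code"
            param["virtual mailbox"] = "unknown_virtual_mailbox_reject_code"
        }
        /NOQUEUE: reject: RCPT from / &&
        match($0, /User unknown in (local recipient|relay recipient|virtual alias|virtual mailbox) table/) {
            class = substr($0, RSTART + 16, RLENGTH - 22)   # between "User unknown in " and " table"
            if (match($0, /: [45][0-9][0-9] [45]\.[0-9]+\.[0-9]+ <[^>]+>/)) {
                split(substr($0, RSTART + 2, RLENGTH - 2), f, " ")   # code, enhanced code, <rcpt>
                rcpt = f[3]; gsub(/[<>]/, "", rcpt)
                count[f[1] " " param[class] " " rcpt]++
            }
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}
```

       In the constructed log, bob@example.com is refused twice with 450 by
       the local recipient check; a name that a human would recognise at the
       top of this list is the signal that local_recipient_maps is
       incomplete and that 550 is not yet safe.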
12921
12923 The numerical Postfix SMTP server reply code when a recipient address
12924 matches $relay_domains, and relay_recipient_maps specifies a list of
12925 lookup tables that does not match the recipient address.
12926
12927 This feature is available in Postfix 2.0 and later.
12928
12930 The Postfix SMTP server reply code when a recipient address matches
12931 $virtual_alias_domains, and $virtual_alias_maps specifies a list of
12932 lookup tables that does not match the recipient address.
12933
12934 This feature is available in Postfix 2.0 and later.
12935
12937 The Postfix SMTP server reply code when a recipient address matches
12938 $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
12939 lookup tables that does not match the recipient address.
12940
12941 This feature is available in Postfix 2.0 and later.
12942
12944 The numerical Postfix SMTP server response when a recipient address
12945 probe fails due to a temporary error condition.
12946
12947 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12948 address anyway.
12949
12950 Do not change this unless you have a complete understanding of RFC
12951 5321.
12952
12953 This feature is available in Postfix 2.6 and later.
12954
12956 The numerical Postfix SMTP server response when a recipient address is
12957 rejected by the reject_unverified_recipient restriction.
12958
12959 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12960 address anyway.
12961
12962 Do not change this unless you have a complete understanding of RFC
12963 5321.
12964
12965 This feature is available in Postfix 2.1 and later.
12966
12968 The Postfix SMTP server's reply when rejecting mail with
12969 reject_unverified_recipient. Do not include the numeric SMTP reply code or the
12970 enhanced status code. By default, the response includes actual address
12971 verification details.
12972
12973 Example:
12974
12975 unverified_recipient_reject_reason = Recipient address lookup failed
12976
12977 This feature is available in Postfix 2.6 and later.
12978
12980 The Postfix SMTP server's action when reject_unverified_recipient fails
12981 due to a temporary error condition. Specify "defer" to defer the remote
12982 SMTP client request immediately. With the default "defer_if_permit"
12983 action, the Postfix SMTP server continues to look for opportunities to
12984 reject mail, and defers the client request only if it would otherwise
12985 be accepted.
12986
12987 This feature is available in Postfix 2.6 and later.
12988
12990 The numerical Postfix SMTP server response code when a sender address
12991 probe fails due to a temporary error condition.
12992
12993 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12994 address anyway.
12995
12996 Do not change this unless you have a complete understanding of RFC
12997 5321.
12998
12999 This feature is available in Postfix 2.6 and later.
13000
13002 The numerical Postfix SMTP server response code when a sender
13003 address is rejected by the reject_unverified_sender restriction.
13004
13005 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
13006 address anyway.
13007
13008 Do not change this unless you have a complete understanding of RFC
13009 5321.
13010
13011 This feature is available in Postfix 2.1 and later.
13012
13014 The Postfix SMTP server's reply when rejecting mail with
13015 reject_unverified_sender. Do not include the numeric SMTP reply code or the enhanced
13016 status code. By default, the response includes actual address verifica‐
13017 tion details.
13018
13019 Example:
13020
13021 unverified_sender_reject_reason = Sender address lookup failed
13022
13023 This feature is available in Postfix 2.6 and later.
13024
13026 The Postfix SMTP server's action when reject_unverified_sender fails
13027 due to a temporary error condition. Specify "defer" to defer the remote
13028 SMTP client request immediately. With the default "defer_if_permit"
13029 action, the Postfix SMTP server continues to look for opportunities to
13030 reject mail, and defers the client request only if it would otherwise
13031 be accepted.
13032
13033 This feature is available in Postfix 2.6 and later.
13034
13036 The characters Postfix accepts as VERP delimiter characters on the
13037 Postfix sendmail(1) command line and in SMTP commands.
13038
13039 This feature is available in Postfix 1.1 and later.
13040
13042 The maximal length of an email address after virtual alias expansion.
13043 This stops virtual aliasing loops that increase the address length
13044 exponentially.
13045
13046 This feature is available in Postfix 3.0 and later.
13047
13049 Postfix is final destination for the specified list of virtual alias
13050 domains, that is, domains for which all addresses are aliased to
13051 addresses in other local or remote domains. The SMTP server validates
13052 recipient addresses with $virtual_alias_maps and rejects non-existent
13053 recipients. See also the virtual alias domain class in the
13054 ADDRESS_CLASS_README file.
13055
13056 This feature is available in Postfix 2.0 and later. The default value
13057 is backwards compatible with Postfix version 1.1.
13058
13059 The default value is $virtual_alias_maps so that you can keep all
13060 information about virtual alias domains in one place. If you have many
13061 users, it is better to separate information that changes more
13062 frequently (virtual address -> local or remote address mapping) from
13063 information that changes less frequently (the list of virtual domain
13064 names).
13065
13066 Specify a list of host or domain names, "/file/name" or "type:table"
13067 patterns, separated by commas and/or whitespace. A "/file/name" pattern
13068 is replaced by its contents; a "type:table" lookup table is matched
13069 when a table entry matches a lookup string (the lookup result is
13070 ignored). Continue long lines by starting the next line with
13071 whitespace. Specify "!pattern" to exclude a host or domain name from the
13072 list. The form "!/file/name" is supported only in Postfix version 2.4
13073 and later.
13074
13075 See also the VIRTUAL_README and ADDRESS_CLASS_README documents for
13076 further information.
13077
13078 Example:
13079
13080 virtual_alias_domains = virtual1.tld virtual2.tld
13081
13083 The maximal number of addresses that virtual alias expansion produces
13084 from each original recipient.
13085
13086 This feature is available in Postfix 2.1 and later.
13087
13089 Optional lookup tables that alias specific mail addresses or domains to
13090 other local or remote addresses. The table format and lookups are
13091 documented in virtual(5). For an overview of Postfix address manipulations
13092 see the ADDRESS_REWRITING_README document.
13093
13094 This feature is available in Postfix 2.0 and later. The default value
13095 is backwards compatible with Postfix version 1.1.
13096
13097 Specify zero or more "type:name" lookup tables, separated by whitespace
13098 or comma. Tables will be searched in the specified order until a match
13099 is found. Note: these lookups are recursive.
13100
13101 If you use this feature with indexed files, run "postmap
13102 /etc/postfix/virtual" after changing the file.
13103
13104 Examples:
13105
13106 virtual_alias_maps = dbm:/etc/postfix/virtual
13107 virtual_alias_maps = hash:/etc/postfix/virtual
13108
13110 The maximal nesting depth of virtual alias expansion. Currently the
13111 recursion limit is applied only to the left branch of the expansion
13112 graph, so the depth of the tree can in the worst case reach the sum of
13113 the expansion and recursion limits. This may change in the future.
13114
13115 This feature is available in Postfix 2.1 and later.
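
       The following is an added example; it is not part of the Postfix
       documentation or sources. It models recursive virtual alias
       expansion with the three limits described above
       (virtual_alias_recursion_limit, virtual_alias_expansion_limit,
       virtual_alias_address_length_limit) applied while the alias graph is
       walked, which is what turns an aliasing loop or a fan-out bomb into a
       rejected message instead of an exhausted cleanup(8) process. It is a
       simplification: the depth limit here applies to every branch, and
       final recipients are de-duplicated, which is this example's choice
       rather than a statement about Postfix. The alias table is
       constructed; the loop, fan-out and long-address entries exist to
       trigger each limit.

```shell
# Added example, not from the Postfix documentation or sources.
# Constructed virtual_alias_maps source written to the file named in $1.
write_example_virtual_aliases() {
    cat > "$1" <<'EOF'
# address                target[, target...]
sales@example.com        alice@example.com, bob@example.com
alice@example.com        alice@mail.example.net
all@example.com          sales@example.com, support@example.com
support@example.com      carol@example.com, sales@example.com
loop@example.com         loop2@example.com
loop2@example.com        loop@example.com
long@example.com         a-very-long-mailbox-name@example.com
EOF
}

# virtual_expand TABLE ADDRESS RECURSION_LIMIT EXPANSION_LIMIT LENGTH_LIMIT
# Prints the final recipients, or "reject: <which> limit exceeded" with status 1.
virtual_expand() {
    awk -v start="$2" -v rlim="$3" -v elim="$4" -v llim="$5" '
        function expand(addr, depth,    n, i, parts) {
            if (failed) return
            if (depth > rlim)        { failed = "recursion"; return }
            if (length(addr) > llim) { failed = "length";    return }
            if (!(addr in alias)) {                 # not aliased: a final recipient
                if (addr in seen) return            # de-duplicate (example choice)
                seen[addr] = 1
                if (++produced > elim) { failed = "expansion"; return }
                out[produced] = addr
                return
            }
            n = split(alias[addr], parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) expand(parts[i], depth + 1)   # recursive lookup
        }
        /^[ \t]*#/ || NF == 0 { next }
        { key = $1; $1 = ""; sub(/^ +/, ""); alias[key] = $0 }
        END {
            expand(start, 0)
            if (failed) { print "reject: " failed " limit exceeded"; exit 1 }
            for (i = 1; i <= produced; i++) print out[i]
        }' "$1"
}
```

       With the Postfix defaults (1000 for each limit) all@example.com
       expands to three recipients; loop@example.com is stopped by the
       recursion limit, and a deliberately small expansion limit of 2 shows
       how a harmless-looking alias tree is refused once it produces more
       recipients than allowed.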
13116
13118 Optional filter for the virtual(8) delivery agent to change the
13119 delivery status code or explanatory text of successful or unsuccessful
13120 deliveries. See default_delivery_status_filter for details.
13121
13122 This feature is available in Postfix 3.0 and later.
13123
13125 virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)
13126 The maximal number of parallel deliveries to the same destination via
13127 the virtual message delivery transport. This limit is enforced by the
13128 queue manager. The message delivery transport name is the first field
13129 in the entry in the master.cf file.
13130
13132 virtual_destination_recipient_limit (default: $default_destination_recipient_limit)
13133 The maximal number of recipients per message for the virtual message
13134 delivery transport. This limit is enforced by the queue manager. The
13135 message delivery transport name is the first field in the entry in the
13136 master.cf file.
13137
13138 Setting this parameter to a value of 1 changes the meaning of
13139 virtual_destination_concurrency_limit from concurrency per domain into
13140 concurrency per recipient.
13141
13143 Lookup tables with the per-recipient group ID for virtual(8) mailbox
13144 delivery.
13145
13146 This parameter is specific to the virtual(8) delivery agent. It does
13147 not apply when mail is delivered with a different mail delivery
13148 program.
13149
13150 Specify zero or more "type:name" lookup tables, separated by whitespace
13151 or comma. Tables will be searched in the specified order until a match
13152 is found.
13153
13154 In a lookup table, specify a left-hand side of "@domain.tld" to match
13155 any user in the specified domain that does not have a specific
13156 "user@domain.tld" entry.
13157
13158 When a recipient address has an optional address extension
13159 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
13160 address first, and when the lookup fails, it looks up the unextended
13161 address (user@domain.tld).
13162
13163 Note 1: for security reasons, the virtual(8) delivery agent disallows
13164 regular expression substitution of $1 etc. in regular expression lookup
13165 tables, because that would open a security hole.
13166
13167 Note 2: for security reasons, the virtual(8) delivery agent will
13168 silently ignore requests to use the proxymap(8) server. Instead it will
13169 open the table directly. Before Postfix version 2.2, the virtual(8)
13170 delivery agent will terminate with a fatal error.
13171
13173 A prefix that the virtual(8) delivery agent prepends to all pathname
13174 results from $virtual_mailbox_maps table lookups. This is a safety
13175 measure to ensure that an out of control map doesn't litter the file
13176 system with mailboxes. While virtual_mailbox_base could be set to "/",
13177 this setting isn't recommended.
13178
13179 This parameter is specific to the virtual(8) delivery agent. It does
13180 not apply when mail is delivered with a different mail delivery
13181 program.
13182
13183 Example:
13184
13185 virtual_mailbox_base = /var/mail
13186
13188 Postfix is final destination for the specified list of domains; mail is
13189 delivered via the $virtual_transport mail delivery transport. By
13190 default this is the Postfix virtual(8) delivery agent. The SMTP server
13191 validates recipient addresses with $virtual_mailbox_maps and rejects
13192 mail for non-existent recipients. See also the virtual mailbox domain
13193 class in the ADDRESS_CLASS_README file.
13194
13195 This parameter expects the same syntax as the mydestination configura‐
13196 tion parameter.
13197
13198 This feature is available in Postfix 2.0 and later. The default value
13199 is backwards compatible with Postfix version 1.1.
13200
13202 The maximal size in bytes of an individual virtual(8) mailbox or
13203 maildir file, or zero (no limit).
13204
13205 This parameter is specific to the virtual(8) delivery agent. It does
13206 not apply when mail is delivered with a different mail delivery
13207 program.
13208
13210 How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
13211 For a list of available file locking methods, use the "postconf -l"
13212 command.
13213
13214 This parameter is specific to the virtual(8) delivery agent. It does
13215 not apply when mail is delivered with a different mail delivery
13216 program.
13217
13218 This setting is ignored with maildir style delivery, because such
13219 deliveries are safe without application-level locks.
13220
13221 Note 1: the dotlock method requires that the recipient UID or GID has
13222 write access to the parent directory of the recipient's mailbox file.
13223
13224 Note 2: the default setting of this parameter is system dependent.
13225
13227 Optional lookup tables with all valid addresses in the domains that
13228 match $virtual_mailbox_domains.
13229
13230 Specify zero or more "type:name" lookup tables, separated by whitespace
13231 or comma. Tables will be searched in the specified order until a match
13232 is found.
13233
13234 In a lookup table, specify a left-hand side of "@domain.tld" to match
13235 any user in the specified domain that does not have a specific
13236 "user@domain.tld" entry.
13237
13238 The remainder of this text is specific to the virtual(8) delivery
13239 agent. It does not apply when mail is delivered with a different mail
13240 delivery program.
13241
13242 The virtual(8) delivery agent uses this table to look up the
13243 per-recipient mailbox or maildir pathname. If the lookup result ends in a
13244 slash ("/"), maildir-style delivery is carried out, otherwise the path is
13245 assumed to specify a UNIX-style mailbox file. Note that
13246 $virtual_mailbox_base is unconditionally prepended to this path.
13247
13248 When a recipient address has an optional address extension
13249 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
13250 address first, and when the lookup fails, it looks up the unextended
13251 address (user@domain.tld).
13252
13253 Note 1: for security reasons, the virtual(8) delivery agent disallows
13254 regular expression substitution of $1 etc. in regular expression lookup
13255 tables, because that would open a security hole.
13256
13257 Note 2: for security reasons, the virtual(8) delivery agent will
13258 silently ignore requests to use the proxymap(8) server. Instead it will
13259 open the table directly. Before Postfix version 2.2, the virtual(8)
13260 delivery agent will terminate with a fatal error.
13261
13263 Optional lookup tables with a) names of domains for which all addresses
13264 are aliased to addresses in other local or remote domains, and b)
13265 addresses that are aliased to addresses in other local or remote
13266 domains. Available before Postfix version 2.0. With Postfix version
13267 2.0 and later, this is replaced by separate controls:
13268 virtual_alias_domains and virtual_alias_maps.
13269
13271 The minimum user ID value that the virtual(8) delivery agent accepts as
13272 a result from $virtual_uid_maps table lookup. Returned values less
13273 than this will be rejected, and the message will be deferred.
13274
13275 This parameter is specific to the virtual(8) delivery agent. It does
13276 not apply when mail is delivered with a different mail delivery
13277 program.
13278
13280 The default mail delivery transport and next-hop destination for final
13281 delivery to domains listed with $virtual_mailbox_domains. This
13282 information can be overruled with the transport(5) table.
13283
13284 Specify a string of the form transport:nexthop, where transport is the
13285 name of a mail delivery transport defined in master.cf. The :nexthop
13286 destination is optional; its syntax is documented in the manual page of
13287 the corresponding delivery agent.
13288
13289 This feature is available in Postfix 2.0 and later.
13290
13292 Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
13293 ery agent uses while writing to the recipient's mailbox.
13294
13295 This parameter is specific to the virtual(8) delivery agent. It does
13296 not apply when mail is delivered with a different mail delivery
13297 program.
13298
13299 Specify zero or more "type:name" lookup tables, separated by whitespace
13300 or comma. Tables will be searched in the specified order until a match
13301 is found.
13302
13303 In a lookup table, specify a left-hand side of "@domain.tld" to match
13304 any user in the specified domain that does not have a specific
13305 "user@domain.tld" entry.
13306
13307 When a recipient address has an optional address extension
13308 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
13309 address first, and when the lookup fails, it looks up the unextended
13310 address (user@domain.tld).
13311
13312 Note 1: for security reasons, the virtual(8) delivery agent disallows
13313 regular expression substitution of $1 etc. in regular expression lookup
13314 tables, because that would open a security hole.
13315
13316 Note 2: for security reasons, the virtual(8) delivery agent will
13317 silently ignore requests to use the proxymap(8) server. Instead it will
13318 open the table directly. Before Postfix version 2.2, the virtual(8)
13319 delivery agent will terminate with a fatal error.
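
       The following is an added example; it is not part of the Postfix
       documentation or sources. It models how virtual(8) turns a recipient
       into a mailbox path and owner from virtual_mailbox_maps,
       virtual_mailbox_base, virtual_uid_maps and virtual_minimum_uid, and
       adds an audit of the source tables. Lookups follow the order stated
       in the entries above (user+ext@domain, then user@domain, then
       @domain), $virtual_mailbox_base is prepended unconditionally, a
       result ending in "/" selects maildir delivery, and a UID below
       $virtual_minimum_uid defers the message. The join with a single "/"
       and the ".." audit are this example's own choices, not virtual(8)
       behaviour; map contents, domains and UIDs are constructed.

```shell
# Added example, not from the Postfix documentation or sources.
# Constructed tables: $1 = virtual_mailbox_maps source, $2 = virtual_uid_maps source.
write_example_virtual_maps() {
    cat > "$1" <<'EOF'
# address                 path relative to $virtual_mailbox_base ("/" suffix = maildir)
alice@example.com         example.com/alice/
bob@example.com           example.com/bob
bob+lists@example.com     example.com/bob-lists/
@example.com              example.com/catchall/
evil@example.org          ../../etc/cron.d/
EOF
    cat > "$2" <<'EOF'
alice@example.com         5000
bob@example.com           5001
@example.com              5000
evil@example.org          0
EOF
}

# vmap_get TABLE KEY: print the result for an exact key, status 1 if absent.
vmap_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == k { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# vmap_lookup TABLE user[+ext]@domain: full address, unextended address, @domain.
vmap_lookup() {
    local_part=${2%@*}; domain=${2#*@}
    for key in "$2" "${local_part%%+*}@$domain" "@$domain"; do
        vmap_get "$1" "$key" && return 0
    done
    return 1
}

# resolve_delivery MAILBOX_MAP UID_MAP BASE MIN_UID ADDRESS
# Prints "<maildir|mbox> <path> uid=<n>", or "defer: ..." with status 1.
resolve_delivery() {
    rel=$(vmap_lookup "$1" "$5") || { echo "defer: no mailbox for $5"; return 1; }
    uid=$(vmap_lookup "$2" "$5") || { echo "defer: no uid for $5"; return 1; }
    if [ "$uid" -lt "$4" ]; then                     # virtual_minimum_uid check
        echo "defer: uid $uid below virtual_minimum_uid=$4 for $5"; return 1
    fi
    case $rel in
        */) kind=maildir ;;                          # trailing slash = maildir
        *)  kind=mbox ;;
    esac
    echo "$kind $3/$rel uid=$uid"                    # base is always prepended
}

# audit_mailbox_map TABLE: report results containing a ".." component, which
# prepending $virtual_mailbox_base does not by itself neutralise; status 1 if any.
audit_mailbox_map() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $2 ~ /(^|\/)\.\.(\/|$)/ { printf "line %d: %s -> %s escapes the base directory\n", NR, $1, $2; bad++ }
        END { exit bad ? 1 : 0 }' "$1"
}
```

       The evil@example.org entries show both safety nets from the entries
       above at work: the UID of 0 is refused by virtual_minimum_uid, and the
       audit flags the ".." path that a base directory of "/var/mail" would
       not contain. Run the audit against the text source of the maps before
       "postmap" rebuilds them.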
13320
13322 postconf(1), Postfix configuration parameter maintenance
13323 master(5), Postfix daemon configuration maintenance
13324
13326 The Secure Mailer license must be distributed with this software.
13327
13329 Wietse Venema
13330 IBM T.J. Watson Research
13331 P.O. Box 704
13332 Yorktown Heights, NY 10598, USA
13333
13334 Wietse Venema
13335 Google, Inc.
13336 111 8th Avenue
13337 New York, NY 10011, USA
13338
13339 Viktor Dukhovni
13340
13341
13342
13343 POSTCONF(5)