POSTCONF(5)                   File Formats Manual                  POSTCONF(5)

NAME
       postconf - Postfix configuration parameters

SYNOPSIS
       postconf parameter ...

       postconf -e "parameter=value" ...

DESCRIPTION
       The Postfix main.cf configuration file specifies parameters that
       control the operation of the Postfix mail system. Typically the file
       contains only a small subset of all parameters; parameters not
       specified are left at their default values.

       The general format of the main.cf file is as follows:

       ·      Each logical line has the form "parameter = value". Whitespace
              around the "=" is ignored, as is whitespace at the end of a
              logical line.

       ·      Empty lines and whitespace-only lines are ignored, as are lines
              whose first non-whitespace character is a `#'.

       ·      A logical line starts with non-whitespace text. A line that
              starts with whitespace continues a logical line.

       ·      A parameter value may refer to other parameters.

              ·      The expressions "$name" and "${name}" are recursively
                     replaced with the value of the named parameter. The
                     parameter name must contain only characters from the set
                     [a-zA-Z0-9_]. An undefined parameter value is replaced
                     with the empty value.

              ·      The expressions "${name?value}" and "${name?{value}}" are
                     replaced with "value" when "$name" is non-empty. The
                     parameter name must contain only characters from the set
                     [a-zA-Z0-9_]. These forms are supported with Postfix
                     versions >= 2.2 and >= 3.0, respectively.

              ·      The expressions "${name:value}" and "${name:{value}}" are
                     replaced with "value" when "$name" is empty. The
                     parameter name must contain only characters from the set
                     [a-zA-Z0-9_]. These forms are supported with Postfix
                     versions >= 2.2 and >= 3.0, respectively.

              ·      The expression "${name?{value1}:{value2}}" is replaced
                     with "value1" when "$name" is non-empty, and with
                     "value2" when "$name" is empty. The "{}" is required for
                     "value1", optional for "value2". The parameter name must
                     contain only characters from the set [a-zA-Z0-9_]. This
                     form is supported with Postfix versions >= 3.0.

              ·      The first item inside "${...}" may be a relational
                     expression of the form: "{value3} == {value4}". Besides
                     the "==" (equality) operator Postfix supports "!="
                     (inequality), "<", "<=", ">=", and ">". The comparison is
                     numerical when both operands are all digits, otherwise
                     the comparison is lexicographical. These forms are
                     supported with Postfix versions >= 3.0.

              ·      Each "value" is subject to recursive named parameter and
                     relational expression evaluation, except where noted.

              ·      Whitespace before or after each "{value}" is ignored.

              ·      Specify "$$" to produce a single "$" character.

              ·      The legacy form "$(...)" is equivalent to the preferred
                     form "${...}".

       ·      When the same parameter is defined multiple times, only the last
              instance is remembered.

       ·      Otherwise, the order of main.cf parameter definitions does not
              matter.

       The remainder of this document is a description of all Postfix
       configuration parameters. Default values are shown after the parameter
       name in parentheses, and can be looked up with the "postconf -d"
       command.

       Note: this is not an invitation to make changes to Postfix
       configuration parameters. Unnecessary changes can impair the operation
       of the mail system.

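       The following is an added example, not code from the Postfix project:
       a small Python reader for the main.cf format and the "$name" expansion
       rules listed above (logical lines with continuation, comments, last
       definition wins, "$name"/"${name}", "${name?...}", "${name:...}",
       "${name?{v1}:{v2}}", relational "{v3} op {v4}", "$$" and the legacy
       "$(...)"). The sample configuration inside the block is constructed for
       the demonstration. Two details are assumptions of this example rather
       than statements of the page: a continuation line is joined to its
       logical line with a single space, and expansion deeper than 50 levels
       is reported as an error so that a self-referencing parameter such as
       "a = $a" does not recurse forever.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")        # characters allowed in a parameter name
OP_RE = re.compile(r"==|!=|<=|>=|<|>")        # relational operators, longest first

# Constructed sample main.cf (not a real site's) exercising the forms above.
SAMPLE_MAIN_CF = """\
# comment line: ignored
myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, localhost.$mydomain,
    localhost
relayhost =
myorigin = ${mydomain?mail.$mydomain}
probe_route = ${relayhost?{relay}:{direct}}
poll_count = ${{3} >= {1} ? {3} : {1}}
"""

def parse_main_cf(text):
    """Return {parameter: raw value}; a later definition replaces an earlier one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # empty, whitespace-only or comment line
        if raw[0] in " \t" and current:           # leading whitespace continues a line
            params[current] += " " + raw.strip()  # (joining with one space is assumed)
        else:
            current, _, value = raw.partition("=")
            current = current.strip()
            params[current] = value.strip()       # whitespace around "=" / at end ignored
    return params

def _matching(s, start, opener, closer):
    """Index of the closer that balances the opener at s[start]."""
    if s[start:start + 1] != opener:
        raise ValueError("expected %r at %d in %r" % (opener, start, s))
    depth = 0
    for i in range(start, len(s)):
        depth += (s[i] == opener) - (s[i] == closer)
        if depth == 0:
            return i
    raise ValueError("unbalanced %r in %r" % (opener, s))

def _take_braced(s):
    """Split "{value} rest" into (value, rest); whitespace around "{value}" is ignored."""
    s = s.lstrip()
    end = _matching(s, 0, "{", "}")
    return s[1:end], s[end + 1:].lstrip()

def _take_value(s):
    """A value is "{...}", or, without braces, everything up to the closing "}"."""
    return _take_braced(s) if s.lstrip().startswith("{") else (s, "")

def _compare(lhs, op, rhs):
    """Numerical when both operands are all digits, otherwise lexicographical."""
    if lhs.isdigit() and rhs.isdigit():
        lhs, rhs = int(lhs), int(rhs)
    return {"==": lhs == rhs, "!=": lhs != rhs, "<": lhs < rhs,
            "<=": lhs <= rhs, ">": lhs > rhs, ">=": lhs >= rhs}[op]

def _eval_braced(inner, params, depth):
    """Evaluate the text between "${" and "}" (or the legacy "$(" and ")")."""
    s = inner.lstrip()
    if s.startswith("{"):                         # "{value3} == {value4} ? ..."
        lhs, s = _take_braced(s)
        op = OP_RE.match(s)
        if not op:
            raise ValueError("missing relational operator in %r" % inner)
        rhs, s = _take_braced(s[op.end():])
        cond = _compare(expand(lhs, params, depth + 1), op.group(),
                        expand(rhs, params, depth + 1))
    else:                                         # "name", "name?...", "name:..."
        name = NAME_RE.match(s)
        if not name:
            raise ValueError("bad parameter name in %r" % inner)
        text = expand(params.get(name.group(), ""), params, depth + 1)
        s = s[name.end():].lstrip()
        if not s:
            return text                           # plain ${name}
        cond = text != ""
    if s.startswith("?"):                         # ?value, ?{v1}, ?{v1}:{v2}, ?{v1}:v2
        then_val, s = _take_value(s[1:])
        else_val = _take_value(s[1:])[0] if s.startswith(":") else ""
        return expand(then_val if cond else else_val, params, depth + 1)
    if s.startswith(":"):                         # :value is used only when $name is empty
        return "" if cond else expand(_take_value(s[1:])[0], params, depth + 1)
    raise ValueError("expected '?' or ':' in %r" % inner)

def expand(value, params, depth=0):
    """Recursively replace $name, ${...}, $(...) and $$ in value."""
    if depth > 50:                                # assumed guard against "a = $a" loops
        raise ValueError("expansion nested too deeply (self-referencing parameter?)")
    out, i = [], 0
    while i < len(value):
        nxt = value[i + 1:i + 2]
        if value[i] != "$" or not nxt:            # ordinary text, or a trailing "$"
            out.append(value[i])
            i += 1
        elif nxt == "$":                          # "$$" yields one "$"
            out.append("$")
            i += 2
        elif nxt in "{(":                         # ${...} or legacy $(...)
            end = _matching(value, i + 1, nxt, "}" if nxt == "{" else ")")
            out.append(_eval_braced(value[i + 2:end], params, depth))
            i = end + 1
        else:
            m = NAME_RE.match(value, i + 1)       # bare $name, or a lone "$" kept as-is
            out.append(expand(params.get(m.group(), ""), params, depth + 1) if m else "$")
            i = m.end() if m else i + 1
    return "".join(out)
```

       Running expand() over every value of parse_main_cf(SAMPLE_MAIN_CF)
       yields, for instance, "mydestination = mail.example.com,
       localhost.example.com, localhost" and "probe_route = direct" (because
       relayhost is empty). Note that "${name:value}" produces the empty
       string when "$name" is non-empty; it is not a shell-style default.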

2bounce_notice_recipient (default: postmaster)
       The recipient of undeliverable mail that cannot be returned to the
       sender. This feature is enabled with the notify_classes parameter.

access_map_defer_code (default: 450)
       The numerical Postfix SMTP server response code for an access(5) map
       "defer" action, including "defer_if_permit" or "defer_if_reject".
       Prior to Postfix 2.6, the response is hard-coded as "450".

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.6 and later.

access_map_reject_code (default: 554)
       The numerical Postfix SMTP server response code for an access(5) map
       "reject" action.

       Do not change this unless you have a complete understanding of RFC
       5321.

address_verify_cache_cleanup_interval (default: 12h)
       The amount of time between verify(8) address verification database
       cleanup runs. This feature requires that the database supports the
       "delete" and "sequence" operators. Specify a zero interval to disable
       database cleanup.

       After each database cleanup run, the verify(8) daemon logs the number
       of entries that were retained and dropped. A cleanup run is logged as
       "partial" when the daemon terminates early after "postfix reload",
       "postfix stop", or no requests for $max_idle seconds.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.7.

address_verify_default_transport (default: $default_transport)
       Overrides the default_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_local_transport (default: $local_transport)
       Overrides the local_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_map (default: see postconf -d output)
       Lookup table for persistent address verification status storage. The
       table is maintained by the verify(8) service, and is opened before the
       process releases privileges.

       The lookup table is persistent by default (Postfix 2.7 and later).
       Specify an empty table name to keep the information in volatile memory
       which is lost after "postfix reload" or "postfix stop". This is the
       default with Postfix version 2.6 and earlier.

       Specify a location in a file system that will not fill up. If the
       database becomes corrupted, the world comes to an end. To recover,
       delete (NOT: truncate) the file and do "postfix reload".

       Postfix daemon processes do not use root privileges when opening this
       file (Postfix 2.5 and later). The file must therefore be stored under
       a Postfix-owned directory such as the data_directory. As a migration
       aid, an attempt to open the file under a non-Postfix directory is
       redirected to the Postfix-owned data_directory, and a warning is
       logged.

       Examples:

       address_verify_map = hash:/var/lib/postfix/verify
       address_verify_map = btree:/var/lib/postfix/verify

       This feature is available in Postfix 2.1 and later.

address_verify_negative_cache (default: yes)
       Enable caching of failed address verification probe results. When this
       feature is enabled, the cache may pollute quickly with garbage. When
       this feature is disabled, Postfix will generate an address probe for
       every lookup.

       This feature is available in Postfix 2.1 and later.

address_verify_negative_expire_time (default: 3d)
       The time after which a failed probe expires from the address
       verification cache.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_negative_refresh_time (default: 3h)
       The time after which a failed address verification probe needs to be
       refreshed.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_pending_request_limit (default: see postconf -d output)
       A safety limit that prevents address verification requests from
       overwhelming the Postfix queue. By default, the number of pending
       requests is limited to 1/4 of the active queue maximum size
       (qmgr_message_active_limit). The queue manager enforces the limit by
       tempfailing requests that exceed the limit. This affects only unknown
       addresses and inactive addresses that have expired, because the
       verify(8) daemon automatically refreshes an active address before it
       expires.

       This feature is available in Postfix 3.1 and later.

address_verify_poll_count (default: normal: 3, overload: 1)
       How many times to query the verify(8) service for the completion of an
       address verification request in progress.

       By default, the Postfix SMTP server polls the verify(8) service up to
       three times under non-overload conditions, and only once when under
       overload. With Postfix version 2.5 and earlier, the SMTP server always
       polls the verify(8) service up to three times by default.

       Specify 1 to implement a crude form of greylisting, that is, always
       defer the first delivery request for a new address.

       Examples:

       # Postfix <= 2.6 default
       address_verify_poll_count = 3
       # Poor man's greylisting
       address_verify_poll_count = 1

       This feature is available in Postfix 2.1 and later.

address_verify_poll_delay (default: 3s)
       The delay between queries for the completion of an address
       verification request in progress.

       The default polling delay is 3 seconds.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_positive_expire_time (default: 31d)
       The time after which a successful probe expires from the address
       verification cache.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_positive_refresh_time (default: 7d)
       The time after which a successful address verification probe needs to
       be refreshed. The address verification status is not updated when the
       probe fails (optimistic caching).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_relay_transport (default: $relay_transport)
       Overrides the relay_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_relayhost (default: $relayhost)
       Overrides the relayhost parameter setting for address verification
       probes. This information can be overruled with the transport(5) table.

       This feature is available in Postfix 2.1 and later.

address_verify_sender (default: $double_bounce_sender)
       The sender address to use in address verification probes; prior to
       Postfix 2.5 the default was "postmaster". To avoid problems with
       address probes that are sent in response to address probes, the
       Postfix SMTP server excludes the probe sender address from all SMTPD
       access blocks.

       Specify an empty value (address_verify_sender =) or <> if you want to
       use the null sender address. Beware, some sites reject mail from <>,
       even though RFCs require that such addresses be accepted.

       Examples:

       address_verify_sender = <>
       address_verify_sender = postmaster@my.domain

       This feature is available in Postfix 2.1 and later.

address_verify_sender_dependent_default_transport_maps (default: $sender_dependent_default_transport_maps)
       Overrides the sender_dependent_default_transport_maps parameter
       setting for address verification probes.

       This feature is available in Postfix 2.7 and later.

address_verify_sender_dependent_relayhost_maps (default: $sender_dependent_relayhost_maps)
       Overrides the sender_dependent_relayhost_maps parameter setting for
       address verification probes.

       This feature is available in Postfix 2.3 and later.

address_verify_sender_ttl (default: 0s)
       The time between changes in the time-dependent portion of address
       verification probe sender addresses. The time-dependent portion is
       appended to the localpart of the address specified with the
       address_verify_sender parameter. This feature is ignored when the
       probe sender address is the null sender, i.e. the
       address_verify_sender value is empty or <>.

       Historically, the probe sender address was fixed. This has caused such
       addresses to end up on spammer mailing lists, and has resulted in
       wasted network and processing resources.

       To enable time-dependent probe sender addresses, specify a non-zero
       time value (an integral value plus an optional one-letter suffix that
       specifies the time unit). Specify a value of at least several hours,
       to avoid problems with senders that use greylisting. Avoid nice TTL
       values, to make the result less predictable. Time units are: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.9 and later.

address_verify_service_name (default: verify)
       The name of the verify(8) address verification service. This service
       maintains the status of sender and/or recipient address verification
       probes, and generates probes on request by other Postfix processes.

address_verify_transport_maps (default: $transport_maps)
       Overrides the transport_maps parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_virtual_transport (default: $virtual_transport)
       Overrides the virtual_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

alias_database (default: see postconf -d output)
       The alias databases for local(8) delivery that are updated with
       "newaliases" or with "sendmail -bi".

       This is a separate configuration parameter because not all the tables
       specified with $alias_maps have to be local files.

       Examples:

       alias_database = hash:/etc/aliases
       alias_database = hash:/etc/mail/aliases

alias_maps (default: see postconf -d output)
       The alias databases that are used for local(8) delivery. See aliases(5)
       for syntax details. Specify zero or more "type:name" lookup tables,
       separated by whitespace or comma. Tables will be searched in the
       specified order until a match is found. Note: these lookups are
       recursive.

       The default list is system dependent. On systems with NIS, the default
       is to search the local alias database, then the NIS alias database.

       If you change the alias database, run "postalias /etc/aliases" (or
       wherever your system stores the mail alias file), or simply run
       "newaliases" to build the necessary DBM or DB file.

       The local(8) delivery agent disallows regular expression substitution
       of $1 etc. in alias_maps, because that would open a security hole.

       The local(8) delivery agent will silently ignore requests to use the
       proxymap(8) server within alias_maps. Instead it will open the table
       directly. Before Postfix version 2.2, the local(8) delivery agent will
       terminate with a fatal error.

       Examples:

       alias_maps = hash:/etc/aliases, nis:mail.aliases
       alias_maps = hash:/etc/aliases

allow_mail_to_commands (default: alias, forward)
       Restrict local(8) mail delivery to external commands. The default is
       to disallow delivery to "|command" in :include: files (see aliases(5)
       for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow
       commands in aliases(5), .forward files or in :include: files,
       respectively.

       Example:

       allow_mail_to_commands = alias,forward,include

allow_mail_to_files (default: alias, forward)
       Restrict local(8) mail delivery to external files. The default is to
       disallow "/file/name" destinations in :include: files (see aliases(5)
       for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow
       "/file/name" destinations in aliases(5), .forward files and in
       :include: files, respectively.

       Example:

       allow_mail_to_files = alias,forward,include

allow_min_user (default: no)
       Allow a sender or recipient address to have `-' as the first character.
       By default, this is not allowed, to avoid accidents with software that
       passes email addresses via the command line. Such software would not be
       able to distinguish a malicious address from a bona fide command-line
       option. Although this can be prevented by inserting a "--" option
       terminator into the command line, this is difficult to enforce
       consistently and globally.

       As of Postfix version 2.5, this feature is implemented by
       trivial-rewrite(8). With earlier versions this feature was implemented
       by qmgr(8) and was limited to recipient addresses only.

allow_percent_hack (default: yes)
       Enable the rewriting of the form "user%domain" to "user@domain". This
       is enabled by default.

       Note: as of Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Example:

       allow_percent_hack = no

allow_untrusted_routing (default: no)
       Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
       from untrusted clients to destinations matching $relay_domains.

       By default, this feature is turned off. This closes a nasty open relay
       loophole where a backup MX host can be tricked into forwarding junk
       mail to a primary MX host which then spams it out to the world.

       This parameter also controls if non-local addresses with
       sender-specified routing can match Postfix access tables. By default,
       such addresses cannot match Postfix access tables, because the address
       is ambiguous.

alternate_config_directories (default: empty)
       A list of non-default Postfix configuration directories that may be
       specified with "-c config_directory" on the command line (in the case
       of sendmail(1), with the "-C" option), or via the MAIL_CONFIG
       environment parameter.

       This list must be specified in the default Postfix main.cf file, and
       will be used by set-gid Postfix commands such as postqueue(1) and
       postdrop(1).

       Specify absolute pathnames, separated by comma or space. Note: $name
       expansion is not supported.

always_add_missing_headers (default: no)
       Always add (Resent-) From:, To:, Date: or Message-ID: headers when not
       present. Postfix 2.6 and later add these headers only when clients
       match the local_header_rewrite_clients parameter setting. Earlier
       Postfix versions always add these headers; this may break DKIM
       signatures that cover non-existent headers. The
       undisclosed_recipients_header parameter setting determines whether a
       To: header will be added.

always_bcc (default: empty)
       Optional address that receives a "blind carbon copy" of each message
       that is received by the Postfix mail system.

       Note: with Postfix 2.3 and later the BCC address is added as if it was
       specified with NOTIFY=NONE. The sender will not be notified when the
       BCC address is undeliverable, as long as all down-stream software
       implements RFC 3461.

       Note: with Postfix 2.2 and earlier the sender will be notified when the
       BCC address is undeliverable.

       Note: automatic BCC recipients are produced only for new mail. To
       avoid mailer loops, automatic BCC recipients are not generated after
       Postfix forwards mail internally, or after Postfix generates mail
       itself.

anvil_rate_time_unit (default: 60s)
       The time unit over which client connection rates and other rates are
       calculated.

       This feature is implemented by the anvil(8) service which is available
       in Postfix version 2.2 and later.

       The default interval is relatively short. Because of the high frequency
       of updates, the anvil(8) server uses volatile memory only. Thus,
       information is lost whenever the process terminates.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

anvil_status_update_time (default: 600s)
       How frequently the anvil(8) connection and rate limiting server logs
       peak usage information.

       This feature is available in Postfix 2.2 and later.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

append_at_myorigin (default: yes)
       With locally submitted mail, append the string "@$myorigin" to mail
       addresses without domain information. With remotely submitted mail,
       append the string "@$remote_header_rewrite_domain" instead.

       Note 1: this feature is enabled by default and must not be turned off.
       Postfix does not support domain-less addresses.

       Note 2: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

append_dot_mydomain (default: Postfix >= 3.0: no, Postfix < 3.0: yes)
       With locally submitted mail, append the string ".$mydomain" to
       addresses that have no ".domain" information. With remotely submitted
       mail, append the string ".$remote_header_rewrite_domain" instead.

       Note 1: this feature is enabled by default. If disabled, users will not
       be able to send mail to "user@partialdomainname" but will have to
       specify full domain names instead.

       Note 2: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

application_event_drain_time (default: 100s)
       How long the postkick(1) command waits for a request to enter the
       Postfix daemon process input buffer before giving up.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

authorized_flush_users (default: static:anyone)
       List of users who are authorized to flush the queue.

       By default, all users are allowed to flush the queue. Access is always
       granted if the invoking user is the super-user or the $mail_owner user.
       Otherwise, the real UID of the process is looked up in the system
       password file, and access is granted only if the corresponding login
       name is on the access list. The username "unknown" is used for
       processes whose real UID is not found in the password file.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a name from the list. The form "!/file/name" is
       supported only in Postfix version 2.4 and later.

       This feature is available in Postfix 2.2 and later.

authorized_mailq_users (default: static:anyone)
       List of users who are authorized to view the queue.

       By default, all users are allowed to view the queue. Access is always
       granted if the invoking user is the super-user or the $mail_owner user.
       Otherwise, the real UID of the process is looked up in the system
       password file, and access is granted only if the corresponding login
       name is on the access list. The username "unknown" is used for
       processes whose real UID is not found in the password file.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a user name from the list. The form "!/file/name"
       is supported only in Postfix version 2.4 and later.

       This feature is available in Postfix 2.2 and later.

authorized_submit_users (default: static:anyone)
       List of users who are authorized to submit mail with the sendmail(1)
       command (and with the privileged postdrop(1) helper command).

       By default, all users are allowed to submit mail. Otherwise, the real
       UID of the process is looked up in the system password file, and access
       is granted only if the corresponding login name is on the access list.
       The username "unknown" is used for processes whose real UID is not
       found in the password file. To deny mail submission access to all users
       specify an empty list.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a user name from the list. The form "!/file/name"
       is supported only in Postfix version 2.4 and later.

       Example:

       authorized_submit_users = !www, static:all

       This feature is available in Postfix 2.2 and later.

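       The following is an added example, not Postfix code, that models the
       user access-list semantics shared by authorized_flush_users,
       authorized_mailq_users and authorized_submit_users: the real UID is
       mapped to a login name ("unknown" when absent from the password file),
       patterns are tried left to right, the first match decides, a matching
       "!pattern" excludes the name, "/file/name" is replaced by its contents
       (with "!/file/name" negating each entry it contains), and a
       "type:table" pattern matches on lookup keys only. The super-user and
       $mail_owner short-cut applies to the flush and mailq lists, not to the
       submit list. The file contents and lookup tables below are constructed
       stand-ins supplied through the read_file and tables arguments; a real
       deployment reads them from disk.

```python
import pwd

# Constructed stand-ins for "/file/name" contents and "type:table" maps (not real).
FAKE_FILES = {"/etc/postfix/queue-admins": "alice bob\n"}
FAKE_TABLES = {"hash:/etc/postfix/submitters": {"carol"}}


def login_name(uid):
    """Map a real UID to its login name; "unknown" when it is not in the password file."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return "unknown"


def _tokens(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return value.replace(",", " ").split()


def _expand_files(patterns, read_file):
    """Replace each "/file/name" (or "!/file/name") by its contents, keeping negation."""
    out = []
    for pat in patterns:
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        if not body.startswith("/"):
            out.append(pat)
            continue
        for inner in _expand_files(_tokens(read_file(body)), read_file):
            if negate:                            # "!/file" negates every entry it holds
                inner = inner[1:] if inner.startswith("!") else "!" + inner
            out.append(inner)
    return out


def _pattern_matches(name, pattern, tables):
    """One pattern: a literal user name, or "type:table" matched on its lookup keys."""
    if ":" not in pattern:
        return name == pattern
    if pattern.startswith("static:"):             # static:all / static:anyone: any key matches
        return True
    return name in tables.get(pattern, ())        # the lookup result itself is ignored


def user_is_listed(name, access_list, tables=None, read_file=None):
    """Left to right, first match decides; a matching "!pattern" excludes the name."""
    tables = tables or {}
    read_file = read_file or (lambda path: open(path).read())
    for pat in _expand_files(_tokens(access_list), read_file):
        negate = pat.startswith("!")
        if _pattern_matches(name, pat[1:] if negate else pat, tables):
            return not negate
    return False                                  # nothing matched: not authorized


def may_flush_queue(name, access_list, mail_owner="postfix", **kw):
    """authorized_flush_users / authorized_mailq_users: root and $mail_owner always pass."""
    return name in ("root", mail_owner) or user_is_listed(name, access_list, **kw)


def may_submit_mail(name, access_list, **kw):
    """authorized_submit_users: the list alone decides; an empty list denies everyone."""
    return user_is_listed(name, access_list, **kw)


if __name__ == "__main__":
    for user in ("www", "alice", "unknown"):
        print(user, may_submit_mail(user, "!www, static:all"))
```

       With the page's example "authorized_submit_users = !www, static:all",
       the name "www" hits the negated pattern first and is refused, while
       every other name, including "unknown", falls through to static:all
       and is accepted. Because a "type:table" pattern matches on keys alone,
       putting a name in such a table with any value at all authorizes it.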

authorized_verp_clients (default: $mynetworks)
       What remote SMTP clients are allowed to specify the XVERP command.
       This command requests that mail be delivered one recipient at a time
       with a per-recipient return address.

       By default, only trusted clients are allowed to specify XVERP.

       This parameter was introduced with Postfix version 1.1. Postfix
       version 2.1 renamed this parameter to smtpd_authorized_verp_clients
       and changed the default to none.

       Specify a list of network/netmask patterns, separated by commas
       and/or whitespace. The mask specifies the number of bits in the
       network part of a host address. You can also specify hostnames or
       .domain names (the initial dot causes the domain to match any name
       below it), "/file/name" or "type:table" patterns. A "/file/name"
       pattern is replaced by its contents; a "type:table" lookup table is
       matched when a table entry matches a lookup string (the lookup
       result is ignored). Continue long lines by starting the next line
       with whitespace. Specify "!pattern" to exclude an address or network
       block from the list. The form "!/file/name" is supported only in
       Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside []
       in the authorized_verp_clients value, and in files specified with
       "/file/name". IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.
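
       The list syntax above is shared by several network/netmask
       parameters (mynetworks, debug_peer_list and others). The following
       Python model is an added example, not Postfix code: it applies the
       documented rules (first match wins, "!pattern" exclusion,
       "/file/name" inclusion, hostname and ".domain" matching, IPv6 inside
       []) to a client address, and shows what happens when an IPv6 address
       is written without []. The handling of "!/file/name" (every pattern
       in the file is treated as excluded) and the treatment of
       "type:table" items as a non-match are assumptions of this model; the
       addresses, file and hostnames in it are constructed.

```python
# Added example (not Postfix code): a model of the network/netmask list
# matching documented for authorized_verp_clients and similar parameters.
import ipaddress
import os
import tempfile


def split_list(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return value.replace(",", " ").split()


def classify(pattern):
    """Classify a list item (without any leading "!") as "file", "network",
    "table", "domain" or "host", following the documented syntax. An
    unbracketed IPv6 address contains ":" and therefore lands in "table"."""
    if pattern.startswith("/"):
        return "file"
    if pattern.startswith("["):
        if "]" not in pattern:
            raise ValueError("unbalanced [] in %r" % pattern)
        return "network"
    if ":" in pattern:
        return "table"
    if pattern.startswith("."):
        return "domain"
    try:
        ipaddress.ip_network(pattern, strict=False)
        return "network"
    except ValueError:
        return "host"


def to_network(pattern):
    """Build an ip_network from "a.b.c.d", "a.b.c.d/bits" or "[v6]/bits"."""
    if pattern.startswith("["):
        close = pattern.index("]")
        pattern = pattern[1:close] + pattern[close + 1:]
    return ipaddress.ip_network(pattern, strict=False)


def expand_files(items):
    """Replace "/file/name" items by the file's patterns. ASSUMPTION: a
    "!/file/name" item excludes every pattern read from that file."""
    out = []
    for item in items:
        negate = item.startswith("!")
        body = item[1:] if negate else item
        if classify(body) == "file":
            with open(body) as fh:
                for p in split_list(fh.read()):
                    out.append(("!" + p) if negate else p)
        else:
            out.append(item)
    return out


def client_is_listed(value, address, hostname=None, warnings=None):
    """First match wins; a matching "!pattern" excludes the client.
    "type:table" lookups are not modelled here and never match."""
    addr = ipaddress.ip_address(address)
    for item in expand_files(split_list(value)):
        negate = item.startswith("!")
        body = item[1:] if negate else item
        kind = classify(body)
        if kind == "network":
            hit = addr in to_network(body)
        elif kind == "domain":
            hit = hostname is not None and hostname.lower().endswith(body.lower())
        elif kind == "host":
            hit = hostname is not None and hostname.lower() == body.lower()
        else:
            if warnings is not None:
                warnings.append("%r taken as a type:table lookup" % body)
            hit = False
        if hit:
            return not negate
    return False


def demo():
    """Constructed list: an exclusion, a pattern file, a bracketed IPv6
    network and a .domain pattern."""
    with tempfile.NamedTemporaryFile("w", suffix=".cidr", delete=False) as fh:
        fh.write("10.10.0.0/16\n[2001:db8::]/32\n")
        path = fh.name
    try:
        value = "!10.10.5.1, %s, [::1]/128, .example.com" % path
        return {
            "loopback_v6": client_is_listed(value, "::1"),
            "file_v4": client_is_listed(value, "10.10.7.7"),
            "excluded": client_is_listed(value, "10.10.5.1"),
            "file_v6": client_is_listed(value, "2001:db8::1"),
            "subdomain": client_is_listed(value, "203.0.113.9", "mx.example.com"),
            "other": client_is_listed(value, "203.0.113.9", "mx.example.net"),
        }
    finally:
        os.unlink(path)
```

       The point of the classify() step is the caveat in the note above:
       "::1" without brackets is not an address pattern at all but a table
       specification, so the client you meant to list is never matched,
       while "[::1]" or "[::1]/128" matches as intended. The same applies
       to patterns read from a "/file/name".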

backwards_bounce_logfile_compatibility (default: yes)
       Produce additional bounce(8) logfile records that can be read by
       Postfix versions before 2.0. The current and more extensible "name =
       value" format is needed in order to implement more sophisticated
       functionality.

       This feature is available in Postfix 2.1 and later.

berkeley_db_create_buffer_size (default: 16777216)
       The per-table I/O buffer size for programs that create Berkeley DB
       hash or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

berkeley_db_read_buffer_size (default: 131072)
       The per-table I/O buffer size for programs that read Berkeley DB
       hash or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

best_mx_transport (default: empty)
       Where the Postfix SMTP client should deliver mail when it detects a
       "mail loops back to myself" error condition. This happens when the
       local MTA is the best SMTP mail exchanger for a destination not
       listed in $mydestination, $inet_interfaces, $proxy_interfaces,
       $virtual_alias_domains, or $virtual_mailbox_domains. By default, the
       Postfix SMTP client returns such mail as undeliverable.

       Specify, for example, "best_mx_transport = local" to pass the mail
       from the Postfix SMTP client to the local(8) delivery agent. You can
       specify any message delivery "transport" or "transport:nexthop" that
       is defined in the master.cf file. See the transport(5) manual page
       for the syntax and meaning of "transport" or "transport:nexthop".

       However, this feature is expensive because it ties up a Postfix SMTP
       client process while the local(8) delivery agent is doing its work.
       It is more efficient (for Postfix) to list all hosted domains in a
       table or database.

biff (default: yes)
       Whether or not to use the local biff service. This service sends
       "new mail" notifications to users who have requested new mail
       notification with the UNIX command "biff y".

       For compatibility reasons this feature is on by default. On systems
       with lots of interactive users, the biff service can be a
       performance drain. Specify "biff = no" in main.cf to disable.

body_checks (default: empty)
       Optional lookup tables for content inspection as specified in the
       body_checks(5) manual page.

       Note: with Postfix versions before 2.0, these rules inspect all
       content after the primary message headers.

body_checks_size_limit (default: 51200)
       How much text in a message body segment (or attachment, if you
       prefer to use that term) is subjected to body_checks inspection.
       The amount of text is limited to avoid scanning huge attachments.

       This feature is available in Postfix 2.0 and later.

bounce_notice_recipient (default: postmaster)
       The recipient of postmaster notifications with the message headers
       of mail that Postfix did not deliver and of SMTP conversation
       transcripts of mail that Postfix did not receive. This feature is
       enabled with the notify_classes parameter.

bounce_queue_lifetime (default: 5d)
       Consider a bounce message as undeliverable when delivery fails with
       a temporary error, and the time in the queue has reached the
       bounce_queue_lifetime limit. By default, this limit is the same as
       for regular mail.

       Time units: s (seconds), m (minutes), h (hours), d (days), w
       (weeks). The default time unit is d (days).

       Specify 0 when mail delivery should be tried only once.

       This feature is available in Postfix 2.1 and later.

bounce_service_name (default: bounce)
       The name of the bounce(8) service. This service maintains a record
       of failed delivery attempts and generates non-delivery
       notifications.

       This feature is available in Postfix 2.0 and later.

bounce_size_limit (default: 50000)
       The maximal amount of original message text that is sent in a
       non-delivery notification. Specify a byte count. A message is
       returned as either message/rfc822 (the complete original) or as
       text/rfc822-headers (the headers only). With Postfix version 2.4 and
       earlier, a message is always returned as message/rfc822 and is
       truncated when it exceeds the size limit.

       Notes:

       ·      If you increase this limit, then you should increase the
              mime_nesting_limit value proportionally.

       ·      Be careful when making changes. Excessively large values will
              result in the loss of non-delivery notifications, when a
              bounce message size exceeds a local or remote MTA's message
              size limit.

bounce_template_file (default: empty)
       Pathname of a configuration file with bounce message templates.
       These override the built-in templates of delivery status
       notification (DSN) messages for undeliverable mail, for delayed
       mail, successful delivery, or delivery verification. The bounce(5)
       manual page describes how to edit and test template files.

       Template message body text may contain $name references to Postfix
       configuration parameters. The result of $name expansion can be
       previewed with "postconf -b file_name" before the file is placed
       into the Postfix configuration directory.

       This feature is available in Postfix 2.3 and later.

broken_sasl_auth_clients (default: no)
       Enable interoperability with remote SMTP clients that implement an
       obsolete version of the AUTH command (RFC 4954). Examples of such
       clients are Microsoft Outlook Express version 4 and Microsoft
       Exchange version 5.0.

       Specify "broken_sasl_auth_clients = yes" to have Postfix advertise
       AUTH support in a non-standard way.

canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)
       What addresses are subject to canonical_maps address mapping. By
       default, canonical_maps address mapping is applied to envelope
       sender and recipient addresses, and to header sender and header
       recipient addresses.

       Specify one or more of: envelope_sender, envelope_recipient,
       header_sender, header_recipient

       This feature is available in Postfix 2.2 and later.

canonical_maps (default: empty)
       Optional address mapping lookup tables for message headers and
       envelopes. The mapping is applied to both sender and recipient
       addresses, in both envelopes and in headers, as controlled with the
       canonical_classes parameter. This is typically used to clean up
       dirty addresses from legacy mail systems, or to replace login names
       by Firstname.Lastname. The table format and lookups are documented
       in canonical(5). For an overview of Postfix address manipulations
       see the ADDRESS_REWRITING_README document.

       Specify zero or more "type:name" lookup tables, separated by
       whitespace or comma. Tables will be searched in the specified order
       until a match is found. Note: these lookups are recursive.

       If you use this feature, run "postmap /etc/postfix/canonical" to
       build the necessary DBM or DB file after every change. The changes
       will become visible after a minute or so. Use "postfix reload" to
       eliminate the delay.

       Note: with Postfix version 2.2, message header address mapping
       happens only when message header address rewriting is enabled:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Examples:

       canonical_maps = dbm:/etc/postfix/canonical
       canonical_maps = hash:/etc/postfix/canonical

cleanup_service_name (default: cleanup)
       The name of the cleanup(8) service. This service rewrites addresses
       into the standard form, and performs canonical(5) address mapping
       and virtual(5) aliasing.

       This feature is available in Postfix 2.0 and later.

command_directory (default: see postconf -d output)
       The location of all postfix administrative commands.

command_execution_directory (default: empty)
       The local(8) delivery agent working directory for delivery to an
       external command. Failure to change directory causes the delivery
       to be deferred.

       The command_execution_directory value is not subject to Postfix
       configuration parameter $name expansion. Instead, the following
       $name expansions are done on command_execution_directory before the
       directory is used. Expansion happens in the context of the delivery
       request. The result of $name expansion is filtered with the
       character set that is specified with the
       execution_directory_expansion_filter parameter.

       $user  The recipient's username.

       $shell The recipient's login shell pathname.

       $home  The recipient's home directory.

       $recipient
              The full recipient address.

       $extension
              The optional recipient address extension.

       $domain
              The recipient domain.

       $local The entire recipient localpart.

       $recipient_delimiter
              The address extension delimiter that was found in the
              recipient address (Postfix 2.11 and later), or the
              system-wide recipient address extension delimiter (Postfix
              2.10 and earlier).

       ${name?value}
              Expands to value when $name is non-empty.

       ${name:value}
              Expands to value when $name is empty.

       Instead of $name you can also specify ${name} or $(name).

       This feature is available in Postfix 2.2 and later.
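
       The following Python model is an added example, not the local(8)
       delivery agent's code: it performs the $name, ${name}, $(name),
       ${name?value} and ${name:value} expansions listed above on a
       constructed delivery request, and runs each expanded attribute value
       through a character-set filter that replaces disallowed characters
       with underscores, as described under command_expansion_filter. The
       allowed character set used here, and the home directory and shell
       attached to the constructed recipients, are assumptions; check the
       real set with "postconf -d execution_directory_expansion_filter".

```python
# Added example (not local(8) code): a model of the $name expansion and the
# expansion filter documented for command_execution_directory.
import re

# ASSUMPTION: the allowed set of the expansion filter. Check the real value
# with "postconf -d execution_directory_expansion_filter".
ASSUMED_FILTER = ("1234567890!@%-_=+:,./"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

TOKEN = re.compile(
    r"\$\{(?P<n1>[A-Za-z0-9_]+)(?:(?P<op>[?:])(?P<alt>[^}]*))?\}"
    r"|\$\((?P<n2>[A-Za-z0-9_]+)\)"
    r"|\$(?P<n3>[A-Za-z0-9_]+)")


def filter_value(value, allowed=ASSUMED_FILTER):
    """Replace every character outside the allowed set with an underscore."""
    return "".join(c if c in allowed else "_" for c in value)


def expand(template, attrs, allowed=ASSUMED_FILTER):
    """Expand $name, ${name}, $(name), ${name?text} and ${name:text}.
    Attribute values are filtered; literal template text is not. The text
    inside ${name?text} and ${name:text} is expanded recursively (nested
    braces are not supported in this model)."""
    def sub(m):
        name = m.group("n1") or m.group("n2") or m.group("n3")
        value = attrs.get(name, "")
        op = m.group("op")
        if op == "?":
            return expand(m.group("alt"), attrs, allowed) if value else ""
        if op == ":":
            return "" if value else expand(m.group("alt"), attrs, allowed)
        return filter_value(value, allowed)
    return TOKEN.sub(sub, template)


def recipient_attrs(recipient, delimiter="+"):
    """Derive the documented attributes from a recipient address. The home
    directory and login shell are constructed for the example."""
    local, _, domain = recipient.partition("@")
    if delimiter and delimiter in local:
        user, extension = local.split(delimiter, 1)
        found = delimiter
    else:
        user, extension, found = local, "", ""
    return {
        "user": user, "extension": extension, "domain": domain,
        "local": local, "recipient": recipient,
        "recipient_delimiter": found,
        "home": "/home/" + user, "shell": "/bin/sh",
    }


def demo():
    """Constructed recipients, including one whose address extension
    carries shell metacharacters."""
    template = "${extension?$home/in/$extension}${extension:$home/in/default}"
    return {
        "plain": expand(template, recipient_attrs("bob@example.com")),
        "ext": expand(template, recipient_attrs("bob+lists@example.com")),
        "hostile": expand(template,
                          recipient_attrs("bob+x;rm -rf `id`@example.com")),
    }
```

       The filter is a character allow-list, not a path check: in the
       model above ";", space and "`" in the extension become underscores,
       but "." and "/" are permitted, so an extension such as "../evil"
       passes through unchanged. The protection against a bad working
       directory is the documented deferral when the chdir fails, not the
       filter.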

command_expansion_filter (default: see postconf -d output)
       Restrict the characters that the local(8) delivery agent allows in
       $name expansions of $mailbox_command and
       $command_execution_directory. Characters outside the allowed set
       are replaced by underscores.

command_time_limit (default: 1000s)
       Time limit for delivery to external commands. This limit is used by
       the local(8) delivery agent, and is the default time limit for
       delivery by the pipe(8) delivery agent.

       Note: if you set this time limit to a large value you must update
       the global ipc_timeout parameter as well.

compatibility_level (default: 0)
       A safety net that causes Postfix to run with backwards-compatible
       default settings after an upgrade to a newer Postfix version.

       With backwards compatibility turned on (the main.cf
       compatibility_level value is less than the Postfix built-in value),
       Postfix looks for settings that are left at their implicit default
       value, and logs a message when a backwards-compatible default
       setting is required.

           using backwards-compatible default setting name=value
               to [accept a specific client request]

           using backwards-compatible default setting name=value
               to [enable specific Postfix behavior]

       See COMPATIBILITY_README for specific message details. If such a
       message is logged in the context of a legitimate request, the
       system administrator should make the backwards-compatible setting
       permanent in main.cf or master.cf, for example:

           # postconf name=value
           # postfix reload

       When no more backwards-compatible settings need to be made
       permanent, the administrator should turn off backwards
       compatibility by updating the compatibility_level setting in
       main.cf:

           # postconf compatibility_level=N
           # postfix reload

       For N specify the number that is logged in your postfix(1) warning
       message:

           warning: To disable backwards compatibility use "postconf
               compatibility_level=N" and "postfix reload"

       This feature is available in Postfix 3.0 and later.
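
       As an added example (not part of Postfix), the following Python
       code scans constructed maillog lines for the two messages quoted
       above, counts how often each backwards-compatible setting was
       needed and with which logged reason, and produces the commands in
       the order the procedure above prescribes: make the reviewed settings
       permanent first, raise compatibility_level last, then reload. The
       log lines, the parameter values in them and the level number are
       constructed for the example.

```python
# Added example (not Postfix code): extract backwards-compatible default
# settings from maillog lines and turn them into the postconf commands
# described under compatibility_level.
import re
import shlex
from collections import Counter

SETTING_RE = re.compile(
    r"using backwards-compatible default setting "
    r"(?P<name>[A-Za-z0-9_]+)=(?P<value>\S+) to (?P<reason>.*)$")
LEVEL_RE = re.compile(r'postconf compatibility_level=(?P<level>\d+)')

# Constructed sample log lines (values and level chosen for illustration,
# not taken from a real upgrade).
SAMPLE_LOG = """\
Jun  1 10:00:01 mx1 postfix/smtpd[2171]: using backwards-compatible default setting relay_domains=$mydestination to accept a specific client request
Jun  1 10:00:01 mx1 postfix/smtpd[2171]: using backwards-compatible default setting relay_domains=$mydestination to accept a specific client request
Jun  1 10:00:05 mx1 postfix/local[2180]: using backwards-compatible default setting append_dot_mydomain=yes to enable specific Postfix behavior
Jun  1 10:00:09 mx1 postfix/postfix-script[2100]: warning: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
"""


def scan(lines):
    """Return (Counter of (name, value) -> hit count, first logged reason
    per setting, compatibility level from the warning or None)."""
    settings = Counter()
    reasons = {}
    level = None
    for line in lines:
        m = SETTING_RE.search(line)
        if m:
            key = (m.group("name"), m.group("value"))
            settings[key] += 1
            reasons.setdefault(key, m.group("reason").strip())
            continue
        m = LEVEL_RE.search(line)
        if m:
            level = int(m.group("level"))
    return settings, reasons, level


def plan(lines):
    """Commands in the documented order: each setting (to be reviewed
    against its logged reason and hit count before it is made permanent),
    then the compatibility_level bump, then the reload. Values are
    shell-quoted because they may contain "$name" references."""
    settings, reasons, level = scan(lines)
    cmds = ["postconf %s=%s" % (name, shlex.quote(value))
            for name, value in sorted(settings)]
    if level is not None:
        cmds.append("postconf compatibility_level=%d" % level)
    cmds.append("postfix reload")
    return cmds
```

       The hit count and reason are what decide whether a setting deserves
       to be made permanent: a relay-related setting that only ever fired
       for requests you would not have wanted to accept is not "a
       legitimate request" in the sense above, and should be left to the
       stricter new default rather than copied into main.cf.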

config_directory (default: see postconf -d output)
       The default location of the Postfix main.cf and master.cf
       configuration files. This can be overruled via the following
       mechanisms:

       ·      The MAIL_CONFIG environment variable (daemon processes and
              commands).

       ·      The "-c" command-line option (commands only).

       With Postfix commands that run with set-gid privileges, a
       config_directory override requires either root privileges, or it
       requires that the directory is listed with the
       alternate_config_directories parameter in the default main.cf file.

confirm_delay_cleared (default: no)
       After sending a "your message is delayed" notification, inform the
       sender when the delay clears up. This can result in a sudden burst
       of notifications at the end of a prolonged network outage, and is
       therefore disabled by default.

       See also: delay_warning_time.

       This feature is available in Postfix 3.0 and later.

connection_cache_protocol_timeout (default: 5s)
       Time limit for connection cache connect, send or receive
       operations. The time limit is enforced in the client.

       This feature is available in Postfix 2.3 and later.

connection_cache_service_name (default: scache)
       The name of the scache(8) connection cache service. This service
       maintains a limited pool of cached sessions.

       This feature is available in Postfix 2.2 and later.

connection_cache_status_update_time (default: 600s)
       How frequently the scache(8) server logs usage statistics with
       connection cache hit and miss rates for logical destinations and
       for physical endpoints.

connection_cache_ttl_limit (default: 2s)
       The maximal time-to-live value that the scache(8) connection cache
       server allows. Requests that specify a larger TTL will be stored
       with the maximum allowed TTL. The purpose of this additional control
       is to protect the infrastructure against careless people. The cache
       TTL is already bounded by $max_idle.

content_filter (default: empty)
       After the message is queued, send the entire message to the
       specified transport:destination. The transport name specifies the
       first field of a mail delivery agent definition in master.cf; the
       syntax of the next-hop destination is described in the manual page
       of the corresponding delivery agent. More information about external
       content filters is in the Postfix FILTER_README file.

       Notes:

       ·      This setting has lower precedence than a FILTER action that
              is specified in an access(5), header_checks(5) or
              body_checks(5) table.

       ·      The meaning of an empty next-hop filter destination is
              version dependent. Postfix 2.7 and later will use the
              recipient domain; earlier versions will use $myhostname.
              Specify "default_filter_nexthop = $myhostname" for
              compatibility with Postfix 2.6 or earlier, or specify a
              content_filter value with an explicit next-hop destination.

cyrus_sasl_config_path (default: empty)
       Search path for Cyrus SASL application configuration files,
       currently used only to locate the $smtpd_sasl_path.conf file.
       Specify zero or more directories separated by a colon character, or
       an empty value to use Cyrus SASL's built-in search path.

       This feature is available in Postfix 2.5 and later when compiled
       with Cyrus SASL 2.1.22 or later.

daemon_directory (default: see postconf -d output)
       The directory with Postfix support programs and daemon programs.
       These should not be invoked directly by humans. The directory must
       be owned by root.

daemon_table_open_error_is_fatal (default: no)
       How a Postfix daemon process handles errors while opening lookup
       tables: gradual degradation or immediate termination.

        no  (default)
              Gradual degradation: a daemon process logs a message of type
              "error" and continues execution with reduced functionality.
              Features that do not depend on the unavailable table will
              work normally, while features that depend on the table will
              result in a type "warning" message.
              When the notify_classes parameter value contains the "data"
              class, the Postfix SMTP server and client will report
              transcripts of sessions with an error because a table is
              unavailable.

        yes  (historical behavior)
              Immediate termination: a daemon process logs a type "fatal"
              message and terminates immediately. This option reduces the
              number of possible code paths through Postfix, and may
              therefore be slightly more secure than the default.

       For the sake of sanity, the number of type "error" messages is
       limited to 13 over the lifetime of a daemon process.

       This feature is available in Postfix 2.9 and later.

daemon_timeout (default: 18000s)
       How much time a Postfix daemon process may take to handle a request
       before it is terminated by a built-in watchdog timer.

       Time units: s (seconds), m (minutes), h (hours), d (days), w
       (weeks). The default time unit is s (seconds).

data_directory (default: see postconf -d output)
       The directory with Postfix-writable data files (for example:
       caches, pseudo-random numbers). This directory must be owned by the
       mail_owner account, and must not be shared with non-Postfix
       software.

       This feature is available in Postfix 2.5 and later.

debug_peer_level (default: 2)
       The increment in verbose logging level when a remote client or
       server matches a pattern in the debug_peer_list parameter.

debug_peer_list (default: empty)
       Optional list of remote client or server hostname or network
       address patterns that cause the verbose logging level to increase
       by the amount specified in $debug_peer_level.

       Specify domain names, network/netmask patterns, "/file/name"
       patterns or "type:table" lookup tables. The right-hand side result
       from "type:table" lookups is ignored.

       Pattern matching of domain names is controlled by the presence or
       absence of "debug_peer_list" in the parent_domain_matches_subdomains
       parameter value.

       Examples:

       debug_peer_list = 127.0.0.1
       debug_peer_list = example.com

debugger_command (default: empty)
       The external command to execute when a Postfix daemon program is
       invoked with the -D option.

       Use "command .. & sleep 5" so that the debugger can attach before
       the process marches on. If you use an X-based debugger, be sure to
       set up your XAUTHORITY environment variable before starting
       Postfix.

       Note: the command is subject to $name expansion, before it is
       passed to the default command interpreter. Specify "$$" to produce
       a single "$" character.

       Example:

       debugger_command =
           PATH=/usr/bin:/usr/X11R6/bin
           ddd $daemon_directory/$process_name $process_id & sleep 5

default_database_type (default: see postconf -d output)
       The default database type for use in newaliases(1), postalias(1)
       and postmap(1) commands. On many UNIX systems the default type is
       either dbm or hash. The default setting is frozen when the Postfix
       system is built.

       Examples:

       default_database_type = hash
       default_database_type = dbm

default_delivery_slot_cost (default: 5)
       How often the Postfix queue manager's scheduler is allowed to
       preempt delivery of one message with another.

       Each transport maintains a so-called "available delivery slot
       counter" for each message. One message can be preempted by another
       one when the other message can be delivered using no more delivery
       slots (i.e., invocations of delivery agents) than the current
       message counter has accumulated (or will eventually accumulate -
       see about slot loans below). This parameter controls how often the
       counter is incremented - it happens after each
       default_delivery_slot_cost recipients have been delivered.

       The cost of 0 is used to disable the preempting scheduling
       completely. The minimum value the scheduling algorithm can use is 2
       - use it if you want to maximize the message throughput rate.
       Although there is no maximum, it doesn't make much sense to use
       values above say 50.

       The only reason why the value of 2 is not the default is the way
       this parameter affects the delivery of mailing-list mail. In the
       worst case, delivery can take somewhere between (cost+1)/cost and
       cost/(cost-1) times more than if the preemptive scheduler was
       disabled. The default value of 5 turns out to provide reasonable
       message response times while making sure the mailing-list
       deliveries are not extended by more than 20-25 percent even in the
       worst case.

       Use transport_delivery_slot_cost to specify a transport-specific
       override, where transport is the master.cf name of the message
       delivery transport.

       Examples:

       default_delivery_slot_cost = 0
       default_delivery_slot_cost = 2

default_delivery_slot_discount (default: 50)
       The default value for transport-specific _delivery_slot_discount
       settings.

       This parameter speeds up the moment when a message preemption can
       happen. Instead of waiting until the full amount of delivery slots
       required is available, the preemption can happen when
       transport_delivery_slot_discount percent of the required amount
       plus transport_delivery_slot_loan still remains to be accumulated.
       Note that the full amount will still have to be accumulated before
       another preemption can take place later.

       Use transport_delivery_slot_discount to specify a transport-specific
       override, where transport is the master.cf name of the message
       delivery transport.

default_delivery_slot_loan (default: 3)
       The default value for transport-specific _delivery_slot_loan
       settings.

       This parameter speeds up the moment when a message preemption can
       happen. Instead of waiting until the full amount of delivery slots
       required is available, the preemption can happen when
       transport_delivery_slot_discount percent of the required amount
       plus transport_delivery_slot_loan still remains to be accumulated.
       Note that the full amount will still have to be accumulated before
       another preemption can take place later.

       Use transport_delivery_slot_loan to specify a transport-specific
       override, where transport is the master.cf name of the message
       delivery transport.

default_delivery_status_filter (default: empty)
       Optional filter to replace the delivery status code or explanatory
       text of successful or unsuccessful deliveries. This does not allow
       the replacement of a successful status code (2.X.X) with an
       unsuccessful status code (4.X.X or 5.X.X) or vice versa.

       Note: the (smtp|lmtp)_delivery_status_filter is applied only once
       per recipient: when delivery is successful, when delivery is
       rejected with 5XX, or when there are no more alternate MX or A
       destinations. Use smtp_reply_filter or lmtp_reply_filter to inspect
       responses for all delivery attempts.

       The following parameters can be used to implement a filter for
       specific delivery agents: lmtp_delivery_status_filter,
       local_delivery_status_filter, pipe_delivery_status_filter,
       smtp_delivery_status_filter or virtual_delivery_status_filter.
       These parameters support the same filter syntax as described here.

       Specify zero or more "type:table" lookup table names, separated by
       comma or whitespace. For each successful or unsuccessful delivery
       to a recipient, the tables are queried in the specified order with
       one line of text that is structured as follows:

           enhanced-status-code SPACE explanatory-text

       The first table match wins. The lookup result must have the same
       structure as the query, a successful status code (2.X.X) must be
       replaced with a successful status code, an unsuccessful status code
       (4.X.X or 5.X.X) must be replaced with an unsuccessful status code,
       and the explanatory text field must be non-empty. Other results
       will result in a warning.

       Example 1: convert specific soft TLS errors into hard errors, by
       overriding the first number in the enhanced status code.

           /etc/postfix/main.cf:
               smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter

           /etc/postfix/smtp_dsn_filter:
               /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
                   5$1
               /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
                   5$1
               # Do not change the following into hard bounces. They may
               # result from a local configuration problem.
               # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
               # 4.\d+.\d+ TLS is required, but unavailable
               # 4.\d+.\d+ Cannot start TLS: handshake failure

       Example 2: censor the per-recipient delivery status text so that it
       does not reveal the destination command or filename when a remote
       sender requests confirmation of successful delivery.

           /etc/postfix/main.cf:
               local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter

           /etc/postfix/local_dsn_filter:
               /^(2\S+ delivered to file).+/    $1
               /^(2\S+ delivered to command).+/ $1

       Notes:

       ·      This feature will NOT override the soft_bounce safety net.

       ·      This feature will change the enhanced status code and text
              that is logged to the maillog file, and that is reported to
              the sender in delivery confirmation or non-delivery
              notifications.

       This feature is available in Postfix 3.0 and later.
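
       The following Python code is an added example, not Postfix's own
       filter implementation: it reads pcre tables in the form used in the
       two examples above (a pattern line followed by an indented
       replacement line, $N back-references, "#" comments), applies the
       first matching rule to a "status SPACE text" query, and enforces the
       documented constraints that a 2.X.X code may only be replaced by a
       2.X.X code, a 4.X.X or 5.X.X code only by a 4.X.X or 5.X.X code,
       and that the text must be non-empty. A result that violates a
       constraint is reported as a warning and the original status is
       kept; that the original is kept is an assumption of this model. The
       delivery results fed into it are constructed.

```python
# Added example (not Postfix code): a model of the delivery status filter
# described in postconf(5), using the two example tables from the manual.
import re


def parse_pcre_table(text):
    """Parse a minimal pcre: table: "/pattern/ replacement" rules, where a
    line starting with whitespace continues the previous rule and "#" lines
    are comments. Only the "/" delimiter without flags is supported."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    rules = []
    for line in logical:
        m = re.match(r"^/((?:\\.|[^/\\])*)/\s+(.*)$", line)
        if not m:
            raise ValueError("unparsable pcre rule: %r" % line)
        pattern, repl = m.group(1), m.group(2).strip()
        # pcre "$1" back-references become Python "\g<1>" for Match.expand()
        repl = re.sub(r"\$(\d+)", lambda d: "\\g<%s>" % d.group(1), repl)
        rules.append((re.compile(pattern), repl))
    return rules


STATUS_RE = re.compile(r"^[245]\.\d{1,3}\.\d{1,3}$")


def apply_status_filter(rules, status, text):
    """Return (status, text, warning). The first matching rule's expanded
    replacement is the result; a result that changes the success/failure
    class, has a malformed code, or has empty text is refused with a
    warning and the original status and text are kept."""
    query = "%s %s" % (status, text)
    for rx, repl in rules:
        m = rx.search(query)
        if not m:
            continue
        result = m.expand(repl)
        new_status, _, new_text = result.partition(" ")
        new_text = new_text.strip()
        if not STATUS_RE.match(new_status):
            return status, text, "malformed status in result %r" % result
        if (status[0] == "2") != (new_status[0] == "2"):
            return status, text, "class change %s -> %s refused" % (status, new_status)
        if not new_text:
            return status, text, "empty explanatory text in result %r" % result
        return new_status, new_text, None
    return status, text, None


# The two tables shown in the manual page.
SMTP_DSN_FILTER = r"""
/^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
    5$1
/^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
    5$1
# Do not change the following into hard bounces. They may
# result from a local configuration problem.
# 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
# 4.\d+.\d+ TLS is required, but unavailable
# 4.\d+.\d+ Cannot start TLS: handshake failure
"""

LOCAL_DSN_FILTER = r"""
/^(2\S+ delivered to file).+/    $1
/^(2\S+ delivered to command).+/ $1
"""


def demo():
    """Constructed delivery results run through both tables."""
    smtp = parse_pcre_table(SMTP_DSN_FILTER)
    local = parse_pcre_table(LOCAL_DSN_FILTER)
    return [
        apply_status_filter(smtp, "4.7.4", "TLS is required, but host "
                            "mx.example.net[203.0.113.5] refused to start TLS: "
                            "454 TLS not available"),
        apply_status_filter(smtp, "4.7.5", "Cannot start TLS: handshake failure"),
        apply_status_filter(local, "2.0.0", "delivered to file: /var/mail/alice"),
        apply_status_filter(local, "2.0.0", "delivered to command: /usr/bin/procmail"),
    ]
```

       The second query deliberately matches none of the rules: a
       handshake failure stays a soft error, as the comments in the table
       ask. The local table shows why the class rule matters in the other
       direction: the censoring rules keep the 2.X.X code and only strip
       the file name or command from the text that a remote sender would
       otherwise see in a delivery confirmation.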

default_destination_concurrency_failed_cohort_limit (default: 1)
       How many pseudo-cohorts must suffer connection or handshake failure
       before a specific destination is considered unavailable (and
       further delivery is suspended). Specify zero to disable this
       feature. A destination's pseudo-cohort failure count is reset each
       time a delivery completes without connection or handshake failure
       for that specific destination.

       A pseudo-cohort is the number of deliveries equal to a
       destination's delivery concurrency.

       Use transport_destination_concurrency_failed_cohort_limit to
       specify a transport-specific override, where transport is the
       master.cf name of the message delivery transport.

       This feature is available in Postfix 2.5 and later. The default
       setting is compatible with earlier Postfix versions.

default_destination_concurrency_limit (default: 20)
       The default maximal number of parallel deliveries to the same
       destination. This is the default limit for delivery via the
       lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents. With
       per-destination recipient limit > 1, a destination is a domain,
       otherwise it is a recipient.

       Use transport_destination_concurrency_limit to specify a
       transport-specific override, where transport is the master.cf name
       of the message delivery transport.

default_destination_concurrency_negative_feedback (default: 1)
       The per-destination amount of delivery concurrency negative
       feedback, after a delivery completes with a connection or handshake
       failure. Feedback values are in the range 0..1 inclusive. With
       negative feedback, concurrency is decremented at the beginning of a
       sequence of length 1/feedback. This is unlike positive feedback,
       where concurrency is incremented at the end of a sequence of length
       1/feedback.

       As of Postfix version 2.5, negative feedback cannot reduce delivery
       concurrency to zero. Instead, a destination is marked dead (further
       delivery suspended) after the failed pseudo-cohort count reaches
       $default_destination_concurrency_failed_cohort_limit (or
       $transport_destination_concurrency_failed_cohort_limit). To make
       the scheduler completely immune to connection or handshake
       failures, specify a zero feedback value and a zero failed
       pseudo-cohort limit.

       Specify one of the following forms:

       number

       number / number
              Constant feedback. The value must be in the range 0..1
              inclusive. The default setting of "1" is compatible with
              Postfix versions before 2.5, where a destination's delivery
              concurrency is throttled down to zero (and further delivery
              suspended) after a single failed pseudo-cohort.

       number / concurrency
              Variable feedback of "number / (delivery concurrency)". The
              number must be in the range 0..1 inclusive. With number
              equal to "1", a destination's delivery concurrency is
              decremented by 1 after each failed pseudo-cohort.

       A pseudo-cohort is the number of deliveries equal to a
       destination's delivery concurrency.

       Use transport_destination_concurrency_negative_feedback to specify
       a transport-specific override, where transport is the master.cf
       name of the message delivery transport.

       This feature is available in Postfix 2.5 and later. The default
       setting is compatible with earlier Postfix versions.

default_destination_concurrency_positive_feedback (default: 1)

       The per-destination amount of delivery concurrency positive feedback, after a delivery completes without connection or handshake failure. Feedback values are in the range 0..1 inclusive. The concurrency increases until it reaches the per-destination maximal concurrency limit. With positive feedback, concurrency is incremented at the end of a sequence with length 1/feedback. This is unlike negative feedback, where concurrency is decremented at the start of a sequence of length 1/feedback.

       Specify one of the following forms:

       number

       number / number
              Constant feedback. The value must be in the range 0..1 inclusive. The default setting of "1" is compatible with Postfix versions before 2.5, where a destination's delivery concurrency doubles after each successful pseudo-cohort.

       number / concurrency
              Variable feedback of "number / (delivery concurrency)". The number must be in the range 0..1 inclusive. With number equal to "1", a destination's delivery concurrency is incremented by 1 after each successful pseudo-cohort.

       A pseudo-cohort is the number of deliveries equal to a destination's delivery concurrency.

       Use transport_destination_concurrency_positive_feedback to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

       This feature is available in Postfix 2.5 and later.


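       The four concurrency parameters above (the limit, the positive and negative feedback, and the failed pseudo-cohort limit) interact, and the effect of a change is easier to judge when it can be played through before it reaches main.cf. The following model is an added example and not Postfix's own scheduler code: it implements the documented rules (increment at the end of a 1/feedback run of successes, decrement at the start of a 1/feedback run of failures, never below 1, destination marked dead when the failed-cohort count reaches the limit, count reset on success). The starting concurrency and the exact bookkeeping of partial cohorts are this model's own assumptions.

```python
"""Model of the queue manager's per-destination concurrency feedback.

Added example, not Postfix code: it plays through the documented
behaviour of default_destination_concurrency_limit,
*_positive_feedback, *_negative_feedback and *_failed_cohort_limit.
The starting concurrency and the handling of partial cohorts are
modelling assumptions.
"""
from typing import Callable


def parse_feedback(spec: str) -> Callable[[int], float]:
    """Parse "number", "number / number" or "number / concurrency".

    Returns a function mapping the current delivery concurrency to the
    per-delivery feedback (the constant forms ignore their argument).
    """
    spec = spec.replace(" ", "")
    if "/" in spec:
        num_text, den_text = spec.split("/", 1)
        num = float(num_text)
        if den_text == "concurrency":
            if not 0.0 <= num <= 1.0:
                raise ValueError(f"feedback number out of range 0..1: {spec}")
            return lambda concurrency: num / concurrency
        value = num / float(den_text)
    else:
        value = float(spec)
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"feedback value out of range 0..1: {spec}")
    return lambda concurrency: value


class Destination:
    """Scheduler state for one destination (a domain or a recipient)."""

    def __init__(self, limit=20, positive="1", negative="1",
                 failed_cohort_limit=1, concurrency=1):
        self.limit = limit                                # concurrency limit
        self.positive = parse_feedback(positive)
        self.negative = parse_feedback(negative)
        self.failed_cohort_limit = failed_cohort_limit    # 0 disables the check
        self.concurrency = concurrency                    # assumed starting window
        self.dead = False
        self.failed_cohorts = 0.0        # failures, in units of one pseudo-cohort
        self._positive_progress = 0.0    # progress through a 1/feedback run of successes
        self._negative_remaining = 0.0   # failures left in the current 1/feedback run

    def success(self) -> None:
        """A delivery completed without connection or handshake failure."""
        if self.dead:
            return
        self.failed_cohorts = 0.0        # documented: the failure count is reset
        if self.concurrency >= self.limit:
            return
        # Positive feedback: increment at the END of a run of 1/feedback successes.
        self._positive_progress += self.positive(self.concurrency)
        if self._positive_progress >= 1.0 - 1e-9:
            self._positive_progress = 0.0
            self.concurrency = min(self.limit, self.concurrency + 1)

    def failure(self) -> None:
        """A delivery completed with a connection or handshake failure."""
        if self.dead:
            return
        # A pseudo-cohort is `concurrency` deliveries, so one failure counts
        # as 1/concurrency of a cohort (with the concurrency in effect).
        self.failed_cohorts += 1.0 / self.concurrency
        if (self.failed_cohort_limit > 0
                and self.failed_cohorts >= self.failed_cohort_limit - 1e-9):
            self.dead = True             # further delivery suspended
            return
        step = self.negative(self.concurrency)
        if step == 0.0:
            return                       # zero feedback: concurrency never shrinks
        # Negative feedback: decrement at the START of a run of 1/feedback failures.
        if self._negative_remaining <= 1e-9:
            self.concurrency = max(1, self.concurrency - 1)   # never below 1 (Postfix >= 2.5)
            self._positive_progress = 0.0
            self._negative_remaining = 1.0
        self._negative_remaining -= step


def run(dest: Destination, outcomes: str) -> list:
    """Feed 'S' (success) / 'F' (failure) outcomes in order and return the
    concurrency after each delivery, 0 once the destination is dead."""
    history = []
    for outcome in outcomes:
        dest.success() if outcome == "S" else dest.failure()
        history.append(0 if dest.dead else dest.concurrency)
    return history
```

With the defaults (constant feedback 1) every success adds one and every failure removes one, which is the pre-2.5 "double per successful cohort, die after one failed cohort" behaviour; with "1/concurrency" the window moves by one per cohort instead, and with a zero negative feedback plus a zero cohort limit failures have no effect at all, as the text promises.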
default_destination_rate_delay (default: 0s)

       The default amount of delay that is inserted between individual message deliveries to the same destination and over the same message delivery transport. Specify a non-zero value to rate-limit those message deliveries to at most one per $default_destination_rate_delay.

       The resulting behavior depends on the value of the corresponding per-destination recipient limit.

       ·      With a corresponding per-destination recipient limit > 1, the rate delay specifies the time between deliveries to the same domain. Different domains are delivered in parallel, subject to the process limits specified in master.cf.

       ·      With a corresponding per-destination recipient limit equal to 1, the rate delay specifies the time between deliveries to the same recipient. Different recipients are delivered in parallel, subject to the process limits specified in master.cf.

       To enable the delay, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

       NOTE: the delay is enforced by the queue manager. The delay timer state does not survive "postfix reload" or "postfix stop".

       Use transport_destination_rate_delay to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

       NOTE: with a non-zero transport_destination_rate_delay, specify a transport_destination_concurrency_failed_cohort_limit of 10 or more to prevent Postfix from deferring all mail for the same destination after only one connection or handshake error.

       This feature is available in Postfix 2.5 and later.


default_destination_recipient_limit (default: 50)

       The default maximal number of recipients per message delivery. This is the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents.

       Setting this parameter to a value of 1 affects email deliveries as follows:

       ·      It changes the meaning of the corresponding per-destination concurrency limit, from concurrency of deliveries to the same domain into concurrency of deliveries to the same recipient. Different recipients are delivered in parallel, subject to the process limits specified in master.cf.

       ·      It changes the meaning of the corresponding per-destination rate delay, from the delay between deliveries to the same domain into the delay between deliveries to the same recipient. Again, different recipients are delivered in parallel, subject to the process limits specified in master.cf.

       ·      It changes the meaning of other corresponding per-destination settings in a similar manner, from settings for delivery to the same domain into settings for delivery to the same recipient.

       Use transport_destination_recipient_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.


default_extra_recipient_limit (default: 1000)

       The default value for the extra per-transport limit imposed on the number of in-memory recipients. This extra recipient space is reserved for the cases when the Postfix queue manager's scheduler preempts one message with another and suddenly needs some extra recipient slots for the chosen message in order to avoid performance degradation.

       Use transport_extra_recipient_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.


default_filter_nexthop (default: empty)

       When a content_filter or FILTER request specifies no explicit next-hop destination, use $default_filter_nexthop instead; when that value is empty, use the domain in the recipient address. Specify "default_filter_nexthop = $myhostname" for compatibility with Postfix version 2.6 and earlier, or specify an explicit next-hop destination with each content_filter value or FILTER action.

       This feature is available in Postfix 2.7 and later.


default_minimum_delivery_slots (default: 3)

       How many recipients a message must have in order to invoke the Postfix queue manager's scheduling algorithm at all. Messages which would never accumulate at least this many delivery slots (subject to the slot cost parameter as well) are never preempted.

       Use transport_minimum_delivery_slots to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.


default_privs (default: nobody)

       The default rights used by the local(8) delivery agent for delivery to an external file or command. These rights are used when delivery is requested from an aliases(5) file that is owned by root, or when delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.


default_process_limit (default: 100)

       The default maximal number of Postfix child processes that provide a given service. This limit can be overruled for specific services in the master.cf file.


default_rbl_reply (default: see postconf -d output)

       The default Postfix SMTP server response template for a request that is rejected by an RBL-based restriction. This template can be overruled by specific entries in the optional rbl_reply_maps lookup table.

       This feature is available in Postfix 2.0 and later.

       The template does not support Postfix configuration parameter $name substitution. Instead, it supports exactly one level of $name substitution for the following attributes:

       $client
              The client hostname and IP address, formatted as name[address].

       $client_address
              The client IP address.

       $client_name
              The client hostname or "unknown". See reject_unknown_client_hostname for more details.

       $reverse_client_name
              The client hostname from address->name lookup, or "unknown". See reject_unknown_reverse_client_hostname for more details.

       $helo_name
              The hostname given in the HELO or EHLO command, or the empty string.

       $rbl_class
              The blacklisted entity type: Client host, Helo command, Sender address, or Recipient address.

       $rbl_code
              The numerical SMTP response code, as specified with the maps_rbl_reject_code configuration parameter. Note: the numerical SMTP response code is required, and must appear at the start of the reply. With Postfix version 2.3 and later this information may be followed by an RFC 3463 enhanced status code.

       $rbl_domain
              The RBL domain where $rbl_what is blacklisted.

       $rbl_reason
              The reason why $rbl_what is blacklisted, or an empty string.

       $rbl_what
              The entity that is blacklisted (an IP address, a hostname, a domain name, or an email address whose domain was blacklisted).

       $recipient
              The recipient address or <> in case of the null address.

       $recipient_domain
              The recipient domain or empty string.

       $recipient_name
              The recipient address localpart or <> in case of the null address.

       $sender
              The sender address or <> in case of the null address.

       $sender_domain
              The sender domain or empty string.

       $sender_name
              The sender address localpart or <> in case of the null address.

       ${name?text}
              Expands to `text' if $name is not empty.

       ${name:text}
              Expands to `text' if $name is empty.

       Instead of $name you can also specify ${name} or $(name).

       Note: when an enhanced status code is specified in an RBL reply template, it is subject to modification. The following transformations are needed when the same RBL reply template is used for client, helo, sender, or recipient access restrictions.

       ·      When rejecting a sender address, the Postfix SMTP server will transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding sender DSN status, and vice versa.

       ·      When rejecting non-address information (such as the HELO command argument or the client hostname/address), the Postfix SMTP server will transform a sender or recipient DSN status into a generic non-address DSN status (e.g., 4.0.0).


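       Operators who customise default_rbl_reply or rbl_reply_maps usually want to preview what a template expands to, and to confirm that the result still starts with the required numerical code. The expander below is an added example and not Postfix's own template code: it implements exactly the one-level substitution listed above ($name, ${name}, $(name), ${name?text}, ${name:text}), inserting attribute values verbatim (never re-expanding them) while the `text` of a conditional may itself contain attribute references. An attribute that is not set expands to the empty string (an assumption here). The template and attribute values in the block are constructed samples; compare with "postconf -d default_rbl_reply" on the system at hand.

```python
"""One-level $name expansion for RBL reply templates.

Added example, not Postfix code. Attribute values are inserted verbatim
(one level of substitution); the text inside ${name?text} / ${name:text}
is expanded. Unset attributes expand to "" (assumption).
"""
import re

ATTRIBUTE_RE = re.compile(
    r"\$(?:"
    r"(?P<bare>[A-Za-z0-9_]+)"                                   # $name
    r"|\{(?P<braced>[A-Za-z0-9_]+)\}"                            # ${name}
    r"|\((?P<paren>[A-Za-z0-9_]+)\)"                             # $(name)
    r"|\{(?P<cond>[A-Za-z0-9_]+)(?P<op>[?:])(?P<text>[^{}]*)\}"  # ${name?text} / ${name:text}
    r")"
)

# Constructed sample: the shape of a stock-style reply template.
SAMPLE_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                   "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")

# Constructed sample attributes, in the shape the SMTP server provides them.
SAMPLE_ATTRS = {
    "rbl_code": "554 5.7.1",
    "rbl_class": "Client host",
    "rbl_what": "192.0.2.10",
    "rbl_domain": "dnsbl.example",
    "rbl_reason": "",
    "client": "unknown[192.0.2.10]",
}


def expand_rbl_reply(template: str, attrs: dict) -> str:
    """Expand one level of $name references in `template` from `attrs`."""

    def substitute(match: re.Match) -> str:
        name = match.group("bare") or match.group("braced") or match.group("paren")
        if name:
            # Value inserted as-is: a "$" inside a value is NOT expanded again.
            return attrs.get(name, "")
        value = attrs.get(match.group("cond"), "")
        wanted = (value != "") if match.group("op") == "?" else (value == "")
        # The conditional text may itself refer to attributes.
        return expand_rbl_reply(match.group("text"), attrs) if wanted else ""

    return ATTRIBUTE_RE.sub(substitute, template)


def reply_starts_with_code(reply: str) -> bool:
    """Check the documented requirement: a 3-digit SMTP code at the start,
    optionally followed by an RFC 3463 enhanced status code."""
    return re.match(r"^[245]\d\d(?: [245]\.\d{1,3}\.\d{1,3})? ", reply) is not None
```

Running `expand_rbl_reply(SAMPLE_TEMPLATE, SAMPLE_ATTRS)` yields a reply without the "; reason" tail because $rbl_reason is empty; setting a reason adds it. The `reply_starts_with_code` check catches the common mistake of starting a custom template with prose rather than with $rbl_code.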
default_recipient_limit (default: 20000)

       The default per-transport upper limit on the number of in-memory recipients. These limits take priority over the global qmgr_message_recipient_limit after the message has been assigned to the respective transports. See also default_extra_recipient_limit and qmgr_message_recipient_minimum.

       Use transport_recipient_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.


default_recipient_refill_delay (default: 5s)

       The default per-transport maximum delay between recipient refills. When not all message recipients fit into memory at once, keep loading more of them at least once every this many seconds. This is used to make sure the recipients are refilled in a timely manner even when $default_recipient_refill_limit is too high for too slow deliveries.

       Use transport_recipient_refill_delay to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

       This feature is available in Postfix 2.4 and later.


default_recipient_refill_limit (default: 100)

       The default per-transport limit on the number of recipients refilled at once. When not all message recipients fit into memory at once, keep loading more of them in batches of at least this many at a time. See also $default_recipient_refill_delay, which may result in recipient batches smaller than this when this limit is too high for too slow deliveries.

       Use transport_recipient_refill_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

       This feature is available in Postfix 2.4 and later.


default_transport (default: smtp)

       The default mail delivery transport and next-hop destination for destinations that do not match $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or $relay_domains. This information can be overruled with the sender_dependent_default_transport_maps parameter and with the transport(5) table.

       In order of decreasing precedence, the nexthop destination is taken from $sender_dependent_default_transport_maps, $default_transport, $sender_dependent_relayhost_maps, $relayhost, or from the recipient domain.

       Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. The :nexthop destination is optional; its syntax is documented in the manual page of the corresponding delivery agent. In the case of SMTP or LMTP, specify one or more destinations separated by comma or whitespace (with Postfix 3.5 and later).

       Example:

       default_transport = uucp:relayhostname


default_transport_rate_delay (default: 0s)

       The default amount of delay that is inserted between individual message deliveries over the same message delivery transport, regardless of destination. Specify a non-zero value to rate-limit those message deliveries to at most one per $default_transport_rate_delay.

       Use transport_transport_rate_delay to specify a transport-specific override, where the initial transport is the master.cf name of the message delivery transport.

       Example: throttle outbound SMTP mail to at most 3 deliveries per minute.

       /etc/postfix/main.cf:
           smtp_transport_rate_delay = 20s

       To enable the delay, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

       NOTE: the delay is enforced by the queue manager.

       This feature is available in Postfix 3.1 and later.


default_verp_delimiters (default: +=)

       The two default VERP delimiter characters. These are used when no explicit delimiters are specified with the SMTP XVERP command or with the "sendmail -V" command-line option. Specify characters that are allowed by the verp_delimiter_filter setting.

       This feature is available in Postfix 1.1 and later.


defer_code (default: 450)

       The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "defer" restriction.

       Do not change this unless you have a complete understanding of RFC 5321.


defer_service_name (default: defer)

       The name of the defer service. This service is implemented by the bounce(8) daemon and maintains a record of failed delivery attempts and generates non-delivery notifications.

       This feature is available in Postfix 2.0 and later.


defer_transports (default: empty)

       The names of message delivery transports that should not deliver mail unless someone issues "sendmail -q" or equivalent. Specify zero or more mail delivery transport names that appear in the first field of master.cf.

       Example:

       defer_transports = smtp


delay_logging_resolution_limit (default: 2)

       The maximal number of digits after the decimal point when logging sub-second delay values. Specify a number in the range 0..6.

       Large delay values are rounded off to an integral number of seconds; delay values below the delay_logging_resolution_limit are logged as "0", and delay values under 100s are logged with at most two-digit precision.

       The format of the "delays=a/b/c/d" logging is as follows:

       ·      a = time from message arrival to last active queue entry

       ·      b = time from last active queue entry to connection setup

       ·      c = time in connection setup, including DNS, EHLO and STARTTLS

       ·      d = time in message transmission

       This feature is available in Postfix 2.3 and later.


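       The a/b/c/d split is the first thing to read when deliveries are slow, because each field points at a different subsystem (queue pressure, scheduler, DNS/TLS handshake, the remote server's throughput). The parser below is an added example, not part of Postfix: it extracts the four phases from delivery log lines and flags deliveries where the connection-setup phase dominates, which is the usual sign of resolver or STARTTLS trouble rather than queue backlog. The log lines, host names and threshold are constructed samples.

```python
"""Parse the delays=a/b/c/d field of Postfix delivery log lines.

Added example, not Postfix code. The log lines below are constructed
samples in the shape of postfix/smtp delivery records.
"""
import re

# Phase names in the documented a/b/c/d order.
PHASES = ("before_active", "active_to_connect", "connection_setup", "transmission")

LOG_RE = re.compile(
    r"(?P<queue_id>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), "
    r"(?:conn_use=\d+, )?delay=(?P<delay>[\d.]+), "
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+)"
)

SAMPLE_LINES = [  # constructed
    "Mar  1 10:00:01 mx1 postfix/smtp[4242]: 3Pt2mN2VXxznjll: to=<alice@example.net>, "
    "relay=mx.example.net[192.0.2.25]:25, delay=12, delays=0.05/0.01/11.5/0.4, "
    "dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Mar  1 10:00:02 mx1 postfix/smtp[4243]: 3Pt2mN2VXxzyyyy: to=<bob@example.org>, "
    "relay=mx.example.org[198.51.100.7]:25, delay=0.83, delays=0.02/0/0.31/0.5, "
    "dsn=2.0.0, status=sent (250 OK)",
    "Mar  1 10:00:03 mx1 postfix/smtp[4244]: 3Pt2mN2VXxzbbbb: to=<carol@example.com>, "
    "relay=none, delay=3605, delays=3605/0/0/0, dsn=4.4.1, status=deferred "
    "(connect to mx.example.com[203.0.113.5]:25: Connection timed out)",
]


def parse_delays(line: str):
    """Return a record with the four phase timings, or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "queue_id": m.group("queue_id"),
        "recipient": m.group("rcpt"),
        "relay": m.group("relay"),
        "delay": float(m.group("delay")),
        "phases": dict(zip(PHASES, (float(m.group(k)) for k in "abcd"))),
    }


def slowest_phase(record: dict) -> str:
    """Name of the phase that consumed the most time."""
    return max(record["phases"], key=record["phases"].get)


def flag_slow_setup(lines, threshold: float = 5.0):
    """Deliveries whose connection setup (DNS, EHLO, STARTTLS) took at least
    `threshold` seconds and was the dominant phase: (queue_id, relay, seconds)."""
    flagged = []
    for line in lines:
        rec = parse_delays(line)
        if rec is None:
            continue
        setup = rec["phases"]["connection_setup"]
        if setup >= threshold and slowest_phase(rec) == "connection_setup":
            flagged.append((rec["queue_id"], rec["relay"], setup))
    return flagged
```

Note that the logged `delay=` total is rounded independently of the four components under the resolution rules above, so the parts need not sum exactly to the total; compare phases against each other, not against the total.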
delay_notice_recipient (default: postmaster)

       The recipient of postmaster notifications with the message headers of mail that cannot be delivered within $delay_warning_time time units.

       See also: delay_warning_time, notify_classes.


delay_warning_time (default: 0h)

       The time after which the sender receives a copy of the message headers of mail that is still queued. The confirm_delay_cleared parameter controls sender notification when the delay clears up.

       To enable this feature, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is h (hours).

       See also: delay_notice_recipient, notify_classes, confirm_delay_cleared.


deliver_lock_attempts (default: 20)

       The maximal number of attempts to acquire an exclusive lock on a mailbox file or bounce(8) logfile.


deliver_lock_delay (default: 1s)

       The time between attempts to acquire an exclusive lock on a mailbox file or bounce(8) logfile.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).


destination_concurrency_feedback_debug (default: no)

       Make the queue manager's feedback algorithm verbose for performance analysis purposes.

       This feature is available in Postfix 2.5 and later.


detect_8bit_encoding_header (default: yes)

       Automatically detect 8BITMIME body content by looking at Content-Transfer-Encoding: message headers; historically, this behavior was hard-coded to be "always on".

       This feature is available in Postfix 2.5 and later.


disable_dns_lookups (default: no)

       Disable DNS lookups in the Postfix SMTP and LMTP clients. When disabled, hosts are looked up with the getaddrinfo() system library routine which normally also looks in /etc/hosts. As of Postfix 2.11, this parameter is deprecated; use smtp_dns_support_level instead.

       DNS lookups are enabled by default.


disable_mime_input_processing (default: no)

       Turn off MIME processing while receiving mail. This means that no special treatment is given to Content-Type: message headers, and that all text after the initial message headers is considered to be part of the message body.

       This feature is available in Postfix 2.0 and later.

       MIME input processing is enabled by default, and is needed in order to recognize MIME headers in message content.


disable_mime_output_conversion (default: no)

       Disable the conversion of 8BITMIME format to 7BIT format. MIME output conversion is needed when the destination does not advertise 8BITMIME support.

       This feature is available in Postfix 2.0 and later.


disable_verp_bounces (default: no)

       Disable sending one bounce report per recipient.

       The default, one per recipient, is what ezmlm needs.

       This feature is available in Postfix 1.1 and later.


disable_vrfy_command (default: no)

       Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.

       Example:

       disable_vrfy_command = no


dns_ncache_ttl_fix_enable (default: no)

       Enable a workaround for future libc incompatibility. The Postfix implementation of RFC 2308 negative reply caching relies on the promise that res_query() and res_search() invoke res_send(), which returns the server response in an application buffer even if the requested record does not exist. If this promise is broken, specify "yes" to enable a workaround for DNS reputation lookups.

       This feature is available in Postfix 3.1 and later.


dnsblog_reply_delay (default: 0s)

       A debugging aid to artificially delay DNS responses.

       This feature is available in Postfix 2.8.


dnsblog_service_name (default: dnsblog)

       The name of the dnsblog(8) service entry in master.cf. This service performs DNS white/blacklist lookups.

       This feature is available in Postfix 2.8 and later.


dnssec_probe (default: ns:.)

       The DNS query type (default: "ns") and DNS query name (default: ".") that Postfix may use to determine whether DNSSEC validation is available.

       Background: DNSSEC validation is needed for Postfix DANE support; this ensures that Postfix receives TLSA records with secure TLS server certificate info. When DNSSEC validation is unavailable, mail deliveries using opportunistic DANE will not be protected by server certificate info in TLSA records, and mail deliveries using mandatory DANE will not be made at all.

       By default, a Postfix process will send a DNSSEC probe after 1) the process made a DNS query that requested DNSSEC validation, 2) the process did not receive a DNSSEC validated response to this query or to an earlier query, and 3) the process did not already send a DNSSEC probe.

       When the DNSSEC probe has no response, or when the response is not DNSSEC validated, Postfix logs a warning that DNSSEC validation may be unavailable.

       Example:

       warning: DNSSEC validation may be unavailable
       warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
       warning: reason: dnssec_probe 'ns:.' received no response: Server failure

       Possible reasons why DNSSEC validation may be unavailable:

       ·      The local /etc/resolv.conf file specifies a DNS resolver that does not validate DNSSEC signatures (that's $queue_directory/etc/resolv.conf when a Postfix daemon runs in a chroot jail).

       ·      The local system library does not pass on the "DNSSEC validated" bit to Postfix, or Postfix does not know how to ask the library to do that.

       By default, the DNSSEC probe asks for the DNS root zone NS records, because resolvers should always have that information cached. If Postfix runs on a network where the DNS root zone is not reachable, specify a different probe, or specify an empty dnssec_probe value to disable the feature.

       This feature was backported from Postfix 3.6 to Postfix versions 3.5.9, 3.4.19, 3.3.16, 3.2.21.


dont_remove (default: 0)

       Don't remove queue files and save them to the "saved" mail queue. This is a debugging aid. To inspect the envelope information and content of a Postfix queue file, use the postcat(1) command.


double_bounce_sender (default: double-bounce)

       The sender address of postmaster notifications that are generated by the mail system. All mail to this address is silently discarded, in order to terminate mail bounce loops.


duplicate_filter_limit (default: 1000)

       The maximal number of addresses remembered by the address duplicate filter for aliases(5) or virtual(5) alias expansion, or for showq(8) queue displays.


empty_address_default_transport_maps_lookup_key (default: <>)

       The sender_dependent_default_transport_maps search string that will be used instead of the null sender address.

       This feature is available in Postfix 2.7 and later.


empty_address_recipient (default: MAILER-DAEMON)

       The recipient of mail addressed to the null address. Postfix does not accept such addresses in SMTP commands, but they may still be created locally as the result of configuration or software error.


empty_address_relayhost_maps_lookup_key (default: <>)

       The sender_dependent_relayhost_maps search string that will be used instead of the null sender address.

       This feature is available in Postfix 2.5 and later. With earlier versions, sender_dependent_relayhost_maps lookups were skipped for the null sender address.


enable_errors_to (default: no)

       Report mail delivery errors to the address specified with the non-standard Errors-To: message header, instead of the envelope sender address (this feature is removed with Postfix version 2.2, is turned off by default with Postfix version 2.1, and is always turned on with older Postfix versions).


enable_idna2003_compatibility (default: no)

       Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. Specify "yes" for compatibility with Postfix <= 3.1 (not recommended). This affects the conversion of domain names that contain for example the German sz and the Greek zeta. See http://unicode.org/cldr/utility/idna.jsp for more examples.

       This feature is available in Postfix 3.2 and later.


enable_long_queue_ids (default: no)

1900       Enable long, non-repeating, queue IDs (queue file names).  The  benefit
1901       of  non-repeating  names  is  simpler logfile analysis and easier queue
1902       migration (there is no need to run "postsuper"  to  change  queue  file
1903       names that don't match their message file inode number).
1904
1905       Note:  see below for how to convert long queue file names to Postfix <=
1906       2.8.
1907
1908       Changing the parameter value to "yes" has the following effects:
1909
1910       ·      Existing queue file names are not affected.
1911
1912       ·      New queue files are created with names such as  3Pt2mN2VXxznjll.
1913              These  are encoded in a 52-character alphabet that contains dig‐
1914              its (0-9),  upper-case  letters  (B-Z)  and  lower-case  letters
1915              (b-z).  For  safety reasons the vowels (AEIOUaeiou) are excluded
1916              from the alphabet.  The name format is: 6 or more characters for
1917              the  time in seconds, 4 characters for the time in microseconds,
1918              the 'z'; the remainder is the file inode number encoded  in  the
1919              first 51 characters of the 52-character alphabet.
1920
1921       ·      New messages have a Message-ID header with queueID@myhostname.
1922
1923       ·      The  mailq  (postqueue  -p)  output has a wider Queue ID column.
1924              The number of whitespace-separated fields is not changed.
1925
1926       ·      The hash_queue_depth algorithm uses the first characters of  the
1927              queue  file creation time in microseconds, after conversion into
1928              hexadecimal representation. This produces the same queue hashing
1929              behavior   as   if   the   queue  file  name  was  created  with
1930              "enable_long_queue_ids = no".
1931
1932       Changing the parameter value to "no" has the following effects:
1933
1934       ·      Existing long queue file names are renamed  to  the  short  form
1935              (while running "postfix reload" or "postsuper").
1936
1937       ·      New  queue files are created with names such as C3CD21F3E90 from
1938              a hexadecimal alphabet that contains digits (0-9) and upper-case
1939              letters  (A-F). The name format is: 5 characters for the time in
1940              microseconds; the remainder is the file inode number.
1941
1942       ·      New messages have a Message-ID header with
1943              YYYYMMDDHHMMSS.queueid@myhostname, where YYYYMMDDHHMMSS are the
1944              year, month, day, hour, minute and second.
1945
1946       ·      The mailq (postqueue -p) output has  the  same  format  as  with
1947              Postfix <= 2.8.
1948
1949       ·      The  hash_queue_depth algorithm uses the first characters of the
1950              queue file name, with the hexadecimal representation of the file
1951              creation time in microseconds.
1952
1953       Before migration to Postfix <= 2.8, the following commands are required
1954       to convert long queue file names into short names:
1955
1956       # postfix stop
1957       # postconf enable_long_queue_ids=no
1958       # postsuper
1959
1960       Repeat the postsuper command until it reports no more queue  file  name
1961       changes.
1962
1963       This feature is available in Postfix 2.9 and later.
1964

enable_original_recipient (default: yes)

1966       Enable  support  for the original recipient address after an address is
1967       rewritten to a different address (for example  with  aliasing  or  with
1968       canonical mapping).
1969
1970       The original recipient address is used as follows:
1971
1972       Final delivery
1973              With  "enable_original_recipient  = yes", the original recipient
1974              address is stored in  the  X-Original-To  message  header.  This
1975              header  may  be used to distinguish between different recipients
1976              that share the same mailbox.
1977
1978       Recipient deduplication
1979              With "enable_original_recipient = yes",  the  cleanup(8)  daemon
1980              performs duplicate recipient elimination based on the content of
1981              (original recipient, maybe-rewritten recipient)  pairs.   Other‐
1982              wise,  the cleanup(8) daemon performs duplicate recipient elimi‐
1983              nation based only on the maybe-rewritten recipient address.
1984
1985       Note: with Postfix <= 3.2 the setting "enable_original_recipient = no"
1986       breaks address verification for addresses that are aliased or otherwise
1987       rewritten (Postfix is unable to store the address  verification  result
1988       under the original probe destination address; instead, it can store the
1989       result only under the rewritten address).
1990
1991       This feature is available in Postfix 2.1 and later. Postfix version 2.0
1992       behaves  as  if  this parameter is always set to yes.  Postfix versions
1993       before 2.0 have no support for the original recipient address.
1994

error_notice_recipient (default: postmaster)

1996       The recipient of postmaster notifications about mail delivery  problems
1997       that  are  caused  by  policy,  resource,  software or protocol errors.
1998       These notifications are enabled with the notify_classes parameter.
1999

error_service_name (default: error)

2001       The name of the error(8) pseudo delivery  agent.  This  service  always
2002       returns mail as undeliverable.
2003
2004       This feature is available in Postfix 2.0 and later.
2005

execution_directory_expansion_filter (default: see postconf -d output)

2007       Restrict  the  characters  that  the  local(8) delivery agent allows in
2008       $name expansions of $command_execution_directory.   Characters  outside
2009       the allowed set are replaced by underscores.
2010
2011       This feature is available in Postfix 2.2 and later.
2012

expand_owner_alias (default: no)

2014       When  delivering  to an alias "aliasname" that has an "owner-aliasname"
2015       companion alias, set the envelope sender address to  the  expansion  of
2016       the  "owner-aliasname"  alias.   Normally,  Postfix  sets  the envelope
2017       sender address to the name of the "owner-aliasname" alias.
2018

export_environment (default: see postconf -d output)

2020       The list of environment variables that a Postfix process will export to
2021       non-Postfix  processes. The TZ variable is needed for sane time keeping
2022       on System-V-ish systems.
2023
2024       Specify a list of names and/or name=value pairs,  separated  by  white‐
2025       space or comma. Specify "{ name=value }" to protect whitespace or comma
2026       in parameter values (whitespace after the opening "{"  and  before  the
2027       closing  "}" is ignored). The form name=value is supported with Postfix
2028       version 2.1 and later; the use of {} is supported with Postfix 3.0  and
2029       later.
2030
2031       Example:
2032
2033       export_environment = TZ PATH=/bin:/usr/bin
2034

extract_recipient_limit (default: 10240)

2036       The  maximal  number  of  recipient addresses that Postfix will extract
2037       from message headers when mail is submitted with "sendmail -t".
2038
2039       This feature was removed in Postfix version 2.1.
2040

fallback_relay (default: empty)

2042       Optional list of relay hosts for SMTP destinations that can't be  found
2043       or  that are unreachable. With Postfix 2.3 this parameter is renamed to
2044       smtp_fallback_relay.
2045
2046       By default, mail is returned to the sender when a  destination  is  not
2047       found, and delivery is deferred when a destination is unreachable.
2048
2049       The  fallback relays must be SMTP destinations. Specify a domain, host,
2050       host:port, [host]:port, [address] or [address]:port;  the  form  [host]
2051       turns off MX lookups.  If you specify multiple SMTP destinations, Post‐
2052       fix will try them in the specified order.
2053
2054       Note: before Postfix 2.2, do not use the  fallback_relay  feature  when
2055       relaying  mail  for  a  backup  or  primary  MX domain. Mail would loop
2056       between the Postfix MX host and the fallback_relay host when the  final
2057       destination is unavailable. To exempt those domains from fallback_relay:
2058
2059       ·      In main.cf specify "relay_transport = relay",
2060
2061       ·      In  master.cf specify "-o fallback_relay =" (i.e., empty) at the
2062              end of the relay entry.
2063
2064       ·      In transport maps, specify "relay:nexthop..."  as the right-hand
2065              side for backup or primary MX domain entries.
2066
2067       Postfix  version  2.2 and later will not use the fallback_relay feature
2068       for destinations that it is MX host for.
2069

fallback_transport (default: empty)

2071       Optional message delivery transport that the  local(8)  delivery  agent
2072       should use for names that are not found in the aliases(5) or UNIX pass‐
2073       word database.
2074
2075       The precedence of local(8) delivery  features  from  high  to  low  is:
2076       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2077       mailbox_command_maps, mailbox_command, home_mailbox,
2078       mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
2079

fallback_transport_maps (default: empty)

2081       Optional  lookup  tables with per-recipient message delivery transports
2082       for recipients that the local(8) delivery agent could not find  in  the
2083       aliases(5) or UNIX password database.
2084
2085       The  precedence  of  local(8)  delivery  features  from high to low is:
2086       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2087       mailbox_command_maps, mailbox_command, home_mailbox,
2088       mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
2089
2090       For safety reasons, this feature does not allow  $number  substitutions
2091       in regular expression maps.
2092
2093       This feature is available in Postfix 2.3 and later.
2094

fast_flush_domains (default: $relay_domains)

2096       Optional  list  of  destinations  that are eligible for per-destination
2097       logfiles with mail that is queued to those destinations.
2098
2099       By default, Postfix maintains "fast flush" logfiles only  for  destina‐
2100       tions  that  the  Postfix  SMTP server is willing to relay to (i.e. the
2101       default   is:   "fast_flush_domains   =   $relay_domains";   see    the
2102       relay_domains parameter in the postconf(5) manual).
2103
2104       Specify a list of hosts or domains, "/file/name" patterns or
2105       "type:table" lookup tables, separated by commas and/or whitespace.  Continue
2106       long  lines  by  starting the next line with whitespace. A "/file/name"
2107       pattern is replaced by its contents; a  "type:table"  lookup  table  is
2108       matched when the domain or its parent domain appears as lookup key.
2109
2110       Pattern  matching  of  domain  names  is  controlled by the presence or
2111       absence of "fast_flush_domains" in the parent_domain_matches_subdomains
2112       parameter value.
2113
2114       Specify  "fast_flush_domains  ="  (i.e.,  empty) to disable the feature
2115       altogether.
2116

fast_flush_purge_time (default: 7d)

2118       The time after which an empty per-destination "fast flush"  logfile  is
2119       deleted.
2120
2121       You can specify the time as a number, or as a number followed by a let‐
2122       ter that  indicates  the  time  unit:  s=seconds,  m=minutes,  h=hours,
2123       d=days, w=weeks.  The default time unit is days.
2124

fast_flush_refresh_time (default: 12h)

2126       The  time  after  which  a  non-empty  but unread per-destination "fast
2127       flush" logfile needs to be refreshed.  The contents of  a  logfile  are
2128       refreshed by requesting delivery of all messages listed in the logfile.
2129
2130       You can specify the time as a number, or as a number followed by a let‐
2131       ter that  indicates  the  time  unit:  s=seconds,  m=minutes,  h=hours,
2132       d=days, w=weeks.  The default time unit is hours.
2133

fault_injection_code (default: 0)

2135       Force  specific  internal tests to fail, to test the handling of errors
2136       that are difficult to reproduce otherwise.
2137

flush_service_name (default: flush)

2139       The name of the flush(8) service. This service  maintains  per-destina‐
2140       tion  logfiles  with  the  queue  file names of mail that is queued for
2141       those destinations.
2142
2143       This feature is available in Postfix 2.0 and later.
2144

fork_attempts (default: 5)

2146       The maximal number of attempts to fork() a child process.
2147

fork_delay (default: 1s)

2149       The delay between attempts to fork() a child process.
2150
2151       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2152       The default time unit is s (seconds).
2153

forward_expansion_filter (default: see postconf -d output)

2155       Restrict  the  characters  that  the  local(8) delivery agent allows in
2156       $name expansions of $forward_path.  Characters outside the allowed  set
2157       are replaced by underscores.
2158

forward_path (default: see postconf -d output)

2160       The  local(8)  delivery  agent  search list for finding a .forward file
2161       with user-specified delivery methods. The first file that is  found  is
2162       used.
2163
2164       The  forward_path value is not subject to Postfix configuration parame‐
2165       ter $name expansion. Instead, the following $name expansions  are  done
2166       on  forward_path  before  the  search  actually happens.  The result of
2167       $name expansion is filtered with the character set  that  is  specified
2168       with the forward_expansion_filter parameter.
2169
2170       $user  The recipient's username.
2171
2172       $shell The recipient's login shell pathname.
2173
2174       $home  The recipient's home directory.
2175
2176       $recipient
2177              The full recipient address.
2178
2179       $extension
2180              The optional recipient address extension.
2181
2182       $domain
2183              The recipient domain.
2184
2185       $local The entire recipient localpart.
2186
2187       $recipient_delimiter
2188              The  address extension delimiter that was found in the recipient
2189              address (Postfix 2.11 and later), or the  system-wide  recipient
2190              address extension delimiter (Postfix 2.10 and earlier).
2191
2192       ${name?value}
2193              Expands to value when $name is non-empty.
2194
2195       ${name:value}
2196              Expands to value when $name is empty.
2197
2198       Instead of $name you can also specify ${name} or $(name).
2199
2200       Examples:
2201
2202       forward_path = /var/forward/$user
2203       forward_path =
2204           /var/forward/$user/.forward$recipient_delimiter$extension,
2205           /var/forward/$user/.forward
2206
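       The following is an added example, not Postfix source: it expands a
       forward_path value with the $name attributes listed above and filters
       each expanded value the way forward_expansion_filter does. The allowed
       character set EXAMPLE_FILTER is constructed for this example (the real
       default comes from "postconf -d forward_expansion_filter"), the
       recipient_attrs() helper is a simplified stand-in for what local(8)
       derives from the recipient address, and nested expansions inside
       ${name?value} / ${name:value} are not handled.

```python
# Added example, not Postfix source: expand a forward_path value with the
# $name attributes the manual lists, then filter each expanded value with the
# forward_expansion_filter character set. EXAMPLE_FILTER below is a
# constructed allowed set for this example; the real default comes from
# "postconf -d forward_expansion_filter". Nested expansions inside
# ${name?value} / ${name:value} are not handled (a simplification).
import re

EXAMPLE_FILTER = ("0123456789!@%-_=+:,./"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

# $name, ${name}, $(name), ${name?value} and ${name:value}
_EXPANSION = re.compile(
    r"\$(?:(\w+)|\{(\w+)(?:([?:])([^{}]*))?\}|\((\w+)\))")


def expand(template, attrs, allowed=EXAMPLE_FILTER):
    """Expand one forward_path entry for the recipient described by attrs."""
    def replace(match):
        name = match.group(1) or match.group(2) or match.group(5)
        operator, text = match.group(3), match.group(4)
        value = attrs.get(name, "")
        if operator == "?":             # value only when $name is non-empty
            return text if value else ""
        if operator == ":":             # value only when $name is empty
            return text if not value else ""
        # Characters outside the allowed set become underscores, so a
        # recipient cannot smuggle shell or path characters into the path.
        return "".join(c if c in allowed else "_" for c in value)
    return _EXPANSION.sub(replace, template)


def recipient_attrs(user, home, shell, recipient, delimiter="+"):
    """Derive the $name attributes from a recipient address (simplified)."""
    local, _, domain = recipient.partition("@")
    if delimiter and delimiter in local:
        found, extension = delimiter, local.split(delimiter, 1)[1]
    else:
        found, extension = "", ""
    return {
        "user": user, "home": home, "shell": shell,
        "recipient": recipient, "extension": extension, "domain": domain,
        "local": local,
        # Postfix 2.11+: the delimiter actually found in the address, else empty
        "recipient_delimiter": found,
    }


def candidate_paths(forward_path, attrs):
    """Search list in order; local(8) uses the first file that exists."""
    return [expand(entry, attrs)
            for entry in re.split(r"[\s,]+", forward_path.strip()) if entry]


if __name__ == "__main__":
    setting = ("/var/forward/$user/.forward$recipient_delimiter$extension, "
               "/var/forward/$user/.forward")
    alice = recipient_attrs("alice", "/home/alice", "/bin/sh",
                            "alice+lists@example.com")
    for path in candidate_paths(setting, alice):
        print(path)
```

       With the two-entry forward_path from the manual's example, a recipient
       alice+lists@example.com yields /var/forward/alice/.forward+lists first
       and /var/forward/alice/.forward second; a recipient without an
       extension yields the plain .forward path twice, because the delimiter
       and extension both expand to the empty string.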

frozen_delivered_to (default: yes)

2208       Update  the local(8) delivery agent's idea of the Delivered-To: address
2209       (see prepend_delivered_header) only once, at the start  of  a  delivery
2210       attempt;  do  not  update  the  Delivered-To:  address  while expanding
2211       aliases or .forward files.
2212
2213       This feature is available in Postfix 2.3 and later. With older  Postfix
2214       releases,  the behavior is as if this parameter is set to "no". The old
2215       setting can be expensive with deeply nested aliases or .forward  files.
2216       When  an  alias  or .forward file changes the Delivered-To: address, it
2217       ties up one queue file and one cleanup process instance while  mail  is
2218       being forwarded.
2219

hash_queue_depth (default: 1)

2221       The number of subdirectory levels for queue directories listed with the
2222       hash_queue_names parameter. Queue hashing is  implemented  by  creating
2223       one  or  more  levels  of directories with one-character names.  Origi‐
2224       nally, these directory names were equal to the first characters of  the
2225       queue  file  name, with the hexadecimal representation of the file cre‐
2226       ation time in microseconds.
2227
2228       With long queue file names, queue hashing produces the same results  as
2229       with  short  names. The file creation time in microseconds is converted
2230       into hexadecimal form before the result is used for queue hashing.  The
2231       base  16 encoding gives finer control over the number of subdirectories
2232       than is possible with the base 52 encoding of long queue file names.
2233
2234       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2235       cute the command "postfix reload".
2236
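       The following is an added example, not Postfix source, covering both
       the enable_long_queue_ids description above and this hash_queue_depth
       description: it decodes and encodes the long (base 52, 'z' separator,
       base 51 inode) and short (hexadecimal) queue file name formats and
       computes the hashed subdirectory each file lands in. The two sample IDs
       are the ones shown in the enable_long_queue_ids text; the field
       layout follows the manual's description and is assumed to match what
       Postfix produces.

```python
# Added example, not Postfix source: decode and encode Postfix queue IDs in
# the long form (enable_long_queue_ids = yes) and the short hexadecimal form,
# and compute the hash_queue_depth subdirectory that a queue file lands in.
# The sample IDs are the ones shown in the manual; the field layout follows
# the manual's description and is assumed to match Postfix exactly.
from datetime import datetime, timezone

# 52-character alphabet: digits, then upper- and lower-case letters with the
# vowels (AEIOUaeiou) removed. 'z' (index 51) separates the time fields from
# the inode, which is encoded in base 51 and therefore never contains 'z'.
LONG_ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
SEC_PAD, USEC_PAD, INODE_SEP = 6, 4, "z"


def _decode(text, base):
    """Most-significant digit first, digits taken from LONG_ALPHABET."""
    value = 0
    for ch in text:
        digit = LONG_ALPHABET.find(ch)
        if digit < 0 or digit >= base:
            raise ValueError(f"{ch!r} is not a base-{base} digit")
        value = value * base + digit
    return value


def _encode(value, base, pad):
    digits = []
    while value > 0:
        value, rem = divmod(value, base)
        digits.append(LONG_ALPHABET[rem])
    while len(digits) < max(pad, 1):      # left-pad with '0' (value 0)
        digits.append(LONG_ALPHABET[0])
    return "".join(reversed(digits))


def is_long_id(qid):
    # Short IDs are upper-case hex and never contain the 'z' separator.
    return INODE_SEP in qid


def decode_long(qid):
    """Return (seconds since the epoch, microseconds, inode) for a long ID."""
    sep = qid.rfind(INODE_SEP)      # the last 'z' is the separator
    if sep < SEC_PAD + USEC_PAD or sep == len(qid) - 1:
        raise ValueError(f"malformed long queue ID {qid!r}")
    time_part, inode_part = qid[:sep], qid[sep + 1:]
    seconds = _decode(time_part[:-USEC_PAD], 52)
    usec = _decode(time_part[-USEC_PAD:], 52)
    if usec >= 1_000_000:
        raise ValueError(f"microsecond field out of range in {qid!r}")
    return seconds, usec, _decode(inode_part, 51)


def encode_long(seconds, usec, inode):
    return (_encode(seconds, 52, SEC_PAD) + _encode(usec, 52, USEC_PAD)
            + INODE_SEP + _encode(inode, 51, 0))


def decode_short(qid):
    """Return (microseconds, inode) for a short ID such as C3CD21F3E90."""
    if len(qid) < 6:
        raise ValueError(f"malformed short queue ID {qid!r}")
    return int(qid[:5], 16), int(qid[5:], 16)


def encode_short(usec, inode):
    return f"{usec:05X}{inode:X}"


def queue_path(queue, qid, hash_queue_depth=1):
    """Relative path of a queue file under a hashed queue directory.

    For long IDs the hashing key is the hexadecimal form of the microsecond
    field, so a message hashes to the same subdirectory as it would have
    with a short name; for short IDs the key is the file name itself.
    """
    key = f"{decode_long(qid)[1]:05X}" if is_long_id(qid) else qid
    return "/".join([queue, *key[:hash_queue_depth], qid])


def describe(qid):
    """Human-readable summary, e.g. for matching a log line to a queue file."""
    if is_long_id(qid):
        seconds, usec, inode = decode_long(qid)
        when = datetime.fromtimestamp(seconds, timezone.utc).isoformat()
        return f"{qid}: long form, created {when} +{usec}us, inode {inode}"
    usec, inode = decode_short(qid)
    return f"{qid}: short form, created at +{usec}us, inode {inode}"


if __name__ == "__main__":
    for sample in ("3Pt2mN2VXxznjll", "C3CD21F3E90"):   # IDs from the manual
        print(describe(sample))
        print("  path:", queue_path("deferred", sample, hash_queue_depth=1))
```

       Run stand-alone, the script shows that the long ID 3Pt2mN2VXxznjll
       carries a creation time in March 2011 and a microsecond field of
       353025 (0x56301), so with hash_queue_depth = 1 it lives in
       deferred/5/, while the short ID C3CD21F3E90 lives in deferred/C/.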

hash_queue_names (default: deferred, defer)

2238       The names of queue directories that are split across multiple subdirec‐
2239       tory levels.
2240
2241       Before Postfix version 2.2, the default list of hashed queues was  sig‐
2242       nificantly  larger. Claims about improvements in file system technology
2243       suggest that hashing of the incoming and active  queues  is  no  longer
2244       needed.  Fewer  hashed  directories speed up the time needed to restart
2245       Postfix.
2246
2247       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2248       cute the command "postfix reload".
2249

header_address_token_limit (default: 10240)

2251       The maximal number of address tokens that are allowed in an address
2252       message header. Information that exceeds the limit is discarded.  The
2253       limit is enforced by the cleanup(8) server.
2254

header_checks (default: empty)

2256       Optional  lookup tables for content inspection of primary non-MIME mes‐
2257       sage headers, as specified in the header_checks(5) manual page.
2258

header_from_format (default: standard)

2260       The format of the Postfix-generated From: header. This setting  affects
2261       the  appearance of 'full name' information when a local program such as
2262       /bin/mail submits a message without From: header  through  the  Postfix
2263       sendmail(1) command.
2264
2265       Specify one of the following:
2266
2267       standard (default)
2268              Produce  a  header formatted as "From: name <address>".  This is
2269              the default as of Postfix 3.3.
2270
2271       obsolete
2272              Produce a header formatted as "From: address  (name)".  This  is
2273              the behavior prior to Postfix 3.3.
2274
2275       Notes:
2276
2277       ·      Postfix  generates the format "From: address" when name informa‐
2278              tion is unavailable or the envelope  sender  address  is  empty.
2279              This is the same behavior as prior to Postfix 3.3.
2280
2281       ·      In  the  standard  form,  the name will be quoted if it contains
2282              specials as defined in RFC 5322, or the "!%" address operators.
2283
2284       ·      The Postfix sendmail(1) command gets name information  from  the
2285              -F  command-line  option, from the NAME environment variable, or
2286              from the UNIX password file.
2287
2288       This feature is available in Postfix 3.3 and later.
2289
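       The following is an added example, not Postfix source: it builds the
       From: header in the two forms that header_from_format selects. The
       quoting rule follows the notes above (RFC 5322 specials or the "!%"
       address operators trigger quoting in the standard form, and an empty
       name or empty sender address yields "From: address"); the escaping
       inside the obsolete form's comment and the folding of line breaks out
       of the name are this example's own choices, not steps the manual
       describes.

```python
# Added example, not Postfix source: generate the From: header in the two
# forms that header_from_format selects. The quoting rule follows the manual
# (RFC 5322 specials or the "!%" address operators trigger quoting in the
# standard form); escaping inside the obsolete form's comment and the
# removal of line breaks from the name are this example's own choices.
RFC5322_SPECIALS = set('()<>[]:;@\\,."')
QUOTE_TRIGGERS = RFC5322_SPECIALS | set("!%")


def quote_phrase(name):
    """Return name as an RFC 5322 phrase, quoted only when necessary."""
    if not any(c in QUOTE_TRIGGERS for c in name):
        return name
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_from(name, address, header_from_format="standard"):
    """Build the From: header line as sendmail(1)-submitted mail would get."""
    # A CR or LF in the name would start a new header line; fold it away.
    name = " ".join(name.split())
    if not name or not address:
        return f"From: {address}"          # "From: address" in both formats
    if header_from_format == "standard":
        return f"From: {quote_phrase(name)} <{address}>"
    if header_from_format == "obsolete":
        # The name lives in a comment, where "(", ")" and "\" must be escaped.
        comment = (name.replace("\\", "\\\\")
                       .replace("(", "\\(").replace(")", "\\)"))
        return f"From: {address} ({comment})"
    raise ValueError(f"unknown header_from_format {header_from_format!r}")


if __name__ == "__main__":
    # Constructed names and address for the demonstration.
    for who in ("John Doe", "Doe, John", "uucp!user", ""):
        print(format_from(who, "john@example.com"))
        print(format_from(who, "john@example.com", "obsolete"))
```

       Plain names pass through unquoted; a name such as "Doe, John" is
       quoted in the standard form because the comma is an RFC 5322 special,
       and is placed in a comment in the obsolete form.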

header_size_limit (default: 102400)

2291       The maximal amount of memory in bytes for storing a message header.  If
2292       a  header is larger, the excess is discarded.  The limit is enforced by
2293       the cleanup(8) server.
2294

helpful_warnings (default: yes)

2296       Log warnings about  problematic  configuration  settings,  and  provide
2297       helpful suggestions.
2298
2299       This feature is available in Postfix 2.0 and later.
2300

home_mailbox (default: empty)

2302       Optional  pathname of a mailbox file relative to a local(8) user's home
2303       directory.
2304
2305       Specify a pathname ending in "/" for qmail-style delivery.
2306
2307       The precedence of local(8) delivery  features  from  high  to  low  is:
2308       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2309       mailbox_command_maps, mailbox_command, home_mailbox,
2310       mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
2311
2312       Examples:
2313
2314       home_mailbox = Mailbox
2315       home_mailbox = Maildir/
2316

hopcount_limit (default: 50)

2318       The maximal number of Received:  message headers that is allowed in the
2319       primary message headers. A message that exceeds the limit  is  bounced,
2320       in order to stop a mailer loop.
2321

html_directory (default: see postconf -d output)

2323       The  location of Postfix HTML files that describe how to build, config‐
2324       ure or operate a specific Postfix subsystem or feature.
2325

ignore_mx_lookup_error (default: no)

2327       Ignore DNS MX lookups that produce no response.  By default, the  Post‐
2328       fix SMTP client defers delivery and tries again after some delay.  This
2329       behavior is required by the SMTP standard.
2330
2331       Specify "ignore_mx_lookup_error = yes" to force a DNS A  record  lookup
2332       instead. This violates the SMTP standard and can result in mis-delivery
2333       of mail.
2334

import_environment (default: see postconf -d output)

2336       The list of environment parameters that a  privileged  Postfix  process
2337       will  import  from a non-Postfix parent process, or name=value environ‐
2338       ment overrides.  Unprivileged utilities  will  enforce  the  name=value
2339       overrides,  but  otherwise  will  not change their process environment.
2340       Examples of relevant parameters:
2341
2342       TZ     May be needed for sane time keeping on  most  System-V-ish  sys‐
2343              tems.
2344
2345       DISPLAY
2346              Needed for debugging Postfix daemons with an X-windows debugger.
2347
2348       XAUTHORITY
2349              Needed for debugging Postfix daemons with an X-windows debugger.
2350
2351       MAIL_CONFIG
2352              Needed to make "postfix -c" work.
2353
2354       Specify  a  list  of names and/or name=value pairs, separated by white‐
2355       space or comma. Specify "{ name=value }" to protect whitespace or comma
2356       in  parameter  values  (whitespace after the opening "{" and before the
2357       closing "}" is ignored). The form name=value is supported with  Postfix
2358       version  2.1 and later; the use of {} is supported with Postfix 3.0 and
2359       later.
2360
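       The following is an added example, not Postfix source, covering the
       list syntax that export_environment (above) and import_environment
       share: a parser for "name", "name=value" and "{ name=value }" items
       separated by whitespace or commas, plus the import policy described
       here (a privileged process takes only the listed names from its
       parent; an unprivileged utility keeps its environment and applies
       only the name=value overrides). The parent environment is constructed
       for the demonstration, and brace groups are not nested, which is a
       simplification of this example.

```python
# Added example, not Postfix source: a parser for the list syntax that
# export_environment and import_environment share ("name", "name=value" and
# "{ name=value }" items separated by whitespace or commas), plus the import
# policy the manual describes for privileged and unprivileged processes.
# Brace groups are not nested here, a simplification of this example.
import re

_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_SEPARATORS = " \t\r\n,"


def parse_env_list(spec):
    """Return [(name, value), ...]; value is None for a bare name."""
    items = []
    i, n = 0, len(spec)
    while i < n:
        if spec[i] in _SEPARATORS:
            i += 1
            continue
        if spec[i] == "{":
            end = spec.find("}", i + 1)
            if end < 0:
                raise ValueError("missing '}' in environment list")
            # whitespace after "{" and before "}" is ignored
            token, i = spec[i + 1:end].strip(), end + 1
        else:
            j = i
            while j < n and spec[j] not in _SEPARATORS:
                j += 1
            token, i = spec[i:j], j
        name, eq, value = token.partition("=")
        if not _NAME.fullmatch(name):
            raise ValueError(f"bad environment variable name {name!r}")
        items.append((name, value if eq else None))
    return items


def build_environment(parent_env, import_spec, privileged=True):
    """Environment a Postfix-style process would run with.

    privileged=True: start from nothing and copy only the listed names from
    the parent; anything not listed (LD_PRELOAD, IFS, ...) never gets in.
    privileged=False: keep the parent environment, only apply name=value.
    """
    env = {} if privileged else dict(parent_env)
    for name, value in parse_env_list(import_spec):
        if value is not None:
            env[name] = value
        elif privileged and name in parent_env:
            env[name] = parent_env[name]
    return env


if __name__ == "__main__":
    # Constructed parent environment for the demonstration.
    parent = {"TZ": "UTC", "PATH": "/home/user/bin:/usr/bin",
              "LD_PRELOAD": "/tmp/hook.so", "HOME": "/home/user"}
    print(build_environment(parent, "TZ MAIL_CONFIG PATH=/bin:/usr/bin"))
    print(build_environment(parent, "{ PATH=/bin:/usr/bin }", privileged=False))
```

       The first call keeps TZ from the parent, sets PATH from the override,
       silently skips MAIL_CONFIG because the parent does not have it, and
       drops everything else; the second keeps the whole parent environment
       and only replaces PATH.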

in_flow_delay (default: 1s)

2362       Time to pause before accepting a new message, when the message  arrival
2363       rate  exceeds  the  message delivery rate. This feature is turned on by
2364       default (it's disabled on SCO UNIX due to an SCO bug).
2365
2366       With the default 100 Postfix SMTP server process limit,  "in_flow_delay
2367       =  1s" limits the mail inflow to 100 messages per second above the num‐
2368       ber of messages delivered per second.
2369
2370       Specify 0 to disable the feature. Valid delays are 0..10.
2371

inet_interfaces (default: all)

2373       The network interface addresses that this mail system receives mail on.
2374       Specify  "all" to receive mail on all network interfaces (default), and
2375       "loopback-only" to receive mail on  loopback  network  interfaces  only
2376       (Postfix  version 2.2 and later).  The parameter also controls delivery
2377       of mail to user@[ip.address].
2378
2379       Note 1: you need to stop and start Postfix when this parameter changes.
2380
2381       Note 2: address information may be enclosed inside [], but this form is
2382       not required here.
2383
2384       When  inet_interfaces  specifies just one IPv4 and/or IPv6 address that
2385       is not a loopback address,  the  Postfix  SMTP  client  will  use  this
2386       address as the IP source address for outbound mail. Support for IPv6 is
2387       available in Postfix version 2.2 and later.
2388
2389       On a multi-homed firewall with separate Postfix instances listening  on
2390       the  "inside"  and "outside" interfaces, this can prevent each instance
2391       from being able to reach remote SMTP servers on the "other side" of the
2392       firewall.  Setting  smtp_bind_address  to  0.0.0.0 avoids the potential
2393       problem for IPv4, and setting smtp_bind_address6 to :: solves the prob‐
2394       lem for IPv6.
2395
2396       A better solution for multi-homed firewalls is to leave inet_interfaces
2397       at the default value and instead use explicit IP addresses in the
2398       master.cf SMTP server definitions. This preserves the Postfix SMTP
2399       client's loop detection, by ensuring that each side of the firewall
2400       knows that the other IP address is still the same host. Setting
2401       $inet_interfaces to a single IPv4 and/or IPv6 address is primarily
2402       useful with virtual hosting of domains on secondary IP addresses, when
2403       each IP address serves a different domain (and has a different
2404       $myhostname setting).
2405
2406       See also the proxy_interfaces parameter, for network addresses that are
2407       forwarded to Postfix by way of a proxy or address translator.
2408
2409       Examples:
2410
2411       inet_interfaces = all (DEFAULT)
2412       inet_interfaces = loopback-only (Postfix version 2.2 and later)
2413       inet_interfaces = 127.0.0.1
2414       inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2415       inet_interfaces = 192.168.1.2, 127.0.0.1
2416

inet_protocols (default: all)

2418       The Internet protocols Postfix will  attempt  to  use  when  making  or
2419       accepting  connections.  Specify one or more of "ipv4" or "ipv6", sepa‐
2420       rated by whitespace or commas. The form "all" is equivalent  to  "ipv4,
2421       ipv6"  or  "ipv4", depending on whether the operating system implements
2422       IPv6.
2423
2424       With Postfix 2.8 and earlier the default is "ipv4". For backwards  com‐
2425       patibility  with these releases, the Postfix 2.9 and later upgrade pro‐
2426       cedure appends an explicit "inet_protocols = ipv4" setting  to  main.cf
2427       when no explicit setting is present. This compatibility workaround will
2428       be phased out as IPv6 deployment becomes more common.
2429
2430       This feature is available in Postfix 2.2 and later.
2431
2432       Note: you MUST stop and start Postfix after changing this parameter.
2433
2434       On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
2435       will  also  accept  IPv4 connections, even when IPv4 is turned off with
2436       the inet_protocols parameter.  On  systems  with  IPV6_V6ONLY  support,
2437       Postfix  will  use  separate server sockets for IPv6 and IPv4, and each
2438       will accept only connections for the corresponding protocol.
2439
2440       When IPv4 support is enabled via the inet_protocols parameter,  Postfix
2441       will  look  up DNS type A records, and will convert IPv4-in-IPv6 client
2442       IP addresses (::ffff:1.2.3.4) to their original  IPv4  form  (1.2.3.4).
2443       The  latter  is  needed on hosts that pre-date IPV6_V6ONLY support (RFC
2444       3493).
2445
2446       When IPv6 support is enabled via the inet_protocols parameter,  Postfix
2447       will do DNS type AAAA record lookups.
2448
2449       When  both  IPv4  and IPv6 support are enabled, the Postfix SMTP client
2450       will choose the protocol as specified with the  smtp_address_preference
2451       parameter.  Postfix  versions  before  2.8  attempt to connect via IPv6
2452       before attempting to use IPv4.
2453
2454       Examples:
2455
2456       inet_protocols = ipv4
2457       inet_protocols = all (DEFAULT)
2458       inet_protocols = ipv6
2459       inet_protocols = ipv4, ipv6
2460

info_log_address_format (default: external)

2462       The email address form that will be used in  non-debug  logging  (info,
2463       warning,  etc.).  As  of Postfix 3.5 when an address localpart contains
2464       spaces or other special characters, the localpart will be  quoted,  for
2465       example:
2466
2467               from=<"name with spaces"@example.com>
2468
2469       Older Postfix versions would log the internal (unquoted) form:
2470
2471               from=<name with spaces@example.com>
2472
2473       The  external and internal forms are identical for the vast majority of
2474       email addresses that contain no spaces or other special  characters  in
2475       the localpart.
2476
2477       The  logging  in external form is consistent with the address form that
2478       Postfix 3.2 and later prefer for most table lookups. This is  therefore
2479       the more useful form for non-debug logging.
2480
2481       Specify  "info_log_address_format = internal" for backwards compatibil‐
2482       ity.
2483
2484       Postfix uses the unquoted form  internally,  because  an  attacker  can
2485       specify  an  email  address  in  different  forms by playing games with
2486       quotes and backslashes. An attacker should not  be  able  to  use  such
2487       games to circumvent Postfix access policies.
2488
2489       This feature is available in Postfix 3.5 and later.
2490
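       The following is an added example, not Postfix source: it converts an
       address between the internal (unquoted) form and the external (RFC
       5322 quoted) form described above, and shows why a policy lookup must
       key on one canonical spelling rather than on whatever quoting the
       client sent. The quoting rules are a simplified reading of RFC 5322,
       and the access table and addresses are constructed for the
       demonstration.

```python
# Added example, not Postfix source: convert an address between the internal
# (unquoted) form and the external (RFC 5322 quoted) form, and key a policy
# lookup on one canonical spelling. The quoting rules here are a simplified
# reading of RFC 5322; the access table and addresses are constructed.
ATEXT = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!#$%&'*+-/=?^_`{|}~")


def split_address(addr):
    """(localpart, '@domain'); the domain part is kept with its '@'."""
    at = addr.rfind("@")
    return (addr, "") if at < 0 else (addr[:at], addr[at:])


def to_external(addr):
    """Quote the localpart when it is not a valid dot-atom."""
    local, domain = split_address(addr)
    plain = (local and not local.startswith(".") and not local.endswith(".")
             and ".." not in local
             and all(c in ATEXT or c == "." for c in local))
    if plain:
        return addr
    escaped = local.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"{domain}'


def to_internal(addr):
    """Strip quotes and backslash escapes from the localpart."""
    local, domain = split_address(addr)
    out, i = [], 0
    while i < len(local):
        c = local[i]
        if c == "\\" and i + 1 < len(local):
            i += 1                  # keep the escaped character literally
            out.append(local[i])
        elif c != '"':
            out.append(c)
        i += 1
    return "".join(out) + domain


def canonical(addr):
    """One spelling for any quoting variant: unquote, then re-quote."""
    return to_external(to_internal(addr))


def access_decision(addr, access_table):
    """Look up an access table keyed by external-form addresses."""
    return access_table.get(canonical(addr), "DUNNO")


if __name__ == "__main__":
    table = {"bad@example.com": "REJECT"}    # constructed access table
    for spelling in ("bad@example.com", '"bad"@example.com',
                     "b\\ad@example.com"):
        print(f"{spelling:20} -> {canonical(spelling):18} "
              f"naive={table.get(spelling, 'DUNNO')} "
              f"canonical={access_decision(spelling, table)}")
```

       A lookup on the raw string matches only the first spelling; the
       quoted and backslashed variants fall through to DUNNO. Looking up the
       canonical spelling returns REJECT for all three, which is the
       property the internal form gives Postfix access policies.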

initial_destination_concurrency (default: 5)

2492       The  initial per-destination concurrency level for parallel delivery to
2493       the same destination.  With per-destination recipient limit > 1, a des‐
2494       tination is a domain, otherwise it is a recipient.
2495
2496       Use   transport_initial_destination_concurrency  to  specify  a  trans‐
2497       port-specific override, where transport is the master.cf  name  of  the
2498       message delivery transport (Postfix 2.5 and later).
2499
2500       Warning:  with concurrency of 1, one bad message can be enough to block
2501       all mail to a site.
2502

internal_mail_filter_classes (default: empty)

2504       What categories of Postfix-generated mail are subject  to  before-queue
2505       content inspection by non_smtpd_milters, header_checks and body_checks.
2506       Specify zero or more of  the  following,  separated  by  whitespace  or
2507       comma.
2508
2509       bounce Inspect the content of delivery status notifications.
2510
2511       notify Inspect  the  content of postmaster notifications by the smtp(8)
2512              and smtpd(8) processes.
2513
2514       NOTE: It's generally not safe to enable  content  inspection  of  Post‐
2515       fix-generated email messages. The user is warned.
2516
2517       This feature is available in Postfix 2.3 and later.
2518

invalid_hostname_reject_code (default: 501)

2520       The numerical Postfix SMTP server response code when the client HELO or
2521       EHLO command parameter is rejected by the  reject_invalid_helo_hostname
2522       restriction.
2523
2524       Do  not  change  this  unless  you have a complete understanding of RFC
2525       5321.
2526

ipc_idle (default: version dependent)

2528       The time after which a client closes  an  idle  internal  communication
2529       channel.  The purpose is to allow Postfix daemon processes to terminate
2530       voluntarily after they become idle. This is used, for example,  by  the
2531       Postfix address resolving and rewriting clients.
2532
2533       With Postfix 2.4 the default value was reduced from 100s to 5s.
2534
2535       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2536       The default time unit is s (seconds).
2537

ipc_timeout (default: 3600s)

2539       The time limit for sending or receiving information  over  an  internal
2540       communication  channel.  The purpose is to break out of deadlock situa‐
2541       tions. If the time limit is exceeded the software aborts with  a  fatal
2542       error.
2543
2544       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2545       The default time unit is s (seconds).
2546

ipc_ttl (default: 1000s)

2548       The time after which a client closes an active  internal  communication
2549       channel.  The purpose is to allow Postfix daemon processes to terminate
2550       voluntarily after reaching their client limit.  This is used, for exam‐
2551       ple, by the Postfix address resolving and rewriting clients.
2552
2553       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2554       The default time unit is s (seconds).
2555
2556       This feature is available in Postfix 2.1 and later.
2557

line_length_limit (default: 2048)

2559       Upon input, long lines are chopped up  into  pieces  of  at  most  this
2560       length; upon delivery, long lines are reconstructed.
2561

lmdb_map_size (default: 16777216)

2563       The  initial  OpenLDAP  LMDB database size limit in bytes.  Each time a
2564       database becomes full, its size limit is doubled.
2565
2566       This feature is available in Postfix 2.11 and later.
2567

lmtp_address_preference (default: ipv6)

2569       The LMTP-specific version of the smtp_address_preference  configuration
2570       parameter.  See there for details.
2571
2572       This feature is available in Postfix 2.8 and later.
2573

lmtp_address_verify_target (default: rcpt)

2575       The  LMTP-specific version of the smtp_address_verify_target configura‐
2576       tion parameter.  See there for details.
2577
2578       This feature is available in Postfix 3.0 and later.
2579

lmtp_assume_final (default: no)

2581       When a remote LMTP server announces no DSN  support,  assume  that  the
2582       server  performs  final  delivery, and send "delivered" delivery status
2583       notifications instead of "relayed". The default  setting  is  backwards
2584       compatible  to avoid the infinitesimal possibility of breaking existing
2585       LMTP-based content filters.
2586

lmtp_balance_inet_protocols (default: yes)

2588       The LMTP-specific version of the smtp_balance_inet_protocols configura‐
2589       tion parameter. See there for details.
2590
2591       This feature is available in Postfix 3.3 and later.
2592

lmtp_bind_address (default: empty)

2594       The LMTP-specific version of the smtp_bind_address configuration param‐
2595       eter.  See there for details.
2596
2597       This feature is available in Postfix 2.3 and later.
2598

lmtp_bind_address6 (default: empty)

2600       The  LMTP-specific  version  of  the  smtp_bind_address6  configuration
2601       parameter.  See there for details.
2602
2603       This feature is available in Postfix 2.3 and later.
2604

lmtp_body_checks (default: empty)

2606       The LMTP-specific version of the smtp_body_checks configuration parame‐
2607       ter. See there for details.
2608
2609       This feature is available in Postfix 2.5 and later.
2610

lmtp_cache_connection (default: yes)

2612       Keep Postfix LMTP client connections open for up to $max_idle  seconds.
2613       When  the  LMTP  client  receives a request for the same connection the
2614       connection is reused.
2615
2616       This parameter is available in Postfix version 2.2 and  earlier.   With
2617       Postfix  version  2.3  and  later, see lmtp_connection_cache_on_demand,
2618       lmtp_connection_cache_destinations,       or        lmtp_connection_re‐
2619       use_time_limit.
2620
2621       The  effectiveness of cached connections will be determined by the num‐
2622       ber of remote LMTP servers in use, and the concurrency limit  specified
2623       for the Postfix LMTP client. Cached connections are closed under any of
2624       the following conditions:
2625
2626       ·      The Postfix LMTP client idle time limit is reached.  This  limit
2627              is specified with the Postfix max_idle configuration parameter.
2628
2629       ·      A  delivery  request  specifies a different destination than the
2630              one currently cached.
2631
2632       ·      The per-process limit on the  number  of  delivery  requests  is
2633              reached.   This limit is specified with the Postfix max_use con‐
2634              figuration parameter.
2635
2636       ·      Upon the onset of another  delivery  request,  the  remote  LMTP
2637              server  associated  with the current session does not respond to
2638              the RSET command.
2639
       Most of these limitations have been removed with the Postfix connection
       cache that is shared among multiple LMTP client programs.
2642
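The four close conditions listed for lmtp_cache_connection are easier to reason about when they are written down as code. The following is an added example, not code from the Postfix distribution: a small model of one LMTP client process holding at most one cached connection, with hypothetical max_idle and max_use values standing in for the real parameters and a constructed sequence of delivery requests.

```python
"""Added example (not Postfix code): model of the lmtp_cache_connection
close rules: idle limit, destination change, per-process request limit,
and a remote server that does not answer RSET."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CachedConnection:
    destination: str
    opened_at: float
    last_used: float
    uses: int = 0


@dataclass
class LmtpConnectionCache:
    """One LMTP client process with at most one cached connection.
    max_idle / max_use are assumed values standing in for the Postfix
    parameters of the same name; times are seconds since process start."""
    max_idle: float = 100.0
    max_use: int = 100
    conn: Optional[CachedConnection] = None
    requests: int = 0                     # delivery requests seen by this process
    events: List[str] = field(default_factory=list)

    def _close(self, reason: str) -> None:
        self.events.append(f"close {self.conn.destination}: {reason}")
        self.conn = None

    def deliver(self, destination: str, now: float, rset_ok: bool = True) -> str:
        """Handle one delivery request; return 'reused' or 'new' depending on
        whether the cached connection could be used for it."""
        self.requests += 1
        if self.conn is not None:
            if now - self.conn.last_used > self.max_idle:
                self._close("idle time limit (max_idle) reached")
            elif self.conn.destination != destination:
                self._close("different destination requested")
            elif not rset_ok:
                # The cached session is probed with RSET before reuse; no
                # answer means the connection is dropped and a new one opened.
                self._close("remote server did not respond to RSET")
        if self.conn is None:
            self.conn = CachedConnection(destination, now, now)
            result = "new"
        else:
            result = "reused"
        self.conn.last_used = now
        self.conn.uses += 1
        if self.requests >= self.max_use:
            # Per-process delivery request limit: the connection is closed
            # and the process would exit after this request.
            self._close("per-process request limit (max_use) reached")
        return result


if __name__ == "__main__":
    cache = LmtpConnectionCache(max_idle=5, max_use=4)
    for dest, t in (("lmtp:a", 0), ("lmtp:a", 1), ("lmtp:b", 2), ("lmtp:b", 3)):
        print(dest, t, cache.deliver(dest, t))
    print("\n".join(cache.events))
```

The model shows why the shared connection cache of later Postfix versions matters: with the per-process cache, any change of destination or a process reaching max_use throws the connection away even if the remote server is perfectly healthy.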

lmtp_cname_overrides_servername (default: yes)

2644       The  LMTP-specific  version of the smtp_cname_overrides_servername con‐
2645       figuration parameter.  See there for details.
2646
2647       This feature is available in Postfix 2.3 and later.
2648

lmtp_connect_timeout (default: 0s)

2650       The Postfix LMTP client time limit for completing a TCP connection,  or
2651       zero  (use  the operating system built-in time limit).  When no connec‐
2652       tion can be made within the deadline, the LMTP client  tries  the  next
2653       address on the mail exchanger list.
2654
2655       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2656       The default time unit is s (seconds).
2657
2658       Example:
2659
2660       lmtp_connect_timeout = 30s
2661

lmtp_connection_cache_destinations (default: empty)

2663       The LMTP-specific  version  of  the  smtp_connection_cache_destinations
2664       configuration parameter.  See there for details.
2665
2666       This feature is available in Postfix 2.3 and later.
2667

lmtp_connection_cache_on_demand (default: yes)

2669       The  LMTP-specific  version of the smtp_connection_cache_on_demand con‐
2670       figuration parameter.  See there for details.
2671
2672       This feature is available in Postfix 2.3 and later.
2673

lmtp_connection_cache_time_limit (default: 2s)

2675       The LMTP-specific version of the smtp_connection_cache_time_limit  con‐
2676       figuration parameter.  See there for details.
2677
2678       This feature is available in Postfix 2.3 and later.
2679

lmtp_connection_reuse_count_limit (default: 0)

2681       The LMTP-specific version of the smtp_connection_reuse_count_limit con‐
2682       figuration parameter.  See there for details.
2683
2684       This feature is available in Postfix 2.11 and later.
2685

lmtp_connection_reuse_time_limit (default: 300s)

2687       The LMTP-specific version of the smtp_connection_reuse_time_limit  con‐
2688       figuration parameter.  See there for details.
2689
2690       This feature is available in Postfix 2.3 and later.
2691

lmtp_data_done_timeout (default: 600s)

2693       The  Postfix  LMTP  client time limit for sending the LMTP ".", and for
2694       receiving the  remote  LMTP  server  response.   When  no  response  is
2695       received  within the deadline, a warning is logged that the mail may be
2696       delivered multiple times.
2697
2698       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2699       The default time unit is s (seconds).
2700

lmtp_data_init_timeout (default: 120s)

2702       The  Postfix  LMTP client time limit for sending the LMTP DATA command,
2703       and for receiving the remote LMTP server response.
2704
2705       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2706       The default time unit is s (seconds).
2707

lmtp_data_xfer_timeout (default: 180s)

2709       The  Postfix  LMTP  client time limit for sending the LMTP message con‐
2710       tent.  When the connection stalls for more than $lmtp_data_xfer_timeout
2711       the LMTP client terminates the transfer.
2712
2713       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2714       The default time unit is s (seconds).
2715

lmtp_defer_if_no_mx_address_found (default: no)

2717       The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2718       figuration parameter.  See there for details.
2719
2720       This feature is available in Postfix 2.3 and later.
2721

lmtp_delivery_status_filter (default: empty)

2723       The LMTP-specific version of the smtp_delivery_status_filter configura‐
2724       tion parameter.  See there for details.
2725
2726       This feature is available in Postfix 3.0 and later.
2727

lmtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same destination via
       the lmtp message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the first field
       in the entry in the master.cf file.


lmtp_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for the lmtp message
       delivery transport. This limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in the
       master.cf file.

       Setting this parameter to a value of 1 changes the meaning of
       lmtp_destination_concurrency_limit from concurrency per domain into
       concurrency per recipient.


lmtp_discard_lhlo_keyword_address_maps (default: empty)

2747       Lookup tables, indexed by the remote LMTP  server  address,  with  case
2748       insensitive  lists  of LHLO keywords (pipelining, starttls, auth, etc.)
2749       that the Postfix LMTP client will ignore in the LHLO  response  from  a
2750       remote LMTP server. See lmtp_discard_lhlo_keywords for details. The ta‐
2751       ble  is  not  indexed  by  hostname  for  consistency  with  smtpd_dis‐
2752       card_ehlo_keyword_address_maps.
2753
2754       This feature is available in Postfix 2.3 and later.
2755

lmtp_discard_lhlo_keywords (default: empty)

2757       A  case  insensitive list of LHLO keywords (pipelining, starttls, auth,
2758       etc.) that the Postfix LMTP client will ignore  in  the  LHLO  response
2759       from a remote LMTP server.
2760
2761       This feature is available in Postfix 2.3 and later.
2762
2763       Notes:
2764
2765       ·      Specify the silent-discard pseudo keyword to prevent this action
2766              from being logged.
2767
2768       ·      Use the lmtp_discard_lhlo_keyword_address_maps feature  to  dis‐
2769              card LHLO keywords selectively.
2770

lmtp_dns_reply_filter (default: empty)

2772       Optional  filter  for  Postfix  LMTP  client  DNS  lookup results.  See
2773       smtp_dns_reply_filter for details including an example.
2774
2775       This feature is available in Postfix 3.0 and later.
2776

lmtp_dns_resolver_options (default: empty)

2778       The LMTP-specific version of the  smtp_dns_resolver_options  configura‐
2779       tion parameter.  See there for details.
2780
2781       This feature is available in Postfix 2.8 and later.
2782

lmtp_dns_support_level (default: empty)

2784       The  LMTP-specific  version of the smtp_dns_support_level configuration
2785       parameter.  See there for details.
2786
2787       This feature is available in Postfix 2.11 and later.
2788

lmtp_enforce_tls (default: no)

2790       The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2791       ter.  See there for details.
2792
2793       This feature is available in Postfix 2.3 and later.
2794

lmtp_fallback_relay (default: empty)

2796       Optional  list of relay hosts for LMTP destinations that can't be found
2797       or that are unreachable.  In main.cf elements are separated  by  white‐
2798       space or commas.
2799
2800       By  default,  mail  is returned to the sender when a destination is not
2801       found, and delivery is deferred when a destination is unreachable.
2802
2803       The fallback relays must be TCP destinations, specified without a lead‐
2804       ing  "inet:" prefix.  Specify a host or host:port.  Since MX lookups do
2805       not apply  with  LMTP,  there  is  no  need  to  use  the  "[host]"  or
2806       "[host]:port"  forms.  If you specify multiple LMTP destinations, Post‐
2807       fix will try them in the specified order.
2808
2809       This feature is available in Postfix 3.1 and later.
2810

lmtp_generic_maps (default: empty)

2812       The LMTP-specific version of the smtp_generic_maps configuration param‐
2813       eter.  See there for details.
2814
2815       This feature is available in Postfix 2.3 and later.
2816

lmtp_header_checks (default: empty)

2818       The  LMTP-specific  version  of  the  smtp_header_checks  configuration
2819       parameter. See there for details.
2820
2821       This feature is available in Postfix 2.5 and later.
2822

lmtp_host_lookup (default: dns)

2824       The LMTP-specific version of the smtp_host_lookup configuration parame‐
2825       ter.  See there for details.
2826
2827       This feature is available in Postfix 2.3 and later.
2828

lmtp_lhlo_name (default: $myhostname)

2830       The hostname to send in the LMTP LHLO command.
2831
2832       The  default  value  is  the  machine  hostname.  Specify a hostname or
2833       [ip.add.re.ss].
2834
2835       This information can be specified in the  main.cf  file  for  all  LMTP
2836       clients,  or  it  can be specified in the master.cf file for a specific
2837       client, for example:
2838
2839           /etc/postfix/master.cf:
2840               mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2841
2842       This feature is available in Postfix 2.3 and later.
2843

lmtp_lhlo_timeout (default: 300s)

2845       The Postfix LMTP client time limit for sending the  LHLO  command,  and
2846       for receiving the initial remote LMTP server response.
2847
2848       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2849       The default time unit is s (seconds).
2850

lmtp_line_length_limit (default: 990)

2852       The LMTP-specific version of the  smtp_line_length_limit  configuration
2853       parameter.  See there for details.
2854
2855       This feature is available in Postfix 2.3 and later.
2856

lmtp_mail_timeout (default: 300s)

2858       The  Postfix  LMTP client time limit for sending the MAIL FROM command,
2859       and for receiving the remote LMTP server response.
2860
2861       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2862       The default time unit is s (seconds).
2863

lmtp_mime_header_checks (default: empty)

2865       The  LMTP-specific version of the smtp_mime_header_checks configuration
2866       parameter. See there for details.
2867
2868       This feature is available in Postfix 2.5 and later.
2869

lmtp_mx_address_limit (default: 5)

2871       The LMTP-specific version of  the  smtp_mx_address_limit  configuration
2872       parameter.  See there for details.
2873
2874       This feature is available in Postfix 2.3 and later.
2875

lmtp_mx_session_limit (default: 2)

2877       The  LMTP-specific  version  of the smtp_mx_session_limit configuration
2878       parameter.  See there for details.
2879
2880       This feature is available in Postfix 2.3 and later.
2881

lmtp_nested_header_checks (default: empty)

2883       The LMTP-specific version of the  smtp_nested_header_checks  configura‐
2884       tion parameter. See there for details.
2885
2886       This feature is available in Postfix 2.5 and later.
2887

lmtp_per_record_deadline (default: no)

2889       The LMTP-specific version of the smtp_per_record_deadline configuration
2890       parameter.  See there for details.
2891
2892       This feature is available in Postfix 2.9 and later.
2893

lmtp_pix_workaround_delay_time (default: 10s)

2895       The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
2896       uration parameter.  See there for details.
2897
2898       This feature is available in Postfix 2.3 and later.
2899

lmtp_pix_workaround_maps (default: empty)

2901       The LMTP-specific version of the smtp_pix_workaround_maps configuration
2902       parameter.  See there for details.
2903
2904       This feature is available in Postfix 2.4 and later.
2905

lmtp_pix_workaround_threshold_time (default: 500s)

2907       The LMTP-specific  version  of  the  smtp_pix_workaround_threshold_time
2908       configuration parameter.  See there for details.
2909
2910       This feature is available in Postfix 2.3 and later.
2911

lmtp_pix_workarounds (default: empty)

2913       The  LMTP-specific  version  of  the  smtp_pix_workaround configuration
2914       parameter.  See there for details.
2915
2916       This feature is available in Postfix 2.4 and later.
2917

lmtp_quit_timeout (default: 300s)

2919       The Postfix LMTP client time limit for sending the  QUIT  command,  and
2920       for receiving the remote LMTP server response.
2921
2922       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2923       The default time unit is s (seconds).
2924

lmtp_quote_rfc821_envelope (default: yes)

2926       The LMTP-specific version of the smtp_quote_rfc821_envelope  configura‐
2927       tion parameter.  See there for details.
2928
2929       This feature is available in Postfix 2.3 and later.
2930

lmtp_randomize_addresses (default: yes)

2932       The LMTP-specific version of the smtp_randomize_addresses configuration
2933       parameter.  See there for details.
2934
2935       This feature is available in Postfix 2.3 and later.
2936

lmtp_rcpt_timeout (default: 300s)

2938       The Postfix LMTP client time limit for sending the RCPT TO command, and
2939       for receiving the remote LMTP server response.
2940
2941       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2942       The default time unit is s (seconds).
2943

lmtp_reply_filter (default: empty)

2945       The LMTP-specific version of the smtp_reply_filter configuration param‐
2946       eter.  See there for details.
2947
2948       This feature is available in Postfix 2.7 and later.
2949

lmtp_rset_timeout (default: 20s)

2951       The  Postfix  LMTP  client time limit for sending the RSET command, and
2952       for receiving the remote LMTP server response. The  LMTP  client  sends
2953       RSET  in order to finish a recipient address probe, or to verify that a
2954       cached connection is still alive.
2955
2956       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2957       The default time unit is s (seconds).
2958

lmtp_sasl_auth_cache_name (default: empty)

2960       The  LMTP-specific  version of the smtp_sasl_auth_cache_name configura‐
2961       tion parameter.  See there for details.
2962
2963       This feature is available in Postfix 2.5 and later.
2964

lmtp_sasl_auth_cache_time (default: 90d)

2966       The LMTP-specific version of the  smtp_sasl_auth_cache_time  configura‐
2967       tion parameter.  See there for details.
2968
2969       This feature is available in Postfix 2.5 and later.
2970

lmtp_sasl_auth_enable (default: no)

2972       Enable SASL authentication in the Postfix LMTP client.
2973

lmtp_sasl_auth_soft_bounce (default: yes)

2975       The  LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
2976       tion parameter.  See there for details.
2977
2978       This feature is available in Postfix 2.5 and later.
2979

lmtp_sasl_mechanism_filter (default: empty)

2981       The LMTP-specific version of the smtp_sasl_mechanism_filter  configura‐
2982       tion parameter.  See there for details.
2983
2984       This feature is available in Postfix 2.3 and later.
2985

lmtp_sasl_password_maps (default: empty)

2987       Optional  Postfix  LMTP client lookup tables with one username:password
2988       entry per host or domain.  If a remote host  or  domain  has  no  user‐
2989       name:password  entry,  then the Postfix LMTP client will not attempt to
2990       authenticate to the remote host.
2991

lmtp_sasl_path (default: empty)

2993       Implementation-specific information that is passed through to the  SASL
2994       plug-in implementation that is selected with lmtp_sasl_type.  Typically
2995       this specifies the name of a configuration file or rendezvous point.
2996
2997       This feature is available in Postfix 2.3 and later.
2998

lmtp_sasl_security_options (default: noplaintext, noanonymous)

3000       SASL security options; as of Postfix 2.3 the list of available features
3001       depends  on  the  SASL  client  implementation  that  is  selected with
3002       lmtp_sasl_type.
3003
3004       The following security features are defined for the cyrus  client  SASL
3005       implementation:
3006
3007       noplaintext
3008              Disallow authentication methods that use plaintext passwords.
3009
3010       noactive
3011              Disallow  authentication methods that are vulnerable to non-dic‐
3012              tionary active attacks.
3013
3014       nodictionary
3015              Disallow authentication methods that are vulnerable  to  passive
3016              dictionary attack.
3017
3018       noanonymous
3019              Disallow anonymous logins.
3020
3021       Example:
3022
3023       lmtp_sasl_security_options = noplaintext
3024

lmtp_sasl_tls_security_options (default: $lmtp_sasl_security_options)

3026       The LMTP-specific version of the smtp_sasl_tls_security_options config‐
3027       uration parameter.  See there for details.
3028
3029       This feature is available in Postfix 2.3 and later.
3030
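The interaction between lmtp_sasl_security_options and lmtp_sasl_tls_security_options (whose default is "$lmtp_sasl_security_options") is where plaintext credentials most often end up on an unencrypted session. The following is an added example and not part of the Postfix distribution: it parses a main.cf fragment using the logical-line and "$name" rules from the DESCRIPTION section, fills in the defaults documented above, and reports SASL settings that a reviewer would flag. The set of TLS security levels treated as mandatory is an assumption taken from the smtp_tls_security_level values documented elsewhere in this manual; the two main.cf fragments are constructed samples.

```python
"""Added example, not Postfix code: audit the LMTP client SASL settings
from a main.cf fragment, resolving defaults and $name references."""
import re
from typing import Dict, List, Set

# Defaults as documented in the parameter descriptions on this page.
DEFAULTS = {
    "lmtp_sasl_auth_enable": "no",
    "lmtp_sasl_security_options": "noplaintext, noanonymous",
    "lmtp_sasl_tls_security_options": "$lmtp_sasl_security_options",
    "lmtp_sasl_password_maps": "",
    "lmtp_tls_security_level": "",
}
# Assumption: security levels at which the client requires TLS before
# sending credentials (values from smtp_tls_security_level).
MANDATORY_TLS_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

_REF = re.compile(r"\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))")


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'parameter = value' logical lines: a line starting with
    whitespace continues the previous one; '#' and blank lines are ignored."""
    params: Dict[str, str] = {}
    logical: List[str] = []
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last line
        if raw[:1].isspace() and raw.strip() and logical:
            logical.append(raw.strip())
            continue
        if logical:
            name, _, value = " ".join(logical).partition("=")
            params[name.strip()] = value.strip()
            logical = []
        if raw.strip() and not raw.lstrip().startswith("#"):
            logical.append(raw.rstrip())
    return params


def expand(value: str, params: Dict[str, str]) -> str:
    """Recursively replace $name and ${name}; undefined names become empty."""
    def repl(m: "re.Match") -> str:
        name = m.group(1) or m.group(2)
        return expand(params.get(name, DEFAULTS.get(name, "")), params)
    return _REF.sub(repl, value)


def get(params: Dict[str, str], name: str) -> str:
    return expand(params.get(name, DEFAULTS.get(name, "")), params)


def options(value: str) -> Set[str]:
    return {o for o in re.split(r"[\s,]+", value.lower()) if o}


def audit_lmtp_sasl(text: str) -> List[str]:
    """Return human-readable findings for the LMTP client SASL configuration."""
    p = parse_main_cf(text)
    findings: List[str] = []
    if get(p, "lmtp_sasl_auth_enable").lower() != "yes":
        return findings                              # SASL off: nothing to audit
    if not get(p, "lmtp_sasl_password_maps"):
        findings.append("lmtp_sasl_auth_enable=yes but lmtp_sasl_password_maps is empty")
    plain = options(get(p, "lmtp_sasl_security_options"))
    tls = options(get(p, "lmtp_sasl_tls_security_options"))
    tls_mandatory = get(p, "lmtp_tls_security_level").lower() in MANDATORY_TLS_LEVELS
    if "noplaintext" not in plain and not tls_mandatory:
        findings.append("plaintext SASL mechanisms allowed on unencrypted LMTP sessions")
    for name, opts in (("lmtp_sasl_security_options", plain),
                       ("lmtp_sasl_tls_security_options", tls)):
        if "noanonymous" not in opts:
            findings.append(f"{name} permits anonymous login")
    return findings


# Constructed sample: plaintext mechanisms permitted, TLS only opportunistic.
WEAK = """# constructed main.cf fragment
lmtp_sasl_auth_enable = yes
lmtp_sasl_password_maps = hash:/etc/postfix/lmtp_sasl_passwd
lmtp_sasl_security_options = noanonymous
lmtp_tls_security_level = may
"""

# Constructed sample: plaintext only once TLS is up, TLS required.
HARDENED = """# constructed main.cf fragment
lmtp_sasl_auth_enable = yes
lmtp_sasl_password_maps = hash:/etc/postfix/lmtp_sasl_passwd
lmtp_sasl_security_options = noplaintext,
    noanonymous
lmtp_sasl_tls_security_options = noanonymous
lmtp_tls_security_level = encrypt
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_lmtp_sasl(cfg) or ["ok"])
```

The HARDENED fragment relaxes lmtp_sasl_tls_security_options to "noanonymous" on purpose: with TLS mandatory, a plaintext mechanism over the encrypted channel is the usual way to authenticate to a content filter that offers nothing better, while the non-TLS options keep "noplaintext" as a backstop.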

lmtp_sasl_tls_verified_security_options (default: $lmtp_sasl_tls_security_options)

       The LMTP-specific version of the smtp_sasl_tls_verified_security_options
       configuration parameter.  See there for details.

       This feature is available in Postfix 2.3 and later.


lmtp_sasl_type (default: cyrus)

3039       The SASL plug-in type that the  Postfix  LMTP  client  should  use  for
3040       authentication.   The available types are listed with the "postconf -A"
3041       command.
3042
3043       This feature is available in Postfix 2.3 and later.
3044

lmtp_send_dummy_mail_auth (default: no)

3046       The LMTP-specific version of the  smtp_send_dummy_mail_auth  configura‐
3047       tion parameter.  See there for details.
3048
3049       This feature is available in Postfix 2.9 and later.
3050

lmtp_send_xforward_command (default: no)

3052       Send  an  XFORWARD command to the remote LMTP server when the LMTP LHLO
3053       server response announces XFORWARD support.   This  allows  an  lmtp(8)
3054       delivery  agent,  used for content filter message injection, to forward
3055       the name, address, protocol and HELO name of the original client to the
3056       content  filter  and downstream queuing LMTP server.  Before you change
3057       the value to yes, it is best to make sure that your content filter sup‐
3058       ports this command.
3059
3060       This feature is available in Postfix 2.1 and later.
3061

lmtp_sender_dependent_authentication (default: no)

3063       The  LMTP-specific  version of the smtp_sender_dependent_authentication
3064       configuration parameter.  See there for details.
3065
3066       This feature is available in Postfix 2.3 and later.
3067

lmtp_skip_5xx_greeting (default: yes)

3069       The LMTP-specific version of the  smtp_skip_5xx_greeting  configuration
3070       parameter.  See there for details.
3071
3072       This feature is available in Postfix 2.3 and later.
3073

lmtp_skip_quit_response (default: no)

3075       Wait for the response to the LMTP QUIT command.
3076

lmtp_starttls_timeout (default: 300s)

3078       The  LMTP-specific  version  of the smtp_starttls_timeout configuration
3079       parameter.  See there for details.
3080
3081       This feature is available in Postfix 2.3 and later.
3082

lmtp_tcp_port (default: 24)

3084       The default TCP port that the Postfix LMTP client connects to.  Specify
3085       a symbolic name (see services(5)) or a numeric port.
3086

lmtp_tls_CAfile (default: empty)

3088       The  LMTP-specific version of the smtp_tls_CAfile configuration parame‐
3089       ter.  See there for details.
3090
3091       This feature is available in Postfix 2.3 and later.
3092

lmtp_tls_CApath (default: empty)

3094       The LMTP-specific version of the smtp_tls_CApath configuration  parame‐
3095       ter.  See there for details.
3096
3097       This feature is available in Postfix 2.3 and later.
3098

lmtp_tls_block_early_mail_reply (default: empty)

3100       The  LMTP-specific  version of the smtp_tls_block_early_mail_reply con‐
3101       figuration parameter.  See there for details.
3102
3103       This feature is available in Postfix 2.7 and later.
3104

lmtp_tls_cert_file (default: empty)

3106       The  LMTP-specific  version  of  the  smtp_tls_cert_file  configuration
3107       parameter.  See there for details.
3108
3109       This feature is available in Postfix 2.3 and later.
3110

lmtp_tls_chain_files (default: empty)

3112       The  LMTP-specific  version  of  the smtp_tls_chain_files configuration
3113       parameter. See there for details.
3114
3115       This feature is available in Postfix 3.4 and later.
3116

lmtp_tls_ciphers (default: medium)

3118       The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
3119       ter. See there for details.
3120
3121       This feature is available in Postfix 2.6 and later.
3122

lmtp_tls_connection_reuse (default: no)

3124       The  LMTP-specific  version of the smtp_tls_connection_reuse configura‐
3125       tion parameter. See there for details.
3126
3127       This feature is available in Postfix 3.4 and later.
3128

lmtp_tls_dcert_file (default: empty)

3130       The LMTP-specific  version  of  the  smtp_tls_dcert_file  configuration
3131       parameter.  See there for details.
3132
3133       This feature is available in Postfix 2.3 and later.
3134

lmtp_tls_dkey_file (default: $lmtp_tls_dcert_file)

3136       The  LMTP-specific  version  of  the  smtp_tls_dkey_file  configuration
3137       parameter.  See there for details.
3138
3139       This feature is available in Postfix 2.3 and later.
3140

lmtp_tls_eccert_file (default: empty)

3142       The LMTP-specific version  of  the  smtp_tls_eccert_file  configuration
3143       parameter.  See there for details.
3144
3145       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
3146       compiled and linked with OpenSSL 1.0.0 or later.
3147

lmtp_tls_eckey_file (default: empty)

3149       The LMTP-specific  version  of  the  smtp_tls_eckey_file  configuration
3150       parameter.  See there for details.
3151
3152       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
3153       compiled and linked with OpenSSL 1.0.0 or later.
3154

lmtp_tls_enforce_peername (default: yes)

3156       The LMTP-specific version of the  smtp_tls_enforce_peername  configura‐
3157       tion parameter.  See there for details.
3158
3159       This feature is available in Postfix 2.3 and later.
3160

lmtp_tls_exclude_ciphers (default: empty)

3162       The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
3163       parameter.  See there for details.
3164
3165       This feature is available in Postfix 2.3 and later.
3166

lmtp_tls_fingerprint_cert_match (default: empty)

3168       The LMTP-specific version of the  smtp_tls_fingerprint_cert_match  con‐
3169       figuration parameter.  See there for details.
3170
3171       This feature is available in Postfix 2.5 and later.
3172

lmtp_tls_fingerprint_digest (default: md5)

3174       The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
3175       tion parameter.  See there for details.
3176
3177       This feature is available in Postfix 2.5 and later.
3178

lmtp_tls_force_insecure_host_tlsa_lookup (default: no)

3180       The    LMTP-specific    version     of     the     smtp_tls_force_inse‐
3181       cure_host_tlsa_lookup configuration parameter.  See there for details.
3182
3183       This feature is available in Postfix 2.11 and later.
3184

lmtp_tls_key_file (default: $lmtp_tls_cert_file)

3186       The LMTP-specific version of the smtp_tls_key_file configuration param‐
3187       eter.  See there for details.
3188
3189       This feature is available in Postfix 2.3 and later.
3190

lmtp_tls_loglevel (default: 0)

3192       The LMTP-specific version of the smtp_tls_loglevel configuration param‐
3193       eter.  See there for details.
3194
3195       This feature is available in Postfix 2.3 and later.
3196

lmtp_tls_mandatory_ciphers (default: medium)

3198       The  LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
3199       tion parameter.  See there for details.
3200
3201       This feature is available in Postfix 2.3 and later.
3202

lmtp_tls_mandatory_exclude_ciphers (default: empty)

3204       The LMTP-specific  version  of  the  smtp_tls_mandatory_exclude_ciphers
3205       configuration parameter.  See there for details.
3206
3207       This feature is available in Postfix 2.3 and later.
3208

lmtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

3210       The  LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
3211       ration parameter. See there for details.
3212
3213       This feature is available in Postfix 2.3 and later.
3214

lmtp_tls_note_starttls_offer (default: no)

3216       The LMTP-specific version of the smtp_tls_note_starttls_offer  configu‐
3217       ration parameter.  See there for details.
3218
3219       This feature is available in Postfix 2.3 and later.
3220

lmtp_tls_per_site (default: empty)

3222       The LMTP-specific version of the smtp_tls_per_site configuration param‐
3223       eter.  See there for details.
3224
3225       This feature is available in Postfix 2.3 and later.
3226

lmtp_tls_policy_maps (default: empty)

3228       The LMTP-specific version  of  the  smtp_tls_policy_maps  configuration
3229       parameter. See there for details.
3230
3231       This feature is available in Postfix 2.3 and later.
3232

lmtp_tls_protocols (default: !SSLv2, !SSLv3)

3234       The  LMTP-specific  version  of  the  smtp_tls_protocols  configuration
3235       parameter. See there for details.
3236
3237       This feature is available in Postfix 2.6 and later.
3238

lmtp_tls_scert_verifydepth (default: 9)

3240       The LMTP-specific version of the smtp_tls_scert_verifydepth  configura‐
3241       tion parameter.  See there for details.
3242
3243       This feature is available in Postfix 2.3 and later.
3244

lmtp_tls_secure_cert_match (default: nexthop)

       The LMTP-specific version of the smtp_tls_secure_cert_match configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.


lmtp_tls_security_level (default: empty)

       The LMTP-specific version of the smtp_tls_security_level configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.


lmtp_tls_servername (default: empty)

       The LMTP-specific version of the smtp_tls_servername configuration
       parameter. See there for details.

       This feature is available in Postfix 3.4 and later.


lmtp_tls_session_cache_database (default: empty)

       The LMTP-specific version of the smtp_tls_session_cache_database
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.


lmtp_tls_session_cache_timeout (default: 3600s)

       The LMTP-specific version of the smtp_tls_session_cache_timeout
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.


lmtp_tls_trust_anchor_file (default: empty)

       The LMTP-specific version of the smtp_tls_trust_anchor_file
       configuration parameter. See there for details.

       This feature is available in Postfix 2.11 and later.


lmtp_tls_verify_cert_match (default: hostname)

       The LMTP-specific version of the smtp_tls_verify_cert_match
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.


lmtp_use_tls (default: no)

       The LMTP-specific version of the smtp_use_tls configuration parameter.
       See there for details.

       This feature is available in Postfix 2.3 and later.


lmtp_xforward_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the XFORWARD command,
       and for receiving the remote LMTP server response.

       In case of problems the client does NOT try the next address on the
       mail exchanger list.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.


local_command_shell (default: empty)

       Optional shell program for local(8) delivery to non-Postfix commands.
       By default, non-Postfix commands are executed directly; commands are
       given to the default shell (typically, /bin/sh) only when they contain
       shell meta characters or shell built-in commands.

       "sendmail's restricted shell" (smrsh) is what most people will use in
       order to restrict what programs can be run from e.g. .forward files
       (smrsh is part of the Sendmail distribution).

       Note: when a shell program is specified, it is invoked even when the
       command contains no shell built-in commands or meta characters.

       Example:

       local_command_shell = /some/where/smrsh -c
       local_command_shell = /bin/bash -c


local_delivery_status_filter (default: $default_delivery_status_filter)

       Optional filter for the local(8) delivery agent to change the status
       code or explanatory text of successful or unsuccessful deliveries. See
       default_delivery_status_filter for details.

       This feature is available in Postfix 3.0 and later.


local_destination_concurrency_limit (default: 2)

       The maximal number of parallel deliveries via the local mail delivery
       transport to the same recipient (when "local_destination_recipient_limit
       = 1") or the maximal number of parallel deliveries to the same local
       domain (when "local_destination_recipient_limit > 1"). This limit is
       enforced by the queue manager. The message delivery transport name is
       the first field in the entry in the master.cf file.

       A low limit of 2 is recommended, just in case someone has an expensive
       shell command in a .forward file or in an alias (e.g., a mailing list
       manager). You don't want to run lots of those at the same time.


local_destination_recipient_limit (default: 1)

       The maximal number of recipients per message delivery via the local
       mail delivery transport. This limit is enforced by the queue manager.
       The message delivery transport name is the first field in the entry in
       the master.cf file.

       Setting this parameter to a value > 1 changes the meaning of
       local_destination_concurrency_limit from concurrency per recipient into
       concurrency per domain.


local_header_rewrite_clients (default: permit_inet_interfaces)

       Rewrite message header addresses in mail from these clients and update
       incomplete addresses with the domain name in $myorigin or $mydomain;
       either don't rewrite message headers from other clients at all, or
       rewrite message headers and update incomplete addresses with the domain
       specified in the remote_header_rewrite_domain parameter.

       See the append_at_myorigin and append_dot_mydomain parameters for
       details of how domain names are appended to incomplete addresses.

       Specify a list of zero or more of the following:

       permit_inet_interfaces
              Append the domain name in $myorigin or $mydomain when the client
              IP address matches $inet_interfaces. This is enabled by default.

       permit_mynetworks
              Append the domain name in $myorigin or $mydomain when the client
              IP address matches any network or network address listed in
              $mynetworks. This setting will not prevent remote mail header
              address rewriting when mail from a remote client is forwarded by
              a neighboring system.

       permit_sasl_authenticated
              Append the domain name in $myorigin or $mydomain when the client
              is successfully authenticated via the RFC 4954 (AUTH) protocol.

       permit_tls_clientcerts
              Append the domain name in $myorigin or $mydomain when the remote
              SMTP client TLS certificate fingerprint or public key fingerprint
              (Postfix 2.9 and later) is listed in $relay_clientcerts. The
              fingerprint digest algorithm is configurable via the
              smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
              to Postfix version 2.5).

       permit_tls_all_clientcerts
              Append the domain name in $myorigin or $mydomain when the remote
              SMTP client TLS certificate is successfully verified, regardless
              of whether it is listed on the server, and regardless of the
              certifying authority.

       check_address_map type:table

       type:table
              Append the domain name in $myorigin or $mydomain when the client
              IP address matches the specified lookup table. The lookup
              result is ignored, and no subnet lookup is done. This is suitable
              for, e.g., pop-before-smtp lookup tables.

       Examples:

       The Postfix < 2.2 backwards compatible setting: always rewrite message
       headers, and always append my own domain to incomplete header
       addresses.

           local_header_rewrite_clients = static:all

       The purist (and default) setting: rewrite headers only in mail from
       Postfix sendmail and in SMTP mail from this machine.

           local_header_rewrite_clients = permit_inet_interfaces

       The intermediate setting: rewrite header addresses and append $myorigin
       or $mydomain information only with mail from Postfix sendmail, from
       local clients, or from authorized SMTP clients.

       Note: this setting will not prevent remote mail header address
       rewriting when mail from a remote client is forwarded by a neighboring
       system.

           local_header_rewrite_clients = permit_mynetworks,
               permit_sasl_authenticated permit_tls_clientcerts
               check_address_map hash:/etc/postfix/pop-before-smtp

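       The following is an added example, not Postfix code, that walks a
       local_header_rewrite_clients list for one SMTP client the way the text
       above describes: items are tried left to right, the first match decides,
       "check_address_map type:table" consumes the table token that follows it,
       and a bare "type:table" (including "static:all") is an exact-key lookup
       whose result is ignored. The interface list, $mynetworks, the
       $relay_clientcerts fingerprint and the pop-before-smtp table contents
       are constructed stand-ins for main.cf values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for main.cf values and lookup tables.
INET_INTERFACES = {"127.0.0.1", "192.0.2.10"}
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]
RELAY_CLIENTCERTS = {"AA:BB:CC:DD": "relay-1 (constructed fingerprint)"}
TABLES = {"hash:/etc/postfix/pop-before-smtp": {"198.51.100.7"}}  # lookup keys only


@dataclass
class Client:
    ip: str
    sasl_authenticated: bool = False
    tls_fingerprint: Optional[str] = None   # cert or public-key fingerprint
    tls_verified: bool = False              # certificate chain verified


def _table_has(table: str, key: str) -> bool:
    # Exact-key lookup, result ignored, no subnet lookup (as the page states);
    # a "static:" table matches every key.
    if table.startswith("static:"):
        return True
    return key in TABLES.get(table, set())


def rewrite_with_my_domain(setting: str, client: Client) -> bool:
    """True: rewrite headers, appending $myorigin/$mydomain.
    False: the client is treated as remote (remote_header_rewrite_domain rules)."""
    tokens = iter(setting.replace(",", " ").split())
    for item in tokens:
        if item == "permit_inet_interfaces":
            matched = client.ip in INET_INTERFACES
        elif item == "permit_mynetworks":
            addr = ip_address(client.ip)
            matched = any(addr in ip_network(net) for net in MYNETWORKS)
        elif item == "permit_sasl_authenticated":
            matched = client.sasl_authenticated
        elif item == "permit_tls_clientcerts":
            matched = client.tls_fingerprint in RELAY_CLIENTCERTS
        elif item == "permit_tls_all_clientcerts":
            matched = client.tls_verified
        elif item == "check_address_map":
            matched = _table_has(next(tokens), client.ip)   # consumes "type:table"
        elif ":" in item:
            matched = _table_has(item, client.ip)           # bare "type:table"
        else:
            raise ValueError(f"unknown list item: {item!r}")
        if matched:
            return True          # first match wins
    return False


DEFAULT_SETTING = "permit_inet_interfaces"
INTERMEDIATE_SETTING = ("permit_mynetworks, permit_sasl_authenticated "
                        "permit_tls_clientcerts "
                        "check_address_map hash:/etc/postfix/pop-before-smtp")

if __name__ == "__main__":
    for c in (Client("192.0.2.10"), Client("192.0.2.55"),
              Client("203.0.113.5", sasl_authenticated=True)):
        print(c.ip, rewrite_with_my_domain(DEFAULT_SETTING, c),
              rewrite_with_my_domain(INTERMEDIATE_SETTING, c))
```

       With the default setting only the machine's own interface addresses
       qualify; the intermediate setting additionally admits $mynetworks, SASL
       and listed-certificate clients, which is why the page warns that it does
       not stop rewriting of remote mail relayed through a neighboring system.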

local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)

       Lookup tables with all names or addresses of local recipients: a
       recipient address is local when its domain matches $mydestination,
       $inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card
       for domains that do not have a valid recipient list. Technically,
       tables listed with $local_recipient_maps are used as lists: Postfix
       needs to know only if a lookup string is found or not, but it does not
       use the result from table lookup.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       If this parameter is non-empty (the default), then the Postfix SMTP
       server will reject mail for unknown local users.

       To turn off local recipient checking in the Postfix SMTP server,
       specify "local_recipient_maps =" (i.e. empty).

       The default setting assumes that you use the default Postfix local
       delivery agent for local delivery. You need to update the
       local_recipient_maps setting if:

       ·      You redefine the local delivery agent in master.cf.

       ·      You redefine the "local_transport" setting in main.cf.

       ·      You use the "luser_relay", "mailbox_transport", or
              "fallback_transport" feature of the Postfix local(8) delivery
              agent.

       Details are described in the LOCAL_RECIPIENT_README file.

       Beware: if the Postfix SMTP server runs chrooted, you need to access
       the passwd file via the proxymap(8) service, in order to overcome
       chroot access restrictions. The alternative, maintaining a copy of the
       system password file in the chroot jail, is not practical.

       Examples:

       local_recipient_maps =


local_transport (default: local:$myhostname)

       The default mail delivery transport and next-hop destination for final
       delivery to domains listed with mydestination, and for [ipaddress]
       destinations that match $inet_interfaces or $proxy_interfaces. This
       information can be overruled with the transport(5) table.

       By default, local mail is delivered to the transport called "local",
       which is just the name of a service that is defined in the master.cf
       file.

       Specify a string of the form transport:nexthop, where transport is the
       name of a mail delivery transport defined in master.cf. The :nexthop
       destination is optional; its syntax is documented in the manual page of
       the corresponding delivery agent.

       Beware: if you override the default local delivery agent then you need
       to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
       server may reject mail for local recipients.


luser_relay (default: empty)

       Optional catch-all destination for unknown local(8) recipients. By
       default, mail for unknown recipients in domains that match
       $mydestination, $inet_interfaces or $proxy_interfaces is returned as
       undeliverable.

       The luser_relay value is not subject to Postfix configuration parameter
       $name expansion. Instead, the following $name expansions are done:

       $domain
              The recipient domain.

       $extension
              The recipient address extension.

       $home  The recipient's home directory.

       $local The entire recipient address localpart.

       $recipient
              The full recipient address.

       $recipient_delimiter
              The address extension delimiter that was found in the recipient
              address (Postfix 2.11 and later), or the system-wide recipient
              address extension delimiter (Postfix 2.10 and earlier).

       $shell The recipient's login shell.

       $user  The recipient username.

       ${name?value}
              Expands to value when $name has a non-empty value.

       ${name:value}
              Expands to value when $name has an empty value.

       Instead of $name you can also specify ${name} or $(name).

       Note: luser_relay works only for the Postfix local(8) delivery agent.

       Note: if you use this feature for accounts not in the UNIX password
       file, then you must specify "local_recipient_maps =" (i.e. empty) in
       the main.cf file, otherwise the Postfix SMTP server will reject mail
       for non-UNIX accounts with "User unknown in local recipient table".

       Examples:

       luser_relay = $user@other.host
       luser_relay = $local@other.host
       luser_relay = admin+$local

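       The following is an added example, not Postfix code, of the luser_relay
       expansion rules listed above: $name, ${name} and $(name) are replaced
       by the recipient attribute, an unknown name expands to empty, and
       ${name?text} / ${name:text} select text on a non-empty or empty value.
       The recipient attributes are constructed, and re-expanding the selected
       conditional text is an assumption of this example, not something the
       page states.

```python
import re

# Constructed attributes of one recipient as local(8) would know them.
SAMPLE_ATTRS = {
    "domain": "example.com",
    "extension": "lists",
    "home": "/home/alice",
    "local": "alice+lists",
    "recipient": "alice+lists@example.com",
    "recipient_delimiter": "+",
    "shell": "/bin/sh",
    "user": "alice",
}

# Matches $name, ${name}, $(name), ${name?text} and ${name:text}.
_TOKEN = re.compile(
    r"\$(?:(?P<bare>[A-Za-z0-9_]+)"
    r"|\{(?P<brace>[A-Za-z0-9_]+)(?:(?P<op>[?:])(?P<text>[^}]*))?\}"
    r"|\((?P<paren>[A-Za-z0-9_]+)\))"
)


def expand_luser_relay(template: str, attrs: dict) -> str:
    def repl(m):
        name = m.group("bare") or m.group("brace") or m.group("paren")
        value = attrs.get(name, "")          # unknown names expand to empty
        op = m.group("op")
        if op is None:
            return value
        # "?" selects the text when $name is non-empty, ":" when it is empty.
        chosen = (op == "?") == bool(value)
        # Assumption: the selected text is itself subject to expansion.
        return expand_luser_relay(m.group("text"), attrs) if chosen else ""
    return _TOKEN.sub(repl, template)


if __name__ == "__main__":
    for setting in ("$user@other.host", "$local@other.host", "admin+$local",
                    "${extension?$user-$extension@lists.example.net}"):
        print(f"luser_relay = {setting:45} -> {expand_luser_relay(setting, SAMPLE_ATTRS)}")
```

       The three examples from the page expand to alice@other.host,
       alice+lists@other.host and admin+alice+lists for this recipient.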

mail_name (default: Postfix)

       The mail system name that is displayed in Received: headers, in the
       SMTP greeting banner, and in bounced mail.


mail_owner (default: postfix)

       The UNIX system account that owns the Postfix queue and most Postfix
       daemon processes. Specify the name of an unprivileged user account
       that does not share a user or group ID with other accounts, and that
       owns no other files or processes on the system. In particular, don't
       specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.

       When this parameter value is changed you need to re-run "postfix
       set-permissions" (with Postfix version 2.0 and earlier:
       "/etc/postfix/post-install set-permissions").


mail_release_date (default: see postconf -d output)

       The Postfix release date, in "YYYYMMDD" format.


mail_spool_directory (default: see postconf -d output)

       The directory where local(8) UNIX-style mailboxes are kept. The default
       setting depends on the system type. Specify a name ending in / for
       maildir-style delivery.

       Note: maildir delivery is done with the privileges of the recipient.
       If you use the mail_spool_directory setting for maildir style delivery,
       then you must create the top-level maildir directory in advance.
       Postfix will not create it.

       Examples:

       mail_spool_directory = /var/mail
       mail_spool_directory = /var/spool/mail


mail_version (default: see postconf -d output)

       The version of the mail system. Stable releases are named
       major.minor.patchlevel. Experimental releases also include the release
       date. The version string can be used in, for example, the SMTP greeting
       banner.


mailbox_command (default: empty)

       Optional external command that the local(8) delivery agent should use
       for mailbox delivery. The command is run with the user ID and the
       primary group ID privileges of the recipient. Exception: command
       delivery for root executes with $default_privs privileges. This is not
       a problem, because 1) mail for root should always be aliased to a real
       user and 2) don't log in as root, use "su" instead.

       The following environment variables are exported to the command:

       CLIENT_ADDRESS
              Remote client network address. Available in Postfix version 2.2
              and later.

       CLIENT_HELO
              Remote client EHLO command parameter. Available in Postfix
              version 2.2 and later.

       CLIENT_HOSTNAME
              Remote client hostname. Available in Postfix version 2.2 and
              later.

       CLIENT_PROTOCOL
              Remote client protocol. Available in Postfix version 2.2 and
              later.

       DOMAIN The domain part of the recipient address.

       EXTENSION
              The optional address extension.

       HOME   The recipient home directory.

       LOCAL  The recipient address localpart.

       LOGNAME
              The recipient's username.

       ORIGINAL_RECIPIENT
              The entire recipient address, before any address rewriting or
              aliasing.

       RECIPIENT
              The full recipient address.

       SASL_METHOD
              SASL authentication method specified in the remote client AUTH
              command. Available in Postfix version 2.2 and later.

       SASL_SENDER
              SASL sender address specified in the remote client MAIL FROM
              command. Available in Postfix version 2.2 and later.

       SASL_USER
              SASL username specified in the remote client AUTH command.
              Available in Postfix version 2.2 and later.

       SENDER The full sender address.

       SHELL  The recipient's login shell.

       USER   The recipient username.

       Unlike other Postfix configuration parameters, the mailbox_command
       parameter is not subjected to $name substitutions. This is to make it
       easier to specify shell syntax (see example below).

       If you can, avoid shell meta characters because they will force Postfix
       to run an expensive shell process. If you're delivering via "procmail"
       then running a shell won't make a noticeable difference in the total
       cost.

       Note: if you use the mailbox_command feature to deliver mail
       system-wide, you must set up an alias that forwards mail for root to a
       real user.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

       Examples:

       mailbox_command = /some/where/procmail
       mailbox_command = /some/where/procmail -a "$EXTENSION"
       mailbox_command = /some/where/maildrop -d "$USER"
               -f "$SENDER" "$EXTENSION"


mailbox_command_maps (default: empty)

       Optional lookup tables with per-recipient external commands to use for
       local(8) mailbox delivery. Behavior is as with mailbox_command.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.


mailbox_delivery_lock (default: see postconf -d output)

       How to lock a UNIX-style local(8) mailbox before attempting delivery.
       For a list of available file locking methods, use the "postconf -l"
       command.

       This setting is ignored with maildir style delivery, because such
       deliveries are safe without explicit locks.

       Note: The dotlock method requires that the recipient UID or GID has
       write access to the parent directory of the mailbox file.

       Note: the default setting of this parameter is system dependent.


mailbox_size_limit (default: 51200000)

       The maximal size of any local(8) individual mailbox or maildir file, or
       zero (no limit). In fact, this limits the size of any file that is
       written to upon local delivery, including files written by external
       commands that are executed by the local(8) delivery agent.

       This limit must not be smaller than the message size limit.


mailbox_transport (default: empty)

       Optional message delivery transport that the local(8) delivery agent
       should use for mailbox delivery to all local recipients, whether or not
       they are found in the UNIX passwd database.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.


mailbox_transport_maps (default: empty)

       Optional lookup tables with per-recipient message delivery transports
       to use for local(8) mailbox delivery, whether or not the recipients are
       found in the UNIX passwd database.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       For safety reasons, this feature does not allow $number substitutions
       in regular expression maps.

       This feature is available in Postfix 2.3 and later.


maillog_file (default: empty)

       The name of an optional logfile that is written by the Postfix
       postlogd(8) service. An empty value selects logging to syslogd(8).
       Specify "/dev/stdout" to select logging to standard output. Stdout
       logging requires that Postfix is started with "postfix start-fg".

       Note 1: The maillog_file parameter value must contain a prefix that is
       specified with the maillog_file_prefixes parameter.

       Note 2: Some Postfix non-daemon programs may still log information to
       syslogd(8), before they have processed their configuration parameters
       and command-line options.

       This feature is available in Postfix 3.4 and later.


maillog_file_compressor (default: gzip)

       The program to run after rotating $maillog_file with "postfix
       logrotate". The command is run with the rotated logfile name as its
       first argument.

       This feature is available in Postfix 3.4 and later.


maillog_file_prefixes (default: /var, /dev/stdout)

       A list of allowed prefixes for a maillog_file value. This is a safety
       feature to contain the damage from a single configuration mistake.
       Specify one or more prefix strings, separated by comma or whitespace.

       This feature is available in Postfix 3.4 and later.


maillog_file_rotate_suffix (default: %Y%m%d-%H%M%S)

       The format of the suffix to append to $maillog_file while rotating the
       file with "postfix logrotate". See strftime(3) for syntax. The default
       suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently.

       This feature is available in Postfix 3.4 and later.


mailq_path (default: see postconf -d output)

       Sendmail compatibility feature that specifies where the Postfix
       mailq(1) command is installed. This command can be used to list the
       Postfix mail queue.


manpage_directory (default: see postconf -d output)

       Where the Postfix manual pages are installed.


maps_rbl_domains (default: empty)

       Obsolete feature: use the reject_rbl_client feature instead.


maps_rbl_reject_code (default: 554)

       The numerical Postfix SMTP server response code when a remote SMTP
       client request is blocked by the reject_rbl_client,
       reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender
       or reject_rhsbl_recipient restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.


masquerade_classes (default: envelope_sender, header_sender, header_recipient)

       What addresses are subject to address masquerading.

       By default, address masquerading is limited to envelope sender
       addresses, and to header sender and header recipient addresses. This
       allows you to use address masquerading on a mail gateway while still
       being able to forward mail to users on individual machines.

       Specify zero or more of: envelope_sender, envelope_recipient,
       header_sender, header_recipient


masquerade_domains (default: empty)

       Optional list of domains whose subdomain structure will be stripped off
       in email addresses.

       The list is processed left to right, and processing stops at the first
       match. Thus,

           masquerade_domains = foo.example.com example.com

       strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
       strips "user@any.thing.else.example.com" to "user@example.com".

       A domain name prefixed with ! means do not masquerade this domain or
       its subdomains. Thus,

           masquerade_domains = !foo.example.com example.com

       does not change "user@any.thing.foo.example.com" or
       "user@foo.example.com", but strips "user@any.thing.else.example.com"
       to "user@example.com".

       Note: with Postfix version 2.2, message header address masquerading
       happens only when message header address rewriting is enabled:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Example:

       masquerade_domains = $mydomain


masquerade_exceptions (default: empty)

       Optional list of user names that are not subjected to address
       masquerading, even when their addresses match $masquerade_domains.

       By default, address masquerading makes no exceptions.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a name from the list. The form "!/file/name" is
       supported only in Postfix version 2.4 and later.

       Examples:

       masquerade_exceptions = root, mailer-daemon
       masquerade_exceptions = root

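       The following is an added example, not Postfix code, that applies the
       masquerade_classes, masquerade_domains and masquerade_exceptions rules
       described above to single addresses and to one message's address set:
       the domain list is walked left to right, the first match (a domain or
       one of its subdomains) decides, a "!" prefix means leave the address
       alone, and a local part found in the exception list is never touched.
       Only literal user names are handled in the exception list; "/file/name"
       and "type:table" patterns are left out of this example. The message
       used below is constructed.

```python
def _split_list(setting: str) -> list:
    """Split a Postfix list value on commas and/or whitespace."""
    return setting.replace(",", " ").split()


def _is_exception(localpart: str, exceptions: str) -> bool:
    # Left to right, first match wins; "!name" means name is NOT an exception.
    for pat in _split_list(exceptions):
        negate = pat.startswith("!")
        name = pat[1:] if negate else pat
        if localpart == name:
            return not negate
    return False


def masquerade_address(address: str, masquerade_domains: str,
                       masquerade_exceptions: str = "") -> str:
    """Strip subdomain structure from one address per masquerade_domains."""
    localpart, sep, domain = address.rpartition("@")
    if not sep or _is_exception(localpart, masquerade_exceptions):
        return address
    dom = domain.lower()
    for pat in _split_list(masquerade_domains):
        negate = pat.startswith("!")
        name = (pat[1:] if negate else pat).lower()
        if dom == name or dom.endswith("." + name):
            # First match stops processing; "!" keeps the domain as-is.
            return address if negate else f"{localpart}@{name}"
    return address


def apply_masquerade_classes(message: dict, masquerade_classes: str,
                             masquerade_domains: str,
                             masquerade_exceptions: str = "") -> dict:
    """message maps class names (envelope_sender, envelope_recipient,
    header_sender, header_recipient) to addresses; only listed classes change."""
    out = dict(message)
    for cls in _split_list(masquerade_classes):
        if cls in out:
            out[cls] = masquerade_address(out[cls], masquerade_domains,
                                          masquerade_exceptions)
    return out


# Constructed message passing through a gateway for example.com.
SAMPLE_MESSAGE = {
    "envelope_sender": "alice@host1.example.com",
    "envelope_recipient": "bob@host2.example.com",
    "header_sender": "alice@host1.example.com",
    "header_recipient": "bob@host2.example.com",
}
DEFAULT_CLASSES = "envelope_sender, header_sender, header_recipient"

if __name__ == "__main__":
    for addr in ("user@any.thing.foo.example.com", "user@any.thing.else.example.com"):
        print(addr, "->", masquerade_address(addr, "foo.example.com example.com"))
    print(apply_masquerade_classes(SAMPLE_MESSAGE, DEFAULT_CLASSES, "example.com"))
```

       With the default classes the envelope recipient keeps its host name, so
       the gateway can still forward the message to the individual machine,
       which is the use case the masquerade_classes text describes.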

master_service_disable (default: empty)

       Selectively disable master(8) listener ports by service type or by
       service name and type. Specify a list of service types ("inet", "unix",
       "fifo", or "pass") or "name/type" tuples, where "name" is the first
       field of a master.cf entry and "type" is a service type. As with other
       Postfix matchlists, a search stops at the first match. Specify
       "!pattern" to exclude a service from the list. By default, all
       master(8) listener ports are enabled.

       Note: this feature does not support "/file/name" or "type:table"
       patterns, nor does it support wildcards such as "*" or "all". This is
       intentional.

       Examples:

       # With Postfix 2.6..2.10 use '.' instead of '/'.
       # Turn on all master(8) listener ports (the default).
       master_service_disable =
       # Turn off only the main SMTP listener port.
       master_service_disable = smtp/inet
       # Turn off all TCP/IP listener ports.
       master_service_disable = inet
       # Turn off all TCP/IP listener ports except "foo".
       master_service_disable = !foo/inet, inet

       This feature is available in Postfix 2.6 and later.

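       The following is an added example, not Postfix code, that resolves a
       master_service_disable value against a list of master.cf listener
       entries using the matchlist rule above (first match wins, "!pattern"
       keeps a port enabled, no match leaves it enabled) and rejects the
       pattern forms the Note says are unsupported. MASTER_CF is a constructed
       subset of (name, type) pairs in the Postfix 2.11+ "name/type" spelling.

```python
MASTER_CF = [
    ("smtp", "inet"),
    ("submission", "inet"),
    ("smtps", "inet"),
    ("pickup", "unix"),
    ("cleanup", "unix"),
    ("qmgr", "fifo"),
]


def service_enabled(name: str, stype: str, setting: str) -> bool:
    """Decide one listener's fate under a master_service_disable value."""
    for pat in setting.replace(",", " ").split():
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if pat in ("*", "all") or pat.startswith("/") or ":" in pat:
            raise ValueError(f"unsupported pattern in master_service_disable: {pat!r}")
        # "name/type" names one service; a bare type names all services of that type.
        matched = pat == f"{name}/{stype}" if "/" in pat else pat == stype
        if matched:
            return negate          # first match decides; "!pat" keeps it enabled
    return True                    # no match: enabled, the default


def enabled_services(setting: str, master_cf=MASTER_CF) -> list:
    return [(n, t) for n, t in master_cf if service_enabled(n, t, setting)]


if __name__ == "__main__":
    for setting in ("", "smtp/inet", "inet", "!submission/inet, inet"):
        print(f"master_service_disable = {setting!r:28} -> {enabled_services(setting)}")
```

       The last setting is the page's "all TCP/IP ports except one" pattern:
       submission/inet matches the negated item first and stays up, while the
       remaining inet listeners match the bare "inet" and are disabled.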

max_idle (default: 100s)

       The maximum amount of time that an idle Postfix daemon process waits
       for an incoming connection before terminating voluntarily. This
       parameter is ignored by the Postfix queue manager and by other
       long-lived Postfix daemon processes.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


max_use (default: 100)

       The maximal number of incoming connections that a Postfix daemon
       process will service before terminating voluntarily. This parameter is
       ignored by the Postfix queue manager and by other long-lived Postfix
       daemon processes.


maximal_backoff_time (default: 4000s)

       The maximal time between attempts to deliver a deferred message.

       This parameter should be set to a value greater than or equal to
       $minimal_backoff_time. See also $queue_run_delay.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


maximal_queue_lifetime (default: 5d)

       Consider a message as undeliverable, when delivery fails with a
       temporary error, and the time in the queue has reached the
       maximal_queue_lifetime limit.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is d (days).

       Specify 0 when mail delivery should be tried only once.


message_drop_headers (default: bcc, content-length, resent-bcc, return-path)

3917       Names  of  message headers that the cleanup(8) daemon will remove after
3918       applying header_checks(5) and before invoking Milter applications.  The
3919       default setting is compatible with Postfix < 3.0.
3920
3921       Specify a list of header names, separated by comma or space.  Names are
3922       matched in a case-insensitive manner.  The  list  of  supported  header
3923       names is limited only by available memory.
3924
3925       This feature is available in Postfix 3.0 and later.
3926

message_reject_characters (default: empty)

3928       The set of characters that Postfix will reject in message content.  The
3929       usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3930       (up to three octal digits) and \\.
3931
3932       Note  1: this feature does not recognize text that requires MIME decod‐
3933       ing. It inspects raw  message  content,  just  like  header_checks  and
3934       body_checks.
3935
3936       Note  2:  this  feature  is  disabled  with "receive_override_options =
3937       no_header_body_checks".
3938
3939       Example:
3940
3941       message_reject_characters = \0
3942
3943       This feature is available in Postfix 2.3 and later.
3944

message_size_limit (default: 10240000)

3946       The maximal size in bytes of a message, including envelope information.
3947
3948       Note: be careful when making changes.  Excessively  small  values  will
3949       result in the loss of non-delivery notifications, when a bounce message
3950       size exceeds the local or remote MTA's message size limit.
3951

message_strip_characters (default: empty)

       The set of characters that Postfix will remove from message content.
       The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
       \ddd (up to three octal digits) and \\.

       Note 1: this feature does not recognize text that requires MIME
       decoding. It inspects raw message content, just like header_checks and
       body_checks.

       Note 2: this feature is disabled with "receive_override_options =
       no_header_body_checks".

       Example:

       message_strip_characters = \0

       This feature is available in Postfix 2.3 and later.

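       The escape syntax shared by message_reject_characters and
       message_strip_characters is small enough to implement end to end. The
       following is an added example, not Postfix's own cleanup(8) code: it
       parses a parameter value into a set of byte values and then applies the
       reject or strip decision to raw message bytes, without any MIME
       decoding, as Note 1 of both entries describes. The function names and
       the sample message are constructed for this example.

```python
"""Added example (not Postfix's own code): parse the C-like escape syntax of
message_reject_characters / message_strip_characters into a set of byte
values, then apply the reject and strip decisions to raw message bytes."""

# Single-character escapes listed in the parameter description.
SIMPLE_ESCAPES = {
    "a": 0x07, "b": 0x08, "f": 0x0C, "n": 0x0A,
    "r": 0x0D, "t": 0x09, "v": 0x0B, "\\": 0x5C,
}
OCTAL_DIGITS = "01234567"


def parse_character_set(spec: str) -> frozenset:
    r"""Return the set of byte values denoted by a value such as r"\0\r".

    Recognized: \a \b \f \n \r \t \v \\ and \ddd (one to three octal
    digits); any other character stands for its own byte value.
    """
    result = set()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch != "\\":
            if ord(ch) > 0xFF:
                raise ValueError(f"non-byte character {ch!r} in character set")
            result.add(ord(ch))
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError("trailing backslash in character set")
        nxt = spec[i + 1]
        if nxt in SIMPLE_ESCAPES:
            result.add(SIMPLE_ESCAPES[nxt])
            i += 2
            continue
        # \ddd: consume at most three octal digits, so r"\0001" is NUL then "1"
        j = i + 1
        while j < len(spec) and j - (i + 1) < 3 and spec[j] in OCTAL_DIGITS:
            j += 1
        digits = spec[i + 1:j]
        if not digits:
            raise ValueError(f"unknown escape sequence \\{nxt}")
        value = int(digits, 8)
        if value > 0xFF:
            raise ValueError(f"octal escape \\{digits} does not fit in a byte")
        result.add(value)
        i = j
    return frozenset(result)


def rejects_content(content: bytes, reject_set: frozenset) -> bool:
    """True when raw content contains any byte from message_reject_characters."""
    return any(b in reject_set for b in content)


def strip_content(content: bytes, strip_set: frozenset) -> bytes:
    """Raw content with every byte from message_strip_characters removed."""
    return bytes(b for b in content if b not in strip_set)


if __name__ == "__main__":
    # Constructed sample: a message carrying a NUL byte and a bare CR.
    sample = b"Subject: test\r\n\r\nhello\x00world\rend\r\n"
    reject_set = parse_character_set(r"\0")      # message_reject_characters = \0
    strip_set = parse_character_set(r"\0\r")     # message_strip_characters = \0\r
    print("reject:", rejects_content(sample, reject_set))
    print("stripped:", strip_content(sample, strip_set))
```

       Note that the parser stops an octal escape after three digits, so a
       value such as \0001 denotes NUL followed by the character "1"; this is
       the kind of detail that is easy to get wrong when writing these
       settings by hand.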

meta_directory (default: see 'postconf -d' output)

       The location of non-executable files that are shared among multiple
       Postfix instances, such as postfix-files, dynamicmaps.cf, and the
       multi-instance template files main.cf.proto and master.cf.proto. This
       directory should contain only Postfix-related files. Typically, the
       meta_directory parameter has the same default as the config_directory
       parameter (/etc/postfix or /usr/local/etc/postfix).

       For backwards compatibility with Postfix versions 2.6..2.11, specify
       "meta_directory = $daemon_directory" in main.cf before installing or
       upgrading Postfix, or specify "meta_directory = /path/name" on the
       "make makefiles", "make install" or "make upgrade" command line.

       This feature is available in Postfix 3.0 and later.


milter_command_timeout (default: 30s)

       The time limit for sending an SMTP command to a Milter (mail filter)
       application, and for receiving the response.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.3 and later.


milter_connect_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after
       completion of an SMTP connection. See MILTER_README for a list of
       available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_connect_timeout (default: 30s)

       The time limit for connecting to a Milter (mail filter) application,
       and for negotiating protocol options.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.3 and later.


milter_content_timeout (default: 300s)

       The time limit for sending message content to a Milter (mail filter)
       application, and for receiving the response.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.3 and later.


milter_data_macros (default: see postconf -d output)

       The macros that are sent to version 4 or higher Milter (mail filter)
       applications after the SMTP DATA command. See MILTER_README for a list
       of available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_default_action (default: tempfail)

       The default action when a Milter (mail filter) response is unavailable
       (for example, bad Postfix configuration or Milter failure). Specify one
       of the following:

       accept Proceed as if the mail filter was not present.

       reject Reject all further commands in this session with a permanent
              status code.

       tempfail
              Reject all further commands in this session with a temporary
              status code.

       quarantine
              Like "accept", but freeze the message in the "hold" queue.
              Available with Postfix 2.6 and later.

       This feature is available in Postfix 2.3 and later.


milter_end_of_data_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       message end-of-data. See MILTER_README for a list of available macro
       names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_end_of_header_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       end of the message header. See MILTER_README for a list of available
       macro names and their meanings.

       This feature is available in Postfix 2.5 and later.


milter_header_checks (default: empty)

       Optional lookup tables for content inspection of message headers that
       are produced by Milter applications. See the header_checks(5) manual
       page for available actions. Currently, PREPEND is not implemented.

       The following example sends all mail that is marked as SPAM to a spam
       handling machine. Note that matches are case-insensitive by default.

       /etc/postfix/main.cf:
           milter_header_checks = pcre:/etc/postfix/milter_header_checks

       /etc/postfix/milter_header_checks:
           /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25

       The milter_header_checks mechanism could also be used for whitelisting.
       For example, it could be used to skip heavy content inspection for
       DKIM-signed mail from known friendly domains.

       This feature is available in Postfix 2.7, and as an optional patch for
       Postfix 2.6.


milter_helo_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       SMTP HELO or EHLO command. See MILTER_README for a list of available
       macro names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_macro_daemon_name (default: $myhostname)

       The {daemon_name} macro value for Milter (mail filter) applications.
       See MILTER_README for a list of available macro names and their
       meanings.

       This feature is available in Postfix 2.3 and later.


milter_macro_defaults (default: empty)

       Optional list of name=value pairs that specify default values for
       arbitrary macros that Postfix may send to Milter applications. These
       defaults are used when there is no corresponding information from the
       message delivery context.

       Specify name=value or {name}=value pairs separated by comma or
       whitespace. Enclose a pair in "{}" when a value contains comma or
       whitespace (this form ignores whitespace after the enclosing "{",
       around the "=", and before the enclosing "}").

       This feature is available in Postfix 3.1 and later.

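       The three pair forms above (name=value, {name}=value, and a pair
       enclosed in "{}") interact in ways that are easy to misread, so here is
       an added example parser, not Postfix's own code, that implements the
       syntax exactly as the paragraph describes it. Normalizing "{daemon_name}"
       and "daemon_name" to the same dictionary key is a choice made for this
       example, not something the text specifies; the sample value is
       constructed.

```python
"""Added example (not Postfix's own code): parse a milter_macro_defaults value
into a mapping of macro name to default value, following the syntax in the
parameter description (name=value or {name}=value pairs separated by comma or
whitespace; a pair may be enclosed in "{}" when the value contains comma or
whitespace, and that form ignores whitespace after "{", around "=", and
before "}")."""

SEPARATORS = " \t\r\n,"


def _matching_brace(text: str, start: int) -> int:
    """Index of the "}" that closes the "{" at text[start]."""
    depth = 0
    for j in range(start, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced '{' in milter_macro_defaults")


def _bare_name(name: str) -> str:
    """Normalize "{daemon_name}" and "daemon_name" to the same key (a choice
    made by this example; Milter writes multi-letter macro names in braces)."""
    name = name.strip()
    if name.startswith("{") and name.endswith("}"):
        name = name[1:-1].strip()
    if not name:
        raise ValueError("empty macro name in milter_macro_defaults")
    return name


def parse_macro_defaults(value: str) -> dict:
    """Return {macro_name: default_value} for a milter_macro_defaults value."""
    pairs = {}
    i, n = 0, len(value)
    while i < n:
        if value[i] in SEPARATORS:
            i += 1
            continue
        if value[i] == "{":
            close = _matching_brace(value, i)
            inner = value[i + 1:close]
            if "=" in inner:
                # Enclosed pair "{ name = value }": whitespace next to the
                # braces and around "=" is ignored, whitespace and commas
                # inside the value are kept.
                name, _, val = inner.partition("=")
                pairs[_bare_name(name)] = val.strip()
                i = close + 1
                continue
            # "{name}=value": the braces belong to the macro name and the
            # value runs up to the next comma or whitespace.
            if close + 1 >= n or value[close + 1] != "=":
                raise ValueError(f"expected '=' after {{{inner}}}")
            j = close + 2
            while j < n and value[j] not in SEPARATORS:
                j += 1
            pairs[_bare_name(inner)] = value[close + 2:j]
            i = j
            continue
        # Plain "name=value" token.
        j = i
        while j < n and value[j] not in SEPARATORS:
            j += 1
        name, eq, val = value[i:j].partition("=")
        if not eq:
            raise ValueError(f"missing '=' in {value[i:j]!r}")
        pairs[_bare_name(name)] = val
        i = j
    return pairs


if __name__ == "__main__":
    # Constructed sample value covering all three forms.
    sample = "{daemon_name}=postfix, { j = mail.example.com }, auth_type=none"
    print(parse_macro_defaults(sample))
```

       The brace matching is depth-aware so that a pair such as
       "{ {daemon_name} = My Postfix }" is read as one enclosed pair rather
       than as "{daemon_name}" followed by a stray "=".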

milter_macro_v (default: $mail_name $mail_version)

       The {v} macro value for Milter (mail filter) applications. See
       MILTER_README for a list of available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_mail_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       SMTP MAIL FROM command. See MILTER_README for a list of available macro
       names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_protocol (default: 6)

       The mail filter protocol version and optional protocol extensions for
       communication with a Milter application; prior to Postfix 2.6 the
       default protocol was 2. Postfix sends this version number during the
       initial protocol handshake. It should match the version number that is
       expected by the mail filter application (or by its Milter library).

       Protocol versions:

       2      Use Sendmail 8 mail filter protocol version 2 (default with
              Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).

       3      Use Sendmail 8 mail filter protocol version 3.

       4      Use Sendmail 8 mail filter protocol version 4.

       6      Use Sendmail 8 mail filter protocol version 6 (default with
              Sendmail version 8.14 and Postfix version 2.6).

       Protocol extensions:

       no_header_reply
              Specify this when the Milter application will not reply for each
              individual message header.

       This feature is available in Postfix 2.3 and later.


milter_rcpt_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       SMTP RCPT TO command. See MILTER_README for a list of available macro
       names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_unknown_command_macros (default: see postconf -d output)

       The macros that are sent to version 3 or higher Milter (mail filter)
       applications after an unknown SMTP command. See MILTER_README for a
       list of available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.


mime_boundary_length_limit (default: 2048)

       The maximal length of MIME multipart boundary strings. The MIME
       processor is unable to distinguish between boundary strings that do not
       differ in the first $mime_boundary_length_limit characters.

       This feature is available in Postfix 2.0 and later.


mime_header_checks (default: $header_checks)

       Optional lookup tables for content inspection of MIME related message
       headers, as described in the header_checks(5) manual page.

       This feature is available in Postfix 2.0 and later.


mime_nesting_limit (default: 100)

       The maximal recursion level that the MIME processor will handle.
       Postfix refuses mail that is nested deeper than the specified limit.

       This feature is available in Postfix 2.0 and later.

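       Each multipart level costs the MIME processor state, which is what this
       limit bounds. The following added example, not Postfix's own MIME code,
       uses Python's email parser to measure the nesting depth of a message
       and compares it with a chosen limit, so an operator can see at what
       depth a sample message would be refused. The message builder and the
       function names are constructed for this example; Postfix's own depth
       counting may differ in detail from the parser used here.

```python
"""Added example (not Postfix's own code): measure how deeply a message nests
multipart containers, which is the quantity mime_nesting_limit bounds."""

import email
from email import policy


def mime_nesting_depth(msg) -> int:
    """0 for a non-multipart message; otherwise 1 plus the deepest sub-part."""
    if not msg.is_multipart():
        return 0
    return 1 + max((mime_nesting_depth(part) for part in msg.iter_parts()),
                   default=0)


def nesting_depth_of(raw: str) -> int:
    """Parse raw RFC 5322 text and return its multipart nesting depth."""
    msg = email.message_from_string(raw, policy=policy.default)
    return mime_nesting_depth(msg)


def exceeds_nesting_limit(raw: str, limit: int) -> bool:
    """True when the message is nested deeper than mime_nesting_limit = limit."""
    return nesting_depth_of(raw) > limit


def build_nested_message(depth: int) -> str:
    """Constructed sample: one text part wrapped in `depth` multipart/mixed
    layers, each with its own boundary string."""
    part = "Content-Type: text/plain\r\n\r\nhello\r\n"
    for level in range(depth):
        boundary = f"boundary{level}"
        part = (f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n\r\n'
                f"--{boundary}\r\n{part}--{boundary}--\r\n")
    return "From: sender@example.com\r\nSubject: nesting sample\r\n" + part


if __name__ == "__main__":
    # Constructed sample: a message nested three levels deep, checked against
    # a deliberately low limit and against the default of 100.
    sample = build_nested_message(3)
    print("depth:", nesting_depth_of(sample))
    print("refused at limit 2:", exceeds_nesting_limit(sample, 2))
    print("refused at limit 100:", exceeds_nesting_limit(sample, 100))
```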

minimal_backoff_time (default: 300s)

       The minimal time between attempts to deliver a deferred message; prior
       to Postfix 2.4 the default value was 1000s.

       This parameter also limits the time an unreachable destination is kept
       in the short-term, in-memory, destination status cache.

       This parameter should be set greater than or equal to $queue_run_delay.
       See also $maximal_backoff_time.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


multi_instance_directories (default: empty)

       An optional list of non-default Postfix configuration directories;
       these directories belong to additional Postfix instances that share the
       Postfix executable files and documentation with the default Postfix
       instance, and that are started, stopped, etc., together with the
       default Postfix instance. Specify a list of pathnames separated by
       comma or whitespace.

       When $multi_instance_directories is empty, the postfix(1) command runs
       in single-instance mode and operates on a single Postfix instance only.
       Otherwise, the postfix(1) command runs in multi-instance mode and
       invokes the multi-instance manager specified with the
       multi_instance_wrapper parameter. The multi-instance manager in turn
       executes postfix(1) commands for the default instance and for all
       Postfix instances in $multi_instance_directories.

       Currently, this parameter setting is ignored except for the default
       main.cf file.

       This feature is available in Postfix 2.6 and later.


multi_instance_enable (default: no)

       Allow this Postfix instance to be started, stopped, etc., by a
       multi-instance manager. By default, new instances are created in a
       safe state that prevents them from being started inadvertently. This
       parameter is reserved for the multi-instance manager.

       This feature is available in Postfix 2.6 and later.


multi_instance_group (default: empty)

       The optional instance group name of this Postfix instance. A group
       identifies closely-related Postfix instances that the multi-instance
       manager can start, stop, etc., as a unit. This parameter is reserved
       for the multi-instance manager.

       This feature is available in Postfix 2.6 and later.


multi_instance_name (default: empty)

       The optional instance name of this Postfix instance. This name also
       becomes the default value for the syslog_name parameter.

       This feature is available in Postfix 2.6 and later.


multi_instance_wrapper (default: empty)

       The pathname of a multi-instance manager command that the postfix(1)
       command invokes when the multi_instance_directories parameter value is
       non-empty. The pathname may be followed by initial command arguments
       separated by whitespace; shell metacharacters such as quotes are not
       supported in this context.

       The postfix(1) command invokes the manager command with the postfix(1)
       non-option command arguments on the manager command line, and with all
       installation configuration parameters exported into the manager command
       process environment. The manager command in turn invokes the postfix(1)
       command for individual Postfix instances as "postfix -c config_directory
       command".

       This feature is available in Postfix 2.6 and later.


multi_recipient_bounce_reject_code (default: 550)

       The numerical Postfix SMTP server response code when a remote SMTP
       client request is blocked by the reject_multi_recipient_bounce
       restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.1 and later.


mydestination (default: $myhostname, localhost.$mydomain, localhost)

       The list of domains that are delivered via the $local_transport mail
       delivery transport. By default this is the Postfix local(8) delivery
       agent which looks up all recipients in /etc/passwd and /etc/aliases.
       The SMTP server validates recipient addresses with $local_recipient_maps
       and rejects non-existent recipients. See also the local domain class in
       the ADDRESS_CLASS_README file.

       The default mydestination value specifies names for the local machine
       only. On a mail domain gateway, you should also include $mydomain.

       The $local_transport delivery method is also selected for mail
       addressed to user@[the.net.work.address] of the mail system (the IP
       addresses specified with the inet_interfaces and proxy_interfaces
       parameters).

       Warnings:

       ·      Do not specify the names of virtual domains - those domains are
              specified elsewhere. See VIRTUAL_README for more information.

       ·      Do not specify the names of domains for which this machine is a
              backup MX host. See STANDARD_CONFIGURATION_README for how to set
              up backup MX hosts.

       ·      By default, the Postfix SMTP server rejects mail for recipients
              not listed with the local_recipient_maps parameter. See the
              postconf(5) manual for a description of the local_recipient_maps
              and unknown_local_recipient_reject_code parameters.

       Specify a list of host or domain names, "/file/name" or "type:table"
       patterns, separated by commas and/or whitespace. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace.

       Examples:

       mydestination = $myhostname, localhost.$mydomain $mydomain
       mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain


mydomain (default: see postconf -d output)

       The internet domain name of this mail system. The default is to use
       $myhostname minus the first component, or "localdomain" (Postfix 2.3
       and later). $mydomain is used as a default value for many other
       configuration parameters.

       Example:

       mydomain = domain.tld


myhostname (default: see postconf -d output)

       The internet hostname of this mail system. The default is to use the
       fully-qualified domain name (FQDN) from gethostname(), or to use the
       non-FQDN result from gethostname() and append ".$mydomain". $myhostname
       is used as a default value for many other configuration parameters.

       Example:

       myhostname = host.example.com


mynetworks (default: see postconf -d output)

       The list of "trusted" remote SMTP clients that have more privileges
       than "strangers".

       In particular, "trusted" SMTP clients are allowed to relay mail through
       Postfix. See the smtpd_relay_restrictions parameter description in the
       postconf(5) manual.

       You can specify the list of "trusted" network addresses by hand or you
       can let Postfix do it for you (which is the default). See the
       description of the mynetworks_style parameter for more information.

       If you specify the mynetworks list by hand, Postfix ignores the
       mynetworks_style setting.

       Specify a list of network addresses or network/netmask patterns,
       separated by commas and/or whitespace. Continue long lines by starting
       the next line with whitespace.

       The netmask specifies the number of bits in the network part of a host
       address. You can also specify "/file/name" or "type:table" patterns.
       A "/file/name" pattern is replaced by its contents; a "type:table"
       lookup table is matched when a table entry matches a lookup string (the
       lookup result is ignored).

       The list is matched left to right, and the search stops on the first
       match. Specify "!pattern" to exclude an address or network block from
       the list. The form "!/file/name" is supported only in Postfix version
       2.4 and later.

       Note 1: Pattern matching of domain names is controlled by the presence
       or absence of "mynetworks" in the parent_domain_matches_subdomains
       parameter value.

       Note 2: IP version 6 address information must be specified inside [] in
       the mynetworks value, and in files specified with "/file/name". IP
       version 6 addresses contain the ":" character, and would otherwise be
       confused with a "type:table" pattern.

       Examples:

       mynetworks = 127.0.0.0/8 168.100.189.0/28
       mynetworks = !192.168.0.1, 192.168.0.0/28
       mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
       mynetworks = $config_directory/mynetworks
       mynetworks = hash:/etc/postfix/network_table

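       Because mynetworks decides who may relay, the matching rules above
       (left to right, first match wins, "!" exclusion, IPv6 inside [],
       "/file/name" expansion) are worth exercising on sample input before
       trusting a hand-written list. The following is an added example and not
       Postfix's own match_list code: it handles address and network/netmask
       patterns and file expansion through a caller-supplied reader. Outside
       its scope are "type:table" lookups, hostname patterns (Note 1) and
       $parameter expansion; treating a "!" inside a file included via
       "!/file/name" as a second inversion, and skipping "#" comment lines in
       such a file, are assumptions of this example.

```python
"""Added example (not Postfix's own code): evaluate a client address against
a mynetworks value: patterns are tried left to right, the first match
decides, a "!" pattern excludes, IPv6 is written inside [], and "/file/name"
is replaced by the file's contents. "type:table" lookups are not handled."""

import ipaddress
from typing import Callable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[bool, Network]          # (excluded, network)


def _read_file(path: str) -> str:
    with open(path, encoding="ascii") as fh:
        return fh.read()


def _parse_network(token: str) -> Network:
    """Turn "10.0.0.0/8", "192.168.0.1" or "[2001:db8::]/64" into a network."""
    if token.startswith("["):
        close = token.find("]")
        if close < 0:
            raise ValueError(f"missing ']' in {token!r}")
        # "[addr]/prefix": drop the brackets that keep ":" from looking like
        # a "type:table" pattern.
        token = token[1:close] + token[close + 1:]
    elif ":" in token:
        raise ValueError(f"type:table pattern {token!r} is not supported here")
    # A bare address becomes a single-host network (/32 or /128).
    return ipaddress.ip_network(token, strict=False)


def parse_mynetworks(value: str,
                     read_file: Callable[[str], str] = _read_file) -> List[Entry]:
    """Ordered list of (excluded, network) entries for a mynetworks value."""
    entries: List[Entry] = []
    for token in value.replace(",", " ").split():
        excluded = token.startswith("!")
        if excluded:
            token = token[1:]
        if token.startswith("/"):
            # "/file/name" is replaced by its contents (same syntax). With
            # "!/file/name" (Postfix 2.4 and later) this example inverts the
            # sense of every pattern in the file; "#" lines are skipped
            # (both are assumptions of this example).
            text = "\n".join(line for line in read_file(token).splitlines()
                             if not line.lstrip().startswith("#"))
            for nested_excluded, net in parse_mynetworks(text, read_file):
                entries.append((excluded != nested_excluded, net))
        else:
            entries.append((excluded, _parse_network(token)))
    return entries


def client_is_trusted(client_ip: str, entries: List[Entry]) -> bool:
    """First matching entry decides; an excluded match means "not trusted"."""
    addr = ipaddress.ip_address(client_ip)
    for excluded, net in entries:
        if addr.version == net.version and addr in net:
            return not excluded
    return False


if __name__ == "__main__":
    # Constructed sample taken from the Examples above, plus a file pattern
    # served from an in-memory dict instead of /etc/postfix.
    files = {"/etc/postfix/mynetworks": "10.0.0.0/8\n# lab subnet\n10.1.0.0/16\n"}
    nets = parse_mynetworks("!192.168.0.1, 192.168.0.0/28 [::1]/128 "
                            "/etc/postfix/mynetworks", read_file=files.__getitem__)
    for ip in ("192.168.0.1", "192.168.0.2", "::1", "10.9.8.7", "203.0.113.5"):
        print(ip, "trusted" if client_is_trusted(ip, nets) else "not trusted")
```

       The order test in the usage shows why the exclusion must precede the
       block it carves out of: "192.168.0.0/28, !192.168.0.1" would still trust
       192.168.0.1, because the /28 matches first and the search stops there.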

mynetworks_style (default: Postfix >= 3.0: host, Postfix < 3.0: subnet)

       The method to generate the default value for the mynetworks parameter.
       This is the list of trusted networks for relay access control etc.

       ·      Specify "mynetworks_style = host" when Postfix should "trust"
              only the local machine.

       ·      Specify "mynetworks_style = subnet" when Postfix should "trust"
              remote SMTP clients in the same IP subnetworks as the local
              machine. On Linux, this works correctly only with interfaces
              specified with the "ifconfig" command.

       ·      Specify "mynetworks_style = class" when Postfix should "trust"
              remote SMTP clients in the same IP class A/B/C networks as the
              local machine. Caution: this may cause Postfix to "trust" your
              entire provider's network. Instead, specify an explicit
              mynetworks list by hand, as described with the mynetworks
              configuration parameter.


myorigin (default: $myhostname)

       The domain name that locally-posted mail appears to come from, and that
       locally posted mail is delivered to. The default, $myhostname, is
       adequate for small sites. If you run a domain with multiple machines,
       you should (1) change this to $mydomain and (2) set up a domain-wide
       alias database that aliases each user to user@that.users.mailhost.

       Example:

       myorigin = $mydomain


nested_header_checks (default: $header_checks)

       Optional lookup tables for content inspection of non-MIME message
       headers in attached messages, as described in the header_checks(5)
       manual page.

       This feature is available in Postfix 2.0 and later.


newaliases_path (default: see postconf -d output)

       Sendmail compatibility feature that specifies the location of the
       newaliases(1) command. This command can be used to rebuild the local(8)
       aliases(5) database.


non_fqdn_reject_code (default: 504)

       The numerical Postfix SMTP server reply code when a client request is
       rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
       or reject_non_fqdn_recipient restriction.


non_smtpd_milters (default: empty)

       A list of Milter (mail filter) applications for new mail that does not
       arrive via the Postfix smtpd(8) server. This includes local submission
       via the sendmail(1) command line, new mail that arrives via the Postfix
       qmqpd(8) server, and old mail that is re-injected into the queue with
       "postsuper -r". Specify space or comma as separator. See the
       MILTER_README document for details.

       This feature is available in Postfix 2.3 and later.


notify_classes (default: resource, software)

       The list of error classes that are reported to the postmaster. The
       default is to report only the most serious problems. The paranoid may
       wish to turn on the policy (UCE and mail relaying) and protocol error
       (broken mail software) reports.

       NOTE: postmaster notifications may contain confidential information
       such as SASL passwords or message content. It is the system
       administrator's responsibility to treat such information with care.

       The error classes are:

       bounce (also implies 2bounce)
              Send the postmaster copies of the headers of bounced mail, and
              send transcripts of SMTP sessions when Postfix rejects mail. The
              notification is sent to the address specified with the
              bounce_notice_recipient configuration parameter (default:
              postmaster).

       2bounce
              Send undeliverable bounced mail to the postmaster. The
              notification is sent to the address specified with the
              2bounce_notice_recipient configuration parameter (default:
              postmaster).

       data   Send the postmaster a transcript of the SMTP session with an
              error because a critical data file was unavailable. The
              notification is sent to the address specified with the
              error_notice_recipient configuration parameter (default:
              postmaster).
              This feature is available in Postfix 2.9 and later.

       delay  Send the postmaster copies of the headers of delayed mail (see
              delay_warning_time). The notification is sent to the address
              specified with the delay_notice_recipient configuration
              parameter (default: postmaster).

       policy Send the postmaster a transcript of the SMTP session when a
              client request was rejected because of (UCE) policy. The
              notification is sent to the address specified with the
              error_notice_recipient configuration parameter (default:
              postmaster).

       protocol
              Send the postmaster a transcript of the SMTP session in case of
              client or server protocol errors. The notification is sent to
              the address specified with the error_notice_recipient
              configuration parameter (default: postmaster).

       resource
              Inform the postmaster of mail not delivered due to resource
              problems. The notification is sent to the address specified
              with the error_notice_recipient configuration parameter
              (default: postmaster).

       software
              Inform the postmaster of mail not delivered due to software
              problems. The notification is sent to the address specified
              with the error_notice_recipient configuration parameter
              (default: postmaster).

       Examples:

       notify_classes = bounce, delay, policy, protocol, resource, software
       notify_classes = 2bounce, resource, software


nullmx_reject_code (default: 556)

       The numerical reply code when the Postfix SMTP server rejects a sender
       or recipient address because its domain has a nullmx DNS record (an MX
       record with an empty hostname). This is one of the possible replies
       from the restrictions reject_unknown_sender_domain and
       reject_unknown_recipient_domain.

       This feature is available in Postfix 3.0 and later.


openssl_path (default: openssl)

       The location of the OpenSSL command line program openssl(1). This is
       used by the "postfix tls" command to create private keys, certificate
       signing requests, self-signed certificates, and to compute public key
       digests for DANE TLSA records. In multi-instance environments, this
       parameter is always determined from the configuration of the default
       Postfix instance.

       Example:

           /etc/postfix/main.cf:
               # NetBSD pkgsrc:
               openssl_path = /usr/pkg/bin/openssl
               # Local build:
               openssl_path = /usr/local/bin/openssl

       This feature is available in Postfix 3.1 and later.


owner_request_special (default: yes)

       Enable special treatment for owner-listname entries in the aliases(5)
       file, and don't split owner-listname and listname-request address
       localparts when the recipient_delimiter is set to "-". This feature is
       useful for mailing lists.


parent_domain_matches_subdomains (default: see postconf -d output)

       A list of Postfix features where the pattern "example.com" also matches
       subdomains of example.com, instead of requiring an explicit
       ".example.com" pattern. This is planned backwards compatibility:
       eventually, all Postfix features are expected to require explicit
       ".example.com" style patterns when you really want to match subdomains.

       The following Postfix feature names are supported.

       Postfix version 1.0 and later
              debug_peer_list, fast_flush_domains, mynetworks,
              permit_mx_backup_networks, relay_domains, transport_maps

       Postfix version 1.1 and later
              qmqpd_authorized_clients, smtpd_access_maps

       Postfix version 2.8 and later
              postscreen_access_list

       Postfix version 3.0 and later
              smtpd_client_event_limit_exceptions

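       Whether a feature is listed here changes how far a domain pattern
       reaches, which matters for access-control features such as
       relay_domains and permit_mx_backup_networks. The following added
       example, not Postfix's own match code, shows the two behaviours side by
       side and looks a feature name up in a parent_domain_matches_subdomains
       value to decide which one applies. Treating an explicit ".example.com"
       pattern as matching subdomains only, and not example.com itself, is this
       example's reading of the text; the function names and sample values are
       constructed.

```python
"""Added example (not Postfix's own code): match a domain name against a
pattern with and without the parent_domain_matches_subdomains compatibility
behaviour, and decide per feature which behaviour applies."""


def _parse_list(value: str) -> set:
    """Postfix list values are separated by comma and/or whitespace."""
    return set(value.replace(",", " ").split())


def domain_matches(pattern: str, name: str,
                   parent_matches_subdomains: bool) -> bool:
    """True when `pattern` ("example.com" or ".example.com") matches `name`.

    With parent_matches_subdomains=False, "example.com" matches only itself
    and subdomains need the explicit ".example.com" form; with True,
    "example.com" covers its subdomains as well (the compatibility behaviour).
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("."):
        # Explicit form: any subdomain of example.com, not example.com itself
        # (this example's reading of the description).
        return name.endswith(pattern)
    if name == pattern:
        return True
    return parent_matches_subdomains and name.endswith("." + pattern)


def feature_matches(feature: str, patterns, name: str,
                    parent_domain_matches_subdomains: str) -> bool:
    """Apply `patterns` on behalf of `feature` (e.g. "relay_domains"),
    honouring whether that feature is listed in the parameter value."""
    compat = feature in _parse_list(parent_domain_matches_subdomains)
    return any(domain_matches(p, name, compat) for p in patterns)


if __name__ == "__main__":
    # Constructed sample: relay_domains is listed, smtpd_access_maps is not,
    # so the same pattern list reaches different hosts for each feature.
    setting = "debug_peer_list, fast_flush_domains, mynetworks, relay_domains"
    for feature in ("relay_domains", "smtpd_access_maps"):
        hit = feature_matches(feature, ["example.com"], "mail.example.com", setting)
        print(f"{feature}: example.com matches mail.example.com -> {hit}")
```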

permit_mx_backup_networks (default: empty)

       Restrict the use of the permit_mx_backup SMTP access feature to only
       domains whose primary MX hosts match the listed networks. The parameter
       value syntax is the same as with the mynetworks parameter; note,
       however, that the default value is empty.

       Pattern matching of domain names is controlled by the presence or
       absence of "permit_mx_backup_networks" in the
       parent_domain_matches_subdomains parameter value.


pickup_service_name (default: pickup)

       The name of the pickup(8) service. This service picks up local mail
       submissions from the Postfix maildrop queue.

       This feature is available in Postfix 2.0 and later.


pipe_delivery_status_filter (default: $default_delivery_status_filter)

       Optional filter for the pipe(8) delivery agent to change the delivery
       status code or explanatory text of successful or unsuccessful
       deliveries. See default_delivery_status_filter for details.

       This feature is available in Postfix 3.0 and later.


plaintext_reject_code (default: 450)

       The numerical Postfix SMTP server response code when a request is
       rejected by the reject_plaintext_session restriction.

       This feature is available in Postfix 2.3 and later.


postlog_service_name (default: postlog)

       The name of the postlogd(8) service entry in master.cf. This service
       appends logfile records to the file specified with the maillog_file
       parameter.

       This feature is available in Postfix 3.4 and later.


postlogd_watchdog_timeout (default: 10s)

4596       How  much  time  a  postlogd(8)  process  may take to process a request
4597       before it is terminated by a built-in watchdog timer. This is a  safety
4598       mechanism that prevents postlogd(8) from becoming non-responsive due to
4599       a bug in Postfix itself or in system software. This limit cannot be set
4600       under 10s.
4601
4602       Specify  a  non-zero  time  value  (an  integral value plus an optional
4603       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4604       onds), m (minutes), h (hours), d (days), w (weeks).
4605
4606       This feature is available in Postfix 3.4 and later.
4607

postmulti_control_commands (default: reload flush)

4609       The  postfix(1)  commands that the postmulti(1) instance manager treats
4610       as "control" commands, that operate on  running  instances.  For  these
4611       commands, disabled instances are skipped.
4612
4613       This feature is available in Postfix 2.6 and later.
4614

postmulti_start_commands (default: start)

4616       The  postfix(1)  commands that the postmulti(1) instance manager treats
4617       as  "start"  commands.  For  these  commands,  disabled  instances  are
4618       "checked"  rather  than  "started",  and  failure  to  "start" a member
4619       instance of  an  instance  group  will  abort  the  start-up  of  later
4620       instances.
4621
4622       This feature is available in Postfix 2.6 and later.
4623

postmulti_stop_commands (default: see postconf -d output)

4625       The  postfix(1)  commands that the postmulti(1) instance manager treats
4626       as "stop" commands. For these commands, disabled instances are skipped,
4627       and enabled instances are processed in reverse order.
4628
4629       This feature is available in Postfix 2.6 and later.
4630

postscreen_access_list (default: permit_mynetworks)

4632       Permanent   white/blacklist   for  remote  SMTP  client  IP  addresses.
4633       postscreen(8) searches this list immediately after a remote SMTP client
4634       connects.   Specify  a  comma- or whitespace-separated list of commands
4635       (in upper or lower case) or lookup tables. The search  stops  upon  the
4636       first command that fires for the client IP address.
4637
4638        permit_mynetworks
4639              Whitelist  the  client and terminate the search if the client IP
4640              address matches $mynetworks.  Do not subject the client  to  any
4641              before/after  220  greeting  tests.  Pass the connection immedi‐
4642              ately to a Postfix SMTP server process.
4643              Pattern matching of domain names is controlled by  the  presence
4644              or    absence    of   "postscreen_access_list"   in   the   par‐
4645              ent_domain_matches_subdomains parameter value.
4646
4647        type:table
4648              Query the specified lookup table. Each table lookup result is an
4649              access  list,  except  that  access  lists inside a table cannot
4650              specify type:table entries.
4651              To discourage the use of hash, btree, etc. tables, there  is  no
4652              support  for  substring  matching like smtpd(8). Use CIDR tables
4653              instead.
4654
4655        permit
4656              Whitelist the client and terminate the search.  Do  not  subject
4657              the client to any before/after 220 greeting tests. Pass the con‐
4658              nection immediately to a Postfix SMTP server process.
4659
4660        reject
4661              Blacklist the client  and  terminate  the  search.  Subject  the
4662              client  to  the  action  configured  with  the postscreen_black‐
4663              list_action configuration parameter.
4664
4665        dunno All postscreen(8) access lists implicitly have this  command  at
4666              the end.
4667              When   dunno  is executed inside a lookup table, return from the
4668              lookup table and evaluate the next command.
4669              When  dunno  is executed outside a lookup table,  terminate  the
4670              search,  and  subject  the client to the configured before/after
4671              220 greeting tests.
4672
4673       Example:
4674
4675       /etc/postfix/main.cf:
4676           postscreen_access_list = permit_mynetworks,
4677               cidr:/etc/postfix/postscreen_access.cidr
4678           postscreen_blacklist_action = enforce
4679
4680       /etc/postfix/postscreen_access.cidr:
4681           # Rules are evaluated in the order as specified.
4682           # Blacklist 192.168.* except 192.168.0.1.
4683           192.168.0.1         dunno
4684           192.168.0.0/16      reject
4685
4686       This feature is available in Postfix 2.8.
4687
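       The  following  is  an added example, not Postfix code: it simulates
       how postscreen(8) walks the postscreen_access_list  described  above,
       including  the  different  meaning  of  dunno inside and outside of a
       lookup table. The cidr: table mirrors the  manual's  example;  the
       $mynetworks value and the client addresses are constructed.

```python
"""Added example (not Postfix code): simulate how postscreen(8) walks a
postscreen_access_list, including the dunno semantics inside and outside
a cidr: table.  Table contents and $mynetworks below are constructed."""
import ipaddress

# Constructed cidr: table, mirroring the manual's example: rules are tried
# in file order, so the /32 exemption must precede the /16 reject.
POSTSCREEN_ACCESS_CIDR = """
# Rules are evaluated in the order as specified.
# Blacklist 192.168.* except 192.168.0.1.
192.168.0.1         dunno
192.168.0.0/16      reject
"""

MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]          # assumed $mynetworks
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"


def parse_cidr_table(text):
    """Parse a cidr: table into an ordered list of (network, access-list)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return rules


def cidr_lookup(rules, addr):
    """First matching rule wins; None when nothing matches."""
    for net, result in rules:
        if addr in net:
            return result
    return None


def evaluate(access_list, addr, tables, mynetworks, inside_table=False):
    """Return 'permit', 'reject' or 'dunno' for one access list.

    A 'dunno' returned from a table sends the caller on to its next command;
    a 'dunno' at the top level ends the search (the client then gets the
    configured before/after-220 tests).  Every list has an implicit dunno
    at its end.
    """
    for cmd in access_list.replace(",", " ").split():
        lower = cmd.lower()
        if lower == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(n) for n in mynetworks):
                return "permit"
        elif lower in ("permit", "reject", "dunno"):
            return lower
        elif ":" in cmd:                      # type:table lookup
            if inside_table:
                raise ValueError("type:table entries are not allowed inside a table")
            result = cidr_lookup(tables[cmd], addr)
            if result is not None:
                verdict = evaluate(result, addr, tables, mynetworks, inside_table=True)
                if verdict != "dunno":
                    return verdict
        else:
            raise ValueError("unknown access list command: %s" % cmd)
    return "dunno"


TABLES = {"cidr:/etc/postfix/postscreen_access.cidr": parse_cidr_table(POSTSCREEN_ACCESS_CIDR)}


def decide(client_ip, access_list=ACCESS_LIST, tables=TABLES, mynetworks=MYNETWORKS):
    """Map a connecting client IP to postscreen's access-list verdict."""
    return evaluate(access_list, ipaddress.ip_address(client_ip), tables, mynetworks)


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.0.1", "192.168.5.5", "203.0.113.9"):
        print(ip, "->", decide(ip))
```

       A  "dunno" verdict from decide() is the case where postscreen(8) goes
       on to the before/after 220 greeting tests; note  that  192.168.0.1  is
       exempted  only  because  its  /32  rule  precedes  the  /16 reject.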

postscreen_bare_newline_action (default: ignore)

4689       The action that postscreen(8) takes when a remote SMTP client  sends  a
4690       bare  newline  character,  that  is, a newline not preceded by carriage
4691       return.  Specify one of the following:
4692
4693       ignore Ignore the failure of this test. Allow other tests to  complete.
4694              Do not repeat this test before the result from  some  other
4695              test expires. This option is useful for testing and collecting
4696              statistics without blocking mail permanently.
4697
4698       enforce
4699              Allow  other  tests to complete. Reject attempts to deliver mail
4700              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4701              mation.  Repeat this test the next time the client connects.
4702
4703       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4704              this test the next time the client connects.
4705
4706       This feature is available in Postfix 2.8.
4707

postscreen_bare_newline_enable (default: no)

4709       Enable "bare newline" SMTP protocol tests in the postscreen(8)  server.
4710       These  tests  are expensive: a remote SMTP client must disconnect after
4711       it passes the test, before it can talk to a real Postfix SMTP server.
4712
4713       This feature is available in Postfix 2.8.
4714

postscreen_bare_newline_ttl (default: 30d)

4716       The amount of time that postscreen(8) will use the result from  a  suc‐
4717       cessful "bare newline" SMTP protocol test. During this time, the client
4718       IP address is excluded from this test. The default is  long  because  a
4719       remote  SMTP client must disconnect after it passes the test, before it
4720       can talk to a real Postfix SMTP server.
4721
4722       Specify a non-zero time value  (an  integral  value  plus  an  optional
4723       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4724       onds), m (minutes), h (hours), d (days), w (weeks).
4725
4726       This feature is available in Postfix 2.8.
4727

postscreen_blacklist_action (default: ignore)

4729       The action that postscreen(8) takes when a remote SMTP client is perma‐
4730       nently  blacklisted with the postscreen_access_list parameter.  Specify
4731       one of the following:
4732
4733       ignore (default)
4734              Ignore  this result. Allow other tests to complete.  Repeat this
4735              test  the  next time the client connects.  This option is useful
4736              for testing and collecting statistics without blocking mail.
4737
4738       enforce
4739              Allow other tests to complete. Reject attempts to  deliver  mail
4740              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
4741              mation.  Repeat this test the next time the client connects.
4742
4743       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
4744              this test the next time the client connects.
4745
4746       This feature is available in Postfix 2.8.
4747

postscreen_cache_cleanup_interval (default: 12h)

4749       The  amount  of  time  between postscreen(8) cache cleanup runs.  Cache
4750       cleanup increases the load on the cache database and  should  therefore
4751       not  be  run  frequently. This feature requires that the cache database
4752       supports the "delete" and "sequence" operators.  Specify a zero  inter‐
4753       val to disable cache cleanup.
4754
4755       After  each cache cleanup run, the postscreen(8) daemon logs the number
4756       of entries that were retained and dropped. A cleanup run is  logged  as
4757       "partial"  when  the  daemon  terminates  early after "postfix reload",
4758       "postfix stop", or no requests for $max_idle seconds.
4759
4760       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4761
4762       This feature is available in Postfix 2.8.
4763

postscreen_cache_map (default: btree:$data_directory/postscreen_cache)

4765       Persistent storage for the postscreen(8) server decisions.
4766
4767       To  share  a  postscreen(8)  cache   between   multiple   postscreen(8)
4768       instances,   use  "postscreen_cache_map  =  proxy:btree:/path/to/file".
4769       This requires Postfix version 2.9 or later; earlier proxymap(8)  imple‐
4770       mentations don't support cache cleanup. For an alternative approach see
4771       the memcache_table(5) manpage.
4772
4773       This feature is available in Postfix 2.8.
4774

postscreen_cache_retention_time (default: 7d)

4776       The amount of time that postscreen(8) will cache an  expired  temporary
4777       whitelist  entry before it is removed. This prevents clients from being
4778       logged as "NEW" just because their cache entry expired an hour ago.  It
4779       also  prevents  the cache from filling up with clients that passed some
4780       deep protocol test once and never came back.
4781
4782       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4783
4784       This feature is available in Postfix 2.8.
4785

postscreen_client_connection_count_limit (default: $smtpd_client_connection_count_limit)

4788       How  many simultaneous connections any remote SMTP client is allowed to
4789       have with the postscreen(8) daemon. By default, this limit is the  same
4790       as  with the Postfix SMTP server. Note that the triage process can take
4791       several seconds, with the time spent  in  postscreen_greet_wait  delay,
4792       and  with  the  time  spent talking to the postscreen(8) built-in dummy
4793       SMTP protocol engine.
4794
4795       This feature is available in Postfix 2.8.
4796

postscreen_command_count_limit (default: 20)

4798       The limit on  the  total  number  of  commands  per  SMTP  session  for
4799       postscreen(8)'s built-in SMTP protocol engine.  This SMTP engine defers
4800       or rejects all attempts to deliver mail, therefore there is no need  to
4801       enforce  separate  limits on the number of junk commands and error com‐
4802       mands.
4803
4804       This feature is available in Postfix 2.8.
4805

postscreen_command_filter (default: $smtpd_command_filter)

4807       A mechanism to  transform  commands  from  remote  SMTP  clients.   See
4808       smtpd_command_filter for further details.
4809
4810       This feature is available in Postfix 2.8 and later.
4811

postscreen_command_time_limit (default: normal: 300s, overload: 10s)

4813       The  time  limit  to  read  an entire command line with postscreen(8)'s
4814       built-in SMTP protocol engine.
4815
4816       This feature is available in Postfix 2.8.
4817

postscreen_disable_vrfy_command (default: $disable_vrfy_command)

4819       Disable the SMTP VRFY command in the postscreen(8)  daemon.   See  dis‐
4820       able_vrfy_command for details.
4821
4822       This feature is available in Postfix 2.8.
4823

postscreen_discard_ehlo_keyword_address_maps (default: $smtpd_discard_ehlo_keyword_address_maps)

4826       Lookup tables, indexed by the remote SMTP  client  address,  with  case
4827       insensitive  lists  of EHLO keywords (pipelining, starttls, auth, etc.)
4828       that the postscreen(8) server will not send in the EHLO response  to  a
4829       remote  SMTP  client. See smtpd_discard_ehlo_keywords for details.  The
4830       table is not searched by hostname for robustness reasons.
4831
4832       This feature is available in Postfix 2.8 and later.
4833

postscreen_discard_ehlo_keywords (default: $smtpd_discard_ehlo_keywords)

4835       A case insensitive list of EHLO keywords (pipelining,  starttls,  auth,
4836       etc.)  that the postscreen(8) server will not send in the EHLO response
4837       to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
4838
4839       This feature is available in Postfix 2.8 and later.
4840

postscreen_dnsbl_action (default: ignore)

4842       The action that postscreen(8) takes when a remote  SMTP  client's  com‐
4843       bined  DNSBL  score is equal to or greater than a threshold (as defined
4844       with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold  parame‐
4845       ters).  Specify one of the following:
4846
4847       ignore (default)
4848              Ignore  the failure of this test. Allow other tests to complete.
4849              Repeat this test the next time the client connects.  This option
4850              is useful for testing and collecting statistics without blocking
4851              mail.
4852
4853       enforce
4854              Allow other tests to complete. Reject attempts to  deliver  mail
4855              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
4856              mation.  Repeat this test the next time the client connects.
4857
4858       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
4859              this test the next time the client connects.
4860
4861       This feature is available in Postfix 2.8.
4862

postscreen_dnsbl_max_ttl (default: ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)

4865       The maximum amount of time that postscreen(8) will use the result  from
4866       a  successful  DNS-based  reputation test before a client IP address is
4867       required to pass that test again. If the DNS reply specifies a  shorter
4868       TTL  value,  that  value  will  be used unless it would be smaller than
4869       postscreen_dnsbl_min_ttl.
4870
4871       Specify a non-zero time value  (an  integral  value  plus  an  optional
4872       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4873       onds), m (minutes), h (hours), d (days), w (weeks).
4874
4875       This feature is available in Postfix 3.1. The default setting is  back‐
4876       wards-compatible with older Postfix versions.
4877

postscreen_dnsbl_min_ttl (default: 60s)

4879       The  minimum amount of time that postscreen(8) will use the result from
4880       a successful DNS-based reputation test before a client  IP  address  is
4881       required  to  pass that test again. If the DNS reply specifies a larger
4882       TTL value, that value will be used  unless  it  would  be  larger  than
4883       postscreen_dnsbl_max_ttl.
4884
4885       Specify  a  non-zero  time  value  (an  integral value plus an optional
4886       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4887       onds), m (minutes), h (hours), d (days), w (weeks).
4888
4889       This feature is available in Postfix 3.1.
4890
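       The following is an added example, not Postfix code. It parses  the
       time-value  syntax  that the entries above repeat (an integral value
       plus an optional s/m/h/d/w suffix)  and  applies  two  bounds  stated
       in  this  manual:  the  10s floor of postlogd_watchdog_timeout and
       postscreen_watchdog_timeout, and the clamping of a DNSBL reply's  TTL
       between postscreen_dnsbl_min_ttl and postscreen_dnsbl_max_ttl. The
       default unit for an unsuffixed number is an assumption of the example.

```python
"""Added example (not Postfix code): parse the Postfix time-value syntax the
manual describes and apply the two bounds it states, the 10s watchdog floor
and the postscreen_dnsbl_min_ttl/max_ttl clamp on DNSBL reply TTLs."""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value, default_unit="s"):
    """Integral value plus optional one-letter suffix -> seconds.

    default_unit is what an unsuffixed number means; it is an assumption of
    this example (the real default unit is per parameter).
    """
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw])?\s*", value)
    if m is None:
        raise ValueError("bad time value: %r" % (value,))
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or default_unit]


def watchdog_timeout(value, floor="10s"):
    """postscreen/postlogd watchdog: must be non-zero and cannot be set
    under 10s.  This example rejects a violating value instead of raising it."""
    secs = parse_time(value)
    if secs == 0:
        raise ValueError("watchdog timeout must be non-zero")
    if secs < parse_time(floor):
        raise ValueError("watchdog timeout %s is below the %s floor" % (value, floor))
    return secs


def effective_dnsbl_ttl(dns_reply_ttl, min_ttl="60s", max_ttl="1h"):
    """TTL postscreen keeps a DNSBL result for: the DNS reply's TTL, but never
    shorter than postscreen_dnsbl_min_ttl nor longer than postscreen_dnsbl_max_ttl.
    The defaults here are the manual's (60s, and 1h when postscreen_dnsbl_ttl
    is unset)."""
    lo, hi = parse_time(min_ttl), parse_time(max_ttl)
    if lo > hi:
        raise ValueError("min_ttl exceeds max_ttl")
    return min(max(dns_reply_ttl, lo), hi)


if __name__ == "__main__":
    print(parse_time("30d"), watchdog_timeout("10s"))
    for ttl in (30, 900, 7200):
        print("dns ttl", ttl, "->", effective_dnsbl_ttl(ttl))
```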

postscreen_dnsbl_reply_map (default: empty)

4892       A  mapping  from actual DNSBL domain name which includes a secret pass‐
4893       word, to the DNSBL domain name that postscreen will reply with when  it
4894       rejects  mail.   When no mapping is found, the actual DNSBL domain will
4895       be used.
4896
4897       For maximal stability it is best to use a file that is read into memory
4898       such  as  pcre:,  regexp:  or texthash: (texthash: is similar to hash:,
4899       except a) there is no need to run postmap(1) before  the  file  can  be
4900       used, and b) texthash: does not detect changes after the file is read).
4901
4902       Example:
4903
4904       /etc/postfix/main.cf:
4905           postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
4906
4907       /etc/postfix/dnsbl_reply:
4908          secret.zen.spamhaus.org      zen.spamhaus.org
4909
4910       This feature is available in Postfix 2.8.
4911

postscreen_dnsbl_sites (default: empty)

4913       Optional  list  of DNS white/blacklist domains, filters and weight fac‐
4914       tors. When the list is non-empty,  the  dnsblog(8)  daemon  will  query
4915       these  domains  with  the  IP  addresses  of  remote  SMTP clients, and
4916       postscreen(8) will update  an  SMTP  client's  DNSBL  score  with  each
4917       non-error reply.
4918
4919       Caution: when postscreen rejects mail, it replies with the DNSBL domain
4920       name. Use the postscreen_dnsbl_reply_map  feature  to  hide  "password"
4921       information in DNSBL domain names.
4922
4923       When  a client's score is equal to or greater than the threshold speci‐
4924       fied with postscreen_dnsbl_threshold, postscreen(8) can drop  the  con‐
4925       nection with the remote SMTP client.
4926
4927       Specify  a  list of domain=filter*weight entries, separated by comma or
4928       whitespace.
4929
4930       ·      When no "=filter"  is  specified,  postscreen(8)  will  use  any
4931              non-error DNSBL reply.  Otherwise, postscreen(8) uses only DNSBL
4932              replies that match the filter. The filter has the form  d.d.d.d,
4933              where  each  d is a number, or a pattern inside [] that contains
4934              one or more ";"-separated numbers or number..number ranges.
4935
4936       ·      When no "*weight" is  specified,  postscreen(8)  increments  the
4937              remote  SMTP  client's  DNSBL score by 1.  Otherwise, the weight
4938              must be an integral number, and postscreen(8) adds the specified
4939              weight to the remote SMTP client's DNSBL score.  Specify a nega‐
4940              tive number for whitelisting.
4941
4942       ·      When one postscreen_dnsbl_sites entry  produces  multiple  DNSBL
4943              responses, postscreen(8) applies the weight at most once.
4944
4945       Examples:
4946
4947       To  use  example.com  as a high-confidence blocklist, and to block mail
4948       with example.net and example.org only when both agree:
4949
4950       postscreen_dnsbl_threshold = 2
4951       postscreen_dnsbl_sites = example.com*2, example.net, example.org
4952
4953       To filter only DNSBL replies containing 127.0.0.4:
4954
4955       postscreen_dnsbl_sites = example.com=127.0.0.4
4956
4957       This feature is available in Postfix 2.8.
4958

postscreen_dnsbl_threshold (default: 1)

4960       The inclusive lower bound for blocking a remote SMTP client,  based  on
4961       its  combined  DNSBL  score  as defined with the postscreen_dnsbl_sites
4962       parameter.
4963
4964       This feature is available in Postfix 2.8.
4965

postscreen_dnsbl_timeout (default: 10s)

4967       The time limit for DNSBL or DNSWL lookups. This is  separate  from  the
4968       timeouts   in  the  dnsblog(8)  daemon  which  are  defined  by  system
4969       resolver(3) routines.
4970
4971       This feature is available in Postfix 3.0.
4972

postscreen_dnsbl_ttl (default: 1h)

4974       The amount of time that postscreen(8) will use the result from  a  suc‐
4975       cessful  DNS-based  reputation  test  before  a  client  IP  address is
4976       required to pass that test again.
4977
4978       Specify a non-zero time value  (an  integral  value  plus  an  optional
4979       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4980       onds), m (minutes), h (hours), d (days), w (weeks).
4981
4982       This feature is available  in  Postfix  2.8-3.0.  It  was  replaced  by
4983       postscreen_dnsbl_max_ttl in Postfix 3.1.
4984

postscreen_dnsbl_whitelist_threshold (default: 0)

4986       Allow  a  remote  SMTP client to skip "before" and "after 220 greeting"
4987       protocol tests, based on its combined DNSBL score as defined  with  the
4988       postscreen_dnsbl_sites parameter.
4989
4990       Specify  a  negative value to enable this feature. When a client passes
4991       the postscreen_dnsbl_whitelist_threshold without  having  failed  other
4992       tests,  all  pending  or disabled tests are flagged as completed with a
4993       time-to-live value equal to  postscreen_dnsbl_ttl.   When  a  test  was
4994       already  completed,  its  time-to-live  value is updated if it was less
4995       than postscreen_dnsbl_ttl.
4996
4997       This feature is available in Postfix 2.11.
4998
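       The  following  is  an  added  example,  not  Postfix  code.  It
       parses postscreen_dnsbl_sites entries (domain=filter*weight), scores
       a client's DNSBL replies  with  each  weight  applied  at  most  once,
       compares   the   score   against   postscreen_dnsbl_threshold   and
       postscreen_dnsbl_whitelist_threshold, hides  a  "password"  domain
       through postscreen_dnsbl_reply_map, and performs the time-to-live
       update  that  whitelisting  applies  to  the other tests. All DNSBL
       domains, replies and settings are constructed.

```python
"""Added example (not Postfix code): parse postscreen_dnsbl_sites entries and
score a client the way the manual describes, then apply the threshold, the
whitelist threshold and the reply map.  DNSBL domains, replies and settings
below are constructed."""
import re

# Constructed settings.  example.com counts double, example.net and
# example.org count once each (example.org only for a 127.0.0.2 or
# 127.0.0.4..7 reply), list.dnswl.example is a whitelist with weight -2.
DNSBL_SITES = ("example.com*2, example.net, example.org=127.0.0.[2;4..7], "
               "list.dnswl.example*-2")
DNSBL_THRESHOLD = 2
DNSBL_WHITELIST_THRESHOLD = -1    # negative enables whitelisting (default 0 disables)
DNSBL_REPLY_MAP = {"secret.zen.example.com": "zen.example.com"}


def parse_dnsbl_sites(value):
    """Split 'domain=filter*weight' entries into (domain, filter, weight)."""
    sites = []
    for entry in value.replace(",", " ").split():
        weight = 1
        if "*" in entry:
            entry, w = entry.rsplit("*", 1)
            weight = int(w)                   # may be negative (whitelist)
        flt = None
        if "=" in entry:
            entry, flt = entry.split("=", 1)
        sites.append((entry, flt, weight))
    return sites


def _octet_matches(pattern, octet):
    """pattern is a number, or [n;m..k;...] with ';'-separated items/ranges."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for item in pattern[1:-1].split(";"):
        if ".." in item:
            lo, hi = item.split("..", 1)
            if int(lo) <= octet <= int(hi):
                return True
        elif int(item) == octet:
            return True
    return False


def filter_matches(flt, reply_addr):
    """Apply a d.d.d.d filter (None = accept any non-error reply)."""
    if flt is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", flt)
    octets = [int(o) for o in reply_addr.split(".")]
    if len(patterns) != 4 or ".".join(patterns) != flt or len(octets) != 4:
        raise ValueError("bad filter or reply: %r / %r" % (flt, reply_addr))
    return all(_octet_matches(p, o) for p, o in zip(patterns, octets))


def dnsbl_score(sites, replies):
    """replies: {dnsbl domain: [A-record replies]} as dnsblog(8) would report.
    An entry's weight is applied at most once, however many replies match."""
    score = 0
    for domain, flt, weight in sites:
        if any(filter_matches(flt, a) for a in replies.get(domain, ())):
            score += weight
    return score


def dnsbl_verdict(score, threshold=DNSBL_THRESHOLD,
                  whitelist_threshold=DNSBL_WHITELIST_THRESHOLD):
    """'block' at or above the threshold; 'whitelist' at or below a negative
    whitelist threshold; otherwise the client continues with the other tests."""
    if score >= threshold:
        return "block"
    if whitelist_threshold < 0 and score <= whitelist_threshold:
        return "whitelist"
    return "continue"


def public_dnsbl_name(domain, reply_map=DNSBL_REPLY_MAP):
    """Name quoted in the reject reply: mapped name, or the actual domain."""
    return reply_map.get(domain, domain)


def apply_dnsbl_whitelist(test_expiry, now, dnsbl_ttl):
    """Whitelist side effect: pending tests (None) become completed with
    expiry now+ttl; completed tests are extended when their remaining TTL
    is shorter than dnsbl_ttl."""
    return {name: (now + dnsbl_ttl if exp is None or exp - now < dnsbl_ttl else exp)
            for name, exp in test_expiry.items()}


def score_client(replies, sites=DNSBL_SITES):
    """Convenience wrapper: (score, verdict) for one client's DNSBL replies."""
    score = dnsbl_score(parse_dnsbl_sites(sites), replies)
    return score, dnsbl_verdict(score)
```

       With  these  constructed  settings  a  single  example.com  listing
       blocks on its own, example.net and example.org block  only  together,
       and a whitelist hit can cancel one of them out.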

postscreen_enforce_tls (default: $smtpd_enforce_tls)

5000       Mandatory TLS: announce STARTTLS support to remote  SMTP  clients,  and
5001       require      that      clients     use     TLS     encryption.      See
5002       smtpd_postscreen_enforce_tls for details.
5003
5004       This feature is available in Postfix 2.8 and  later.   Preferably,  use
5005       postscreen_tls_security_level instead.
5006

postscreen_expansion_filter (default: see postconf -d output)

5008       List  of  characters  that  are  permitted  in postscreen_reject_footer
5009       attribute expansions.  See smtpd_expansion_filter for further details.
5010
5011       This feature is available in Postfix 2.8 and later.
5012

postscreen_forbidden_commands (default: $smtpd_forbidden_commands)

5014       List of commands that the postscreen(8) server considers  in  violation
5015       of  the  SMTP  protocol.  See  smtpd_forbidden_commands for syntax, and
5016       postscreen_non_smtp_command_action for possible actions.
5017
5018       This feature is available in Postfix 2.8.
5019

postscreen_greet_action (default: ignore)

5021       The action that postscreen(8) takes when a remote  SMTP  client  speaks
5022       before    its    turn    within    the    time   specified   with   the
5023       postscreen_greet_wait parameter.  Specify one of the following:
5024
5025       ignore (default)
5026              Ignore the failure of this test. Allow other tests to  complete.
5027              Repeat this test the next time the client connects.  This option
5028              is useful for testing and collecting statistics without blocking
5029              mail.
5030
5031       enforce
5032              Allow  other  tests to complete. Reject attempts to deliver mail
5033              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
5034              mation.  Repeat this test the next time the client connects.
5035
5036       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
5037              this test the next time the client connects.
5038
5039       In either case, postscreen(8) will not whitelist the remote SMTP client
5040       IP address.
5041
5042       This feature is available in Postfix 2.8.
5043

postscreen_greet_banner (default: $smtpd_banner)

5045       The   text   in   the   optional  "220-text..."  server  response  that
5046       postscreen(8) sends ahead  of  the  real  Postfix  SMTP  server's  "220
5047       text..."  response,  in  an attempt to confuse bad SMTP clients so that
5048       they speak before their turn (pre-greet).  Specify an  empty  value  to
5049       disable this feature.
5050
5051       This feature is available in Postfix 2.8.
5052

postscreen_greet_ttl (default: 1d)

5054       The  amount  of time that postscreen(8) will use the result from a suc‐
5055       cessful PREGREET test. During this  time,  the  client  IP  address  is
5056       excluded  from  this  test.  The default is relatively short, because a
5057       good client can immediately talk to a real Postfix SMTP server.
5058
5059       Specify a non-zero time value  (an  integral  value  plus  an  optional
5060       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5061       onds), m (minutes), h (hours), d (days), w (weeks).
5062
5063       This feature is available in Postfix 2.8.
5064

postscreen_greet_wait (default: normal: 6s, overload: 2s)

5066       The amount of time that postscreen(8) will wait for an SMTP  client  to
5067       send a command before its turn, and for DNS blocklist lookup results to
5068       arrive (default: up to 2 seconds under stress, up to 6  seconds  other‐
5069       wise).
5070
5071       Specify  a  non-zero  time  value  (an  integral value plus an optional
5072       one-letter suffix that specifies the time unit).
5073
5074       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5075
5076       This feature is available in Postfix 2.8.
5077

postscreen_helo_required (default: $smtpd_helo_required)

5079       Require that a remote SMTP client sends HELO or EHLO before  commencing
5080       a MAIL transaction.
5081
5082       This feature is available in Postfix 2.8.
5083

postscreen_non_smtp_command_action (default: drop)

5085       The  action  that  postscreen(8)  takes when a remote SMTP client sends
5086       non-SMTP commands as specified with  the  postscreen_forbidden_commands
5087       parameter.  Specify one of the following:
5088
5089       ignore Ignore  the failure of this test. Allow other tests to complete.
5090              Do not repeat this test before the result from  some  other
5091              test expires. This option is useful for testing and collecting
5092              statistics without blocking mail permanently.
5093
5094       enforce
5095              Allow other tests to complete. Reject attempts to  deliver  mail
5096              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
5097              mation.  Repeat this test the next time the client connects.
5098
5099       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
5100              this  test the next time the client connects. This action is the
5101              same as with the Postfix SMTP server's  smtpd_forbidden_commands
5102              feature.
5103
5104       This feature is available in Postfix 2.8.
5105

postscreen_non_smtp_command_enable (default: no)

5107       Enable  "non-SMTP  command"  tests  in  the postscreen(8) server. These
5108       tests are expensive: a client must disconnect after it passes the test,
5109       before it can talk to a real Postfix SMTP server.
5110
5111       This feature is available in Postfix 2.8.
5112

postscreen_non_smtp_command_ttl (default: 30d)

5114       The  amount  of time that postscreen(8) will use the result from a suc‐
5115       cessful "non_smtp_command" SMTP protocol test. During  this  time,  the
5116       client  IP  address  is  excluded  from  this test. The default is long
5117       because a client must disconnect after it passes the  test,  before  it
5118       can talk to a real Postfix SMTP server.
5119
5120       Specify  a  non-zero  time  value  (an  integral value plus an optional
5121       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5122       onds), m (minutes), h (hours), d (days), w (weeks).
5123
5124       This feature is available in Postfix 2.8.
5125

postscreen_pipelining_action (default: enforce)

5127       The  action  that  postscreen(8)  takes when a remote SMTP client sends
5128       multiple commands instead of sending one command and  waiting  for  the
5129       server to respond.  Specify one of the following:
5130
5131       ignore Ignore  the failure of this test. Allow other tests to complete.
5132              Do not repeat this test before the result from  some  other
5133              test expires. This option is useful for testing and collecting
5134              statistics without blocking mail permanently.
5135
5136       enforce
5137              Allow other tests to complete. Reject attempts to  deliver  mail
5138              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
5139              mation.  Repeat this test the next time the client connects.
5140
5141       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
5142              this test the next time the client connects.
5143
5144       This feature is available in Postfix 2.8.
5145

postscreen_pipelining_enable (default: no)

5147       Enable  "pipelining"  SMTP  protocol tests in the postscreen(8) server.
5148       These tests are expensive: a  good  client  must  disconnect  after  it
5149       passes the test, before it can talk to a real Postfix SMTP server.
5150
5151       This feature is available in Postfix 2.8.
5152

postscreen_pipelining_ttl (default: 30d)

5154       The  amount  of time that postscreen(8) will use the result from a suc‐
5155       cessful "pipelining" SMTP protocol test. During this time,  the  client
5156       IP  address  is  excluded from this test. The default is long because a
5157       good client must disconnect after it passes the  test,  before  it  can
5158       talk to a real Postfix SMTP server.
5159
5160       Specify  a  non-zero  time  value  (an  integral value plus an optional
5161       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5162       onds), m (minutes), h (hours), d (days), w (weeks).
5163
5164       This feature is available in Postfix 2.8.
5165
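       The following is an added example, not Postfix code. It  expresses
       the  four  protocol  tests described in the postscreen_greet_action,
       postscreen_bare_newline_action, postscreen_non_smtp_command_action and
       postscreen_pipelining_action  entries  above  as detection logic over
       raw client bytes, and then applies the ignore/enforce/drop policy with
       the  documented  default  actions. The sample traffic is constructed;
       the forbidden-command set is constructed to mirror  the  documented
       smtpd_forbidden_commands default.

```python
"""Added example (not Postfix code): the four postscreen(8) protocol tests
the manual describes (pregreet, pipelining, bare newline, non-SMTP command)
as detection logic over raw client bytes, followed by the ignore/enforce/drop
policy.  Sample traffic and the forbidden-command set are constructed."""

# Constructed; mirrors the documented smtpd_forbidden_commands default value.
FORBIDDEN_COMMANDS = {"CONNECT", "GET", "POST"}

# Per-test actions, using the manual's documented defaults.
DEFAULT_ACTIONS = {
    "pregreet": "ignore",          # postscreen_greet_action
    "bare_newline": "ignore",      # postscreen_bare_newline_action
    "non_smtp_command": "drop",    # postscreen_non_smtp_command_action
    "pipelining": "enforce",       # postscreen_pipelining_action
}


def split_commands(data):
    """Split one read() worth of client bytes into complete command lines.
    Returns (commands, saw_bare_newline); a trailing partial line is kept out."""
    commands, bare = [], False
    parts = data.split(b"\n")
    for line in parts[:-1]:            # parts[-1] is the unterminated remainder
        if line.endswith(b"\r"):
            line = line[:-1]
        else:
            bare = True                # LF not preceded by CR
        commands.append(line.decode("ascii", "replace"))
    return commands, bare


def run_tests(pregreet_bytes, reads, actions=DEFAULT_ACTIONS,
              forbidden=FORBIDDEN_COMMANDS):
    """pregreet_bytes: anything received during postscreen_greet_wait, before
    the 220 banner finished.  reads: successive chunks received afterwards,
    each one what the client sent before the dummy engine answered.

    Returns (failed_tests, outcome) with outcome one of 'pass', 'reject-550'
    (enforce) or 'drop-521' (drop, which ends the session immediately)."""
    failed, outcome = [], "pass"

    def fail(test):
        nonlocal outcome
        if test not in failed:
            failed.append(test)
        action = actions[test]
        if action == "drop":
            outcome = "drop-521"
            return True                # stop processing the session
        if action == "enforce":
            outcome = "reject-550"
        return False

    if pregreet_bytes and fail("pregreet"):
        return failed, outcome
    for data in reads:
        commands, bare = split_commands(data)
        if bare and fail("bare_newline"):
            return failed, outcome
        if len(commands) > 1 and fail("pipelining"):
            return failed, outcome
        for cmd in commands:
            verb = cmd.split(None, 1)[0].upper() if cmd.strip() else ""
            if verb in forbidden and fail("non_smtp_command"):
                return failed, outcome
    return failed, outcome


if __name__ == "__main__":
    print(run_tests(b"EHLO early\r\n", [b"EHLO a\r\nMAIL FROM:<x@example>\r\n"]))
    print(run_tests(b"", [b"HELO a\n", b"GET / HTTP/1.0\r\n", b"QUIT\r\n"]))
```

       With the default actions an "ignore"  result  is  only  recorded,  an
       "enforce"  result lets the session continue but turns every delivery
       attempt into a 550, and a "drop" result ends the session at the  com‐
       mand that triggered it, so later reads are never examined.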

postscreen_post_queue_limit (default: $default_process_limit)

5167       The number of clients that can be waiting for service from a real Post‐
5168       fix SMTP server process. When this queue  is  full,  all  clients  will
5169       receive a 421 response.
5170
5171       This feature is available in Postfix 2.8.
5172

postscreen_pre_queue_limit (default: $default_process_limit)

5174       The  number  of non-whitelisted clients that can be waiting for a deci‐
5175       sion whether they will receive service from a real Postfix SMTP  server
5176       process.  When  this  queue  is  full, all non-whitelisted clients will
5177       receive a 421 response.
5178
5179       This feature is available in Postfix 2.8.
5180

postscreen_reject_footer (default: $smtpd_reject_footer)

5182       Optional information that is appended after a 4XX or 5XX  postscreen(8)
5183       server response. See smtpd_reject_footer for further details.
5184
5185       This feature is available in Postfix 2.8 and later.
5186

postscreen_reject_footer_maps (default: $smtpd_reject_footer_maps)

5188       Optional  lookup  table for information that is appended after a 4XX or
5189       5XX postscreen(8) server  response.  See  smtpd_reject_footer_maps  for
5190       further details.
5191
5192       This feature is available in Postfix 3.4 and later.
5193

postscreen_tls_security_level (default: $smtpd_tls_security_level)

       The SMTP TLS security level for the postscreen(8) server; when a
       non-empty value is specified, this overrides the obsolete parameters
       postscreen_use_tls and postscreen_enforce_tls. See
       smtpd_tls_security_level for details.

       This feature is available in Postfix 2.8 and later.


postscreen_upstream_proxy_protocol (default: empty)

       The name of the proxy protocol used by an optional before-postscreen
       proxy agent. When a proxy agent is used, this protocol conveys local
       and remote address and port information. Specify
       "postscreen_upstream_proxy_protocol = haproxy" to enable the haproxy
       protocol; version 2 is supported with Postfix 3.5 and later.

       This feature is available in Postfix 2.10 and later.


postscreen_upstream_proxy_timeout (default: 5s)

       The time limit for the proxy protocol specified with the
       postscreen_upstream_proxy_protocol parameter.

       This feature is available in Postfix 2.10 and later.


postscreen_use_tls (default: $smtpd_use_tls)

       Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
       but do not require that clients use TLS encryption.

       This feature is available in Postfix 2.8 and later. Preferably, use
       postscreen_tls_security_level instead.


postscreen_watchdog_timeout (default: 10s)

       How much time a postscreen(8) process may take to respond to a remote
       SMTP client command or to perform a cache operation before it is
       terminated by a built-in watchdog timer. This is a safety mechanism
       that prevents postscreen(8) from becoming non-responsive due to a bug
       in Postfix itself or in system software. To avoid false alarms and
       unnecessary cache corruption this limit cannot be set under 10s.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8.


postscreen_whitelist_interfaces (default: static:all)

       A list of local postscreen(8) server IP addresses where a
       non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
       whitelist status. This status is required before the client can talk to
       a Postfix SMTP server process. By default, a client can obtain
       postscreen(8)'s whitelist status on any local postscreen(8) server IP
       address.

       When postscreen(8) listens on both primary and backup MX addresses, the
       postscreen_whitelist_interfaces parameter can be configured to give the
       temporary whitelist status only when a client connects to a primary MX
       address. Once a client is whitelisted it can talk to a Postfix SMTP
       server on any address. Thus, clients that connect only to backup MX
       addresses will never become whitelisted, and will never be allowed to
       talk to a Postfix SMTP server process.

       Specify a list of network addresses or network/netmask patterns,
       separated by commas and/or whitespace. The netmask specifies the number
       of bits in the network part of a host address. Continue long lines by
       starting the next line with whitespace.

       You can also specify "/file/name" or "type:table" patterns. A
       "/file/name" pattern is replaced by its contents; a "type:table" lookup
       table is matched when a table entry matches a lookup string (the lookup
       result is ignored).

       The list is matched left to right, and the search stops on the first
       match. Specify "!pattern" to exclude an address or network block from
       the list.

       Note: IP version 6 address information must be specified inside [] in
       the postscreen_whitelist_interfaces value, and in files specified with
       "/file/name". IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.

       Example:

       /etc/postfix/main.cf:
           # Don't whitelist connections to the backup IP address.
           postscreen_whitelist_interfaces = !168.100.189.8, static:all

       This feature is available in Postfix 2.9 and later.


prepend_delivered_header (default: command, file, forward)

       The message delivery contexts where the Postfix local(8) delivery agent
       prepends a Delivered-To: message header with the address that the mail
       was delivered to. This information is used for mail delivery loop
       detection.

       By default, the Postfix local delivery agent prepends a Delivered-To:
       header when forwarding mail and when delivering to file (mailbox) and
       command. Turning off the Delivered-To: header when forwarding mail is
       not recommended.

       Specify zero or more of forward, file, or command.

       Example:

       prepend_delivered_header = forward


process_id (read-only)

       The process ID of a Postfix command or daemon process.


process_id_directory (default: pid)

       The location of Postfix PID files relative to $queue_directory. This
       is a read-only parameter.


process_name (read-only)

       The process name of a Postfix command or daemon process.


propagate_unmatched_extensions (default: canonical, virtual)

       What address lookup tables copy an address extension from the lookup
       key to the lookup result.

       For example, with a virtual(5) mapping of "joe@example.com =>
       joe.user@example.net", the address "joe+foo@example.com" would rewrite
       to "joe.user+foo@example.net".

       Specify zero or more of canonical, virtual, alias, forward, include or
       generic. These cause address extension propagation with canonical(5),
       virtual(5), and aliases(5) maps, with local(8) .forward and :include:
       file lookups, and with smtp(8) generic maps, respectively.

       Note: enabling this feature for types other than canonical and virtual
       is likely to cause problems when mail is forwarded to other sites,
       especially with mail that is sent to a mailing list exploder address.

       Examples:

       propagate_unmatched_extensions = canonical, virtual, alias,
               forward, include
       propagate_unmatched_extensions = canonical, virtual


proxy_interfaces (default: empty)

       The network interface addresses that this mail system receives mail on
       by way of a proxy or network address translation unit.

       This feature is available in Postfix 2.0 and later.

       You must specify your "outside" proxy/NAT addresses when your system is
       a backup MX host for other domains, otherwise mail delivery loops will
       happen when the primary MX host is down.

       Example:

       proxy_interfaces = 1.2.3.4


proxy_read_maps (default: see postconf -d output)

       The lookup tables that the proxymap(8) server is allowed to access for
       the read-only service.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Table references that don't begin with proxy: are ignored.

       This feature is available in Postfix 2.0 and later.


proxy_write_maps (default: see postconf -d output)

       The lookup tables that the proxymap(8) server is allowed to access for
       the read-write service. Postfix-owned local database files should be
       stored under the Postfix-owned data_directory. Table references that
       don't begin with proxy: are ignored.

       This feature is available in Postfix 2.5 and later.


proxymap_service_name (default: proxymap)

       The name of the proxymap read-only table lookup service. This service
       is normally implemented by the proxymap(8) daemon.

       This feature is available in Postfix 2.6 and later.


proxywrite_service_name (default: proxywrite)

       The name of the proxywrite read-write table lookup service. This
       service is normally implemented by the proxymap(8) daemon.

       This feature is available in Postfix 2.6 and later.


qmgr_clog_warn_time (default: 300s)

       The minimal delay between warnings that a specific destination is
       clogging up the Postfix active queue. Specify 0 to disable.

       This feature is enabled with the helpful_warnings parameter.

       This feature is available in Postfix 2.0 and later.


qmgr_daemon_timeout (default: 1000s)

       How much time a Postfix queue manager process may take to handle a
       request before it is terminated by a built-in watchdog timer.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.8 and later.


qmgr_fudge_factor (default: 100)

       Obsolete feature: the percentage of delivery resources that a busy mail
       system will use up for delivery of a large mailing list message.

       This feature exists only in the oqmgr(8) old queue manager. The current
       queue manager solves the problem in a better way.


qmgr_ipc_timeout (default: 60s)

       The time limit for the queue manager to send or receive information
       over an internal communication channel. The purpose is to break out of
       deadlock situations. If the time limit is exceeded the software either
       retries or aborts the operation.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.8 and later.


qmgr_message_active_limit (default: 20000)

       The maximal number of messages in the active queue.


qmgr_message_recipient_limit (default: 20000)

       The maximal number of recipients held in memory by the Postfix queue
       manager, and the maximal size of the short-term, in-memory "dead"
       destination status cache.


qmgr_message_recipient_minimum (default: 10)

       The minimal number of in-memory recipients for any message. This takes
       priority over any other in-memory recipient limits (i.e., the global
       qmgr_message_recipient_limit and the per transport _recipient_limit) if
       necessary. The minimum value allowed for this parameter is 1.


qmqpd_authorized_clients (default: empty)

       What remote QMQP clients are allowed to connect to the Postfix QMQP
       server port.

       By default, no client is allowed to use the service. This is because
       the QMQP server will relay mail to any destination.

       Specify a list of client patterns. A list pattern specifies a host
       name, a domain name, an internet address, or a network/mask pattern,
       where the mask specifies the number of bits in the network part. When
       a pattern specifies a file name, its contents are substituted for the
       file name; when a pattern is a "type:table" table specification, table
       lookup is used instead.

       Patterns are separated by whitespace and/or commas. In order to reverse
       the result, precede a pattern with an exclamation point (!). The form
       "!/file/name" is supported only in Postfix version 2.4 and later.

       Pattern matching of domain names is controlled by the presence or
       absence of "qmqpd_authorized_clients" in the
       parent_domain_matches_subdomains parameter value.

       Example:

       qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24

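       Added example, not part of this manual page or of Postfix's own code: a
       Python evaluator for the left-to-right, first-match list syntax shared by
       postscreen_whitelist_interfaces (above) and qmqpd_authorized_clients, run
       against both man page example values. It assumes a numeric address as
       input and handles only address and network/mask patterns plus static:all;
       hostname, "/file/name" and other "type:table" patterns are out of scope.

```python
"""Added example, not Postfix's own code: a left-to-right, first-match
evaluator for the address-list syntax of postscreen_whitelist_interfaces
and qmqpd_authorized_clients (addresses and network/mask patterns only)."""
import ipaddress
import re

# Patterns are separated by commas and/or whitespace.
_SEPARATOR = re.compile(r"[,\s]+")
# IPv6 patterns are written inside [] so that ':' is not taken as type:table;
# an optional /bits prefix length may follow the closing bracket.
_BRACKETED = re.compile(r"\[([^\]]+)\](/\d+)?$")


def parse_address_list(value):
    """Turn a main.cf list value into (negated, pattern) pairs, in order."""
    items = []
    for raw in _SEPARATOR.split(value.strip()):
        if not raw:
            continue
        negated = raw.startswith("!")
        items.append((negated, raw[1:] if negated else raw))
    return items


def pattern_matches(pattern, addr):
    """True if one list pattern matches the ipaddress object addr."""
    if pattern == "static:all":          # the default: matches everything
        return True
    m = _BRACKETED.match(pattern)
    if m:
        pattern = m.group(1) + (m.group(2) or "")
    elif ":" in pattern:
        # Anything else containing ':' is a type:table lookup in Postfix;
        # this example has no table backend, so refuse rather than guess.
        raise ValueError(f"{pattern!r}: type:table lookups are not supported")
    network = ipaddress.ip_network(pattern, strict=False)  # host => /32 or /128
    # An address can only fall inside a network of the same IP version.
    return addr.version == network.version and addr in network


def address_list_permits(value, address):
    """Decide whether address is matched by the list value.

    The search stops at the first matching pattern: a plain match returns
    True, a "!pattern" match returns False (excluded), and an address that
    matches nothing is simply not listed, so the result is False as well.
    """
    addr = ipaddress.ip_address(address)
    for negated, pattern in parse_address_list(value):
        if pattern_matches(pattern, addr):
            return not negated
    return False


if __name__ == "__main__":
    # The two man page examples; the addresses probed are constructed.
    whitelist = "!168.100.189.8, static:all"
    for local_ip in ("168.100.189.8", "192.0.2.25"):
        print(local_ip, "grants whitelist status:",
              address_list_permits(whitelist, local_ip))
    clients = "!192.168.0.1, 192.168.0.0/24"
    for client_ip in ("192.168.0.1", "192.168.0.77", "10.0.0.5"):
        print(client_ip, "may use QMQP:",
              address_list_permits(clients, client_ip))
```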

qmqpd_client_port_logging (default: no)

       Enable logging of the remote QMQP client port in addition to the
       hostname and IP address. The logging format is "host[address]:port".

       This feature is available in Postfix 2.5 and later.


qmqpd_error_delay (default: 1s)

       How long the Postfix QMQP server will pause before sending a negative
       reply to the remote QMQP client. The purpose is to slow down confused
       or malicious clients.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


qmqpd_timeout (default: 300s)

       The time limit for sending or receiving information over the network.
       If a read or write operation blocks for more than $qmqpd_timeout
       seconds the Postfix QMQP server gives up and disconnects.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


queue_directory (default: see postconf -d output)

       The location of the Postfix top-level queue directory. This is the root
       directory of Postfix daemon processes that run chrooted.


queue_file_attribute_count_limit (default: 100)

       The maximal number of (name=value) attributes that may be stored in a
       Postfix queue file. The limit is enforced by the cleanup(8) server.

       This feature is available in Postfix 2.0 and later.


queue_minfree (default: 0)

       The minimal amount of free space in bytes in the queue file system that
       is needed to receive mail. This is currently used by the Postfix SMTP
       server to decide if it will accept any mail at all.

       By default, the Postfix SMTP server rejects MAIL FROM commands when the
       amount of free space is less than 1.5*$message_size_limit (Postfix
       version 2.1 and later). To specify a higher minimum free space limit,
       specify a queue_minfree value that is at least 1.5*$message_size_limit.

       With Postfix versions 2.0 and earlier, a queue_minfree value of zero
       means there is no minimum required amount of free space.


queue_run_delay (default: 300s)

       The time between deferred queue scans by the queue manager; prior to
       Postfix 2.4 the default value was 1000s.

       This parameter should be set less than or equal to
       $minimal_backoff_time. See also $maximal_backoff_time.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


queue_service_name (default: qmgr)

       The name of the qmgr(8) service. This service manages the Postfix queue
       and schedules delivery requests.

       This feature is available in Postfix 2.0 and later.


rbl_reply_maps (default: empty)

       Optional lookup tables with RBL response templates. The tables are
       indexed by the RBL domain name. By default, Postfix uses the default
       template as specified with the default_rbl_reply configuration
       parameter. See there for a discussion of the syntax of RBL reply
       templates.

       This feature is available in Postfix 2.0 and later.


readme_directory (default: see postconf -d output)

       The location of Postfix README files that describe how to build,
       configure or operate a specific Postfix subsystem or feature.


receive_override_options (default: empty)

       Enable or disable recipient validation, built-in content filtering, or
       address mapping. Typically, these are specified in master.cf as
       command-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.

       Specify zero or more of the following options. The options override
       main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
       pickup(8) themselves, or they are forwarded to the cleanup server.

       no_unknown_recipient_checks
              Do not try to reject unknown recipients (SMTP server only).
              This is typically specified AFTER an external content filter.

       no_address_mappings
              Disable canonical address mapping, virtual alias map expansion,
              address masquerading, and automatic BCC (blind carbon-copy)
              recipients. This is typically specified BEFORE an external
              content filter.

       no_header_body_checks
              Disable header/body_checks. This is typically specified AFTER an
              external content filter.

       no_milters
              Disable Milter (mail filter) applications. This is typically
              specified AFTER an external content filter.

       Note: when the "BEFORE content filter" receive_override_options setting
       is specified in the main.cf file, specify the "AFTER content filter"
       receive_override_options setting in master.cf (and vice versa).

       Examples:

       receive_override_options =
           no_unknown_recipient_checks, no_header_body_checks
       receive_override_options = no_address_mappings

       This feature is available in Postfix 2.1 and later.


recipient_bcc_maps (default: empty)

       Optional BCC (blind carbon-copy) address lookup tables, indexed by
       recipient address. The BCC address (multiple results are not
       supported) is added when mail enters from outside of Postfix.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       The table search order is as follows:

       ·      Look up the "user+extension@domain.tld" address including the
              optional address extension.

       ·      Look up the "user@domain.tld" address without the optional
              address extension.

       ·      Look up the "user+extension" address local part when the
              recipient domain equals $myorigin, $mydestination,
              $inet_interfaces or $proxy_interfaces.

       ·      Look up the "user" address local part when the recipient domain
              equals $myorigin, $mydestination, $inet_interfaces or
              $proxy_interfaces.

       ·      Look up the "@domain.tld" part.

       Note: with Postfix 2.3 and later the BCC address is added as if it was
       specified with NOTIFY=NONE. The sender will not be notified when the
       BCC address is undeliverable, as long as all down-stream software
       implements RFC 3461.

       Note: with Postfix 2.2 and earlier the sender will unconditionally be
       notified when the BCC address is undeliverable.

       Note: automatic BCC recipients are produced only for new mail. To
       avoid mailer loops, automatic BCC recipients are not generated after
       Postfix forwards mail internally, or after Postfix generates mail
       itself.

       Example:

       recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

       After a change, run "postmap /etc/postfix/recipient_bcc".

       This feature is available in Postfix 2.1 and later.


recipient_canonical_classes (default: envelope_recipient, header_recipient)

       What addresses are subject to recipient_canonical_maps address mapping.
       By default, recipient_canonical_maps address mapping is applied to
       envelope recipient addresses, and to header recipient addresses.

       Specify one or more of: envelope_recipient, header_recipient

       This feature is available in Postfix 2.2 and later.


recipient_canonical_maps (default: empty)

       Optional address mapping lookup tables for envelope and header
       recipient addresses. The table format and lookups are documented in
       canonical(5).

       Note: $recipient_canonical_maps is processed before $canonical_maps.

       Example:

       recipient_canonical_maps = hash:/etc/postfix/recipient_canonical


recipient_delimiter (default: empty)

       The set of characters that can separate a user name from its extension
       (example: user+foo), or a .forward file name from its extension
       (example: .forward+foo). Basically, the software tries user+foo and
       .forward+foo before trying user and .forward. This implementation
       recognizes one delimiter character and one extension per email address
       or .forward file name.

       When the recipient_delimiter set contains multiple characters (Postfix
       2.11 and later), a user name or .forward file name is separated from
       its extension by the first character that matches the
       recipient_delimiter set.

       See canonical(5), local(8), relocated(5) and virtual(5) for the effects
       of recipient_delimiter on lookups in aliases, canonical, virtual, and
       relocated maps, and see the propagate_unmatched_extensions parameter
       for propagating an extension from one email address to another.

       When used in command_execution_directory, forward_path, or luser_relay,
       ${recipient_delimiter} is replaced with the actual recipient delimiter
       that was found in the recipient email address (Postfix 2.11 and later),
       or it is replaced with the main.cf recipient_delimiter parameter value
       (Postfix 2.10 and earlier).

       The recipient_delimiter is not applied to the mailer-daemon address,
       the postmaster address, or the double-bounce address. With the default
       "owner_request_special = yes" setting, the recipient_delimiter is also
       not applied to addresses with the special "owner-" prefix or the
       special "-request" suffix.

       Examples:

       # Handle Postfix-style extensions.
       recipient_delimiter = +

       # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
       recipient_delimiter = +-

       # Use .forward for mail without address extension, and for mail with
       # an unrecognized address extension.
       forward_path = $home/.forward${recipient_delimiter}${extension},
           $home/.forward

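       Added example, not part of this manual page or of Postfix's own code,
       covering three passages at once: splitting a local part at the first
       recipient_delimiter character (above), extension propagation through a
       virtual(5)-style table as described under propagate_unmatched_extensions,
       and the recipient_bcc_maps search order. Lookup tables are plain dicts
       constructed here, and the $myorigin/$mydestination/$inet_interfaces/
       $proxy_interfaces test is modelled as a caller-supplied set of local
       domains; the extra "user", "user+foo" and "@domain" lookups that
       virtual(5) performs for local domains are left out.

```python
"""Added example, not Postfix's own code: address extension handling as
described under recipient_delimiter, propagate_unmatched_extensions and
recipient_bcc_maps. Lookup tables are plain dicts constructed here."""


def split_extension(localpart, delimiters):
    """Split 'user+foo' into ('user', '+foo') at the first character that is
    in the recipient_delimiter set; the delimiter stays with the extension.
    With an empty delimiter set, nothing is ever split."""
    for i, ch in enumerate(localpart):
        if ch in delimiters:
            return localpart[:i], localpart[i:]
    return localpart, ""


def virtual_rewrite(table, address, delimiters="+", propagate=True):
    """Rewrite one address through a virtual(5)-style table.

    The full address is tried first, then the address without its
    extension. When only the extension-less key matches and 'virtual' is
    listed in propagate_unmatched_extensions (propagate=True), the original
    extension is re-attached to the local part of the lookup result, giving
    the man page's joe+foo@example.com => joe.user+foo@example.net."""
    user, domain = address.rsplit("@", 1)
    if address in table:
        return table[address]
    base, ext = split_extension(user, delimiters)
    if ext and f"{base}@{domain}" in table:
        target = table[f"{base}@{domain}"]
        if propagate:
            tuser, tdomain = target.rsplit("@", 1)
            return f"{tuser}{ext}@{tdomain}"
        return target
    return address  # no match: the address is left unchanged


def bcc_lookup_keys(recipient, delimiters, local_domains):
    """The keys that recipient_bcc_maps tries for one recipient, in order.
    local_domains stands in for $myorigin, $mydestination, $inet_interfaces
    and $proxy_interfaces (a constructed set supplied by the caller)."""
    user, domain = recipient.rsplit("@", 1)
    base, ext = split_extension(user, delimiters)
    keys = [f"{user}@{domain}"]            # user+extension@domain.tld
    if ext:
        keys.append(f"{base}@{domain}")    # user@domain.tld
    if domain.lower() in local_domains:
        keys.append(user)                  # user+extension
        if ext:
            keys.append(base)              # user
    keys.append(f"@{domain}")              # @domain.tld
    return keys


def recipient_bcc(table, recipient, delimiters="+", local_domains=frozenset()):
    """First BCC address found in table search order, or None when no entry
    matches (so no automatic BCC recipient is added)."""
    for key in bcc_lookup_keys(recipient, delimiters, local_domains):
        if key in table:
            return table[key]
    return None


# Constructed sample tables (not from the manual page).
VIRTUAL = {"joe@example.com": "joe.user@example.net"}
BCC = {
    "alice+audit@example.com": "audit-alice@archive.example",
    "alice@example.com": "archive-alice@archive.example",
    "bob": "bob-copy@archive.example",
    "@example.com": "catchall@archive.example",
}

if __name__ == "__main__":
    print(virtual_rewrite(VIRTUAL, "joe+foo@example.com"))        # joe.user+foo@example.net
    print(virtual_rewrite(VIRTUAL, "joe-bar@example.com", "+-"))  # joe.user-bar@example.net
    print(bcc_lookup_keys("bob+x@example.com", "+", {"example.com"}))
    print(recipient_bcc(BCC, "bob+x@example.com", local_domains={"example.com"}))
```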

reject_code (default: 554)

       The numerical Postfix SMTP server response code when a remote SMTP
       client request is rejected by the "reject" restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.


reject_tempfail_action (default: defer_if_permit)

       The Postfix SMTP server's action when a reject-type restriction fails
       due to a temporary error condition. Specify "defer" to defer the remote
       SMTP client request immediately. With the default "defer_if_permit"
       action, the Postfix SMTP server continues to look for opportunities to
       reject mail, and defers the client request only if it would otherwise
       be accepted.

       For finer control, see: unverified_recipient_tempfail_action,
       unverified_sender_tempfail_action, unknown_address_tempfail_action, and
       unknown_helo_hostname_tempfail_action.

       This feature is available in Postfix 2.6 and later.


relay_clientcerts (default: empty)

       List of tables with remote SMTP client-certificate fingerprints or
       public key fingerprints (Postfix 2.9 and later) for which the Postfix
       SMTP server will allow access with the permit_tls_clientcerts feature.
       The fingerprint digest algorithm is configurable via the
       smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
       Postfix version 2.5).

       Postfix lookup tables are in the form of (key, value) pairs. Since we
       only need the key, the value can be chosen freely, e.g. the name of
       the user or host:

           D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

       Example:

       relay_clientcerts = hash:/etc/postfix/relay_clientcerts

       For more fine-grained control, use check_ccert_access to select an
       appropriate access(5) policy for each client. See
       RESTRICTION_CLASS_README.

       Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint
       incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6
       or later.

       This feature is available with Postfix version 2.2.


relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same destination via
       the relay message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the first field
       in the entry in the master.cf file.

       This feature is available in Postfix 2.0 and later.


relay_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for the relay message
       delivery transport. This limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in the
       master.cf file.

       Setting this parameter to a value of 1 changes the meaning of
       relay_destination_concurrency_limit from concurrency per domain into
       concurrency per recipient.

       This feature is available in Postfix 2.0 and later.


relay_domains (default: Postfix >= 3.0: empty, Postfix < 3.0: $mydestination)

       What destination domains (and subdomains thereof) this system will
       relay mail to. For details about how the relay_domains value is used,
       see the description of the permit_auth_destination and
       reject_unauth_destination SMTP recipient restrictions.

       Domains that match $relay_domains are delivered with the
       $relay_transport mail delivery transport. The SMTP server validates
       recipient addresses with $relay_recipient_maps and rejects non-existent
       recipients. See also the relay domains address class in the
       ADDRESS_CLASS_README file.

       Note: Postfix will not automatically forward mail for domains that list
       this system as their primary or backup MX host. See the
       permit_mx_backup restriction in the postconf(5) manual page.

       Specify a list of host or domain names, "/file/name" patterns or
       "type:table" lookup tables, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace. A
       "/file/name" pattern is replaced by its contents; a "type:table" lookup
       table is matched when a (parent) domain appears as lookup key. Specify
       "!pattern" to exclude a domain from the list. The form "!/file/name" is
       supported only in Postfix version 2.4 and later.

       Pattern matching of domain names is controlled by the presence or
       absence of "relay_domains" in the parent_domain_matches_subdomains
       parameter value.


relay_domains_reject_code (default: 554)

       The numerical Postfix SMTP server response code when a client request
       is rejected by the reject_unauth_destination recipient restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.


relay_recipient_maps (default: empty)

       Optional lookup tables with all valid addresses in the domains that
       match $relay_domains. Specify @domain as a wild-card for domains that
       have no valid recipient list, and become a source of backscatter mail:
       Postfix accepts spam for non-existent recipients and then floods
       innocent people with undeliverable mail. Technically, tables listed
       with $relay_recipient_maps are used as lists: Postfix needs to know
       only if a lookup string is found or not, but it does not use the result
       from table lookup.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       If this parameter is non-empty, then the Postfix SMTP server will
       reject mail to unknown relay users. This feature is off by default.

       See also the relay domains address class in the ADDRESS_CLASS_README
       file.

       Example:

       relay_recipient_maps = hash:/etc/postfix/relay_recipients

       This feature is available in Postfix 2.0 and later.


relay_transport (default: relay)

       The default mail delivery transport and next-hop destination for remote
       delivery to domains listed with $relay_domains. In order of decreasing
       precedence, the nexthop destination is taken from $relay_transport,
       $sender_dependent_relayhost_maps, $relayhost, or from the recipient
       domain. This information can be overruled with the transport(5) table.

       Specify a string of the form transport:nexthop, where transport is the
       name of a mail delivery transport defined in master.cf. The :nexthop
       destination is optional; its syntax is documented in the manual page of
       the corresponding delivery agent.

       See also the relay domains address class in the ADDRESS_CLASS_README
       file.

       This feature is available in Postfix 2.0 and later.


relayhost (default: empty)

       The next-hop destination(s) for non-local mail; overrides non-local
       domains in recipient addresses. This information is overruled with
       relay_transport, sender_dependent_default_transport_maps,
       default_transport, sender_dependent_relayhost_maps and with the
       transport(5) table.

       On an intranet, specify the organizational domain name. If your
       internal DNS uses no MX records, specify the name of the intranet
       gateway host instead.

       In the case of SMTP or LMTP delivery, specify one or more destinations
       in the form of a domain name, hostname, hostname:port, [hostname]:port,
       [hostaddress] or [hostaddress]:port, separated by comma or whitespace.
       The form [hostname] turns off MX lookups. Multiple destinations are
       supported in Postfix 3.5 and later.

       If you're connected via UUCP, see the UUCP_README file for useful
       information.

       Examples:

       relayhost = $mydomain
       relayhost = [gateway.example.com]
       relayhost = mail1.example:587, mail2.example:587
       relayhost = [an.ip.add.ress]


relocated_maps (default: empty)

       Optional lookup tables with new contact information for users or
       domains that no longer exist. The table format and lookups are
       documented in relocated(5).

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       If you use this feature, run "postmap /etc/postfix/relocated" to build
       the necessary DBM or DB file after change, then "postfix reload" to
       make the changes visible.

       Examples:

       relocated_maps = dbm:/etc/postfix/relocated
       relocated_maps = hash:/etc/postfix/relocated


remote_header_rewrite_domain (default: empty)

       Don't rewrite message headers from remote clients at all when this
       parameter is empty; otherwise, rewrite message headers and append the
       specified domain name to incomplete addresses. The
       local_header_rewrite_clients parameter controls what clients Postfix
       considers local.

       Examples:

       The safe setting: append "domain.invalid" to incomplete header
       addresses from remote SMTP clients, so that those addresses cannot be
       confused with local addresses.

           remote_header_rewrite_domain = domain.invalid

       The default, purist, setting: don't rewrite headers from remote clients
       at all.

           remote_header_rewrite_domain =


require_home_directory (default: no)

       Require that a local(8) recipient's home directory exists before mail
       delivery is attempted. By default this test is disabled. It can be
       useful for environments that import home directories to the mail server
       (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).


reset_owner_alias (default: no)

       Reset the local(8) delivery agent's idea of the owner-alias attribute,
       when delivering mail to a child alias that does not have its own owner
       alias.

       This feature is available in Postfix 2.8 and later. With older Postfix
5896       releases, the behavior is as if this parameter is set to "yes".
5897
5898       As  documented  in aliases(5), when an alias name has a companion alias
5899       named owner-name, this will replace the  envelope  sender  address,  so
5900       that delivery errors will be reported to the owner alias instead of the
5901       sender. This configuration is recommended for mailing lists.
5902
5903       A less known property of the owner alias is that  it  also  forces  the
5904       local(8)  delivery agent to write local and remote addresses from alias
5905       expansion to a new queue file, instead of attempting to deliver mail to
5906       local addresses as soon as they come out of alias expansion.
5907
5908       Writing local addresses from alias expansion to a new queue file allows
5909       for robust handling of temporary delivery errors: errors with one local
5910       member  have  no effect on deliveries to other members of the list.  On
5911       the other hand, delivery to local addresses as soon as they come out of
5912       alias  expansion  is  fragile: a temporary error with one local address
5913       from alias expansion will cause the entire alias to be expanded repeat‐
5914       edly  until  the  error  goes away, or until the message expires in the
5915       queue.  In that case, a problem with one list member results in  multi‐
5916       ple message deliveries to other list members.
5917
5918       The  default  behavior  of  Postfix  2.8  and  later  is  to  keep  the
5919       owner-alias attribute of the parent alias, when delivering  mail  to  a
5920       child  alias  that  does  not  have  its  own  owner alias. Then, local
5921       addresses from that child alias will be written to a  new  queue  file,
5922       and  a  temporary error with one local address will not affect delivery
5923       to other mailing list members.
5924
5925       Unfortunately, older Postfix releases reset the  owner-alias  attribute
5926       when  delivering mail to a child alias that does not have its own owner
5927       alias. To be precise, this resets only the decision  to  create  a  new
5928       queue  file,  not the decision to override the envelope sender address.
5929       The local(8) delivery agent then attempts to deliver local addresses as
5930       soon  as  they  come  out of child alias expansion.  If delivery to any
5931       address from child alias expansion fails with a temporary error  condi‐
5932       tion, the entire mailing list may be expanded repeatedly until the mail
5933       expires in the queue, resulting in multiple deliveries of the same mes‐
5934       sage to mailing list members.
5935

resolve_dequoted_address (default: yes)

5937       Resolve  a  recipient  address  safely instead of correctly, by looking
5938       inside quotes.
5939
5940       By default, the Postfix address resolver does  not  quote  the  address
5941       localpart  as  per  RFC  822, so that additional @ or % or !  operators
5942       remain visible. This behavior is safe but it is also technically incor‐
5943       rect.
5944
5945       If  you  specify  "resolve_dequoted_address  =  no",  then  the Postfix
5946       resolver will not know about additional @ etc. operators in the address
5947       localpart. This opens opportunities for obscure mail relay attacks with
5948       user@domain@domain addresses when Postfix provides  backup  MX  service
5949       for Sendmail systems.
5950
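       The following is an added example, not Postfix source: a small Python
       model of what resolve_dequoted_address changes. It splits an address at
       the last '@' outside double quotes, then either looks inside a quoted
       localpart (the default, "yes") or treats it as opaque ("no"), and shows
       how a backup MX decides RCPT TO for a relay domain. The accept/reject
       step for sender-specified routing is modeled on allow_untrusted_routing
       (default no), a parameter documented elsewhere in postconf(5); the
       domain names are constructed for the example.

```python
"""Model of what resolve_dequoted_address changes in the address resolver.
Added illustration code, not the Postfix resolver: it reproduces only the
behavior that the parameter description documents."""

ROUTING_OPERATORS = ("@", "%", "!")      # sender-specified routing operators


def split_address(address: str) -> tuple[str, str]:
    """Split at the last '@' that is outside double quotes (RFC 822 view).
    Returns (localpart, domain); domain is "" when there is none."""
    in_quotes = False
    last_at = -1
    i = 0
    while i < len(address):
        ch = address[i]
        if in_quotes and ch == "\\":
            i += 2                          # skip a backslash-escaped char
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            last_at = i
        i += 1
    if last_at < 0:
        return address, ""
    return address[:last_at], address[last_at + 1:]


def has_sender_routing(address: str, dequote: bool) -> bool:
    """True when the localpart carries an extra @ / % / ! operator.

    dequote=True  (resolve_dequoted_address = yes, the default): the resolver
                  looks inside a quoted localpart, so operators hidden in
                  "user@other.site"@our.site stay visible. Safe, but not what
                  RFC 822 says a quoted string means.
    dequote=False (resolve_dequoted_address = no): the quoted string is
                  opaque, as RFC 822 intends, so the resolver never sees the
                  operators inside it.
    """
    localpart, _ = split_address(address)
    if len(localpart) >= 2 and localpart[0] == localpart[-1] == '"':
        if not dequote:
            return False
        localpart = localpart[1:-1]
    return any(op in localpart for op in ROUTING_OPERATORS)


def backup_mx_accepts(rcpt: str, relay_domains: set[str], dequote: bool,
                      allow_untrusted_routing: bool = False) -> bool:
    """Decide whether a backup MX accepts RCPT TO:<rcpt> from a stranger:
    the destination must be one of our relay_domains, and sender-specified
    routing is refused unless allow_untrusted_routing is enabled (assumed
    model of that parameter's documented default)."""
    _, domain = split_address(rcpt)
    if not domain or domain.lower() not in relay_domains:
        return False
    if has_sender_routing(rcpt, dequote) and not allow_untrusted_routing:
        return False
    return True


# Constructed scenario: this host is backup MX for a Sendmail site, and a
# stranger tries to bounce mail through it to a third party.
RELAY_DOMAINS = {"sendmail-site.example"}
ATTACK_RCPT = '"victim@spam-target.example"@sendmail-site.example'

if __name__ == "__main__":
    for dequote in (True, False):
        print(f"resolve_dequoted_address={'yes' if dequote else 'no'}:",
              "accepted" if backup_mx_accepts(ATTACK_RCPT, RELAY_DOMAINS, dequote)
              else "rejected")
```

       With the default the embedded "@" is visible and the relay attempt is
       refused; with "no" the outer domain is all the resolver sees, the mail
       is accepted for the relay domain, and the downstream Sendmail host does
       the unquoting and the relaying.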

resolve_null_domain (default: no)

5952       Resolve  an  address  that  ends in the "@" null domain as if the local
5953       hostname were specified, instead of rejecting the address as invalid.
5954
5955       This feature is available in Postfix 2.1 and later.   Earlier  versions
5956       always resolve the null domain as the local hostname.
5957
5958       The  Postfix  SMTP  server  uses this feature to reject mail from or to
5959       addresses that end in the "@" null domain, and from addresses that  re‐
5960       write into a form that ends in the "@" null domain.
5961

resolve_numeric_domain (default: no)

5963       Resolve  "user@ipaddress"  as  "user@[ipaddress]", instead of rejecting
5964       the address as invalid.
5965
5966       This feature is available in Postfix 2.3 and later.
5967

rewrite_service_name (default: rewrite)

5969       The name of  the  address  rewriting  service.  This  service  rewrites
5970       addresses  to  standard  form  and resolves them to a (delivery method,
5971       next-hop host, recipient) triple.
5972
5973       This feature is available in Postfix 2.0 and later.
5974

sample_directory (default: /etc/postfix)

5976       The name of the directory with  example  Postfix  configuration  files.
5977       Starting  with  Postfix  2.1,  these  files have been replaced with the
5978       postconf(5) manual page.
5979

send_cyrus_sasl_authzid (default: no)

5981       When authenticating to a remote SMTP or LMTP server  with  the  default
5982       setting  "no",  send  no SASL authoriZation ID (authzid); send only the
5983       SASL authentiCation ID (authcid) plus the authcid's password.
5984
5985       The non-default setting "yes" enables the  behavior  of  older  Postfix
5986       versions.   These  always send a SASL authzid that is equal to the SASL
5987       authcid, but this  causes  interoperability  problems  with  some  SMTP
5988       servers.
5989
5990       This feature is available in Postfix 2.4.4 and later.
5991

sender_based_routing (default: no)

5993       This  parameter  should  not  be used. It was replaced by sender_depen‐
5994       dent_relayhost_maps in Postfix version 2.3.
5995

sender_bcc_maps (default: empty)

5997       Optional BCC (blind carbon-copy)  address  lookup  tables,  indexed  by
5998       sender  address.   The BCC address (multiple results are not supported)
5999       is added when mail enters from outside of Postfix.
6000
6001       Specify zero or more "type:name" lookup tables, separated by whitespace
6002       or  comma. Tables will be searched in the specified order until a match
6003       is found.
6004
6005       The table search order is as follows:
6006
6007       ·      Look up the "user+extension@domain.tld"  address  including  the
6008              optional address extension.
6009
6010       ·      Look  up  the  "user@domain.tld"  address  without  the optional
6011              address extension.
6012
6013       ·      Look up the "user+extension" address local part when the  sender
6014              domain  equals  $myorigin,  $mydestination,  $inet_interfaces or
6015              $proxy_interfaces.
6016
6017       ·      Look up the "user" address local part  when  the  sender  domain
6018              equals    $myorigin,    $mydestination,    $inet_interfaces   or
6019              $proxy_interfaces.
6020
6021       ·      Look up the "@domain.tld" part.
6022
6023       Note: with Postfix 2.3 and later the BCC address is added as if it  was
6024       specified  with  NOTIFY=NONE.  The sender will not be notified when the
6025       BCC address is undeliverable,  as  long  as  all  down-stream  software
6026       implements RFC 3461.
6027
6028       Note: with Postfix 2.2 and earlier the sender will be notified when the
6029       BCC address is undeliverable.
6030
6031       Note: automatic BCC recipients are produced  only  for  new  mail.   To
6032       avoid  mailer  loops,  automatic BCC recipients are not generated after
6033       Postfix forwards mail  internally,  or  after  Postfix  generates  mail
6034       itself.
6035
6036       Example:
6037
6038       sender_bcc_maps = hash:/etc/postfix/sender_bcc
6039
6040       After a change, run "postmap /etc/postfix/sender_bcc".
6041
6042       This feature is available in Postfix 2.1 and later.
6043

sender_canonical_classes (default: envelope_sender, header_sender)

6045       What  addresses  are  subject to sender_canonical_maps address mapping.
6046       By default, sender_canonical_maps address mapping is applied  to  enve‐
6047       lope sender addresses, and to header sender addresses.
6048
6049       Specify one or more of: envelope_sender, header_sender
6050
6051       This feature is available in Postfix 2.2 and later.
6052

sender_canonical_maps (default: empty)

6054       Optional  address  mapping lookup tables for envelope and header sender
6055       addresses.  The table format and  lookups  are  documented  in  canoni‐
6056       cal(5).
6057
6058       Example:  you  want to rewrite the SENDER address "user@ugly.domain" to
6059       "user@pretty.domain", while still being able to send mail to the RECIP‐
6060       IENT address "user@ugly.domain".
6061
6062       Note: $sender_canonical_maps is processed before $canonical_maps.
6063
6064       Example:
6065
6066       sender_canonical_maps = hash:/etc/postfix/sender_canonical
6067

sender_dependent_default_transport_maps (default: empty)

6069       A  sender-dependent override for the global default_transport parameter
6070       setting. The tables are searched by the  envelope  sender  address  and
6071       @domain.  A  lookup result of DUNNO terminates the search without over‐
6072       riding the global default_transport parameter setting.   This  informa‐
6073       tion is overruled with the transport(5) table.
6074
6075       Specify zero or more "type:name" lookup tables, separated by whitespace
6076       or comma. Tables will be searched in the specified order until a  match
6077       is found.
6078
6079       Note:  this overrides default_transport, not transport_maps, and there‐
6080       fore the expected syntax is that of default_transport, not  the  syntax
6081       of  transport_maps.   Specifically,  this  does  not support the trans‐
6082       port_maps syntax for  null  transport,  null  nexthop,  or  null  email
6083       addresses.
6084
6085       For  safety  reasons, this feature does not allow $number substitutions
6086       in regular expression maps.
6087
6088       This feature is available in Postfix 2.7 and later.
6089

sender_dependent_relayhost_maps (default: empty)

6091       A sender-dependent override for the global relayhost parameter setting.
6092       The  tables  are searched by the envelope sender address and @domain. A
6093       lookup result of DUNNO terminates the  search  without  overriding  the
6094       global relayhost parameter setting (Postfix 2.6 and later). This infor‐
6095       mation    is    overruled    with    relay_transport,     sender_depen‐
6096       dent_default_transport_maps,  default_transport  and  with  the  trans‐
6097       port(5) table.
6098
6099       Specify zero or more "type:name" lookup tables, separated by whitespace
6100       or  comma. Tables will be searched in the specified order until a match
6101       is found.
6102
6103       For safety reasons, this feature does not allow  $number  substitutions
6104       in regular expression maps.
6105
6106       This feature is available in Postfix 2.3 and later.
6107
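       The following is an added example, not Postfix code: a Python model of
       two lookup sequences documented above, the five-step sender_bcc_maps
       search order and the "sender address, then @domain, DUNNO terminates"
       search used by sender_dependent_relayhost_maps and sender_depen‐
       dent_default_transport_maps. In-memory dicts stand in for
       "hash:/etc/postfix/..." files, recipient_delimiter is assumed to be
       "+", and all table contents and domain names are constructed.

```python
"""Lookup sequences from postconf(5) for sender_bcc_maps and for the
sender_dependent_*_maps parameters, modeled over dict tables. Added
illustration code, not Postfix source."""

from typing import Optional

Table = dict[str, str]                 # one table; a list of them is searched in order
RECIPIENT_DELIMITER = "+"              # assumed main.cf recipient_delimiter


def lookup(tables: list[Table], key: str) -> Optional[str]:
    """Search the tables in the specified order; the first match wins."""
    for table in tables:
        if key in table:
            return table[key]
    return None


def split_sender(sender: str) -> tuple[str, str, str]:
    """Return (user, extension, domain) for user+extension@domain, all
    lower-cased; extension and domain are "" when absent."""
    if "@" in sender:
        localpart, _, domain = sender.rpartition("@")
    else:
        localpart, domain = sender, ""
    user, _, extension = localpart.partition(RECIPIENT_DELIMITER)
    return user.lower(), extension.lower(), domain.lower()


def sender_bcc_lookup(sender: str, tables: list[Table],
                      local_domains: set[str]) -> Optional[str]:
    """sender_bcc_maps search order:
      1. user+extension@domain.tld
      2. user@domain.tld
      3. user+extension   (3 and 4 only when the sender domain is one of
      4. user              $myorigin, $mydestination, $inet_interfaces,
      5. @domain.tld       $proxy_interfaces, passed here as local_domains)
    Multiple results are not supported, so the first hit is the BCC address."""
    user, extension, domain = split_sender(sender)
    keys = [sender.lower()]
    if extension:
        keys.append(f"{user}@{domain}")
    if domain in local_domains:
        if extension:
            keys.append(f"{user}{RECIPIENT_DELIMITER}{extension}")
        keys.append(user)
    keys.append(f"@{domain}")
    for key in keys:
        result = lookup(tables, key)
        if result is not None:
            return result
    return None


def sender_dependent_lookup(sender: str, tables: list[Table],
                            global_default: str) -> str:
    """sender_dependent_relayhost_maps / sender_dependent_default_transport_maps:
    search by the envelope sender address, then by @domain. A DUNNO result
    terminates the search without overriding the global parameter setting."""
    _, _, domain = split_sender(sender)
    for key in (sender.lower(), f"@{domain}"):
        result = lookup(tables, key)
        if result is None:
            continue
        if result.upper() == "DUNNO":
            return global_default
        return result
    return global_default


# Constructed tables standing in for hash:/etc/postfix/sender_bcc and
# hash:/etc/postfix/sender_relay.
BCC_TABLES = [{
    "alice+lists@example.com": "archive-lists@example.com",
    "alice@example.com": "archive-alice@example.com",
    "bob": "archive-bob@example.com",
    "@example.com": "archive-all@example.com",
}]
LOCAL_DOMAINS = {"example.com"}

RELAY_TABLES = [{
    "ceo@example.com": "[mail-ceo.example]:587",
    "bot@example.com": "DUNNO",
    "@example.com": "[mail.example]",
    "@partner.example": "DUNNO",
}]
GLOBAL_RELAYHOST = "[smtp.upstream.example]"

if __name__ == "__main__":
    for s in ("alice+news@example.com", "bob+x@example.com", "bob@other.example"):
        print(s, "->", sender_bcc_lookup(s, BCC_TABLES, LOCAL_DOMAINS))
    for s in ("ceo@example.com", "bot@example.com", "x@partner.example"):
        print(s, "->", sender_dependent_lookup(s, RELAY_TABLES, GLOBAL_RELAYHOST))
```

       Two points the tables alone do not make obvious: the bare "user" key
       only matches when the sender domain is local (so "bob@other.example"
       gets no BCC even though "bob" is in the table), and a DUNNO on the
       full sender address stops the search before "@domain" is tried, which
       is how one sender is exempted from a domain-wide relayhost override.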

sendmail_fix_line_endings (default: always)

6109       Controls  how  the Postfix sendmail command converts email message line
6110       endings from <CR><LF> into UNIX format (<LF>).
6111
6112       always Always convert message lines ending in <CR><LF>. This setting is
6113              the default with Postfix 2.9 and later.
6114
6115       strict Convert message lines ending in <CR><LF> only if the first input
6116              line ends in <CR><LF>. This setting is backwards-compatible with
6117              Postfix 2.8 and earlier.
6118
6119       never  Never  convert  message  lines  ending in <CR><LF>. This setting
6120              exists for completeness only.
6121
6122       This feature is available in Postfix 2.9 and later.
6123
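       The following is an added example, not code from the Postfix sendmail
       command: a Python function implementing the three sendmail_fix_line_end‐
       ings modes over raw message bytes, with a constructed sample message.
       Only lines that actually end in <CR><LF> are touched; a lone <CR> in
       the middle of a line is message content and is left alone.

```python
"""The always / strict / never line-ending conversion that postconf(5)
documents for sendmail_fix_line_endings, modeled in Python. Added
illustration code, not the Postfix sendmail(1) implementation."""

MODES = ("always", "strict", "never")


def fix_line_endings(message: bytes, mode: str = "always") -> bytes:
    """Convert <CR><LF> line endings to UNIX <LF> according to mode.

    always: convert every line that ends in <CR><LF> (default, Postfix 2.9+).
    strict: convert only if the first input line ends in <CR><LF>
            (Postfix 2.8 and earlier behavior).
    never:  leave the message untouched.
    """
    if mode not in MODES:
        raise ValueError(f"sendmail_fix_line_endings: bad value {mode!r}")
    if mode == "never":
        return message
    # Split on <LF> only: bytes.splitlines() would also split on a lone <CR>.
    # Every element except the last was terminated by <LF>; the last one is
    # whatever trailed the final <LF> (usually empty) and has no line ending.
    lines = message.split(b"\n")
    if mode == "strict" and (len(lines) < 2 or not lines[0].endswith(b"\r")):
        return message
    fixed = [ln[:-1] if ln.endswith(b"\r") else ln for ln in lines[:-1]]
    return b"\n".join(fixed + [lines[-1]])


# Constructed sample: CRLF headers, a mixed body, and a bare CR inside a line.
SAMPLE_CRLF = b"From: a@example.com\r\nTo: b@example.com\r\n\r\nbody\rcont\r\n"
SAMPLE_MIXED = b"From: a@example.com\nTo: b@example.com\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for mode in MODES:
        print(mode, fix_line_endings(SAMPLE_CRLF, mode))
```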

sendmail_path (default: see postconf -d output)

6125       A Sendmail compatibility feature that specifies  the  location  of  the
6126       Postfix  sendmail(1)  command.  This command can be used to submit mail
6127       into the Postfix queue.
6128

service_name (read-only)

6130       The master.cf service name of a Postfix daemon  process.  This  can  be
6131       used  to  distinguish  the logging from different services that use the
6132       same program name.
6133
6134       Example master.cf entries:
6135
6136       # Distinguish inbound MTA logging from submission and smtps logging.
6137       smtp      inet  n       -       n       -       -       smtpd
6138       submission inet n       -       n       -       -       smtpd
6139           -o syslog_name=postfix/$service_name
6140       smtps     inet  n       -       n       -       -       smtpd
6141           -o syslog_name=postfix/$service_name
6142
6143       # Distinguish outbound MTA logging from inbound relay logging.
6144       smtp      unix  -       -       n       -       -       smtp
6145       relay     unix  -       -       n       -       -       smtp
6146           -o syslog_name=postfix/$service_name
6147

service_throttle_time (default: 60s)

6149       How long the Postfix master(8)  waits  before  forking  a  server  that
6150       appears to be malfunctioning.
6151
6152       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6153       The default time unit is s (seconds).
6154

setgid_group (default: postdrop)

6156       The group ownership of set-gid Postfix commands and  of  group-writable
6157       Postfix  directories.  When this parameter value is changed you need to
6158       re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
6159       "/etc/postfix/post-install set-permissions").
6160

shlib_directory (default: see 'postconf -d' output)

6162       The location of Postfix dynamically-linked libraries (libpostfix-*.so),
6163       and the default location of  Postfix  database  plugins  (postfix-*.so)
6164       that  have  a  relative  pathname  in  the  dynamicmaps.cf  file.   The
6165       shlib_directory  parameter  defaults  to  "no"  when  Postfix   dynami‐
6166       cally-linked  libraries  and  database  plugins are disabled at compile
6167       time,  otherwise  it  typically   defaults   to   /usr/lib/postfix   or
6168       /usr/local/lib/postfix.
6169
6170       Notes:
6171
6172       ·      The directory specified with shlib_directory should contain only
6173              Postfix-related files. Postfix dynamically-linked libraries  and
6174              database  plugins  should  not be installed in a "public" system
6175              directory such as /usr/lib or  /usr/local/lib.  Linking  Postfix
6176              dynamically-linked   library  files  or  database  plugins  into
6177              non-Postfix  programs  is  not   supported.    Postfix   dynami‐
6178              cally-linked  libraries  and  database plugins implement a Post‐
6179              fix-internal API that changes without maintaining compatibility.
6180
6181       ·      You can change the shlib_directory value after Postfix is built.
6182              However,  you  may have to run ldconfig or equivalent to prevent
6183              Postfix programs from failing because the libpostfix-*.so  files
6184              are  not  found.   No ldconfig command is needed if you keep the
6185              libpostfix-*.so files in the compiled-in  default  $shlib_direc‐
6186              tory location.
6187
6188       This feature is available in Postfix 3.0 and later.
6189

show_user_unknown_table_name (default: yes)

6191       Display  the  name  of  the  recipient  table  in  the  "User  unknown"
6192       responses.  The extra detail  makes  troubleshooting  easier  but  also
6193       reveals information that is nobody else's business.
6194
6195       This feature is available in Postfix 2.0 and later.
6196

showq_service_name (default: showq)

6198       The name of the showq(8) service. This service produces mail queue sta‐
6199       tus reports.
6200
6201       This feature is available in Postfix 2.0 and later.
6202

smtp_address_preference (default: any)

6204       The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6205       will  try  first,  when  a destination has IPv6 and IPv4 addresses with
6206       equal MX preference. This feature has no effect unless the  inet_proto‐
6207       cols setting enables both IPv4 and IPv6.
6208
6209       Postfix  SMTP  client  address preference has evolved. With Postfix 2.8
6210       the default is "ipv6"; earlier implementations are hard-coded to prefer
6211       IPv6 over IPv4.
6212
6213       Notes for mail delivery between sites that have both IPv4 and IPv6 con‐
6214       nectivity:
6215
6216       ·      The setting "smtp_address_preference = ipv6" is unsafe.  It  can
6217              fail  to deliver mail when there is an outage that affects IPv6,
6218              while the destination is still reachable over IPv4.
6219
6220       ·      The setting "smtp_address_preference = any" is safe. With  this,
6221              mail  will  eventually  be  delivered even if there is an outage
6222              that affects IPv6 or IPv4, as long as it does not affect both.
6223
6224       This feature is available in Postfix 2.8 and later.
6225

smtp_address_verify_target (default: rcpt)

6227       In the context of email address verification, the SMTP  protocol  stage
6228       that  determines  whether an email address is deliverable.  Specify one
6229       of "rcpt" or "data".  The latter is needed  with  remote  SMTP  servers
6230       that  reject  recipients  after the DATA command. Use transport_maps to
6231       apply this feature selectively:
6232
6233           /etc/postfix/main.cf:
6234               transport_maps = hash:/etc/postfix/transport
6235
6236           /etc/postfix/transport:
6237               smtp-domain-that-verifies-after-data    smtp-data-target:
6238               lmtp-domain-that-verifies-after-data    lmtp-data-target:
6239
6240           /etc/postfix/master.cf:
6241               smtp-data-target    unix    -    -    n    -    -    smtp
6242                   -o smtp_address_verify_target=data
6243               lmtp-data-target    unix    -    -    n    -    -    lmtp
6244                   -o lmtp_address_verify_target=data
6245
6246       Unselective use of the "data" target does no harm, but will  result  in
6247       unnecessary  "lost  connection  after  DATA" events at remote SMTP/LMTP
6248       servers.
6249
6250       This feature is available in Postfix 3.0 and later.
6251

smtp_always_send_ehlo (default: yes)

6253       Always send EHLO at the start of an SMTP session.
6254
6255       With "smtp_always_send_ehlo = no", the Postfix SMTP client  sends  EHLO
6256       only when the word "ESMTP" appears in the server greeting banner (exam‐
6257       ple: 220 spike.porcupine.org ESMTP Postfix).
6258

smtp_balance_inet_protocols (default: yes)

6260       When a remote destination resolves to a combination of  IPv4  and  IPv6
6261       addresses,  ensure  that  the  Postfix SMTP client can try both address
6262       types before it runs into the smtp_mx_address_limit.
6263
6264       This avoids an interoperability problem when a destination resolves  to
6265       primarily IPv6 addresses, the smtp_mx_address_limit feature eliminates
6266       most or all IPv4 addresses, and the destination is not  reachable  over
6267       IPv6.
6268
6269       This feature is available in Postfix 3.3 and later.
6270

smtp_bind_address (default: empty)

6272       An  optional  numerical  network  address  that the Postfix SMTP client
6273       should bind to when making an IPv4 connection.
6274
6275       This can be specified in the main.cf file for all SMTP clients,  or  it
6276       can be specified in the master.cf file for a specific client, for exam‐
6277       ple:
6278
6279           /etc/postfix/master.cf:
6280               smtp ... smtp -o smtp_bind_address=11.22.33.44
6281
6282       Note 1: when inet_interfaces specifies no more than one  IPv4  address,
6283       and that address is a non-loopback address, it is automatically used as
6284       the smtp_bind_address.  This supports virtual IP hosting, but can be  a
6285       problem on multi-homed firewalls. See the inet_interfaces documentation
6286       for more detail.
6287
6288       Note 2: address information may be enclosed inside [], but this form is
6289       not required here.
6290

smtp_bind_address6 (default: empty)

6292       An  optional  numerical  network  address  that the Postfix SMTP client
6293       should bind to when making an IPv6 connection.
6294
6295       This feature is available in Postfix 2.2 and later.
6296
6297       This can be specified in the main.cf file for all SMTP clients,  or  it
6298       can be specified in the master.cf file for a specific client, for exam‐
6299       ple:
6300
6301           /etc/postfix/master.cf:
6302               smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6303
6304       Note 1: when inet_interfaces specifies no more than one  IPv6  address,
6305       and that address is a non-loopback address, it is automatically used as
6306       the smtp_bind_address6.  This supports virtual IP hosting, but can be a
6307       problem on multi-homed firewalls. See the inet_interfaces documentation
6308       for more detail.
6309
6310       Note 2: address information may be enclosed inside [], but this form is
6311       not recommended here.
6312

smtp_body_checks (default: empty)

6314       Restricted  body_checks(5)  tables  for the Postfix SMTP client.  These
6315       tables are searched while mail is being delivered.  Actions that change
6316       the delivery time or destination are not available.
6317
6318       This feature is available in Postfix 2.5 and later.
6319

smtp_cname_overrides_servername (default: version dependent)

6321       When  the remote SMTP servername is a DNS CNAME, replace the servername
6322       with the result from CNAME expansion for the purpose of  logging,  SASL
6323       password lookup, TLS policy decisions, or TLS certificate verification.
6324       The value "no" hardens Postfix smtp_tls_per_site  hostname-based  poli‐
6325       cies against false hostname information in DNS CNAME records, and makes
6326       SASL password file lookups more predictable. This is the  default  set‐
6327       ting as of Postfix 2.3.
6328
6329       When   DNS   CNAME  records  are  validated  with  secure  DNS  lookups
6330       (smtp_dns_support_level = dnssec), they are always allowed to  override
6331       the above servername (Postfix 2.11 and later).
6332
6333       This feature is available in Postfix 2.2.9 and later.
6334

smtp_connect_timeout (default: 30s)

6336       The  Postfix SMTP client time limit for completing a TCP connection, or
6337       zero (use the operating system built-in time limit).
6338
6339       When no connection can be made within the deadline,  the  Postfix  SMTP
6340       client  tries the next address on the mail exchanger list. Specify 0 to
6341       disable the time limit (i.e. use whatever timeout is implemented by the
6342       operating system).
6343
6344       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6345       The default time unit is s (seconds).
6346

smtp_connection_cache_destinations (default: empty)

6348       Permanently enable SMTP connection caching for the  specified  destina‐
6349       tions.   With SMTP connection caching, a connection is not closed imme‐
6350       diately after completion of a mail transaction.  Instead,  the  connec‐
6351       tion  is kept open for up to $smtp_connection_cache_time_limit seconds.
6352       This allows connections to be reused  for  other  deliveries,  and  can
6353       improve mail delivery performance.
6354
6355       Specify  a  comma  or  white  space  separated  list of destinations or
6356       pseudo-destinations:
6357
6358       ·      if mail is sent  without  a  relay  host:  a  domain  name  (the
6359              right-hand  side  of  an  email address, without the [] around a
6360              numeric IP address),
6361
6362       ·      if mail is sent via a relay host: a relay host name (without  []
6363              or  non-default  TCP  port),  as  specified in main.cf or in the
6364              transport map,
6365
6366       ·      if mail is sent via a UNIX-domain socket:  a  pathname  (without
6367              the unix: prefix),
6368
6369       ·      a  /file/name  with  domain  names  and/or  relay  host names as
6370              defined above,
6371
6372       ·      a "type:table" with domain names and/or relay host names on  the
6373              left-hand  side.   The  right-hand side result from "type:table"
6374              lookups is ignored.
6375
6376       This feature is available in Postfix 2.2 and later.
6377

smtp_connection_cache_on_demand (default: yes)

6379       Temporarily enable SMTP connection caching while a  destination  has  a
6380       high volume of mail in the active queue.  With SMTP connection caching,
6381       a connection is not closed  immediately  after  completion  of  a  mail
6382       transaction.  Instead, the connection is kept open for up to $smtp_con‐
6383       nection_cache_time_limit seconds.  This allows connections to be reused
6384       for other deliveries, and can improve mail delivery performance.
6385
6386       This feature is available in Postfix 2.2 and later.
6387

smtp_connection_cache_time_limit (default: 2s)

6389       When  SMTP  connection  caching  is enabled, the amount of time that an
6390       unused SMTP client socket is kept open before it  is  closed.   Do  not
6391       specify larger values without permission from the remote sites.
6392
6393       This feature is available in Postfix 2.2 and later.
6394

smtp_connection_reuse_count_limit (default: 0)

6396       When  SMTP  connection  caching is enabled, the number of times that an
6397       SMTP session may be reused before it is closed,  or  zero  (no  limit).
6398       With a reuse count limit of N, a connection is used up to N+1 times.
6399
6400       NOTE: This feature is unsafe. When a high-volume destination has multi‐
6401       ple inbound MTAs, then the slowest inbound MTA will  attract  the  most
6402       connections  to  that destination.  This limitation does not exist with
6403       the smtp_connection_reuse_time_limit feature.
6404
6405       This feature is available in Postfix 2.11 and later.
6406

smtp_connection_reuse_time_limit (default: 300s)

6408       The amount of time during which Postfix will  use  an  SMTP  connection
6409       repeatedly.  The timer starts when the connection is initiated (i.e. it
6410       includes the connect, greeting and helo latency,  in  addition  to  the
6411       latencies of subsequent mail delivery transactions).
6412
6413       This feature addresses a performance stability problem with remote SMTP
6414       servers. This problem is not specific to Postfix: it  can  happen  when
6415       any  MTA  sends large amounts of SMTP email to a site that has multiple
6416       MX hosts.
6417
6418       The problem starts when one of a set of MX hosts  becomes  slower  than
6419       the  rest.   Even though SMTP clients connect to fast and slow MX hosts
6420       with equal probability, the slow MX host ends up with more simultaneous
6421       inbound  connections than the faster MX hosts, because the slow MX host
6422       needs more time to serve each client request.
6423
6424       The slow MX host becomes  a  connection  attractor.   If  one  MX  host
6425       becomes  N  times  slower  than  the  rest,  it dominates mail delivery
6426       latency unless there are more than N  fast  MX  hosts  to  counter  the
6427       effect.  And  if  the  number  of  MX hosts is smaller than N, the mail
6428       delivery latency becomes  effectively  that  of  the  slowest  MX  host
6429       divided by the total number of MX hosts.
6430
6431       The solution uses connection caching in a way that differs from Postfix
6432       version 2.2.  By limiting the amount of time during which a  connection
6433       can  be  used  repeatedly (instead of limiting the number of deliveries
6434       over that connection), Postfix not only restores fairness in  the  dis‐
6435       tribution of simultaneous connections across a set of MX hosts, it also
6436       favors deliveries over connections that perform well, which is  exactly
6437       what we want.
6438
6439       The  default  reuse time limit, 300s, is comparable to the various smtp
6440       transaction timeouts which are fair estimates of maximum excess latency
6441       for  a slow delivery.  Note that hosts may accept thousands of messages
6442       over a single connection  within  the  default  connection  reuse  time
6443       limit.  This number is much larger than the default Postfix version 2.2
6444       limit of 10 messages per cached connection. It may prove  necessary  to
6445       lower the limit to avoid interoperability issues with MTAs that exhibit
6446       bugs when many messages are delivered via a single connection.  A lower
6447       reuse  time limit risks losing the benefit of connection reuse when the
6448       average connection and mail delivery latency  exceeds  the  reuse  time
6449       limit.
6450
6451       This feature is available in Postfix 2.3 and later.
6452

smtp_data_done_timeout (default: 600s)

6454       The  Postfix  SMTP  client time limit for sending the SMTP ".", and for
6455       receiving the remote SMTP server response.
6456
6457       When no response is received within the deadline, a warning  is  logged
6458       that the mail may be delivered multiple times.
6459
6460       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6461       The default time unit is s (seconds).
6462

smtp_data_init_timeout (default: 120s)

6464       The Postfix SMTP client time limit for sending the SMTP  DATA  command,
6465       and for receiving the remote SMTP server response.
6466
6467       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6468       The default time unit is s (seconds).
6469

smtp_data_xfer_timeout (default: 180s)

6471       The Postfix SMTP client time limit for sending the  SMTP  message  con‐
6472       tent.    When   the   connection   makes  no  progress  for  more  than
6473       $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates  the
6474       transfer.
6475
6476       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6477       The default time unit is s (seconds).
6478

smtp_defer_if_no_mx_address_found (default: no)

6480       Defer mail delivery when no MX record resolves to an IP address.
6481
6482       The default (no) is to return the mail  as  undeliverable.  With  older
6483       Postfix  versions  the  default  was to keep trying to deliver the mail
6484       until someone fixed the MX record or until the mail was too old.
6485
6486       Note: the Postfix SMTP client always ignores MX records with  equal  or
6487       worse preference than the local MTA itself.
6488
6489       This feature is available in Postfix 2.1 and later.
6490

smtp_delivery_status_filter (default: $default_delivery_status_filter)

6492       Optional  filter  for the smtp(8) delivery agent to change the delivery
6493       status code or explanatory text of successful or unsuccessful  deliver‐
6494       ies.  See default_delivery_status_filter for details.
6495
6496       NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6497       sages that may or may not be derived from remote SMTP server responses.
6498       In  contrast, the smtp_reply_filter feature modifies remote SMTP server
6499       responses only.
6500

smtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)

6503       The  maximal  number of parallel deliveries to the same destination via
6504       the smtp message delivery transport. This  limit  is  enforced  by  the
6505       queue  manager.  The message delivery transport name is the first field
6506       in the entry in the master.cf file.
6507

smtp_destination_recipient_limit (default: $default_destination_recipient_limit)

6510       The  maximal  number  of  recipients  per  message for the smtp message
6511       delivery transport. This limit is enforced by the  queue  manager.  The
6512       message  delivery transport name is the first field in the entry in the
6513       master.cf file.
6514
6515       Setting this parameter to a value of 1 changes the meaning of smtp_des‐
6516       tination_concurrency_limit from concurrency per domain into concurrency
6517       per recipient.
6518

smtp_discard_ehlo_keyword_address_maps (default: empty)

6520       Lookup tables, indexed by the remote SMTP  server  address,  with  case
6521       insensitive  lists  of EHLO keywords (pipelining, starttls, auth, etc.)
6522       that the Postfix SMTP client will ignore in the EHLO  response  from  a
6523       remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6524       ble  is  not  indexed  by  hostname  for  consistency  with  smtpd_dis‐
6525       card_ehlo_keyword_address_maps.
6526
6527       Specify zero or more "type:name" lookup tables, separated by whitespace
6528       or comma. Tables will be searched in the specified order until a  match
6529       is found.
6530
6531       This feature is available in Postfix 2.2 and later.
6532

smtp_discard_ehlo_keywords (default: empty)

6534       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
6535       etc.) that the Postfix SMTP client will ignore  in  the  EHLO  response
6536       from a remote SMTP server.
6537
6538       This feature is available in Postfix 2.2 and later.
6539
6540       Notes:
6541
6542       ·      Specify the silent-discard pseudo keyword to prevent this action
6543              from being logged.
6544
6545       ·      Use the smtp_discard_ehlo_keyword_address_maps feature  to  dis‐
6546              card EHLO keywords selectively.
6547

smtp_dns_reply_filter (default: empty)

6549       Optional  filter  for  Postfix SMTP client DNS lookup results.  Specify
6550       zero or more lookup tables.  The lookup  tables  are  searched  in  the
6551       given  order  for  a match with the DNS lookup result, converted to the
6552       following form:
6553
6554           name ttl class type preference value
6555
6556       The class field is always "IN", the preference field exists only for MX
6557       records, the names of hosts, domains, etc.  end in ".", and those names
6558       are in ASCII form (xn--mumble form in the case of UTF8 names).
6559
6560       When a match is found, the table lookup result specifies an action.  By
6561       default,  the  table  query  and  the action name are case-insensitive.
6562       Currently, only the IGNORE action is implemented.
6563
6564       Notes:
6565
6566       ·      Postfix DNS reply filters have no effect on implicit DNS lookups
6567              through nsswitch.conf or equivalent mechanisms.
6568
6569       ·      The  Postfix  SMTP/LMTP  client  uses  smtp_dns_reply_filter and
6570              lmtp_dns_reply_filter only to discover a  remote  SMTP  or  LMTP
6571              service  (record  types  MX, A, AAAA, and TLSA).  These lookups
6572              are also made to implement the features reject_unverified_sender
6573              and reject_unverified_recipient.
6574
6575       ·      The  Postfix SMTP/LMTP client defers mail delivery when a filter
6576              removes all lookup results from a successful query.
6577
6578       ·      Postfix SMTP server uses smtpd_dns_reply_filter only to look  up
6579              MX,  A,  AAAA,  and  TXT  records  to  implement  the  features
6580              reject_unknown_helo_hostname,      reject_unknown_sender_domain,
6581              reject_unknown_recipient_domain,        reject_rbl_*,        and
6582              reject_rhsbl_*.
6583
6584       ·      The Postfix SMTP server logs a warning or defers  mail  delivery
6585              when  a  filter  removes  all  lookup  results from a successful
6586              query.
6587
6588       Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
6589       because Google sometimes hard-rejects mail from IPv6 clients with valid
6590       PTR etc. records.
6591
6592       /etc/postfix/main.cf:
6593           smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
6594
6595       /etc/postfix/smtp_dns_reply_filter:
6596           # /domain ttl IN AAAA address/ action, all case-insensitive.
6597           # Note: the domain name ends in ".".
6598           /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
6599
6600       This feature is available in Postfix 3.0 and later.
6601
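       The following is an added illustration of how a smtp_dns_reply_filter
       table is applied; it is not Postfix code. It renders constructed lookup
       results in the "name ttl class type preference value" form the manual
       describes, runs the Google AAAA entry from the example above over them
       with Python's re module standing in for pcre (case-insensitive, as the
       manual says the table query is by default), and models the note that
       the SMTP/LMTP client defers delivery when a filter removes every result
       of a successful query. The record contents are made up for the demo.

```python
import re

# Constructed sample DNS lookup results, already in the form that
# smtp_dns_reply_filter matches against:
#     name ttl class type preference value
# Class is always IN, the preference field exists only for MX records, and
# every name ends in ".". None of these records is real lookup output.
SAMPLE_REPLIES = {
    "mx.google.com.": [
        "mx.google.com. 300 IN AAAA 2001:db8::25",
        "mx.google.com. 300 IN A 192.0.2.25",
    ],
    "example.net.": [
        "example.net. 3600 IN MX 10 mail.example.net.",
    ],
    "v6only.google.com.": [
        "v6only.google.com. 300 IN AAAA 2001:db8::26",
    ],
}

# The pcre table entry from the manual as a (pattern, action) pair.
# Postfix pcre tables match case-insensitively by default, hence IGNORECASE.
FILTER_TABLE = [
    (re.compile(r"^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+", re.IGNORECASE),
     "IGNORE"),
]


def filter_reply(records):
    """Return the records that survive the filter, in their original order.

    Tables are searched in the given order; the first matching entry decides
    the action. Only IGNORE is implemented, as the manual states.
    """
    kept = []
    for rec in records:
        action = None
        for pattern, act in FILTER_TABLE:
            if pattern.search(rec):
                action = act.upper()   # action names are case-insensitive too
                break
        if action == "IGNORE":
            continue
        kept.append(rec)
    return kept


def resolve(name):
    """Model the client's decision after filtering a lookup for `name`.

    Returns ("ok", records) when something survives, ("defer", []) when the
    query succeeded but the filter removed every result (the case in which
    the SMTP/LMTP client defers mail), and ("nodata", []) when the query
    itself returned nothing, so the filter never ran.
    """
    records = SAMPLE_REPLIES.get(name, [])
    if not records:
        return ("nodata", [])
    kept = filter_reply(records)
    if not kept:
        return ("defer", [])
    return ("ok", kept)
```

       The MX record for example.net passes untouched, the AAAA record for
       mx.google.com is dropped while its A record survives, and a host that
       only has AAAA records ends up with an empty (deferred) result, which is
       the side effect to watch for when deploying such a filter.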

smtp_dns_resolver_options (default: empty)

6603       DNS Resolver options for the Postfix SMTP client.  Specify zero or more
6604       of  the  following  options,  separated by comma or whitespace.  Option
6605       names are case-sensitive. Some options refer to domain names  that  are
6606       specified in the file /etc/resolv.conf or equivalent.
6607
6608       res_defnames
6609              Append  the current domain name to single-component names (those
6610              that do not contain a "." character). This can produce incorrect
6611              results, and is the hard-coded behavior prior to Postfix 2.8.
6612
6613       res_dnsrch
6614              Search  for  host  names  in  the  current  domain and in parent
6615              domains. This can produce incorrect results and is therefore not
6616              recommended.
6617
6618       This feature is available in Postfix 2.8 and later.
6619

smtp_dns_support_level (default: empty)

6621       Level  of  DNS support in the Postfix SMTP client.  With "smtp_dns_sup‐
6622       port_level"  left  at  its  empty  default  value,  the  legacy   "dis‐
6623       able_dns_lookups"  parameter  controls  whether  DNS  is enabled in the
6624       Postfix SMTP client, otherwise the legacy parameter is ignored.
6625
6626       Specify one of the following:
6627
6628       disabled
6629              Disable DNS lookups.  No MX lookups are performed  and  hostname
6630              to  address  lookups are unconditionally "native".  This setting
6631              is not appropriate for hosts that deliver  mail  to  the  public
6632              Internet.   Some  obsolete  how-to documents recommend disabling
6633              DNS lookups in some configurations with  content_filters.   This
6634       is no longer required and is strongly discouraged.
6635
6636       enabled
6637              Enable DNS lookups.  Nexthop destination domains not enclosed in
6638              "[]" will be subject to MX lookups.  If "dns" and  "native"  are
6639              included  in the "smtp_host_lookup" parameter value, DNS will be
6640              queried first to resolve MX-host A records, followed by "native"
6641              lookups if no answer is found in DNS.
6642
6643       dnssec Enable  DNSSEC  lookups.   The "dnssec" setting differs from the
6644              "enabled" setting above in the following ways:
6645
6646       ·      Any MX lookups will  set  RES_USE_DNSSEC  and  RES_USE_EDNS0  to
6647              request  DNSSEC-validated  responses.  If  the  MX  response  is
6648              DNSSEC-validated the corresponding hostnames are considered val‐
6649              idated.
6650
6651       ·      The  address  lookups of validated hostnames are also validated,
6652              (provided  of  course  "smtp_host_lookup"  includes  "dns",  see
6653              below).
6654
6655       ·      Temporary failures in DNSSEC-enabled hostname-to-address resolu‐
6656              tion block any "native" lookups.   Additional  "native"  lookups
6657              only happen when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).
6658
6659       The  Postfix  SMTP  client  considers  non-MX  "[nexthop]"  and  "[nex‐
6660       thop]:port" destinations equivalent to statically-validated MX  records
6661       of the form "nexthop.  IN MX 0 nexthop."  Therefore, with "dnssec" sup‐
6662       port turned on, validated hostname-to-address lookups apply to the nex‐
6663       thop  domain  of any "[nexthop]" or "[nexthop]:port" destination.  This
6664       is also true for LMTP "inet:host" and "inet:host:port" destinations, as
6665       LMTP hostnames are never subject to MX lookups.
6666
6667       The "dnssec" setting is recommended only if you plan to use the dane or
6668       dane-only TLS security level,  otherwise  enabling  DNSSEC  support  in
6669       Postfix  offers  no additional security.  Postfix DNSSEC support relies
6670       on an upstream recursive nameserver that validates  DNSSEC  signatures.
6671       Such  a  DNS  server  will always filter out forged DNS responses, even
6672       when Postfix itself is not configured to use DNSSEC.
6673
6674       When using Postfix DANE support the "smtp_host_lookup" parameter should
6675       include "dns", as DANE is not applicable to hosts resolved via "native"
6676       lookups.
6677
6678       As mentioned above, Postfix is  not  a  validating  stub  resolver;  it
6679       relies  on  the  system's  configured DNSSEC-validating recursive name‐
6680       server to perform  all  DNSSEC  validation.   Since  this  nameserver's
6681       DNSSEC-validated responses will be fully trusted, it is strongly recom‐
6682       mended that the MTA  host  have  a  local  DNSSEC-validating  recursive
6683       caching  nameserver  listening on a loopback address, and be configured
6684       to use only this nameserver for all lookups.   Otherwise,  Postfix  may
6685       remain  subject  to man-in-the-middle attacks that forge responses from
6686       the recursive nameserver.
6687
6688       DNSSEC support requires a version of Postfix compiled against a reason‐
6689       ably-modern  DNS resolver(3) library that implements the RES_USE_DNSSEC
6690       and RES_USE_EDNS0 resolver options.
6691
6692       This feature is available in Postfix 2.11 and later.
6693

smtp_enforce_tls (default: no)

6695       Enforcement mode: require that remote SMTP servers use TLS  encryption,
6696       and  never  send mail in the clear.  This also requires that the remote
6697       SMTP server hostname matches the information in the remote server  cer‐
6698       tificate,  and  that the remote SMTP server certificate was issued by a
6699       CA that is trusted by the  Postfix  SMTP  client.  If  the  certificate
6700       doesn't  verify or the hostname doesn't match, delivery is deferred and
6701       mail stays in the queue.
6702
6703       The server hostname is matched against all names provided  as  dNSNames
6704       in  the SubjectAlternativeName.  If no dNSNames are specified, the Com‐
6705       monName  is  checked.   The  behavior   may   be   changed   with   the
6706       smtp_tls_enforce_peername option.
6707
6708       This  option  is  useful  only if you are definitely sure that you will
6709       only connect to servers that support RFC 2487 _and_ that provide  valid
6710       server  certificates.   Typical  use is for clients that send all their
6711       email to a dedicated mailhub.
6712
6713       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
6714       and later use smtp_tls_security_level instead.
6715
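       The hostname rule in the paragraph above (dNSNames from the Subject‐
       AlternativeName are authoritative; the CommonName is consulted only
       when the certificate carries no dNSNames at all) is easy to get wrong
       in ad-hoc checkers. The code below is an added example of that rule
       and of the enforcement-mode outcome (deliver only when both the chain
       verified and a name matched, otherwise defer). It is not Postfix's TLS
       code: certificates are constructed dicts rather than parsed X.509, the
       comparison is exact and case-insensitive, and wildcard names are
       deliberately not modelled.

```python
def expected_names(cert):
    """Names the server hostname is compared with.

    All dNSName entries from the SubjectAlternativeName; the CommonName is
    used only when there are no dNSNames at all. `cert` is a constructed
    dict of the form {"cn": "...", "san_dns": ["...", ...]}.
    """
    dns_names = [n for n in cert.get("san_dns", []) if n]
    if dns_names:
        return dns_names
    return [cert["cn"]] if cert.get("cn") else []


def peername_matches(hostname, cert):
    """Exact, case-insensitive comparison of the expected server hostname
    against the certificate names (trailing dots ignored). Wildcard names
    are not handled here; this keeps the rule as the paragraph states it."""
    host = hostname.rstrip(".").lower()
    return any(host == n.rstrip(".").lower() for n in expected_names(cert))


def delivery_decision(hostname, cert, chain_verified):
    """Enforcement-mode outcome: "deliver" only when the certificate chain
    verified AND the name matched; otherwise "defer" (mail stays queued)."""
    if not chain_verified:
        return "defer"
    return "deliver" if peername_matches(hostname, cert) else "defer"


# Constructed certificates for the demonstration.
MAILHUB_CERT = {
    "cn": "hub.example.org",
    "san_dns": ["mail.example.org", "smtp.example.org"],
}
CN_ONLY_CERT = {"cn": "legacy.example.org", "san_dns": []}
```

       Note that hub.example.org, although it is the CommonName of the first
       certificate, does not match: once dNSNames are present the CN is no
       longer consulted.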

smtp_fallback_relay (default: $fallback_relay)

6717       Optional  list of relay hosts for SMTP destinations that can't be found
6718       or that are unreachable. With Postfix 2.2 and earlier this parameter is
6719       called fallback_relay.
6720
6721       By  default,  mail  is returned to the sender when a destination is not
6722       found, and delivery is deferred when a destination is unreachable.
6723
6724       With bulk email deliveries, it can be beneficial to  run  the  fallback
6725       relay MTA on the same host, so that it can reuse the sender IP address.
6726       This speeds up deliveries that are delayed by IP-based reputation  sys‐
6727       tems (greylist, etc.).
6728
6729       The  fallback relays must be SMTP destinations. Specify a domain, host,
6730       host:port, [host]:port, [address] or [address]:port;  the  form  [host]
6731       turns off MX lookups.  If you specify multiple SMTP destinations, Post‐
6732       fix will try them in the specified order.
6733
6734       To prevent mailer loops between MX hosts and fall-back  hosts,  Postfix
6735       version 2.2 and later will not use the fallback relays for destinations
6736       that it is an MX host for (assuming DNS lookups are turned on).
6737

smtp_generic_maps (default: empty)

6739       Optional lookup tables that perform address rewriting  in  the  Postfix
6740       SMTP  client,  typically  to  transform  a locally valid address into a
6741       globally valid address when sending mail across the Internet.  This  is
6742       needed  when  the  local  machine does not have its own Internet domain
6743       name, but uses something like localdomain.local instead.
6744
6745       Specify zero or more "type:name" lookup tables, separated by whitespace
6746       or  comma. Tables will be searched in the specified order until a match
6747       is found.
6748
6749       The table format and lookups are documented in generic(5); examples are
6750       shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
6751       documents.
6752
6753       This feature is available in Postfix 2.2 and later.
6754

smtp_header_checks (default: empty)

6756       Restricted header_checks(5) tables for the Postfix SMTP client.   These
6757       tables are searched while mail is being delivered.  Actions that change
6758       the delivery time or destination are not available.
6759
6760       This feature is available in Postfix 2.5 and later.
6761

smtp_helo_name (default: $myhostname)

6763       The hostname to send in the SMTP HELO or EHLO command.
6764
6765       The default value is the  machine  hostname.   Specify  a  hostname  or
6766       [ip.add.re.ss].
6767
6768       This  information  can  be  specified  in the main.cf file for all SMTP
6769       clients, or it can be specified in the master.cf file  for  a  specific
6770       client, for example:
6771
6772           /etc/postfix/master.cf:
6773               mysmtp ... smtp -o smtp_helo_name=foo.bar.com
6774
6775       This feature is available in Postfix 2.0 and later.
6776

smtp_helo_timeout (default: 300s)

6778       The  Postfix  SMTP  client time limit for sending the HELO or EHLO com‐
6779       mand, and for receiving the initial remote SMTP server response.
6780
6781       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
6782       The default time unit is s (seconds).
6783

smtp_host_lookup (default: dns)

6785       What  mechanisms  the  Postfix  SMTP client uses to look up a host's IP
6786       address.  This parameter is ignored when DNS lookups are disabled (see:
6787       disable_dns_lookups  and  smtp_dns_support_level).  The "dns" mechanism
6788       is always tried before "native" if both are listed.
6789
6790       Specify one of the following:
6791
6792       dns    Hosts can be found in the DNS (preferred).
6793
6794       native Use the native naming service only (nsswitch.conf, or equivalent
6795              mechanism).
6796
6797       dns, native
6798              Use the native service for hosts not found in the DNS.
6799
6800       This feature is available in Postfix 2.1 and later.
6801

smtp_line_length_limit (default: 998)

6803       The  maximal  length of message header and body lines that Postfix will
6804       send via SMTP. This limit does not include the <CR><LF> at the  end  of
6805       each  line.  Longer lines are broken by inserting "<CR><LF><SPACE>", to
6806       minimize the damage to MIME formatted mail.
6807
6808       The Postfix limit of 998 characters not including <CR><LF>  is  consis‐
6809       tent  with  the  SMTP limit of 1000 characters including <CR><LF>.  The
6810       Postfix limit was 990 with Postfix 2.8 and earlier.
6811
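       As an added example (not Postfix's own line handling), the following
       code folds over-long lines the way the text describes: a line longer
       than the limit is broken by inserting "<CR><LF><SPACE>", so each
       continuation piece starts with a space and that space counts toward
       its own length. The limit excludes the <CR><LF> terminator, matching
       the 998-versus-1000 relationship stated above. The message content is
       constructed for the demonstration.

```python
CRLF = "\r\n"


def fold_line(line, limit=998):
    """Split one logical line into physical lines of at most `limit`
    characters, not counting the <CR><LF> terminator.

    Every break inserts "<CR><LF><SPACE>", so the remainder is re-prefixed
    with a single space before it is measured again. Returns the physical
    lines without terminators.
    """
    if limit < 2:
        # With limit 1 the continuation space alone would fill each piece
        # and no progress would be made.
        raise ValueError("limit must leave room for the continuation space")
    pieces = []
    while len(line) > limit:
        pieces.append(line[:limit])
        line = " " + line[limit:]
    pieces.append(line)
    return pieces


def fold_message(text, limit=998):
    """Apply fold_line to every line of a message that uses <CR><LF> line
    endings and return the rewritten message, still with <CR><LF> endings."""
    out = []
    for line in text.split(CRLF):
        out.extend(fold_line(line, limit))
    return CRLF.join(out)


def longest_line(text):
    """Length of the longest physical line (terminators excluded)."""
    return max(len(l) for l in text.split(CRLF))
```

       A 2500-character line therefore becomes three physical lines of 998,
       998 and 506 characters: the second piece carries only 997 original
       characters because its leading space is part of the 998.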

smtp_mail_timeout (default: 300s)

6813       The Postfix SMTP client time limit for sending the MAIL  FROM  command,
6814       and for receiving the remote SMTP server response.
6815
6816       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6817       The default time unit is s (seconds).
6818

smtp_mime_header_checks (default: empty)

6820       Restricted mime_header_checks(5) tables for the  Postfix  SMTP  client.
6821       These  tables are searched while mail is being delivered.  Actions that
6822       change the delivery time or destination are not available.
6823
6824       This feature is available in Postfix 2.5 and later.
6825

smtp_mx_address_limit (default: 5)

6827       The maximal number of MX (mail exchanger) IP addresses that can  result
6828       from  Postfix  SMTP  client mail exchanger lookups, or zero (no limit).
6829       Prior to Postfix version 2.3, this limit was disabled by default.
6830
6831       This feature is available in Postfix 2.1 and later.
6832

smtp_mx_session_limit (default: 2)

6834       The maximal number of SMTP sessions per  delivery  request  before  the
6835       Postfix  SMTP client gives up or delivers to a fall-back relay host, or
6836       zero (no limit). This restriction ignores sessions that  fail  to  com‐
6837       plete  the  SMTP initial handshake (Postfix version 2.2 and earlier) or
6838       that fail to complete the EHLO and TLS handshake (Postfix  version  2.3
6839       and later).
6840
6841       This feature is available in Postfix 2.1 and later.
6842

smtp_nested_header_checks (default: empty)

6844       Restricted  nested_header_checks(5) tables for the Postfix SMTP client.
6845       These tables are searched while mail is being delivered.  Actions  that
6846       change the delivery time or destination are not available.
6847
6848       This feature is available in Postfix 2.5 and later.
6849

smtp_never_send_ehlo (default: no)

6851       Never  send  EHLO  at  the  start  of  an  SMTP  session.  See also the
6852       smtp_always_send_ehlo parameter.
6853

smtp_per_record_deadline (default: no)

6855       Change the behavior of the smtp_*_timeout  time  limits,  from  a  time
6856       limit per read or write system call, to a time limit to send or receive
6857       a complete record (an SMTP command line, SMTP response line, SMTP  mes‐
6858       sage  content  line,  or TLS protocol message).  This limits the impact
6859       from hostile peers that trickle data one byte at a time.
6860
6861       Note: when per-record deadlines are enabled, a short timeout may  cause
6862       problems  with TLS over very slow network connections.  The reasons are
6863       that a TLS protocol message can be up to 16 kbytes long  (with  TLSv1),
6864       and that an entire TLS protocol message must be sent or received within
6865       the per-record deadline.
6866
6867       This feature is available in Postfix 2.9 and later. With older  Postfix
6868       releases, the behavior is as if this parameter is set to "no".
6869

smtp_pix_workaround_delay_time (default: 10s)

6871       How  long  the Postfix SMTP client pauses before sending ".<CR><LF>" in
6872       order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
6873
6874       Choosing too short a time makes this workaround ineffective when
6875       sending large messages over slow network connections.
6876

smtp_pix_workaround_maps (default: empty)

6878       Lookup tables, indexed by the remote SMTP server address, with per-des‐
6879       tination workarounds for CISCO PIX firewall bugs.   The  table  is  not
6880       indexed   by   hostname  for  consistency  with  smtp_discard_ehlo_key‐
6881       word_address_maps.
6882
6883       Specify zero or more "type:name" lookup tables, separated by whitespace
6884       or  comma. Tables will be searched in the specified order until a match
6885       is found.
6886
6887       This feature is available in Postfix 2.4 and later.
6888

smtp_pix_workaround_threshold_time (default: 500s)

6890       How long a message must be queued before the Postfix SMTP client  turns
6891       on  the  PIX  firewall  "<CR><LF>.<CR><LF>" bug workaround for delivery
6892       through firewalls with "smtp fixup" mode turned on.
6893
6894       By default, the workaround is turned off for mail that  is  queued  for
6895       less  than  500  seconds.  In  other  words, the workaround is normally
6896       turned off for the first delivery attempt.
6897
6898       Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
6899       upon the first delivery attempt.
6900

smtp_pix_workarounds (default: disable_esmtp, delay_dotcrlf)

6902       A  list  that specifies zero or more workarounds for CISCO PIX firewall
6903       bugs. These workarounds are implemented by  the  Postfix  SMTP  client.
6904       Workaround names are separated by comma or space, and are case insensi‐
6905       tive.  This parameter setting can  be  overruled  with  per-destination
6906       smtp_pix_workaround_maps settings.
6907
6908       delay_dotcrlf
6909              Insert  a  delay before sending ".<CR><LF>" after the end of the
6910              message content.  The delay is  subject  to  the  smtp_pix_work‐
6911              around_delay_time and smtp_pix_workaround_threshold_time parame‐
6912              ter settings.
6913
6914       disable_esmtp
6915              Disable all extended SMTP commands: send HELO instead of EHLO.
6916
6917       This feature is available in Postfix 2.4 and later.  The  default  set‐
6918       tings are backwards compatible with earlier Postfix versions.
6919

smtp_quit_timeout (default: 300s)

6921       The  Postfix  SMTP  client time limit for sending the QUIT command, and
6922       for receiving the remote SMTP server response.
6923
6924       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
6925       The default time unit is s (seconds).
6926

smtp_quote_rfc821_envelope (default: yes)

6928       Quote  addresses  in Postfix SMTP client MAIL FROM and RCPT TO commands
6929       as required by RFC 5321. This includes putting quotes around an address
6930       localpart that ends in ".".
6931
6932       The  default  is to comply with RFC 5321. If you have to send mail to a
6933       broken SMTP server, configure a special SMTP client in master.cf:
6934
6935           /etc/postfix/master.cf:
6936               broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
6937
6938       and route mail for the destination in  question  to  the  "broken-smtp"
6939       message delivery with a transport(5) table.
6940
6941       This feature is available in Postfix 2.1 and later.
6942

smtp_randomize_addresses (default: yes)

6944       Randomize  the  order of equal-preference MX host addresses.  This is a
6945       performance feature of the Postfix SMTP client.
6946

smtp_rcpt_timeout (default: 300s)

6948       The Postfix SMTP client time limit for sending the SMTP  RCPT  TO  com‐
6949       mand, and for receiving the remote SMTP server response.
6950
6951       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6952       The default time unit is s (seconds).
6953

smtp_reply_filter (default: empty)

6955       A mechanism to transform replies from remote SMTP servers one line at a
6956       time.   This  is  a last-resort tool to work around server replies that
6957       break interoperability  with  the  Postfix  SMTP  client.   Other  uses
6958       involve   fault   injection  to  test  Postfix's  handling  of  invalid
6959       responses.
6960
6961       Notes:
6962
6963       ·      In the case of a multi-line reply, the Postfix SMTP client  uses
6964              the  final  reply  line's numerical SMTP reply code and enhanced
6965              status code.
6966
6967       ·      The numerical SMTP reply code (XYZ) takes  precedence  over  the
6968              enhanced  status  code  (X.Y.Z).   When the enhanced status code
6969              initial digit differs from the SMTP reply code initial digit, or
6970              when no enhanced status code is present, the Postfix SMTP client
6971              uses a generic enhanced status code (X.0.0) instead.
6972
6973       Specify the name of a "type:table" lookup table. The search string is a
6974       single  SMTP reply line as received from the remote SMTP server, except
6975       that the trailing <CR><LF> are removed.  When the lookup succeeds,  the
6976       result replaces the single SMTP reply line.
6977
6978       Examples:
6979
6980       /etc/postfix/main.cf:
6981           smtp_reply_filter = pcre:/etc/postfix/reply_filter
6982
6983       /etc/postfix/reply_filter:
6984           # Transform garbage into "250-filler..." so that it looks like
6985           # one line from a multi-line reply. It does not matter what we
6986           # substitute here as long as it has the right syntax.  The Postfix
6987           # SMTP client will use the final line's numerical SMTP reply
6988           # code and enhanced status code.
6989           !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
6990
6991       This feature is available in Postfix 2.7.
6992
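       To make the two Notes above concrete, here is an added example (not
       Postfix code) that applies the reply_filter entry from the example to
       each line of a server reply and then reads the reply the way the notes
       describe: the numerical code and enhanced status code are taken from
       the final line only, and the enhanced code is replaced by the generic
       X.0.0 when it is absent or its first digit disagrees with the reply
       code. Python's re stands in for pcre, and the "!" prefix of the table
       entry is modelled as "replace lines that do not match". The reply lines
       are constructed; the last line is assumed to be the terminating
       "XYZ " line of the reply.

```python
import re

# The pattern from the reply_filter table. The leading "!" in the table
# entry means the right-hand side applies to lines that do NOT match.
VALID_REPLY_LINE = re.compile(r"^([2-5][0-9][0-9]($|[- ]))")
FILLER = "250-filler for garbage"

# An enhanced status code X.Y.Z as it appears right after "XYZ " or "XYZ-".
ENHANCED = re.compile(r"^([2-5])\.[0-9]{1,3}\.[0-9]{1,3}(?=\s|$)")


def apply_reply_filter(line):
    """Rewrite one reply line (trailing <CR><LF> already removed) as the
    example smtp_reply_filter table would."""
    return line if VALID_REPLY_LINE.match(line) else FILLER


def interpret_reply(lines):
    """Model how the client reads a possibly multi-line reply after the
    filter has run over every line.

    - the numerical reply code comes from the final line;
    - the enhanced status code also comes from the final line, and it is
      replaced by X.0.0 when missing or when its first digit differs from
      the reply code's first digit.
    Returns (reply_code, enhanced_code, filtered_lines).
    """
    filtered = [apply_reply_filter(l) for l in lines]
    final = filtered[-1]
    code = final[:3]
    rest = final[4:] if len(final) > 4 else ""   # skip "XYZ" and separator
    m = ENHANCED.match(rest)
    if m and m.group(1) == code[0]:
        enhanced = m.group(0)
    else:
        enhanced = code[0] + ".0.0"
    return code, enhanced, filtered
```

       The second and third assertions below show why the filler text does
       not matter: a garbage line in the middle of a multi-line reply is
       neutralised, while a mismatched enhanced code such as "4.7.1" on a
       550 reply is ignored in favour of "5.0.0".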

smtp_rset_timeout (default: 20s)

6994       The  Postfix  SMTP  client time limit for sending the RSET command, and
6995       for receiving the remote SMTP server response. The  SMTP  client  sends
6996       RSET  in order to finish a recipient address probe, or to verify that a
6997       cached session is still usable.
6998
6999       This feature is available in Postfix 2.1 and later.
7000

smtp_sasl_auth_cache_name (default: empty)

7002       An optional table to prevent repeated SASL authentication failures with
7003       the same remote SMTP server hostname, username and password. Each table
7004       (key, value) pair contains a server name, a username and password,  and
7005       the full server response. This information is stored when a remote SMTP
7006       server rejects an authentication attempt with a  535  reply  code.   As
7007       long  as the smtp_sasl_password_maps information does not change, and as
7008       long as the smtp_sasl_auth_cache_name information does not expire  (see
7009       smtp_sasl_auth_cache_time)  the Postfix SMTP client avoids SASL authen‐
7010       tication attempts with the same  server,  username  and  password,  and
7011       instead    bounces    or   defers   mail   as   controlled   with   the
7012       smtp_sasl_auth_soft_bounce configuration parameter.
7013
7014       Use  a  per-destination  delivery  concurrency  of  1   (for   example,
7015       "smtp_destination_concurrency_limit  =  1",  "relay_destination_concur‐
7016       rency_limit = 1", etc.), otherwise multiple delivery agents may experi‐
7017       ence a login failure at the same time.
7018
7019       The  table  must  be  accessed via the proxywrite service, i.e. the map
7020       name must start with "proxy:". The table should  be  stored  under  the
7021       directory specified with the data_directory parameter.
7022
7023       This  feature  uses  cryptographic  hashing to protect plain-text pass‐
7024       words, and requires that Postfix is compiled with TLS support.
7025
7026       Example:
7027
7028       smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
7029
7030       This feature is available in Postfix 2.5 and later.
7031

smtp_sasl_auth_cache_time (default: 90d)

7033       The maximal age of an  smtp_sasl_auth_cache_name  entry  before  it  is
7034       removed.
7035
7036       This feature is available in Postfix 2.5 and later.
7037

smtp_sasl_auth_enable (default: no)

7039       Enable SASL authentication in the Postfix SMTP client.  By default, the
7040       Postfix SMTP client uses no authentication.
7041
7042       Example:
7043
7044       smtp_sasl_auth_enable = yes
7045

smtp_sasl_auth_soft_bounce (default: yes)

7047       When a remote SMTP server rejects a SASL authentication request with  a
7048       535  reply code, defer mail delivery instead of returning mail as unde‐
7049       liverable. The latter behavior was hard-coded prior to Postfix  version
7050       2.5.
7051
7052       Note: the setting "yes" overrides the global soft_bounce parameter, but
7053       the setting "no" does not.
7054
7055       Example:
7056
7057       # Default as of Postfix 2.5
7058       smtp_sasl_auth_soft_bounce = yes
7059       # The old hard-coded default
7060       smtp_sasl_auth_soft_bounce = no
7061
7062       This feature is available in Postfix 2.5 and later.
7063

smtp_sasl_mechanism_filter (default: empty)

       If non-empty, a Postfix SMTP client filter for the remote SMTP server's
       list of offered SASL mechanisms. Different client and server
       implementations may support different mechanism lists; by default, the
       Postfix SMTP client will use the intersection of the two.
       smtp_sasl_mechanism_filter specifies an optional third mechanism list
       to intersect with.

       Specify mechanism names, "/file/name" patterns or "type:table" lookup
       tables. The right-hand side result from "type:table" lookups is
       ignored. Specify "!pattern" to exclude a mechanism name from the list.
       The form "!/file/name" is supported only in Postfix version 2.4 and
       later.

       This feature is available in Postfix 2.2 and later.

       Examples:

       smtp_sasl_mechanism_filter = plain, login
       smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
       smtp_sasl_mechanism_filter = !gssapi, !login, static:rest


smtp_sasl_password_maps (default: empty)

       Optional Postfix SMTP client lookup tables with one username:password
       entry per sender, remote hostname or next-hop domain. Per-sender lookup
       is done only when sender-dependent authentication is enabled. If no
       username:password entry is found, then the Postfix SMTP client will not
       attempt to authenticate to the remote host.

       The Postfix SMTP client opens the lookup table before going to chroot
       jail, so you can leave the password file in /etc/postfix.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.


smtp_sasl_path (default: empty)

       Implementation-specific information that the Postfix SMTP client passes
       through to the SASL plug-in implementation that is selected with
       smtp_sasl_type. Typically this specifies the name of a configuration
       file or rendezvous point.

       This feature is available in Postfix 2.3 and later.


smtp_sasl_security_options (default: noplaintext, noanonymous)

       Postfix SMTP client SASL security options; as of Postfix 2.3 the list
       of available features depends on the SASL client implementation that is
       selected with smtp_sasl_type.

       The following security features are defined for the cyrus client SASL
       implementation:

       Specify zero or more of the following:

       noplaintext
              Disallow methods that use plaintext passwords.

       noactive
              Disallow methods subject to active (non-dictionary) attack.

       nodictionary
              Disallow methods subject to passive (dictionary) attack.

       noanonymous
              Disallow methods that allow anonymous authentication.

       mutual_auth
              Only allow methods that provide mutual authentication (not
              available with SASL version 1).

       Example:

       smtp_sasl_security_options = noplaintext


smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)

       The SASL authentication security options that the Postfix SMTP client
       uses for TLS encrypted SMTP sessions.

       This feature is available in Postfix 2.2 and later.


smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_security_options)

       The SASL authentication security options that the Postfix SMTP client
       uses for TLS encrypted SMTP sessions with a verified server
       certificate.

       When mail is sent to the public MX host for the recipient's domain,
       server certificates are by default optional, and delivery proceeds even
       if certificate verification fails. For delivery via a submission
       service that requires SASL authentication, it may be appropriate to
       send plaintext passwords only when the connection to the server is
       strongly encrypted and the server identity is verified.

       The smtp_sasl_tls_verified_security_options parameter makes it possible
       to only enable plaintext mechanisms when a secure connection to the
       server is available. In practice this means leaving "noplaintext" in
       smtp_sasl_security_options (and therefore, by default, in
       smtp_sasl_tls_security_options) and dropping it only from this
       parameter, so that PLAIN and LOGIN are offered solely on sessions whose
       server certificate was verified (for example at the "verify" or
       "secure" TLS security level). Submission servers subject to this
       policy must either have verifiable certificates or offer suitable
       non-plaintext SASL mechanisms.

       This feature is available in Postfix 2.6 and later.


smtp_sasl_type (default: cyrus)

       The SASL plug-in type that the Postfix SMTP client should use for
       authentication. The available types are listed with the "postconf -A"
       command.

       This feature is available in Postfix 2.3 and later.


smtp_send_dummy_mail_auth (default: no)

       Whether or not to append the "AUTH=<>" option to the MAIL FROM command
       in SASL-authenticated SMTP sessions. The default is not to send this,
       to avoid problems with broken remote SMTP servers. Before Postfix 2.9
       the behavior is as if "smtp_send_dummy_mail_auth = yes".

       This feature is available in Postfix 2.9 and later.


smtp_send_xforward_command (default: no)

       Send the non-standard XFORWARD command when the remote (Postfix) SMTP
       server's EHLO response announces XFORWARD support.

       This allows a Postfix SMTP delivery agent, used for injecting mail into
       a content filter, to forward the name, address, protocol and HELO name
       of the original client to the content filter and downstream queuing
       SMTP server. This can produce more useful logging than
       localhost[127.0.0.1] etc.

       This feature is available in Postfix 2.1 and later.


smtp_sender_dependent_authentication (default: no)

       Enable sender-dependent authentication in the Postfix SMTP client; this
       is available only with SASL authentication, and disables SMTP
       connection caching to ensure that mail from different senders will use
       the appropriate credentials.

       This feature is available in Postfix 2.3 and later.


smtp_skip_4xx_greeting (default: yes)

       Skip SMTP servers that greet with a 4XX status code (go away, try again
       later).

       By default, the Postfix SMTP client moves on to the next mail
       exchanger. Specify "smtp_skip_4xx_greeting = no" if Postfix should
       defer delivery immediately.

       This feature is available in Postfix 2.0 and earlier. Later Postfix
       versions always skip remote SMTP servers that greet with a 4XX status
       code.


smtp_skip_5xx_greeting (default: yes)

       Skip remote SMTP servers that greet with a 5XX status code.

       By default, the Postfix SMTP client moves on to the next mail
       exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should
       bounce the mail immediately. Caution: the latter behavior appears to
       contradict RFC 2821.


smtp_skip_quit_response (default: yes)

       Do not wait for the response to the SMTP QUIT command.


smtp_starttls_timeout (default: 300s)

       Time limit for Postfix SMTP client write and read operations during TLS
       startup and shutdown handshake procedures.

       This feature is available in Postfix 2.2 and later.


smtp_tcp_port (default: smtp)

       The default TCP port that the Postfix SMTP client connects to. Specify
       a symbolic name (see services(5)) or a numeric port.


smtp_tls_CAfile (default: empty)

       A file containing CA certificates of root CAs trusted to sign either
       remote SMTP server certificates or intermediate CA certificates. These
       are loaded into memory before the smtp(8) client enters the chroot
       jail. If the number of trusted roots is large, consider using
       smtp_tls_CApath instead, but note that the latter directory must be
       present in the chroot jail if the smtp(8) client is chrooted. This file
       may also be used to augment the client certificate trust chain, but it
       is best to include all the required certificates directly in
       $smtp_tls_cert_file (or, with Postfix >= 3.4, $smtp_tls_chain_files).

       Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use ONLY the
       system-supplied default Certification Authority certificates.

       Specify "tls_append_default_CA = no" to prevent Postfix from appending
       the system-supplied default CAs and trusting third-party certificates.

       Example:

       smtp_tls_CAfile = /etc/postfix/CAcert.pem

       This feature is available in Postfix 2.2 and later.


smtp_tls_CApath (default: empty)

       Directory with PEM format Certification Authority certificates that the
       Postfix SMTP client uses to verify a remote SMTP server certificate.
       Don't forget to create the necessary "hash" links with, for example,
       "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".

       To use this option in chroot mode, this directory (or a copy) must be
       inside the chroot jail.

       Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY
       the system-supplied default Certification Authority certificates.

       Specify "tls_append_default_CA = no" to prevent Postfix from appending
       the system-supplied default CAs and trusting third-party certificates.

       Example:

       smtp_tls_CApath = /etc/postfix/certs

       This feature is available in Postfix 2.2 and later.


smtp_tls_block_early_mail_reply (default: no)

       Try to detect a mail hijacking attack based on a TLS protocol
       vulnerability (CVE-2009-3555), where an attacker prepends malicious
       HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
       The attack would succeed with non-Postfix SMTP servers that reply to
       the malicious HELO, MAIL, RCPT, DATA commands after negotiating the
       Postfix SMTP client TLS session.

       This feature is available in Postfix 2.7.


smtp_tls_cert_file (default: empty)

       File with the Postfix SMTP client RSA certificate in PEM format. This
       file may also contain the Postfix SMTP client private RSA key, and
       these may be the same as the Postfix SMTP server RSA certificate and
       key file. With Postfix >= 3.4 the preferred way to configure client
       keys and certificates is via the "smtp_tls_chain_files" parameter.

       Do not configure client certificates unless you must present client TLS
       certificates to one or more servers. Client certificates are not
       usually needed, and can cause problems in configurations that work well
       without them. The recommended setting is to let the defaults stand:

           smtp_tls_cert_file =
           smtp_tls_key_file =
           smtp_tls_eccert_file =
           smtp_tls_eckey_file =
           # Obsolete DSA parameters
           smtp_tls_dcert_file =
           smtp_tls_dkey_file =
           # Postfix >= 3.4 interface
           smtp_tls_chain_files =

       The best way to use the default settings is to comment out the above
       parameters in main.cf if present.

       To enable remote SMTP servers to verify the Postfix SMTP client
       certificate, the issuing CA certificates must be made available to the
       server. You should include the required certificates in the client
       certificate file, the client certificate first, then the issuing CA(s)
       (bottom-up order).

       Example: the certificate for "client.example.com" was issued by
       "intermediate CA" which itself has a certificate issued by "root CA".
       As the "root" super-user create the chain.pem file with (the umask
       keeps the file, which holds the unencrypted private key, readable by
       root only):

           # umask 077
           # cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem

       If you also want to verify remote SMTP server certificates issued by
       these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
       which case it is not necessary to have them in the smtp_tls_cert_file,
       smtp_tls_dcert_file (obsolete) or smtp_tls_eccert_file.

       A certificate supplied here must be usable as an SSL client certificate
       and hence pass the "openssl verify -purpose sslclient ..." test.

       Example:

       smtp_tls_cert_file = /etc/postfix/chain.pem

       This feature is available in Postfix 2.2 and later.


smtp_tls_chain_files (default: empty)

       List of one or more PEM files, each holding one or more private keys
       directly followed by a corresponding certificate chain. The file names
       are separated by commas and/or whitespace. This parameter obsoletes
       the legacy algorithm-specific key and certificate file settings. When
       this parameter is non-empty, the legacy parameters are ignored, and a
       warning is logged if any are also non-empty.

       With the proliferation of multiple private key algorithms (which, as of
       OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448)
       it is increasingly impractical to use separate parameters to configure
       the key and certificate chain for each algorithm. Therefore, Postfix
       now supports storing multiple keys and corresponding certificate chains
       in a single file or in a set of files.

       Each key must appear immediately before the corresponding certificate,
       optionally followed by additional issuer certificates that complete the
       certificate chain for that key. When multiple files are specified,
       they are equivalent to a single file that is concatenated from those
       files in the given order. Thus, while a key must always precede its
       certificate and issuer chain, it can be in a separate file, so long as
       that file is listed immediately before the file that holds the
       corresponding certificate chain. Once all the files are concatenated,
       the sequence of PEM objects must be: key1, cert1, [chain1], key2,
       cert2, [chain2], ..., keyN, certN, [chainN].

       Storing the private key in the same file as the corresponding
       certificate is more reliable. With the key and certificate in separate
       files, there is a chance that during key rollover a Postfix process
       might load a private key and certificate from separate files that don't
       match. Various operational errors may even result in a persistent
       broken configuration in which the certificate does not match the
       private key. As with the legacy key files, these files hold
       unencrypted private keys and should be readable by root only.

       The file or files must contain at most one key of each type. If, for
       example, two or more RSA keys and corresponding chains are listed,
       depending on the version of OpenSSL either only the last one will be
       used or a configuration error may be detected. Note that while
       "Ed25519" and "Ed448" are considered separate algorithms, the various
       ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
       considered as different parameters of a single "ECDSA" algorithm, so it
       is not presently possible to configure keys for more than one ECDSA
       curve.

       Example (separate files for each key and corresponding certificate
       chain):

           /etc/postfix/main.cf:
               smtp_tls_chain_files =
                   ${config_directory}/ed25519.pem,
                   ${config_directory}/ed448.pem,
                   ${config_directory}/rsa.pem

           /etc/postfix/ed25519.pem:
               -----BEGIN PRIVATE KEY-----
               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
               ...
               nC0egv51YPDWxEHom4QA
               -----END CERTIFICATE-----

           /etc/postfix/ed448.pem:
               -----BEGIN PRIVATE KEY-----
               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
               ...
               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
               -----END CERTIFICATE-----

           /etc/postfix/rsa.pem:
               -----BEGIN PRIVATE KEY-----
               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
               ...
               ahQkZ3+krcaJvDSMgvu0tDc=
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
               ...
               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
               -----END CERTIFICATE-----

       Example (all keys and certificates in a single file):

           /etc/postfix/main.cf:
               smtp_tls_chain_files = ${config_directory}/chains.pem

           /etc/postfix/chains.pem:
               -----BEGIN PRIVATE KEY-----
               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
               ...
               nC0egv51YPDWxEHom4QA
               -----END CERTIFICATE-----
               -----BEGIN PRIVATE KEY-----
               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
               ...
               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
               -----END CERTIFICATE-----
               -----BEGIN PRIVATE KEY-----
               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
               ...
               ahQkZ3+krcaJvDSMgvu0tDc=
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
               ...
               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
               -----END CERTIFICATE-----

       This feature is available in Postfix 3.4 and later.

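       A pre-deployment check for the ordering rule described above, added
       here as an example; it is not part of Postfix or of postconf(5). It
       reads the PEM objects of one or more file contents (passed in the
       order the files would be listed in smtp_tls_chain_files), names each
       private key's algorithm from its PEM label or, for PKCS#8 "PRIVATE
       KEY" objects, from the AlgorithmIdentifier OID, and reports a
       certificate that precedes any key, a key with no certificate behind
       it, and a second key of the same algorithm. It does not verify that a
       key matches its certificate. The sample bundles are constructed inside
       the block from zero-filled key fields and a placeholder certificate
       object; they are not usable keys or certificates.

```python
import base64
import re

# PKCS#8 AlgorithmIdentifier OIDs as DER content bytes (without the 0x06 tag and length).
_KEY_OIDS = {
    "RSA":     bytes.fromhex("2a864886f70d010101"),   # 1.2.840.113549.1.1.1  rsaEncryption
    "ECDSA":   bytes.fromhex("2a8648ce3d0201"),       # 1.2.840.10045.2.1     id-ecPublicKey
    "Ed25519": bytes.fromhex("2b6570"),               # 1.3.101.112
    "Ed448":   bytes.fromhex("2b6571"),               # 1.3.101.113
    "DSA":     bytes.fromhex("2a8648ce380401"),       # 1.2.840.10040.4.1     (obsolete)
}
# Legacy ("traditional") PEM key labels name the algorithm in the label itself.
_LEGACY_KEY_LABELS = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "ECDSA", "DSA PRIVATE KEY": "DSA"}
_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_objects(text):
    """Return [(label, der_bytes), ...] for every PEM object, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in _PEM_RE.finditer(text)]


def key_algorithm(label, der):
    """Name the private key algorithm, or None if the object is not a private key."""
    if label in _LEGACY_KEY_LABELS:
        return _LEGACY_KEY_LABELS[label]
    if label != "PRIVATE KEY":
        return None
    # PKCS#8 PrivateKeyInfo = SEQUENCE { version, AlgorithmIdentifier, OCTET STRING, ... }:
    # the algorithm OID follows the version, so searching the first bytes is enough.
    head = der[:48]
    for name, oid in _KEY_OIDS.items():
        if b"\x06" + bytes([len(oid)]) + oid in head:
            return name
    return "unknown"


def check_chain_files(*pem_texts):
    """Check the concatenation of the given file contents; return a list of problems."""
    objects = [obj for text in pem_texts for obj in pem_objects(text)]
    problems, first_seen, state = [], {}, "start"      # states: start, need_cert, in_chain
    for index, (label, der) in enumerate(objects, 1):
        alg = key_algorithm(label, der)
        if alg is not None:
            if state == "need_cert":
                problems.append(f"object {index}: {alg} key, but the previous key has no certificate")
            if alg in first_seen:
                problems.append(f"object {index}: second {alg} key (first was object {first_seen[alg]})")
            first_seen.setdefault(alg, index)
            state = "need_cert"
        elif label == "CERTIFICATE":
            if state == "start":
                problems.append(f"object {index}: certificate before any private key")
            else:
                state = "in_chain"                       # leaf certificate or an issuer of the chain
        else:
            problems.append(f"object {index}: unexpected PEM object {label!r}")
    if state == "need_cert":
        problems.append("last private key is not followed by a certificate")
    return problems


def _der(tag, content):
    """Minimal DER TLV encoder (short and long length forms) for the constructed samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def dummy_pkcs8(alg, key_bytes):
    """Constructed PKCS#8 object whose key field is all zeros: right shape, not a usable key."""
    params = _der(0x05, b"") if alg == "RSA" else b""          # rsaEncryption carries NULL parameters
    alg_id = _der(0x30, _der(0x06, _KEY_OIDS[alg]) + params)
    return _pem("PRIVATE KEY", _der(0x30, _der(0x02, b"\x00") + alg_id + _der(0x04, bytes(key_bytes))))


# Constructed placeholder certificate object; the checker looks at labels and order only.
DUMMY_CERT = _pem("CERTIFICATE", _der(0x30, _der(0x30, b"")))

if __name__ == "__main__":
    ok = dummy_pkcs8("Ed25519", 34) + DUMMY_CERT + dummy_pkcs8("RSA", 1190) + DUMMY_CERT + DUMMY_CERT
    print("well-formed bundle:", check_chain_files(ok) or "no problems")
    bad = DUMMY_CERT + dummy_pkcs8("RSA", 1190) + dummy_pkcs8("RSA", 1190) + DUMMY_CERT + dummy_pkcs8("ECDSA", 121)
    print("broken bundle:", *check_chain_files(bad), sep="\n  ")
```

       On a real host, pass the contents of each listed file to
       check_chain_files() in main.cf order before reloading Postfix; an
       empty result means the key/certificate sequence and the one-key-per-
       algorithm rule are satisfied, which is exactly the set of mistakes
       that otherwise surfaces only as a logged warning or as a silently
       ignored key.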

smtp_tls_cipherlist (default: empty)

       Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
       list. As this feature applies to all TLS security levels, it is easy to
       create interoperability problems by choosing a non-default cipher list.
       Do not use a non-default TLS cipher list on hosts that deliver email to
       the public Internet: you will be unable to send email to servers that
       only support the ciphers you exclude. Using a restricted cipher list
       may be more appropriate for an internal MTA, where one can exert some
       control over the TLS software and settings of the peer servers.

       Note: do not use "" quotes around the parameter value.

       This feature is available in Postfix version 2.2. It is not used with
       Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.


smtp_tls_ciphers (default: medium)

       The minimum TLS cipher grade that the Postfix SMTP client will use with
       opportunistic TLS encryption. Cipher types listed in
       smtp_tls_exclude_ciphers are excluded from the base definition of the
       selected cipher grade. The default value is "medium" for Postfix
       releases after the middle of 2015, "export" for older releases.

       When TLS is mandatory the cipher grade is chosen via the
       smtp_tls_mandatory_ciphers configuration parameter, see there for
       syntax details. See smtp_tls_policy_maps for information on how to
       configure ciphers on a per-destination basis.

       This feature is available in Postfix 2.6 and later. With earlier
       Postfix releases only the smtp_tls_mandatory_ciphers parameter is
       implemented, and opportunistic TLS always uses "export" or better (i.e.
       all) ciphers.


smtp_tls_connection_reuse (default: no)

       Try to make multiple deliveries per TLS-encrypted connection. This
       uses the tlsproxy(8) service to encrypt an SMTP connection, uses the
       scache(8) service to save that connection, and relies on hints from the
       qmgr(8) daemon.

       See "Client-side TLS connection reuse" for background details.

       This feature is available in Postfix 3.4 and later.


smtp_tls_dane_insecure_mx_policy (default: see postconf -d output)

       The TLS policy for MX hosts with "secure" TLSA records when the nexthop
       destination security level is dane, but the MX record was found via an
       "insecure" MX lookup. The choices are:

       may    The TLSA records will be ignored and TLS will be optional. If
              the MX host does not appear to support STARTTLS, or the STARTTLS
              handshake fails, mail may be sent in the clear.

       encrypt
              The TLSA records will signal a requirement to use TLS. While
              TLS encryption will be required, authentication will not be
              performed.

       dane (default)
              The TLSA records will be used just as with "secure" MX records.
              TLS encryption will be required, and, if at least one of the
              TLSA records is "usable", authentication will be required. When
              authentication succeeds, it will be logged only as "Trusted",
              not "Verified", because the MX host name could have been forged.
              The default setting for Postfix >= 3.6 is "dane" with
              "smtp_tls_security_level = dane", otherwise "may". This behavior
              was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16,
              3.2.21. With earlier Postfix versions the default setting was
              always "dane".

       Though with "insecure" MX records an active attacker can compromise
       SMTP transport security by returning forged MX records, such attacks
       are "tamper-evident" since any forged MX hostnames will be recorded in
       the mail logs. Attackers who place a high value on staying hidden may
       be deterred from forging MX records.

       This feature is available in Postfix 3.1 and later. The may policy is
       backwards-compatible with earlier Postfix versions.


smtp_tls_dcert_file (default: empty)

       File with the Postfix SMTP client DSA certificate in PEM format. This
       file may also contain the Postfix SMTP client private DSA key. The DSA
       algorithm is obsolete and should not be used.

       See the discussion under smtp_tls_cert_file for more details.

       Example:

       smtp_tls_dcert_file = /etc/postfix/client-dsa.pem

       This feature is available in Postfix 2.2 and later.


smtp_tls_dkey_file (default: $smtp_tls_dcert_file)

       File with the Postfix SMTP client DSA private key in PEM format. This
       file may be combined with the Postfix SMTP client DSA certificate file
       specified with $smtp_tls_dcert_file. The DSA algorithm is obsolete and
       should not be used.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to the
       system superuser account ("root"), and no access to anyone else.

       This feature is available in Postfix 2.2 and later.


smtp_tls_eccert_file (default: empty)

       File with the Postfix SMTP client ECDSA certificate in PEM format.
       This file may also contain the Postfix SMTP client ECDSA private key.
       With Postfix >= 3.4 the preferred way to configure client keys and
       certificates is via the "smtp_tls_chain_files" parameter.

       See the discussion under smtp_tls_cert_file for more details.

       Example:

       smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.


smtp_tls_eckey_file (default: $smtp_tls_eccert_file)

       File with the Postfix SMTP client ECDSA private key in PEM format.
       This file may be combined with the Postfix SMTP client ECDSA
       certificate file specified with $smtp_tls_eccert_file. With Postfix >=
       3.4 the preferred way to configure client keys and certificates is via
       the "smtp_tls_chain_files" parameter.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to the
       system superuser account ("root"), and no access to anyone else.

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.


smtp_tls_enforce_peername (default: yes)

       With mandatory TLS encryption, require that the remote SMTP server
       hostname matches the information in the remote SMTP server certificate.
       As of RFC 2487 the requirements for hostname checking for MTA clients
       are not specified.

       This option can be set to "no" to disable strict peer name checking.
       This setting has no effect on sessions that are controlled via the
       smtp_tls_per_site table.

       Disabling the hostname verification can make sense in a closed
       environment where special CAs are created. If not used carefully, this
       option opens the danger of a "man-in-the-middle" attack (the CommonName
       of the attacker's certificate will be logged).

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtp_tls_security_level instead.


smtp_tls_exclude_ciphers (default: empty)

       List of ciphers or cipher types to exclude from the Postfix SMTP client
       cipher list at all TLS security levels. This is not an OpenSSL
       cipherlist, it is a simple list separated by whitespace and/or commas.
       The elements are a single cipher, or one or more "+" separated cipher
       properties, in which case only ciphers matching all the properties are
       excluded.

       Examples (some of these will cause problems):

           smtp_tls_exclude_ciphers = aNULL
           smtp_tls_exclude_ciphers = MD5, DES
           smtp_tls_exclude_ciphers = DES+MD5
           smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
           smtp_tls_exclude_ciphers = kEDH+aRSA

       The first setting disables anonymous ciphers. The next setting
       disables ciphers that use the MD5 digest algorithm or the (single) DES
       encryption algorithm. The next setting disables ciphers that use MD5
       and DES together. The next setting disables the two ciphers
       "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
       use "EDH" key exchange with RSA authentication.

       This feature is available in Postfix 2.3 and later.

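       The matching rule above, as an added example that is not Postfix code:
       elements are split on whitespace and/or commas; an element that is a
       cipher name excludes that one cipher; an element made of one or more
       "+"-joined properties excludes only ciphers that carry all of them, so
       "MD5, DES" and "DES+MD5" differ. The cipher-to-property table is a
       constructed excerpt in OpenSSL's own vocabulary, just large enough to
       run the five settings from the text; on a real host the authoritative
       list of names and properties is the output of "openssl ciphers -v".

```python
import re

# Constructed excerpt of OpenSSL's cipher table: name -> properties, in the vocabulary
# that "openssl ciphers -v" prints (key exchange, authentication, encryption, MAC).
CIPHER_PROPERTIES = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"kEECDH", "aRSA", "AES128", "AESGCM", "AEAD"},
    "DHE-RSA-AES256-SHA":          {"kEDH", "aRSA", "AES256", "SHA1"},
    "ADH-AES256-SHA":              {"kEDH", "aNULL", "AES256", "SHA1"},
    "AES256-SHA":                  {"kRSA", "aRSA", "AES256", "SHA1"},
    "DES-CBC3-SHA":                {"kRSA", "aRSA", "3DES", "SHA1"},
    "DES-CBC-SHA":                 {"kRSA", "aRSA", "DES", "SHA1"},
    "DES-CBC-MD5":                 {"kRSA", "aRSA", "DES", "MD5"},
    "RC4-MD5":                     {"kRSA", "aRSA", "RC4", "MD5"},
    "DES-CBC3-MD5":                {"kRSA", "aRSA", "3DES", "MD5"},
}


def parse_exclusions(setting):
    """Split a smtp_tls_exclude_ciphers value on whitespace and/or commas."""
    return [element for element in re.split(r"[\s,]+", setting) if element]


def excluded_by(element, cipher_name, properties):
    """One element excludes a cipher if it is that cipher's name, or if every
    "+"-joined property in it is present in the cipher's property set."""
    parts = [p for p in element.split("+") if p]
    if len(parts) == 1 and parts[0] == cipher_name:
        return True
    return bool(parts) and all(p in properties for p in parts)


def apply_exclusions(setting, table=CIPHER_PROPERTIES):
    """Return (kept, excluded) cipher name lists for one exclusion setting."""
    elements = parse_exclusions(setting)
    kept, excluded = [], []
    for name, properties in table.items():
        if any(excluded_by(element, name, properties) for element in elements):
            excluded.append(name)
        else:
            kept.append(name)
    return kept, excluded


if __name__ == "__main__":
    for setting in ("aNULL", "MD5, DES", "DES+MD5", "AES256-SHA, DES-CBC3-MD5", "kEDH+aRSA"):
        print(f"{setting!r:30} excludes {apply_exclusions(setting)[1]}")
```

       Note how "MD5, DES" removes four ciphers from this table while
       "DES+MD5" removes one: the comma is a union of two exclusions, the
       "+" an intersection of properties within one exclusion.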

smtp_tls_fingerprint_cert_match (default: empty)

       List of acceptable remote SMTP server certificate fingerprints for the
       "fingerprint" TLS security level (smtp_tls_security_level =
       fingerprint). At this security level, Certification Authorities are
       not used, and certificate expiration times are ignored. Instead, server
       certificates are verified directly via their certificate fingerprint or
       public key fingerprint (Postfix 2.9 and later). The fingerprint is a
       message digest of the server certificate (or public key). The digest
       algorithm is selected via the smtp_tls_fingerprint_digest parameter.

       When an smtp_tls_policy_maps table entry specifies the "fingerprint"
       security level, any "match" attributes in that entry specify the list
       of valid fingerprints for the corresponding destination. Multiple
       fingerprints can be combined with a "|" delimiter in a single match
       attribute, or multiple match attributes can be employed.

       Example: Certificate fingerprint verification with internal mailhub.
       Two matching fingerprints are listed. The relayhost may be multiple
       physical hosts behind a load-balancer, each with its own private/public
       key and self-signed certificate. Alternatively, a single relayhost may
       be in the process of switching from one set of private/public keys to
       another, and both keys are trusted just prior to the transition.

           relayhost = [mailhub.example.com]
           smtp_tls_security_level = fingerprint
           smtp_tls_fingerprint_digest = md5
           smtp_tls_fingerprint_cert_match =
               3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
               EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35

       Example: Certificate fingerprint verification with selected
       destinations. As in the example above, we show two matching
       fingerprints:

           /etc/postfix/main.cf:
               smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
               smtp_tls_fingerprint_digest = md5

           /etc/postfix/tls_policy:
               example.com fingerprint
                   match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
                   match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35

       This feature is available in Postfix 2.5 and later.


smtp_tls_fingerprint_digest (default: md5)

7679       The  message digest algorithm used to construct remote SMTP server cer‐
7680       tificate  fingerprints.  At  the  "fingerprint"  TLS   security   level
7681       (smtp_tls_security_level = fingerprint), the server certificate is ver‐
7682       ified by directly matching its certificate fingerprint  or  its  public
7683       key fingerprint (Postfix 2.9 and later). The fingerprint is the message
7684       digest of the server certificate (or its public key) using the selected
7685       algorithm.  With  a  digest  algorithm  resistant to "second pre-image"
7686       attacks, it is not feasible to create a new public key and  a  matching
7687       certificate (or public/private key-pair) that has the same fingerprint.
7688
7689       The  default  algorithm  is  md5; this is consistent with the backwards
7690       compatible setting of the digest used to verify client certificates  in
7691       the SMTP server.
7692
7693       At the time this text was written, the best practice  algorithm  was
7694       sha1:  advances  in  hash function cryptanalysis had led to md5 being
7695       deprecated in favor of sha1. As long as there are  no  known  "second
7696       pre-image"  attacks  against md5, its use in this context can still be
           considered safe, but sha1 has since been deprecated as well.  Postfix
           3.6  and  later  default  this parameter to sha256 (at compatibility
           level 3.6 or higher); prefer sha256 whenever  new  fingerprints  are
           provisioned,  and  change  this parameter and the configured finger‐
           prints together, since a fingerprint computed with one digest  never
           matches under another.
7697
7698       While additional digest algorithms are often available  with  OpenSSL's
7699       libcrypto, only those used by libssl in SSL cipher suites are available
7700       to Postfix. With OpenSSL builds that predate TLS 1.2 this means just md5
           or sha1; once the build implements TLS 1.2 cipher suites, sha256 satis‐
           fies the same criterion.
7701
7702       To find the fingerprint of a specific certificate file, with a specific
7703       digest algorithm, run the following, with "-digest" replaced by the op‐
           tion that names the algorithm (-md5, -sha1, -sha256, ...):
7704
7705           $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7706
7707       The  text  to  the  right  of "=" sign is the desired fingerprint.  For
7708       example:
7709
7710           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7711           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7712
7713       To extract the public key fingerprint from an  X.509  certificate,  you
7714       need  to  extract  the  public key from the certificate and compute the
7715       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
7716       key"  option  of  the  "x509" command extracts the public key always in
7717       "PEM" format. We pipe the result to another OpenSSL command  that  con‐
7718       verts the key to DER and then to the "dgst" command to compute the fin‐
7719       gerprint.
7720
7721       The actual command to transform the key to DER format  depends  on  the
7722       version  of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
7723       mand supports all key types. With OpenSSL 0.9.8 and  earlier,  the  key
7724       type  is  always  RSA  (nobody uses DSA, and EC keys are not fully sup‐
7725       ported by 0.9.8), so the "rsa" command is used.
7726
7727           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
7728           $ openssl x509 -in cert.pem -noout -pubkey |
7729               openssl pkey -pubin -outform DER |
7730               openssl dgst -sha1 -c
7731           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
7732
7733           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
7734           $ openssl x509 -in cert.pem -noout -pubkey |
7735               openssl rsa -pubin -outform DER |
7736               openssl dgst -md5 -c
7737           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
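
       The following is an added illustration, not Postfix or OpenSSL code, of
       what the two fingerprint kinds above actually digest: the whole DER cer‐
       tificate versus its DER SubjectPublicKeyInfo (the bytes "openssl  pkey
       -pubin -outform DER" emits). It walks just enough DER to locate the SPKI
       and prints both digests in the upper-case colon form that  "openssl
       x509  -fingerprint"  prints. No real certificate is embedded; a minimal,
       constructed certificate-shaped structure (not a valid certificate)
       stands in, which is enough to show why a certificate re-issued for the
       same key pair keeps its public-key fingerprint while its certificate
       fingerprint changes.

```python
"""Certificate fingerprint versus public-key fingerprint, Postfix style.

Added illustration; not Postfix or OpenSSL code.  The DER helpers walk just
enough of an X.509 structure to find the SubjectPublicKeyInfo (SPKI).  The
"certificate" used below is constructed for the demo and is not valid.
"""
import hashlib

# ASN.1 tags used below.
SEQ, INT, BITSTR, OID, NULL, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x05, 0x17, 0xA0


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body


def der_parse(buf: bytes, pos: int = 0):
    """Decode the element at buf[pos:]; return (tag, body, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        start, length = pos + 2, first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length


def der_children(body: bytes):
    """Split a constructed element's body into (tag, raw_tlv) pairs.
    The raw TLV (tag and length included) is what gets digested."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = der_parse(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out


def spki_der(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    _, cert_body, _ = der_parse(cert_der)        # Certificate ::= SEQUENCE
    _, tbs_tlv = der_children(cert_body)[0]      # tbsCertificate comes first
    _, tbs_body, _ = der_parse(tbs_tlv)
    fields = der_children(tbs_body)
    if fields[0][0] == CTX0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]


def fingerprint(data: bytes, digest: str = "sha1") -> str:
    """Upper-case hex pairs joined by ':', as openssl x509 -fingerprint prints."""
    return ":".join(f"{b:02X}" for b in hashlib.new(digest, data).digest())


def cert_fingerprint(cert_der: bytes, digest: str = "sha1") -> str:
    return fingerprint(cert_der, digest)


def pubkey_fingerprint(cert_der: bytes, digest: str = "sha1") -> str:
    return fingerprint(spki_der(cert_der), digest)


# --- constructed demo data: certificate-shaped, not a valid certificate ---

def fake_rsa_spki() -> bytes:
    """SubjectPublicKeyInfo with the rsaEncryption OID and a dummy modulus."""
    alg = der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d010101")) + der_tlv(NULL, b""))
    rsa_key = der_tlv(SEQ, der_tlv(INT, b"\x00" + b"\xc3" * 128) + der_tlv(INT, b"\x01\x00\x01"))
    return der_tlv(SEQ, alg + der_tlv(BITSTR, b"\x00" + rsa_key))


def fake_cert(serial: int, spki: bytes) -> bytes:
    """version, serial, sigalg, issuer, validity, subject, SPKI; then sigalg, signature."""
    sig_alg = der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")) + der_tlv(NULL, b""))
    empty_name = der_tlv(SEQ, b"")
    validity = der_tlv(SEQ, der_tlv(UTCTIME, b"240101000000Z") + der_tlv(UTCTIME, b"250101000000Z"))
    tbs = der_tlv(SEQ, der_tlv(CTX0, der_tlv(INT, b"\x02")) + der_tlv(INT, serial.to_bytes(2, "big"))
                  + sig_alg + empty_name + validity + empty_name + spki)
    return der_tlv(SEQ, tbs + sig_alg + der_tlv(BITSTR, b"\x00" * 33))


def demo() -> dict:
    """Re-issue a certificate for the same key pair: the certificate
    fingerprint changes, the public-key fingerprint does not."""
    key = fake_rsa_spki()
    old_cert, new_cert = fake_cert(1001, key), fake_cert(1002, key)
    return {
        "cert_old": cert_fingerprint(old_cert),
        "cert_new": cert_fingerprint(new_cert),
        "pubkey_old": pubkey_fingerprint(old_cert),
        "pubkey_new": pubkey_fingerprint(new_cert),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>10}: {value}")
```

       On a real certificate, cert_fingerprint() reproduces the "openssl x509
       -fingerprint" output above and pubkey_fingerprint() the value of the
       pkey/dgst pipeline, apart from the letter case that "dgst -c" uses. The
       digest name is a parameter so that the value passed can be kept in step
       with smtp_tls_fingerprint_digest.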
7738
7739       The Postfix SMTP server and client log the peer (leaf) certificate fin‐
7740       gerprint  and  public  key  fingerprint  when  the TLS loglevel is 2 or
7741       higher.
7742
7743       Note: Postfix 2.9.0-2.9.5 computed the public  key  fingerprint  incor‐
7744       rectly.  To  use  public-key  fingerprints, upgrade to Postfix 2.9.6 or
7745       later.
7746
7747       This feature is available in Postfix 2.5 and later.
7748

smtp_tls_force_insecure_host_tlsa_lookup (default: no)

7750       Lookup the associated DANE TLSA RRset even when a hostname  is  not  an
7751       alias  and  its  address  records  lie  in  an  unsigned zone.  This is
7752       unlikely to ever yield DNSSEC validated results, since child  zones  of
7753       unsigned  zones are also unsigned in the absence of DLV or locally con‐
7754       figured non-root trust-anchors.  We  anticipate  that  such  mechanisms
7755       will  not be used for just the "_tcp" subdomain of a host.  Suppressing
7756       the TLSA RRset lookup reduces latency and avoids  potential  interoper‐
7757       ability  problems with nameservers for unsigned zones that are not pre‐
7758       pared to handle the new TLSA RRset.
7759
7760       This feature is available in Postfix 2.11.
7761

smtp_tls_key_file (default: $smtp_tls_cert_file)

7763       File with the Postfix SMTP client RSA private key in PEM format.   This
7764       file  may be combined with the Postfix SMTP client RSA certificate file
7765       specified with $smtp_tls_cert_file.  With Postfix >= 3.4 the  preferred
7766       way   to   configure   client   keys   and   certificates  is  via  the
7767       "smtp_tls_chain_files" parameter.
7768
7769       The private key must be accessible without a pass-phrase, i.e. it  must
7770       not be encrypted. File permissions should grant read-only access to the
7771       system superuser account ("root"), and no access to anyone else.
7772
7773       Example:
7774
7775       smtp_tls_key_file = $smtp_tls_cert_file
7776
7777       This feature is available in Postfix 2.2 and later.
7778

smtp_tls_loglevel (default: 0)

7780       Enable additional Postfix SMTP client logging of  TLS  activity.   Each
7781       logging  level  also includes the information that is logged at a lower
7782       logging level.
7783
7784              0 Disable logging of TLS activity.
7785
7786              1 Log only a summary message on TLS handshake  completion  -  no
7787              logging  of remote SMTP server certificate trust-chain verifica‐
7788              tion errors if server certificate verification is not  required.
7789              With Postfix 2.8 and earlier, log the summary message and uncon‐
7790              ditionally log trust-chain verification errors.
7791
7792              2 Also log levels during TLS negotiation.
7793
7794              3 Also  log  hexadecimal  and  ASCII  dump  of  TLS  negotiation
7795              process.
7796
7797              4  Also  log hexadecimal and ASCII dump of complete transmission
7798              after STARTTLS.
7799
7800       Do not use "smtp_tls_loglevel = 2" or higher except in  case  of  prob‐
7801       lems. Use of loglevel 4 is strongly discouraged.
7802
7803       This feature is available in Postfix 2.2 and later.
7804

smtp_tls_mandatory_ciphers (default: medium)

7806       The minimum TLS cipher grade that the Postfix SMTP client will use with
7807       mandatory TLS encryption.  The default value "medium" is  suitable  for
7808       most destinations with which you may want to enforce TLS, and is beyond
7809       the reach of today's cryptanalytic  methods.  See  smtp_tls_policy_maps
7810       for information on how to configure ciphers on a per-destination basis.
7811
7812       The following cipher grades are supported:
7813
7814       export Enable "EXPORT" grade or better OpenSSL ciphers.  The underlying
7815              cipherlist is specified via the tls_export_cipherlist configura‐
7816              tion parameter, which you are strongly encouraged to not change.
7817              This choice is insecure and SHOULD NOT be used.
7818
7819       low    Enable "LOW" grade or better OpenSSL  ciphers.   The  underlying
7820              cipherlist is specified via the tls_low_cipherlist configuration
7821              parameter, which you are  strongly  encouraged  to  not  change.
7822              This choice is insecure and SHOULD NOT be used.
7823
7824       medium Enable "MEDIUM" grade or better OpenSSL ciphers.  The underlying
7825              cipherlist is specified via the tls_medium_cipherlist configura‐
7826              tion parameter, which you are strongly encouraged to not change.
7827
7828       high   Enable  only  "HIGH" grade OpenSSL ciphers.  This setting may be
7829              appropriate when all mandatory TLS destinations (e.g.  when  all
7830              mail is routed to a suitably capable relayhost) support at least
7831              one "HIGH" grade cipher. The underlying cipherlist is  specified
7832              via  the  tls_high_cipherlist configuration parameter, which you
7833              are strongly encouraged to not change.
7834
7835       null   Enable only the "NULL" OpenSSL ciphers, these provide  authenti‐
7836              cation  without encryption.  This setting is only appropriate in
7837              the rare case that all servers are prepared to use NULL  ciphers
7838              (not  normally  enabled in TLS servers). A plausible use-case is
7839              an LMTP server listening on a UNIX-domain socket that is config‐
7840              ured  to  support  "NULL"  ciphers. The underlying cipherlist is
7841              specified via the tls_null_cipherlist  configuration  parameter,
7842              which you are strongly encouraged to not change.
7843
7844       The  underlying cipherlists for grades other than "null" include anony‐
7845       mous ciphers, but these are automatically filtered out if  the  Postfix
7846       SMTP  client is configured to verify server certificates.  You are very
7847       unlikely to need to take any steps to exclude anonymous  ciphers,  they
7848       are excluded automatically as necessary.  If you must exclude anonymous
7849       ciphers at the "may" or "encrypt" security  levels,  when  the  Postfix
7850       SMTP   client   does   not   need   or   use   peer  certificates,  set
7851       "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous  ciphers  only
7852       when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
7853
7854       This feature is available in Postfix 2.3 and later.
7855

smtp_tls_mandatory_exclude_ciphers (default: empty)

7857       Additional  list of ciphers or cipher types to exclude from the Postfix
7858       SMTP client cipher list at mandatory TLS  security  levels.  This  list
7859       works     in     addition     to    the    exclusions    listed    with
7860       smtp_tls_exclude_ciphers (see there for syntax details).
7861
7862       Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
7863       ified   on  a  per-destination  basis  via  the  TLS  policy  "exclude"
7864       attribute. See smtp_tls_policy_maps for notes and examples.
7865
7866       This feature is available in Postfix 2.3 and later.
7867

smtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

7869       List of SSL/TLS protocols that the Postfix SMTP client  will  use  with
7870       mandatory  TLS  encryption.   In  main.cf  the  values are separated by
7871       whitespace, commas or colons. In the policy table "protocols" attribute
7872       (see  smtp_tls_policy_maps) the only valid separator is colon. An empty
7873       value means allow all protocols.  The  valid  protocol  names  (see
7874       SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".  The  default
7875       value is "!SSLv2, !SSLv3" for Postfix  releases  after  the  middle  of
7876       2015, "!SSLv2" for older releases.
7877
7878       With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
7879       col  exclusions.  One  can  explicitly  exclude  "SSLv2"   by   setting
7880       "smtp_tls_mandatory_protocols  =  !SSLv2".  To exclude both "SSLv2" and
7881       "SSLv3" set "smtp_tls_mandatory_protocols =  !SSLv2,  !SSLv3".  Listing
7882       the  protocols  to  include,  rather than protocols to exclude, is sup‐
7883       ported, but not recommended. The exclusion form  more  closely  matches
7884       the underlying OpenSSL interface semantics.
7885
7886       The range of protocols advertised by an SSL/TLS client must be contigu‐
7887       ous.  When a protocol version is enabled, disabling any higher  version
7888       implicitly  disables all versions above that higher version.  Thus, for
7889       example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
7890
7891           smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7892       also disables any protocol version higher  than  TLSv1,  leaving  only
7893       "SSLv3" enabled.
7894
7895       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7896       "TLSv1.2". When Postfix <= 2.5  is  linked  against  OpenSSL  1.0.1  or
7897       later,  these,  or  any other new protocol versions, cannot be disabled
7898       except by also disabling "TLSv1" (typically leaving just "SSLv3").  The
7899       latest  patch  levels of Postfix >= 2.6, and all versions of Postfix >=
7900       2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
7901
7902       OpenSSL 1.1.1 introduces support for "TLSv1.3".  With  Postfix  >=  3.4
7903       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
7904       abled, if need be, via "!TLSv1.3".
7905
7906       At the dane and dane-only security levels, when usable TLSA records are
7907       obtained  for  the remote SMTP server, the Postfix SMTP client is obli‐
7908       gated to include the SNI TLS extension in its SSL client hello message.
7909       This  may help the remote SMTP server live up to its promise to provide
7910       a certificate that matches its  TLSA  records.   Since  TLS  extensions
7911       require  TLS 1.0 or later, the Postfix SMTP client must disable "SSLv2"
7912       and "SSLv3" when SNI is required.  If you use "dane" or "dane-only"  do
7913       not disable TLSv1, except perhaps via the policy table for destinations
7914       which you are sure will support "TLSv1.1" or "TLSv1.2".
7915
7916       See  the  documentation  of  the  smtp_tls_policy_maps  parameter   and
7917       TLS_README for more information about security levels.
7918
7919       Example:
7920
7921       # Preferred syntax with Postfix >= 2.5:
7922       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7923       # Legacy syntax (enables only TLSv1 on releases that know TLSv1.1+):
7924       smtp_tls_mandatory_protocols = TLSv1
7925
7926       This feature is available in Postfix 2.3 and later.
7927

smtp_tls_note_starttls_offer (default: no)

7929       Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
7930       is not already enabled for that server.
7931
7932       The logfile record looks like:
7933
7934       postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
7935
7936       This feature is available in Postfix 2.2 and later.
7937

smtp_tls_per_site (default: empty)

7939       Optional lookup tables with the Postfix SMTP client TLS usage policy by
7940       next-hop  destination  and  by  remote SMTP server hostname.  When both
7941       lookups succeed, the more specific per-site policy  (NONE,  MUST,  etc)
7942       overrides  the  less  specific  one (MAY), and the more secure per-site
7943       policy (MUST, etc) overrides the less secure one (NONE).  With  Postfix
7944       2.3   and   later   smtp_tls_per_site   is  strongly  discouraged:  use
7945       smtp_tls_policy_maps instead.
7946
7947       Use of the bare hostname as the per-site table lookup key  is  discour‐
7948       aged.  Always  use  the full destination nexthop (enclosed in [] with a
7949       possible ":port" suffix). A recipient domain  or  MX-enabled  transport
7950       next-hop  with  no  port  suffix  may look like a bare hostname, but is
7951       still a suitable destination.
7952
7953       Specify a next-hop destination or  server  hostname  on  the  left-hand
7954       side;  no wildcards are allowed. The next-hop destination is either the
7955       recipient domain, or the destination specified with a transport(5)  ta‐
7956       ble, the relayhost parameter, or the relay_transport parameter.  On the
7957       right hand side specify one of the following keywords:
7958
7959       NONE   Don't use TLS at all. This overrides a less specific MAY  lookup
7960              result from the alternate host or next-hop lookup key, and over‐
7961              rides   the   global   smtp_use_tls,    smtp_enforce_tls,    and
7962              smtp_tls_enforce_peername settings.
7963
7964       MAY    Try  to  use  TLS if the server announces support, otherwise use
7965              the unencrypted connection. This has less precedence than a more
7966              specific  result  (including  NONE)  from  the alternate host or
7967              next-hop lookup key, and has less precedence than the more  spe‐
7968              cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
7969              name = yes".
7970
7971       MUST_NOPEERMATCH
7972              Require TLS encryption, but do not require that the remote  SMTP
7973              server  hostname  matches  the  information  in  the remote SMTP
7974              server certificate, or that the server certificate was issued by
7975              a  trusted  CA. This overrides a less secure NONE or a less spe‐
7976              cific MAY lookup result from  the  alternate  host  or  next-hop
7977              lookup    key,    and   overrides   the   global   smtp_use_tls,
7978              smtp_enforce_tls and smtp_tls_enforce_peername settings.
7979
7980       MUST   Require TLS encryption, require  that  the  remote  SMTP  server
7981              hostname  matches the information in the remote SMTP server cer‐
7982              tificate, and require that the remote  SMTP  server  certificate
7983              was  issued  by  a trusted CA. This overrides a less secure NONE
7984              and MUST_NOPEERMATCH or a less specific MAY lookup  result  from
7985              the  alternate  host  or  next-hop lookup key, and overrides the
7986              global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
7987              name settings.
7988
7989       The above keywords correspond to the "none", "may", "encrypt" and "ver‐
7990       ify" security levels  for  the  new  smtp_tls_security_level  parameter
7991       introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
7992       of how the policy  is  specified,  the  smtp_tls_mandatory_ciphers  and
7993       smtp_tls_mandatory_protocols  parameters  apply  when TLS encryption is
7994       mandatory. Connections  for  which  encryption  is  optional  typically
7995       enable  all "export" grade and better ciphers (see smtp_tls_ciphers and
7996       smtp_tls_protocols).
7997
7998       As long as no secure DNS lookup mechanism is available, false hostnames
7999       in  MX  or  CNAME responses can change the server hostname that Postfix
8000       uses for TLS policy lookup and server  certificate  verification.  Even
8001       with  a  perfect  match between the server hostname and the server cer‐
8002       tificate, there is no guarantee that Postfix is connected to the  right
8003       server.   See TLS_README (Closing a DNS loophole with obsolete per-site
8004       TLS policies) for a possible work-around.
8005
8006       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
8007       and later use smtp_tls_policy_maps instead.
8008

smtp_tls_policy_maps (default: empty)

8010       Optional lookup tables with the Postfix SMTP client TLS security policy
8011       by next-hop destination; when a  non-empty  value  is  specified,  this
8012       overrides the obsolete smtp_tls_per_site parameter.  See TLS_README for
8013       a more detailed discussion of TLS security levels.
8014
8015       Specify zero or more "type:name" lookup tables, separated by whitespace
8016       or  comma. Tables will be searched in the specified order until a match
8017       is found.
8018
8019       The TLS policy table is indexed by the full next-hop destination, which
8020       is  either  the recipient domain, or the verbatim next-hop specified in
8021       the    transport    table,    $local_transport,     $virtual_transport,
8022       $relay_transport  or  $default_transport.  This  includes any enclosing
8023       square brackets and any non-default destination server port suffix. The
8024       LMTP  socket type prefix (inet: or unix:) is not included in the lookup
8025       key.
8026
8027       Only the next-hop domain, or $myhostname  with  LMTP  over  UNIX-domain
8028       sockets,  is used as the nexthop name for certificate verification. The
8029       port and any enclosing square brackets are used  in  the  table  lookup
8030       key, but are not used for server name verification.
8031
8032       When  the lookup key is a domain name without enclosing square brackets
8033       or any :port suffix (typically the  recipient  domain),  and  the  full
8034       domain  is not found in the table, just as with the transport(5) table,
8035       the parent domain starting with a leading "." is  matched  recursively.
8036       This allows one to specify a security policy for a recipient domain and
8037       all its sub-domains.
8038
8039       The lookup result is a security level, followed by an optional list  of
8040       whitespace  and/or  comma separated name=value attributes that override
8041       related main.cf settings. The TLS security levels in order of  increas‐
8042       ing security are:
8043
8044       none   No TLS. No additional attributes are supported at this level.
8045
8046       may    Opportunistic  TLS.  Since  sending  in the clear is acceptable,
8047              demanding stronger than  default  TLS  security  merely  reduces
8048              interoperability. The optional "ciphers", "exclude", and "proto‐
8049              cols" attributes (available for opportunistic TLS  with  Postfix
8050              >=  2.6) and "connection_reuse" attribute (Postfix >= 3.4) over‐
8051              ride   the    "smtp_tls_ciphers",    "smtp_tls_exclude_ciphers",
8052              "smtp_tls_protocols", and "smtp_tls_connection_reuse" configura‐
8053              tion parameters. When opportunistic TLS handshakes fail, Postfix
8054              retries  the  connection  with  TLS  disabled.  This allows mail
8055              delivery to sites with non-interoperable TLS implementations.
8056
8057       encrypt
8058              Mandatory TLS encryption. At this level and higher, the optional
8059              "protocols"  attribute  overrides  the  main.cf  smtp_tls_manda‐
8060              tory_protocols parameter, the optional "ciphers" attribute over‐
8061              rides  the  main.cf  smtp_tls_mandatory_ciphers  parameter,  the
8062              optional "exclude" attribute  (Postfix  >=  2.6)  overrides  the
8063              main.cf  smtp_tls_mandatory_exclude_ciphers  parameter,  and the
8064              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8065              the  main.cf  smtp_tls_connection_reuse parameter. In the policy
8066              table, multiple protocols or excluded ciphers must be  separated
8067              by  colons,  as  attribute  values may not contain whitespace or
8068              commas.
8069
8070       dane   Opportunistic DANE TLS.  The TLS policy for the  destination  is
8071              obtained  via  TLSA  records  in DNSSEC.  If no TLSA records are
8072              found, the effective  security  level  used  is  may.   If  TLSA
8073              records  are  found, but none are usable, the effective security
8074              level is encrypt.  When usable TLSA records are obtained for the
8075              remote  SMTP  server, the server certificate must match the TLSA
8076              records.  RFC 7672 (DANE) TLS authentication and DNSSEC  support
8077              is  available with Postfix 2.11 and later. The optional "connec‐
8078              tion_reuse" attribute (Postfix >=  3.4)  overrides  the  main.cf
8079              smtp_tls_connection_reuse parameter.
8080
8081       dane-only
8082              Mandatory  DANE  TLS.   The  TLS  policy  for the destination is
8083              obtained via TLSA records in DNSSEC.  If  no  TLSA  records  are
8084              found,  or none are usable, no connection is made to the server.
8085              When usable TLSA  records  are  obtained  for  the  remote  SMTP
8086              server, the server certificate must match the TLSA records.  RFC
8087              7672 (DANE) TLS authentication and DNSSEC support  is  available
8088              with  Postfix  2.11  and  later. The optional "connection_reuse"
8089              attribute (Postfix >= 3.4) overrides the  main.cf  smtp_tls_con‐
8090              nection_reuse parameter.
8091
8092       fingerprint
8093              Certificate fingerprint verification. Available with Postfix 2.5
8094              and later. At this security level, there are no trusted Certifi‐
8095              cation  Authorities.  The  certificate  trust  chain, expiration
8096              date,  ...  are  not  checked.  Instead,  the   optional   match
8097              attribute,  or  else the main.cf smtp_tls_fingerprint_cert_match
8098              parameter, lists the certificate fingerprints or the public  key
8099              fingerprint (Postfix 2.9 and later) of the valid server certifi‐
8100              cate. The digest algorithm used to calculate the fingerprint  is
8101              selected  by the smtp_tls_fingerprint_digest parameter. Multiple
8102              fingerprints can be combined with a "|" delimiter  in  a  single
8103              match  attribute,  or multiple match attributes can be employed.
8104              The ":" character is not  used  as  a  delimiter  as  it  occurs
8105              between  each  pair  of  fingerprint  (hexadecimal)  digits. The
8106              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8107              the main.cf smtp_tls_connection_reuse parameter.
8108
8109       verify Mandatory  TLS  verification.   At  this  security level, DNS MX
8110              lookups are trusted to be secure enough, and the  name  verified
8111              in  the  server  certificate  is usually obtained indirectly via
8112              unauthenticated DNS MX lookups.  The optional "match"  attribute
8113              overrides  the  main.cf smtp_tls_verify_cert_match parameter. In
8114              the policy table, multiple match patterns and strategies must be
8115              separated by colons.  In practice explicit control over matching
8116              is more common with the "secure" policy,  described  below.  The
8117              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8118              the main.cf smtp_tls_connection_reuse parameter.
8119
8120       secure Secure-channel TLS. At this  security  level,  DNS  MX  lookups,
8121              though  potentially  used  to  determine  the candidate next-hop
8122              gateway IP addresses, are not trusted to be  secure  enough  for
8123              TLS peername verification. Instead, the default name verified in
8124              the server certificate is obtained directly from  the  next-hop,
8125              or  is  explicitly  specified  via  the optional match attribute
8126              which overrides the main.cf  smtp_tls_secure_cert_match  parame‐
8127              ter. In the policy table, multiple match patterns and strategies
8128              must be separated by colons.  The match attribute is most useful
8129              when multiple domains are hosted on a common server: the  policy
8130              entries for the additional domains then specify  matching  rules
8131              for the primary domain's certificate.  Transport table overrides
8132              that route the secondary domains to the primary nexthop  support
8133              secure verification too, but risk delivery to the wrong destina‐
8134              tion when domains change hands or are moved  to  new  gateways.
8135              With  the  "match" attribute approach, routing is not perturbed,
8136              and mail is deferred if verification of a new MX host fails. The
8137              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8138              the main.cf smtp_tls_connection_reuse parameter.
8139
8140       Example:
8141
8142       /etc/postfix/main.cf:
8143           smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
8144           # Postfix 2.5 and later
8145           smtp_tls_fingerprint_digest = md5
8146
8147       /etc/postfix/tls_policy:
8148           example.edu                 none
8149           example.mil                 may
8150           example.gov                 encrypt protocols=TLSv1
8151           example.com                 verify ciphers=high
8152           example.net                 secure
8153           .example.net                secure match=.example.net:example.net
8154           [mail.example.org]:587      secure match=nexthop
8155           # Postfix 2.5 and later
8156           [thumb.example.org]          fingerprint
8157               match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8158               match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
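
       The following is an added illustration, not Postfix code, of  how  the
       lookup  and  result  rules  described  above  apply to the example table:
       exact lookup on the full next-hop (brackets and port included, an  LMTP
       inet:/unix:  prefix dropped), parent-domain fallback with a leading "."
       only for bare domain keys, and a result made of a level  plus  name=value
       attributes  whose  multi-valued  items  are ":"-separated, except that
       fingerprint match= values use "|" and repeated match= attributes accumu‐
       late.  The  table  is the man page's own example held in a dict in place
       of a hash: file; the set of levels at which match= is accepted  is  mod‐
       elled from the level descriptions above.

```python
"""Model of smtp_tls_policy_maps: key lookup and result parsing.

Added illustration, not Postfix code; it follows the behaviour the parameter
description documents.  POLICY_TABLE is the man page example, held in a
dict instead of a hash: file.
"""
import re

POLICY_TABLE = {
    "example.edu": "none",
    "example.mil": "may",
    "example.gov": "encrypt protocols=TLSv1",
    "example.com": "verify ciphers=high",
    "example.net": "secure",
    ".example.net": "secure match=.example.net:example.net",
    "[mail.example.org]:587": "secure match=nexthop",
    "[thumb.example.org]": "fingerprint "
                           "match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 "
                           "match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1",
}

LEVELS = ("none", "may", "encrypt", "dane", "dane-only", "fingerprint", "verify", "secure")
MATCH_LEVELS = ("fingerprint", "verify", "secure")   # levels whose description has match=


def lookup_key(nexthop: str) -> str:
    """The LMTP socket-type prefix is not part of the key; brackets and port are."""
    return re.sub(r"^(inet|unix):", "", nexthop)


def lookup(table: dict, nexthop: str):
    """Return (matched_key, raw_value), or None when no entry applies."""
    key = lookup_key(nexthop)
    if key in table:
        return key, table[key]
    if "[" in key or ":" in key:          # not a bare domain: no parent-domain fallback
        return None
    labels = key.split(".")
    for i in range(1, len(labels)):       # mail.example.net -> .example.net -> .net
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return parent, table[parent]
    return None


def parse_policy(value: str):
    """Split a lookup result into (level, attributes)."""
    fields = [f for f in re.split(r"[\s,]+", value.strip()) if f]
    level, attrs = fields[0].lower(), {}
    if level not in LEVELS:
        raise ValueError(f"unknown security level {level!r}")
    if level == "none" and len(fields) > 1:
        raise ValueError("level none takes no attributes")
    for field in fields[1:]:
        name, sep, val = field.partition("=")
        name = name.lower()
        if not sep or not val:
            raise ValueError(f"malformed attribute {field!r}")
        if name == "match":
            if level not in MATCH_LEVELS:
                raise ValueError(f"match= is not valid at level {level!r}")
            delim = "|" if level == "fingerprint" else ":"
            attrs.setdefault("match", []).extend(val.split(delim))
        elif name in ("protocols", "exclude"):
            attrs[name] = val.split(":")
        else:
            attrs[name] = val
    return level, attrs


def policy_for(table: dict, nexthop: str):
    """Effective policy for a next-hop: {'key', 'level', 'attrs'} or None."""
    found = lookup(table, nexthop)
    if found is None:
        return None
    key, raw = found
    level, attrs = parse_policy(raw)
    return {"key": key, "level": level, "attrs": attrs}


if __name__ == "__main__":
    for nexthop in ("example.gov", "mail.example.net", "example.net",
                    "[mail.example.org]:587", "[mail.example.org]",
                    "inet:[thumb.example.org]", "sub.example.edu"):
        print(f"{nexthop:26} -> {policy_for(POLICY_TABLE, nexthop)}")
```

       Two results are worth noting: "sub.example.edu" finds nothing, because
       the "example.edu" entry has no leading "." and so does not cover sub-
       domains, and "[mail.example.org]" without the ":587" suffix finds noth‐
       ing either, because bracketed keys get no parent-domain fallback.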
8159
8160       Note: The hostname strategy if  listed  in  a  non-default  setting  of
8161       smtp_tls_secure_cert_match  or in the match attribute in the policy ta‐
8162       ble can render the secure level vulnerable to DNS forgery. Do  not  use
8163       the hostname strategy for secure-channel configurations in environments
8164       where DNS security is not assured.
8165
8166       This feature is available in Postfix 2.3 and later.
8167

smtp_tls_protocols (default: !SSLv2, !SSLv3)

8169       List of TLS protocols that the Postfix  SMTP  client  will  exclude  or
8170       include  with  opportunistic  TLS  encryption.  The  default  value  is
8171       "!SSLv2, !SSLv3"  for  Postfix  releases  after  the  middle  of  2015,
8172       "!SSLv2"  for  older  releases.  Before  Postfix  2.6, the Postfix SMTP
8173       client would use all protocols with opportunistic TLS.
8174
8175       In main.cf the values are separated by whitespace, commas or colons. In
8176       the policy table (see smtp_tls_policy_maps) the only valid separator is
8177       colon. An empty value means allow all  protocols.  The  valid  protocol
8178       names (see SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
8179
8180       The range of protocols advertised by an SSL/TLS client must be contigu‐
8181       ous.  When a protocol version is enabled, disabling any higher  version
8182       implicitly  disables all versions above that higher version.  Thus, for
8183       example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
8184
8185           smtp_tls_protocols = !SSLv2, !TLSv1
8186       also disables any protocol version higher  than  TLSv1,  leaving  only
8187       "SSLv3" enabled.
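
       The following is an added illustration, not Postfix code, of  the  two
       rules  that  govern both this parameter and smtp_tls_mandatory_protocols
       above: "!name" excludes a version, a bare name includes  it  (and  once
       any  version  is listed for inclusion, versions not listed are excluded),
       and the advertised range must be contiguous, so the first disabled  ver‐
       sion  above  the  lowest  enabled  one cuts off everything higher. Which
       names exist depends on the OpenSSL and Postfix versions, so the list  of
       versions  the  library knows is a parameter; the two lists below are as‐
       sumed for the demo.

```python
"""Model of the Postfix SMTP client protocol lists (smtp_tls_protocols and
smtp_tls_mandatory_protocols).  Added illustration, not Postfix code.
"""
import re

# Assumed: a library that knows everything from SSLv2 through TLSv1.3.
KNOWN_MODERN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumed: an OpenSSL 1.0.0-era library that knows nothing newer than TLSv1.
KNOWN_LEGACY = ["SSLv2", "SSLv3", "TLSv1"]


def parse_protocol_list(value: str, known=KNOWN_MODERN) -> set:
    """Versions left enabled by a main.cf value (separators: whitespace,
    comma or colon) before the contiguity rule.  An empty value means every
    version the library knows; an unknown name is a configuration error."""
    include, exclude = set(), set()
    for token in re.split(r"[\s,:]+", value.strip()):
        if not token:
            continue
        name = token.lstrip("!")
        if name not in known:
            raise ValueError(f"unknown protocol name {token!r}")
        (exclude if token.startswith("!") else include).add(name)
    enabled = include if include else set(known)
    return enabled - exclude


def effective_protocols(value: str, known=KNOWN_MODERN) -> list:
    """Versions the client can actually advertise, in ascending order: walk
    up from the lowest enabled version and stop at the first disabled one."""
    enabled = parse_protocol_list(value, known)
    result = []
    for version in known:
        if version in enabled:
            result.append(version)
        elif result:
            break          # a hole above the lowest enabled version ends the range
    return result


if __name__ == "__main__":
    for setting in ("!SSLv2, !SSLv3", "!SSLv2, !TLSv1", "TLSv1", "TLSv1, TLSv1.2", ""):
        print(f"{setting!r:22} -> {effective_protocols(setting)}")
```

       The "TLSv1" case shows why the inclusion form is not recommended: on a
       library that knows TLSv1.1 and later, it leaves only TLSv1 enabled,
       whereas "!SSLv2, !SSLv3" enables TLSv1 and everything above it, and
       "TLSv1, TLSv1.2" collapses to TLSv1 alone because of the hole at
       TLSv1.1.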
8188
8189       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
8190       "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all  versions
8191       of  Postfix  >=  2.10  can  explicitly disable support for "TLSv1.1" or
8192       "TLSv1.2".
8193
8194       OpenSSL 1.1.1 introduces support for "TLSv1.3".  With  Postfix  >=  3.4
8195       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
8196       abled, if need be, via "!TLSv1.3".
8197
8198       To include a protocol list its name, to exclude  it,  prefix  the  name
8199       with  a  "!"  character.  To  exclude  SSLv2  for opportunistic TLS set
8200       "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3"  set
8201       "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
8202       to include, rather than protocols to exclude,  is  supported,  but  not
8203       recommended.   The  exclusion  form more closely matches the underlying
8204       OpenSSL interface semantics.
8205
8206       Example:
8207       # TLSv1 or better:
8208       smtp_tls_protocols = !SSLv2, !SSLv3
8209
8210       This feature is available in Postfix 2.6 and later.
8211
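The following Python model of the protocol list syntax and of the contiguity
rule described above is an added illustration; it is not Postfix code. It
assumes the six protocol names mentioned on this page ("SSLv2" through
"TLSv1.3") and that a policy-table attribute accepts only the colon separator.

```python
import re

# Protocol names accepted by Postfix, lowest version first (assumption: the
# six names documented for smtp_tls_protocols and the OpenSSL notes above).
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_protocol_list(value, policy_table=False):
    """Split a protocol list into (included, excluded) name sets.

    main.cf accepts whitespace, commas or colons as separators; a
    smtp_tls_policy_maps attribute accepts only colons.
    """
    sep = ":" if policy_table else r"[\s,:]+"
    included, excluded = set(), set()
    for token in re.split(sep, value.strip()):
        if not token:
            continue
        name = token[1:] if token.startswith("!") else token
        if name not in PROTOCOLS:
            raise ValueError(f"unknown protocol name: {token!r}")
        (excluded if token.startswith("!") else included).add(name)
    return included, excluded


def effective_protocols(value, policy_table=False):
    """Return the protocol versions an SMTP client is left with.

    An empty value enables everything.  Otherwise the exclusions are
    applied (and, with the not-recommended inclusion form, only the listed
    names are kept), then the contiguity rule: starting at the lowest
    enabled version, everything above the first disabled version is
    dropped as well.
    """
    included, excluded = parse_protocol_list(value, policy_table)
    if not included and not excluded:
        return list(PROTOCOLS)
    enabled = [p for p in PROTOCOLS
               if p not in excluded and (not included or p in included)]
    contiguous = []
    for p in (PROTOCOLS[PROTOCOLS.index(enabled[0]):] if enabled else []):
        if p not in enabled:
            break
        contiguous.append(p)
    return contiguous
```

Running effective_protocols("!SSLv2, !TLSv1") reproduces the page's example:
only "SSLv3" survives, because the gap at TLSv1 cuts off every higher version.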

smtp_tls_scert_verifydepth (default: 9)

8213       The verification depth for remote SMTP server certificates. A depth  of
8214       1 is sufficient if the issuing CA is listed in a local CA file.
8215
8216       The  default verification depth is 9 (the OpenSSL default) for compati‐
8217       bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
8218       value  was  5, but the limit was not actually enforced. If you have set
8219       this to a lower  non-default  value,  certificates  with  longer  trust
8220       chains  may  now fail to verify. Certificate chains with 1 or 2 CAs are
8221       common, deeper chains are more rare and any  number  between  5  and  9
8222       should suffice in practice. You can choose a lower number if, for exam‐
8223       ple, you trust certificates directly signed by an issuing  CA  but  not
8224       any CAs it delegates to.
8225
8226       This feature is available in Postfix 2.2 and later.
8227

smtp_tls_secure_cert_match (default: nexthop, dot-nexthop)

8229       How  the  Postfix  SMTP client verifies the server certificate peername
8230       for the "secure" TLS security level. In a  "secure"  TLS  policy  table
8231       ($smtp_tls_policy_maps)  entry the optional "match" attribute overrides
8232       this main.cf setting.
8233
8234       This parameter specifies one or more patterns or  strategies  separated
8235       by  commas,  whitespace  or colons.  In the policy table the only valid
8236       separator is the colon character.
8237
8238       For  a  description  of  the  pattern  and  strategy  syntax  see   the
8239       smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
8240       avoided in this context, as in the absence  of  a  secure  global  DNS,
8241       using  the  results  of  MX  lookups in certificate verification is not
8242       immune to active (man-in-the-middle) attacks on DNS.
8243
8244       Sample main.cf setting:
8245
8246           smtp_tls_secure_cert_match = nexthop
8247
8248       Sample policy table override:
8249
8250           example.net     secure match=example.com:.example.com
8251           .example.net    secure match=example.com:.example.com
8252
8253       This feature is available in Postfix 2.3 and later.
8254

smtp_tls_security_level (default: empty)

8256       The default SMTP TLS security level for the Postfix SMTP client; when a
8257       non-empty  value  is  specified, this overrides the obsolete parameters
8258       smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
8259
8260       Specify one of the following security levels:
8261
8262       none   No TLS. TLS will not be used unless enabled for specific  desti‐
8263              nations via smtp_tls_policy_maps.
8264
8265       may    Opportunistic  TLS.  Use  TLS if this is supported by the remote
8266              SMTP server, otherwise use plaintext. Since sending in the clear
8267              is  acceptable,  demanding  stronger  than  default TLS security
8268              merely reduces  interoperability.   The  "smtp_tls_ciphers"  and
8269              "smtp_tls_protocols"  (Postfix  >= 2.6) configuration parameters
8270              provide control over the protocols and cipher  grade  used  with
8271              opportunistic  TLS.  With earlier releases the opportunistic TLS
8272              cipher grade is always "export" and no protocols  are  disabled.
8273              When  TLS  handshakes  fail,  the connection is retried with TLS
8274              disabled.  This allows mail delivery to sites with  non-interop‐
8275              erable TLS implementations.
8276
8277       encrypt
8278              Mandatory  TLS  encryption. Since a minimum level of security is
8279              intended, it is reasonable to  be  specific  about  sufficiently
8280              secure protocol versions and ciphers. At this security level and
8281              higher, the main.cf parameters smtp_tls_mandatory_protocols  and
8282              smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
8283              cipher grade which the administrator considers secure enough for
8284              mandatory  encrypted  sessions.  This  security  level is not an
8285              appropriate default for systems delivering mail to the Internet.
8286
8287       dane   Opportunistic DANE TLS.  At this security level, the TLS  policy
8288              for  the destination is obtained via DNSSEC.  For TLSA policy to
8289              be in effect, the destination domain's containing DNS zone  must
8290              be signed and the Postfix SMTP client's operating system must be
8291              configured to send its DNS queries to a recursive DNS nameserver
8292              that is able to validate the signed records.  Each MX host's DNS
8293              zone should also be signed, and should publish  DANE  TLSA  (RFC
8294              7672) records that specify how that MX host's TLS certificate is
8295              to be verified.  TLSA records do not preempt the normal SMTP  MX
8296              host selection algorithm; if some MX hosts support TLSA and oth‐
8297              ers do not, TLS security will vary from  delivery  to  delivery.
8298              It  is  up  to  the domain owner to configure their MX hosts and
8299              their DNS sensibly.  To configure the Postfix  SMTP  client  for
8300              DNSSEC  lookups  see  the  documentation  for  the smtp_dns_sup‐
8301              port_level  main.cf  parameter.   When   DNSSEC-validated   TLSA
8302              records are not found the effective TLS security level is "may".
8303              When TLSA records are found, but are all unusable the  effective
8304              security  level  is  "encrypt".   For  purposes  of protocol and
8305              cipher selection, the "dane" security level is  treated  like  a
8306              "mandatory"  TLS  security level, and weak ciphers and protocols
8307              are disabled.  Since DANE authenticates server certificates  the
8308              "aNULL"  cipher-suites are transparently excluded at this level,
8309              no need to configure this manually.  RFC 7672 (DANE) TLS authen‐
8310              tication is available with Postfix 2.11 and later.
8311
8312       dane-only
8313              Mandatory  DANE  TLS.   This is just like "dane" above, but DANE
8314              TLSA authentication is required.  There is no fallback to  "may"
8315              or  "encrypt"  when  TLSA  records are missing or unusable.  RFC
8316              7672 (DANE) TLS authentication is available  with  Postfix  2.11
8317              and later.
8318
8319       fingerprint
8320              Certificate  fingerprint  verification.  At this security level,
8321              there are no trusted Certification Authorities.  The certificate
8322              trust  chain,  expiration  date, etc., are not checked. Instead,
8323              the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
8324              cate  fingerprint  or  public  key  fingerprint (Postfix 2.9 and
8325              later) of the valid server  certificate.  The  digest  algorithm
8326              used   to   calculate   the   fingerprint  is  selected  by  the
8327              smtp_tls_fingerprint_digest parameter.  Available  with  Postfix
8328              2.5 and later.
8329
8330       verify Mandatory  TLS  verification.  At  this  security  level, DNS MX
8331              lookups are trusted to be secure enough, and the  name  verified
8332              in  the  server  certificate  is usually obtained indirectly via
8333              unauthenticated DNS MX lookups.  The  smtp_tls_verify_cert_match
8334              parameter  controls how the server name is verified. In practice
8335              explicit control over matching is more common  at  the  "secure"
8336              level,  described below. This security level is not an appropri‐
8337              ate default for systems delivering mail to the Internet.
8338
8339       secure Secure-channel TLS.  At this security  level,  DNS  MX  lookups,
8340              though  potentially  used  to  determine  the candidate next-hop
8341              gateway IP addresses, are not trusted to be  secure  enough  for
8342              TLS peername verification. Instead, the default name verified in
8343              the server certificate is obtained from the next-hop  domain  as
8344              specified in the smtp_tls_secure_cert_match configuration param‐
8345              eter. The default matching rule is  that  a  server  certificate
8346              matches when its name is equal to or is a sub-domain of the nex‐
8347              thop domain. This security level is not an  appropriate  default
8348              for systems delivering mail to the Internet.
8349
8350       Examples:
8351
8352       # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8353       smtp_tls_security_level = none
8354
8355       # Opportunistic TLS.
8356       smtp_tls_security_level = may
8357       # Postfix >= 2.6:
8358       # Do not tweak opportunistic ciphers or protocol unless it is essential
8359       # to do so (if a security vulnerability is found in the SSL library that
8360       # can be mitigated by disabling a particular protocol or raising the
8361       # cipher grade from "export" to "low" or "medium").
8362       smtp_tls_ciphers = export
8363       smtp_tls_protocols = !SSLv2, !SSLv3
8364
8365       # Mandatory (high-grade) TLS encryption.
8366       smtp_tls_security_level = encrypt
8367       smtp_tls_mandatory_ciphers = high
8368
8369       # Mandatory TLS verification of hostname or nexthop domain.
8370       smtp_tls_security_level = verify
8371       smtp_tls_mandatory_ciphers = high
8372       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8373
8374       # Secure channel TLS with exact nexthop name match.
8375       smtp_tls_security_level = secure
8376       smtp_tls_mandatory_protocols = TLSv1
8377       smtp_tls_mandatory_ciphers = high
8378       smtp_tls_secure_cert_match = nexthop
8379
8380       # Certificate fingerprint verification (Postfix >= 2.5).
8381       # The CA-less "fingerprint" security level only scales to a limited
8382       # number of destinations. As a global default rather than a per-site
8383       # setting, this is practical when mail for all recipients is sent
8384       # to a central mail hub.
8385       relayhost = [mailhub.example.com]
8386       smtp_tls_security_level = fingerprint
8387       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8388       smtp_tls_mandatory_ciphers = high
8389       smtp_tls_fingerprint_cert_match =
8390           3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8391           EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8392
8393       This feature is available in Postfix 2.3 and later.
8394

smtp_tls_servername (default: empty)

8396       Optional  name to send to the remote SMTP server in the TLS Server Name
8397       Indication (SNI) extension.  The SNI extension is always on  when  DANE
8398       is  used to authenticate the server, and in that case the SNI name sent
8399       is  the one required by RFC 7672, and this parameter is ignored.
8400
8401       Some SMTP servers use the received SNI name to  select  an  appropriate
8402       certificate  chain  to  present  to the client.  While this may improve
8403       interoperability with such servers, it may reduce interoperability with
8404       other  servers that choose to abort the connection when they don't have
8405       a certificate chain configured for the requested  name.   Such  servers
8406       should  select  a default certificate chain and continue the handshake,
8407       but some may not.  Therefore, absent DANE,  no  SNI  name  is  sent  by
8408       default.
8409
8410       The  SNI  name  must be either a valid DNS hostname, or else one of the
8411       special values hostname or nexthop,  which  select  either  the  remote
8412       hostname or the nexthop domain respectively.  DNS names for SNI must be
8413       in A-label (punycode) form.  Invalid  DNS  names  log  a  configuration
8414       error warning and mail delivery is deferred.
8415
8416       Except  when  using a relayhost to forward all email, the only sensible
8417       non-empty main.cf  setting  for  this  parameter  is  hostname.   Other
8418       non-empty  values are only practical on a per-destination basis via the
8419       servername attribute of the Postfix TLS policy table.  When  in  doubt,
8420       leave  this  parameter  empty,  and  configure  per-destination  SNI as
8421       needed.
8422
8423       This feature is available in Postfix 3.4 and later.
8424

smtp_tls_session_cache_database (default: empty)

8426       Name of the file containing the optional Postfix SMTP client  TLS  ses‐
8427       sion  cache. Specify a database type that supports enumeration, such as
8428       btree or sdbm; there is no need to support concurrent access.  The file
8429       is  created  if it does not exist. The smtp(8) daemon does not use this
8430       parameter directly, rather the cache is implemented indirectly  in  the
8431       tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8432       of this parameter are not effective.  Note that each  of  the  cache
8433       databases supported by the tlsmgr(8) daemon,
8434       $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
8435       (and with Postfix 2.3 and later $lmtp_tls_session_cache_database),
8436       needs to be stored separately. It is not at this time  possible  to
8437       store multiple caches in a single database.
8438
8439       Note:  dbm  databases  are  not  suitable.  TLS session objects are too
8440       large.
8441
8442       As of version 2.5, Postfix no longer uses root privileges when  opening
8443       this  file.  The  file  should  now  be  stored under the Postfix-owned
8444       data_directory. As a migration aid, an attempt to open the file under a
8445       non-Postfix  directory  is  redirected to the Postfix-owned data_direc‐
8446       tory, and a warning is logged.
8447
8448       Example:
8449
8450       smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8451
8452       This feature is available in Postfix 2.2 and later.
8453

smtp_tls_session_cache_timeout (default: 3600s)

8455       The expiration time of Postfix SMTP client TLS session  cache  informa‐
8456       tion.   A  cache cleanup is performed periodically every $smtp_tls_ses‐
8457       sion_cache_timeout seconds. As  with  $smtp_tls_session_cache_database,
8458       this  parameter  is  implemented  in the tlsmgr(8) daemon and therefore
8459       per-smtp-instance master.cf overrides are not possible.
8460
8461       As of Postfix 2.11 this setting cannot exceed 100 days.  If set  <=  0,
8462       session  caching  is  disabled.  If set to a positive value less than 2
8463       minutes, the minimum value of 2 minutes is used instead.
8464
8465       This feature is available in Postfix 2.2 and later.
8466

smtp_tls_trust_anchor_file (default: empty)

8468       Zero or more PEM-format files  with  trust-anchor  certificates  and/or
8469       public  keys.  If the parameter is not empty the root CAs in CAfile and
8470       CApath are no longer trusted.  Rather, the  Postfix  SMTP  client  will
8471       only  trust  certificate-chains signed by one of the trust-anchors con‐
8472       tained in the chosen files.  The  specified  trust-anchor  certificates
8473       and  public  keys  are  not  subject  to  expiration,  and  need not be
8474       (self-signed) root CAs.  They may, if desired, be intermediate certifi‐
8475       cates.  Therefore, these certificates also may be found "in the middle"
8476       of the trust chain  presented  by  the  remote  SMTP  server,  and  any
8477       untrusted  issuing parent certificates will be ignored.  Specify a list
8478       of pathnames separated by comma or whitespace.
8479
8480       Whether specified in  main.cf,  or  on  a  per-destination  basis,  the
8481       trust-anchor  PEM file must be accessible to the Postfix SMTP client in
8482       the chroot jail if applicable.  The trust-anchor  file  should  contain
8483       only certificates and public keys, no private key material, and must be
8484       readable by the non-privileged $mail_owner user.  This allows  destina‐
8485       tions  to  be  bound  to  a  set of specific CAs or public keys without
8486       trusting the same CAs for all destinations.
8487
8488       The main.cf parameter  supports  single-purpose  Postfix  installations
8489       that  send  mail  to  a  fixed  set  of  SMTP peers.  At most sites, if
8490       trust-anchor files are used  at  all,  they  will  be  specified  on  a
8491       per-destination  basis  via  the "tafile" attribute of the "verify" and
8492       "secure" levels in smtp_tls_policy_maps.
8493
8494       The underlying mechanism is in support of RFC 7672 (DANE  TLSA),  which
8495       defines  mechanisms for an SMTP client MTA to securely determine server
8496       TLS certificates via DNS.
8497
8498       If you want your trust anchors to be public keys, with OpenSSL you  can
8499       extract a single PEM public key from a PEM X.509 file containing a sin‐
8500       gle certificate, as follows:
8501
8502           $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8503
8504       This feature is available in Postfix 2.11 and later.
8505

smtp_tls_verify_cert_match (default: hostname)

8507       How the Postfix SMTP client verifies the  server  certificate  peername
8508       for  the  "verify"  TLS  security level. In a "verify" TLS policy table
8509       ($smtp_tls_policy_maps) entry the optional "match" attribute  overrides
8510       this main.cf setting.
8511
8512       This  parameter  specifies one or more patterns or strategies separated
8513       by commas, whitespace or colons.  In the policy table  the  only  valid
8514       separator is the colon character.
8515
8516       Patterns specify domain names, or domain name suffixes:
8517
8518       example.com
8519              Match  the  example.com domain, i.e. one of the names in the
8520              server certificate must be example.com; upper and lower  case
8521              distinctions are ignored.
8522
8523       .example.com
8524              Match subdomains of the example.com domain, i.e. match a name in
8525              the server certificate that consists of  a  non-zero  number  of
8526              labels  followed by a .example.com suffix. Case distinctions are
8527              ignored.
8528
8529       Strategies specify a transformation from the  next-hop  domain  to  the
8530       expected name in the server certificate:
8531
8532       nexthop
8533              Match against the next-hop domain, which is either the recipient
8534              domain, or the transport  next-hop  configured  for  the  domain
8535              stripped  of  any  optional socket type prefix, enclosing square
8536              brackets and trailing port. When MX lookups are not  suppressed,
8537              this  is the original nexthop domain prior to the MX lookup, not
8538              the result of the MX lookup. For LMTP delivery  via  UNIX-domain
8539              sockets, the verified next-hop name is $myhostname.  This strat‐
8540              egy is suitable for  use  with  the  "secure"  policy.  Case  is
8541              ignored.
8542
8543       dot-nexthop
8544              As above, but match server certificate names that are subdomains
8545              of the next-hop domain. Case is ignored.
8546
8547       hostname
8548              Match against the hostname of the server, often obtained via  an
8549              unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
8550              sockets, the verified name is $myhostname. This matches the ver‐
8551              ification  strategy  of  the  "MUST"  keyword  in  the  obsolete
8552              smtp_tls_per_site table, and is suitable for use with the  "ver‐
8553              ify"  security  level.  When  the  next-hop  name is enclosed in
8554              square brackets to suppress MX lookups, the "hostname"  strategy
8555              is the same as the "nexthop" strategy. Case is ignored.
8556
8557       Sample main.cf setting:
8558
8559       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8560
8561       Sample policy table override:
8562
8563       example.com     verify  match=hostname:nexthop
8564       .example.com    verify  match=example.com:.example.com:hostname
8565
8566       This feature is available in Postfix 2.3 and later.
8567
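The following Python model of the peername matching shared by
smtp_tls_secure_cert_match and smtp_tls_verify_cert_match above is an added
illustration; it is not Postfix code. It covers the literal "example.com"
and ".example.com" patterns and the nexthop, dot-nexthop and hostname
strategies, including the reduction of a transport next-hop such as
"inet:[mail.example.com]:465" to its bare domain. It assumes the caller
supplies the names found in the server certificate and the MX host name
actually connected to; the LMTP UNIX-socket case ($myhostname) is not
modelled.

```python
import re


def nexthop_domain(nexthop):
    """Reduce a transport next-hop to the domain the "nexthop" strategy uses.

    Strips an optional socket type prefix, enclosing square brackets and a
    trailing port.  Returns (domain, bracketed); bracketed means MX lookups
    were suppressed, so the "hostname" strategy degenerates to "nexthop".
    """
    host = re.sub(r"^(inet|unix):", "", nexthop, count=1)
    bracketed = host.startswith("[")
    if bracketed:
        end = host.index("]")
        domain, rest = host[1:end], host[end + 1:]
        if rest and not re.fullmatch(r":\d+", rest):
            raise ValueError(f"malformed next-hop: {nexthop!r}")
    else:
        domain, _, port = host.rpartition(":")
        if not (domain and port.isdigit()):
            domain = host
    return domain.lower(), bracketed


def name_matches(cert_name, pattern):
    """Case-insensitive match of one certificate name against a pattern.

    "example.com" matches only that name; ".example.com" matches names with
    one or more labels in front of the suffix, never the bare domain.
    """
    cert_name, pattern = cert_name.lower(), pattern.lower()
    if pattern.startswith("."):
        return cert_name.endswith(pattern) and len(cert_name) > len(pattern)
    return cert_name == pattern


def parse_match_list(value, policy_table=False):
    """main.cf allows commas, whitespace or colons; "match=" only colons."""
    sep = ":" if policy_table else r"[\s,:]+"
    return [t for t in re.split(sep, value.strip()) if t]


def peername_matches(cert_names, match_list, nexthop, server_hostname):
    """True if any certificate name satisfies any pattern or strategy.

    cert_names: names taken from the server certificate.
    nexthop: recipient domain or transport next-hop as written in Postfix.
    server_hostname: the MX host actually connected to (unauthenticated
    DNS), consulted only by the "hostname" strategy.
    """
    domain, bracketed = nexthop_domain(nexthop)
    for item in match_list:
        if item == "nexthop":
            pattern = domain
        elif item == "dot-nexthop":
            pattern = "." + domain
        elif item == "hostname":
            pattern = domain if bracketed else server_hostname
        else:
            pattern = item  # literal domain or ".suffix" pattern
        if any(name_matches(n, pattern) for n in cert_names):
            return True
    return False
```

The last two assertions in the test below show why "hostname" is discouraged
at the "secure" level: with an unbracketed next-hop the name being verified
is whatever the MX lookup returned, so a spoofed MX record chooses the name.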

smtp_tls_wrappermode (default: no)

8569       Request  that  the  Postfix SMTP client connect using the legacy SMTPS
8570       protocol instead of using the STARTTLS command.
8571
8572       This mode requires "smtp_tls_security_level = encrypt" or stronger.
8573
8574       Example: deliver all remote mail via a  provider's  server  "mail.exam‐
8575       ple.com".
8576
8577       /etc/postfix/main.cf:
8578           # Client-side SMTPS requires "encrypt" or stronger.
8579           smtp_tls_security_level = encrypt
8580           smtp_tls_wrappermode = yes
8581           # The [] suppress MX lookups.
8582           relayhost = [mail.example.com]:465
8583
8584       More  examples  are in TLS_README, including examples for older Postfix
8585       versions.
8586
8587       This feature is available in Postfix 3.0 and later.
8588

smtp_use_tls (default: no)

8590       Opportunistic mode: use TLS when a remote SMTP server announces  START‐
8591       TLS  support,  otherwise  send the mail in the clear. Beware: some SMTP
8592       servers offer STARTTLS even if it is not configured.   With  Postfix  <
8593       2.3,  if  the  TLS  handshake  fails, and no other server is available,
8594       delivery is deferred and mail stays in the queue. If this is a  concern
8595       for you, use the smtp_tls_per_site feature instead.
8596
8597       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
8598       and later use smtp_tls_security_level instead.
8599

smtp_xforward_timeout (default: 300s)

8601       The Postfix SMTP client time limit for sending  the  XFORWARD  command,
8602       and for receiving the remote SMTP server response.
8603
8604       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
8605       The default time unit is s (seconds).
8606
8607       This feature is available in Postfix 2.1 and later.
8608

smtpd_authorized_verp_clients (default: $authorized_verp_clients)

8610       What remote SMTP clients are allowed  to  specify  the  XVERP  command.
8611       This  command  requests  that mail be delivered one recipient at a time
8612       with a per-recipient return address.
8613
8614       By default, no clients are allowed to specify XVERP.
8615
8616       This parameter was renamed with Postfix version 2.1. The default  value
8617       is backwards compatible with Postfix version 2.0.
8618
8619       Specify  a list of network/netmask patterns, separated by commas and/or
8620       whitespace. The mask specifies the number of bits in the  network  part
8621       of a host address. You can also specify hostnames or .domain names (the
8622       initial  dot  causes  the  domain  to  match  any   name   below   it),
8623       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
8624       replaced by its contents; a "type:table" lookup table is matched when a
8625       table  entry  matches  a  lookup string (the lookup result is ignored).
8626       Continue long lines by starting the next line with whitespace.  Specify
8627       "!pattern"  to  exclude  an address or network block from the list. The
8628       form "!/file/name" is supported only in Postfix version 2.4 and later.
8629
8630       Note: IP version 6 address information must be specified inside  []  in
8631       the  smtpd_authorized_verp_clients  value,  and in files specified with
8632       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
8633       would otherwise be confused with a "type:table" pattern.
8634

smtpd_authorized_xclient_hosts (default: empty)

8636       What  remote SMTP clients are allowed to use the XCLIENT feature.  This
8637       command overrides remote SMTP  client  information  that  is  used  for
8638       access  control.  Typical use is for SMTP-based content filters, fetch‐
8639       mail-like programs,  or  SMTP  server  access  rule  testing.  See  the
8640       XCLIENT_README document for details.
8641
8642       This feature is available in Postfix 2.1 and later.
8643
8644       By default, no clients are allowed to specify XCLIENT.
8645
8646       Specify  a list of network/netmask patterns, separated by commas and/or
8647       whitespace. The mask specifies the number of bits in the  network  part
8648       of a host address. You can also specify hostnames or .domain names (the
8649       initial  dot  causes  the  domain  to  match  any   name   below   it),
8650       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
8651       replaced by its contents; a "type:table" lookup table is matched when a
8652       table  entry  matches  a  lookup string (the lookup result is ignored).
8653       Continue long lines by starting the next line with whitespace.  Specify
8654       "!pattern"  to  exclude  an address or network block from the list. The
8655       form "!/file/name" is supported only in Postfix version 2.4 and later.
8656
8657       Note: IP version 6 address information must be specified inside  []  in
8658       the  smtpd_authorized_xclient_hosts  value, and in files specified with
8659       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
8660       would otherwise be confused with a "type:table" pattern.
8661

smtpd_authorized_xforward_hosts (default: empty)

8663       What remote SMTP clients are allowed to use the XFORWARD feature.  This
8664       command forwards information that is  used  to  improve  logging  after
8665       SMTP-based  content  filters.  See  the  XFORWARD_README  document  for
8666       details.
8667
8668       This feature is available in Postfix 2.1 and later.
8669
8670       By default, no clients are allowed to specify XFORWARD.
8671
8672       Specify a list of network/netmask patterns, separated by commas  and/or
8673       whitespace.  The  mask specifies the number of bits in the network part
8674       of a host address. You can also specify hostnames or .domain names (the
8675       initial   dot   causes   the  domain  to  match  any  name  below  it),
8676       "/file/name" or  "type:table"  patterns.   A  "/file/name"  pattern  is
8677       replaced by its contents; a "type:table" lookup table is matched when a
8678       table entry matches a lookup string (the  lookup  result  is  ignored).
8679       Continue  long lines by starting the next line with whitespace. Specify
8680       "!pattern" to exclude an address or network block from  the  list.  The
8681       form "!/file/name" is supported only in Postfix version 2.4 and later.
8682
8683       Note:  IP  version 6 address information must be specified inside [] in
8684       the smtpd_authorized_xforward_hosts value, and in files specified  with
8685       "/file/name".   IP  version  6 addresses contain the ":" character, and
8686       would otherwise be confused with a "type:table" pattern.
8687
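The following Python matcher for the client-list syntax that the three
parameters above (smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts
and smtpd_authorized_xforward_hosts) share is an added illustration; it is not
Postfix code. It handles network/netmask patterns, hostnames, ".domain"
suffixes, "!pattern" exclusions and IPv6 addresses written inside [], and
rejects a bare "addr:with:colons" entry for the reason the note gives. The
"/file/name" and "type:table" forms are deliberately not modelled, and the
first matching entry is assumed to decide the result.

```python
import ipaddress
import re


def parse_client_list(value):
    """Parse a list into [(negated, kind, pattern)] in the order written.

    kind is "net" (an ip_network), "host" (exact hostname) or "domain"
    (".suffix" that matches any name below it).
    """
    entries = []
    for token in re.split(r"[\s,]+", value.strip()):
        if not token:
            continue
        negated = token.startswith("!")
        token = token[1:] if negated else token
        if token.startswith("["):
            # IPv6 must be bracketed: "[2001:db8::]/32" or "[::1]".
            end = token.index("]")
            net = ipaddress.ip_network(token[1:end] + token[end + 1:], strict=False)
            entries.append((negated, "net", net))
        elif ":" in token:
            # Unbracketed ':' is a "type:table" pattern, not modelled here.
            raise ValueError(f"type:table entry or unbracketed IPv6: {token!r}")
        elif token.startswith("/"):
            raise ValueError(f"/file/name entry not modelled: {token!r}")
        elif re.fullmatch(r"[\d.]+(/\d+)?", token):
            entries.append((negated, "net", ipaddress.ip_network(token, strict=False)))
        elif token.startswith("."):
            entries.append((negated, "domain", token.lower()))
        else:
            entries.append((negated, "host", token.lower()))
    return entries


def client_allowed(entries, client_ip, client_hostname=None):
    """Return True if the client may use the feature.

    The first entry that matches decides: a "!pattern" match means the
    client is excluded.  No match (including the empty default) means not
    allowed.
    """
    ip = ipaddress.ip_address(client_ip)
    host = (client_hostname or "").lower()
    for negated, kind, pattern in entries:
        if kind == "net":
            hit = ip.version == pattern.version and ip in pattern
        elif kind == "host":
            hit = bool(host) and host == pattern
        else:
            hit = bool(host) and host.endswith(pattern)
        if hit:
            return not negated
    return False
```

A client whose hostname is unknown (no PTR record) can only match by
address, which is why the address patterns are the ones to rely on for
content-filter hosts.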

smtpd_banner (default: $myhostname ESMTP $mail_name)

8689       The text that follows the 220 status code in the SMTP greeting  banner.
8690       Some  people like to see the mail version advertised. By default, Post‐
8691       fix shows no version; advertising it tells every client, hostile ones
8692       included, which release is running.
8692
8693       You MUST specify $myhostname at the start of the text. This is required
8694       by the SMTP protocol.
8695
8696       Example:
8697
8698       smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
8699

smtpd_client_auth_rate_limit (default: 0)

8701       The  maximal number of AUTH commands that any client is allowed to send
8702       to this service per time unit, regardless of  whether  or  not  Postfix
8703       actually  accepts  those commands.  The time unit is specified with the
8704       anvil_rate_time_unit configuration parameter.
8705
8706       By default, there is no limit on the number of AUTH commands  that  a
8707       client may send.
8708
8709       To disable this feature, specify a limit of 0.
8710
8711       WARNING:  The purpose of this feature is to limit abuse. It must not be
8712       used to regulate legitimate mail traffic.
8713
8714       This feature is available in Postfix 3.1 and later.
8715

smtpd_client_connection_count_limit (default: 50)

8717       How many simultaneous connections any client is allowed to make to this
8718       service.   By  default,  the  limit  is set to half the default process
8719       limit value.
8720
8721       To disable this feature, specify a limit of 0.
8722
8723       WARNING: The purpose of this feature is to limit abuse. It must not  be
8724       used to regulate legitimate mail traffic.
8725
8726       This feature is available in Postfix 2.2 and later.
8727

smtpd_client_connection_rate_limit (default: 0)

8729       The maximal number of connection attempts any client is allowed to make
8730       to this service per time unit.  The time unit  is  specified  with  the
8731       anvil_rate_time_unit configuration parameter.
8732
8733       By  default,  a  client  can  make as many connections per time unit as
8734       Postfix can accept.
8735
8736       To disable this feature, specify a limit of 0.
8737
8738       WARNING: The purpose of this feature is to limit abuse. It must not  be
8739       used to regulate legitimate mail traffic.
8740
8741       This feature is available in Postfix 2.2 and later.
8742
8743       Example:
8744
8745       smtpd_client_connection_rate_limit = 1000
8746

smtpd_client_event_limit_exceptions (default: $mynetworks)

8748       Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
8749       tions. See the mynetworks parameter description for the parameter value
8750       syntax.
8751
8752       By default, clients in trusted networks are excluded. Specify a list of
8753       network blocks, hostnames or .domain names (the initial dot causes  the
8754       domain to match any name below it).
8755
8756       Note:  IP  version 6 address information must be specified inside [] in
8757       the smtpd_client_event_limit_exceptions value, and in  files  specified
8758       with  "/file/name".   IP version 6 addresses contain the ":" character,
8759       and would otherwise be confused with a "type:table" pattern.
8760
8761       Pattern matching of domain names  is  controlled  by  the  presence  or
8762       absence    of   "smtpd_client_event_limit_exceptions"   in   the   par‐
8763       ent_domain_matches_subdomains parameter value (postfix 3.0 and later).
8764
8765       This feature is available in Postfix 2.2 and later.
8766

smtpd_client_message_rate_limit (default: 0)

       The maximal number of message delivery requests that any client is
       allowed to make to this service per time unit, regardless of whether or
       not Postfix actually accepts those messages. The time unit is specified
       with the anvil_rate_time_unit configuration parameter.

       By default, a client can send as many message delivery requests per
       time unit as Postfix can accept.

       To disable this feature, specify a limit of 0.

       WARNING: The purpose of this feature is to limit abuse. It must not be
       used to regulate legitimate mail traffic.

       This feature is available in Postfix 2.2 and later.

       Example:

       smtpd_client_message_rate_limit = 1000


smtpd_client_new_tls_session_rate_limit (default: 0)

       The maximal number of new (i.e., uncached) TLS sessions that a remote
       SMTP client is allowed to negotiate with this service per time unit.
       The time unit is specified with the anvil_rate_time_unit configuration
       parameter.

       By default, a remote SMTP client can negotiate as many new TLS sessions
       per time unit as Postfix can accept.

       To disable this feature, specify a limit of 0. Otherwise, specify a
       limit that is at least the per-client concurrent session limit, or else
       legitimate client sessions may be rejected.

       WARNING: The purpose of this feature is to limit abuse. It must not be
       used to regulate legitimate mail traffic.

       This feature is available in Postfix 2.3 and later.

       Example:

       smtpd_client_new_tls_session_rate_limit = 100


smtpd_client_port_logging (default: no)

       Enable logging of the remote SMTP client port in addition to the
       hostname and IP address. The logging format is "host[address]:port".

       This feature is available in Postfix 2.5 and later.


smtpd_client_recipient_rate_limit (default: 0)

       The maximal number of recipient addresses that any client is allowed to
       send to this service per time unit, regardless of whether or not
       Postfix actually accepts those recipients. The time unit is specified
       with the anvil_rate_time_unit configuration parameter.

       By default, a client can send as many recipient addresses per time unit
       as Postfix can accept.

       To disable this feature, specify a limit of 0.

       WARNING: The purpose of this feature is to limit abuse. It must not be
       used to regulate legitimate mail traffic.

       This feature is available in Postfix 2.2 and later.

       Example:

       smtpd_client_recipient_rate_limit = 1000

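       The exception list described under smtpd_client_event_limit_exceptions
       and the per-client counting behind the smtpd_client_*_rate_limit
       parameters above, as an added Python model that is not Postfix code and
       not part of this manual page. The sample parameter value, the client
       addresses and names, and the hash:/etc/postfix/rate_exempt table path
       are constructed; anvil_rate_time_unit is assumed to be 60s.

```python
import ipaddress

# Added example, not Postfix code: models how a smtpd_client_event_limit_exceptions
# value is parsed and matched, and how a per-client event counter enforces a
# smtpd_client_*_rate_limit per anvil_rate_time_unit.
#
# Constructed sample value; the ".trusted.example" pattern and the
# "hash:/etc/postfix/rate_exempt" table path are placeholders, not a real setup.
EXCEPTIONS_VALUE = ("127.0.0.0/8, 10.0.0.0/8 [::1]/128 [2001:db8::]/32 "
                    ".trusted.example hash:/etc/postfix/rate_exempt")


def parse_exceptions(value):
    """Split a mynetworks-style value into networks, name patterns and
    type:table references. IPv6 information must be inside [] so that its
    ":" characters are not taken for a "type:table" pattern, as the page
    notes; this model does not open the referenced tables."""
    networks, names, tables = [], [], []
    for item in value.replace(",", " ").split():
        if item.startswith("["):
            close = item.index("]")
            # "[addr]" or "[addr]/prefix"; a bare address becomes a /128 block
            networks.append(ipaddress.ip_network(item[1:close] + item[close + 1:],
                                                 strict=False))
        elif ":" in item:
            tables.append(item)            # e.g. hash:/file/name, cidr:/file/name
        else:
            try:
                networks.append(ipaddress.ip_network(item, strict=False))
            except ValueError:
                names.append(item.lower())  # hostname or .domain pattern
    return networks, names, tables


def is_excepted(client_ip, client_name, networks, names, subdomain_matching=False):
    """True when the client is excluded from the rate limits.
    subdomain_matching models listing smtpd_client_event_limit_exceptions in
    parent_domain_matches_subdomains: a bare "domain" then also matches names
    below it; otherwise only the ".domain" form does."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in networks):
        return True
    name = (client_name or "").lower()
    for pattern in names:
        if pattern.startswith("."):
            if name.endswith(pattern):                 # any name below the domain
                return True
        elif name == pattern:
            return True
        elif subdomain_matching and name.endswith("." + pattern):
            return True
    return False


class EventRateLimiter:
    """Per-client counter: at most `limit` events per anvil_rate_time_unit
    (assumed 60s here); a limit of 0 disables the feature, as the page says.
    A client's count restarts once a full time unit has elapsed since the
    first event of its current window. Illustration only, not anvil(8)."""

    def __init__(self, limit, time_unit_seconds=60):
        self.limit = limit
        self.time_unit = time_unit_seconds
        self.windows = {}      # client ip -> (window start, event count)

    def allow(self, client_ip, now):
        """Record one event (connection, message or recipient, depending on
        which limit this instance models) and report whether the client is
        still within the limit for the current time unit."""
        if self.limit == 0:
            return True
        start, count = self.windows.get(client_ip, (now, 0))
        if now - start >= self.time_unit:
            start, count = now, 0
        count += 1
        self.windows[client_ip] = (start, count)
        return count <= self.limit


def check_event(limiter, client_ip, client_name, now, exceptions,
                subdomain_matching=False):
    """Exception list first, then the counter: excluded clients are never
    counted against a limit."""
    networks, names, _tables = exceptions
    if is_excepted(client_ip, client_name, networks, names, subdomain_matching):
        return True
    return limiter.allow(client_ip, now)


if __name__ == "__main__":
    exc = parse_exceptions(EXCEPTIONS_VALUE)
    limiter = EventRateLimiter(limit=2)    # smtpd_client_connection_rate_limit = 2
    for t, ip in enumerate(["198.51.100.9"] * 3 + ["2001:db8:1::5"] * 3):
        print(t, ip, check_event(limiter, ip, None, t, exc))
```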

smtpd_client_restrictions (default: empty)

       Optional restrictions that the Postfix SMTP server applies in the
       context of a client connection request. See SMTPD_ACCESS_README,
       section "Delayed evaluation of SMTP access restriction lists" for a
       discussion of evaluation context and time.

       The default is to allow all connection requests.

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace.
       Restrictions are applied in the order as specified; the first
       restriction that matches wins.

       The following restrictions are specific to client hostname or client
       network address information.

       check_ccert_access type:table
              By default use the remote SMTP client certificate fingerprint or
              the public key fingerprint (Postfix 2.9 and later) as lookup key
              for the specified access(5) database; with Postfix version 2.2,
              also require that the remote SMTP client certificate is verified
              successfully. The fingerprint digest algorithm is configurable
              via the smtpd_tls_fingerprint_digest parameter (hard-coded as
              md5 prior to Postfix version 2.5). This feature requires
              "smtpd_tls_ask_ccert = yes" and is available with Postfix
              version 2.2 and later.
              Alternatively, check_ccert_access accepts an explicit search
              order (Postfix 3.5 and later). The default search order as
              described above corresponds with:
              check_ccert_access { type:table, { search_order = cert_fingerprint,
              pubkey_fingerprint } }
              The commas are optional.

       check_client_access type:table
              Search the specified access database for the client hostname,
              parent domains, client IP address, or networks obtained by
              stripping least significant octets. See the access(5) manual
              page for details.

       check_client_a_access type:table
              Search the specified access(5) database for the IP addresses for
              the client hostname, and execute the corresponding action.
              Note: a result of "OK" is not allowed for safety reasons.
              Instead, use DUNNO in order to exclude specific hosts from
              blacklists. This feature is available in Postfix 3.0 and later.

       check_client_mx_access type:table
              Search the specified access(5) database for the MX hosts for the
              client hostname, and execute the corresponding action. Note: a
              result of "OK" is not allowed for safety reasons. Instead, use
              DUNNO in order to exclude specific hosts from blacklists. This
              feature is available in Postfix 2.7 and later.

       check_client_ns_access type:table
              Search the specified access(5) database for the DNS servers for
              the client hostname, and execute the corresponding action.
              Note: a result of "OK" is not allowed for safety reasons.
              Instead, use DUNNO in order to exclude specific hosts from
              blacklists. This feature is available in Postfix 2.7 and later.

       check_reverse_client_hostname_access type:table
              Search the specified access database for the unverified reverse
              client hostname, parent domains, client IP address, or networks
              obtained by stripping least significant octets. See the
              access(5) manual page for details. Note: a result of "OK" is
              not allowed for safety reasons. Instead, use DUNNO in order to
              exclude specific hosts from blacklists. This feature is
              available in Postfix 2.6 and later.

       check_reverse_client_hostname_a_access type:table
              Search the specified access(5) database for the IP addresses for
              the unverified reverse client hostname, and execute the
              corresponding action. Note: a result of "OK" is not allowed for
              safety reasons. Instead, use DUNNO in order to exclude specific
              hosts from blacklists. This feature is available in Postfix 3.0
              and later.

       check_reverse_client_hostname_mx_access type:table
              Search the specified access(5) database for the MX hosts for the
              unverified reverse client hostname, and execute the
              corresponding action. Note: a result of "OK" is not allowed for
              safety reasons. Instead, use DUNNO in order to exclude specific
              hosts from blacklists. This feature is available in Postfix 2.7
              and later.

       check_reverse_client_hostname_ns_access type:table
              Search the specified access(5) database for the DNS servers for
              the unverified reverse client hostname, and execute the
              corresponding action. Note: a result of "OK" is not allowed for
              safety reasons. Instead, use DUNNO in order to exclude specific
              hosts from blacklists. This feature is available in Postfix 2.7
              and later.

       check_sasl_access type:table
              Use the remote SMTP client SASL user name as lookup key for the
              specified access(5) database. The lookup key has the form
              "username@domainname" when the smtpd_sasl_local_domain parameter
              value is non-empty. Unlike the check_client_access feature,
              check_sasl_access does not perform matches of parent domains or
              IP subnet ranges. This feature is available with Postfix version
              2.11 and later.

       permit_inet_interfaces
              Permit the request when the client IP address matches
              $inet_interfaces.

       permit_mynetworks
              Permit the request when the client IP address matches any
              network or network address listed in $mynetworks.

       permit_sasl_authenticated
              Permit the request when the client is successfully authenticated
              via the RFC 4954 (AUTH) protocol.

       permit_tls_all_clientcerts
              Permit the request when the remote SMTP client certificate is
              verified successfully. This option must be used only if a
              special CA issues the certificates and only this CA is listed as
              trusted CA. Otherwise, clients with a third-party certificate
              would also be allowed to relay. Specify "tls_append_default_CA
              = no" when the trusted CA is specified with smtpd_tls_CAfile or
              smtpd_tls_CApath, to prevent Postfix from appending the
              system-supplied default CAs. This feature requires
              "smtpd_tls_ask_ccert = yes" and is available with Postfix
              version 2.2 and later.

       permit_tls_clientcerts
              Permit the request when the remote SMTP client certificate
              fingerprint or public key fingerprint (Postfix 2.9 and later) is
              listed in $relay_clientcerts. The fingerprint digest algorithm
              is configurable via the smtpd_tls_fingerprint_digest parameter
              (hard-coded as md5 prior to Postfix version 2.5). This feature
              requires "smtpd_tls_ask_ccert = yes" and is available with
              Postfix version 2.2 and later.

       reject_rbl_client rbl_domain=d.d.d.d
              Reject the request when the reversed client network address is
              listed with the A record "d.d.d.d" under rbl_domain (Postfix
              version 2.1 and later only). Each "d" is a number, or a pattern
              inside "[]" that contains one or more ";"-separated numbers or
              number..number ranges (Postfix version 2.8 and later). If no
              "=d.d.d.d" is specified, reject the request when the reversed
              client network address is listed with any A record under
              rbl_domain.
              The maps_rbl_reject_code parameter specifies the response code
              for rejected requests (default: 554), the default_rbl_reply
              parameter specifies the default server reply, and the
              rbl_reply_maps parameter specifies tables with server replies
              indexed by rbl_domain. This feature is available in Postfix 2.0
              and later.

       permit_dnswl_client dnswl_domain=d.d.d.d
              Accept the request when the reversed client network address is
              listed with the A record "d.d.d.d" under dnswl_domain. Each "d"
              is a number, or a pattern inside "[]" that contains one or more
              ";"-separated numbers or number..number ranges. If no
              "=d.d.d.d" is specified, accept the request when the reversed
              client network address is listed with any A record under
              dnswl_domain.
              For safety, permit_dnswl_client is silently ignored when it
              would override reject_unauth_destination. The result is
              DEFER_IF_REJECT when whitelist lookup fails. This feature is
              available in Postfix 2.8 and later.

       reject_rhsbl_client rbl_domain=d.d.d.d
              Reject the request when the client hostname is listed with the A
              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
              only). Each "d" is a number, or a pattern inside "[]" that
              contains one or more ";"-separated numbers or number..number
              ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
              specified, reject the request when the client hostname is listed
              with any A record under rbl_domain. See the reject_rbl_client
              description above for additional RBL related configuration
              parameters. This feature is available in Postfix 2.0 and later;
              with Postfix version 2.8 and later,
              reject_rhsbl_reverse_client will usually produce better results.

       permit_rhswl_client rhswl_domain=d.d.d.d
              Accept the request when the client hostname is listed with the A
              record "d.d.d.d" under rhswl_domain. Each "d" is a number, or a
              pattern inside "[]" that contains one or more ";"-separated
              numbers or number..number ranges. If no "=d.d.d.d" is specified,
              accept the request when the client hostname is listed with any A
              record under rhswl_domain.
              Caution: client name whitelisting is fragile, since the client
              name lookup can fail due to temporary outages. Client name
              whitelisting should be used only to reduce false positives in
              e.g. DNS-based blocklists, and not for making access rule
              exceptions.
              For safety, permit_rhswl_client is silently ignored when it
              would override reject_unauth_destination. The result is
              DEFER_IF_REJECT when whitelist lookup fails. This feature is
              available in Postfix 2.8 and later.

       reject_rhsbl_reverse_client rbl_domain=d.d.d.d
              Reject the request when the unverified reverse client hostname
              is listed with the A record "d.d.d.d" under rbl_domain. Each
              "d" is a number, or a pattern inside "[]" that contains one or
              more ";"-separated numbers or number..number ranges. If no
              "=d.d.d.d" is specified, reject the request when the unverified
              reverse client hostname is listed with any A record under
              rbl_domain. See the reject_rbl_client description above for
              additional RBL related configuration parameters. This feature
              is available in Postfix 2.8 and later.

       reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
              Reject the request when 1) the client IP address->name mapping
              fails, or 2) the name->address mapping fails, or 3) the
              name->address mapping does not match the client IP address.
              This is a stronger restriction than the
              reject_unknown_reverse_client_hostname feature, which triggers
              only under condition 1) above.
              The unknown_client_reject_code parameter specifies the response
              code for rejected requests (default: 450). The reply is always
              450 in case the address->name or name->address lookup failed due
              to a temporary problem.

       reject_unknown_reverse_client_hostname
              Reject the request when the client IP address has no
              address->name mapping.
              This is a weaker restriction than the
              reject_unknown_client_hostname feature, which requires not only
              that the address->name and name->address mappings exist, but
              also that the two mappings reproduce the client IP address.
              The unknown_client_reject_code parameter specifies the response
              code for rejected requests (default: 450). The reply is always
              450 in case the address->name lookup failed due to a temporary
              problem.
              This feature is available in Postfix 2.3 and later.

       In addition, you can use any of the following generic restrictions.
       These restrictions are applicable in any SMTP command context.

       check_policy_service servername
              Query the specified policy server. See the SMTPD_POLICY_README
              document for details. This feature is available in Postfix 2.1
              and later.

       defer  Defer the request. The client is told to try again later. This
              restriction is useful at the end of a restriction list, to make
              the default policy explicit.
              The defer_code parameter specifies the SMTP server reply code
              (default: 450).

       defer_if_permit
              Defer the request if some later restriction would result in an
              explicit or implicit PERMIT action. This is useful when a
              blacklisting feature fails due to a temporary problem. This
              feature is available in Postfix version 2.1 and later.

       defer_if_reject
              Defer the request if some later restriction would result in a
              REJECT action. This is useful when a whitelisting feature fails
              due to a temporary problem. This feature is available in
              Postfix version 2.1 and later.

       permit Permit the request. This restriction is useful at the end of a
              restriction list, to make the default policy explicit.

       reject_multi_recipient_bounce
              Reject the request when the envelope sender is the null address,
              and the message has multiple envelope recipients. This usage has
              rare but legitimate applications: under certain conditions,
              multi-recipient mail that was posted with the DSN option
              NOTIFY=NEVER may be forwarded with the null sender address.
              Note: this restriction can only work reliably when used in
              smtpd_data_restrictions or smtpd_end_of_data_restrictions,
              because the total number of recipients is not known at an
              earlier stage of the SMTP conversation. Use at the RCPT stage
              will only reject the second etc. recipient.
              The multi_recipient_bounce_reject_code parameter specifies the
              response code for rejected requests (default: 550). This
              feature is available in Postfix 2.1 and later.

       reject_plaintext_session
              Reject the request when the connection is not encrypted. This
              restriction should not be used before the client has had a
              chance to negotiate encryption with the AUTH or STARTTLS
              commands.
              The plaintext_reject_code parameter specifies the response code
              for rejected requests (default: 450). This feature is available
              in Postfix 2.3 and later.

       reject_unauth_pipelining
              Reject the request when the client sends SMTP commands ahead of
              time where it is not allowed, or when the client sends SMTP
              commands ahead of time without knowing that Postfix actually
              supports ESMTP command pipelining. This stops mail from bulk
              mail software that improperly uses ESMTP command pipelining in
              order to speed up deliveries.
              With Postfix 2.6 and later, the SMTP server sets a per-session
              flag whenever it detects illegal pipelining, including pipelined
              HELO or EHLO commands. The reject_unauth_pipelining feature
              simply tests whether the flag was set at any point in time
              during the session.
              With older Postfix versions, reject_unauth_pipelining checks the
              current status of the input read queue, and its usage is not
              recommended in contexts other than smtpd_data_restrictions.

       reject Reject the request. This restriction is useful at the end of a
              restriction list, to make the default policy explicit. The
              reject_code configuration parameter specifies the response code
              for rejected requests (default: 554).

       sleep seconds
              Pause for the specified number of seconds and proceed with the
              next restriction in the list, if any. This may stop zombie mail
              when used as:
              /etc/postfix/main.cf:
                  smtpd_client_restrictions =
                      sleep 1, reject_unauth_pipelining
                  smtpd_delay_reject = no
              This feature is available in Postfix 2.3.

       warn_if_reject
              A safety net for testing. When "warn_if_reject" is placed before
              a reject-type restriction, access table query, or
              check_policy_service query, this logs a "reject_warning" message
              instead of rejecting a request (when a reject-type restriction
              fails due to a temporary error, this logs a "reject_warning"
              message for any implicit "defer_if_permit" actions that would
              normally prevent mail from being accepted by some later access
              restriction). This feature has no effect on defer_if_reject
              restrictions.

       Other restrictions that are valid in this context:

       ·      SMTP command specific restrictions that are described under the
              smtpd_helo_restrictions, smtpd_sender_restrictions or
              smtpd_recipient_restrictions parameters. When helo, sender or
              recipient restrictions are listed under
              smtpd_client_restrictions, they have effect only with
              "smtpd_delay_reject = yes", so that $smtpd_client_restrictions
              is evaluated at the time of the RCPT TO command.

       Example:

       smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname

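       First-match evaluation of a smtpd_client_restrictions list, including
       the three conditions that separate reject_unknown_client_hostname from
       reject_unknown_reverse_client_hostname, the 450 reply on a temporary
       lookup failure, and the warn_if_reject safety net, as an added Python
       model that is not Postfix code and not part of this manual page. The
       PTR and A records and the client addresses are constructed; only the
       restrictions handled in apply_restriction are modelled.

```python
import ipaddress

# Added example, not Postfix code: evaluates a smtpd_client_restrictions list
# with first-match-wins semantics for some of the restrictions described above.
# DNS data is constructed: PTR maps client IP -> reverse name, A maps name ->
# addresses, and TEMPFAIL marks a lookup that failed due to a temporary problem.
TEMPFAIL = object()
PTR = {
    "192.0.2.10": "mx.example.com",     # forward-confirmed reverse DNS
    "192.0.2.20": "other.example.net",  # name resolves, but not to the client IP
    "192.0.2.30": None,                 # no address->name mapping: condition 1)
    "192.0.2.40": "dark.example.org",   # name has no address: condition 2)
    "192.0.2.50": TEMPFAIL,             # resolver timed out
}
A = {
    "mx.example.com": ["192.0.2.10"],
    "other.example.net": ["198.51.100.7"],
    "dark.example.org": [],
}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
UNKNOWN_CLIENT_REJECT_CODE = 450   # default of unknown_client_reject_code
REJECT_CODE = 554                  # default of reject_code
DEFER_CODE = 450                   # default of defer_code
# reject-type restrictions, the ones warn_if_reject applies to
REJECT_TYPE = {"reject_unknown_client_hostname",
               "reject_unknown_reverse_client_hostname", "reject"}


def reverse_client_hostname_unknown(ip):
    """reject_unknown_reverse_client_hostname: only condition 1) applies."""
    name = PTR.get(ip)
    return TEMPFAIL if name is TEMPFAIL else name is None


def client_hostname_unknown(ip):
    """reject_unknown_client_hostname: conditions 1), 2) and 3) from the page."""
    name = PTR.get(ip)
    if name is TEMPFAIL:
        return TEMPFAIL
    if name is None:
        return True                     # 1) address->name mapping fails
    addrs = A.get(name, [])
    if not addrs:
        return True                     # 2) name->address mapping fails
    return ip not in addrs              # 3) mapping does not reproduce client IP


def apply_restriction(name, ip):
    """(action, code) when the restriction matches; None means no match and
    the list moves on to the next entry."""
    if name == "permit_mynetworks":
        addr = ipaddress.ip_address(ip)
        return ("PERMIT", None) if any(addr in n for n in MYNETWORKS) else None
    if name in ("reject_unknown_client_hostname",
                "reject_unknown_reverse_client_hostname"):
        check = (client_hostname_unknown if name == "reject_unknown_client_hostname"
                 else reverse_client_hostname_unknown)
        result = check(ip)
        if result is TEMPFAIL:
            return ("DEFER", 450)       # reply is always 450 on a temporary problem
        return ("REJECT", UNKNOWN_CLIENT_REJECT_CODE) if result else None
    if name == "permit":
        return ("PERMIT", None)
    if name == "reject":
        return ("REJECT", REJECT_CODE)
    if name == "defer":
        return ("DEFER", DEFER_CODE)
    raise ValueError("restriction not modelled here: " + name)


def evaluate(restrictions, ip):
    """Apply the list in order; the first restriction that matches wins, and
    an exhausted list permits (the page's default). warn_if_reject turns the
    outcome of the following reject-type restriction into a logged warning
    and keeps evaluating. Returns (action, code, matched entry, warnings)."""
    warnings, warn_next = [], False
    for r in restrictions:
        if r == "warn_if_reject":
            warn_next = True
            continue
        outcome = apply_restriction(r, ip)
        if warn_next:
            warn_next = False
            if r in REJECT_TYPE and outcome is not None:
                warnings.append("reject_warning: %s would %s %s" % (r, outcome[0], ip))
                continue
        if outcome is not None:
            return outcome[0], outcome[1], r, warnings
    return "PERMIT", None, "default", warnings


# The page's own example list, exercised against the constructed clients.
EXAMPLE_LIST = ["permit_mynetworks", "reject_unknown_client_hostname"]

if __name__ == "__main__":
    for ip in PTR:
        print(ip, evaluate(EXAMPLE_LIST, ip)[:3])
```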

smtpd_command_filter (default: empty)

       A mechanism to transform commands from remote SMTP clients. This is a
       last-resort tool to work around client commands that break
       interoperability with the Postfix SMTP server. Other uses involve fault
       injection to test Postfix's handling of invalid commands.

       Specify the name of a "type:table" lookup table. The search string is
       the SMTP command as received from the remote SMTP client, except that
       initial whitespace and the trailing <CR><LF> are removed. The result
       value is executed by the Postfix SMTP server.

       There is no need to use smtpd_command_filter for the following cases:

       ·      Use "resolve_numeric_domain = yes" to accept "user@ipaddress".

       ·      Postfix already accepts the correct form "user@[ipaddress]". Use
              virtual_alias_maps or canonical_maps to translate these into
              domain names if necessary.

       ·      Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
              <user@example.com>>". Postfix will ignore the "User Name" part
              and deliver to the <user@example.com> address.

       Examples of problems that can be solved with the smtpd_command_filter
       feature:

       /etc/postfix/main.cf:
           smtpd_command_filter = pcre:/etc/postfix/command_filter

       /etc/postfix/command_filter:
           # Work around clients that send malformed HELO commands.
           /^HELO\s*$/ HELO domain.invalid

           # Work around clients that send empty lines.
           /^\s*$/     NOOP

           # Work around clients that send RCPT TO:<'user@domain'>.
           # WARNING: do not lose the parameters that follow the address.
           /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/     $1$2$3

           # Append XVERP to MAIL FROM commands to request VERP-style delivery.
           # See VERP_README for more information on how to use Postfix VERP.
           /^(MAIL FROM:\s*<listname@example\.com>.*)/   $1 XVERP

           # Bounce-never mail sink. Use notify_classes=bounce,resource,software
           # to send bounced mail to the postmaster (with message body removed).
           /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/     $1 NOTIFY=NEVER$2
           /^(RCPT\s+TO:.*)/                             $1 NOTIFY=NEVER

       This feature is available in Postfix 2.7.

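       The command_filter rules above applied to sample command lines, as an
       added Python example that is not Postfix code and not part of this
       manual page: it reproduces the lookup key handling (initial whitespace
       and the trailing <CR><LF> removed) and the first-match semantics of a
       pcre table, and shows what the SMTP server would execute. The sample
       commands are constructed; the POSIX [:space:] class and the $N
       back-references are translated to Python's re syntax.

```python
import re

# Added example, not Postfix code: applies the pcre command_filter rules from
# the example above to sample SMTP command lines. The rules are the page's;
# the sample command lines below are constructed.
COMMAND_FILTER = [
    # (pcre pattern, replacement with $N back-references), in table order
    (r"^HELO\s*$", "HELO domain.invalid"),
    (r"^\s*$", "NOOP"),
    (r"^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)", "$1$2$3"),
    (r"^(MAIL FROM:\s*<listname@example\.com>.*)", "$1 XVERP"),
    (r"^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)", "$1 NOTIFY=NEVER$2"),
    (r"^(RCPT\s+TO:.*)", "$1 NOTIFY=NEVER"),
]


def compile_rules(rules):
    """Translate the table into Python regexes: Python's re has no POSIX
    bracket classes, so [:space:] becomes \\s, and $N becomes \\g<N>.
    pcre tables match case-insensitively by default (pcre_table(5) flag "i"
    is on), hence re.IGNORECASE."""
    compiled = []
    for pattern, replacement in rules:
        pattern = pattern.replace("[:space:]", r"\s")
        replacement = re.sub(r"\$(\d+)", r"\\g<\1>", replacement)
        compiled.append((re.compile(pattern, re.IGNORECASE), replacement))
    return compiled


RULES = compile_rules(COMMAND_FILTER)


def filter_command(raw_line, rules=RULES):
    """Return the command the SMTP server executes: the lookup key is the line
    with initial whitespace and one trailing <CR><LF> removed; the first rule
    whose pattern matches supplies the result, and an unmatched command is
    executed unchanged."""
    key = re.sub(r"\r?\n\Z", "", raw_line).lstrip(" \t")
    for regex, replacement in rules:
        match = regex.search(key)
        if match:
            return match.expand(replacement)
    return key


if __name__ == "__main__":
    for line in ["  HELO\r\n", "\r\n",
                 "RCPT TO:<'bob@example.com'> NOTIFY=SUCCESS\r\n",
                 "RCPT TO:<alice@example.org> NOTIFY=SUCCESS,FAILURE ORCPT=rfc822;x\r\n",
                 "DATA\r\n"]:
        print(repr(line), "->", filter_command(line))
```

       A quoted RCPT TO address matches the third rule, so the NOTIFY=NEVER
       rewrite further down the table is not applied to it: only the first
       matching pattern's result is executed.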

smtpd_data_restrictions (default: empty)

       Optional access restrictions that the Postfix SMTP server applies in
       the context of the SMTP DATA command. See SMTPD_ACCESS_README, section
       "Delayed evaluation of SMTP access restriction lists" for a discussion
       of evaluation context and time.

       This feature is available in Postfix 2.0 and later.

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace.
       Restrictions are applied in the order as specified; the first
       restriction that matches wins.

       The following restrictions are valid in this context:

       ·      Generic restrictions that can be used in any SMTP command
              context, described under smtpd_client_restrictions.

       ·      SMTP command specific restrictions described under
              smtpd_client_restrictions, smtpd_helo_restrictions,
              smtpd_sender_restrictions or smtpd_recipient_restrictions.

       ·      However, no recipient information is available in the case of
              multi-recipient mail. Acting on only one recipient would be
              misleading, because any decision will affect all recipients
              equally. Acting on all recipients would require a possibly very
              large amount of memory, and would also be misleading for the
              reasons mentioned before.

       Examples:

       smtpd_data_restrictions = reject_unauth_pipelining
       smtpd_data_restrictions = reject_multi_recipient_bounce


smtpd_delay_open_until_valid_rcpt (default: yes)

       Postpone the start of an SMTP mail transaction until a valid RCPT TO
       command is received. Specify "no" to create a mail transaction as soon
       as the Postfix SMTP server receives a valid MAIL FROM command.

       With sites that reject lots of mail, the default setting reduces the
       use of disk, CPU and memory resources. The downside is that rejected
       recipients are logged with NOQUEUE instead of a mail transaction ID.
       This complicates the logfile analysis of multi-recipient mail.

       This feature is available in Postfix 2.3 and later.


smtpd_delay_reject (default: yes)

       Wait until the RCPT TO command before evaluating
       $smtpd_client_restrictions, $smtpd_helo_restrictions and
       $smtpd_sender_restrictions, or wait until the ETRN command before
       evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.

       This feature is turned on by default because some clients apparently
       mis-behave when the Postfix SMTP server rejects commands before RCPT
       TO.

       The default setting has one major benefit: it allows Postfix to log
       recipient address information when rejecting a client name/address or
       sender address, so that it is possible to find out whose mail is being
       rejected.


smtpd_discard_ehlo_keyword_address_maps (default: empty)

       Lookup tables, indexed by the remote SMTP client address, with case
       insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
       that the Postfix SMTP server will not send in the EHLO response to a
       remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
       tables are not searched by hostname for robustness reasons.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       This feature is available in Postfix 2.2 and later.


smtpd_discard_ehlo_keywords (default: empty)

       A case insensitive list of EHLO keywords (pipelining, starttls, auth,
       etc.) that the Postfix SMTP server will not send in the EHLO response
       to a remote SMTP client.

       This feature is available in Postfix 2.2 and later.

       Notes:

       ·      Specify the silent-discard pseudo keyword to prevent this action
              from being logged.

       ·      Use the smtpd_discard_ehlo_keyword_address_maps feature to
              discard EHLO keywords selectively.


smtpd_dns_reply_filter (default: empty)

       Optional filter for Postfix SMTP server DNS lookup results. See
       smtp_dns_reply_filter for details including an example.

       This feature is available in Postfix 3.0 and later.


smtpd_end_of_data_restrictions (default: empty)

       Optional access restrictions that the Postfix SMTP server applies in
       the context of the SMTP END-OF-DATA command. See SMTPD_ACCESS_README,
       section "Delayed evaluation of SMTP access restriction lists" for a
       discussion of evaluation context and time.

       This feature is available in Postfix 2.2 and later.

       See smtpd_data_restrictions for details and limitations.


smtpd_enforce_tls (default: no)

       Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
       require that clients use TLS encryption. According to RFC 2487 this
       MUST NOT be applied in case of a publicly-referenced SMTP server. This
       option is therefore off by default.

       Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".

       Note 2: when invoked via "sendmail -bs", Postfix will never offer
       STARTTLS due to insufficient privileges to access the server private
       key. This is intended behavior.

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtpd_tls_security_level instead.


smtpd_error_sleep_time (default: 1s)

9346       With  Postfix  version  2.1  and  later: the SMTP server response delay
9347       after a client has made more than $smtpd_soft_error_limit  errors,  and
9348       fewer than $smtpd_hard_error_limit errors, without delivering mail.
9349
9350       With  Postfix  version  2.0  and  earlier: the SMTP server delay before
9351       sending a reject (4xx or 5xx) response, when the client has made  fewer
9352       than $smtpd_soft_error_limit errors without delivering mail.
9353

smtpd_etrn_restrictions (default: empty)

9355       Optional  restrictions that the Postfix SMTP server applies in the con‐
9356       text of  a  client  ETRN  command.   See  SMTPD_ACCESS_README,  section
9357       "Delayed  evaluation of SMTP access restriction lists" for a discussion
9358       of evaluation context and time.
9359
9360       The Postfix ETRN implementation accepts only destinations that are eli‐
9361       gible  for  the  Postfix "fast flush" service. See the ETRN_README file
9362       for details.
9363
9364       Specify a list of restrictions, separated by commas and/or  whitespace.
9365       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9366       Restrictions are applied in the order as specified; the first  restric‐
9367       tion that matches wins.
9368
9369       The  following restrictions are specific to the domain name information
9370       received with the ETRN command.
9371
9372       check_etrn_access type:table
9373              Search the specified access database for the ETRN domain name or
9374              its parent domains. See the access(5) manual page for details.
9375
9376       Other restrictions that are valid in this context:
9377
9378       ·      Generic  restrictions  that can be used in any SMTP command con‐
9379              text, described under smtpd_client_restrictions.
9380
9381       ·      SMTP   command    specific    restrictions    described    under
9382              smtpd_client_restrictions and smtpd_helo_restrictions.
9383
9384       Example:
9385
9386       smtpd_etrn_restrictions = permit_mynetworks, reject
9387

smtpd_expansion_filter (default: see postconf -d output)

9389       What characters are allowed in $name expansions of RBL reply templates.
9390       Characters not in the allowed set are replaced  by  "_".   Use  C  like
9391       escapes to specify special characters such as whitespace.
9392
9393       The  smtpd_expansion_filter  value is not subject to Postfix configura‐
9394       tion parameter $name expansion.
9395
9396       This feature is available in Postfix 2.0 and later.
9397
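       What the smtpd_expansion_filter character set actually protects, as an added
       Python example that is not Postfix's own code: a $name expansion in an RBL
       reply template is built from data an outsider controls (for instance a TXT
       record returned by the RBL), so any character outside the allowed set, a CR
       or LF above all, is turned into "_" before it can terminate the SMTP reply
       line. The allowed set below is constructed for the example and is not the
       shipped default (see postconf -d); the C-like escape parser, the $rbl_*
       names (after the default_rbl_reply template) and the TXT record are the
       example's own assumptions.

```python
import re
from typing import Dict

# Constructed allowed-character spec in the syntax smtpd_expansion_filter uses:
# tab and space as C-like escapes, then printable ASCII without backslash or "$".
# This is an example set, not the shipped default.
ALLOWED_SPEC = ("\\t\\40" + "!\"#%&'()*+,-./0123456789:;<=>?@"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~")


def parse_c_escapes(spec: str) -> str:
    """Turn \\t, \\n, \\r and \\NNN (octal) in a main.cf value into the characters they name."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] != "\\" or i + 1 == len(spec):
            out.append(spec[i])
            i += 1
            continue
        octal = re.match(r"[0-7]{1,3}", spec[i + 1:])
        if octal:
            out.append(chr(int(octal.group(), 8)))
            i += 1 + len(octal.group())
        else:
            out.append({"t": "\t", "n": "\n", "r": "\r"}.get(spec[i + 1], spec[i + 1]))
            i += 2
    return "".join(out)


def filter_expansion(value: str, allowed: str) -> str:
    """Replace every character outside the allowed set with "_", as the page describes."""
    return "".join(c if c in allowed else "_" for c in value)


def expand_reply_template(template: str, values: Dict[str, str], allowed: str) -> str:
    """Expand $name / ${name} in a reply template (the ${name?...} forms are left out
    of this model). Only substituted values go through the filter; the template
    text itself is the administrator's and is not touched."""
    return re.sub(r"\$\{?([A-Za-z0-9_]+)\}?",
                  lambda m: filter_expansion(values.get(m.group(1), ""), allowed), template)


ALLOWED = parse_c_escapes(ALLOWED_SPEC)

if __name__ == "__main__":
    # Constructed: an RBL TXT record that tries to smuggle a second SMTP reply line.
    txt = "listed; see https://rbl.example/q?ip=203.0.113.5\r\n250 2.0.0 Ok"
    print(expand_reply_template("$rbl_code $rbl_class $rbl_what blocked using $rbl_domain: ${rbl_txt}",
                                {"rbl_code": "554", "rbl_class": "Client host",
                                 "rbl_what": "[203.0.113.5]", "rbl_domain": "rbl.example",
                                 "rbl_txt": txt}, ALLOWED))
```

       Run as a script, the smuggled "\r\n250 2.0.0 Ok" comes out as "__250 2.0.0
       Ok" on the same reply line, which is the whole point of the filter: a remote
       party can influence the wording of a reject reply, but not its framing.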

smtpd_forbidden_commands (default: CONNECT, GET, POST)

9399       List of commands that cause the Postfix SMTP server to immediately ter‐
9400       minate  the  session  with  a  221 code. This can be used to disconnect
9401       clients that obviously attempt to abuse the system. In addition to  the
9402       commands  listed  in  this parameter, commands that follow the "Label:"
9403       format of message headers will also cause a disconnect.
9404
9405       This feature is available in Postfix 2.2 and later.
9406

smtpd_hard_error_limit (default: normal: 20, overload: 1)

9408       The maximal number of errors a remote SMTP client is  allowed  to  make
9409       without  delivering  mail. The Postfix SMTP server disconnects when the
9410       limit is exceeded. Normally the default limit is  20,  but  it  changes
9411       under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
9412       always allows up to 20 errors by default.
9413

smtpd_helo_required (default: no)

9415       Require that a remote SMTP client introduces itself with  the  HELO  or
9416       EHLO  command  before  sending  the MAIL command or other commands that
9417       require EHLO negotiation.
9418
9419       Example:
9420
9421       smtpd_helo_required = yes
9422

smtpd_helo_restrictions (default: empty)

9424       Optional restrictions that the Postfix SMTP server applies in the  con‐
9425       text  of  a  client  HELO  command.   See  SMTPD_ACCESS_README, section
9426       "Delayed evaluation of SMTP access restriction lists" for a  discussion
9427       of evaluation context and time.
9428
9429       The default is to permit everything.
9430
9431       Note:  specify  "smtpd_helo_required  =  yes"  to  fully  enforce  this
9432       restriction (without "smtpd_helo_required = yes", a client  can  simply
9433       skip smtpd_helo_restrictions by not sending HELO or EHLO).
9434
9435       Specify  a list of restrictions, separated by commas and/or whitespace.
9436       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9437       Restrictions  are applied in the order as specified; the first restric‐
9438       tion that matches wins.
9439
9440       The following restrictions are specific  to  the  hostname  information
9441       received with the HELO or EHLO command.
9442
9443       check_helo_access type:table
9444              Search  the  specified  access(5)  database for the HELO or EHLO
9445              hostname  or  parent  domains,  and  execute  the  corresponding
9446              action.   Note:  specify  "smtpd_helo_required  =  yes" to fully
9447              enforce this restriction (without "smtpd_helo_required = yes", a
9448              client  can simply skip check_helo_access by not sending HELO or
9449              EHLO).
9450
9451       check_helo_a_access type:table
9452              Search the specified access(5) database for the IP addresses for
9453              the HELO or EHLO hostname, and execute the corresponding action.
9454              Note 1: a result of "OK" is  not  allowed  for  safety  reasons.
9455              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
9456              blacklists.  Note 2:  specify  "smtpd_helo_required  =  yes"  to
9457              fully  enforce  this restriction (without "smtpd_helo_required =
9458              yes", a client can simply skip check_helo_a_access by not  send‐
9459              ing HELO or EHLO).  This feature is available in Postfix 3.0 and
9460              later.
9461
9462       check_helo_mx_access type:table
9463              Search the specified access(5) database for the MX hosts for the
9464              HELO  or  EHLO  hostname,  and execute the corresponding action.
9465              Note 1: a result of "OK" is  not  allowed  for  safety  reasons.
9466              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
9467              blacklists.  Note 2:  specify  "smtpd_helo_required  =  yes"  to
9468              fully  enforce  this restriction (without "smtpd_helo_required =
9469              yes", a client can simply skip check_helo_mx_access by not send‐
9470              ing HELO or EHLO).  This feature is available in Postfix 2.1 and
9471              later.
9472
9473       check_helo_ns_access type:table
9474              Search the specified access(5) database for the DNS servers  for
9475              the HELO or EHLO hostname, and execute the corresponding action.
9476              Note 1: a result of "OK" is  not  allowed  for  safety  reasons.
9477              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
9478              blacklists.  Note 2:  specify  "smtpd_helo_required  =  yes"  to
9479              fully  enforce  this restriction (without "smtpd_helo_required =
9480              yes", a client can simply skip check_helo_ns_access by not send‐
9481              ing  HELO or EHLO). This feature is available in Postfix 2.1 and
9482              later.
9483
9484       reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
9486              Reject  the request when the HELO or EHLO hostname is malformed.
9487              Note: specify "smtpd_helo_required = yes" to fully enforce  this
9488              restriction  (without  "smtpd_helo_required = yes", a client can
9489              simply skip reject_invalid_helo_hostname by not sending HELO  or
9490              EHLO).
9491              The invalid_hostname_reject_code specifies the response code for
9492              rejected requests (default: 501).
9493
9494       reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
9496              Reject  the  request  when  the  HELO or EHLO hostname is not in
9497              fully-qualified domain or address literal form, as  required  by
9498              the  RFC.  Note:  specify  "smtpd_helo_required  = yes" to fully
9499              enforce this restriction (without "smtpd_helo_required = yes", a
9500              client  can  simply  skip  reject_non_fqdn_helo_hostname  by not
9501              sending HELO or EHLO).
9502              The non_fqdn_reject_code parameter specifies the  response  code
9503              for rejected requests (default: 504).
9504
9505       reject_rhsbl_helo rbl_domain=d.d.d.d
9506              Reject the request when the HELO or EHLO hostname is listed with
9507              the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
9508              later  only).   Each  "d"  is a number, or a pattern inside "[]"
9509              that contains one or more ";"-separated numbers or  number..num‐
9510              ber ranges (Postfix version 2.8 and later).  If no "=d.d.d.d" is
9511              specified, reject the request when the HELO or EHLO hostname  is
9512              listed   with   any   A   record   under   rbl_domain.  See  the
9513              reject_rbl_client description for additional RBL related config‐
9514              uration  parameters.   Note: specify "smtpd_helo_required = yes"
9515              to fully enforce this restriction (without  "smtpd_helo_required
9516              =  yes", a client can simply skip reject_rhsbl_helo by not send‐
9517              ing HELO or EHLO). This feature is available in Postfix 2.0  and
9518              later.
9519
9520       reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
9522              Reject the request when the HELO or EHLO hostname has no  DNS  A
9523              or MX record.
9524              The  reply  is  specified  with the unknown_hostname_reject_code
9525              parameter (default: 450) or unknown_helo_hostname_tempfail_action
9526              (default: defer_if_permit).  See the respective
9527              parameter descriptions for details.
9528              Note: specify "smtpd_helo_required = yes" to fully enforce  this
9529              restriction  (without  "smtpd_helo_required = yes", a client can
9530              simply skip reject_unknown_helo_hostname by not sending HELO  or
9531              EHLO).
9532
9533       Other restrictions that are valid in this context:
9534
9535       ·      Generic  restrictions  that can be used in any SMTP command con‐
9536              text, described under smtpd_client_restrictions.
9537
9538       ·      Client  hostname  or  network  address   specific   restrictions
9539              described under smtpd_client_restrictions.
9540
9541       ·      SMTP    command    specific    restrictions    described   under
9542              smtpd_sender_restrictions or smtpd_recipient_restrictions.  When
9543              sender    or    recipient    restrictions   are   listed   under
9544              smtpd_helo_restrictions,   they   have    effect    only    with
9545              "smtpd_delay_reject  = yes", so that $smtpd_helo_restrictions is
9546              evaluated at the time of the RCPT TO command.
9547
9548       Examples:
9549
9550       smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
9551       smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
9552
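       The evaluation rules spelled out in this entry, as an added Python model
       that is not Postfix's own code: first match wins, check_helo_access searches
       the hostname and then each parent domain, the reject_invalid_* and
       reject_non_fqdn_* tests, the "rbl_domain=d.d.d.d" filter syntax with "[]",
       ";" and ".." (which reject_rhsbl_helo here and reject_rhsbl_recipient under
       smtpd_recipient_restrictions share), and the bypass the notes warn about: a
       client that never sends HELO/EHLO never reaches this list unless
       smtpd_helo_required = yes. The access table contents, the RBL zone answers,
       the networks and the hostname syntax checks are constructed assumptions of
       the example; the table name given to check_helo_access is carried along but
       not opened.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed data (not from the page) so the evaluator runs offline:
# HELO_ACCESS stands in for the access(5) table named by check_helo_access,
# RBL_A_RECORDS for the DNS answers reject_rhsbl_helo would query.
HELO_ACCESS: Dict[str, str] = {"spam.example.net": "REJECT", "example.org": "OK"}
RBL_A_RECORDS: Dict[str, List[str]] = {
    "mail.listed.example.rbl.example": ["127.0.0.4"],
    "mail.benign.example.rbl.example": ["127.0.0.100"],   # listed, but outside the filter below
}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.?$", re.I)

EXAMPLE_RESTRICTIONS = [
    "permit_mynetworks",
    "check_helo_access hash:/etc/postfix/helo_access",
    "reject_invalid_helo_hostname",
    "reject_non_fqdn_helo_hostname",
    "reject_rhsbl_helo rbl.example=127.0.0.[2..11]",
]


def is_address_literal(name: str) -> bool:
    return name.startswith("[") and name.endswith("]")


def is_valid_helo(name: str) -> bool:          # reject_invalid_helo_hostname
    return is_address_literal(name) or bool(HOSTNAME_RE.match(name))


def is_fqdn_helo(name: str) -> bool:           # reject_non_fqdn_helo_hostname
    return is_address_literal(name) or "." in name.strip(".")


def access_lookup(table: Dict[str, str], name: str) -> Optional[str]:
    """check_helo_access: try the hostname, then each parent domain in turn."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit:
            return hit.upper()
    return None


def parse_rbl_filter(spec: str) -> Tuple[str, Optional[List[set]]]:
    """'zone=127.0.0.[2..11;99]' -> (zone, one set of allowed values per octet);
    a bare 'zone' means any A record counts as listed."""
    zone, sep, pattern = spec.partition("=")
    if not sep:
        return zone, None
    octets = []
    for part in re.findall(r"\[[^\]]*\]|[^.]+", pattern):   # keep "[2..11]" in one piece
        allowed = set()
        for item in (part[1:-1] if part.startswith("[") else part).split(";"):
            lo, _, hi = item.partition("..")
            allowed.update(range(int(lo), int(hi or lo) + 1))
        octets.append(allowed)
    if len(octets) != 4:
        raise ValueError(f"bad RBL filter: {spec}")
    return zone, octets


def rbl_listed(spec: str, helo: str) -> bool:
    zone, octets = parse_rbl_filter(spec)
    for addr in RBL_A_RECORDS.get(f"{helo.lower().rstrip('.')}.{zone}", []):
        if octets is None or all(int(o) in ok for o, ok in zip(addr.split("."), octets)):
            return True
    return False


def evaluate_helo_restrictions(restrictions: List[str], client_ip: str, helo: Optional[str],
                               helo_required: bool = False) -> Tuple[str, str]:
    """Apply the list in order, first match wins. A client that sends no HELO/EHLO
    never reaches the list unless smtpd_helo_required = yes."""
    if helo is None:
        if helo_required:
            return "reject", "503 send HELO/EHLO first"
        return "dunno", "no HELO/EHLO: smtpd_helo_restrictions never evaluated"
    ip = ipaddress.ip_address(client_ip)
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "permit", "permit_mynetworks"
        if name == "check_helo_access":             # arg names the table; HELO_ACCESS stands in
            hit = access_lookup(HELO_ACCESS, helo)
            if hit in ("OK", "REJECT"):
                return ("permit" if hit == "OK" else "reject"), f"check_helo_access {arg}"
        if name == "reject_invalid_helo_hostname" and not is_valid_helo(helo):
            return "reject", "501 invalid HELO hostname"          # invalid_hostname_reject_code
        if name == "reject_non_fqdn_helo_hostname" and not is_fqdn_helo(helo):
            return "reject", "504 need fully-qualified hostname"  # non_fqdn_reject_code
        if name == "reject_rhsbl_helo" and rbl_listed(arg, helo):
            return "reject", f"HELO hostname listed by {arg}"
        if name in ("permit", "reject"):
            return name, name
    return "dunno", "end of smtpd_helo_restrictions"


if __name__ == "__main__":
    for helo in ("host.example.org", "spam.example.net", "bad_host.example", "localhost",
                 "mail.listed.example", "mail.benign.example", None):
        print(helo, evaluate_helo_restrictions(EXAMPLE_RESTRICTIONS, "198.51.100.7", helo))
```

       Note that "host.example.org" is permitted by the parent-domain entry
       "example.org" in the table, and that the same hostname "mail.benign.example"
       which an unfiltered "reject_rhsbl_helo rbl.example" would reject falls
       through to "dunno" once the "=127.0.0.[2..11]" filter excludes its
       127.0.0.100 listing.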

smtpd_history_flush_threshold (default: 100)

9554       The maximal number of lines in the Postfix SMTP server command  history
9555       before it is flushed upon receipt of EHLO, RSET, or end of DATA.
9556

smtpd_junk_command_limit (default: normal: 100, overload: 1)

9558       The  number  of  junk commands (NOOP, VRFY, ETRN or RSET) that a remote
9559       SMTP client can send before the Postfix SMTP server starts to increment
9560       the  error  counter  with each junk command.  The junk command count is
9561       reset after mail is delivered.  See also the smtpd_error_sleep_time and
9562       smtpd_soft_error_limit  configuration parameters.  Normally the default
9563       limit is 100, but it changes under overload to just 1. With Postfix 2.5
9564       and  earlier,  the SMTP server always allows up to 100 junk commands by
9565       default.
9566
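       How smtpd_error_sleep_time, smtpd_soft_error_limit, smtpd_hard_error_limit
       and smtpd_junk_command_limit act together, as an added Python model that is
       not Postfix's own code: a per-session error counter, a delay once the count
       passes the soft limit, a disconnect once it passes the hard limit, junk
       commands that only start counting as errors beyond their own limit, and a
       reset of the counters when mail is delivered. The comparisons follow the
       wording of the descriptions above ("more than", "exceeded"); the exact
       boundary behaviour, the limit values and the command scripts are the
       example's own assumptions, and the Postfix 2.1 and later meaning of
       smtpd_error_sleep_time is the one modelled.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Commands the page names as "junk" for smtpd_junk_command_limit.
JUNK_COMMANDS = {"NOOP", "VRFY", "ETRN", "RSET"}


@dataclass
class ErrorPolicy:
    """Limits named after the main.cf parameters they stand in for."""
    soft_error_limit: int = 10      # smtpd_soft_error_limit (value assumed here)
    hard_error_limit: int = 20      # smtpd_hard_error_limit, "normal" default
    error_sleep_time: int = 1       # smtpd_error_sleep_time, in seconds
    junk_command_limit: int = 100   # smtpd_junk_command_limit, "normal" default


@dataclass
class Session:
    error_count: int = 0
    junk_count: int = 0
    delivered: int = 0
    disconnected: bool = False
    total_delay: int = 0
    log: List[str] = field(default_factory=list)


def handle_command(policy: ErrorPolicy, s: Session, verb: str, ok: bool) -> int:
    """Account for one command and its outcome; return the delay (seconds) the
    server would impose before replying. Marks the session disconnected when the
    hard limit is exceeded."""
    verb = verb.upper()
    failed = not ok
    if verb in JUNK_COMMANDS:
        s.junk_count += 1
        if s.junk_count > policy.junk_command_limit:
            failed = True                       # excess junk counts as an error
    if failed:
        s.error_count += 1
    elif verb == "DATA":
        s.delivered += 1                        # mail delivered: counters reset
        s.error_count = 0
        s.junk_count = 0
    if s.error_count > policy.hard_error_limit:
        s.disconnected = True
        s.log.append(f"{verb}: error {s.error_count} exceeds hard limit, disconnect")
        return 0
    delay = 0
    if failed and s.error_count > policy.soft_error_limit:
        delay = policy.error_sleep_time         # soft < errors <= hard: slow the client down
    s.log.append(f"{verb}: ok={ok} errors={s.error_count} junk={s.junk_count} delay={delay}s")
    return delay


def run_session(policy: ErrorPolicy, script: List[Tuple[str, bool]]) -> Session:
    """Feed a (verb, succeeded) script through the counters until it ends or the
    server hangs up."""
    s = Session()
    for verb, ok in script:
        s.total_delay += handle_command(policy, s, verb, ok)
        if s.disconnected:
            break
    return s


if __name__ == "__main__":
    # Constructed script: four failed RCPTs, three NOOPs, one more failed RCPT,
    # against deliberately small limits so every stage is visible.
    tight = ErrorPolicy(soft_error_limit=3, hard_error_limit=5, junk_command_limit=2)
    script = [("RCPT", False)] * 4 + [("NOOP", True)] * 3 + [("RCPT", False)]
    for line in run_session(tight, script).log:
        print(line)
```

       With the "overload" defaults (hard limit 1, junk limit 1) the same model
       hangs up on the second error and turns the second junk command into one,
       which is the intended effect of those values under stress.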

smtpd_log_access_permit_actions (default: empty)

9568       Enable logging of the named "permit"  actions  in  SMTP  server  access
9569       lists  (by default, the SMTP server logs "reject" actions but not "per‐
9570       mit" actions).  This feature does not affect conditional  actions  such
9571       as "defer_if_permit".
9572
9573       Specify  a  list of "permit" action names, "/file/name" or "type:table"
9574       patterns, separated by commas and/or whitespace. The  list  is  matched
9575       left  to right, and the search stops on the first match. A "/file/name"
9576       pattern is replaced by its contents; a  "type:table"  lookup  table  is
9577       matched  when  a  name  matches  a  lookup  key  (the  lookup result is
9578       ignored).  Continue long lines by starting the next  line  with  white‐
9579       space. Specify "!pattern" to exclude a name from the list.
9580
9581       Examples:
9582
9583       /etc/postfix/main.cf:
9584           # Log all "permit" actions.
9585           smtpd_log_access_permit_actions = static:all
9586
9587       /etc/postfix/main.cf:
9588           # Log "permit_dnswl_client" only.
9589           smtpd_log_access_permit_actions = permit_dnswl_client
9590
9591       This feature is available in Postfix 2.10 and later.
9592

smtpd_milter_maps (default: empty)

9594       Lookup  tables  with Milter settings per remote SMTP client IP address.
9595       The lookup result overrides the smtpd_milters setting, and has the same
9596       syntax.
9597
9598       Note:  lookup  tables  cannot  return empty responses. Specify a lookup
9599       result of DISABLE (case does not matter) to indicate that  Milter  sup‐
9600       port should be disabled.
9601
9602       Example to disable Milters for local clients:
9603
9604       /etc/postfix/main.cf:
9605           smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
9606           smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
9607
9608       /etc/postfix/smtpd_milter_map:
9609           # Disable Milters for local clients.
9610           127.0.0.0/8    DISABLE
9611           192.168.0.0/16 DISABLE
9612           ::/64          DISABLE
9613           2001:db8::/32  DISABLE
9614
9615       This feature is available in Postfix 3.2 and later.
9616

smtpd_milters (default: empty)

9618       A  list  of Milter (mail filter) applications for new mail that arrives
9619       via the Postfix smtpd(8) server. Specify space or comma  as  separator.
9620       See the MILTER_README document for details.
9621
9622       This feature is available in Postfix 2.3 and later.
9623

smtpd_noop_commands (default: empty)

9625       List of commands that the Postfix SMTP server replies to with "250 Ok",
9626       without doing any syntax checks and without changing state.  This  list
9627       overrides any commands built into the Postfix SMTP server.
9628

smtpd_null_access_lookup_key (default: <>)

9630       The  lookup key to be used in SMTP access(5) tables instead of the null
9631       sender address.
9632

smtpd_peername_lookup (default: yes)

9634       Attempt to look up the remote SMTP client hostname, and verify that the
9635       name  matches  the client IP address. A client name is set to "unknown"
9636       when it cannot be looked up or verified, or when name  lookup  is  dis‐
9637       abled.   Turning  off  name lookup reduces delays due to DNS lookup and
9638       increases the maximal inbound delivery rate.
9639
9640       This feature is available in Postfix 2.3 and later.
9641

smtpd_per_record_deadline (default: normal: no, overload: yes)

9643       Change the behavior of  the  smtpd_timeout  and  smtpd_starttls_timeout
9644       time limits, from a time limit per read or write system call, to a time
9645       limit to send or receive a complete record (an SMTP command line,  SMTP
9646       response  line,  SMTP  message  content line, or TLS protocol message).
9647       This limits the impact from hostile peers that trickle data one byte at
9648       a time.
9649
9650       Note:  when per-record deadlines are enabled, a short timeout may cause
9651       problems with TLS over very slow network connections.  The reasons  are
9652       that  a  TLS protocol message can be up to 16 kbytes long (with TLSv1),
9653       and that an entire TLS protocol message must be sent or received within
9654       the per-record deadline.
9655
9656       This  feature is available in Postfix 2.9 and later. With older Postfix
9657       releases, the behavior is as if this parameter is set to "no".
9658

smtpd_policy_service_default_action (default: 451 4.3.5 Server configuration problem)

9661       The default action when an SMTPD policy service request fails.  Specify
9662       "DUNNO" to behave as if the failed  SMTPD policy  service  request  was
9663       not sent, and to continue processing other access restrictions, if any.
9664
9665       Limitations:
9666
9667       ·      This parameter may specify any value that would be a valid SMTPD
9668              policy server response (or access(5)  map  lookup  result).   An
9669              access(5)  map or policy server in this parameter value may need
9670              to be declared in advance with a restriction_class setting.
9671
9672       ·      If the specified  action  invokes  another  check_policy_service
9673              request, that request will have the built-in default action.
9674
9675       This feature is available in Postfix 3.0 and later.
9676

smtpd_policy_service_max_idle (default: 300s)

9678       The time after which an idle SMTPD policy service connection is closed.
9679
9680       This feature is available in Postfix 2.1 and later.
9681

smtpd_policy_service_max_ttl (default: 1000s)

9683       The  time  after  which  an  active  SMTPD policy service connection is
9684       closed.
9685
9686       This feature is available in Postfix 2.1 and later.
9687

smtpd_policy_service_policy_context (default: empty)

9689       Optional information that the Postfix  SMTP  server  specifies  in  the
9690       "policy_context"  attribute of a policy service request (originally, to
9691       share the same service  endpoint  among  multiple  check_policy_service
9692       clients).
9693
9694       This feature is available in Postfix 3.1 and later.
9695

smtpd_policy_service_request_limit (default: 0)

9697       The  maximal number of requests per SMTPD policy service connection, or
9698       zero (no limit). Once a connection reaches this limit,  the  connection
9699       is closed and the next request will be sent over a new connection. This
9700       is a workaround to avoid error-recovery delays with policy servers that
9701       cannot maintain a persistent connection.
9702
9703       This feature is available in Postfix 3.0 and later.
9704

smtpd_policy_service_retry_delay (default: 1s)

9706       The  delay  between  attempts  to  resend a failed SMTPD policy service
9707       request. Specify a value greater than zero.
9708
9709       This feature is available in Postfix 3.0 and later.
9710

smtpd_policy_service_timeout (default: 100s)

9712       The time limit for connecting to, writing to, or receiving from a dele‐
9713       gated SMTPD policy server.
9714
9715       This feature is available in Postfix 2.1 and later.
9716

smtpd_policy_service_try_limit (default: 2)

9718       The  maximal number of attempts to send an SMTPD policy service request
9719       before giving up. Specify a value greater than zero.
9720
9721       This feature is available in Postfix 3.0 and later.
9722

smtpd_proxy_ehlo (default: $myhostname)

9724       How the Postfix SMTP server announces itself to the proxy  filter.   By
9725       default, the Postfix hostname is used.
9726
9727       This feature is available in Postfix 2.1 and later.
9728

smtpd_proxy_filter (default: empty)

9730       The  hostname  and  TCP  port  of the mail filtering proxy server.  The
9731       proxy receives all mail from the Postfix SMTP server, and  is  supposed
9732       to give the result to another Postfix SMTP server process.
9733
9734       Specify   "host:port"  or  "inet:host:port"  for  a  TCP  endpoint,  or
9735       "unix:pathname" for a UNIX-domain endpoint. The host can  be  specified
9736       as  an  IP address or as a symbolic name; no MX lookups are done.  When
9737       no "host" or "host:"  are specified,  the  local  machine  is  assumed.
9738       Pathname interpretation is relative to the Postfix queue directory.
9739
9740       This feature is available in Postfix 2.1 and later.
9741
9742       The  "inet:"  and  "unix:"  prefixes  are  available in Postfix 2.3 and
9743       later.
9744

smtpd_proxy_options (default: empty)

9746       List of options that control how the Postfix SMTP  server  communicates
9747       with a before-queue content filter. Specify zero or more of the follow‐
9748       ing, separated by comma or whitespace.
9749
9750       speed_adjust
9751              Do not connect to a before-queue content filter until an  entire
9752              message has been received. This reduces the number of simultane‐
9753              ous before-queue content filter processes.
9754
9755       NOTE  1:  A  filter  must  not  selectively  reject  recipients  of   a
9756       multi-recipient message.  Rejecting all recipients is OK, as is accept‐
9757       ing all recipients.
9758
9759       NOTE 2: This feature increases the minimum amount of free  queue  space
9760       by  $message_size_limit.  The extra space is needed to save the message
9761       to a temporary file.
9762
9763       This feature is available in Postfix 2.7 and later.
9764

smtpd_proxy_timeout (default: 100s)

9766       The time limit for connecting to a proxy  filter  and  for  sending  or
9767       receiving  information.   When  a  connection  fails  the client gets a
9768       generic error message while more detailed information is logged to  the
9769       maillog file.
9770
9771       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
9772       The default time unit is s (seconds).
9773
9774       This feature is available in Postfix 2.1 and later.
9775

smtpd_recipient_limit (default: 1000)

9777       The maximal number of recipients that the Postfix SMTP  server  accepts
9778       per message delivery request.
9779

smtpd_recipient_overshoot_limit (default: 1000)

9781       The  number  of recipients that a remote SMTP client can send in excess
9782       of the limit specified with $smtpd_recipient_limit, before the  Postfix
9783       SMTP  server  increments  the  per-session  error count for each excess
9784       recipient.
9785

smtpd_recipient_restrictions (default: see postconf -d output)

9787       Optional restrictions that the Postfix SMTP server applies in the  con‐
9788       text  of a client RCPT TO command, after smtpd_relay_restrictions.  See
9789       SMTPD_ACCESS_README,  section  "Delayed  evaluation  of   SMTP   access
9790       restriction lists" for a discussion of evaluation context and time.
9791
9792       With  Postfix  versions before 2.10, the rules for relay permission and
9793       spam blocking were combined under smtpd_recipient_restrictions, result‐
9794       ing in error-prone configuration.  As of Postfix 2.10, relay permission
9795       rules are preferably implemented with smtpd_relay_restrictions, so that
9796       a  permissive  spam  blocking policy under smtpd_recipient_restrictions
9797       will no longer result in a permissive mail relay policy.
9798
9799       For backwards compatibility, sites that migrate from  Postfix  versions
9800       before  2.10  can  set smtpd_relay_restrictions to the empty value, and
9801       use smtpd_recipient_restrictions exactly as before.
9802
9803       IMPORTANT: Either the smtpd_relay_restrictions or the
9804       smtpd_recipient_restrictions parameter must specify at least one of
9805       the following restrictions. Otherwise Postfix will refuse to receive mail:
9806
9807           reject, reject_unauth_destination
9808
9809           defer, defer_if_permit, defer_unauth_destination
9810
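       The relay decision that the IMPORTANT rule above protects, as an added
       Python model that is not Postfix's own code: reject_unauth_destination,
       defer_unauth_destination, permit_auth_destination and permit_mx_backup as
       they are defined further down in this entry, plus a check that one of the
       terminating restrictions is present. The main.cf values, MX records,
       addresses and networks are constructed; the reading of
       permit_mx_backup_networks (the primary MX host's address must lie in the
       listed networks) comes from that parameter's own description, not from this
       entry; SASL authentication and the other restriction lists are left out.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed main.cf values and DNS data (not from the page); hostnames are
# documentation names. MY_MX_NAME is the name this server is listed under in MX records.
MY_MX_NAME = "mail.example.com"
CONFIG: Dict[str, List[str]] = {
    "mydestination": ["mail.example.com", "example.com", "localhost"],
    "inet_interfaces": [],
    "proxy_interfaces": [],
    "virtual_alias_domains": ["alias.example"],
    "virtual_mailbox_domains": [],
    "relay_domains": ["partner.example"],
    "mynetworks": ["127.0.0.0/8", "10.0.0.0/8"],
    "permit_mx_backup_networks": ["192.0.2.0/24"],
}
FINAL_DESTINATION_KEYS = ("mydestination", "inet_interfaces", "proxy_interfaces",
                          "virtual_alias_domains", "virtual_mailbox_domains")
# domain -> [(preference, MX hostname, MX address)]; lowest preference is the primary MX
MX_RECORDS: Dict[str, List[Tuple[int, str, str]]] = {
    "backup-client.example": [(10, "mx1.backup-client.example", "192.0.2.25"),
                              (20, MY_MX_NAME, "203.0.113.10")],
    "primary-here.example": [(10, MY_MX_NAME, "203.0.113.10"),
                             (20, "mx2.primary-here.example", "192.0.2.26")],
    "stranger.example": [(10, "mx.stranger.example", "198.51.100.9"),
                         (20, MY_MX_NAME, "203.0.113.10")],
}
# The IMPORTANT rule: one of these must appear in smtpd_relay_restrictions or
# smtpd_recipient_restrictions, otherwise Postfix refuses to receive mail.
TERMINATING = {"reject", "reject_unauth_destination", "defer", "defer_if_permit",
               "defer_unauth_destination"}


def split_address(rcpt: str) -> Tuple[str, str]:
    local, _, domain = rcpt.rpartition("@")
    return local, domain.lower().rstrip(".")


def in_networks(ip: str, nets: List[str]) -> bool:
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def domain_in(domain: str, names: List[str], subdomains: bool = False) -> bool:
    return any(domain == n.lower() or (subdomains and domain.endswith("." + n.lower()))
               for n in names)


def permit_auth_destination(rcpt: str) -> bool:
    """True when Postfix is forwarder ($relay_domains or a subdomain) or final
    destination for the RCPT TO domain, and the address carries no
    sender-specified routing such as user@elsewhere@domain."""
    local, domain = split_address(rcpt)
    if "@" in local:
        return False
    final = [d for key in FINAL_DESTINATION_KEYS for d in CONFIG[key]]
    return domain_in(domain, CONFIG["relay_domains"], subdomains=True) or domain_in(domain, final)


def permit_mx_backup(rcpt: str) -> bool:
    """True for authorized destinations, or when this host is a non-primary MX
    for the domain and the primary MX's address lies in permit_mx_backup_networks."""
    local, domain = split_address(rcpt)
    if "@" in local:
        return False
    if permit_auth_destination(rcpt):
        return True
    mx = sorted(MX_RECORDS.get(domain, []))
    if not mx or MY_MX_NAME not in [host for _, host, _ in mx] or mx[0][1] == MY_MX_NAME:
        return False                            # not listed, or primary MX (Postfix >= 2.3)
    return in_networks(mx[0][2], CONFIG["permit_mx_backup_networks"])


def validate_relay_config(relay: List[str], recipient: List[str]) -> bool:
    return bool(TERMINATING & set(relay + recipient))


def relay_decision(restrictions: List[str], rcpt: str, client_ip: str) -> str:
    """First match wins; "dunno" means the list ended without a verdict, and with
    no other list rejecting, the recipient is accepted."""
    for r in restrictions:
        if r == "permit_mynetworks" and in_networks(client_ip, CONFIG["mynetworks"]):
            return "permit"
        if r == "permit_auth_destination" and permit_auth_destination(rcpt):
            return "permit"
        if r == "permit_mx_backup" and permit_mx_backup(rcpt):
            return "permit"
        if r == "reject_unauth_destination" and not permit_auth_destination(rcpt):
            return "reject"                     # relay_domains_reject_code, 554 by default
        if r == "defer_unauth_destination" and not permit_auth_destination(rcpt):
            return "defer"
        if r in ("permit", "reject"):
            return r
    return "dunno"


SAFE = ["permit_mynetworks", "permit_mx_backup", "reject_unauth_destination"]
OPEN_RELAY = ["permit_mynetworks"]              # fails validate_relay_config: an open relay

if __name__ == "__main__":
    for rcpt in ("u@example.com", "u@sub.partner.example", "u@backup-client.example",
                 "u@stranger.example", "u@other.example", "u@elsewhere@example.com"):
        print(f"{rcpt:28} from a stranger -> {relay_decision(SAFE, rcpt, '198.51.100.9')}")
```

       The contrast between SAFE and OPEN_RELAY is the point of the paragraph
       above: with no terminating restriction, a stranger's RCPT TO for a foreign
       domain falls off the end of the list and is accepted, which is why Postfix
       refuses such a configuration outright.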
9811       Specify a list of restrictions, separated by commas and/or  whitespace.
9812       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9813       Restrictions are applied in the order as specified; the first  restric‐
9814       tion that matches wins.
9815
9816       The  following  restrictions are specific to the recipient address that
9817       is received with the RCPT TO command.
9818
9819       check_recipient_access type:table
9820              Search the specified access(5) database for the resolved RCPT TO
9821              address,  domain, parent domains, or localpart@, and execute the
9822              corresponding action.
9823
9824       check_recipient_a_access type:table
9825              Search the specified access(5) database for the IP addresses for
9826              the RCPT TO domain, and execute the corresponding action.  Note:
9827              a result of "OK" is not allowed for safety reasons. Instead, use
9828              DUNNO  in order to exclude specific hosts from blacklists.  This
9829              feature is available in Postfix 3.0 and later.
9830
9831       check_recipient_mx_access type:table
9832              Search the specified access(5) database for the MX hosts for the
9833              RCPT  TO  domain, and execute the corresponding action.  Note: a
9834              result of "OK" is not allowed for safety reasons.  Instead,  use
9835              DUNNO  in order to exclude specific hosts from blacklists.  This
9836              feature is available in Postfix 2.1 and later.
9837
9838       check_recipient_ns_access type:table
9839              Search the specified access(5) database for the DNS servers  for
9840              the RCPT TO domain, and execute the corresponding action.  Note:
9841              a result of "OK" is not allowed for safety reasons. Instead, use
9842              DUNNO  in order to exclude specific hosts from blacklists.  This
9843              feature is available in Postfix 2.1 and later.
9844
9845       permit_auth_destination
9846              Permit the request when one of the following is true:
9847
9848       ·      Postfix is mail forwarder: the resolved RCPT TO  domain  matches
9849              $relay_domains  or a subdomain thereof, and the address contains
9850              no sender-specified routing (user@elsewhere@domain),
9851
9852       ·      Postfix is the final destination: the resolved  RCPT  TO  domain
9853              matches   $mydestination,  $inet_interfaces,  $proxy_interfaces,
9854              $virtual_alias_domains,  or  $virtual_mailbox_domains,  and  the
9855              address contains no sender-specified routing (user@elsewhere@domain).
9857
9858       permit_mx_backup
9859              Permit the request when the local mail system is backup  MX  for
9860              the RCPT TO domain, or when the domain is an authorized destina‐
9861              tion (see permit_auth_destination for definition).
9862
9863       ·      Safety: permit_mx_backup does not  accept  addresses  that  have
9864              sender-specified routing information (example: user@elsewhere@domain).
9866
9867       ·      Safety: permit_mx_backup  can  be  vulnerable  to  mis-use  when
9868              access is not restricted with permit_mx_backup_networks.
9869
9870       ·      Safety:  as  of  Postfix version 2.3, permit_mx_backup no longer
9871              accepts the address when the local mail system is primary MX for
9872              the  recipient  domain.  Exception: permit_mx_backup accepts the
9873              address when it specifies an authorized destination (see
9874              permit_auth_destination for definition).
9875
9876       ·      Limitation:  mail  may  be  rejected  in case of a temporary DNS
9877              lookup problem with Postfix prior to version 2.0.
9878
9879       reject_non_fqdn_recipient
9880              Reject the request when the RCPT TO address specifies  a  domain
9881              that  is  not in fully-qualified domain form, as required by the
9882              RFC.
9883              The non_fqdn_reject_code parameter specifies the  response  code
9884              for rejected requests (default: 504).
9885
       reject_rhsbl_recipient rbl_domain=d.d.d.d
              Reject the request when the RCPT TO domain is listed with the A
              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
              only). Each "d" is a number, or a pattern inside "[]" that
              contains one or more ";"-separated numbers or number..number
              ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
              specified, reject the request when the RCPT TO domain is listed
              with any A record under rbl_domain.
              The maps_rbl_reject_code parameter specifies the response code
              for rejected requests (default: 554); the default_rbl_reply
              parameter specifies the default server reply; and the
              rbl_reply_maps parameter specifies tables with server replies
              indexed by rbl_domain. This feature is available in Postfix
              version 2.0 and later.

       reject_unauth_destination
              Reject the request unless one of the following is true:

       ·      Postfix is a mail forwarder: the resolved RCPT TO domain matches
              $relay_domains or a subdomain thereof, and contains no
              sender-specified routing (user@elsewhere@domain),

       ·      Postfix is the final destination: the resolved RCPT TO domain
              matches $mydestination, $inet_interfaces, $proxy_interfaces,
              $virtual_alias_domains, or $virtual_mailbox_domains, and
              contains no sender-specified routing (user@elsewhere@domain).
              The relay_domains_reject_code parameter specifies the response
              code for rejected requests (default: 554).

       defer_unauth_destination
              Reject the same requests as reject_unauth_destination, with a
              non-permanent error code. This feature is available in Postfix
              2.10 and later.

       reject_unknown_recipient_domain
              Reject the request when Postfix is not the final destination for
              the recipient domain, and the RCPT TO domain has 1) no DNS MX
              and no DNS A record or 2) a malformed MX record such as a record
              with a zero-length MX hostname (Postfix version 2.3 and later).
              The reply is specified with the unknown_address_reject_code
              parameter (default: 450), unknown_address_tempfail_action
              (default: defer_if_permit), or 556 (nullmx, Postfix 3.0 and
              later). See the respective parameter descriptions for details.

       reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
              Reject the request when the RCPT TO address is not listed in the
              list of valid recipients for its domain class. See the
              smtpd_reject_unlisted_recipient parameter description for
              details. This feature is available in Postfix 2.1 and later.

       reject_unverified_recipient
              Reject the request when mail to the RCPT TO address is known to
              bounce, or when the recipient address destination is not
              reachable. Address verification information is managed by the
              verify(8) server; see the ADDRESS_VERIFICATION_README file for
              details.
              The unverified_recipient_reject_code parameter specifies the
              numerical response code when an address is known to bounce
              (default: 450, change into 550 when you are confident that it is
              safe to do so).
              The unverified_recipient_defer_code parameter specifies the
              numerical response code when an address probe failed due to a
              temporary problem (default: 450).
              The unverified_recipient_tempfail_action parameter specifies the
              action after address probe failure due to a temporary problem
              (default: defer_if_permit).
              This feature breaks for aliased addresses with
              "enable_original_recipient = no" (Postfix <= 3.2).
              This feature is available in Postfix 2.1 and later.

       Other restrictions that are valid in this context:

       ·      Generic restrictions that can be used in any SMTP command
              context, described under smtpd_client_restrictions.

       ·      SMTP command specific restrictions described under
              smtpd_client_restrictions, smtpd_helo_restrictions and
              smtpd_sender_restrictions.

       Example:

       # The Postfix before 2.10 default mail relay policy. Later Postfix
       # versions implement this preferably with smtpd_relay_restrictions.
       smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination


smtpd_reject_footer (default: empty)

       Optional information that is appended after each Postfix SMTP server
       4XX or 5XX response.

       The following example uses "\c" at the start of the template (supported
       in Postfix 2.10 and later) to suppress the line break between the reply
       text and the footer text. With earlier Postfix versions, the footer
       text always begins on a new line, and the "\c" is output literally.

       /etc/postfix/main.cf:
           smtpd_reject_footer = \c. For assistance, call 800-555-0101.
            Please provide the following information in your problem report:
            time ($localtime), client ($client_address) and server
            ($server_name).

       Server response:

           550-5.5.1 <user@example> Recipient address rejected: User
           unknown. For assistance, call 800-555-0101. Please provide the
           following information in your problem report: time (Jan 4 15:42:00),
           client (192.168.1.248) and server (mail1.example.com).

       Note: the above text is meant to make it easier to find the Postfix
       logfile records for a failed SMTP session. The text itself is not
       logged to the Postfix SMTP server's maillog file.

       Be sure to keep the text as short as possible. Long text may be
       truncated before it is logged to the remote SMTP client's maillog file,
       or before it is returned to the sender in a delivery status
       notification.

       The template text is not subject to Postfix configuration parameter
       $name expansion. Instead, this feature supports a limited number of
       $name attributes in the footer text. These attributes are replaced with
       their current value for the SMTP session.

       Note: specify $$name in footer text that is looked up from regexp: or
       pcre:-based smtpd_reject_footer_maps, otherwise the Postfix server will
       not use the footer text and will log a warning instead.

       client_address
              The client IP address that is logged in the maillog file.

       client_port
              The client TCP port that is logged in the maillog file.

       localtime
              The server local time (Mmm dd hh:mm:ss) that is logged in the
              maillog file.

       server_name
              The server's myhostname value. This attribute is made available
              for sites with multiple MTAs (perhaps behind a load-balancer),
              where the server name can help the server support team to
              quickly find the right log files.

       Notes:

       ·      NOT SUPPORTED are other attributes such as sender, recipient, or
              main.cf parameters.

       ·      For safety reasons, text that does not match
              $smtpd_expansion_filter is censored.

       This feature supports the two-character sequence \n as a request for a
       line break in the footer text. Postfix automatically inserts after each
       line break the three-digit SMTP reply code (and optional enhanced
       status code) from the original Postfix reject message.

       To work around mail software that mis-handles multi-line replies,
       specify the two-character sequence \c at the start of the template.
       This suppresses the line break between the reply text and the footer
       text (Postfix 2.10 and later).

       This feature is available in Postfix 2.8 and later.


smtpd_reject_footer_maps (default: empty)

       Lookup tables, indexed by the complete Postfix SMTP server 4xx or 5xx
       response, with reject footer templates. See smtpd_reject_footer for
       details.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       This feature is available in Postfix 3.4 and later.


smtpd_reject_unlisted_recipient (default: yes)

       Request that the Postfix SMTP server rejects mail for unknown recipient
       addresses, even when no explicit reject_unlisted_recipient access
       restriction is specified. This prevents the Postfix queue from filling
       up with undeliverable MAILER-DAEMON messages.

       An address is always considered "known" when it matches a virtual(5)
       alias or a canonical(5) mapping. Otherwise, a recipient address is
       unknown in each of the following cases:

       ·      The recipient domain matches $mydestination, $inet_interfaces or
              $proxy_interfaces, but the recipient is not listed in
              $local_recipient_maps, and $local_recipient_maps is not null.

       ·      The recipient domain matches $virtual_alias_domains but the
              recipient is not listed in $virtual_alias_maps.

       ·      The recipient domain matches $virtual_mailbox_domains but the
              recipient is not listed in $virtual_mailbox_maps, and
              $virtual_mailbox_maps is not null.

       ·      The recipient domain matches $relay_domains but the recipient is
              not listed in $relay_recipient_maps, and $relay_recipient_maps
              is not null.

       This feature is available in Postfix 2.1 and later.


smtpd_reject_unlisted_sender (default: no)

       Request that the Postfix SMTP server rejects mail from unknown sender
       addresses, even when no explicit reject_unlisted_sender access
       restriction is specified. This can slow down an explosion of forged
       mail from worms or viruses.

       An address is always considered "known" when it matches a virtual(5)
       alias or a canonical(5) mapping. Otherwise, a sender address is
       unknown in each of the following cases:

       ·      The sender domain matches $mydestination, $inet_interfaces or
              $proxy_interfaces, but the sender is not listed in
              $local_recipient_maps, and $local_recipient_maps is not null.

       ·      The sender domain matches $virtual_alias_domains but the sender
              is not listed in $virtual_alias_maps.

       ·      The sender domain matches $virtual_mailbox_domains but the
              sender is not listed in $virtual_mailbox_maps, and
              $virtual_mailbox_maps is not null.

       ·      The sender domain matches $relay_domains but the sender is not
              listed in $relay_recipient_maps, and $relay_recipient_maps is
              not null.

       This feature is available in Postfix 2.1 and later.

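       The four domain-class rules above, which are the same for
       smtpd_reject_unlisted_recipient and smtpd_reject_unlisted_sender, as
       an added Python decision function (not Postfix code). CONFIG is a
       constructed stand-in for main.cf and its lookup tables: $mydestination,
       $inet_interfaces and $proxy_interfaces are folded into one
       "local_domains" set, a None table models an empty ("null") parameter,
       and only full user@domain keys are looked up, whereas real Postfix
       tables also try partial keys.

```python
# Constructed stand-in for the relevant main.cf domain classes and lookup
# tables; a None table models an empty ("null") parameter.
CONFIG = {
    # $mydestination, $inet_interfaces and $proxy_interfaces, folded together
    "local_domains": {"example.com", "localhost"},
    "virtual_alias_domains": {"alias.example"},
    "virtual_mailbox_domains": {"vmail.example"},
    "relay_domains": {"relay.example"},
    "local_recipient_maps": {"alice@example.com", "postmaster@example.com"},
    "virtual_alias_maps": {"sales@alias.example"},
    "virtual_mailbox_maps": None,
    "relay_recipient_maps": {"bob@relay.example"},
    "canonical_maps": {"old@example.com"},
}

# (domain class, recipient table, "and <table> is not null" applies), in the
# order the man page lists the rules.
RULES = (
    ("local_domains", "local_recipient_maps", True),
    ("virtual_alias_domains", "virtual_alias_maps", False),
    ("virtual_mailbox_domains", "virtual_mailbox_maps", True),
    ("relay_domains", "relay_recipient_maps", True),
)


def is_unlisted(address, cfg=CONFIG):
    """True when the smtpd_reject_unlisted_* rules classify `address` as
    unknown for its domain class; False when it is known or when the
    domain belongs to none of the four classes (not this feature's job)."""
    addr = address.lower()
    domain = addr.rpartition("@")[2]
    # A virtual(5) alias or canonical(5) mapping makes the address known.
    if addr in (cfg["virtual_alias_maps"] or ()) or addr in (cfg["canonical_maps"] or ()):
        return False
    for domain_class, table, null_exempts in RULES:
        if domain not in cfg[domain_class]:
            continue
        maps = cfg[table]
        if maps is None:
            # An empty table disables the check for that class, except for
            # virtual_alias_maps, for which the page states no exemption.
            return not null_exempts
        return addr not in maps
    return False
```

       The two "null table" checks at the end of the test show the practical
       difference: an empty local_recipient_maps silently accepts every local
       recipient, while an empty virtual_alias_maps rejects every address in
       a virtual alias domain.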

smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)

       Access restrictions for mail relay control that the Postfix SMTP server
       applies in the context of the RCPT TO command, before
       smtpd_recipient_restrictions. See SMTPD_ACCESS_README, section "Delayed
       evaluation of SMTP access restriction lists" for a discussion of
       evaluation context and time.

       With Postfix versions before 2.10, the rules for relay permission and
       spam blocking were combined under smtpd_recipient_restrictions,
       resulting in error-prone configuration. As of Postfix 2.10, relay
       permission rules are preferably implemented with
       smtpd_relay_restrictions, so that a permissive spam blocking policy
       under smtpd_recipient_restrictions will no longer result in a
       permissive mail relay policy.

       For backwards compatibility, sites that migrate from Postfix versions
       before 2.10 can set smtpd_relay_restrictions to the empty value, and
       use smtpd_recipient_restrictions exactly as before.

       By default, the Postfix SMTP server accepts:

       ·      Mail from clients whose IP address matches $mynetworks, or:

       ·      Mail to remote destinations that match $relay_domains, except
              for addresses that contain sender-specified routing
              (user@elsewhere@domain), or:

       ·      Mail to local destinations that match $inet_interfaces or
              $proxy_interfaces, $mydestination, $virtual_alias_domains, or
              $virtual_mailbox_domains.

       IMPORTANT: Either the smtpd_relay_restrictions or the
       smtpd_recipient_restrictions parameter must specify at least one of the
       following restrictions. Otherwise Postfix will refuse to receive mail:

           reject, reject_unauth_destination

           defer, defer_if_permit, defer_unauth_destination

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace. The
       same restrictions are available as documented under
       smtpd_recipient_restrictions.

       This feature is available in Postfix 2.10 and later.

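       A configuration check for the IMPORTANT rule above, written as an
       added Python example (not Postfix code). It parses main.cf syntax as
       described at the top of this page (comments, "name = value",
       whitespace continuation lines, $name references), applies the
       documented defaults when a parameter is absent, and distinguishes an
       absent smtpd_relay_restrictions from one explicitly set to the empty
       value. The main.cf fragments are constructed; on a real system the
       output of "postconf -n" would be the input.

```python
import re

# Documented defaults of the two parameters that carry relay control.
DEFAULTS = {
    "smtpd_relay_restrictions":
        "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination",
    "smtpd_recipient_restrictions": "",
}

# At least one of these must appear in one of the two lists, otherwise
# Postfix refuses to receive mail.
REQUIRED_ANY = {"reject", "reject_unauth_destination",
                "defer", "defer_if_permit", "defer_unauth_destination"}

_REF_RE = re.compile(r"\$(?:\{([a-zA-Z0-9_]+)\}|([a-zA-Z0-9_]+))")


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comment lines, and lines
    starting with whitespace continuing the previous logical line."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation line
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                             # not a logical line
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Recursively expand $name / ${name}; undefined names become empty."""
    if depth > 10:
        raise ValueError("parameter reference loop")

    def sub(match):
        name = match.group(1) or match.group(2)
        return expand(params.get(name, DEFAULTS.get(name, "")), params, depth + 1)
    return _REF_RE.sub(sub, value)


def restriction_names(value):
    """Bare restriction names from a list, dropping arguments such as the
    'type:table' after check_client_access or an rbl_domain."""
    tokens = re.split(r"[\s,]+", value)
    return [t for t in tokens if re.fullmatch(r"[a-z0-9_]+", t)]


def relay_policy_check(main_cf_text):
    """Return (ok, messages) for the relay-control invariant."""
    params = parse_main_cf(main_cf_text)
    lists, messages = {}, []
    for name, default in DEFAULTS.items():
        raw = expand(params[name], params) if name in params else default
        lists[name] = restriction_names(raw)
    if "smtpd_relay_restrictions" in params and not lists["smtpd_relay_restrictions"]:
        messages.append("smtpd_relay_restrictions is empty: relay control is "
                        "left entirely to smtpd_recipient_restrictions")
    present = REQUIRED_ANY & (set(lists["smtpd_relay_restrictions"])
                              | set(lists["smtpd_recipient_restrictions"]))
    if not present:
        messages.append("neither smtpd_relay_restrictions nor "
                        "smtpd_recipient_restrictions contains one of: "
                        + ", ".join(sorted(REQUIRED_ANY)))
        return False, messages
    return True, messages


# Constructed main.cf fragments for the three situations the page describes.
SAFE_CF = """\
# Postfix 2.10 and later: relay policy under smtpd_relay_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix/access
"""

LEGACY_CF = """\
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""

UNSAFE_CF = """\
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_rbl_client rbl.example
"""
```

       The LEGACY_CF case is accepted but flagged, because with an empty
       smtpd_relay_restrictions a later "permissive spam blocking" edit to
       smtpd_recipient_restrictions becomes a relay-policy change, which is
       exactly the pre-2.10 failure mode the page describes.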

smtpd_restriction_classes (default: empty)

       User-defined aliases for groups of access restrictions. The aliases can
       be specified in smtpd_recipient_restrictions etc., and on the
       right-hand side of a Postfix access(5) table.

       One major application is for implementing per-recipient UCE control.
       See the RESTRICTION_CLASS_README document for other examples.


smtpd_sasl_application_name (default: smtpd)

       The application name that the Postfix SMTP server uses for SASL server
       initialization. This controls the name of the SASL configuration file.
       The default value is smtpd, corresponding to a SASL configuration file
       named smtpd.conf.

       This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
       was renamed to smtpd_sasl_path.


smtpd_sasl_auth_enable (default: no)

       Enable SASL authentication in the Postfix SMTP server. By default, the
       Postfix SMTP server does not use authentication.

       If a remote SMTP client is authenticated, the permit_sasl_authenticated
       access restriction can be used to permit relay access, like this:

           # With Postfix 2.10 and later, the mail relay policy is
           # preferably specified under smtpd_relay_restrictions.
           smtpd_relay_restrictions =
               permit_mynetworks, permit_sasl_authenticated, ...

           # With Postfix before 2.10, the relay policy can be
           # specified only under smtpd_recipient_restrictions.
           smtpd_recipient_restrictions =
               permit_mynetworks, permit_sasl_authenticated, ...

       To reject all SMTP connections from unauthenticated clients, specify
       "smtpd_delay_reject = yes" (which is the default) and use:

           smtpd_client_restrictions = permit_sasl_authenticated, reject

       See the SASL_README file for SASL configuration and operation details.


smtpd_sasl_authenticated_header (default: no)

       Report the SASL authenticated user name in the smtpd(8) Received
       message header.

       This feature is available in Postfix 2.3 and later.


smtpd_sasl_exceptions_networks (default: empty)

       What remote SMTP clients the Postfix SMTP server will not offer AUTH
       support to.

       Some clients (Netscape 4 at least) have a bug that causes them to
       require a login and password whenever AUTH is offered, whether it's
       necessary or not. To work around this, specify, for example,
       $mynetworks to prevent Postfix from offering AUTH to local clients.

       Specify a list of network/netmask patterns, separated by commas and/or
       whitespace. The mask specifies the number of bits in the network part
       of a host address. You can also specify "/file/name" or "type:table"
       patterns. A "/file/name" pattern is replaced by its contents; a
       "type:table" lookup table is matched when a table entry matches a
       lookup string (the lookup result is ignored). Continue long lines by
       starting the next line with whitespace. Specify "!pattern" to exclude
       an address or network block from the list. The form "!/file/name" is
       supported only in Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside [] in
       the smtpd_sasl_exceptions_networks value, and in files specified with
       "/file/name". IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.

       Example:

       smtpd_sasl_exceptions_networks = $mynetworks

       This feature is available in Postfix 2.1 and later.


smtpd_sasl_local_domain (default: empty)

       The name of the Postfix SMTP server's local SASL authentication realm.

       By default, the local authentication realm name is the null string.

       Examples:

       smtpd_sasl_local_domain = $mydomain
       smtpd_sasl_local_domain = $myhostname


smtpd_sasl_path (default: smtpd)

       Implementation-specific information that the Postfix SMTP server passes
       through to the SASL plug-in implementation that is selected with
       smtpd_sasl_type. Typically this specifies the name of a configuration
       file or rendezvous point.

       This feature is available in Postfix 2.3 and later. In earlier releases
       it was called smtpd_sasl_application_name.


smtpd_sasl_response_limit (default: 12288)

       The maximum length of a SASL client's response to a server challenge.
       When the client's "initial response" is longer than the normal limit
       for SMTP commands, the client must omit its initial response, and wait
       for an empty server challenge; it can then send what would have been
       its "initial response" as a response to the empty server challenge.
       RFC 4954 requires the server to accept client responses up to at least
       12288 octets of base64-encoded text. The default value is therefore
       also the minimum value accepted for this parameter.

       This feature is available in Postfix 3.4 and later. Prior versions use
       "line_length_limit", which may need to be raised to accommodate larger
       client responses, as may be needed with GSSAPI authentication of
       Windows AD users who are members of many groups.


smtpd_sasl_security_options (default: noanonymous)

       Postfix SMTP server SASL security options; as of Postfix 2.3 the list
       of available features depends on the SASL server implementation that is
       selected with smtpd_sasl_type.

       The following security features are defined for the cyrus server SASL
       implementation:

       Restrict what authentication mechanisms the Postfix SMTP server will
       offer to the client. The list of available authentication mechanisms
       is system dependent.

       Specify zero or more of the following:

       noplaintext
              Disallow methods that use plaintext passwords.

       noactive
              Disallow methods subject to active (non-dictionary) attack.

       nodictionary
              Disallow methods subject to passive (dictionary) attack.

       noanonymous
              Disallow methods that allow anonymous authentication.

       forward_secrecy
              Only allow methods that support forward secrecy (Dovecot only).

       mutual_auth
              Only allow methods that provide mutual authentication (not
              available with Cyrus SASL version 1).

       By default, the Postfix SMTP server accepts plaintext passwords but not
       anonymous logins.

       Warning: it appears that clients try authentication methods in the
       order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
       which means that if you disable plaintext passwords, clients will log
       in anonymously, even when they should be able to use CRAM-MD5. So, if
       you disable plaintext logins, disable anonymous logins too. Postfix
       treats anonymous login as no authentication.

       Example:

       smtpd_sasl_security_options = noanonymous, noplaintext


smtpd_sasl_service (default: smtp)

       The service name that is passed to the SASL plug-in that is selected
       with smtpd_sasl_type and smtpd_sasl_path.

       This feature is available in Postfix 2.11 and later. Prior versions
       behave as if "smtp" is specified.


smtpd_sasl_tls_security_options (default: $smtpd_sasl_security_options)

       The SASL authentication security options that the Postfix SMTP server
       uses for TLS encrypted SMTP sessions.

       This feature is available in Postfix 2.2 and later.


smtpd_sasl_type (default: cyrus)

       The SASL plug-in type that the Postfix SMTP server should use for
       authentication. The available types are listed with the "postconf -a"
       command.

       This feature is available in Postfix 2.3 and later.


smtpd_sender_login_maps (default: empty)

       Optional lookup table with the SASL login names that own the sender
       (MAIL FROM) addresses.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found. With lookups from indexed files such as DB or DBM, or from
       networked tables such as NIS, LDAP or SQL, the following search
       operations are done with a sender address of user@domain:

       1) user@domain
              This table lookup is always done and has the highest precedence.

       2) user
              This table lookup is done only when the domain part of the
              sender address matches $myorigin, $mydestination,
              $inet_interfaces or $proxy_interfaces.

       3) @domain
              This table lookup is done last and has the lowest precedence.

       In all cases the result of table lookup must be either "not found" or a
       list of SASL login names separated by comma and/or whitespace.


smtpd_sender_restrictions (default: empty)

       Optional restrictions that the Postfix SMTP server applies in the
       context of a client MAIL FROM command. See SMTPD_ACCESS_README, section
       "Delayed evaluation of SMTP access restriction lists" for a discussion
       of evaluation context and time.

       The default is to permit everything.

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace.
       Restrictions are applied in the order as specified; the first
       restriction that matches wins.

       The following restrictions are specific to the sender address received
       with the MAIL FROM command.

       check_sender_access type:table
              Search the specified access(5) database for the MAIL FROM
              address, domain, parent domains, or localpart@, and execute the
              corresponding action.

       check_sender_a_access type:table
              Search the specified access(5) database for the IP addresses for
              the MAIL FROM domain, and execute the corresponding action.
              Note: a result of "OK" is not allowed for safety reasons.
              Instead, use DUNNO in order to exclude specific hosts from
              blacklists. This feature is available in Postfix 3.0 and later.

       check_sender_mx_access type:table
              Search the specified access(5) database for the MX hosts for the
              MAIL FROM domain, and execute the corresponding action. Note: a
              result of "OK" is not allowed for safety reasons. Instead, use
              DUNNO in order to exclude specific hosts from blacklists. This
              feature is available in Postfix 2.1 and later.

       check_sender_ns_access type:table
              Search the specified access(5) database for the DNS servers for
              the MAIL FROM domain, and execute the corresponding action.
              Note: a result of "OK" is not allowed for safety reasons.
              Instead, use DUNNO in order to exclude specific hosts from
              blacklists. This feature is available in Postfix 2.1 and later.

       reject_authenticated_sender_login_mismatch
              Enforces the reject_sender_login_mismatch restriction for
              authenticated clients only. This feature is available in Postfix
              version 2.1 and later.

       reject_known_sender_login_mismatch
              Apply the reject_sender_login_mismatch restriction only to MAIL
              FROM addresses that are known in $smtpd_sender_login_maps. This
              feature is available in Postfix version 2.11 and later.

       reject_non_fqdn_sender
              Reject the request when the MAIL FROM address specifies a domain
              that is not in fully-qualified domain form as required by the
              RFC.
              The non_fqdn_reject_code parameter specifies the response code
              for rejected requests (default: 504).

       reject_rhsbl_sender rbl_domain=d.d.d.d
              Reject the request when the MAIL FROM domain is listed with the
              A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
              later only). Each "d" is a number, or a pattern inside "[]"
              that contains one or more ";"-separated numbers or
              number..number ranges (Postfix version 2.8 and later). If no
              "=d.d.d.d" is specified, reject the request when the MAIL FROM
              domain is listed with any A record under rbl_domain.
              The maps_rbl_reject_code parameter specifies the response code
              for rejected requests (default: 554); the default_rbl_reply
              parameter specifies the default server reply; and the
              rbl_reply_maps parameter specifies tables with server replies
              indexed by rbl_domain. This feature is available in Postfix 2.0
              and later.

       reject_sender_login_mismatch
              Reject the request when $smtpd_sender_login_maps specifies an
              owner for the MAIL FROM address, but the client is not (SASL)
              logged in as that MAIL FROM address owner; or when the client is
              (SASL) logged in, but the client login name doesn't own the MAIL
              FROM address according to $smtpd_sender_login_maps.

       reject_unauthenticated_sender_login_mismatch
              Enforces the reject_sender_login_mismatch restriction for
              unauthenticated clients only. This feature is available in
              Postfix version 2.1 and later.

       reject_unknown_sender_domain
              Reject the request when Postfix is not the final destination for
              the sender address, and the MAIL FROM domain has 1) no DNS MX
              and no DNS A record, or 2) a malformed MX record such as a
              record with a zero-length MX hostname (Postfix version 2.3 and
              later).
              The reply is specified with the unknown_address_reject_code
              parameter (default: 450), unknown_address_tempfail_action
              (default: defer_if_permit), or 550 (nullmx, Postfix 3.0 and
              later). See the respective parameter descriptions for details.

       reject_unlisted_sender
              Reject the request when the MAIL FROM address is not listed in
              the list of valid recipients for its domain class. See the
              smtpd_reject_unlisted_sender parameter description for details.
              This feature is available in Postfix 2.1 and later.

       reject_unverified_sender
              Reject the request when mail to the MAIL FROM address is known
              to bounce, or when the sender address destination is not
              reachable. Address verification information is managed by the
              verify(8) server; see the ADDRESS_VERIFICATION_README file for
              details.
              The unverified_sender_reject_code parameter specifies the
              numerical response code when an address is known to bounce
              (default: 450, change into 550 when you are confident that it
              is safe to do so).
              The unverified_sender_defer_code parameter specifies the
              numerical response code when an address probe failed due to a
              temporary problem (default: 450).
              The unverified_sender_tempfail_action parameter specifies the
              action after address probe failure due to a temporary problem
              (default: defer_if_permit).
              This feature breaks for aliased addresses with
              "enable_original_recipient = no" (Postfix <= 3.2).
              This feature is available in Postfix 2.1 and later.

       Other restrictions that are valid in this context:

       ·      Generic restrictions that can be used in any SMTP command
              context, described under smtpd_client_restrictions.

       ·      SMTP command specific restrictions described under
              smtpd_client_restrictions and smtpd_helo_restrictions.

       ·      SMTP command specific restrictions described under
              smtpd_recipient_restrictions. When recipient restrictions are
              listed under smtpd_sender_restrictions, they have effect only
              with "smtpd_delay_reject = yes", so that
              $smtpd_sender_restrictions is evaluated at the time of the RCPT
              TO command.

       Examples:

       smtpd_sender_restrictions = reject_unknown_sender_domain
       smtpd_sender_restrictions = reject_unknown_sender_domain,
           check_sender_access hash:/etc/postfix/access
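       The smtpd_sender_login_maps search order (user@domain, then user for
       local domains, then @domain) together with the decision made by
       reject_sender_login_mismatch and its three variants above, as an added
       Python model (not Postfix code). SENDER_LOGIN_MAPS and LOCAL_DOMAINS
       are constructed stand-ins for a hash: table and for $myorigin,
       $mydestination, $inet_interfaces and $proxy_interfaces; login names
       are compared as plain strings, which is an assumption.

```python
import re

# Constructed smtpd_sender_login_maps content; a hash: table would hold the
# same keys, and each value is a comma/whitespace separated login list.
SENDER_LOGIN_MAPS = {
    "alice@example.com": "alice",
    "sales@example.com": "alice, bob",
    "bob": "bob",                        # bare "user" key: local domains only
    "@partner.example": "partner-relay",  # whole-domain owner
}

# Domains for which the bare "user" lookup applies (constructed).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

VARIANTS = {
    "reject_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch",
    "reject_unauthenticated_sender_login_mismatch",
    "reject_known_sender_login_mismatch",
}


def lookup_owners(sender, maps=SENDER_LOGIN_MAPS, local_domains=LOCAL_DOMAINS):
    """Search order from the man page: user@domain, user (local domains
    only), @domain. Returns the set of owning logins, or None for
    "not found"."""
    user, _, domain = sender.lower().rpartition("@")
    keys = [user + "@" + domain]
    if domain in local_domains:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in maps:
            return {t for t in re.split(r"[\s,]+", maps[key]) if t}
    return None


def sender_login_mismatch(sender, sasl_login,
                          variant="reject_sender_login_mismatch",
                          maps=SENDER_LOGIN_MAPS, local_domains=LOCAL_DOMAINS):
    """True when `variant` would reject MAIL FROM `sender` from a client
    authenticated as `sasl_login` (None when the client is not logged in)."""
    if variant not in VARIANTS:
        raise ValueError("unknown restriction: " + variant)
    owners = lookup_owners(sender, maps, local_domains)
    # The variants only narrow which requests the base rule applies to.
    if variant == "reject_authenticated_sender_login_mismatch" and sasl_login is None:
        return False
    if variant == "reject_unauthenticated_sender_login_mismatch" and sasl_login is not None:
        return False
    if variant == "reject_known_sender_login_mismatch" and owners is None:
        return False
    if sasl_login is None:
        return owners is not None   # address has an owner, client not logged in
    # Logged in: the login must be one of the address owners; an address
    # with no table entry is owned by nobody, so it is rejected too.
    return owners is None or sasl_login not in owners
```

       The "bob@other.example" cases in the test show the difference that
       reject_known_sender_login_mismatch makes: the base restriction rejects
       an authenticated client using an address that has no table entry at
       all, while the "known" variant lets it through.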

smtpd_service_name (default: smtpd)

       The internal service that postscreen(8) hands off allowed connections
       to. In a future version there may be different classes of SMTP service.

       This feature is available in Postfix 2.8.


smtpd_soft_error_limit (default: 10)

       The number of errors a remote SMTP client is allowed to make without
       delivering mail before the Postfix SMTP server slows down all its
       responses.

       ·      With Postfix version 2.1 and later, the Postfix SMTP server
              delays all responses by $smtpd_error_sleep_time seconds.

       ·      With Postfix versions 2.0 and earlier, the Postfix SMTP server
              delays all responses by (number of errors) seconds.


smtpd_starttls_timeout (default: see postconf -d output)

10518       The time limit for Postfix SMTP server write and read operations during
10519       TLS startup and shutdown  handshake  procedures.  The  current  default
10520       value  is stress-dependent. Before Postfix version 2.8, it was fixed at
10521       300s.
10522
10523       This feature is available in Postfix 2.2 and later.
10524

smtpd_timeout (default: normal: 300s, overload: 10s)

10526       The time limit for sending a  Postfix  SMTP  server  response  and  for
10527       receiving  a  remote SMTP client request. Normally the default limit is
10528       300s, but it changes under overload to just 10s. With Postfix  2.5  and
10529       earlier, the SMTP server always uses a time limit of 300s by default.
10530
10531       Note:  if you set SMTP time limits to very large values you may have to
10532       update the global ipc_timeout parameter.
10533
10534       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
10535       The default time unit is s (seconds).
10536

smtpd_tls_CAfile (default: empty)

10538       A  file  containing (PEM format) CA certificates of root CAs trusted to
10539       sign either remote SMTP client certificates or intermediate CA certifi‐
10540       cates.   These are loaded into memory before the smtpd(8) server enters
10541       the chroot jail. If the number of  trusted  roots  is  large,  consider
10542       using smtpd_tls_CApath instead, but note that the latter directory must
10543       be present in the chroot jail if the smtpd(8) server is chrooted.  This
10544       file  may  also  be used to augment the server certificate trust chain,
10545       but it is best to include all the required certificates directly in the
10546       server certificate file.
10547
10548       Specify  "smtpd_tls_CAfile  =  /path/to/system_CA_file" to use ONLY the
10549       system-supplied default Certification Authority certificates.
10550
10551       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
10552       the system-supplied default CAs and trusting third-party certificates.
10553
10554       By  default  (see  smtpd_tls_ask_ccert),  client  certificates  are not
10555       requested, and smtpd_tls_CAfile should remain empty. If you do make use
10556       of client certificates, the distinguished names (DNs) of the Certifica‐
10557       tion Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
10558       client  in  the  client certificate request message. MUAs with multiple
10559       client certificates may use the list of preferred Certification Author‐
10560       ities  to  select  the correct client certificate.  You may want to put
10561       your "preferred" CA or CAs in this file, and install other trusted  CAs
10562       in $smtpd_tls_CApath.
10563
10564       Example:
10565
10566       smtpd_tls_CAfile = /etc/postfix/CAcert.pem
10567
10568       This feature is available in Postfix 2.2 and later.
10569

smtpd_tls_CApath (default: empty)

10571       A directory containing (PEM format) CA certificates of root CAs trusted
10572       to sign either remote SMTP client certificates or intermediate CA  cer‐
10573       tificates. Do not forget to create the necessary "hash" links with, for
10574       example,  "$OPENSSL_HOME/bin/c_rehash   /etc/postfix/certs"  (with
            OpenSSL 1.1.0 and later, "openssl rehash /etc/postfix/certs" does the
            same).  To  use
10575       smtpd_tls_CApath  in  chroot  mode,  this directory (or a copy) must be
10576       inside the chroot jail.
10577
10578       Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to  use  ONLY
10579       the system-supplied default Certification Authority certificates.
10580
10581       Specify  "tls_append_default_CA = no" to prevent Postfix from appending
10582       the system-supplied default CAs and trusting third-party certificates.
10583
10584       By default  (see  smtpd_tls_ask_ccert),  client  certificates  are  not
10585       requested,  and  smtpd_tls_CApath  should  remain empty. In contrast to
10586       smtpd_tls_CAfile,  DNs  of  Certification  Authorities   installed   in
10587       $smtpd_tls_CApath  are  not  included in the client certificate request
10588       message. MUAs with multiple client certificates may  use  the  list  of
10589       preferred  Certification  Authorities to select the correct client cer‐
10590       tificate.   You  may  want  to  put  your  "preferred"  CA  or  CAs  in
10591       $smtpd_tls_CAfile,   and   install   the   remaining   trusted  CAs  in
10592       $smtpd_tls_CApath.
10593
10594       Example:
10595
10596       smtpd_tls_CApath = /etc/postfix/certs
10597
10598       This feature is available in Postfix 2.2 and later.
10599

smtpd_tls_always_issue_session_ids (default: yes)

10601       Force the Postfix SMTP server to issue a TLS session id, even when  TLS
10602       session  caching  is  turned  off  (smtpd_tls_session_cache_database is
10603       empty). This behavior is compatible with Postfix < 2.3.
10604
10605       With Postfix 2.3 and later the Postfix SMTP server can disable  session
10606       id generation when TLS session caching is turned off. This keeps remote
10607       SMTP clients from caching sessions  that  almost  certainly  cannot  be
10608       re-used.
10609
10610       By  default,  the Postfix SMTP server always generates TLS session ids.
10611       This works around a known defect in mail client applications such as MS
10612       Outlook, and may also prevent interoperability issues with other MTAs.
10613
10614       Example:
10615
10616       smtpd_tls_always_issue_session_ids = no
10617
10618       This feature is available in Postfix 2.3 and later.
10619

smtpd_tls_ask_ccert (default: no)

10621       Ask  a remote SMTP client for a client certificate. This information is
10622       needed for certificate based mail relaying with, for example, the  per‐
10623       mit_tls_clientcerts feature.
10624
10625       Some clients such as Netscape will either complain if no certificate is
10626       available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
10627       tiple client certificates to choose from. This may be annoying, so this
10628       option is "off" by default.
10629
10630       This feature is available in Postfix 2.2 and later.
10631

smtpd_tls_auth_only (default: no)

10633       When TLS encryption is optional in the  Postfix  SMTP  server,  do  not
10634       announce or accept SASL authentication over unencrypted connections.
10635
10636       This feature is available in Postfix 2.2 and later.
10637

smtpd_tls_ccert_verifydepth (default: 9)

10639       The  verification depth for remote SMTP client certificates. A depth of
10640       1 is sufficient if the issuing CA is listed in a local CA file.
10641
10642       The default verification depth is 9 (the OpenSSL default) for  compati‐
10643       bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
10644       value was 5, but the limit was not actually enforced. If you  have  set
10645       this  to  a  lower  non-default  value,  certificates with longer trust
10646       chains may now fail to verify. Certificate chains with 1 or 2  CAs  are
10647       common,  deeper  chains  are  more  rare and any number between 5 and 9
10648       should suffice in practice. You can choose a lower number if, for exam‐
10649       ple,  you  trust  certificates directly signed by an issuing CA but not
10650       any CAs it delegates to.
10651
10652       This feature is available in Postfix 2.2 and later.
10653

smtpd_tls_cert_file (default: empty)

10655       File with the Postfix SMTP server RSA certificate in PEM format.   This
10656       file  may  also  contain the Postfix SMTP server private RSA key.  With
10657       Postfix >= 3.4 the preferred way to configure server keys and  certifi‐
10658       cates is via the "smtpd_tls_chain_files" parameter.
10659
10660       Public  Internet  MX hosts without certificates signed by a "reputable"
10661       CA must generate, and  be  prepared  to  present  to  most  clients,  a
10662       self-signed  or  private-CA  signed certificate. The client will not be
10663       able to authenticate the server, but unless it is running  Postfix  2.3
10664       or similar software, it will still insist on a server certificate.
10665
10666       For  servers  that  are  not public Internet MX hosts, Postfix supports
10667       configurations with no certificates. This entails the use of  just  the
10668       anonymous TLS ciphers, which are not supported by typical SMTP clients.
10669       Since some clients may not fall back to plain text after  a  TLS  hand‐
10670       shake failure, a certificate-less Postfix SMTP server will be unable to
10671       receive email from some TLS-enabled clients. To avoid  accidental  con‐
10672       figurations  with  no  certificates,  Postfix  enables certificate-less
10673       operation    only    when    the    administrator    explicitly    sets
10674       "smtpd_tls_cert_file = none". This ensures that new Postfix SMTP server
10675       configurations will not accidentally enable TLS without certificates.
10676
10677       Note that server certificates are not optional in TLS 1.3. To run with‐
10678       out  certificates you'd have to disable the TLS 1.3 protocol by includ‐
10679       ing   '!TLSv1.3'   in   "smtpd_tls_protocols"    and    perhaps    also
10680       "smtpd_tls_mandatory_protocols".  It is simpler instead to just config‐
10681       ure a certificate chain.   Certificate-less  operation  is  not  recom‐
10682       mended.
10683
10684       Both  RSA  and  DSA  certificates  are  supported.  When both types are
10685       present, the cipher used determines which certificate will be presented
10686       to the client.  For Netscape and OpenSSL clients without special cipher
10687       choices the RSA certificate is preferred.
10688
10689       To enable a remote SMTP client to verify the Postfix SMTP  server  cer‐
10690       tificate,  the  issuing  CA  certificates must be made available to the
10691       client. You should include the required certificates in the server cer‐
10692       tificate  file,  the  server  certificate first, then the issuing CA(s)
10693       (bottom-up order).
10694
10695       Example: the certificate for "server.example.com" was issued by "inter‐
10696       mediate  CA"  which  itself has a certificate of "root CA".  Create the
10697       server.pem   file   with   "cat   server_cert.pem   intermediate_CA.pem
10698       root_CA.pem > server.pem".
10699
10700       If you also want to verify client certificates issued by these CAs, you
10701       can add the CA certificates to the smtpd_tls_CAfile, in which  case  it
10702       is   not   necessary   to   have   them   in  the  smtpd_tls_cert_file,
10703       smtpd_tls_dcert_file (obsolete) or smtpd_tls_eccert_file.
10704
10705       A certificate supplied here must be usable as an SSL server certificate
10706       and hence pass the "openssl verify -purpose sslserver ..." test.
10707
10708       Example:
10709
10710       smtpd_tls_cert_file = /etc/postfix/server.pem
10711
10712       This feature is available in Postfix 2.2 and later.
10713

smtpd_tls_chain_files (default: empty)

10715       List  of  one  or more PEM files, each holding one or more private keys
10716       directly followed by a corresponding certificate chain.  The file names
10717       are  separated  by  commas and/or whitespace.  This parameter obsoletes
10718       the legacy algorithm-specific key and certificate file settings.   When
10719       this  parameter  is non-empty, the legacy parameters are ignored, and a
10720       warning is logged if any are also non-empty.
10721
10722       With the proliferation of multiple private key algorithms (which,  as
10723       of OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448) it
10724       is increasingly impractical to use separate parameters to configure the
10725       key  and  certificate chain for each algorithm.  Therefore, Postfix now
10726       supports storing multiple keys and corresponding certificate chains  in
10727       a single file or in a set of files.
10728
10729       Each  key must appear immediately before the corresponding certificate,
10730       optionally followed by additional issuer certificates that complete the
10731       certificate  chain  for  that  key.  When multiple files are specified,
10732       they are equivalent to a single file that is  concatenated  from  those
10733       files  in  the  given order.  Thus, while a key must always precede its
10734       certificate and issuer chain, it can be in a separate file, so long  as
10735       that  file  is listed immediately before the file that holds the corre‐
10736       sponding certificate chain.  Once all the files are  concatenated,  the
10737       sequence  of  PEM  objects must be: key1, cert1, [chain1], key2, cert2,
10738       [chain2], ..., keyN, certN, [chainN].
10739
10740       Storing the private key in the same file as the corresponding  certifi‐
10741       cate is more reliable.  With the key and certificate in separate files,
10742       there is a chance that during key rollover a Postfix process might load
10743       a  private  key  and  certificate from separate files that don't match.
10744       Various operational errors may even result in a persistent broken  con‐
10745       figuration in which the certificate does not match the private key.
10746
10747       The  file  or files must contain at most one key of each type.  If, for
10748       example, two or more RSA keys  and  corresponding  chains  are  listed,
10749       depending  on  the  version of OpenSSL either only the last one will be
10750       used or a configuration  error  may  be  detected.   Note  that  while
10751       "Ed25519"  and  "Ed448" are considered separate algorithms, the various
10752       ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1)  are
10753       considered as different parameters of a single "ECDSA" algorithm, so it
10754       is not presently possible to configure keys for  more  than  one  ECDSA
10755       curve.
10756
10757       RSA  is  still  the  most  widely supported algorithm.  Presently (late
10758       2018), ECDSA support is common, but not yet universal, and Ed25519  and
10759       Ed448 support is mostly absent.  Therefore, an RSA key should generally
10760       be configured, along with any additional keys for the other  algorithms
10761       when desired.
10762
10763       Example  (separate  files  for  each  key and corresponding certificate
10764       chain):
10765
10766           /etc/postfix/main.cf:
10767               smtpd_tls_chain_files =
10768                   ${config_directory}/ed25519.pem,
10769                   ${config_directory}/ed448.pem,
10770                   ${config_directory}/rsa.pem
10771
10772           /etc/postfix/ed25519.pem:
10773               -----BEGIN PRIVATE KEY-----
10774               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
10775               -----END PRIVATE KEY-----
10776               -----BEGIN CERTIFICATE-----
10777               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
10778               ...
10779               nC0egv51YPDWxEHom4QA
10780               -----END CERTIFICATE-----
10781
10782           /etc/postfix/ed448.pem:
10783               -----BEGIN PRIVATE KEY-----
10784               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
10785               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
10786               -----END PRIVATE KEY-----
10787               -----BEGIN CERTIFICATE-----
10788               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
10789               ...
10790               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
10791               -----END CERTIFICATE-----
10792
10793           /etc/postfix/rsa.pem:
10794               -----BEGIN PRIVATE KEY-----
10795               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
10796               ...
10797               ahQkZ3+krcaJvDSMgvu0tDc=
10798               -----END PRIVATE KEY-----
10799               -----BEGIN CERTIFICATE-----
10800               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
10801               ...
10802               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
10803               -----END CERTIFICATE-----
10804
10805       Example (all keys and certificates in a single file):
10806
10807           /etc/postfix/main.cf:
10808               smtpd_tls_chain_files = ${config_directory}/chains.pem
10809
10810           /etc/postfix/chains.pem:
10811               -----BEGIN PRIVATE KEY-----
10812               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
10813               -----END PRIVATE KEY-----
10814               -----BEGIN CERTIFICATE-----
10815               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
10816               ...
10817               nC0egv51YPDWxEHom4QA
10818               -----END CERTIFICATE-----
10819               -----BEGIN PRIVATE KEY-----
10820               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
10821               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
10822               -----END PRIVATE KEY-----
10823               -----BEGIN CERTIFICATE-----
10824               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
10825               ...
10826               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
10827               -----END CERTIFICATE-----
10828               -----BEGIN PRIVATE KEY-----
10829               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
10830               ...
10831               ahQkZ3+krcaJvDSMgvu0tDc=
10832               -----END PRIVATE KEY-----
10833               -----BEGIN CERTIFICATE-----
10834               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
10835               ...
10836               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
10837               -----END CERTIFICATE-----
10838
10839       This feature is available in Postfix 3.4 and later.
10840
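       The ordering rule above (key1, cert1, [chain1], key2, cert2, ..., one key
       per algorithm, all listed files treated as one concatenation) is easy to
       get wrong during key rollover. The following Python script is an added
       example for this page, not part of Postfix: it walks the PEM objects of
       the listed files in order, reads the algorithm OID from each PKCS#8
       PrivateKeyInfo header, and rejects a certificate that is not preceded by
       a key, a key that is not followed by its certificate, an encrypted key,
       and a second key of the same type. It does not decode or verify the
       certificates themselves. The Ed25519 and Ed448 keys in the sample input
       are the ones printed in the example above; the certificate bodies are
       constructed placeholders because the example elides them.

```python
import base64
import re

# Added example (not Postfix code): checks that the PEM objects in the files named
# by smtpd_tls_chain_files follow the documented order key1, cert1, [chain1],
# key2, cert2, [chain2], ... with at most one key per algorithm. Certificates
# are only counted; they are never parsed or verified.

PEM_OBJECT = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# PKCS#8 privateKeyAlgorithm OIDs -> the "key type" Postfix counts. Every ECDSA
# curve maps to the single ECDSA slot; Ed25519 and Ed448 are distinct types.
KEY_ALGORITHMS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10040.4.1": "DSA",
    "1.2.840.10045.2.1": "ECDSA",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}
LEGACY_LABELS = {"RSA PRIVATE KEY": "RSA", "DSA PRIVATE KEY": "DSA",
                 "EC PRIVATE KEY": "ECDSA"}   # traditional OpenSSL PEM labels

def der_tlv(buf, pos=0):
    """Read the DER element at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def pkcs8_algorithm(der):
    """Return the dotted algorithm OID of a PKCS#8 PrivateKeyInfo."""
    tag, info, _ = der_tlv(der)             # PrivateKeyInfo ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    _, _, pos = der_tlv(info)               #   version INTEGER,
    _, alg_id, _ = der_tlv(info, pos)       #   privateKeyAlgorithm SEQUENCE { OID ...
    tag, oid, _ = der_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("privateKeyAlgorithm lacks an OBJECT IDENTIFIER")
    return oid_to_str(oid)

def key_algorithm(label, der):
    """Map a PEM private-key object to its key type (or "unknown")."""
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("private keys must not be pass-phrase protected")
    if label in LEGACY_LABELS:
        return LEGACY_LABELS[label]
    if label == "PRIVATE KEY":
        return KEY_ALGORITHMS.get(pkcs8_algorithm(der), "unknown")
    raise ValueError(f"unexpected PEM object {label!r} where a key was expected")

def check_chain_files(file_texts):
    """file_texts: contents of the files in smtpd_tls_chain_files order.
    Returns [(key type, number of certificates following it), ...] or raises."""
    objects = []                            # the files act as one concatenation
    for text in file_texts:
        for label, body in PEM_OBJECT.findall(text):
            objects.append((label, base64.b64decode("".join(body.split()))))
    found, seen, i = [], set(), 0
    while i < len(objects):
        label, der = objects[i]
        if label == "CERTIFICATE":
            raise ValueError(f"object {i}: certificate without a preceding key")
        alg = key_algorithm(label, der)
        if alg in seen:
            raise ValueError(f"more than one {alg} key configured")
        seen.add(alg)
        i += 1
        if i == len(objects) or objects[i][0] != "CERTIFICATE":
            raise ValueError(f"{alg} key is not directly followed by its certificate")
        ncerts = 0                          # end-entity cert plus any issuer chain
        while i < len(objects) and objects[i][0] == "CERTIFICATE":
            ncerts, i = ncerts + 1, i + 1
        found.append((alg, ncerts))
    return found

# Sample input: the Ed25519 and Ed448 keys are the ones printed in the postconf(5)
# example above; the certificate bodies are constructed placeholders, since the
# example elides them and this check never decodes a certificate.
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"placeholder, not a real certificate").decode()
             + "\n-----END CERTIFICATE-----\n")
ED25519_PEM = ("-----BEGIN PRIVATE KEY-----\n"
               "MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3\n"
               "-----END PRIVATE KEY-----\n" + FAKE_CERT)
ED448_PEM = ("-----BEGIN PRIVATE KEY-----\n"
             "MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe\n"
             "LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==\n"
             "-----END PRIVATE KEY-----\n" + FAKE_CERT + FAKE_CERT)  # cert + issuer
```

       Run it against the real files with check_chain_files([open(p).read()
       for p in paths]) before "postfix reload". It does not detect a key whose
       following certificate was issued for a different key; comparing the
       output of "openssl pkey -in key.pem -pubout" with "openssl x509 -in
       cert.pem -noout -pubkey" covers that case.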

smtpd_tls_cipherlist (default: empty)

10842       Obsolete Postfix < 2.3 control for the Postfix SMTP server  TLS  cipher
10843       list.  It  is  easy  to  create interoperability problems by choosing a
10844       non-default cipher list. Do not use a non-default TLS cipherlist for MX
10845       hosts on the public Internet. Clients that begin the TLS handshake, but
10846       are unable to agree on a common cipher, may not be  able  to  send  any
10847       email  to  the  SMTP server. Using a restricted cipher list may be more
10848       appropriate for a dedicated MSA or an internal mailhub, where  one  can
10849       exert some control over the TLS software and settings of the connecting
10850       clients.
10851
10852       Note: do not use "" quotes around the parameter value.
10853
10854       This feature is available with Postfix version 2.2. It is not used with
10855       Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
10856

smtpd_tls_ciphers (default: medium)

10858       The minimum TLS cipher grade that the Postfix SMTP server will use with
10859       opportunistic    TLS    encryption.    Cipher    types    listed     in
10860       smtpd_tls_exclude_ciphers  are excluded from the base definition of the
10861       selected cipher grade.  The  default  value  is  "medium"  for  Postfix
10862       releases after the middle of 2015, "export" for older releases.
10863
10864       When   TLS   is   mandatory   the   cipher  grade  is  chosen  via  the
10865       smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
10866       tax details.
10867
10868       This  feature is available in Postfix 2.6 and later. With earlier Post‐
10869       fix releases only the smtpd_tls_mandatory_ciphers parameter  is  imple‐
10870       mented, and opportunistic TLS always uses "export" or better (i.e. all)
10871       ciphers.
10872

smtpd_tls_dcert_file (default: empty)

10874       File with the Postfix SMTP server DSA certificate in PEM format.   This
10875       file may also contain the Postfix SMTP server private DSA key.  The DSA
10876       algorithm is obsolete and should not be used.
10877
10878       See the discussion under smtpd_tls_cert_file for more details.
10879
10880       Example:
10881
10882       smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
10883
10884       This feature is available in Postfix 2.2 and later.
10885

smtpd_tls_dh1024_param_file (default: empty)

10887       File with DH parameters that the Postfix SMTP server  should  use  with
10888       non-export EDH ciphers.
10889
10890       Instead  of  using  the  exact  same parameter sets as distributed with
10891       other TLS packages, it is more secure  to  generate  your  own  set  of
10892       parameters with something like the following commands:
10893
10894           openssl dhparam -out /etc/postfix/dh512.pem 512
10895           openssl dhparam -out /etc/postfix/dh1024.pem 1024
10896           openssl dhparam -out /etc/postfix/dh2048.pem 2048
10897
10898       It  is  safe  to  share the same DH parameters between multiple Postfix
10899       instances.  If you prefer, you can  generate  separate  parameters  for
10900       each instance. Note that the 512-bit parameters are only ever  used  by
            export-grade ciphers, which the default "medium" cipher grade excludes.
10901
10902       If  you  want  to  take maximal advantage of ciphers that offer forward
10903       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
10904       full document conveniently presents all information about Postfix "per‐
10905       fect" forward secrecy support in one place: what  forward  secrecy  is,
10906       how to tweak settings, and what you can expect to see when Postfix uses
10907       ciphers with forward secrecy.
10908
10909       Example:
10910
10911       smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
10912
10913       This feature is available with Postfix version 2.2.
10914

smtpd_tls_dh512_param_file (default: empty)

10916       File with DH parameters that the Postfix SMTP server  should  use  with
10917       export-grade  EDH  ciphers.   The  default  SMTP server cipher grade is
10918       "medium" with Postfix releases after the  middle  of  2015,  and  as  a
10919       result export-grade cipher suites are by default not used.
10920
10921       See  also the discussion under the smtpd_tls_dh1024_param_file configu‐
10922       ration parameter.
10923
10924       Example:
10925
10926       smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
10927
10928       This feature is available with Postfix version 2.2.
10929

smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)

10931       File with the Postfix SMTP server DSA private key in PEM format.   This
10932       file  may be combined with the Postfix SMTP server DSA certificate file
10933       specified with $smtpd_tls_dcert_file. The DSA algorithm is obsolete and
10934       should not be used.
10935
10936       The  private key must be accessible without a pass-phrase, i.e. it must
10937       not be encrypted. File permissions should grant read-only access to the
10938       system superuser account ("root"), and no access to anyone else.
10939
10940       This feature is available in Postfix 2.2 and later.
10941

smtpd_tls_eccert_file (default: empty)

10943       File  with  the  Postfix  SMTP  server ECDSA certificate in PEM format.
10944       This file may also contain the Postfix SMTP server private  ECDSA  key.
10945       With Postfix >= 3.4 the preferred way to configure server keys and cer‐
10946       tificates is via the "smtpd_tls_chain_files" parameter.
10947
10948       See the discussion under smtpd_tls_cert_file for more details.
10949
10950       Example:
10951
10952       smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
10953
10954       This feature is available in Postfix 2.6 and  later,  when  Postfix  is
10955       compiled and linked with OpenSSL 1.0.0 or later.
10956

smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file)

10958       File  with  the  Postfix  SMTP  server ECDSA private key in PEM format.
10959       This file may be combined with the Postfix SMTP server  ECDSA  certifi‐
10960       cate  file  specified with $smtpd_tls_eccert_file.  With Postfix >= 3.4
10961       the preferred way to configure server keys and certificates is via  the
10962       "smtpd_tls_chain_files" parameter.
10963
10964       The  private key must be accessible without a pass-phrase, i.e. it must
10965       not be encrypted. File permissions should grant read-only access to the
10966       system superuser account ("root"), and no access to anyone else.
10967
10968       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
10969       compiled and linked with OpenSSL 1.0.0 or later.
10970

smtpd_tls_eecdh_grade (default: see postconf -d output)

10972       The Postfix SMTP server security  grade  for  ephemeral  elliptic-curve
10973       Diffie-Hellman (EECDH) key exchange.
10974
10975       The available choices are:
10976
10977       none   Don't  use  EECDH.  Ciphers  based on EECDH key exchange will be
10978              disabled. This is the default in Postfix versions 2.6 and 2.7.
10979
10980       strong Use EECDH with approximately 128 bits of security at  a  reason‐
10981              able  computational  cost.  This  is  the  current best-practice
10982              trade-off between security and computational efficiency. This is
10983              the default in Postfix version 2.8 and later.
10984
10985       ultra  Use  EECDH  with  approximately 192 bits of security at computa‐
10986              tional cost that is approximately  twice  as  high  as  128  bit
10987              strength  ECC. Barring significant progress in attacks on ellip‐
10988              tic curve crypto-systems, the "strong" curve is  sufficient  for
10989              most users.
10990
10991       auto   Use  the  most  preferred  curve  that  is supported by both the
10992              client and the server.  This setting  requires  Postfix  >=  3.2
10993              compiled  and linked with OpenSSL >= 1.0.2.  This is the default
10994              setting under the above conditions.
10995
10996       If you want to take maximal advantage of  ciphers  that  offer  forward
10997       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
10998       full document conveniently presents all information about Postfix "per‐
10999       fect"  forward  secrecy  support in one place: what forward secrecy is,
11000       how to tweak settings, and what you can expect to see when Postfix uses
11001       ciphers with forward secrecy.
11002
11003       This feature is available in Postfix 2.6 and later, when it is compiled
11004       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11005       have not been disabled by the vendor.
11006

smtpd_tls_exclude_ciphers (default: empty)

11008       List  of ciphers or cipher types to exclude from the SMTP server cipher
11009       list at all TLS security levels. Excluding  valid  ciphers  can  create
11010       interoperability  problems.  DO NOT exclude ciphers unless it is essen‐
11011       tial to do so. This is not an OpenSSL cipherlist; it is a  simple  list
11012       separated  by  whitespace  and/or  commas.  The  elements  are a single
11013       cipher, or one or more "+" separated cipher properties, in  which  case
11014       only ciphers matching all the properties are excluded.
11015
11016       Examples (some of these will cause problems):
11017
11018           smtpd_tls_exclude_ciphers = aNULL
11019           smtpd_tls_exclude_ciphers = MD5, DES
11020           smtpd_tls_exclude_ciphers = DES+MD5
11021           smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
11022           smtpd_tls_exclude_ciphers = kEDH+aRSA
11023
11024       The first setting disables anonymous ciphers. The next setting disables
11025       ciphers that use the MD5 digest algorithm or the (single)  DES  encryp‐
11026       tion  algorithm. The next setting disables ciphers that use MD5 and DES
11027       together.  The next setting disables the two ciphers  "AES256-SHA"  and
11028       "DES-CBC3-MD5".  The  last  setting disables ciphers that use "EDH" key
11029       exchange with RSA authentication.
11030
11031       This feature is available in Postfix 2.3 and later.
11032
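       As an added example (Python, not Postfix code) of the list syntax just
       described: Postfix splits the value on whitespace and commas and appends
       each element to the OpenSSL cipherlist as "!element", so "+"-joined
       properties remove only cipher suites that carry all of them, while
       comma-separated elements remove the union of their matches. The property
       table is constructed for illustration from the key-exchange,
       authentication, encryption and MAC labels that OpenSSL uses; it is not a
       complete cipher list.

```python
import re

# Added example (not Postfix code): models how an smtpd_tls_exclude_ciphers
# value is applied to the cipher suites OpenSSL offers.

def exclude_elements(value):
    """Split the Postfix list syntax: whitespace and/or commas, no quotes."""
    return [e for e in re.split(r"[\s,]+", value.strip()) if e]

def openssl_exclusions(value):
    """The suffix Postfix appends to the OpenSSL cipherlist for this setting."""
    return ":".join("!" + e for e in exclude_elements(value))

def is_excluded(name, properties, value):
    """True if suite `name` with the given property set is removed by `value`:
    an element is either an exact suite name or an AND of '+'-joined properties."""
    for element in exclude_elements(value):
        if element == name or all(p in properties for p in element.split("+")):
            return True
    return False

def apply_exclusions(suites, value):
    """Return the suite names that survive the exclusion list, in order."""
    return [name for name, props in suites if not is_excluded(name, props, value)]

# Constructed property table in the spirit of "openssl ciphers -v" output
# (Kx, Au, Enc, Mac); illustrative, not exhaustive. Note that "DES" means
# single DES: the 3DES suite does not carry it.
SUITES = [
    ("AES256-SHA",         {"kRSA", "aRSA", "AES256", "SHA1"}),
    ("DHE-RSA-AES128-SHA", {"kEDH", "aRSA", "AES128", "SHA1"}),
    ("ADH-AES128-SHA",     {"kEDH", "aNULL", "AES128", "SHA1"}),
    ("DES-CBC3-MD5",       {"kRSA", "aRSA", "3DES", "MD5"}),
    ("DES-CBC-MD5",        {"kRSA", "aRSA", "DES", "MD5"}),
    ("DES-CBC-SHA",        {"kRSA", "aRSA", "DES", "SHA1"}),
]
```

       With this table, "MD5, DES" removes three suites (any MD5 MAC or any
       single-DES cipher), whereas "DES+MD5" removes only DES-CBC-MD5, which is
       the difference the text describes between the second and third examples.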

smtpd_tls_fingerprint_digest (default: md5)

11034       The message digest algorithm to construct remote  SMTP  client-certifi‐
11035       cate  fingerprints  or  public key fingerprints (Postfix 2.9 and later)
11036       for check_ccert_access and permit_tls_clientcerts.  The  default  algo‐
11037       rithm  is  md5, for backwards compatibility with Postfix releases prior
11038       to 2.5.
11039
11040       Advances in hash function cryptanalysis have led to  md5  being  depre‐
11041       cated in favor of sha1.  However, as long as there are no known "second
11042       pre-image" attacks against md5, its use in this context  can  still  be
11043       considered safe. Because the digest only has to agree between this pa‐
            rameter and the fingerprints stored in your  access  tables  (the  remote
            client is not involved), choosing a stronger digest such as  sha256  has
            no interoperability cost.
11044
11045       While  additional  digest algorithms are often available with OpenSSL's
11046       libcrypto, only those used by libssl in SSL cipher suites are available
11047       to Postfix.
11048
11049       To find the fingerprint of a specific certificate file, with a specific
11050       digest algorithm (substitute the algorithm, e.g. "-sha1" or "-sha256",
            for "-digest" below), run:
11051
11052           $ openssl x509 -noout -fingerprint -digest -in certfile.pem
11053
11054       The text to the right of "=" sign  is  the  desired  fingerprint.   For
11055       example:
11056
11057           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
11058           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
11059
11060       To  extract  the  public key fingerprint from an X.509 certificate, you
11061       need to extract the public key from the  certificate  and  compute  the
11062       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
11063       key" option of the "x509" command extracts the  public  key  always  in
11064       "PEM"  format.  We pipe the result to another OpenSSL command that con‐
11065       verts the key to DER and then to the "dgst" command to compute the fin‐
11066       gerprint.
11067
11068       The  actual  command  to transform the key to DER format depends on the
11069       version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey"  com‐
11070       mand  supports  all  key types. With OpenSSL 0.9.8 and earlier, the key
11071       type is always RSA (nobody uses DSA, and EC keys  are  not  fully  sup‐
11072       ported by 0.9.8), so the "rsa" command is used.
11073
11074           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
11075           $ openssl x509 -in cert.pem -noout -pubkey |
11076               openssl pkey -pubin -outform DER |
11077               openssl dgst -sha1 -c
11078           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
11079
11080           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
11081           $ openssl x509 -in cert.pem -noout -pubkey |
11082               openssl rsa -pubin -outform DER |
11083               openssl dgst -md5 -c
11084           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
11085
       The Postfix SMTP server and client log the peer (leaf) certificate
       fingerprint and public key fingerprint when the TLS loglevel is 2 or
       higher.

       Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint
       incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6
       or later.
11093
11094       Example: client-certificate access table, with sha1 fingerprints:
11095
11096           /etc/postfix/main.cf:
11097               smtpd_tls_fingerprint_digest = sha1
11098               smtpd_client_restrictions =
11099                   check_ccert_access hash:/etc/postfix/access,
11100                   reject
11101           /etc/postfix/access:
11102               # Action folded to next line...
11103               AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
11104                   OK
11105               85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
11106                   permit_auth_destination
11107
11108       This feature is available in Postfix 2.5 and later.
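
       The two fingerprint computations above and the folded access(5) table,
       as an added Python example that is not part of Postfix or this manual.
       It walks the certificate's DER structure to the SubjectPublicKeyInfo
       (the bytes "openssl pkey -pubin -outform DER" emits), formats digests
       the way Postfix logs and looks them up, and parses the access table
       with its folded action lines. The certificate it builds is a constructed,
       unsigned skeleton that only exists to exercise the parser; the walk
       assumes the single-byte DER tags that X.509 certificates use.

```python
import base64
import hashlib
import re

def pem_to_der(pem_text):
    """DER bytes of the first PEM block in pem_text."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))

def _tlv(buf, pos):
    """One DER element at pos -> (tag, value_start, value_end); single-byte tags, definite lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_public_key_info(cert_der):
    """DER SubjectPublicKeyInfo of a certificate: the bytes that "openssl pkey
    -pubin -outform DER" writes and whose digest is the public key fingerprint."""
    tag, pos, _ = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, pos, _ = _tlv(cert_der, pos)            # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                         # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)          # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:end]

def fingerprint(der, digest="sha1"):
    """Digest as the colon-separated upper-case hex that Postfix logs and looks up."""
    return ":".join(f"{b:02X}" for b in hashlib.new(digest, der).digest())

def fingerprints(pem_text, digest="sha1"):
    """(certificate fingerprint, public key fingerprint) for a PEM certificate."""
    der = pem_to_der(pem_text)
    return fingerprint(der, digest), fingerprint(subject_public_key_info(der), digest)

def parse_access_table(text):
    """access(5) source -> {fingerprint: action}. '#' lines are comments; a line
    that starts with whitespace continues the previous logical line, which is
    how the "Action folded to next line" entries above are read."""
    table, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if key is None:
                raise ValueError("continuation line before any key")
            table[key] = (table[key] + " " + raw.strip()).strip()
            continue
        parts = raw.split(None, 1)
        key = parts[0].upper()                 # this example matches case-insensitively
        table[key] = parts[1].strip() if len(parts) > 1 else ""
    return table

def check_ccert_access(fp, table):
    """Action for a client certificate fingerprint, or None if it is not listed."""
    return table.get(fp.upper())

# ---- constructed sample input: a structurally valid but unsigned skeleton ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def constructed_cert():
    """X.509 v3 skeleton with a toy RSA key and an all-zero signature.
    Returns (cert_der, spki_der)."""
    oid = lambda h: _der(0x06, bytes.fromhex(h))
    name = _der(0x30, _der(0x31, _der(0x30, oid("550403") + _der(0x13, b"mail.example"))))
    sig_alg = _der(0x30, oid("2a864886f70d01010b"))                  # sha256WithRSAEncryption
    rsa_key = _der(0x30, _der(0x02, b"\x11") + _der(0x02, b"\x03"))  # toy RSAPublicKey {n, e}
    spki = _der(0x30, _der(0x30, oid("2a864886f70d010101") + _der(0x05, b""))  # rsaEncryption
                + _der(0x03, b"\x00" + rsa_key))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(32))), spki

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_ACCESS_TABLE = """\
# Action folded to next line...
AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
    OK
85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
    permit_auth_destination
"""
```

       Run against a real certificate file, fingerprints(open("cert.pem").read())
       gives the same two values as the openssl pipelines above.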
11109

smtpd_tls_key_file (default: $smtpd_tls_cert_file)

11111       File  with the Postfix SMTP server RSA private key in PEM format.  This
11112       file may be combined with the Postfix SMTP server RSA certificate  file
11113       specified with $smtpd_tls_cert_file.  With Postfix >= 3.4 the preferred
11114       way  to  configure  server   keys   and   certificates   is   via   the
11115       "smtpd_tls_chain_files" parameter.
11116
11117       The  private key must be accessible without a pass-phrase, i.e. it must
11118       not be encrypted. File permissions should grant read-only access to the
11119       system superuser account ("root"), and no access to anyone else.
11120

smtpd_tls_loglevel (default: 0)

       Enable additional Postfix SMTP server logging of TLS activity. Each
       logging level also includes the information that is logged at a lower
       logging level.

              0 Disable logging of TLS activity.

              1 Log only a summary message on TLS handshake completion - no
              logging of client certificate trust-chain verification errors
              if client certificate verification is not required. With
              Postfix 2.8 and earlier, log the summary message, peer
              certificate summary information and unconditionally log
              trust-chain verification errors.

              2 Also log levels during TLS negotiation.

              3 Also log hexadecimal and ASCII dump of TLS negotiation
              process.

              4 Also log hexadecimal and ASCII dump of complete transmission
              after STARTTLS.

       Do not use "smtpd_tls_loglevel = 2" or higher except in case of
       problems. Use of loglevel 4 is strongly discouraged.

       This feature is available in Postfix 2.2 and later.
11147

smtpd_tls_mandatory_ciphers (default: medium)

       The minimum TLS cipher grade that the Postfix SMTP server will use
       with mandatory TLS encryption. The default grade ("medium") is
       sufficiently strong that any benefit from globally restricting TLS
       sessions to a more stringent grade is likely negligible, especially
       given the fact that many implementations still do not offer any
       stronger ("high" grade) ciphers, while those that do, will always use
       "high" grade ciphers. So insisting on "high" grade ciphers is
       generally counter-productive. Allowing "export" or "low" ciphers is
       typically not a good idea, as systems limited to just these are
       limited to obsolete browsers. No known SMTP clients fail to support at
       least one "medium" or "high" grade cipher.

       The following cipher grades are supported:

       export Enable "EXPORT" grade or stronger OpenSSL ciphers. The
              underlying cipherlist is specified via the tls_export_cipherlist
              configuration parameter, which you are strongly encouraged to
              not change. This choice is insecure and SHOULD NOT be used.

       low    Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
              cipherlist is specified via the tls_low_cipherlist
              configuration parameter, which you are strongly encouraged to
              not change. This choice is insecure and SHOULD NOT be used.

       medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
              128-bit or longer symmetric bulk-encryption keys. This is the
              default minimum strength for mandatory TLS encryption. The
              underlying cipherlist is specified via the
              tls_medium_cipherlist configuration parameter, which you are
              strongly encouraged to not change.

       high   Enable only "HIGH" grade OpenSSL ciphers. The underlying
              cipherlist is specified via the tls_high_cipherlist
              configuration parameter, which you are strongly encouraged to
              not change.

       null   Enable only the "NULL" OpenSSL ciphers, these provide
              authentication without encryption. This setting is only
              appropriate in the rare case that all clients are prepared to
              use NULL ciphers (not normally enabled in TLS clients). The
              underlying cipherlist is specified via the tls_null_cipherlist
              configuration parameter, which you are strongly encouraged to
              not change.

       Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
       smtpd_tls_exclude_ciphers are excluded from the base definition of the
       selected cipher grade. See smtpd_tls_ciphers for cipher controls that
       apply to opportunistic TLS.

       The underlying cipherlists for grades other than "null" include
       anonymous ciphers, but these are automatically filtered out if the
       server is configured to ask for remote SMTP client certificates. You
       are very unlikely to need to take any steps to exclude anonymous
       ciphers, they are excluded automatically as required. If you must
       exclude anonymous ciphers even when Postfix does not need or use peer
       certificates, set "smtpd_tls_exclude_ciphers = aNULL". To exclude
       anonymous ciphers only when TLS is enforced, set
       "smtpd_tls_mandatory_exclude_ciphers = aNULL".

       This feature is available in Postfix 2.3 and later.
11207

smtpd_tls_mandatory_exclude_ciphers (default: empty)

11209       Additional list of ciphers or cipher types to exclude from the  Postfix
11210       SMTP  server  cipher  list at mandatory TLS security levels.  This list
11211       works    in    addition    to    the     exclusions     listed     with
11212       smtpd_tls_exclude_ciphers (see there for syntax details).
11213
11214       This feature is available in Postfix 2.3 and later.
11215

smtpd_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

       The SSL/TLS protocols accepted by the Postfix SMTP server with
       mandatory TLS encryption. If the list is empty, the server supports
       all available SSL/TLS protocol versions. A non-empty value is a list
       of protocol names separated by whitespace, commas or colons. The
       supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not
       case sensitive. The default value is "!SSLv2, !SSLv3" for Postfix
       releases after the middle of 2015, "!SSLv2" for older releases.

       With Postfix >= 2.5 the parameter syntax was expanded to support
       protocol exclusions. One can explicitly exclude "SSLv2" by setting
       "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
       "SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
       the protocols to include, rather than protocols to exclude, is
       supported, but not recommended. The exclusion form more closely
       matches the underlying OpenSSL interface semantics.

       Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
       "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
       later, these, or any other new protocol versions, cannot be disabled.
       The latest patch levels of Postfix >= 2.6, and all versions of Postfix
       >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

       OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be
       disabled, if need be, via "!TLSv1.3".

       Example:

       # Preferred syntax with Postfix >= 2.5:
       smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
       # Legacy syntax:
       smtpd_tls_mandatory_protocols = TLSv1

       This feature is available in Postfix 2.3 and later.
11251

smtpd_tls_protocols (default: !SSLv2, !SSLv3)

       List of TLS protocols that the Postfix SMTP server will exclude or
       include with opportunistic TLS encryption. The default value is
       "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, empty
       for older releases allowing all protocols to be used with
       opportunistic TLS. A non-empty value is a list of protocol names
       separated by whitespace, commas or colons. The supported protocol
       names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

       Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
       "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
       of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

       OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be
       disabled, if need be, via "!TLSv1.3".

       To include a protocol list its name, to exclude it, prefix the name
       with a "!" character. To exclude SSLv2 for opportunistic TLS set
       "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
       "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the
       protocols to include, rather than protocols to exclude, is supported,
       but not recommended. The exclusion form more closely matches the
       underlying OpenSSL interface semantics.

       Example:
       smtpd_tls_protocols = !SSLv2, !SSLv3

       This feature is available in Postfix 2.6 and later.
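
       The protocol-list syntax shared by smtpd_tls_mandatory_protocols and
       smtpd_tls_protocols, as an added Python example that is not part of
       Postfix or this manual. It models the documented semantics (whitespace,
       comma or colon separators, case-insensitive names, "!" exclusions,
       inclusion lists) and shows why the exclusion form is preferred: against
       a library that defines newer protocol versions, "!SSLv2, !SSLv3" picks
       them up while the legacy "TLSv1" form stays on TLSv1 alone. The two
       library protocol sets are constructed stand-ins, not real OpenSSL
       version tables.

```python
import re

# Canonical protocol names, oldest first; matching is case-insensitive.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_CANONICAL = {p.lower(): p for p in PROTOCOLS}

# Constructed stand-ins for what a linked library offers: an older build with
# only the three names the manual lists, and a newer build that also defines
# TLSv1.1, TLSv1.2 and TLSv1.3.
OLDER_LIBRARY = ["SSLv2", "SSLv3", "TLSv1"]
NEWER_LIBRARY = list(PROTOCOLS)


def parse_protocol_list(value):
    """Split a smtpd_tls_protocols / smtpd_tls_mandatory_protocols value on
    whitespace, commas or colons. Returns (include, exclude): names written
    with a leading "!" are exclusions, the rest are inclusions."""
    include, exclude = set(), set()
    for token in re.split(r"[\s,:]+", value.strip()):
        if not token:
            continue
        name = _CANONICAL.get(token.lstrip("!").lower())
        if name is None:
            # This example rejects names it does not know; the manual does not
            # describe Postfix's own handling of an unknown protocol name.
            raise ValueError(f"unknown protocol name: {token!r}")
        (exclude if token.startswith("!") else include).add(name)
    return include, exclude


def enabled_protocols(value, available):
    """Protocol versions the server ends up negotiating, given the parameter
    value and the versions the linked library supports. This is the example's
    model of the documented semantics: an empty value enables everything the
    library has; a value with only exclusions enables everything else; a value
    that names protocols to include enables only those (minus exclusions)."""
    include, exclude = parse_protocol_list(value)
    offered = set(available)
    chosen = (include & offered) if include else offered
    return [p for p in PROTOCOLS if p in chosen - exclude]


def library_upgrade_effect(value):
    """The same setting against the older and the newer library: the
    exclusion form follows the library's new protocol versions, the inclusion
    form silently stays on what it named."""
    return {
        "older": enabled_protocols(value, OLDER_LIBRARY),
        "newer": enabled_protocols(value, NEWER_LIBRARY),
    }


if __name__ == "__main__":
    for setting in ("!SSLv2, !SSLv3", "TLSv1", ""):
        print(f"{setting!r:20} -> {library_upgrade_effect(setting)}")
```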
11281

smtpd_tls_received_header (default: no)

       Request that the Postfix SMTP server produces Received: message
       headers that include information about the protocol and cipher used,
       as well as the remote SMTP client CommonName and client certificate
       issuer CommonName. This is disabled by default, as the information may
       be modified in transit through other mail servers. Only information
       that was recorded by the final destination can be trusted.

       This feature is available in Postfix 2.2 and later.
11291

smtpd_tls_req_ccert (default: no)

11293       With mandatory TLS encryption, require a  trusted  remote  SMTP  client
11294       certificate  in order to allow TLS connections to proceed.  This option
11295       implies "smtpd_tls_ask_ccert = yes".
11296
11297       When TLS encryption is optional, this setting is ignored with a warning
11298       written to the mail log.
11299
11300       This feature is available in Postfix 2.2 and later.
11301

smtpd_tls_security_level (default: empty)

       The SMTP TLS security level for the Postfix SMTP server; when a
       non-empty value is specified, this overrides the obsolete parameters
       smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
       "smtpd_tls_wrappermode = yes".

       Specify one of the following security levels:

       none   TLS will not be used.

       may    Opportunistic TLS: announce STARTTLS support to remote SMTP
              clients, but do not require that clients use TLS encryption.

       encrypt
              Mandatory TLS encryption: announce STARTTLS support to remote
              SMTP clients, and require that clients use TLS encryption.
              According to RFC 2487 this MUST NOT be applied in case of a
              publicly-referenced SMTP server. Instead, this option should be
              used only on dedicated servers.

       Note 1: the "fingerprint", "verify" and "secure" levels are not
       supported here. The Postfix SMTP server logs a warning and uses
       "encrypt" instead. To verify remote SMTP client certificates, see
       TLS_README for a discussion of the smtpd_tls_ask_ccert,
       smtpd_tls_req_ccert, and permit_tls_clientcerts features.

       Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
       implies "smtpd_tls_auth_only = yes".

       Note 3: when invoked via "sendmail -bs", Postfix will never offer
       STARTTLS due to insufficient privileges to access the server private
       key. This is intended behavior.

       This feature is available in Postfix 2.3 and later.
11336

smtpd_tls_session_cache_database (default: empty)

       Name of the file containing the optional Postfix SMTP server TLS
       session cache. Specify a database type that supports enumeration, such
       as btree or sdbm; there is no need to support concurrent access. The
       file is created if it does not exist. The smtpd(8) daemon does not use
       this parameter directly, rather the cache is implemented indirectly in
       the tlsmgr(8) daemon. This means that per-smtpd-instance master.cf
       overrides of this parameter are not effective. Note, that each of the
       cache databases supported by tlsmgr(8) daemon:
       $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
       (and with Postfix 2.3 and later $lmtp_tls_session_cache_database),
       needs to be stored separately. It is not at this time possible to
       store multiple caches in a single database.

       Note: dbm databases are not suitable. TLS session objects are too
       large.

       As of version 2.5, Postfix no longer uses root privileges when opening
       this file. The file should now be stored under the Postfix-owned
       data_directory. As a migration aid, an attempt to open the file under
       a non-Postfix directory is redirected to the Postfix-owned
       data_directory, and a warning is logged.

       As of Postfix 2.11 the preferred mechanism for session resumption is
       RFC 5077 TLS session tickets, which don't require server-side storage.
       Consequently, for Postfix >= 2.11 this parameter should generally be
       left empty. TLS session tickets require an OpenSSL library (at least
       version 0.9.8h) that provides full support for this TLS extension. See
       also smtpd_tls_session_cache_timeout.

       Example:

       smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

       This feature is available in Postfix 2.2 and later.
11372

smtpd_tls_session_cache_timeout (default: 3600s)

       The expiration time of Postfix SMTP server TLS session cache
       information. A cache cleanup is performed periodically every
       $smtpd_tls_session_cache_timeout seconds. As with
       $smtpd_tls_session_cache_database, this parameter is implemented in
       the tlsmgr(8) daemon and therefore per-smtpd-instance master.cf
       overrides are not possible.

       As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
       session caching is disabled, not just via the database, but also via
       RFC 5077 TLS session tickets, which don't require server-side storage.
       If set to a positive value less than 2 minutes, the minimum value of 2
       minutes is used instead. TLS session tickets require an OpenSSL
       library (at least version 0.9.8h) that provides full support for this
       TLS extension.

       This feature is available in Postfix 2.2 and later, and updated for TLS
       session ticket support in Postfix 2.11.
11390

smtpd_tls_wrappermode (default: no)

       Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
       of using the STARTTLS command.

       If you want to support this service, enable a special port in
       master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
       server's command line. Port 465 (smtps) was once chosen for this
       purpose.

       This feature is available in Postfix 2.2 and later.
11400

smtpd_upstream_proxy_protocol (default: empty)

       The name of the proxy protocol used by an optional before-smtpd proxy
       agent. When a proxy agent is used, this protocol conveys local and
       remote address and port information. Specify
       "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy
       protocol; version 2 is supported with Postfix 3.5 and later.

       NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
       with smtpd_authorized_xclient_hosts. This supports SASL authentication
       in the proxy agent (Postfix 2.9 and later).

       This feature is available in Postfix 2.10 and later.
11413

smtpd_upstream_proxy_timeout (default: 5s)

11415       The   time   limit   for   the   proxy   protocol  specified  with  the
11416       smtpd_upstream_proxy_protocol parameter.
11417
11418       This feature is available in Postfix 2.10 and later.
11419

smtpd_use_tls (default: no)

       Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
       but do not require that clients use TLS encryption.

       Note: when invoked via "sendmail -bs", Postfix will never offer
       STARTTLS due to insufficient privileges to access the server private
       key. This is intended behavior.

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtpd_tls_security_level instead.
11430

smtputf8_autodetect_classes (default: sendmail, verify)

       Detect that a message requires SMTPUTF8 support for the specified mail
       origin classes. This is a workaround to avoid chicken-and-egg problems
       during the initial SMTPUTF8 roll-out in environments with pre-existing
       mail flows that contain UTF8. Those mail flows should not break because
       Postfix suddenly refuses to deliver such mail to down-stream MTAs that
       don't announce SMTPUTF8 support.

       The problem is that Postfix cannot rely solely on the sender's
       declaration that a message requires SMTPUTF8 support, because UTF8 may
       be introduced during local processing (for example, the client
       hostname in Postfix's Received: header, adding @$myorigin or
       .$mydomain to an incomplete address, address rewriting, alias
       expansion, automatic BCC recipients, local forwarding, and changes
       made by header checks or Milter applications).

       For now, the default is to enable "SMTPUTF8 required" autodetection
       only for Postfix sendmail command-line submissions and address
       verification probes. This may change once SMTPUTF8 support achieves
       world domination. However, sites that add UTF8 content via local
       processing (see above) should autodetect the need for SMTPUTF8 support
       for all email.

       Specify one or more of the following:

        sendmail
              Submission with the Postfix sendmail(1) command.

        smtpd Mail received with the smtpd(8) daemon.

        qmqpd Mail received with the qmqpd(8) daemon.

        forward
              Local forwarding or aliasing. When a message is received with
              "SMTPUTF8 required", then the forwarded (aliased) message always
              has "SMTPUTF8 required".

        bounce
              Submission by the bounce(8) daemon. When a message is received
              with "SMTPUTF8 required", then the delivery status notification
              always has "SMTPUTF8 required".

        notify
              Postmaster notification from the smtp(8) or smtpd(8) daemon.

        verify
              Address verification probe from the verify(8) daemon.

        all   Enable SMTPUTF8 autodetection for all mail.

       This feature is available in Postfix 3.0 and later.
11482

smtputf8_enable (default: yes)

       Enable preliminary SMTPUTF8 support for the protocols described in RFC
       6531..6533. This requires that Postfix is built to support these
       protocols.

       This feature is available in Postfix 3.0 and later.
11489

soft_bounce (default: no)

       Safety net to keep mail queued that would otherwise be returned to the
       sender. This parameter disables locally-generated bounces, changes the
       handling of negative responses from remote servers, content filters or
       plugins, and prevents the Postfix SMTP server from rejecting mail
       permanently by changing 5xx reply codes into 4xx. However, soft_bounce
       is no cure for address rewriting mistakes or mail routing mistakes.

       Note: "soft_bounce = yes" is in some cases implemented by modifying
       server responses. Therefore, the response that Postfix logs may differ
       from the response that Postfix actually sends or receives.

       Example:

       soft_bounce = yes
11505

stale_lock_time (default: 500s)

11507       The  time  after  which  a stale exclusive mailbox lockfile is removed.
11508       This is used for delivery to file or mailbox.
11509
11510       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
11511       The default time unit is s (seconds).
11512

stress (default: empty)

11514       This feature is documented in the STRESS_README document.
11515
11516       This feature is available in Postfix 2.5 and later.
11517

strict_7bit_headers (default: no)

11519       Reject  mail  with 8-bit text in message headers. This blocks mail from
11520       poorly written applications.
11521
11522       This feature should not be enabled on a general  purpose  mail  server,
11523       because it is likely to reject legitimate email.
11524
11525       This feature is available in Postfix 2.0 and later.
11526

strict_8bitmime (default: no)

11528       Enable both strict_7bit_headers and strict_8bitmime_body.
11529
11530       This  feature  should  not be enabled on a general purpose mail server,
11531       because it is likely to reject legitimate email.
11532
11533       This feature is available in Postfix 2.0 and later.
11534

strict_8bitmime_body (default: no)

11536       Reject 8-bit message body text  without  8-bit  MIME  content  encoding
11537       information.  This blocks mail from poorly written applications.
11538
11539       Unfortunately,  this  also rejects majordomo approval requests when the
11540       included request contains valid 8-bit MIME mail, and it rejects bounces
11541       from  mailers  that do not MIME encapsulate 8-bit content (for example,
11542       bounces from qmail or from old versions of Postfix).
11543
11544       This feature should not be enabled on a general  purpose  mail  server,
11545       because it is likely to reject legitimate email.
11546
11547       This feature is available in Postfix 2.0 and later.
11548

strict_mailbox_ownership (default: yes)

11550       Defer  delivery when a mailbox file is not owned by its recipient.  The
11551       default setting is not backwards compatible.
11552
11553       This feature is available in Postfix 2.5.3 and later.
11554

strict_mime_encoding_domain (default: no)

11556       Reject mail with invalid Content-Transfer-Encoding: information for the
11557       message/*  or  multipart/*  MIME  content types.  This blocks mail from
11558       poorly written software.
11559
11560       This feature should not be enabled on a general  purpose  mail  server,
11561       because it will reject mail after a single violation.
11562
11563       This feature is available in Postfix 2.0 and later.
11564

strict_rfc821_envelopes (default: no)

       Require that addresses received in SMTP MAIL FROM and RCPT TO commands
       are enclosed with <>, and that those addresses do not contain RFC 822
       style comments or phrases. This stops mail from poorly written
       software.

       By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
       and RCPT TO addresses.
11573

strict_smtputf8 (default: no)

11575       Enable  stricter enforcement of the SMTPUTF8 protocol. The Postfix SMTP
11576       server accepts UTF8 sender or recipient addresses only when the  client
11577       requests an SMTPUTF8 mail transaction.
11578
11579       This feature is available in Postfix 3.0 and later.
11580

sun_mailtool_compatibility (default: no)

       Obsolete SUN mailtool compatibility feature. Instead, use
       "mailbox_delivery_lock = dotlock".
11584

swap_bangpath (default: yes)

       Enable the rewriting of "site!user" into "user@site". This is
       necessary if your machine is connected to UUCP networks. It is enabled
       by default.

       Note: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Example:

       swap_bangpath = no
11608

syslog_facility (default: mail)

11610       The  syslog  facility of Postfix logging. Specify a facility as defined
11611       in syslog.conf(5). The default facility is "mail".
11612
11613       Warning: a non-default syslog_facility setting takes effect only  after
11614       a  Postfix process has completed initialization.  Errors during process
11615       initialization will be logged with the default facility.  Examples  are
11616       errors  while  parsing  the  command  line  arguments, and errors while
11617       accessing the Postfix main.cf configuration file.
11618

syslog_name (default: see postconf -d output)

11620       A prefix that is prepended to the process name in  syslog  records,  so
11621       that, for example, "smtpd" becomes "prefix/smtpd".
11622
11623       Warning:  a  non-default  syslog_name setting takes effect only after a
11624       Postfix process has completed  initialization.  Errors  during  process
11625       initialization  will  be  logged  with  the  default name. Examples are
11626       errors while parsing the  command  line  arguments,  and  errors  while
11627       accessing the Postfix main.cf configuration file.
11628

tcp_windowsize (default: 0)

       An optional workaround for routers that break TCP window scaling.
       Specify a value > 0 and < 65536 to enable this feature. With Postfix
       TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
       Postfix master(8) daemon.

       To change this parameter without stopping Postfix, you need to first
       terminate all Postfix TCP servers:

           # postconf -e master_service_disable=inet
           # postfix reload

       This immediately terminates all processes that accept network
       connections. Next, you enable Postfix TCP servers with the updated
       tcp_windowsize setting:

           # postconf -e tcp_windowsize=65535 master_service_disable=
           # postfix reload

       If you skip these steps with a running Postfix system, then the
       tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
       lmtp(8)).

       This feature is available in Postfix 2.6 and later.
11653

tls_append_default_CA (default: no)

11655       Append the system-supplied default Certification Authority certificates
11656       to the ones specified with *_tls_CApath or *_tls_CAfile.   The  default
11657       is  "no";  this prevents Postfix from trusting third-party certificates
11658       and giving them relay permission with permit_tls_all_clientcerts.
11659
11660       This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,  2.7.2  and
11661       later  versions.  Specify  "tls_append_default_CA  = yes" for backwards
11662       compatibility, to avoid breaking certificate  verification  with  sites
11663       that don't use permit_tls_all_clientcerts.
11664

tls_daemon_random_bytes (default: 32)

11666       The  number  of pseudo-random bytes that an smtp(8) or smtpd(8) process
11667       requests from the tlsmgr(8) server in order to seed its internal pseudo
11668       random number generator (PRNG).  The default of 32 bytes (equivalent to
11669       256 bits) is sufficient to generate a 128bit (or 168bit) session key.
11670
11671       This feature is available in Postfix 2.2 and later.
11672

tls_dane_digest_agility (default: on)

11674       Configure RFC7671 DANE TLSA digest algorithm agility.   Do  not  change
11675       this setting from its default value.
11676
11677       See Section 8 of RFC7671 for correct key rotation procedures.
11678
11679       This feature is available in Postfix 2.11 through 3.1.  Postfix 3.2 and
11680       later ignore this configuration parameter and behave as though it  were
11681       set to "on".
11682

tls_dane_digests (default: sha512 sha256)

11684       DANE  TLSA  (RFC  6698,  RFC  7671, RFC 7672) resource-record "matching
11685       type" digest algorithms in descending preference order.  All the speci‐
11686       fied  algorithms  must  be supported by the underlying OpenSSL library,
11687       otherwise the Postfix SMTP client will not support DANE TLSA security.
11688
11689       Specify a list of digest names separated by commas  and/or  whitespace.
11690       Each  digest  name  may  be followed by an optional "=<number>" suffix.
11691       For example, "sha512"  may  instead  be  specified  as  "sha512=2"  and
11692       "sha256"  may  instead be specified as "sha256=1".  The optional number
11693       must match the IANA-assigned TLSA matching type number for the algorithm
11694       in question (see
11695       https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types).
11696       Postfix checks this constraint for the algorithms it knows about.
11697       Additional matching type algorithms registered with IANA can be added
11698       with explicit numbers, provided they are supported by OpenSSL.
11699
11700       Invalid  list  elements are logged with a warning and disable DANE sup‐
11701       port.  TLSA RRs that specify digests  not  included  in  the  list  are
11702       ignored with a warning.
11703
11704       Note:  It  is  unwise to omit sha256 from the digest list.  This digest
11705       algorithm is the only mandatory-to-implement digest algorithm  in  RFC
11706       6698, and many servers are expected to publish TLSA records with  just
11707       sha256 digests.  Unless one of the standard digests is seriously
11708       compromised and servers have had ample time to update their TLSA
11709       records, you should not omit any standard digest; just arrange them in
11710       order from strongest to weakest.
11711
11712       This feature is available in Postfix 2.11 and later.
11713
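The list syntax and the client-side rules described above (name=number validation against the IANA registry, rejection of unsupported or inconsistent elements, ignoring TLSA records whose matching type is not configured, and the RFC 7671 section 8 digest agility that tls_dane_digest_agility refers to), as an added example in Python. This is illustration code, not Postfix's implementation: "supported by the crypto library" is modelled with hashlib, the SubjectPublicKeyInfo bytes are a constructed placeholder rather than a real key, and only the digest matching types (1 and 2 by default) are modelled, not matching type 0 (Full).

```python
import hashlib
import re

# IANA "TLSA Matching Types" values for the digests this example knows about
# (https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types).
IANA_MATCHING_TYPES = {"sha256": 1, "sha512": 2}


def parse_tls_dane_digests(value):
    """Parse a tls_dane_digests value such as "sha512 sha256" or "sha512=2, sha256=1".

    Returns [(digest_name, matching_type), ...] in descending preference order.
    Raises ValueError for an invalid element; Postfix logs a warning and
    disables DANE support in that case.
    """
    digests = []
    for element in re.split(r"[\s,]+", value.strip()):
        if not element:
            continue
        name, _, number = element.partition("=")
        name = name.lower()
        # "Supported by the underlying library" is modelled with hashlib here.
        if name not in hashlib.algorithms_available:
            raise ValueError(f"digest {name!r} is not supported by the crypto library")
        if number:
            if not number.isdigit():
                raise ValueError(f"bad matching type number in {element!r}")
            mtype = int(number)
            # For algorithms we know, the explicit number must equal the IANA value.
            if name in IANA_MATCHING_TYPES and IANA_MATCHING_TYPES[name] != mtype:
                raise ValueError(f"{name}={mtype} conflicts with IANA matching type "
                                 f"{IANA_MATCHING_TYPES[name]}")
        elif name in IANA_MATCHING_TYPES:
            mtype = IANA_MATCHING_TYPES[name]
        else:
            # Additional IANA-registered digests need an explicit "=<number>".
            raise ValueError(f"digest {name!r} requires an explicit matching type number")
        digests.append((name, mtype))
    if not digests:
        raise ValueError("empty digest list")
    return digests


def tlsa_rdata(spki_der, digests, usage=3, selector=1):
    """Presentation-format TLSA RDATA for a DANE-EE(3) SPKI(1) record, one per
    configured digest, strongest first.  spki_der is the DER SubjectPublicKeyInfo."""
    return [f"{usage} {selector} {mtype} {hashlib.new(name, spki_der).hexdigest()}"
            for name, mtype in digests]


def usable_tlsa_records(records, digests):
    """Client-side filtering of published TLSA records.

    records: list of (usage, selector, matching_type, hex_data).
    Records whose matching type is not configured are dropped (Postfix warns).
    Then, per (usage, selector), only records carrying the most preferred
    configured digest are kept (RFC 7671 section 8 digest agility), so a weaker
    digest is never used while a stronger one is available for the same record
    type.
    """
    preference = {mtype: rank for rank, (_, mtype) in enumerate(digests)}
    configured = [r for r in records if r[2] in preference]
    best = {}
    for usage, selector, mtype, _ in configured:
        key = (usage, selector)
        if key not in best or preference[mtype] < preference[best[key]]:
            best[key] = mtype
    return [r for r in configured if best[(r[0], r[1])] == r[2]]


# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo; NOT a real key.
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo bytes, not a real public key"

if __name__ == "__main__":
    digests = parse_tls_dane_digests("sha512 sha256")
    for rr in tlsa_rdata(SAMPLE_SPKI, digests):
        print("_25._tcp.mail.example.com. IN TLSA", rr)
```

Publishing both a sha512 and a sha256 record per key, as the main routine prints, is what lets clients with either configuration verify you, while the agility rule makes a client that supports sha512 ignore the sha256 record.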

tls_dane_trust_anchor_digest_enable (default: yes)

11715       Enable  support  for  RFC  6698  (DANE  TLSA)  DNS records that contain
11716       digests of trust-anchors with certificate usage  "2".   Do  not  change
11717       this setting from its default value.
11718
11719       This  feature  is  available  in Postfix 2.11 through 3.1.  It has been
11720       withdrawn in Postfix 3.2, as trust-anchor TLSA records are  now  widely
11721       used  and  have  proved  sufficiently  reliable.  Postfix 3.2 and later
11722       ignore this configuration parameter and behave as though it  were  set
11723       to "yes".
11724

tls_disable_workarounds (default: see postconf -d output)

11726       List or bit-mask of OpenSSL bug work-arounds to disable.
11727
11728       The  OpenSSL  toolkit  includes a set of work-arounds for buggy SSL/TLS
11729       implementations. Applications, such as Postfix, that want  to  maximize
11730       interoperability ask the OpenSSL library to enable the full set of rec‐
11731       ommended work-arounds.
11732
11733       From time to time, it is discovered that a work-around creates a  secu‐
11734       rity  issue,  and  should  no longer be used. If upgrading OpenSSL to a
11735       fixed version is not an option or an upgrade  is  not  available  in  a
11736       timely  manner,  or  in  closed  environments where no buggy clients or
11737       servers exist, it may be appropriate to disable  some  or  all  of  the
11738       OpenSSL  interoperability  work-arounds. This parameter specifies which
11739       bug work-arounds to disable.
11740
11741       If the value of the parameter is a hexadecimal  long  integer  starting
11742       with  "0x", the bug work-arounds corresponding to the bits specified in
11743       its value are removed from the  SSL_OP_ALL  work-around  bit-mask  (see
11744       openssl/ssl.h  and  SSL_CTX_set_options(3)).  You can specify more bits
11745       than are present in SSL_OP_ALL, excess  bits  are  ignored.  Specifying
11746       0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
11747       also be sufficient on 64-bit systems, until  OpenSSL  abandons  support
11748       for  32-bit  systems  and  starts  using  the  high 32 bits of a 64-bit
11749       bug-workaround mask.
11750
11751       Otherwise, the parameter is a white-space or comma  separated  list  of
11752       specific  named bug work-arounds chosen from the list below. It is pos‐
11753       sible that your OpenSSL version includes  new  bug  work-arounds  added
11754       after  your  Postfix source code was last updated, in that case you can
11755       only disable one of these via the hexadecimal syntax above.
11756
11757       CRYPTOPRO_TLSEXT_BUG
11758              New with GOST support in OpenSSL 1.0.0.
11759
11760       DONT_INSERT_EMPTY_FRAGMENTS
11761              See SSL_CTX_set_options(3)
11762
11763       LEGACY_SERVER_CONNECT
11764              See SSL_CTX_set_options(3)
11765
11766       MICROSOFT_BIG_SSLV3_BUFFER
11767              See SSL_CTX_set_options(3)
11768
11769       MICROSOFT_SESS_ID_BUG
11770              See SSL_CTX_set_options(3)
11771
11772       MSIE_SSLV2_RSA_PADDING
11773              also  aliased  as  CVE-2005-2969.  Postfix  2.8  disables   this
11774              work-around  by  default  with OpenSSL versions that may predate
11775              the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
11776
11777       NETSCAPE_CHALLENGE_BUG
11778              See SSL_CTX_set_options(3)
11779
11780       NETSCAPE_REUSE_CIPHER_CHANGE_BUG
11781              also  aliased  as  CVE-2010-4180.  Postfix  2.8  disables   this
11782              work-around  by  default  with OpenSSL versions that may predate
11783              the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.
11784
11785       SSLEAY_080_CLIENT_DH_BUG
11786              See SSL_CTX_set_options(3)
11787
11788       SSLREF2_REUSE_CERT_TYPE_BUG
11789              See SSL_CTX_set_options(3)
11790
11791       TLS_BLOCK_PADDING_BUG
11792              See SSL_CTX_set_options(3)
11793
11794       TLS_D5_BUG
11795              See SSL_CTX_set_options(3)
11796
11797       TLS_ROLLBACK_BUG
11798              See SSL_CTX_set_options(3).  This is disabled in  OpenSSL  0.9.7
11799              and later. Nobody should still be using 0.9.6!
11800
11801       TLSEXT_PADDING
11802              Postfix >= 3.4. See SSL_CTX_set_options(3).
11803
11804       This feature is available in Postfix 2.8 and later.
11805

tls_eecdh_auto_curves (default: see postconf -d output)

11807       The  prioritized  list of elliptic curves supported by the Postfix SMTP
11808       client and server.  These curves are used by the  Postfix  SMTP  server
11809       when  "smtpd_tls_eecdh_grade  =  auto".   The  selected  curves must be
11810       implemented by OpenSSL and be standardized for use in TLS (RFC 4492  or
11811       its  successor  RFC  8422).   It  is unwise to list only "bleeding-edge"
11812       curves supported by a small subset of clients.   The  default  list  is
11813       suitable for most users.
11814
11815       Postfix  skips  curve  names  that  are unknown to OpenSSL, or that are
11816       known but not yet implemented.  This makes it possible to  "anticipate"
11817       support  for curves that should be used once they become available.  In
11818       particular, in some OpenSSL versions, the RFC 7748 curves "X25519"  and
11819       "X448" (adopted for TLS by RFC 8422) may be known by name, but ECDH
11820       support for either or both may be missing.  These curves may appear in
11821       the default value of this parameter, even though they'll only be usable
11822       with later versions of OpenSSL.
11823
11824       This feature is available in Postfix 3.2 and later, when it is compiled
11825       and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
11826       have not been disabled by the vendor.
11827

tls_eecdh_strong_curve (default: prime256v1)

11829       The elliptic curve used by the Postfix SMTP server for sensibly  strong
11830       ephemeral  ECDH  key  exchange.  This curve is used by the Postfix SMTP
11831       server when "smtpd_tls_eecdh_grade  =  strong".  The  phrase  "sensibly
11832       strong"  means  approximately  128-bit  security  based  on  best known
11833       attacks. The selected curve must be implemented by OpenSSL (as reported
11834       by  ecparam(1) with the "-list_curves" option) and be one of the curves
11835       listed in Section 5.1.1 of RFC 4492. You should  not  generally  change
11836       this  setting.   Remote  SMTP  client implementations must support this
11837       curve for EECDH key exchange to take place.  It is unwise to  choose  a
11838       "bleeding-edge" curve supported by only a small subset of clients.
11839
11840       The  default  "strong"  curve  is  rated in NSA Suite B for information
11841       classified up to SECRET.
11842
11843       Note: elliptic curve names are poorly standardized; different standards
11844       groups  are  assigning  different  names to the same underlying curves.
11845       The curve with the X9.62 name "prime256v1" is also known under the SECG
11846       name "secp256r1", but OpenSSL does not recognize the latter name.
11847
11848       If  you  want  to  take maximal advantage of ciphers that offer forward
11849       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
11850       full document conveniently presents all information about Postfix "per‐
11851       fect" forward secrecy support in one place: what  forward  secrecy  is,
11852       how to tweak settings, and what you can expect to see when Postfix uses
11853       ciphers with forward secrecy.
11854
11855       This feature is available in Postfix 2.6 and later, when it is compiled
11856       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11857       have not been disabled by the vendor.
11858

tls_eecdh_ultra_curve (default: secp384r1)

11860       The elliptic curve used by the Postfix SMTP server for maximally strong
11861       ephemeral  ECDH  key  exchange.  This curve is used by the Postfix SMTP
11862       server when "smtpd_tls_eecdh_grade  =  ultra".  The  phrase  "maximally
11863       strong"  means  approximately  192-bit  security  based  on  best known
11864       attacks.  This additional strength comes at a significant computational
11865       cost,  most  users should instead set "smtpd_tls_eecdh_grade = strong".
11866       The selected curve must be  implemented  by  OpenSSL  (as  reported  by
11867       ecparam(1)  with  the  "-list_curves"  option) and be one of the curves
11868       listed in Section 5.1.1 of RFC 4492. You should  not  generally  change
11869       this setting.
11870
11871       The  default  "ultra"  curve  is  rated in NSA Suite B for information
11872       classified up to TOP SECRET.
11873
11874       If you want to take maximal advantage of  ciphers  that  offer  forward
11875       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
11876       full document conveniently presents all information about Postfix "per‐
11877       fect"  forward  secrecy  support in one place: what forward secrecy is,
11878       how to tweak settings, and what you can expect to see when Postfix uses
11879       ciphers with forward secrecy.
11880
11881       This feature is available in Postfix 2.6 and later, when it is compiled
11882       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11883       have not been disabled by the vendor.
11884

tls_export_cipherlist (default: see postconf -d output)

11886       The  OpenSSL  cipherlist  for  "export"  or  higher grade ciphers. This
11887       defines the meaning  of  the  "export"  setting  in  smtpd_tls_ciphers,
11888       smtpd_tls_mandatory_ciphers,      smtp_tls_ciphers,     smtp_tls_manda‐
11889       tory_ciphers, lmtp_tls_ciphers, and  lmtp_tls_mandatory_ciphers.   With
11890       Postfix  releases  before  the  middle  of  2015  this  is  the default
11891       cipherlist for the opportunistic ("may") TLS client security level  and
11892       also  the  default  cipherlist  for  the  SMTP server. You are strongly
11893       encouraged to not change this setting.
11894
11895       This feature is available in Postfix 2.3 and later.
11896

tls_fast_shutdown_enable (default: yes)

11898       A workaround for implementations that hang Postfix while shutting  down
11899       a TLS session, until Postfix times out. With this enabled, Postfix will
11900       not wait for the remote TLS peer to respond to a TLS "close" notification
11901       (the close_notify alert) before closing the connection.
11902
11903       This feature is available in Postfix 3.4 and later.
11904

tls_high_cipherlist (default: see postconf -d output)

11903       The OpenSSL cipherlist for "high" grade ciphers. This defines the mean‐
11904       ing  of  the  "high"  setting  in  smtpd_tls_ciphers,  smtpd_tls_manda‐
11905       tory_ciphers,       smtp_tls_ciphers,       smtp_tls_mandatory_ciphers,
11906       lmtp_tls_ciphers,  and  lmtp_tls_mandatory_ciphers.  You  are  strongly
11907       encouraged to not change this setting.
11908
11909       This feature is available in Postfix 2.3 and later.
11910

tls_legacy_public_key_fingerprints (default: no)

11912       A temporary migration aid for sites  that  use  certificate  public-key
11913       fingerprints  with  Postfix  2.9.0..2.9.5, which use an incorrect algo‐
11914       rithm. This parameter has no effect on the certificate fingerprint sup‐
11915       port that is available since Postfix 2.2.
11916
11917       Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
11918       a  migration  from   configuration   files   with   incorrect   Postfix
11919       2.9.0..2.9.5 certificate public-key fingerprints, to the correct
11920       fingerprints used by Postfix 2.9.6 and later.  To compute the correct
11921       certificate public-key fingerprints, see TLS_README.
11922
11923       This feature is available in Postfix 2.9.6 and later.
11924

tls_low_cipherlist (default: see postconf -d output)

11926       The  OpenSSL cipherlist for "low" or higher grade ciphers. This defines
11927       the meaning of the "low" setting in smtpd_tls_ciphers, smtpd_tls_manda‐
11928       tory_ciphers,       smtp_tls_ciphers,       smtp_tls_mandatory_ciphers,
11929       lmtp_tls_ciphers,  and  lmtp_tls_mandatory_ciphers.  You  are  strongly
11930       encouraged to not change this setting.
11931
11932       This feature is available in Postfix 2.3 and later.
11933

tls_medium_cipherlist (default: see postconf -d output)

11935       The  OpenSSL  cipherlist  for  "medium"  or  higher grade ciphers. This
11936       defines the meaning  of  the  "medium"  setting  in  smtpd_tls_ciphers,
11937       smtpd_tls_mandatory_ciphers,      smtp_tls_ciphers,     smtp_tls_manda‐
11938       tory_ciphers, lmtp_tls_ciphers, and  lmtp_tls_mandatory_ciphers.   This
11939       is  the  default  cipherlist  for  mandatory  TLS encryption in the TLS
11940       client (with anonymous ciphers disabled when verifying server  certifi‐
11941       cates).   This  is  the  default  cipherlist for opportunistic TLS with
11942       Postfix releases after the middle of 2015.  You are strongly encouraged
11943       to not change this setting.
11944
11945       This feature is available in Postfix 2.3 and later.
11946

tls_null_cipherlist (default: eNULL:!aNULL)

11948       The  OpenSSL cipherlist for "NULL" grade ciphers that provide authenti‐
11949       cation without encryption. This defines the meaning of the "null"  set‐
11950       ting  in  smtpd_tls_mandatory_ciphers,  smtp_tls_mandatory_ciphers  and
11951       lmtp_tls_mandatory_ciphers.  You are strongly encouraged to not  change
11952       this setting.
11953
11954       This feature is available in Postfix 2.3 and later.
11955

tls_preempt_cipherlist (default: no)

11957       With  SSLv3  and later, use the Postfix SMTP server's cipher preference
11958       order instead of the remote client's cipher preference order.
11959
11960       By default, the OpenSSL server  selects  the  client's  most  preferred
11961       cipher  that  the server supports. With SSLv3 and later, the server may
11962       choose its own most preferred cipher that is supported (offered) by the
11963       client.  Setting  "tls_preempt_cipherlist  = yes" enables server cipher
11964       preferences.
11965
11966       While server cipher selection may in some cases lead to a  more  secure
11967       or  performant  cipher  choice,  there is some risk of interoperability
11968       issues. In the past,  some  SSL  clients  have  listed  lower  priority
11969       ciphers  that they did not implement correctly. If the server chooses a
11970       cipher that the client prefers less,  it  may  select  a  cipher  whose
11971       client  implementation  is  flawed. Most notably Windows 2003 Microsoft
11972       Exchange servers have flawed  implementations  of  DES-CBC3-SHA,  which
11973       OpenSSL  considers stronger than RC4-SHA.  Enabling server cipher-suite
11974       selection may create interoperability issues with Windows  2003  Micro‐
11975       soft Exchange clients.
11976
11977       This feature is available in Postfix 2.8 and later, in combination with
11978       OpenSSL 0.9.7 and later.
11979

tls_random_bytes (default: 32)

11981       The number of bytes that tlsmgr(8) reads from  $tls_random_source  when
11982       (re)seeding  the  in-memory pseudo random number generator (PRNG) pool.
11983       The default of 32 bytes (256 bits) is good enough for 128bit  symmetric
11984       keys.  If using EGD or a device file, a maximum of 255 bytes is read.
11985
11986       This feature is available in Postfix 2.2 and later.
11987

tls_random_exchange_name (default: see postconf -d output)

11989       Name  of  the  pseudo random number generator (PRNG) state file that is
11990       maintained by tlsmgr(8). The file is created when it  does  not  exist,
11991       and its length is fixed at 1024 bytes.
11992
11993       As  of version 2.5, Postfix no longer uses root privileges when opening
11994       this file, and the  default  file  location  was  changed  from  ${con‐
11995       fig_directory}/prng_exch  to  ${data_directory}/prng_exch.  As a migra‐
11996       tion aid, an attempt to open the file under a non-Postfix directory  is
11997       redirected  to  the  Postfix-owned  data_directory,  and  a  warning is
11998       logged.
11999
12000       This feature is available in Postfix 2.2 and later.
12001

tls_random_prng_update_period (default: 3600s)

12003       The time between attempts by tlsmgr(8) to save the state of the  pseudo
12004       random  number  generator  (PRNG)  to the file specified with $tls_ran‐
12005       dom_exchange_name.
12006
12007       This feature is available in Postfix 2.2 and later.
12008

tls_random_reseed_period (default: 3600s)

12010       The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
12011       pseudo  random number generator (PRNG) pool from external sources.  The
12012       actual time between re-seeding attempts is calculated using  the  PRNG,
12013       and is between 0 and the time specified.
12014
12015       This feature is available in Postfix 2.2 and later.
12016

tls_random_source (default: see postconf -d output)

12018       The  external  entropy source for the in-memory tlsmgr(8) pseudo random
12019       number generator (PRNG) pool. Be sure to specify a non-blocking source.
12020       If  this  source is not a regular file, the entropy source type must be
12021       prepended:  egd:/path/to/egd_socket for a source  with  EGD  compatible
12022       socket interface, or dev:/path/to/device for a device file.
12023
12024       Note:  on  OpenBSD systems specify /dev/arandom when /dev/urandom gives
12025       timeout errors.
12026
12027       This feature is available in Postfix 2.2 and later.
12028

tls_server_sni_maps (default: empty)

12030       Optional lookup tables that map names received from remote SMTP clients
12031       via  the  TLS Server Name Indication (SNI) extension to the appropriate
12032       keys and certificate chains.  This  parameter  is  implemented  in  the
12033       Postfix  TLS  library, and applies to both smtpd(8) and the SMTP server
12034       mode of tlsproxy(8).
12035
12036       When this parameter is non-empty, the Postfix SMTP server  enables  SNI
12037       extension  processing,  and  logs  SNI values that are invalid or don't
12038       match an entry in the specified tables.  When an entry does  match,
12039       the  SNI name is logged as part of the connection summary at log levels
12040       1 and higher.
12041
12042       The lookup key is either the verbatim SNI domain name  or  an  ancestor
12043       domain prefixed with a leading dot.  For internationalized domains, the
12044       lookup key must be in IDNA 2008 A-label form (as required  in  the  TLS
12045       SNI extension).
12046
12047       The   syntax   of   the   lookup   value   is  the  same  as  with  the
12048       smtp_tls_chain_files parameter (see there for additional details),  but
12049       here  scoped to just TLS connections in which the client sends a match‐
12050       ing SNI domain name.
12051
12052       Example:
12053
12054           /etc/postfix/main.cf:
12055               #
12056               # The indexed SNI table must be created with "postmap -F"
12057               #
12058               indexed = ${default_database_type}:${config_directory}/
12059               tls_server_sni_maps = ${indexed}sni
12060
12061           /etc/postfix/sni:
12062               #
12063               # The example.com domain has both an RSA and ECDSA certificate
12064               # chain.  The chain files MUST start with the private key,
12065               # with the certificate chain next, starting with the leaf
12066               # (server) certificate, and then the issuer certificates.
12067               #
12068               example.com /etc/postfix/sni-chains/rsa2048.example.com.pem,
12069                           /etc/postfix/sni-chains/ecdsa-p256.example.com.pem
12070               #
12071               # The example.net domain has a wildcard certificate, and two
12072               # additional DNS names.  So its certificate chain is also used
12073               # with any subdomain, plus the additional names.
12074               #
12075               example.net /etc/postfix/sni-chains/example.net.pem
12076               .example.net /etc/postfix/sni-chains/example.net.pem
12077               example.info /etc/postfix/sni-chains/example.net.pem
12078               example.org /etc/postfix/sni-chains/example.net.pem
12079
12080       Note that the SNI lookup  tables  should  also  have  entries  for  the
12081       domains  that  correspond to the Postfix SMTP server's default certifi‐
12082       cate(s). This ensures that the remote SMTP client's TLS  SNI  extension
12083       gets  a  positive  response  when  it specifies one of the Postfix SMTP
12084       server's default domains, and ensures that the Postfix SMTP server will
12085       not  log  an  SNI  name  mismatch  for such a domain.  The Postfix SMTP
12086       server's default certificates are then only used when the client  sends
12087       no SNI or when it sends SNI with a domain that the server knows no cer‐
12088       tificate(s) for.
12089
12090       The mapping from an SNI domain name to a certificate chain is indirect.
12091       In  the  input  source files for "cdb", "hash", "btree" or other tables
12092       that are converted to on-disk indexed files via postmap(1),  the  value
12093       specified for each key is a list of filenames.  When postmap(1) is used
12094       with the -F option, the generated table stores for each lookup key  the
12095       base64-encoded  contents of the associated files.  When querying tables
12096       via postmap -Fq, the table value is decoded from base64,  yielding  the
12097       original file content, plus a new line.
12098
12099       With  "regexp",  "pcre",  "inline",  "texthash",  "static"  and similar
12100       tables that are interpreted at run-time,  and  don't  have  a  separate
12101       source  format,  the table value is again a list of files that are loaded
12102       into memory when the table is opened.
12103
12104       With tables whose content is managed outside of Postfix, such as  LDAP,
12105       MySQL, PostgreSQL, socketmap and tcp, the value must be a concatenation
12106       of the desired PEM keys and certificate chains, that  is  then  further
12107       encoded  to yield a single-line base64 string.  Creation of such tables
12108       and secure storage (the value includes private key material)  are  out‐
12109       side the responsibility of Postfix.
12110
12111       With  "socketmap"  and "tcp" the data will be transmitted in the clear,
12112       and there is no query access control, so these are generally unsuitable
12113       for  storing  SNI  chains.  With LDAP and SQL, you should restrict read
12114       access and use TLS to protect the sensitive data in transit.
12115
12116       Typically there is only one private key and its chain  of  certificates
12117       starting  with  the  "leaf"  certificate corresponding to that key, and
12118       continuing with the appropriate intermediate  issuer  CA  certificates,
12119       with  each  certificate  ideally  followed by its issuer.  Servers that
12120       have keys and certificates for more than one algorithm (e.g.   both  an
12121       RSA  key and an ECDSA key, or even RSA, ECDSA and Ed25519) can use mul‐
12122       tiple chains concatenated together, with the key always  listed  before
12123       the corresponding certificates.
12124
12125       This feature is available in Postfix 3.4 and later.
12126
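The indirect mapping described above (a source file listing key and chain files per SNI name, "postmap -F" storing the base64 of the concatenated file contents, "postmap -Fq" decoding it back with a trailing newline, and the server-side lookup of the verbatim name followed by each ancestor domain with a leading dot), as an added example in Python that emulates those steps in memory. It is not Postfix or postmap code: the PEM file contents are constructed placeholders rather than real keys or certificates, file reading is injected so nothing is read from disk, and the lookup order is the one the text describes.

```python
import base64

# Constructed placeholders for the key+chain files named in the example table
# above.  They are NOT real keys or certificates; only the PEM framing is real.
CHAIN_FILES = {
    "/etc/postfix/sni-chains/rsa2048.example.com.pem":
        "-----BEGIN PRIVATE KEY-----\nRSA-KEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
        "-----BEGIN CERTIFICATE-----\nRSA-LEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "/etc/postfix/sni-chains/ecdsa-p256.example.com.pem":
        "-----BEGIN PRIVATE KEY-----\nEC-KEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
        "-----BEGIN CERTIFICATE-----\nEC-LEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "/etc/postfix/sni-chains/example.net.pem":
        "-----BEGIN PRIVATE KEY-----\nNET-KEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
        "-----BEGIN CERTIFICATE-----\nNET-WILDCARD-LEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n",
}

# The /etc/postfix/sni source file from the example above.
SNI_SOURCE = """\
# Comments and blank lines are ignored; a line that starts with whitespace
# continues the previous logical line.
example.com /etc/postfix/sni-chains/rsa2048.example.com.pem,
            /etc/postfix/sni-chains/ecdsa-p256.example.com.pem

example.net /etc/postfix/sni-chains/example.net.pem
.example.net /etc/postfix/sni-chains/example.net.pem
example.info /etc/postfix/sni-chains/example.net.pem
example.org /etc/postfix/sni-chains/example.net.pem
"""


def logical_lines(text):
    """Join continuation lines and drop comments/blank lines, as postmap(1) does."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def build_sni_table(source, read_file):
    """Emulate "postmap -F": for each key, store the single-line base64 of the
    concatenated contents of the listed files (comma and/or whitespace separated).
    read_file(path) -> str is injected so the example runs without touching disk."""
    table = {}
    for line in logical_lines(source):
        key, file_list = line.split(None, 1)
        paths = file_list.replace(",", " ").split()
        pem = "".join(read_file(path) for path in paths)
        table[key.lower()] = base64.b64encode(pem.encode()).decode("ascii")
    return table


def query_sni_table(table, sni_name):
    """Emulate the server-side lookup for one SNI value: the verbatim name first,
    then each ancestor domain with a leading dot.  Returns the decoded PEM plus a
    trailing newline (what "postmap -Fq" prints), or None when there is no entry.
    Non-ASCII names are rejected: the wire form of SNI is an A-label."""
    name = sni_name.lower().rstrip(".")
    if not name or not name.isascii():
        return None          # Postfix logs such an SNI value as invalid
    candidates = [name]
    dot = name.find(".")
    while dot != -1:
        candidates.append(name[dot:])   # ".example.net", then ".net"
        dot = name.find(".", dot + 1)
    for key in candidates:
        if key in table:
            return base64.b64decode(table[key]).decode() + "\n"
    return None


if __name__ == "__main__":
    table = build_sni_table(SNI_SOURCE, CHAIN_FILES.__getitem__)
    for sni in ("example.com", "mx1.example.net", "example.com.mx1.example.net",
                "www.example.com"):
        pem = query_sni_table(table, sni)
        print(sni, "->", "no entry (default certificate is used)" if pem is None
              else f"{pem.count('BEGIN PRIVATE KEY')} key(s) in chain")
```

Note that "www.example.com" gets no entry because the table has "example.com" but no ".example.com" line: the server then falls back to its default certificate, exactly the case the paragraph above about default-domain entries warns about.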

tls_session_ticket_cipher (default: Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)

12129       Algorithm used to encrypt RFC5077 TLS session tickets.  This  algorithm
12130       must  use  CBC  mode,  have  a  128-bit block size, and must have a key
12131       length between 128 and 256 bits.  The default is aes-256-cbc.  Overrid‐
12132       ing the default to choose a different algorithm is discouraged.
12133
12134       Setting  this  parameter  empty  disables session ticket support in the
12135       Postfix SMTP server.  Another way to disable session ticket support  is
12136       via the tls_ssl_options parameter.
12137
12138       This feature is available in Postfix 3.0 and later.
12139

tls_ssl_options (default: empty)

12141       List or bit-mask of OpenSSL options to enable.
12142
12143       The  OpenSSL  toolkit  provides  a set of options that applications can
12144       enable to tune the OpenSSL behavior.  Some of these work around bugs in
12145       other  implementations and are on by default.  You can use the tls_dis‐
12146       able_workarounds parameter to selectively disable some or  all  of  the
12147       bug  work-arounds, making OpenSSL more strict at the cost of non-inter‐
12148       operability with SSL clients or servers that exhibit the bugs.
12149
12150       Other options are off by default, and typically enable or disable  fea‐
12151       tures rather than bug work-arounds.  These may be turned on (with care)
12152       via the tls_ssl_options parameter.  The value is a white-space or comma
12153       separated  list of named options chosen from the list below.  The names
12154       are not case-sensitive, you can use  lower-case  if  you  prefer.   The
12155       upper case values below match the corresponding macro name in the ssl.h
12156       header file with the SSL_OP_ prefix removed.  It is possible that  your
12157       OpenSSL  version  includes  new options added after your Postfix source
12158       code was last updated, in that case you can only enable  one  of  these
12159       via the hexadecimal syntax below.
12160
12161       You  should only enable features via the hexadecimal mask when the need
12162       to control the feature is critical (to deal with a new vulnerability or
12163       a  serious  interoperability  problem).  Postfix DOES NOT promise back‐
12164       wards compatible behavior with respect to the  mask  bits.   A  feature
12165       enabled  via the mask in one release may be enabled by other means in a
12166       later release, and the mask bit will then be ignored.   Therefore,  use
12167       of the hexadecimal mask is only a temporary measure until a new Postfix
12168       or OpenSSL release provides a better solution.
12169
12170       If the value of the parameter is a hexadecimal  long  integer  starting
12171       with "0x", the options corresponding to the bits specified in its value
12172       are enabled (see openssl/ssl.h and  SSL_CTX_set_options(3)).   You  can
12173       only  enable  options not already controlled by other Postfix settings.
12174       For example, you cannot disable protocols or enable server cipher
12175       preference.  Do not attempt to turn on all features by specifying
12176       0xFFFFFFFF; this is unlikely to be a good idea.  Some bug work-arounds are also
12177       valid  here,  allowing  them to be re-enabled if/when they're no longer
12178       enabled by default.  The supported values include:
12179
12180       ENABLE_MIDDLEBOX_COMPAT
12181              Postfix >= 3.4. See SSL_CTX_set_options(3).
12182
12183       LEGACY_SERVER_CONNECT
12184              See SSL_CTX_set_options(3).
12185
12186       NO_TICKET
12187              Enabled by default when needed in fully-patched Postfix >=  2.7.
12188              Not  needed  at  all for Postfix >= 2.11, unless for some reason
12189              you do not want to support TLS session resumption.  Best not set
12190              explicitly.  See SSL_CTX_set_options(3).
12191
12192       NO_COMPRESSION
12193              Disable  SSL  compression  even  if  supported  by  the  OpenSSL
12194              library.  Compression is CPU-intensive, and compression  before
12195              encryption leaks information about the plaintext (the basis of
12196              the CRIME attack on TLS), so it is best left disabled.
12196
12197       NO_RENEGOTIATION
12198              Postfix  >=  3.4.  This can reduce opportunities for a potential
12199              CPU exhaustion attack.  See SSL_CTX_set_options(3).
12200
12201       NO_SESSION_RESUMPTION_ON_RENEGOTIATION
12202              Postfix >= 3.4. See SSL_CTX_set_options(3).
12203
12204       PRIORITIZE_CHACHA
12205              Postfix >= 3.4. See SSL_CTX_set_options(3).
12206
12207       This feature is available in Postfix 2.11 and later.
12208

tls_wildcard_matches_multiple_labels (default: yes)

       Match multiple DNS labels with "*" in wildcard certificates.

       Some mail service providers prepend the customer domain name to a base
       domain for which they have a wildcard TLS certificate.  For example,
       the MX records for example.com hosted by example.net may be:

           example.com. IN MX 0 example.com.mx1.example.net.
           example.com. IN MX 0 example.com.mx2.example.net.

       and the TLS certificate may be for "*.example.net".  The "*" then
       corresponds with multiple labels in the mail server domain name.  While
       multi-label wildcards are not widely supported, and are not blessed by
       any standard, there is little to be gained by disallowing their use in
       this context.

       Notes:

       ·      In a certificate name, the "*" is special only when it is used
              as the first label.

       ·      While Postfix (2.11 or later) can match "*" with multiple domain
              name labels, other implementations likely will not.

       ·      Earlier Postfix implementations behave as if
              "tls_wildcard_matches_multiple_labels = no".

       This feature is available in Postfix 2.11 and later.
12237
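       The matching rules above, as an added example that is not Postfix's own
       certificate-name code: "*" counts only when it is the whole first label,
       it never covers zero labels, and the multiple_labels flag switches
       between the Postfix >= 2.11 behaviour (one or more labels) and the
       single-label behaviour of earlier releases and of most other
       implementations.  Comparison is case-insensitive and a trailing root
       dot is ignored; both are assumptions of this example.

```python
def _labels(name):
    """Lower-case DNS labels, without a trailing root dot (assumption)."""
    return name.lower().rstrip(".").split(".")


def cert_name_matches(cert_name, server_name, multiple_labels=True):
    """Return True when a certificate name (possibly "*.example.net")
    matches the server name that was connected to.

    Rules implemented:
      * "*" is special only when it is the entire first label; "mx*" or a
        "*" in any later label is compared literally.
      * A wildcard never matches an empty run of labels, so
        "*.example.net" does not match "example.net" itself.
      * multiple_labels=True lets "*" stand for one or more labels
        (tls_wildcard_matches_multiple_labels = yes); False requires
        exactly one label (the behaviour before Postfix 2.11).
    """
    cert = _labels(cert_name)
    host = _labels(server_name)
    if not cert or not host:
        return False
    if cert[0] != "*":
        return cert == host          # no wildcard: exact label-wise match
    suffix = cert[1:]
    if not suffix or len(host) <= len(suffix):
        return False                 # nothing left for "*" to cover
    if host[-len(suffix):] != suffix:
        return False                 # base domain differs
    covered = len(host) - len(suffix)   # labels absorbed by "*"
    return covered >= 1 if multiple_labels else covered == 1


if __name__ == "__main__":
    # The MX example from the text: a two-label prefix under *.example.net.
    mx = "example.com.mx1.example.net"
    print("multi-label:", cert_name_matches("*.example.net", mx))
    print("single-label:", cert_name_matches("*.example.net", mx, multiple_labels=False))
```

       The second note in the text is the operational consequence: a name
       like example.com.mx1.example.net passes with the default setting here
       but would fail verification in a client that applies the single-label
       rule, so a provider relying on this should not expect interoperability.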

tlsmgr_service_name (default: tlsmgr)

       The name of the tlsmgr(8) service entry in master.cf.  This service
       maintains TLS session caches and other information in support of TLS.

       This feature is available in Postfix 2.11 and later.


tlsproxy_client_CAfile (default: $smtp_tls_CAfile)

       A file containing CA certificates of root CAs trusted to sign either
       remote TLS server certificates or intermediate CA certificates.  See
       smtp_tls_CAfile for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_CApath (default: $smtp_tls_CApath)

       Directory with PEM format Certification Authority certificates that the
       Postfix tlsproxy(8) client uses to verify a remote TLS server
       certificate.  See smtp_tls_CApath for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_cert_file (default: $smtp_tls_cert_file)

       File with the Postfix tlsproxy(8) client RSA certificate in PEM format.
       See smtp_tls_cert_file for further details.  The preferred way to
       configure tlsproxy client keys and certificates is via the
       "tlsproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_chain_files (default: $smtp_tls_chain_files)

       Files with the Postfix tlsproxy(8) client keys and certificate chains
       in PEM format.  See smtp_tls_chain_files for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_dcert_file (default: $smtp_tls_dcert_file)

       File with the Postfix tlsproxy(8) client DSA certificate in PEM format.
       See smtp_tls_dcert_file for further details.  DSA is obsolete and
       should not be used.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_dkey_file (default: $smtp_tls_dkey_file)

       File with the Postfix tlsproxy(8) client DSA private key in PEM format.
       See smtp_tls_dkey_file for further details.  DSA is obsolete and should
       not be used.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_eccert_file (default: $smtp_tls_eccert_file)

       File with the Postfix tlsproxy(8) client ECDSA certificate in PEM
       format.  See smtp_tls_eccert_file for further details.  The preferred
       way to configure tlsproxy client keys and certificates is via the
       "tlsproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_eckey_file (default: $smtp_tls_eckey_file)

       File with the Postfix tlsproxy(8) client ECDSA private key in PEM
       format.  See smtp_tls_eckey_file for further details.  The preferred
       way to configure tlsproxy client keys and certificates is via the
       "tlsproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_enforce_tls (default: $smtp_enforce_tls)

       Enforcement mode: require that SMTP servers use TLS encryption.  See
       smtp_enforce_tls for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_fingerprint_digest (default: $smtp_tls_fingerprint_digest)

       The message digest algorithm used to construct remote TLS server
       certificate fingerprints.  See smtp_tls_fingerprint_digest for further
       details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_key_file (default: $smtp_tls_key_file)

       File with the Postfix tlsproxy(8) client RSA private key in PEM format.
       See smtp_tls_key_file for further details.  The preferred way to
       configure tlsproxy client keys and certificates is via the
       "tlsproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_loglevel (default: $smtp_tls_loglevel)

       Enable additional Postfix tlsproxy(8) client logging of TLS activity.
       See smtp_tls_loglevel for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_loglevel_parameter (default: smtp_tls_loglevel)

       The name of the parameter that provides the tlsproxy_client_loglevel
       value.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_per_site (default: $smtp_tls_per_site)

       Optional lookup tables with the Postfix tlsproxy(8) client TLS usage
       policy by next-hop destination and by remote TLS server hostname.  See
       smtp_tls_per_site for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_policy_maps (default: $smtp_tls_policy_maps)

       Optional lookup tables with the Postfix tlsproxy(8) client TLS security
       policy by next-hop destination.  See smtp_tls_policy_maps for further
       details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_scert_verifydepth (default: $smtp_tls_scert_verifydepth)

       The verification depth for remote TLS server certificates.  See
       smtp_tls_scert_verifydepth for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_security_level (default: $smtp_tls_security_level)

       The default TLS security level for the Postfix tlsproxy(8) client.  See
       smtp_tls_security_level for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_client_use_tls (default: $smtp_use_tls)

       Opportunistic mode: use TLS when a remote server announces TLS support.
       See smtp_use_tls for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_enforce_tls (default: $smtpd_enforce_tls)

       Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
       require that clients use TLS encryption.  See smtpd_enforce_tls for
       further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_service_name (default: tlsproxy)

       The name of the tlsproxy(8) service entry in master.cf.  This service
       performs plaintext <=> TLS ciphertext conversion.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_CAfile (default: $smtpd_tls_CAfile)

       A file containing (PEM format) CA certificates of root CAs trusted to
       sign either remote SMTP client certificates or intermediate CA
       certificates.  See smtpd_tls_CAfile for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_CApath (default: $smtpd_tls_CApath)

       A directory containing (PEM format) CA certificates of root CAs trusted
       to sign either remote SMTP client certificates or intermediate CA
       certificates.  See smtpd_tls_CApath for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_always_issue_session_ids (default: $smtpd_tls_always_issue_session_ids)

       Force the Postfix tlsproxy(8) server to issue a TLS session id, even
       when TLS session caching is turned off.  See
       smtpd_tls_always_issue_session_ids for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_ask_ccert (default: $smtpd_tls_ask_ccert)

       Ask a remote SMTP client for a client certificate.  See
       smtpd_tls_ask_ccert for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_ccert_verifydepth (default: $smtpd_tls_ccert_verifydepth)

       The verification depth for remote SMTP client certificates.  A depth of
       1 is sufficient if the issuing CA is listed in a local CA file.  See
       smtpd_tls_ccert_verifydepth for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_cert_file (default: $smtpd_tls_cert_file)

       File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
       This file may also contain the Postfix tlsproxy(8) server private RSA
       key.  See smtpd_tls_cert_file for further details.  With Postfix >= 3.4
       the preferred way to configure tlsproxy server keys and certificates is
       via the "tlsproxy_tls_chain_files" parameter.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_chain_files (default: $smtpd_tls_chain_files)

       Files with the Postfix tlsproxy(8) server keys and certificate chains
       in PEM format.  See smtpd_tls_chain_files for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_tls_ciphers (default: $smtpd_tls_ciphers)

       The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
       use with opportunistic TLS encryption.  See smtpd_tls_ciphers for
       further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_dcert_file (default: $smtpd_tls_dcert_file)

       File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
       This file may also contain the Postfix tlsproxy(8) server private DSA
       key.  DSA is obsolete and should not be used.  See smtpd_tls_dcert_file
       for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_dh1024_param_file (default: $smtpd_tls_dh1024_param_file)

       File with DH parameters that the Postfix tlsproxy(8) server should use
       with non-export EDH ciphers.  See smtpd_tls_dh1024_param_file for
       further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_dh512_param_file (default: $smtpd_tls_dh512_param_file)

       File with DH parameters that the Postfix tlsproxy(8) server should use
       with export-grade EDH ciphers.  See smtpd_tls_dh512_param_file for
       further details.  The default SMTP server cipher grade is "medium" with
       Postfix releases after the middle of 2015, and as a result export-grade
       cipher suites are by default not used.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_dkey_file (default: $smtpd_tls_dkey_file)

       File with the Postfix tlsproxy(8) server DSA private key in PEM format.
       This file may be combined with the Postfix tlsproxy(8) server DSA
       certificate file specified with $smtpd_tls_dcert_file.  DSA is obsolete
       and should not be used.  See smtpd_tls_dkey_file for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_eccert_file (default: $smtpd_tls_eccert_file)

       File with the Postfix tlsproxy(8) server ECDSA certificate in PEM
       format.  This file may also contain the Postfix tlsproxy(8) server
       private ECDSA key.  See smtpd_tls_eccert_file for further details.
       With Postfix >= 3.4 the preferred way to configure tlsproxy server keys
       and certificates is via the "tlsproxy_tls_chain_files" parameter.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_eckey_file (default: $smtpd_tls_eckey_file)

       File with the Postfix tlsproxy(8) server ECDSA private key in PEM
       format.  This file may be combined with the Postfix tlsproxy(8) server
       ECDSA certificate file specified with $smtpd_tls_eccert_file.  See
       smtpd_tls_eckey_file for further details.  With Postfix >= 3.4 the
       preferred way to configure tlsproxy server keys and certificates is via
       the "tlsproxy_tls_chain_files" parameter.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_eecdh_grade (default: $smtpd_tls_eecdh_grade)

       The Postfix tlsproxy(8) server security grade for ephemeral
       elliptic-curve Diffie-Hellman (EECDH) key exchange.  See
       smtpd_tls_eecdh_grade for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_exclude_ciphers (default: $smtpd_tls_exclude_ciphers)

       List of ciphers or cipher types to exclude from the tlsproxy(8) server
       cipher list at all TLS security levels.  See smtpd_tls_exclude_ciphers
       for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_fingerprint_digest (default: $smtpd_tls_fingerprint_digest)

       The message digest algorithm to construct remote SMTP client-certificate
       fingerprints.  See smtpd_tls_fingerprint_digest for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_key_file (default: $smtpd_tls_key_file)

       File with the Postfix tlsproxy(8) server RSA private key in PEM format.
       This file may be combined with the Postfix tlsproxy(8) server RSA
       certificate file specified with $smtpd_tls_cert_file.  See
       smtpd_tls_key_file for further details.  With Postfix >= 3.4 the
       preferred way to configure tlsproxy server keys and certificates is via
       the "tlsproxy_tls_chain_files" parameter.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_loglevel (default: $smtpd_tls_loglevel)

       Enable additional Postfix tlsproxy(8) server logging of TLS activity.
       Each logging level also includes the information that is logged at a
       lower logging level.  See smtpd_tls_loglevel for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_mandatory_ciphers (default: $smtpd_tls_mandatory_ciphers)

       The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
       use with mandatory TLS encryption.  See smtpd_tls_mandatory_ciphers for
       further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_mandatory_exclude_ciphers (default: $smtpd_tls_mandatory_exclude_ciphers)

       Additional list of ciphers or cipher types to exclude from the
       tlsproxy(8) server cipher list at mandatory TLS security levels.  See
       smtpd_tls_mandatory_exclude_ciphers for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_mandatory_protocols (default: $smtpd_tls_mandatory_protocols)

       The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with
       mandatory TLS encryption.  If the list is empty, the server supports all
       available SSL/TLS protocol versions.  See smtpd_tls_mandatory_protocols
       for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_protocols (default: $smtpd_tls_protocols)

       List of TLS protocols that the Postfix tlsproxy(8) server will exclude
       or include with opportunistic TLS encryption.  See smtpd_tls_protocols
       for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_req_ccert (default: $smtpd_tls_req_ccert)

       With mandatory TLS encryption, require a trusted remote SMTP client
       certificate in order to allow TLS connections to proceed.  See
       smtpd_tls_req_ccert for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_security_level (default: $smtpd_tls_security_level)

       The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
       non-empty value is specified, this overrides the obsolete parameters
       smtpd_use_tls and smtpd_enforce_tls.  See smtpd_tls_security_level for
       further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_tls_session_cache_timeout (default: $smtpd_tls_session_cache_timeout)

       Obsolete expiration time of Postfix tlsproxy(8) server TLS session
       cache information.  Since the cache is shared with smtpd(8) and managed
       by tlsmgr(8), there is only one expiration time for the SMTP server
       cache shared by all three services, namely
       smtpd_tls_session_cache_timeout.

       This feature is available in Postfix 2.8 and later.


tlsproxy_use_tls (default: $smtpd_use_tls)

       Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
       but do not require that clients use TLS encryption.  See smtpd_use_tls
       for further details.

       This feature is available in Postfix 2.8 and later.


tlsproxy_watchdog_timeout (default: 10s)

       How much time a tlsproxy(8) process may take to process local or remote
       I/O before it is terminated by a built-in watchdog timer.  This is a
       safety mechanism that prevents tlsproxy(8) from becoming non-responsive
       due to a bug in Postfix itself or in system software.  To avoid false
       alarms and unnecessary cache corruption this limit cannot be set under
       10s.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).  Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8 and later.
12601
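       The "integral value plus optional one-letter suffix" syntax above is
       shared by the other time-valued parameters in this section
       (transport_retry_time and trigger_timeout, whose default unit is s).
       The following is an added example, not Postfix's own parser: it
       converts such a value to seconds and applies the documented rules for
       tlsproxy_watchdog_timeout (non-zero, not below 10s).  Whether Postfix
       clamps or refuses a value below the floor is not stated on this page;
       refusing it, as this checker does, is an assumption of the example.

```python
import re

# Unit letters from the manual and their length in seconds.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
WATCHDOG_MINIMUM = "10s"   # "this limit cannot be set under 10s"

# A non-negative integer followed by at most one unit letter.
_TIME_RE = re.compile(r"^(\d+)([smhdw]?)$")


def parse_time_value(value, default_unit="s"):
    """Convert a Postfix time value ("10s", "2m", "1h", "3d", "1w", or a
    bare integer that takes default_unit) to a number of seconds.
    Raises ValueError on anything else, including a fractional or
    negative count and an unknown unit letter."""
    m = _TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed time value: {value!r}")
    count, unit = int(m.group(1)), (m.group(2) or default_unit)
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown time unit: {unit!r}")
    return count * UNIT_SECONDS[unit]


def check_watchdog_timeout(value):
    """Return the effective tlsproxy_watchdog_timeout in seconds, or raise
    ValueError when the value is zero or below the documented 10s floor
    (rejecting rather than clamping is this example's assumption)."""
    seconds = parse_time_value(value)
    if seconds == 0:
        raise ValueError("watchdog timeout must be non-zero")
    floor = parse_time_value(WATCHDOG_MINIMUM)
    if seconds < floor:
        raise ValueError(f"watchdog timeout {value!r} is below {WATCHDOG_MINIMUM}")
    return seconds


def is_acceptable_watchdog_timeout(value):
    """Boolean form of check_watchdog_timeout for quick validation."""
    try:
        check_watchdog_timeout(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("10s", "2m", "60", "5s", "0", "10x"):
        print(f"{candidate:>4} -> acceptable: {is_acceptable_watchdog_timeout(candidate)}")
```

       A bare "60" is accepted as seconds only because the default unit is
       passed explicitly; a caller validating a parameter whose default unit
       differs would pass that unit instead.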

trace_service_name (default: trace)

       The name of the trace service.  This service is implemented by the
       bounce(8) daemon and maintains a record of mail deliveries and produces
       a mail delivery report when verbose delivery is requested with
       "sendmail -v".

       This feature is available in Postfix 2.1 and later.


transport_delivery_slot_cost (default: $default_delivery_slot_cost)

       A transport-specific override for the default_delivery_slot_cost
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_cost parameters will not show up in
       "postconf" command output before Postfix version 2.9.  This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_cost").


transport_delivery_slot_discount (default: $default_delivery_slot_discount)

       A transport-specific override for the default_delivery_slot_discount
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_discount parameters will not show up in
       "postconf" command output before Postfix version 2.9.  This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_discount").


transport_delivery_slot_loan (default: $default_delivery_slot_loan)

       A transport-specific override for the default_delivery_slot_loan
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_loan parameters will not show up in
       "postconf" command output before Postfix version 2.9.  This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_loan").


transport_destination_concurrency_failed_cohort_limit (default: $default_destination_concurrency_failed_cohort_limit)

       A transport-specific override for the
       default_destination_concurrency_failed_cohort_limit parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_failed_cohort_limit
       parameters will not show up in "postconf" command output before Postfix
       version 2.9.  This limitation applies to many parameters whose name is
       a combination of a master.cf service name and a built-in suffix (in
       this case: "_destination_concurrency_failed_cohort_limit").

       This feature is available in Postfix 2.5 and later.


transport_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       A transport-specific override for the
       default_destination_concurrency_limit parameter value, where transport
       is the master.cf name of the message delivery transport.

       Note: some transport_destination_concurrency_limit parameters will not
       show up in "postconf" command output before Postfix version 2.9.  This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_concurrency_limit").


transport_destination_concurrency_negative_feedback (default: $default_destination_concurrency_negative_feedback)

       A transport-specific override for the
       default_destination_concurrency_negative_feedback parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_negative_feedback
       parameters will not show up in "postconf" command output before Postfix
       version 2.9.  This limitation applies to many parameters whose name is
       a combination of a master.cf service name and a built-in suffix (in
       this case: "_destination_concurrency_negative_feedback").

       This feature is available in Postfix 2.5 and later.


transport_destination_concurrency_positive_feedback (default: $default_destination_concurrency_positive_feedback)

       A transport-specific override for the
       default_destination_concurrency_positive_feedback parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_positive_feedback
       parameters will not show up in "postconf" command output before Postfix
       version 2.9.  This limitation applies to many parameters whose name is
       a combination of a master.cf service name and a built-in suffix (in
       this case: "_destination_concurrency_positive_feedback").

       This feature is available in Postfix 2.5 and later.


transport_destination_rate_delay (default: $default_destination_rate_delay)

       A transport-specific override for the default_destination_rate_delay
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: some transport_destination_rate_delay parameters will not show up
       in "postconf" command output before Postfix version 2.9.  This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_rate_delay").

       This feature is available in Postfix 2.5 and later.


transport_destination_recipient_limit (default: $default_destination_recipient_limit)

       A transport-specific override for the
       default_destination_recipient_limit parameter value, where transport is
       the master.cf name of the message delivery transport.

       Note: some transport_destination_recipient_limit parameters will not
       show up in "postconf" command output before Postfix version 2.9.  This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_recipient_limit").


transport_extra_recipient_limit (default: $default_extra_recipient_limit)

       A transport-specific override for the default_extra_recipient_limit
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_extra_recipient_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9.  This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_extra_recipient_limit").


transport_initial_destination_concurrency (default: $initial_destination_concurrency)

       A transport-specific override for the initial_destination_concurrency
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: some transport_initial_destination_concurrency parameters will
       not show up in "postconf" command output before Postfix version 2.9.
       This limitation applies to many parameters whose name is a combination
       of a master.cf service name and a built-in suffix (in this case:
       "_initial_destination_concurrency").

       This feature is available in Postfix 2.5 and later.


transport_maps (default: empty)

       Optional lookup tables with mappings from recipient address to (message
       delivery transport, next-hop destination).  See transport(5) for
       details.

       Specify zero or more "type:table" lookup tables, separated by
       whitespace or comma.  Tables will be searched in the specified order
       until a match is found.  If you use this feature with local files, run
       "postmap /etc/postfix/transport" after making a change.

       Pattern matching of domain names is controlled by the presence or
       absence of "transport_maps" in the parent_domain_matches_subdomains
       parameter value.

       For safety reasons, as of Postfix 2.3 this feature does not allow
       $number substitutions in regular expression maps.

       Examples:

       transport_maps = dbm:/etc/postfix/transport
       transport_maps = hash:/etc/postfix/transport


transport_minimum_delivery_slots (default: $default_minimum_delivery_slots)

       A transport-specific override for the default_minimum_delivery_slots
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_minimum_delivery_slots parameters will not show up in
       "postconf" command output before Postfix version 2.9.  This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_minimum_delivery_slots").


transport_recipient_limit (default: $default_recipient_limit)

       A transport-specific override for the default_recipient_limit parameter
       value, where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_recipient_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9.  This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case: "_recipient_limit").


transport_recipient_refill_delay (default: $default_recipient_refill_delay)

       A transport-specific override for the default_recipient_refill_delay
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_recipient_refill_delay parameters will not show up in
       "postconf" command output before Postfix version 2.9.  This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_recipient_refill_delay").

       This feature is available in Postfix 2.4 and later.


transport_recipient_refill_limit (default: $default_recipient_refill_limit)

       A transport-specific override for the default_recipient_refill_limit
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_recipient_refill_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9.  This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_recipient_refill_limit").

       This feature is available in Postfix 2.4 and later.


transport_retry_time (default: 60s)

       The time between attempts by the Postfix queue manager to contact a
       malfunctioning message delivery transport.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


transport_time_limit (default: $command_time_limit)

       A transport-specific override for the command_time_limit parameter
       value, where transport is the master.cf name of the message delivery
       transport.

       Note: transport_time_limit parameters will not show up in "postconf"
       command output before Postfix version 2.9.  This limitation applies to
       many parameters whose name is a combination of a master.cf service name
       and a built-in suffix (in this case: "_time_limit").


transport_transport_rate_delay (default: $default_transport_rate_delay)

       A transport-specific override for the default_transport_rate_delay
       parameter value, where the initial transport in the parameter name is
       the master.cf name of the message delivery transport.
12837

trigger_timeout (default: 10s)

12839       The  time limit for sending a trigger to a Postfix daemon (for example,
12840       the pickup(8) or qmgr(8) daemon). This  time  limit  prevents  programs
12841       from getting stuck when the mail system is under heavy load.
12842
12843       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
12844       The default time unit is s (seconds).
12845

undisclosed_recipients_header (default: see postconf -d output)

12847       Message header that the Postfix cleanup(8) server inserts when  a  mes‐
12848       sage contains no To: or Cc: message header. With Postfix 2.8 and later,
12849       the default value is empty. With  Postfix  2.4-2.7,  specify  an  empty
12850       value to disable this feature.
12851
12852       Example:
12853
12854       # Default value before Postfix 2.8.
12855       # Note: the ":" and ";" are both required.
12856       undisclosed_recipients_header = To: undisclosed-recipients:;
12857

unknown_address_reject_code (default: 450)

12859       The  numerical  response  code  when  the Postfix SMTP server rejects a
12860       sender or recipient address because its domain is unknown.  This is one
12861       of      the      possible     replies     from     the     restrictions
12862       reject_unknown_sender_domain and reject_unknown_recipient_domain.
12863
12864       Do not change this unless you have  a  complete  understanding  of  RFC
12865       5321.
12866

unknown_address_tempfail_action (default: $reject_tempfail_action)

12868       The  Postfix  SMTP server's action when reject_unknown_sender_domain or
12869       reject_unknown_recipient_domain fail due to a  temporary  error  condi‐
12870       tion.  Specify  "defer" to defer the remote SMTP client request immedi‐
12871       ately. With the default  "defer_if_permit"  action,  the  Postfix  SMTP
12872       server  continues  to look for opportunities to reject mail, and defers
12873       the client request only if it would otherwise be accepted.
12874
12875       This feature is available in Postfix 2.6 and later.
12876

unknown_client_reject_code (default: 450)

12878       The numerical Postfix SMTP server response code when a  client  without
12879       valid    address    <=>    name    mapping    is    rejected   by   the
12880       reject_unknown_client_hostname  restriction.  The  SMTP  server  always
12881       replies  with 450 when the mapping failed due to a temporary error con‐
12882       dition.
12883
12884       Do not change this unless you have  a  complete  understanding  of  RFC
12885       5321.
12886

unknown_helo_hostname_tempfail_action (default: $reject_tempfail_action)

12888       The  Postfix  SMTP  server's  action  when reject_unknown_helo_hostname
12889       fails due to a temporary error condition. Specify "defer" to defer  the
12890       remote SMTP client request immediately. With the default "defer_if_per‐
12891       mit" action, the Postfix SMTP server continues to look  for  opportuni‐
12892       ties  to  reject  mail,  and defers the client request only if it would
12893       otherwise be accepted.
12894
12895       This feature is available in Postfix 2.6 and later.
12896

unknown_hostname_reject_code (default: 450)

12898       The numerical Postfix SMTP server response code when the hostname spec‐
12899       ified   with   the   HELO   or   EHLO   command   is  rejected  by  the
12900       reject_unknown_helo_hostname restriction.
12901
12902       Do not change this unless you have  a  complete  understanding  of  RFC
12903       5321.
12904

unknown_local_recipient_reject_code (default: 550)

12906       The  numerical  Postfix  SMTP  server  response  code  when a recipient
12907       address is local, and $local_recipient_maps specifies a list of  lookup
12908       tables that does not match the recipient.  A recipient address is local
12909       when  its   domain   matches   $mydestination,   $proxy_interfaces   or
12910       $inet_interfaces.
12911
12912       The  default  setting is 550 (reject mail) but it is safer to initially
12913       use 450 (try again later)  so  you  have  time  to  find  out  if  your
12914       local_recipient_maps settings are OK.
12915
12916       Example:
12917
12918       unknown_local_recipient_reject_code = 450
12919
12920       This feature is available in Postfix 2.0 and later.
12921

unknown_relay_recipient_reject_code (default: 550)

12923       The  numerical  Postfix SMTP server reply code when a recipient address
12924       matches $relay_domains, and relay_recipient_maps specifies  a  list  of
12925       lookup tables that does not match the recipient address.
12926
12927       This feature is available in Postfix 2.0 and later.
12928

unknown_virtual_alias_reject_code (default: 550)

12930       The  Postfix  SMTP  server  reply code when a recipient address matches
12931       $virtual_alias_domains, and $virtual_alias_maps  specifies  a  list  of
12932       lookup tables that does not match the recipient address.
12933
12934       This feature is available in Postfix 2.0 and later.
12935

unknown_virtual_mailbox_reject_code (default: 550)

12937       The  Postfix  SMTP  server  reply code when a recipient address matches
12938       $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
12939       lookup tables that does not match the recipient address.
12940
12941       This feature is available in Postfix 2.0 and later.
12942

unverified_recipient_defer_code (default: 450)

12944       The  numerical  Postfix  SMTP  server response when a recipient address
12945       probe fails due to a temporary error condition.
12946
12947       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12948       address anyway.
12949
12950       Do  not  change  this  unless  you have a complete understanding of RFC
12951       5321.
12952
12953       This feature is available in Postfix 2.6 and later.
12954

unverified_recipient_reject_code (default: 450)

12956       The numerical Postfix SMTP server response when a recipient address  is
12957       rejected by the reject_unverified_recipient restriction.
12958
12959       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12960       address anyway.
12961
12962       Do not change this unless you have  a  complete  understanding  of  RFC
12963       5321.
12964
12965       This feature is available in Postfix 2.1 and later.
12966

unverified_recipient_reject_reason (default: empty)

12968       The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
12969       fied_recipient. Do not include the  numeric  SMTP  reply  code  or  the
12970       enhanced  status code. By default, the response includes actual address
12971       verification details.
12972
12973       Example:
12974
12975       unverified_recipient_reject_reason = Recipient address lookup failed
12976
12977       This feature is available in Postfix 2.6 and later.
12978

unverified_recipient_tempfail_action (default: $reject_tempfail_action)

12980       The Postfix SMTP server's action when reject_unverified_recipient fails
12981       due to a temporary error condition. Specify "defer" to defer the remote
12982       SMTP client request immediately.  With  the  default  "defer_if_permit"
12983       action,  the Postfix SMTP server continues to look for opportunities to
12984       reject mail, and defers the client request only if it  would  otherwise
12985       be accepted.
12986
12987       This feature is available in Postfix 2.6 and later.
12988

unverified_sender_defer_code (default: 450)

12990       The  numerical  Postfix SMTP server response code when a sender address
12991       probe fails due to a temporary error condition.
12992
12993       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12994       address anyway.
12995
12996       Do  not  change  this  unless  you have a complete understanding of RFC
12997       5321.
12998
12999       This feature is available in Postfix 2.6 and later.
13000

unverified_sender_reject_code (default: 450)

13002       The numerical Postfix SMTP server response code when a sender address
13003       is rejected by the reject_unverified_sender restriction.
13004
13005       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
13006       address anyway.
13007
13008       Do not change this unless you have  a  complete  understanding  of  RFC
13009       5321.
13010
13011       This feature is available in Postfix 2.1 and later.
13012

unverified_sender_reject_reason (default: empty)

13014       The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
13015       fied_sender. Do not include the numeric SMTP reply code or the enhanced
13016       status code. By default, the response includes actual address verifica‐
13017       tion details.
13018
13019       Example:
13020
13021       unverified_sender_reject_reason = Sender address lookup failed
13022
13023       This feature is available in Postfix 2.6 and later.
13024

unverified_sender_tempfail_action (default: $reject_tempfail_action)

13026       The Postfix SMTP server's action  when  reject_unverified_sender  fails
13027       due to a temporary error condition. Specify "defer" to defer the remote
13028       SMTP client request immediately.  With  the  default  "defer_if_permit"
13029       action,  the Postfix SMTP server continues to look for opportunities to
13030       reject mail, and defers the client request only if it  would  otherwise
13031       be accepted.
13032
13033       This feature is available in Postfix 2.6 and later.
13034
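The four *_tempfail_action parameters above (unknown_address_tempfail_action, unknown_helo_hostname_tempfail_action, unverified_recipient_tempfail_action and unverified_sender_tempfail_action) describe one and the same choice. The Python below is an added example, not Postfix source: it walks a restriction list the way the descriptions say smtpd(8) does, and shows why "defer_if_permit" still lets a later reject (here a constructed reject_rbl_client hit) produce a hard reject, while "defer" stops at the first temporary error. The restriction functions, the client-record fields and the fall-through to permit at the end of the list are assumptions of the model.

```python
"""Model of how an smtpd(8) restriction list resolves a temporary lookup
failure under the two documented *_tempfail_action values.

Added illustration, not Postfix code.  The outcome names (permit, reject,
defer, defer_if_permit, dunno) follow the parameter descriptions; the
restriction functions, the client record fields and the final fallback
to "permit" when the list is exhausted are assumptions of this model.
"""

PERMIT, REJECT, DEFER, DUNNO, TEMPFAIL = "permit", "reject", "defer", "dunno", "tempfail"
DEFER_IF_PERMIT = "defer_if_permit"


def evaluate(restrictions, client, tempfail_action=DEFER_IF_PERMIT):
    """Walk `restrictions` in order and return the final action.

    Each restriction is a callable taking the client record and returning
    PERMIT, REJECT, DUNNO or TEMPFAIL (its lookup hit a temporary error).
    `tempfail_action` is the value of the relevant *_tempfail_action
    parameter, either DEFER or DEFER_IF_PERMIT.
    """
    if tempfail_action not in (DEFER, DEFER_IF_PERMIT):
        raise ValueError(f"unsupported tempfail action {tempfail_action!r}")
    pending_defer = False
    for restriction in restrictions:
        outcome = restriction(client)
        if outcome == TEMPFAIL:
            if tempfail_action == DEFER:
                return DEFER            # defer at once; nothing else runs
            pending_defer = True        # keep looking for a hard reject
        elif outcome == REJECT:
            return REJECT               # a later reject outranks the pending defer
        elif outcome == PERMIT:
            return DEFER if pending_defer else PERMIT
        # DUNNO: no decision here, try the next restriction
    # Exhausted list: assumed to fall through to permit, as an smtpd
    # restriction list without a matching entry does.
    return DEFER if pending_defer else PERMIT


# Constructed stand-ins for three real restrictions.  Lookup results are
# read from the client record instead of DNS or an address probe.
def permit_mynetworks(client):
    return PERMIT if client.get("in_mynetworks") else DUNNO


def reject_unknown_sender_domain(client):
    dns = client.get("sender_domain_dns", "ok")
    return {"ok": DUNNO, "nxdomain": REJECT, "servfail": TEMPFAIL}[dns]


def reject_rbl_client(client):
    return REJECT if client.get("dnsbl_listed") else DUNNO


SENDER_RESTRICTIONS = [permit_mynetworks, reject_unknown_sender_domain, reject_rbl_client]


def decide(client, tempfail_action=DEFER_IF_PERMIT):
    """Outcome for one client under the constructed restriction list."""
    return evaluate(SENDER_RESTRICTIONS, client, tempfail_action)


if __name__ == "__main__":
    flaky = {"sender_domain_dns": "servfail", "dnsbl_listed": True}
    print(decide(flaky))          # reject: the DNSBL hit is still found
    print(decide(flaky, DEFER))   # defer: the list stops at the DNS error
```

The practical consequence is the one the descriptions hint at: with the default "defer_if_permit", a transient DNS failure on the sender domain does not shield a client that a later restriction would have rejected anyway; with "defer", it does, at the cost of one extra retry from the remote side.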

verp_delimiter_filter (default: -=+)

13036       The  characters  Postfix  accepts  as  VERP delimiter characters on the
13037       Postfix sendmail(1) command line and in SMTP commands.
13038
13039       This feature is available in Postfix 1.1 and later.
13040

virtual_alias_address_length_limit (default: 1000)

13042       The maximal length of an email address after virtual  alias  expansion.
13043       This  stops  virtual  aliasing  loops  that increase the address length
13044       exponentially.
13045
13046       This feature is available in Postfix 3.0 and later.
13047

virtual_alias_domains (default: $virtual_alias_maps)

13049       Postfix is final destination for the specified list  of  virtual  alias
13050       domains,  that  is,  domains  for  which  all  addresses are aliased to
13051       addresses in other local or remote domains. The SMTP  server  validates
13052       recipient  addresses  with $virtual_alias_maps and rejects non-existent
13053       recipients.  See  also  the  virtual  alias   domain   class   in   the
13054       ADDRESS_CLASS_README file.
13055
13056       This  feature  is available in Postfix 2.0 and later. The default value
13057       is backwards compatible with Postfix version 1.1.
13058
13059       The default value is $virtual_alias_maps  so  that  you  can  keep  all
13060       information about virtual alias domains in one place.  If you have many
13061       users, it is better to separate  information  that  changes  more  fre‐
13062       quently  (virtual  address  ->  local  or  remote address mapping) from
13063       information that changes less frequently (the list  of  virtual  domain
13064       names).
13065
13066       Specify  a  list  of host or domain names, "/file/name" or "type:table"
13067       patterns, separated by commas and/or whitespace. A "/file/name" pattern
13068       is  replaced  by  its  contents; a "type:table" lookup table is matched
13069       when a table entry matches  a  lookup  string  (the  lookup  result  is
13070       ignored).   Continue  long  lines by starting the next line with white‐
13071       space. Specify "!pattern" to exclude a host or  domain  name  from  the
13072       list.  The  form "!/file/name" is supported only in Postfix version 2.4
13073       and later.
13074
13075       See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
13076       ther information.
13077
13078       Example:
13079
13080       virtual_alias_domains = virtual1.tld virtual2.tld
13081

virtual_alias_expansion_limit (default: 1000)

13083       The  maximal  number of addresses that virtual alias expansion produces
13084       from each original recipient.
13085
13086       This feature is available in Postfix 2.1 and later.
13087

virtual_alias_maps (default: $virtual_maps)

13089       Optional lookup tables that alias specific mail addresses or domains to
13090       other local or remote addresses.  The table format and lookups are
13091       documented in virtual(5). For an overview of Postfix address manipulations
13092       see the ADDRESS_REWRITING_README document.
13093
13094       This  feature  is available in Postfix 2.0 and later. The default value
13095       is backwards compatible with Postfix version 1.1.
13096
13097       Specify zero or more "type:name" lookup tables, separated by whitespace
13098       or  comma. Tables will be searched in the specified order until a match
13099       is found.  Note: these lookups are recursive.
13100
13101       If you use this feature with indexed  files,  run  "postmap  /etc/post‐
13102       fix/virtual" after changing the file.
13103
13104       Examples:
13105
13106       virtual_alias_maps = dbm:/etc/postfix/virtual
13107       virtual_alias_maps = hash:/etc/postfix/virtual
13108

virtual_alias_recursion_limit (default: 1000)

13110       The  maximal  nesting  depth of virtual alias expansion.  Currently the
13111       recursion limit is applied only to the left  branch  of  the  expansion
13112       graph,  so the depth of the tree can in the worst case reach the sum of
13113       the expansion and recursion limits.  This may change in the future.
13114
13115       This feature is available in Postfix 2.1 and later.
13116
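virtual_alias_maps lookups are recursive, and the three limits virtual_alias_address_length_limit, virtual_alias_expansion_limit and virtual_alias_recursion_limit each bound a different way that recursion can run away. The Python below is an added example, not Postfix code: a simplified expander that enforces the three limits, run against constructed tables that trigger each one (an ordinary fan-out, a two-entry loop, a rewrite rule that doubles the local part, and a tree that produces 2**n addresses). Depth is counted on every branch here, which the recursion-limit text notes differs from the real resolver; the table contents and the helper names are chosen for this example.

```python
"""Model of recursive virtual alias expansion and the three limits that
bound it: virtual_alias_expansion_limit (addresses produced per original
recipient), virtual_alias_recursion_limit (nesting depth) and
virtual_alias_address_length_limit (length of any produced address).

Added illustration, not Postfix code.  The tables below are constructed,
and the depth accounting is simplified (the text notes that Postfix
counts depth only on the left branch of the expansion graph).
"""


class ExpansionError(Exception):
    """A limit was exceeded; Postfix would defer delivery of the message."""


def expand(address, lookup, expansion_limit=1000, recursion_limit=1000,
           address_length_limit=1000):
    """Return the final addresses for `address`.

    `lookup(addr)` returns a list of replacement addresses, or None when
    `addr` is not an alias; a dict's .get method works as a fixed table.
    """
    final = []
    produced = 0

    def visit(addr, depth):
        nonlocal produced
        if len(addr) > address_length_limit:
            raise ExpansionError(f"address of {len(addr)} chars exceeds "
                                 "virtual_alias_address_length_limit")
        if depth > recursion_limit:
            raise ExpansionError("nesting exceeds virtual_alias_recursion_limit")
        targets = lookup(addr)
        if targets is None:
            final.append(addr)          # not an alias: final destination
            return
        for target in targets:
            produced += 1
            if produced > expansion_limit:
                raise ExpansionError("virtual_alias_expansion_limit exceeded")
            visit(target, depth + 1)

    visit(address, 0)
    return final


def try_expand(address, lookup, **limits):
    """Return ("ok", addresses) or ("deferred", reason) without raising."""
    try:
        return "ok", expand(address, lookup, **limits)
    except ExpansionError as exc:
        return "deferred", str(exc)


# Constructed table: an ordinary two-level fan-out plus a two-entry loop.
TABLE = {
    "team@example.com": ["alice@example.com", "bob@example.com", "ops@example.com"],
    "ops@example.com": ["carol@example.com", "dave@example.com"],
    "ping@example.com": ["pong@example.com"],
    "pong@example.com": ["ping@example.com"],
}


def doubling_rewrite(addr):
    """Stand-in for a regexp: entry that rewrites every address to one with
    a longer local part, so the address length doubles with each level."""
    local, _, domain = addr.partition("@")
    return [f"{local}{local}@{domain}"]


def expansion_bomb(levels):
    """Constructed table in which every alias expands to two copies of the
    next level, so one recipient yields 2**levels final addresses."""
    return {f"l{i}@example.com": [f"l{i + 1}@example.com"] * 2
            for i in range(levels)}


if __name__ == "__main__":
    print(try_expand("team@example.com", TABLE.get))
    print(try_expand("ping@example.com", TABLE.get, recursion_limit=50))
    print(try_expand("ab@example.com", doubling_rewrite, address_length_limit=64))
    print(try_expand("l0@example.com", expansion_bomb(5).get, expansion_limit=16))
```

Each constructed table hits a different limit: the loop is caught by the recursion limit, the doubling rule by the address length limit, and the 2**n tree by the expansion limit. The defaults of 1000 are generous for real alias tables, so a deferral citing one of them almost always points at a table error rather than at the limit being too low.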

virtual_delivery_status_filter (default: $default_delivery_status_filter)

13118       Optional filter for the virtual(8) delivery agent to change the  deliv‐
13119       ery  status  code  or  explanatory  text  of successful or unsuccessful
13120       deliveries.  See default_delivery_status_filter for details.
13121
13122       This feature is available in Postfix 3.0 and later.
13123

virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)

13126       The  maximal  number of parallel deliveries to the same destination via
13127       the virtual message delivery transport. This limit is enforced  by  the
13128       queue  manager.  The message delivery transport name is the first field
13129       in the entry in the master.cf file.
13130

virtual_destination_recipient_limit (default: $default_destination_recipient_limit)

13133       The  maximal  number  of recipients per message for the virtual message
13134       delivery transport. This limit is enforced by the  queue  manager.  The
13135       message  delivery transport name is the first field in the entry in the
13136       master.cf file.
13137
13138       Setting this parameter to a value of 1  changes  the  meaning  of  vir‐
13139       tual_destination_concurrency_limit  from  concurrency  per  domain into
13140       concurrency per recipient.
13141

virtual_gid_maps (default: empty)

13143       Lookup tables with the per-recipient group ID  for  virtual(8)  mailbox
13144       delivery.
13145
13146       This  parameter  is specific to the virtual(8) delivery agent.  It does
13147       not apply when mail is delivered with a different  mail  delivery  pro‐
13148       gram.
13149
13150       Specify zero or more "type:name" lookup tables, separated by whitespace
13151       or comma. Tables will be searched in the specified order until a  match
13152       is found.
13153
13154       In  a  lookup table, specify a left-hand side of "@domain.tld" to match
13155       any user in  the  specified  domain  that  does  not  have  a  specific
13156       "user@domain.tld" entry.
13157
13158       When   a   recipient   address   has   an  optional  address  extension
13159       (user+foo@domain.tld), the virtual(8) delivery agent looks up the  full
13160       address  first,  and  when the lookup fails, it looks up the unextended
13161       address (user@domain.tld).
13162
13163       Note 1: for security reasons, the virtual(8) delivery  agent  disallows
13164       regular expression substitution of $1 etc. in regular expression lookup
13165       tables, because that would open a security hole.
13166
13167       Note 2: for  security  reasons,  the  virtual(8)  delivery  agent  will
13168       silently ignore requests to use the proxymap(8) server. Instead it will
13169       open the table directly. Before Postfix  version  2.2,  the  virtual(8)
13170       delivery agent will terminate with a fatal error.
13171

virtual_mailbox_base (default: empty)

13173       A  prefix  that  the virtual(8) delivery agent prepends to all pathname
13174       results from $virtual_mailbox_maps table lookups.   This  is  a  safety
13175       measure  to  ensure  that an out of control map doesn't litter the file
13176       system with mailboxes.  While virtual_mailbox_base could be set to "/",
13177       this setting isn't recommended.
13178
13179       This  parameter  is specific to the virtual(8) delivery agent.  It does
13180       not apply when mail is delivered with a different  mail  delivery  pro‐
13181       gram.
13182
13183       Example:
13184
13185       virtual_mailbox_base = /var/mail
13186

virtual_mailbox_domains (default: $virtual_mailbox_maps)

13188       Postfix is final destination for the specified list of domains; mail is
13189       delivered via  the  $virtual_transport  mail  delivery  transport.   By
13190       default this is the Postfix virtual(8) delivery agent.  The SMTP server
13191       validates recipient addresses with  $virtual_mailbox_maps  and  rejects
13192       mail  for non-existent recipients.  See also the virtual mailbox domain
13193       class in the ADDRESS_CLASS_README file.
13194
13195       This parameter expects the same syntax as the mydestination  configura‐
13196       tion parameter.
13197
13198       This  feature  is available in Postfix 2.0 and later. The default value
13199       is backwards compatible with Postfix version 1.1.
13200

virtual_mailbox_limit (default: 51200000)

13202       The maximal size in  bytes  of  an  individual  virtual(8)  mailbox  or
13203       maildir file, or zero (no limit).
13204
13205       This  parameter  is specific to the virtual(8) delivery agent.  It does
13206       not apply when mail is delivered with a different  mail  delivery  pro‐
13207       gram.
13208

virtual_mailbox_lock (default: see postconf -d output)

13210       How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
13211       For a list of available file locking methods,  use  the  "postconf  -l"
13212       command.
13213
13214       This  parameter  is specific to the virtual(8) delivery agent.  It does
13215       not apply when mail is delivered with a different  mail  delivery  pro‐
13216       gram.
13217
13218       This  setting  is  ignored  with  maildir  style delivery, because such
13219       deliveries are safe without application-level locks.
13220
13221       Note 1: the dotlock method requires that the recipient UID or  GID  has
13222       write access to the parent directory of the recipient's mailbox file.
13223
13224       Note 2: the default setting of this parameter is system dependent.
13225

virtual_mailbox_maps (default: empty)

13227       Optional  lookup  tables  with  all valid addresses in the domains that
13228       match $virtual_mailbox_domains.
13229
13230       Specify zero or more "type:name" lookup tables, separated by whitespace
13231       or  comma. Tables will be searched in the specified order until a match
13232       is found.
13233
13234       In a lookup table, specify a left-hand side of "@domain.tld"  to  match
13235       any  user  in  the  specified  domain  that  does  not  have a specific
13236       "user@domain.tld" entry.
13237
13238       The remainder of this text  is  specific  to  the  virtual(8)  delivery
13239       agent.   It does not apply when mail is delivered with a different mail
13240       delivery program.
13241
13242       The virtual(8) delivery agent uses this table to look up the per-recip‐
13243       ient mailbox or maildir pathname.  If the lookup result ends in a slash
13244       ("/"), maildir-style delivery is carried out,  otherwise  the  path  is
13245       assumed to specify a UNIX-style mailbox file.  Note that $virtual_mail‐
13246       box_base is unconditionally prepended to this path.
13247
13248       When  a  recipient  address   has   an   optional   address   extension
13249       (user+foo@domain.tld),  the virtual(8) delivery agent looks up the full
13250       address first, and when the lookup fails, it looks  up  the  unextended
13251       address (user@domain.tld).
13252
13253       Note  1:  for security reasons, the virtual(8) delivery agent disallows
13254       regular expression substitution of $1 etc. in regular expression lookup
13255       tables, because that would open a security hole.
13256
13257       Note  2:  for  security  reasons,  the  virtual(8)  delivery agent will
13258       silently ignore requests to use the proxymap(8) server. Instead it will
13259       open  the  table  directly.  Before Postfix version 2.2, the virtual(8)
13260       delivery agent will terminate with a fatal error.
13261

virtual_maps (default: empty)

13263       Optional lookup tables with a) names of domains for which all addresses
13264       are  aliased  to  addresses  in  other  local or remote domains, and b)
13265       addresses that are aliased  to  addresses  in  other  local  or  remote
13266       domains.   Available  before  Postfix version 2.0. With Postfix version
13267       2.0  and  later,  this  is  replaced   by   separate   controls:   vir‐
13268       tual_alias_domains and virtual_alias_maps.
13269

virtual_minimum_uid (default: 100)

13271       The minimum user ID value that the virtual(8) delivery agent accepts as
13272       a result from $virtual_uid_maps table  lookup.   Returned  values  less
13273       than this will be rejected, and the message will be deferred.
13274
13275       This  parameter  is specific to the virtual(8) delivery agent.  It does
13276       not apply when mail is delivered with a different  mail  delivery  pro‐
13277       gram.
13278

virtual_transport (default: virtual)

13280       The  default mail delivery transport and next-hop destination for final
13281       delivery to domains listed with $virtual_mailbox_domains.  This  infor‐
13282       mation can be overruled with the transport(5) table.
13283
13284       Specify  a string of the form transport:nexthop, where transport is the
13285       name of a mail delivery transport defined in master.cf.   The  :nexthop
13286       destination is optional; its syntax is documented in the manual page of
13287       the corresponding delivery agent.
13288
13289       This feature is available in Postfix 2.0 and later.
13290

virtual_uid_maps (default: empty)

13292       Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
13293       ery agent uses while writing to the recipient's mailbox.
13294
13295       This  parameter  is specific to the virtual(8) delivery agent.  It does
13296       not apply when mail is delivered with a different  mail  delivery  pro‐
13297       gram.
13298
13299       Specify zero or more "type:name" lookup tables, separated by whitespace
13300       or comma. Tables will be searched in the specified order until a  match
13301       is found.
13302
13303       In  a  lookup table, specify a left-hand side of "@domain.tld" to match
13304       any user in  the  specified  domain  that  does  not  have  a  specific
13305       "user@domain.tld" entry.
13306
13307       When   a   recipient   address   has   an  optional  address  extension
13308       (user+foo@domain.tld), the virtual(8) delivery agent looks up the  full
13309       address  first,  and  when the lookup fails, it looks up the unextended
13310       address (user@domain.tld).
13311
13312       Note 1: for security reasons, the virtual(8) delivery  agent  disallows
13313       regular expression substitution of $1 etc. in regular expression lookup
13314       tables, because that would open a security hole.
13315
13316       Note 2: for  security  reasons,  the  virtual(8)  delivery  agent  will
13317       silently ignore requests to use the proxymap(8) server. Instead it will
13318       open the table directly. Before Postfix  version  2.2,  the  virtual(8)
13319       delivery agent will terminate with a fatal error.
13320
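The virtual(8) descriptions above (virtual_mailbox_maps, virtual_mailbox_base, virtual_uid_maps, virtual_gid_maps and virtual_minimum_uid) together spell out a resolution procedure: the lookup order for addresses with a +extension, the unconditional base prefix, maildir detection by a trailing slash, and the uid floor that turns a bad table entry into a deferral instead of a write as a privileged user. The Python below is an added model of that procedure, not Postfix code; the tables, the recipient addresses and the names resolve, Delivery, UnknownUser and DeferDelivery are constructed for the example, and the handling of a recipient with no mailbox entry is an assumption.

```python
"""Model of how the virtual(8) delivery agent turns a recipient into a
mailbox location and owner, following the virtual_mailbox_maps,
virtual_mailbox_base, virtual_uid_maps, virtual_gid_maps and
virtual_minimum_uid descriptions.

Added illustration, not Postfix code.  The tables and recipients are
constructed; `resolve`, `Delivery` and the exception names are chosen
for this example.  Treatment of a recipient with no mailbox entry is an
assumption (modelled as a permanent "unknown user" failure).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Delivery:
    path: str       # always below virtual_mailbox_base
    maildir: bool   # True when the map result ended in "/"
    uid: int
    gid: int


class UnknownUser(Exception):
    """No virtual_mailbox_maps entry; virtual(8) cannot deliver."""


class DeferDelivery(Exception):
    """virtual(8) would defer the message (for example, uid too low)."""


def lookup(table, recipient):
    """Documented search order: the full address, then the address without
    its +extension, then the "@domain.tld" wildcard."""
    local, _, domain = recipient.partition("@")
    keys = [recipient]
    if "+" in local:
        keys.append(f"{local.split('+', 1)[0]}@{domain}")
    keys.append(f"@{domain}")
    for key in keys:
        if key in table:
            return table[key]
    return None


def resolve(recipient, mailbox_maps, uid_maps, gid_maps,
            mailbox_base="/var/mail", minimum_uid=100):
    """Resolve one recipient the way the parameter descriptions lay out."""
    rel = lookup(mailbox_maps, recipient)
    if rel is None:
        raise UnknownUser(recipient)
    uid = lookup(uid_maps, recipient)
    gid = lookup(gid_maps, recipient)
    if uid is None or gid is None:
        raise DeferDelivery(f"no uid/gid for {recipient}")
    if uid < minimum_uid:
        # virtual_minimum_uid: a map result below this is rejected and the
        # message deferred, so a bad table cannot make virtual(8) write as root.
        raise DeferDelivery(f"uid {uid} is below virtual_minimum_uid={minimum_uid}")
    # virtual_mailbox_base is prepended unconditionally (plain concatenation),
    # so a map result such as "/etc/passwd" lands at /var/mail//etc/passwd
    # rather than at an absolute path.  Nothing here strips ".." components;
    # the map is trusted configuration, and the base is a guard against a
    # runaway map, not a sanitizer.
    path = f"{mailbox_base}/{rel}"
    return Delivery(path=path, maildir=rel.endswith("/"), uid=uid, gid=gid)


# Constructed tables standing in for hash:/etc/postfix/vmailbox and friends.
MAILBOX_MAPS = {
    "alice@example.com": "example.com/alice/",   # trailing "/": maildir
    "bob@example.com": "example.com/bob",        # no slash: mbox file
    "@example.com": "example.com/catchall/",     # domain wildcard
}
UID_MAPS = {"@example.com": 5000, "root@example.com": 0}
GID_MAPS = {"@example.com": 5000}


def deliver(recipient):
    """Resolve `recipient` against the constructed tables."""
    return resolve(recipient, MAILBOX_MAPS, UID_MAPS, GID_MAPS)


if __name__ == "__main__":
    print(deliver("alice+news@example.com"))   # extension stripped, maildir
    print(deliver("bob@example.com"))          # mbox under the base
    try:
        deliver("root@example.com")            # uid 0 from the table
    except DeferDelivery as exc:
        print("deferred:", exc)
```

The "root@example.com" case is the one worth keeping in mind when auditing a deployment: the mailbox lookup succeeds through the @domain wildcard, the uid table answers 0, and only virtual_minimum_uid stands between that table entry and a mailbox written with uid 0. Lowering virtual_minimum_uid below the first unprivileged uid on the system removes that check.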

SEE ALSO

13322       postconf(1), Postfix configuration parameter maintenance
13323       master(5), Postfix daemon configuration maintenance
13324

LICENSE

13326       The Secure Mailer license must be distributed with this software.
13327

AUTHOR(S)

13329       Wietse Venema
13330       IBM T.J. Watson Research
13331       P.O. Box 704
13332       Yorktown Heights, NY 10598, USA
13333
13334       Wietse Venema
13335       Google, Inc.
13336       111 8th Avenue
13337       New York, NY 10011, USA
13338
13339       Viktor Dukhovni
13340
13341
13342
13343                                                                   POSTCONF(5)