SMTP(8)                     System Manager's Manual                    SMTP(8)

NAME

       smtp - Postfix SMTP+LMTP client

SYNOPSIS

       smtp [generic Postfix daemon options] [flags=DORX]

DESCRIPTION

       The Postfix SMTP+LMTP client implements the SMTP and LMTP mail delivery
       protocols. It processes message delivery requests from the queue
       manager. Each request specifies a queue file, a sender address, a
       domain or host to deliver to, and recipient information. This program
       expects to be run from the master(8) process manager.

       The SMTP+LMTP client updates the queue file and marks recipients as
       finished, or it informs the queue manager that delivery should be tried
       again at a later time. Delivery status reports are sent to the
       bounce(8), defer(8) or trace(8) daemon as appropriate.

       The SMTP+LMTP client looks up a list of mail exchanger addresses for
       the destination host, sorts the list by preference, and connects to
       each listed address until it finds a server that responds.

       When a server is not reachable, or when mail delivery fails due to a
       recoverable error condition, the SMTP+LMTP client will try to deliver
       the mail to an alternate host.

       After a successful mail transaction, a connection may be saved to the
       scache(8) connection cache server, so that it may be used by any
       SMTP+LMTP client for a subsequent transaction.

       By default, connection caching is enabled temporarily for destinations
       that have a high volume of mail in the active queue. Connection caching
       can be enabled permanently for specific destinations.

SMTP DESTINATION SYNTAX

       The Postfix SMTP+LMTP client supports multiple destinations separated
       by comma or whitespace (Postfix 3.5 and later). SMTP destinations have
       the following form:

       domainname

       domainname:port
              Look up the mail exchangers for the specified domain, and
              connect to the specified port (default: smtp).

       [hostname]

       [hostname]:port
              Look up the address(es) of the specified host, and connect to
              the specified port (default: smtp).

       [address]

       [address]:port
              Connect to the host at the specified address, and connect to the
              specified port (default: smtp). An IPv6 address must be
              formatted as [ipv6:address].

LMTP DESTINATION SYNTAX

       The Postfix SMTP+LMTP client supports multiple destinations separated
       by comma or whitespace (Postfix 3.5 and later). LMTP destinations have
       the following form:

       unix:pathname
              Connect to the local UNIX-domain server that is bound to the
              specified pathname. If the process runs chrooted, an absolute
              pathname is interpreted relative to the Postfix queue directory.

       inet:hostname

       inet:hostname:port

       inet:[address]

       inet:[address]:port
              Connect to the specified TCP port on the specified local or
              remote host. If no port is specified, connect to the port
              defined as lmtp in services(4). If no such service is found, the
              lmtp_tcp_port configuration parameter (default value of 24) will
              be used. An IPv6 address must be formatted as [ipv6:address].

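       The SMTP and LMTP destination forms above, as a parser that shows which
       forms trigger an MX lookup, which only an address lookup, and which
       none. This is an added example, not Postfix code: the Destination type
       and the parse_smtp_nexthop/parse_lmtp_nexthop names are hypothetical,
       and ports are checked for syntax only.

```python
"""Added illustration: classify smtp(8) nexthop destinations by lookup type."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

_PORT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


@dataclass(frozen=True)
class Destination:          # hypothetical type, not a Postfix structure
    kind: str               # "mx", "host", "address" or "unix"
    target: str             # domain, hostname, IP address or socket path
    port: Optional[str]     # None: use the default (smtp, or lmtp for LMTP)


def _split(nexthop: str) -> List[str]:
    # Postfix 3.5 and later: destinations are separated by comma or whitespace.
    return [d for d in re.split(r"[,\s]+", nexthop.strip()) if d]


def _port(text: str) -> str:
    # A port is a service name or a number; reject anything else.
    if not _PORT_RE.match(text):
        raise ValueError(f"bad port: {text!r}")
    if text.isdigit() and not 0 < int(text) < 65536:
        raise ValueError(f"port out of range: {text!r}")
    return text


def _parse_inet(spec: str, bare_kind: str) -> Destination:
    if spec.startswith("["):
        end = spec.find("]")
        if end < 2:
            raise ValueError(f"empty or unterminated brackets: {spec!r}")
        inner, rest = spec[1:end], spec[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError(f"unexpected text after ']': {spec!r}")
        port = _port(rest[1:]) if rest else None
        if inner.lower().startswith("ipv6:"):
            # IPv6 literals are written [ipv6:address]; invalid ones raise.
            addr = ipaddress.IPv6Address(inner[5:])
            return Destination("address", str(addr), port)
        try:
            return Destination("address", str(ipaddress.IPv4Address(inner)), port)
        except ValueError:
            # [hostname]: address lookup only, no MX lookup.
            return Destination("host", inner, port)
    name, sep, port = spec.partition(":")
    if not name:
        raise ValueError(f"missing name: {spec!r}")
    # An unbracketed IPv6 literal fails here: its tail is not a valid port.
    return Destination(bare_kind, name, _port(port) if sep else None)


def parse_smtp_nexthop(nexthop: str) -> List[Destination]:
    # A bare domainname means "look up the mail exchangers".
    return [_parse_inet(d, "mx") for d in _split(nexthop)]


def parse_lmtp_nexthop(nexthop: str) -> List[Destination]:
    out = []
    for d in _split(nexthop):
        if d.startswith("unix:"):
            if not d[5:]:
                raise ValueError("unix: destination without a pathname")
            out.append(Destination("unix", d[5:], None))
        elif d.startswith("inet:"):
            # inet:hostname names a host to connect to, not an MX domain.
            out.append(_parse_inet(d[5:], "host"))
        else:
            raise ValueError(f"LMTP destination needs unix: or inet:, got {d!r}")
    return out


if __name__ == "__main__":
    # Constructed sample destinations.
    for dest in parse_smtp_nexthop("example.com, [mail.example.net]:587"):
        print(dest)
    for dest in parse_lmtp_nexthop("unix:private/lmtp inet:[127.0.0.1]:24"):
        print(dest)
```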

SINGLE-RECIPIENT DELIVERY

       By default, the Postfix SMTP+LMTP client delivers mail to multiple
       recipients per delivery request. This is undesirable when prepending a
       Delivered-to: or X-Original-To: message header. To prevent Postfix from
       sending multiple recipients per delivery request, specify

           transport_destination_recipient_limit = 1

       in the Postfix main.cf file, where transport is the name in the first
       column of the Postfix master.cf entry for this mail delivery service.

COMMAND ATTRIBUTE SYNTAX

       flags=DORX (optional)
              Optional message processing flags.

              D      Prepend a "Delivered-To: recipient" message header with
                     the envelope recipient address. Note: for this to work,
                     the transport_destination_recipient_limit must be 1 (see
                     SINGLE-RECIPIENT DELIVERY above for details).

                     The D flag also enforces loop detection: if a message
                     already contains a Delivered-To: header with the same
                     recipient address, then the message is returned as
                     undeliverable. The address comparison is case insensitive.

                     This feature is available as of Postfix 3.5.

              O      Prepend an "X-Original-To: recipient" message header with
                     the recipient address as given to Postfix. Note: for this
                     to work, the transport_destination_recipient_limit must
                     be 1 (see SINGLE-RECIPIENT DELIVERY above for details).

                     This feature is available as of Postfix 3.5.

              R      Prepend a "Return-Path: <sender>" message header with the
                     envelope sender address.

                     This feature is available as of Postfix 3.5.

              X      Indicates that the delivery is final. This flag affects
                     the status reported in "success" DSN (delivery status
                     notification) messages, and changes it from "relayed" into
                     "delivered".

                     This feature is available as of Postfix 3.5.

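       A model of the D flag's loop detection described above, run over a
       constructed forwarding loop to show where the bounce happens. This is
       an added example, not Postfix's implementation: the function names,
       the forwarding map and the sample message are constructed for
       illustration.

```python
"""Added illustration: Delivered-To: loop detection as described for flags=D."""
from email import message_from_string
from typing import Dict, Tuple


class MailLoopError(Exception):
    """Raised when the recipient already appears in a Delivered-To: header."""


def deliver_with_d_flag(raw_message: str, recipient: str) -> str:
    """Return the message with Delivered-To: prepended, or raise on a loop.

    One header names one recipient, which is why the delivery request must
    carry a single recipient (transport_destination_recipient_limit = 1).
    """
    wanted = recipient.strip().lower()        # comparison is case insensitive
    headers = message_from_string(raw_message)
    for value in headers.get_all("Delivered-To", []):
        if value.strip().lower() == wanted:
            raise MailLoopError(f"mail loop for {recipient}")
    return f"Delivered-To: {recipient}\n" + raw_message


def simulate_forwarding(raw_message: str, first_recipient: str,
                        forwards: Dict[str, str],
                        max_hops: int = 10) -> Tuple[int, str]:
    """Follow a forwarding map; return (successful deliveries, outcome)."""
    recipient, message = first_recipient, raw_message
    for hop in range(max_hops):
        try:
            message = deliver_with_d_flag(message, recipient)
        except MailLoopError:
            return hop, "bounced: mail loop"
        next_recipient = forwards.get(recipient.lower())
        if next_recipient is None:
            return hop + 1, "delivered"
        recipient = next_recipient
    return max_hops, "hop limit reached"


# Constructed sample message and forwarding maps (keys are lower case).
SAMPLE = (
    "From: sender@example.org\n"
    "To: alice@example.com\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)
LOOP = {
    "alice@example.com": "bob@example.net",
    "bob@example.net": "Alice@Example.COM",   # forwards back, different case
}
NO_LOOP = {"alice@example.com": "carol@example.org"}

if __name__ == "__main__":
    print(simulate_forwarding(SAMPLE, "alice@example.com", LOOP))
    print(simulate_forwarding(SAMPLE, "alice@example.com", NO_LOOP))
```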

SECURITY

       The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP
       or LMTP servers and to DNS servers on the network. The SMTP+LMTP client
       can be run chrooted at fixed low privilege.

STANDARDS

       RFC 821 (SMTP protocol)
       RFC 822 (ARPA Internet Text Messages)
       RFC 1651 (SMTP service extensions)
       RFC 1652 (8bit-MIME transport)
       RFC 1870 (Message Size Declaration)
       RFC 2033 (LMTP protocol)
       RFC 2034 (SMTP Enhanced Error Codes)
       RFC 2045 (MIME: Format of Internet Message Bodies)
       RFC 2046 (MIME: Media Types)
       RFC 2554 (AUTH command)
       RFC 2821 (SMTP protocol)
       RFC 2920 (SMTP Pipelining)
       RFC 3207 (STARTTLS command)
       RFC 3461 (SMTP DSN Extension)
       RFC 3463 (Enhanced Status Codes)
       RFC 4954 (AUTH command)
       RFC 5321 (SMTP protocol)
       RFC 6531 (Internationalized SMTP)
       RFC 6533 (Internationalized Delivery Status Notifications)
       RFC 7672 (SMTP security via opportunistic DANE TLS)

DIAGNOSTICS

       Problems and transactions are logged to syslogd(8) or postlogd(8).
       Corrupted message files are marked so that the queue manager can move
       them to the corrupt queue for further inspection.

       Depending on the setting of the notify_classes parameter, the
       postmaster is notified of bounces, protocol problems, and of other
       trouble.

BUGS

       SMTP and LMTP connection reuse for TLS (without closing the SMTP or
       LMTP connection) is not supported before Postfix 3.4.

       SMTP and LMTP connection reuse assumes that SASL credentials are valid
       for all destinations that map onto the same IP address and TCP port.

CONFIGURATION PARAMETERS

       Before Postfix version 2.3, the LMTP client is a separate program that
       implements only a subset of the functionality available with SMTP:
       there is no support for TLS, and connections are cached in-process,
       making it ineffective when the client is used for multiple domains.

       Most smtp_xxx configuration parameters have an lmtp_xxx "mirror"
       parameter for the equivalent LMTP feature. This document describes only
       those LMTP-related parameters that aren't simply "mirror" parameters.

       Changes to main.cf are picked up automatically, as smtp(8) processes
       run for only a limited amount of time. Use the command "postfix reload"
       to speed up a change.

       The text below provides only a parameter summary. See postconf(5) for
       more details including examples.

COMPATIBILITY CONTROLS

       ignore_mx_lookup_error (no)
              Ignore DNS MX lookups that produce no response.

       smtp_always_send_ehlo (yes)
              Always send EHLO at the start of an SMTP session.

       smtp_never_send_ehlo (no)
              Never send EHLO at the start of an SMTP session.

       smtp_defer_if_no_mx_address_found (no)
              Defer mail delivery when no MX record resolves to an IP address.

       smtp_line_length_limit (998)
              The maximal length of message header and body lines that Postfix
              will send via SMTP.

       smtp_pix_workaround_delay_time (10s)
              How long the Postfix SMTP client pauses before sending
              ".<CR><LF>" in order to work around the PIX firewall
              "<CR><LF>.<CR><LF>" bug.

       smtp_pix_workaround_threshold_time (500s)
              How long a message must be queued before the Postfix SMTP client
              turns on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for
              delivery through firewalls with "smtp fixup" mode turned on.

       smtp_pix_workarounds (disable_esmtp, delay_dotcrlf)
              A list that specifies zero or more workarounds for CISCO PIX
              firewall bugs.

       smtp_pix_workaround_maps (empty)
              Lookup tables, indexed by the remote SMTP server address, with
              per-destination workarounds for CISCO PIX firewall bugs.

       smtp_quote_rfc821_envelope (yes)
              Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO
              commands as required by RFC 5321.

       smtp_reply_filter (empty)
              A mechanism to transform replies from remote SMTP servers one
              line at a time.

       smtp_skip_5xx_greeting (yes)
              Skip remote SMTP servers that greet with a 5XX status code.

       smtp_skip_quit_response (yes)
              Do not wait for the response to the SMTP QUIT command.

       Available in Postfix version 2.0 and earlier:

       smtp_skip_4xx_greeting (yes)
              Skip SMTP servers that greet with a 4XX status code (go away,
              try again later).

       Available in Postfix version 2.2 and later:

       smtp_discard_ehlo_keyword_address_maps (empty)
              Lookup tables, indexed by the remote SMTP server address, with
              case insensitive lists of EHLO keywords (pipelining, starttls,
              auth, etc.) that the Postfix SMTP client will ignore in the EHLO
              response from a remote SMTP server.

       smtp_discard_ehlo_keywords (empty)
              A case insensitive list of EHLO keywords (pipelining, starttls,
              auth, etc.) that the Postfix SMTP client will ignore in the EHLO
              response from a remote SMTP server.

       smtp_generic_maps (empty)
              Optional lookup tables that perform address rewriting in the
              Postfix SMTP client, typically to transform a locally valid
              address into a globally valid address when sending mail across
              the Internet.

       Available in Postfix version 2.2.9 and later:

       smtp_cname_overrides_servername (version dependent)
              When the remote SMTP servername is a DNS CNAME, replace the
              servername with the result from CNAME expansion for the purpose
              of logging, SASL password lookup, TLS policy decisions, or TLS
              certificate verification.

       Available in Postfix version 2.3 and later:

       lmtp_discard_lhlo_keyword_address_maps (empty)
              Lookup tables, indexed by the remote LMTP server address, with
              case insensitive lists of LHLO keywords (pipelining, starttls,
              auth, etc.) that the Postfix LMTP client will ignore in the LHLO
              response from a remote LMTP server.

       lmtp_discard_lhlo_keywords (empty)
              A case insensitive list of LHLO keywords (pipelining, starttls,
              auth, etc.) that the Postfix LMTP client will ignore in the LHLO
              response from a remote LMTP server.

       Available in Postfix version 2.4.4 and later:

       send_cyrus_sasl_authzid (no)
              When authenticating to a remote SMTP or LMTP server with the
              default setting "no", send no SASL authoriZation ID (authzid);
              send only the SASL authentiCation ID (authcid) plus the
              authcid's password.

       Available in Postfix version 2.5 and later:

       smtp_header_checks (empty)
              Restricted header_checks(5) tables for the Postfix SMTP client.

       smtp_mime_header_checks (empty)
              Restricted mime_header_checks(5) tables for the Postfix SMTP
              client.

       smtp_nested_header_checks (empty)
              Restricted nested_header_checks(5) tables for the Postfix SMTP
              client.

       smtp_body_checks (empty)
              Restricted body_checks(5) tables for the Postfix SMTP client.

       Available in Postfix version 2.6 and later:

       tcp_windowsize (0)
              An optional workaround for routers that break TCP window
              scaling.

       Available in Postfix version 2.8 and later:

       smtp_dns_resolver_options (empty)
              DNS Resolver options for the Postfix SMTP client.

       Available in Postfix version 2.9 and later:

       smtp_per_record_deadline (no)
              Change the behavior of the smtp_*_timeout time limits, from a
              time limit per read or write system call, to a time limit to
              send or receive a complete record (an SMTP command line, SMTP
              response line, SMTP message content line, or TLS protocol
              message).

       smtp_send_dummy_mail_auth (no)
              Whether or not to append the "AUTH=<>" option to the MAIL FROM
              command in SASL-authenticated SMTP sessions.

       Available in Postfix version 2.11 and later:

       smtp_dns_support_level (empty)
              Level of DNS support in the Postfix SMTP client.

       Available in Postfix version 3.0 and later:

       smtp_delivery_status_filter ($default_delivery_status_filter)
              Optional filter for the smtp(8) delivery agent to change the
              delivery status code or explanatory text of successful or
              unsuccessful deliveries.

       smtp_dns_reply_filter (empty)
              Optional filter for Postfix SMTP client DNS lookup results.

       Available in Postfix version 3.3 and later:

       smtp_balance_inet_protocols (yes)
              When a remote destination resolves to a combination of IPv4 and
              IPv6 addresses, ensure that the Postfix SMTP client can try both
              address types before it runs into the smtp_mx_address_limit.

       Available in Postfix 3.5 and later:

       info_log_address_format (external)
              The email address form that will be used in non-debug logging
              (info, warning, etc.).

       Available in Postfix 3.6 and later:

       dnssec_probe (ns:.)
              The DNS query type (default: "ns") and DNS query name (default:
              ".") that Postfix may use to determine whether DNSSEC validation
              is available.

       known_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submission=587)
              Optional setting that avoids lookups in the services(5)
              database.

MIME PROCESSING CONTROLS

       Available in Postfix version 2.0 and later:

       disable_mime_output_conversion (no)
              Disable the conversion of 8BITMIME format to 7BIT format.

       mime_boundary_length_limit (2048)
              The maximal length of MIME multipart boundary strings.

       mime_nesting_limit (100)
              The maximal recursion level that the MIME processor will handle.

EXTERNAL CONTENT INSPECTION CONTROLS

       Available in Postfix version 2.1 and later:

       smtp_send_xforward_command (no)
              Send the non-standard XFORWARD command when the Postfix SMTP
              server EHLO response announces XFORWARD support.

SASL AUTHENTICATION CONTROLS

       smtp_sasl_auth_enable (no)
              Enable SASL authentication in the Postfix SMTP client.

       smtp_sasl_password_maps (empty)
              Optional Postfix SMTP client lookup tables with one
              username:password entry per sender, remote hostname or next-hop
              domain.

       smtp_sasl_security_options (noplaintext, noanonymous)
              Postfix SMTP client SASL security options; as of Postfix 2.3 the
              list of available features depends on the SASL client
              implementation that is selected with smtp_sasl_type.

       Available in Postfix version 2.2 and later:

       smtp_sasl_mechanism_filter (empty)
              If non-empty, a Postfix SMTP client filter for the remote SMTP
              server's list of offered SASL mechanisms.

       Available in Postfix version 2.3 and later:

       smtp_sender_dependent_authentication (no)
              Enable sender-dependent authentication in the Postfix SMTP
              client; this is available only with SASL authentication, and
              disables SMTP connection caching to ensure that mail from
              different senders will use the appropriate credentials.

       smtp_sasl_path (empty)
              Implementation-specific information that the Postfix SMTP client
              passes through to the SASL plug-in implementation that is
              selected with smtp_sasl_type.

       smtp_sasl_type (cyrus)
              The SASL plug-in type that the Postfix SMTP client should use
              for authentication.

       Available in Postfix version 2.5 and later:

       smtp_sasl_auth_cache_name (empty)
              An optional table to prevent repeated SASL authentication
              failures with the same remote SMTP server hostname, username and
              password.

       smtp_sasl_auth_cache_time (90d)
              The maximal age of an smtp_sasl_auth_cache_name entry before it
              is removed.

       smtp_sasl_auth_soft_bounce (yes)
              When a remote SMTP server rejects a SASL authentication request
              with a 535 reply code, defer mail delivery instead of returning
              mail as undeliverable.

       Available in Postfix version 2.9 and later:

       smtp_send_dummy_mail_auth (no)
              Whether or not to append the "AUTH=<>" option to the MAIL FROM
              command in SASL-authenticated SMTP sessions.

STARTTLS SUPPORT CONTROLS

       Detailed information about STARTTLS configuration may be found in the
       TLS_README document.

       smtp_tls_security_level (empty)
              The default SMTP TLS security level for the Postfix SMTP client;
              when a non-empty value is specified, this overrides the obsolete
              parameters smtp_use_tls, smtp_enforce_tls, and
              smtp_tls_enforce_peername.

       smtp_sasl_tls_security_options ($smtp_sasl_security_options)
              The SASL authentication security options that the Postfix SMTP
              client uses for TLS encrypted SMTP sessions.

       smtp_starttls_timeout (300s)
              Time limit for Postfix SMTP client write and read operations
              during TLS startup and shutdown handshake procedures.

       smtp_tls_CAfile (empty)
              A file containing CA certificates of root CAs trusted to sign
              either remote SMTP server certificates or intermediate CA
              certificates.

       smtp_tls_CApath (empty)
              Directory with PEM format Certification Authority certificates
              that the Postfix SMTP client uses to verify a remote SMTP server
              certificate.

       smtp_tls_cert_file (empty)
              File with the Postfix SMTP client RSA certificate in PEM format.

       smtp_tls_mandatory_ciphers (medium)
              The minimum TLS cipher grade that the Postfix SMTP client will
              use with mandatory TLS encryption.

       smtp_tls_exclude_ciphers (empty)
              List of ciphers or cipher types to exclude from the Postfix SMTP
              client cipher list at all TLS security levels.

       smtp_tls_mandatory_exclude_ciphers (empty)
              Additional list of ciphers or cipher types to exclude from the
              Postfix SMTP client cipher list at mandatory TLS security
              levels.

       smtp_tls_dcert_file (empty)
              File with the Postfix SMTP client DSA certificate in PEM format.

       smtp_tls_dkey_file ($smtp_tls_dcert_file)
              File with the Postfix SMTP client DSA private key in PEM format.

       smtp_tls_key_file ($smtp_tls_cert_file)
              File with the Postfix SMTP client RSA private key in PEM format.

       smtp_tls_loglevel (0)
              Enable additional Postfix SMTP client logging of TLS activity.

       smtp_tls_note_starttls_offer (no)
              Log the hostname of a remote SMTP server that offers STARTTLS,
              when TLS is not already enabled for that server.

       smtp_tls_policy_maps (empty)
              Optional lookup tables with the Postfix SMTP client TLS security
              policy by next-hop destination; when a non-empty value is
              specified, this overrides the obsolete smtp_tls_per_site
              parameter.

       smtp_tls_mandatory_protocols (see 'postconf -d' output)
              TLS protocols that the Postfix SMTP client will use with
              mandatory TLS encryption.

       smtp_tls_scert_verifydepth (9)
              The verification depth for remote SMTP server certificates.

       smtp_tls_secure_cert_match (nexthop, dot-nexthop)
              How the Postfix SMTP client verifies the server certificate
              peername for the "secure" TLS security level.

       smtp_tls_session_cache_database (empty)
              Name of the file containing the optional Postfix SMTP client TLS
              session cache.

       smtp_tls_session_cache_timeout (3600s)
              The expiration time of Postfix SMTP client TLS session cache
              information.

       smtp_tls_verify_cert_match (hostname)
              How the Postfix SMTP client verifies the server certificate
              peername for the "verify" TLS security level.

       tls_daemon_random_bytes (32)
              The number of pseudo-random bytes that an smtp(8) or smtpd(8)
              process requests from the tlsmgr(8) server in order to seed its
              internal pseudo random number generator (PRNG).

       tls_high_cipherlist (see 'postconf -d' output)
              The OpenSSL cipherlist for "high" grade ciphers.

       tls_medium_cipherlist (see 'postconf -d' output)
              The OpenSSL cipherlist for "medium" or higher grade ciphers.

       tls_low_cipherlist (see 'postconf -d' output)
              The OpenSSL cipherlist for "low" or higher grade ciphers.

       tls_export_cipherlist (see 'postconf -d' output)
              The OpenSSL cipherlist for "export" or higher grade ciphers.

       tls_null_cipherlist (eNULL:!aNULL)
              The OpenSSL cipherlist for "NULL" grade ciphers that provide
              authentication without encryption.

       Available in Postfix version 2.4 and later:

       smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options)
              The SASL authentication security options that the Postfix SMTP
              client uses for TLS encrypted SMTP sessions with a verified
              server certificate.

       Available in Postfix version 2.5 and later:

       smtp_tls_fingerprint_cert_match (empty)
              List of acceptable remote SMTP server certificate fingerprints
              for the "fingerprint" TLS security level
              (smtp_tls_security_level = fingerprint).

       smtp_tls_fingerprint_digest (see 'postconf -d' output)
              The message digest algorithm used to construct remote SMTP
              server certificate fingerprints.

       Available in Postfix version 2.6 and later:

       smtp_tls_protocols (see 'postconf -d' output)
              TLS protocols that the Postfix SMTP client will use with
              opportunistic TLS encryption.

       smtp_tls_ciphers (medium)
              The minimum TLS cipher grade that the Postfix SMTP client will
              use with opportunistic TLS encryption.

       smtp_tls_eccert_file (empty)
              File with the Postfix SMTP client ECDSA certificate in PEM
              format.

       smtp_tls_eckey_file ($smtp_tls_eccert_file)
              File with the Postfix SMTP client ECDSA private key in PEM
              format.

       Available in Postfix version 2.7 and later:

       smtp_tls_block_early_mail_reply (no)
              Try to detect a mail hijacking attack based on a TLS protocol
              vulnerability (CVE-2009-3555), where an attacker prepends
              malicious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP
              client TLS session.

       Available in Postfix version 2.8 and later:

       tls_disable_workarounds (see 'postconf -d' output)
              List or bit-mask of OpenSSL bug work-arounds to disable.

       Available in Postfix version 2.11-3.1:

       tls_dane_digest_agility (on)
              Configure RFC 7671 DANE TLSA digest algorithm agility.

       tls_dane_trust_anchor_digest_enable (yes)
              Enable support for RFC 6698 (DANE TLSA) DNS records that contain
              digests of trust-anchors with certificate usage "2".

       Available in Postfix version 2.11 and later:

       smtp_tls_trust_anchor_file (empty)
              Zero or more PEM-format files with trust-anchor certificates
              and/or public keys.

       smtp_tls_force_insecure_host_tlsa_lookup (no)
              Look up the associated DANE TLSA RRset even when a hostname is
              not an alias and its address records lie in an unsigned zone.

       tlsmgr_service_name (tlsmgr)
              The name of the tlsmgr(8) service entry in master.cf.

       Available in Postfix version 3.0 and later:

       smtp_tls_wrappermode (no)
              Request that the Postfix SMTP client connects using the legacy
              SMTPS protocol instead of using the STARTTLS command.

       Available in Postfix version 3.1 and later:

       smtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)
              The TLS policy for MX hosts with "secure" TLSA records when the
              nexthop destination security level is dane, but the MX record
              was found via an "insecure" MX lookup.

       Available in Postfix version 3.4 and later:

       smtp_tls_connection_reuse (no)
              Try to make multiple deliveries per TLS-encrypted connection.

       smtp_tls_chain_files (empty)
              List of one or more PEM files, each holding one or more private
              keys directly followed by a corresponding certificate chain.

       smtp_tls_servername (empty)
              Optional name to send to the remote SMTP server in the TLS
              Server Name Indication (SNI) extension.

       Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:

       tls_fast_shutdown_enable (yes)
              A workaround for implementations that hang Postfix while
              shutting down a TLS session, until Postfix times out.

OBSOLETE STARTTLS CONTROLS

       The following configuration parameters exist for compatibility with
       Postfix versions before 2.3. Support for these will be removed in a
       future release.

       smtp_use_tls (no)
              Opportunistic mode: use TLS when a remote SMTP server announces
              STARTTLS support, otherwise send the mail in the clear.

       smtp_enforce_tls (no)
              Enforcement mode: require that remote SMTP servers use TLS
              encryption, and never send mail in the clear.

       smtp_tls_enforce_peername (yes)
              With mandatory TLS encryption, require that the remote SMTP
              server hostname matches the information in the remote SMTP
              server certificate.

       smtp_tls_per_site (empty)
              Optional lookup tables with the Postfix SMTP client TLS usage
              policy by next-hop destination and by remote SMTP server
              hostname.

       smtp_tls_cipherlist (empty)
              Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
              cipher list.

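       An audit for the obsolete controls above, applying the override rules
       stated under smtp_tls_security_level and smtp_tls_policy_maps: an
       obsolete setting such as smtp_enforce_tls = yes has no effect once
       smtp_tls_security_level is non-empty. This is an added example, not
       part of Postfix; the function names and sample main.cf are constructed,
       and it reads main.cf text only (no master.cf -o overrides, no $name
       expansion).

```python
"""Added illustration: flag obsolete smtp(8) STARTTLS controls in main.cf."""
from typing import Dict, List, Optional, Tuple

# Obsolete parameter -> parameter that overrides it when non-empty
# (None: the page names no overriding parameter).
OVERRIDDEN_BY: Dict[str, Optional[str]] = {
    "smtp_use_tls": "smtp_tls_security_level",
    "smtp_enforce_tls": "smtp_tls_security_level",
    "smtp_tls_enforce_peername": "smtp_tls_security_level",
    "smtp_tls_per_site": "smtp_tls_policy_maps",
    "smtp_tls_cipherlist": None,
}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse main.cf text into {name: value}; the last setting wins."""
    logical: List[str] = []
    for line in text.splitlines():
        # Blank lines and lines whose first non-blank char is '#' are ignored.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # A line that starts with whitespace continues the previous line.
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    params: Dict[str, str] = {}
    for entry in logical:
        name, sep, value = entry.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit_obsolete_tls(params: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (obsolete parameter, status, overriding parameter) findings.

    status is "overridden" when the overriding parameter has a non-empty
    value, otherwise "still set" (obsolete, with no active override).
    """
    findings = []
    for name, replacement in OVERRIDDEN_BY.items():
        if name not in params:
            continue
        if replacement and params.get(replacement, ""):
            findings.append((name, "overridden", replacement))
        else:
            findings.append((name, "still set", replacement))
    return findings


# Constructed sample, not a recommended configuration.
SAMPLE_MAIN_CF = """\
# outbound TLS settings
smtp_enforce_tls = yes
smtp_tls_security_level = may
smtp_tls_per_site =
    hash:/etc/postfix/tls_per_site
smtp_tls_cipherlist = HIGH
"""

if __name__ == "__main__":
    for name, status, replacement in audit_obsolete_tls(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"{name}: {status}" + (f" ({replacement})" if replacement else ""))
```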

RESOURCE AND RATE CONTROLS

       smtp_connect_timeout (30s)
              The Postfix SMTP client time limit for completing a TCP
              connection, or zero (use the operating system built-in time
              limit).

       smtp_helo_timeout (300s)
              The Postfix SMTP client time limit for sending the HELO or EHLO
              command, and for receiving the initial remote SMTP server
              response.

       lmtp_lhlo_timeout (300s)
              The Postfix LMTP client time limit for sending the LHLO command,
              and for receiving the initial remote LMTP server response.

       smtp_xforward_timeout (300s)
              The Postfix SMTP client time limit for sending the XFORWARD
              command, and for receiving the remote SMTP server response.

       smtp_mail_timeout (300s)
              The Postfix SMTP client time limit for sending the MAIL FROM
              command, and for receiving the remote SMTP server response.

       smtp_rcpt_timeout (300s)
              The Postfix SMTP client time limit for sending the SMTP RCPT TO
              command, and for receiving the remote SMTP server response.

       smtp_data_init_timeout (120s)
              The Postfix SMTP client time limit for sending the SMTP DATA
              command, and for receiving the remote SMTP server response.

       smtp_data_xfer_timeout (180s)
              The Postfix SMTP client time limit for sending the SMTP message
              content.

       smtp_data_done_timeout (600s)
              The Postfix SMTP client time limit for sending the SMTP ".", and
              for receiving the remote SMTP server response.

       smtp_quit_timeout (300s)
              The Postfix SMTP client time limit for sending the QUIT command,
              and for receiving the remote SMTP server response.

       Available in Postfix version 2.1 and later:

       smtp_mx_address_limit (5)
              The maximal number of MX (mail exchanger) IP addresses that can
              result from Postfix SMTP client mail exchanger lookups, or zero
              (no limit).

       smtp_mx_session_limit (2)
              The maximal number of SMTP sessions per delivery request before
              the Postfix SMTP client gives up or delivers to a fall-back
              relay host, or zero (no limit).

       smtp_rset_timeout (20s)
              The Postfix SMTP client time limit for sending the RSET command,
              and for receiving the remote SMTP server response.

       Available in Postfix version 2.2 and earlier:

       lmtp_cache_connection (yes)
              Keep Postfix LMTP client connections open for up to $max_idle
              seconds.

       Available in Postfix version 2.2 and later:

       smtp_connection_cache_destinations (empty)
              Permanently enable SMTP connection caching for the specified
              destinations.

       smtp_connection_cache_on_demand (yes)
              Temporarily enable SMTP connection caching while a destination
              has a high volume of mail in the active queue.

       smtp_connection_reuse_time_limit (300s)
              The amount of time during which Postfix will use an SMTP
              connection repeatedly.

       smtp_connection_cache_time_limit (2s)
              When SMTP connection caching is enabled, the amount of time that
              an unused SMTP client socket is kept open before it is closed.

       Available in Postfix version 2.3 and later:

       connection_cache_protocol_timeout (5s)
              Time limit for connection cache connect, send or receive
              operations.

       Available in Postfix version 2.9 and later:

       smtp_per_record_deadline (no)
              Change the behavior of the smtp_*_timeout time limits, from a
              time limit per read or write system call, to a time limit to
              send or receive a complete record (an SMTP command line, SMTP
              response line, SMTP message content line, or TLS protocol
              message).

       Available in Postfix version 2.11 and later:

       smtp_connection_reuse_count_limit (0)
              When SMTP connection caching is enabled, the number of times
              that an SMTP session may be reused before it is closed, or zero
              (no limit).

       Available in Postfix version 3.4 and later:

       smtp_tls_connection_reuse (no)
              Try to make multiple deliveries per TLS-encrypted connection.

       Implemented in the qmgr(8) daemon:

       transport_destination_concurrency_limit ($default_destination_concurrency_limit)
              A transport-specific override for the
              default_destination_concurrency_limit parameter value, where
              transport is the master.cf name of the message delivery
              transport.

       transport_destination_recipient_limit ($default_destination_recipient_limit)
              A transport-specific override for the
              default_destination_recipient_limit parameter value, where
              transport is the master.cf name of the message delivery
              transport.

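       Added example (not Postfix code): a Python simulation of what
       smtp_per_record_deadline changes, run against a constructed peer that
       sends a reply one byte at a time, each byte arriving just inside
       smtp_mail_timeout. The function name, the arrival model and the reply
       text are assumptions of this example.

```python
def receive_record(arrivals, timeout, per_record_deadline):
    """Simulate receiving one SMTP response line under a smtp_*_timeout limit.

    arrivals: list of (seconds since the previous chunk, bytes) sent by the peer.
    Returns (status, seconds the client process was held).
    """
    elapsed = 0
    buf = b""
    for gap, chunk in arrivals:
        # Per-call mode: every read starts with a fresh `timeout`.
        # Per-record mode: one budget covers the whole record.
        budget = timeout - elapsed if per_record_deadline else timeout
        if gap >= budget:
            return "timeout", elapsed + budget
        elapsed += gap
        buf += chunk
        if buf.endswith(b"\r\n"):
            return "complete", elapsed
    return "eof", elapsed

# Constructed inputs: a reply to MAIL FROM, delivered slowly and normally.
REPLY = b"250 2.1.0 Ok\r\n"
SLOW_PEER = [(299, REPLY[i:i + 1]) for i in range(len(REPLY))]
NORMAL_PEER = [(0.2, REPLY)]

def compare(arrivals, timeout=300):
    """Outcome with smtp_per_record_deadline = no, then = yes."""
    return {
        "no": receive_record(arrivals, timeout, per_record_deadline=False),
        "yes": receive_record(arrivals, timeout, per_record_deadline=True),
    }

if __name__ == "__main__":
    print("slow peer:  ", compare(SLOW_PEER))
    print("normal peer:", compare(NORMAL_PEER))
```

       With the per-call limit the slow peer holds the delivery process for
       14 x 299 seconds; with the per-record deadline it is cut off at 300
       seconds, and a normal peer is unaffected either way.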

SMTPUTF8 CONTROLS

       Preliminary SMTPUTF8 support is introduced with Postfix 3.0.

       smtputf8_enable (yes)
              Enable preliminary SMTPUTF8 support for the protocols described
              in RFC 6531..6533.

       smtputf8_autodetect_classes (sendmail, verify)
              Detect that a message requires SMTPUTF8 support for the
              specified mail origin classes.

       Available in Postfix version 3.2 and later:

       enable_idna2003_compatibility (no)
              Enable 'transitional' compatibility between IDNA2003 and
              IDNA2008, when converting UTF-8 domain names to/from the ASCII
              form that is used for DNS lookups.

TROUBLE SHOOTING CONTROLS

       debug_peer_level (2)
              The increment in verbose logging level when a nexthop
              destination, remote client or server name or network address
              matches a pattern given with the debug_peer_list parameter.

       debug_peer_list (empty)
              Optional list of nexthop destination, remote client or server
              name or network address patterns that, if matched, cause the
              verbose logging level to increase by the amount specified in
              $debug_peer_level.

       error_notice_recipient (postmaster)
              The recipient of postmaster notifications about mail delivery
              problems that are caused by policy, resource, software or
              protocol errors.

       internal_mail_filter_classes (empty)
              What categories of Postfix-generated mail are subject to
              before-queue content inspection by non_smtpd_milters,
              header_checks and body_checks.

       notify_classes (resource, software)
              The list of error classes that are reported to the postmaster.

MISCELLANEOUS CONTROLS

       best_mx_transport (empty)
              Where the Postfix SMTP client should deliver mail when it
              detects a "mail loops back to myself" error condition.

       config_directory (see 'postconf -d' output)
              The default location of the Postfix main.cf and master.cf
              configuration files.

       daemon_timeout (18000s)
              How much time a Postfix daemon process may take to handle a
              request before it is terminated by a built-in watchdog timer.

       delay_logging_resolution_limit (2)
              The maximal number of digits after the decimal point when
              logging sub-second delay values.

       disable_dns_lookups (no)
              Disable DNS lookups in the Postfix SMTP and LMTP clients.

       inet_interfaces (all)
              The network interface addresses that this mail system receives
              mail on.

       inet_protocols (see 'postconf -d' output)
              The Internet protocols Postfix will attempt to use when making
              or accepting connections.

       ipc_timeout (3600s)
              The time limit for sending or receiving information over an
              internal communication channel.

       lmtp_assume_final (no)
              When a remote LMTP server announces no DSN support, assume that
              the server performs final delivery, and send "delivered"
              delivery status notifications instead of "relayed".

       lmtp_tcp_port (24)
              The default TCP port that the Postfix LMTP client connects to.

       max_idle (100s)
              The maximum amount of time that an idle Postfix daemon process
              waits for an incoming connection before terminating voluntarily.

       max_use (100)
              The maximal number of incoming connections that a Postfix daemon
              process will service before terminating voluntarily.

       process_id (read-only)
              The process ID of a Postfix command or daemon process.

       process_name (read-only)
              The process name of a Postfix command or daemon process.

       proxy_interfaces (empty)
              The network interface addresses that this mail system receives
              mail on by way of a proxy or network address translation unit.

       smtp_address_preference (any)
              The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
              client will try first, when a destination has IPv6 and IPv4
              addresses with equal MX preference.

       smtp_bind_address (empty)
              An optional numerical network address that the Postfix SMTP
              client should bind to when making an IPv4 connection.

       smtp_bind_address6 (empty)
              An optional numerical network address that the Postfix SMTP
              client should bind to when making an IPv6 connection.

       smtp_helo_name ($myhostname)
              The hostname to send in the SMTP HELO or EHLO command.

       lmtp_lhlo_name ($myhostname)
              The hostname to send in the LMTP LHLO command.

       smtp_host_lookup (dns)
              What mechanisms the Postfix SMTP client uses to look up a host's
              IP address.

       smtp_randomize_addresses (yes)
              Randomize the order of equal-preference MX host addresses.

       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (see 'postconf -d' output)
              A prefix that is prepended to the process name in syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".

       Available with Postfix 2.2 and earlier:

       fallback_relay (empty)
              Optional list of relay hosts for SMTP destinations that can't be
              found or that are unreachable.

       Available with Postfix 2.3 and later:

       smtp_fallback_relay ($fallback_relay)
              Optional list of relay hosts for SMTP destinations that can't be
              found or that are unreachable.

       Available with Postfix 3.0 and later:

       smtp_address_verify_target (rcpt)
              In the context of email address verification, the SMTP protocol
              stage that determines whether an email address is deliverable.

       Available with Postfix 3.1 and later:

       lmtp_fallback_relay (empty)
              Optional list of relay hosts for LMTP destinations that can't be
              found or that are unreachable.

       Available with Postfix 3.2 and later:

       smtp_tcp_port (smtp)
              The default TCP port that the Postfix SMTP client connects to.

       Available in Postfix 3.3 and later:

       service_name (read-only)
              The master.cf service name of a Postfix daemon process.

SEE ALSO

       generic(5), output address rewriting
       header_checks(5), message header content inspection
       body_checks(5), body parts content inspection
       qmgr(8), queue manager
       bounce(8), delivery status reports
       scache(8), connection cache server
       postconf(5), configuration parameters
       master(5), generic daemon options
       master(8), process manager
       tlsmgr(8), TLS session and PRNG management
       postlogd(8), Postfix logging
       syslogd(8), system logging

README FILES

       Use "postconf readme_directory" or "postconf html_directory" to locate
       this information.
       SASL_README, Postfix SASL howto
       TLS_README, Postfix STARTTLS howto

LICENSE

       The Secure Mailer license must be distributed with this software.

AUTHOR(S)

       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

       Command pipelining in cooperation with:
       Jon Ribbens
       Oaktree Internet Solutions Ltd.,
       Internet House,
       Canal Basin,
       Coventry,
       CV1 4LY, United Kingdom.

       SASL support originally by:
       Till Franke
       SuSE Rhein/Main AG
       65760 Eschborn, Germany

       TLS support originally by:
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Revised TLS and SMTP connection cache support by:
       Victor Duchovni
       Morgan Stanley

                                                                       SMTP(8)